Distributed Phishing Attacks
Presentation Transcript

  1. Distributed Phishing Attacks
     Markus Jakobsson. Joint work with Adam Young, LECG.

  2. A typical phishing attack

  3. A distributed phishing attack

  4. How can this be done?
     1. The adversary needs to control many hosts, obtained via:
        • Malware
        • A symbiotic host program
        • Firewall weaknesses (an arbitrary victim is fine)
     2. The hosts must be uncorrelated.
     3. The hosts need to report back to the adversary:
        • Without giving away the location of the adversary
        • Without giving away the compromised credentials

  5. Attack structure
     • The adversary randomly plants host pages.
     • Victims are spammed, using spoofed senders, with messages that refer them to the host pages.
     • Each host page waits to receive credentials, then posts them to one or more bulletin boards.
     • The adversary retrieves the credentials from the bulletin board(s).

  6. Attack details
     • Posted credentials are hidden using steganographic methods, so it is not easy to tell which postings come from a host.
     • Posted credentials are public-key encrypted, hiding them from anybody but the attacker.
     • Alternatively, harvested credentials can be sent to an email account associated with the attack instance: the attacker creates many accounts and collects from them over POP from an anonymous location.

  7. Failed protection mechanisms
     • Given information about a few hosts, one cannot infer the location or identity of the other hosts. (This makes honeypots and collaborative detection meaningless.)
     • Given knowledge of which bulletin boards are used, one cannot shut them down, since doing so is a DoS on the infrastructure they run on; besides, the hosts can post to several bulletin boards.

  8. Promising protection mechanism
     • Gather network statistics. (This is already done; just augment what is collected, e.g. scan for common phrases and structures.)
     • Detect a few instances of a DPA.
     • Cluster instances with a suspect profile.
     • Automatically demand that all hosts in the cluster be blocked (using authenticated requests), or DoS them.
     • Automatically warn the victims of the emails in the cluster. (This provides a second line of defense.)

  9. Some details of the defense
     • Use OCR to detect similarities in appearance between images.
     • Use anti-plagiarism techniques to detect similarities between texts. (See, e.g., SPLAT.)
     • Also detect similarities between the pages pointed to (only for likely candidates).
     • Cluster with known offenders and with likely offenders, based on content and communication patterns.
     Paper? Please email markus@indiana.edu
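The clustering defense of slides 8 and 9, as an added example that is not code from the slides or from Jakobsson and Young. It stands in for the anti-plagiarism step with a classic near-duplicate measure, word k-shingles compared by Jaccard similarity (SPLAT and the OCR step for images are not used), clusters the lures by single linkage, and flags a cluster either because it contains a known offender host or because one lure template points at several distinct hosts, which is exactly the uncorrelated-host signature of a DPA. The emails, recipients, host URLs and the known-offender list are constructed sample data; the threshold of 0.5 and the minimum of two hosts are assumed tuning values.

```python
"""Cluster phishing emails by lure text and block/warn per cluster.

Added illustration of the DPA defense on slides 8-9; all data below is
constructed, and the thresholds are assumptions, not values from the talk.
"""
import re
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+", re.I)
TOKEN_RE = re.compile(r"[a-z0-9]+")

# Constructed sample mail: three lures from one template, each pointing at a
# different (uncorrelated) host, plus one benign message.
SAMPLE_EMAILS = [
    {"id": "m1", "to": "alice@example.org", "url": "http://203.0.113.10/verify",
     "text": "Dear customer, your account at Example Bank has been suspended. "
             "Please verify your identity within 24 hours at "
             "http://203.0.113.10/verify or your access will be terminated."},
    {"id": "m2", "to": "bob@example.org", "url": "http://198.51.100.77/login",
     "text": "Dear member, your account at Example Bank has been suspended. "
             "Please verify your identity within 48 hours at "
             "http://198.51.100.77/login or your access will be terminated."},
    {"id": "m3", "to": "carol@example.org", "url": "http://192.0.2.200/secure",
     "text": "Dear valued customer, your account at Example Bank has been suspended. "
             "Please verify your identity within 24 hours at "
             "http://192.0.2.200/secure or your access will be terminated."},
    {"id": "m4", "to": "dave@example.org", "url": "http://intranet.example.org/lunch",
     "text": "Team lunch has moved to Thursday, please reply with your sandwich "
             "choice before noon at http://intranet.example.org/lunch."},
]

# Hosts already confirmed as DPA hosts (e.g. one honeypot hit); constructed.
KNOWN_OFFENDER_URLS = {"http://203.0.113.10/verify"}


def shingles(text, k=3):
    """Word k-shingles of a lure. URLs are masked first so the per-instance
    host does not hide the shared template."""
    masked = URL_RE.sub(" urltoken ", text.lower())
    tokens = TOKEN_RE.findall(masked)
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_emails(emails, threshold=0.5, k=3):
    """Single-linkage clustering with union-find: two emails are joined when
    their shingle sets are at least `threshold` similar. Returns clusters as
    lists of email ids, largest first."""
    sh = {e["id"]: shingles(e["text"], k) for e in emails}
    parent = {e["id"]: e["id"] for e in emails}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(sh, 2):
        if jaccard(sh[x], sh[y]) >= threshold:
            parent[find(x)] = find(y)

    groups = defaultdict(list)
    for e in emails:
        groups[find(e["id"])].append(e["id"])
    return sorted(groups.values(), key=lambda g: (-len(g), g))


def suspect_clusters(emails, known_offender_urls, threshold=0.5, min_hosts=2):
    """Flag a cluster that contains a known offender URL, or whose one lure
    template points at `min_hosts` or more distinct hosts. Returns the set of
    URLs to request blocking for and the set of recipients to warn."""
    by_id = {e["id"]: e for e in emails}
    block, warn = set(), set()
    for group in cluster_emails(emails, threshold):
        urls = {by_id[i]["url"] for i in group}
        hosts = {urlparse(u).netloc for u in urls}
        if urls & known_offender_urls or len(hosts) >= min_hosts:
            block |= urls
            warn |= {by_id[i]["to"] for i in group}
    return block, warn


if __name__ == "__main__":
    blocked, warned = suspect_clusters(SAMPLE_EMAILS, KNOWN_OFFENDER_URLS)
    print("block:", sorted(blocked))
    print("warn :", sorted(warned))
```

Masking the URL before shingling is the step that matters: the three lures score 0.64 to 0.88 against each other only because the one token that differs by design, the host, has been removed from the comparison, while the benign mail scores 0. A real deployment would add the slide's other signals (OCR on images, similarity of the landing pages themselves) as extra edges in the same union-find.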