Phishing for Phish in the Phispond
A lab on understanding Phishing attacks and defenses …
Group 21-B
Sagar Mehta

Note: This lab does not require any equipment other than a laptop/P.C.

Background:

In computing, Phishing is a criminal activity using social engineering techniques. [16] Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out using email or an instant message, and often directs users to give details at a website. Attempts to deal with the growing number of reported Phishing incidents include legislation, user training, and technical measures. The term Phishing is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

According to [12], some of the recent Phishing statistics are as follows:

Some important observations are: The average online time of a Phishing site is very low, so tracking such bogus sites is very difficult and needs to be done in real time. Also, in 46% of the cases some form of the target being imitated is present in the Phishing URL, for example http://www.bogus-site.com/www.bankofamerica.com. Similarly, in 42% of the cases there is no hostname but just an IP address, for example http://215.67.23.118/paypal.htm. Thus in many cases one can find out whether a URL is Phishing or not just by looking at it. Indeed, Phishing URLs can be classified into 4 distinct categories as follows: [8]

1. Type I: Obfuscating the Host with an IP address.
In this form of attack the URL's hostname is replaced with an IP address and usually the organization being phished is placed in the path. Very often the IP address is also represented in hex or decimal rather than the dotted-quad form.

2. Type II: Obfuscating the Host with another Domain.
In this form of attack the URL's host contains a valid-looking domain name and the path contains the organization being phished. This form of attack usually tries to imitate URLs containing a redirect so as to make it appear valid.

3. Type III: Obfuscating with large host names.
This form of attack has the organization being phished in the host but appends a large string of words and domains after the host name.

target resource to be accessed. An attack is said to be successful if there exists a path from the starting state to this target node.

Large-scale Phishing attacks use spam to reach victims. Therefore, anti-spam methods play an important role in defending against Phishing attacks. However, when the interaction with the victim is done via a proxy, standard anti-spam tools do not provide any protection.

Several authentication mechanisms have been deployed against the Phishing problem. These mechanisms broadly fall into user, server or email authentication. AOL Passcode is one such user authentication system designed to protect against password Phishing. It uses a device which generates a unique six-digit numeric code every 60 seconds for login to the AOL web site. Microsoft implemented an email authentication protocol called SenderID, which addresses the problem of domain spoofing. Yahoo implemented a domain-level email authentication protocol called DomainKeys. It combines public key cryptography and the DNS to provide credible domain-level authentication for email.
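The Type I, II and III URL categories described above can be checked mechanically. The Python below is an added example written for this page, not code from the lab or from [8]; the brand list and the Type III thresholds (five or more host labels, or a host longer than 40 characters) are assumptions, and it also decodes the hex and decimal IP forms mentioned under Type I back to dotted-quad for the analyst.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Brands the lab names as common phishing targets (illustrative list, an assumption).
TARGET_BRANDS = ("paypal", "ebay", "bankofamerica", "comerica", "cfcu")


def ip_host_to_dotted(host: str) -> Optional[str]:
    """If `host` is an IPv4 address in dotted-quad, plain decimal or 0x-hex
    notation (the Type I obfuscations), return its dotted-quad form; else None."""
    try:
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        pass  # not dotted-quad; try the encoded forms
    if re.fullmatch(r"0x[0-9a-f]{1,8}", host, re.I):
        return str(ipaddress.IPv4Address(int(host, 16)))
    if re.fullmatch(r"\d{1,10}", host) and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return None


def classify_url(url: str) -> str:
    """Label a URL with the lab's Type I / II / III category, or 'unclassified'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = (parts.path + "?" + parts.query).lower()
    brand_in_host = any(b in host for b in TARGET_BRANDS)
    brand_in_path = any(b in path for b in TARGET_BRANDS)
    if ip_host_to_dotted(host) is not None:
        return "Type I"    # host is an IP address; the brand, if any, sits in the path
    if brand_in_path and not brand_in_host:
        return "Type II"   # plausible host, brand only in the path (redirect look-alike)
    if brand_in_host and (host.count(".") >= 4 or len(host) > 40):
        return "Type III"  # brand in the host, padded with extra labels or words
    return "unclassified"


if __name__ == "__main__":
    # Constructed sample URLs; the first two are the lab's own examples.
    for u in ("http://215.67.23.118/paypal.htm",
              "http://www.bogus-site.com/www.bankofamerica.com",
              "http://0xD7431776/paypal.htm",
              "http://www.paypal.com.update.account-verify.example.net/login",
              "https://signin.ebay.com/ws/eBayISAPI.dll"):
        print(f"{classify_url(u):13} {u}")
```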
When an email claims to originate from a certain domain, DomainKeys provides a mechanism by which the recipient system can credibly determine that the email did in fact originate from a person or system authorized to send email for the domain.

In [5], Chandrasekaran et al. propose a framework to protect the identities of end-users by providing fake information to websites requesting critical information until the site's authenticity has been verified. Their premise is that just as an end user cannot tell legitimate and spoofed emails apart, phishers cannot tell the responses of legitimate and phantom users apart. Therefore, the response of the Phishing site is the same for both real and contrived user answers.

In [6], the idea is that when a Phishing site maliciously claims a false identity, it always demonstrates abnormal behaviors compared to a legitimate site, which are indicated by some web DOM objects in the page and HTTP transactions. The authors propose to detect a Phishing website by capturing those anomalies.

In [7], the research objective is to track down a phisher to the IP address of the phisher's workstation rather than innocent machines used as intermediaries. By using web bugs and honeytokens on the fake web site forms that the phisher presents, one can log accesses to the honeytokens by the phisher when the attacker views the results of the forms.

More recently, in [8], Doshi et al. focus on studying the URLs employed in various Phishing attacks. Their finding is that it is often possible to tell that a URL belongs to a Phishing attack without requiring any knowledge of the corresponding page content, and they describe several features that can be used to distinguish a Phishing URL from a non-Phishing one. Using Google's infrastructure, they created a classifier based on certain features like the Google Page Rank, Page index and Page quality scores.
A Phishing page most likely either will not have values for the above attributes, or those values will be very small. They also use certain word-based features, like the presence or absence of words such as webscr, secure, banking, ebayisapi, account, confirm, login and signin, which are typically found in Phishing mails.

Phishing IQ test – [adopted from the famous MailFrontier and SonicWall Phishing IQ test]

Below you will be presented with some emails. By carefully observing them you need to tell whether they are "Phish" or "Legitimate", and give your reasoning for each.

Helpful Hints
1. At the bottom of each "e-mail", on the status bar, there is the URL of the active link - the one being pointed to in the e-mail. You can decide if what is displayed is "real" or fake.
2. For this test, assume that you are "John Doe" or "Jane Doe" - in other words, that you received the e-mail in your inbox addressed to you.

If you score 100% then you can call yourself the "Phishmaster".
From: CFCU Community Credit Union
To: CFCU@mycfcu.com
Subject: Customer Service
[CFCU Community Credit Union logo]
As a CFCU Community Credit Union member, your privacy and security always come first.
We have been dedicated to customer safety and protection, and our mission remains as
strong as ever.
In order to further protect your account, we have introduced some new important security
standards and browser requirements, and we need to confirm your information.
Just click on the link below and verify your information to us:
http/www_mycicu.com/verify?secur
The Message is secure and, of course, your information will be kept confidential.
Status bar: http://www amycleu.com/verify/?secure=yes
EMAIL 1
From: MySBC Account Profile
Date: Tuesday, March 28, 2006 10:14PM
To: johndoe@sonicwall.com
Subject: MySEC ACTION REQUIRED: User ID Guideline Change
Re: USER ID GUIDELINE CHANGES - ACTION REQUIRED
Dear Valued Customer,
On April 1, 2006, we will be updating our online features to better serve you. We are sending you this
email because your current MySBC account profile User ID does not meet our new guidelines. We
are asking that you take the time now to update your User ID using the following steps:
Step 1: Go to http2/www.sbe.com/mysbe
Step 2: Enter your current User ID and password
Step 3: Select the "My Profile" tab at the top of the page
Step 4: Select the "Edit" link next to your current User ID under "Login Information"
Step 5: Create a new User ID* based on the following criteria:
- User ID must be between 6 and 18 characters in length
- User ID can be comprised of any combination of letters, numbers, and the following characters
(all other characters will be disallowed): ".""-""_"
- Use of such words as "administrator", words containing "com" or "www" or profanity will result
in having to perform this task again after the new guidelines have been implemented
* Note: This is to change your User ID only - your password does not need to be changed.
If you do not change your User ID by May 11, 2006, you will not be able to sign on using your
MySBC.com account. We apologize for any inconvenience.
Thank you for using AT&T Online Services. We look forward to continuing to serve you.
Sincerely,
AT&T Online Services
DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted.
For questions regarding this message, please go to:
hitp?//www.sbe.com/contact_us
SBC, the SBC logo, and other SBC related product and service names are the trademarks and/or
registered trademarks of (c) AT&T Knowledge Ventures. (C) 2002-2005 AT&T Knowledge
Ventures. All rights reserved.
Status bar: http: /Awww.sbc,com/mysbe
EMAIL 4
From: support@ebay.com
Date: Tuesday, December 06, 2005 2:24 AM
To: janedoe@sonicwall.com
Subject: Action Required — Credit/Debit Card Expiration Reminder
Credit/Debit Card Expiration Reminder [eBay logo]
Dear eBay member,
This is a courtesy reminder that the following credit/debit card on file for your eBay account will soon
expire:
EBay Account ID: E000077978368-840
Card: MSC XXXX-XXXX-XXXX-2245
Expiration Date: 10-DEC-05
Date Reminder Issued: 120505
In order to receive uninterrupted service, please update this information.
To update your credit/debit card information:
- Logon with your eBay User ID and Password
- Update your credit card information
http://signin.ebay.com/ws/eBayiSAPI_dil?SigningssPageName=h-h:sin:US
If your eBay account information is not updated, your ability to sell or bid on eBay will become
restricted. Remember: Your personal information is protected by eBay's Privacy Policy and
encrypted by industry standard SSL software.
Thank you for using eBay
Regards,
eBay Billing
Status bar: http: //signin.ebay.com/ws/eBayISAPI.dll?signIngssPageName=h:h:sin:US
EMAIL 5
From: barbarap@comerica.com
To: jqdoe@sonicwall.com
Subject: Comerica Bank Account Disabled
Dear John Q Doe,
Access your to Comerica Bank account has been temporarily disabled due to multiple login
errors. Protecting the security of your account and of the Comerica Bank network is our
primary concern. Therefore, as a preventative measure, we have temporarily limited access
to sensitive Comerica Bank account features.
If you are the rightful holder of the account, please login to http:/webbanking.comerica.com
as we try to verify your identity.
If you received this notice and you are not the authorized account holder, please be aware
that is a violation of Comerica Bank policy to represent oneself as another Comerica Bank
account owner. Such action may also be in violation of local, national, and/or international
law. Comerica Bank is committed to assist law enforcement with any inquires related to
attempts to misappropriate personal information with the Internet to commit fraud or theft.
Information will be provided at the request of law enforcement agencies to ensure that
perpetrators are prosecuted to the fullest extent of the law.
Thanks for your patience as we work together to protect your account.
Barbara Pace | 1-888-544-5441
Copyright 2006 Comerica Bank & Co, All Rights Reserved.
Status bar: http: //glps0000.mad.idec.net/mambo/cache/. webbanking. comerica.com/
EMAIL 6
From: service@inil.paypal.com
To: John Q Doe
Subject: Accept PayPal Policy Updates to Prevent Account Limitation
Dear John Q Doe,
PayPal's records indicate that you have not yet accepted the updated PayPal User Agreement and Privacy
Policy.
Failure to accept the updated PayPal User Agreement and Privacy Policy within 30 days will result in
limited access to your PayPal account. If your account is limited, you will no longer be able to receive or
send payments.
PayPal values you as a customer and does not want your account to be limited. Please click the link
below. On your Account Overview page, click on the New Policy Update link in the left column of the
page:
Copy and paste this link in to your browser, log in and click the New Policy Update link on your Account
Overview page
bttps)/waw paypal.com‘row/emd=_business-upgrade-info
Thank you for using Pay?
The PayPal Team
PayPal Email ID PP 878
Status bar: tins: fmww.paypal,com/row/emd=_business-upgrade-info
EMAIL 9
EMAIL 10

Appendix – A: Answer sheet
1. Is Email 1 Phish or Legitimate? Why?
2. Is Email 2 Phish or Legitimate? Why?
3. Is Email 3 Phish or Legitimate? Why?
4. Is Email 4 Phish or Legitimate? Why?
5. Is Email 5 Phish or Legitimate? Why?
6. Is Email 6 Phish or Legitimate? Why?
7. Is Email 7 Phish or Legitimate? Why?
8. Is Email 8 Phish or Legitimate? Why?
9. Is Email 9 Phish or Legitimate? Why?
10. Is Email 10 Phish or Legitimate? Why?
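Helpful Hint 1 above asks you to compare a link's visible text with the status-bar URL it really points to. The Python below is an added example, not part of the lab, that automates that comparison over an HTML email body; the sample body is constructed here, modelled on Email 6 (phish) and Email 5 (legitimate), and the rule for deciding that link text "looks like a URL" (contains a dot, no spaces) is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:          # inside an anchor: accumulate its text
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain (empty string if there is none)."""
    t = text.strip().lower()
    return urlsplit(t if "://" in t else "http://" + t).hostname or ""


def find_deceptive_links(html: str):
    """Return (shown host, real host) for links whose visible text names one
    host while the href (what the status bar shows) points to another."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for visible, href in parser.links:
        looks_like_url = "." in visible and " " not in visible   # assumption
        shown = host_of(visible) if looks_like_url else ""
        actual = host_of(href)
        if shown and actual and shown != actual:
            hits.append((shown, actual))
    return hits


# Constructed sample body modelled on Email 6 (phish) and Email 5 (legitimate) above.
SAMPLE_EMAIL_HTML = """
<p>Please login to <a href="http://glps0000.mad.idec.net/mambo/cache/.webbanking.comerica.com/">
http://webbanking.comerica.com</a> as we try to verify your identity.</p>
<p><a href="https://signin.ebay.com/ws/eBayISAPI.dll">https://signin.ebay.com/ws/eBayISAPI.dll</a></p>
<p><a href="http://www.example.net/offer">Click here</a> for details.</p>
"""

if __name__ == "__main__":
    for shown, actual in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"link text says {shown!r} but really goes to {actual!r}")
```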