Understanding Phishing: Attacks, Statistics, and Defenses, Lab Reports of Electrical and Electronics Engineering

An in-depth look into phishing attacks, their statistics, and current defense mechanisms. It covers various forms of phishing attacks, recent trends, and techniques used by attackers. The document also discusses visual deception, security skins, and other methods to detect and prevent phishing attacks.

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009

koofers-user-87h-1

Phishing for Phish in the Phispond
A lab on understanding Phishing attacks and defenses …

Group 21-B
Sagar Mehta

Note: This lab does not require any equipment other than a laptop/P.C.

Background:

In computing, Phishing is a criminal activity using social engineering techniques.[16] Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out using email or an instant message, and often directs users to give details at a website. Attempts to deal with the growing number of reported Phishing incidents include legislation, user training, and technical measures.

The term Phishing is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

According to [12], some of the recent Phishing statistics are as follows:

Some important observations are: The average online time of a Phishing site is very low, so tracking such bogus sites is very difficult and needs to be done in real time. Also, in 46% of the cases, some form of the target which is being imitated is present in the Phishing URL. For example: http://www.bogus-site.com/www.bankofamerica.com. Similarly, in 42% of the cases, there is no hostname but just an IP address. For example: http://215.67.23.118/paypal.htm. Thus, in many cases, just by looking at the URL, one can find out if it is Phishing or not.

Indeed, Phishing URLs can be classified into 4 distinct categories as follows: [8]

1. Type I: Obfuscating the Host with an IP address.
   In this form of attack the URL's hostname is replaced with an IP address, and usually the organization being phished is placed in the path. Very often the IP address is also represented in hex or decimal rather than the dotted quad form.
2. Type II: Obfuscating the Host with another Domain.
   In this form of attack the URL's host contains a valid-looking domain name and the path contains the organization being phished. This form of attack usually tries to imitate URLs containing a redirect so as to make it appear valid.
3. Type III: Obfuscating with large host names.
   This form of attack has the organization being phished in the host but appends a large string of words and domains after the host name.

target resource to be accessed. An attack is said to be successful if there exists a path from the starting state to this target node.

Large-scale Phishing attacks use spam to reach victims. Therefore, anti-spam methods play an important role in defending against Phishing attacks. However, when the interaction with the victim is done via a proxy, standard anti-spam tools do not provide any protection.

Several authentication mechanisms have been deployed against the Phishing problem. These mechanisms broadly fall into user, server or email authentication. AOL Passcode is one such user authentication system designed to protect against password Phishing. It uses a device which generates a unique six-digit numeric code every 60 seconds for login to the AOL web site. Microsoft implemented an email authentication protocol called SenderID, which addresses the problem of domain spoofing. Yahoo implemented a domain-level email authentication protocol called DomainKeys. It combines public key cryptography and the DNS to provide credible domain-level authentication for email. When an email claims to originate from a certain domain, DomainKeys provides a mechanism by which the recipient system can credibly determine that the email did in fact originate from a person or system authorized to send email for the domain.

In [5], Chandrasekaran et al. propose a framework to protect the identities of the end users by providing fake information to the websites requesting critical information until the site's authenticity has been verified. Their premise is that just as an end user cannot tell legitimate and spoofed emails apart, phishers cannot tell the responses of legitimate and phantom users apart. Therefore, the response of the Phishing site is the same for both real and contrived user answers.

In [6], the idea is that when a Phishing site maliciously claims a false identity, it always demonstrates abnormal behaviors compared to a legitimate site, which are indicated by some web DOM objects in the page and HTTP transactions. The authors propose to detect a Phishing website by capturing those anomalies.

In [7], the research objective is to track down a phisher to the IP address of the phisher's workstation rather than innocent machines used as intermediaries. By using web bugs and honeytokens on the fake web site forms that the phisher presents, one can log accesses to the honeytokens by the phisher when the attacker views the results of the forms.

More recently, in [8], Doshi et al. focus on studying the URLs employed in various Phishing attacks. Their finding is that it is often possible to tell that a URL belongs to a Phishing attack without requiring any knowledge of the corresponding page content, and they describe several features that can be used to distinguish a Phishing URL from a non-Phishing one. Using Google's infrastructure, they created a classifier based on certain features like the Google Page Rank, Page index and Page quality scores.
A Phishing page most likely either will not have values for the above attributes, or those values will be very small. They also use certain word-based features, such as the presence or absence of words like webscr, secure, banking, ebayisapi, account, confirm, login and signin, which are typically found in Phishing mails.

Phishing IQ test – [adopted from the famous MailFrontier and SonicWall Phishing IQ test]

Below you will be presented with some emails. By carefully observing them you need to tell whether they are "Phish" or "Legitimate", and give your reasoning for each.

Helpful Hints

1. At the bottom of each "e-mail", on the status bar, there is the URL of the active link - the one being pointed to in the e-mail. You can decide if what is displayed is "real" or fake.
2. For this test, assume that you are "John Doe" or "Jane Doe" - in other words, that you received the e-mail in your inbox addressed to you.

If you score 100% then you can call yourself the "Phishmaster".

[Window title: Customer Service - Cyrillic (Windows)]
From: CFCU Community Credit Union
To: CFCU@mycfcu.com
Subject: Customer Service

CFCU Community Credit Union

As a CFCU Community Credit Union member, your privacy and security always come first. We have been dedicated to customer safety and protection, and our mission remains as strong as ever.

In order to further protect your account, we have introduced some new important security standards and browser requirements, and we need to confirm your information.

Just click on the link below and verify your information to us:

http/www_mycicu.com/verify?secur as

The Message is secure and, of course, your information will be kept confidential.

Status bar: http://www amycleu.com/verify/?secure=yes

EMAIL 1

From: MySBC Account Profile
Date: Tuesday, March 28, 2006 10:14 PM
To: johndoe@sonicwall.com
Subject: MySBC ACTION REQUIRED: User ID Guideline Change

Re: USER ID GUIDELINE CHANGES - ACTION REQUIRED

Dear Valued Customer,

On April 1, 2006, we will be updating our online features to better serve you. We are sending you this email because your current MySBC account profile User ID does not meet our new guidelines. We are asking that you take the time now to update your User ID using the following steps:

Step 1: Go to http://www.sbc.com/mysbc
Step 2: Enter your current User ID and password
Step 3: Select the "My Profile" tab at the top of the page
Step 4: Select the "Edit" link next to your current User ID under "Login Information"
Step 5: Create a new User ID* based on the following criteria:
  - User ID must be between 6 and 18 characters in length
  - User ID can be comprised of any combination of letters, numbers, and the following characters (all other characters will be disallowed): "." "-" "_"
  - Use of such words as "administrator", words containing "com" or "www" or profanity will result in having to perform this task again after the new guidelines have been implemented

* Note: This is to change your User ID only - your password does not need to be changed.

If you do not change your User ID by May 11, 2006, you will not be able to sign on using your MySBC.com account. We apologize for any inconvenience.

Thank you for using AT&T Online Services. We look forward to continuing to serve you.

Sincerely,
AT&T Online Services

DO NOT REPLY TO THIS MESSAGE
All replies are automatically deleted. For questions regarding this message, please go to: http://www.sbc.com/contact_us

SBC, the SBC logo, and other SBC related product and service names are the trademarks and/or registered trademarks of (c) AT&T Knowledge Ventures. (C) 2002-2005 AT&T Knowledge Ventures. All rights reserved.

Status bar: http://www.sbc.com/mysbc

EMAIL 4

From: support@ebay.com
Date: Tuesday, December 06, 2005 2:24 AM
To: janedoe@sonicwall.com
Subject: Action Required – Credit/Debit Card Expiration Reminder

Credit/Debit Card Expiration Reminder

Dear eBay member,

This is a courtesy reminder that the following credit/debit card on file for your eBay account will soon expire:

EBay Account ID: E000077978368-840
Card: MSC XXXX-XXXX-XXXX-2245
Expiration Date: 10-DEC-05
Date Reminder Issued: 120505

In order to receive uninterrupted service, please update this information.

To update your credit/debit card information:
- Logon with your eBay User ID and Password
- Update your credit card information

http://signin.ebay.com/ws/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US

If your eBay account information is not updated, your ability to sell or bid on eBay will become restricted.

Remember: Your personal information is protected by eBay's Privacy Policy and encrypted by industry standard SSL software.

Thank you for using eBay

Regards,
eBay Billing

Status bar: http://signin.ebay.com/ws/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US

EMAIL 5

From: barbarap@comerica.com
To: jqdoe@sonicwall.com
Subject: Comerica Bank Account Disabled

Dear John Q Doe,

Access your to Comerica Bank account has been temporarily disabled due to multiple login errors. Protecting the security of your account and of the Comerica Bank network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive Comerica Bank account features.

If you are the rightful holder of the account, please login to http://webbanking.comerica.com as we try to verify your identity.

If you received this notice and you are not the authorized account holder, please be aware that is a violation of Comerica Bank policy to represent oneself as another Comerica Bank account owner. Such action may also be in violation of local, national, and/or international law. Comerica Bank is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the Internet to commit fraud or theft. Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the fullest extent of the law.

Thanks for your patience as we work together to protect your account.

Barbara Pace | 1-888-544-5441

Copyright 2006 Comerica Bank & Co, All Rights Reserved.

Status bar: http://glps0000.mad.idec.net/mambo/cache/.webbanking.comerica.com/

EMAIL 6

From: service@inil.paypal.com
To: John Q Doe
Subject: Accept PayPal Policy Updates to Prevent Account Limitation

Dear John Q Doe,

PayPal's records indicate that you have not yet accepted the updated PayPal User Agreement and Privacy Policy. Failure to accept the updated PayPal User Agreement and Privacy Policy within 30 days will result in limited access to your PayPal account. If your account is limited, you will no longer be able to receive or send payments.

PayPal values you as a customer and does not want your account to be limited. Please click the link below. On your Account Overview page, click on the New Policy Update link in the left column of the page:

Copy and paste this link in to your browser, log in and click the New Policy Update link on your Account Overview page

bttps)/waw paypal.com‘row/emd=_business-upgrade-info

Thank you for using PayPal
The PayPal Team

PayPal Email ID PP 878

Status bar: tins: fmww.paypal,com/row/emd=_business-upgrade-info

EMAIL 9

EMAIL 10

Appendix – A

Answer sheet

1. Is Email 1 Phish or Legitimate? Why?
2. Is Email 2 Phish or Legitimate? Why?
3. Is Email 3 Phish or Legitimate? Why?
4. Is Email 4 Phish or Legitimate? Why?
5. Is Email 5 Phish or Legitimate? Why?
6. Is Email 6 Phish or Legitimate? Why?
7. Is Email 7 Phish or Legitimate? Why?
8. Is Email 8 Phish or Legitimate? Why?
9. Is Email 9 Phish or Legitimate? Why?
10. Is Email 10 Phish or Legitimate? Why?
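
The URL categories and the word-based features of [8] described in the background section can be checked mechanically. The following is an added example, not code from the lab or from [8]; it covers the three URL types shown in this preview. The brand watch-list, the five-label threshold for a "large" host name and the last-two-labels shortcut for the registered domain are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Word features the background section lists from [8].
WORDS = ("webscr", "secure", "banking", "ebayisapi",
         "account", "confirm", "login", "signin")
BRANDS = ("paypal", "ebay", "bankofamerica")  # assumed watch-list of imitated brands
LONG_HOST_LABELS = 5                          # assumed cut-off for a "large" host name


def host_is_ip(host):
    """True for dotted-quad, single decimal or hex forms of an IP host (Type I)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        num = r"(0x[0-9a-f]+|\d+)"
        return bool(re.fullmatch(num + r"(\." + num + r"){0,3}", host))


def url_features(url):
    """Return the URL type from the lab's list (or None) and the matched words."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rest = (parts.path + "?" + parts.query).lower()
    registered = ".".join(host.split(".")[-2:])  # stand-in for a public-suffix lookup
    in_path = [b for b in BRANDS if b in rest]
    in_host = [b for b in BRANDS if b in host]
    if host_is_ip(host):
        kind = "Type I"
    elif in_path and not any(b in registered for b in in_path):
        kind = "Type II"    # brand only in the path, host is another domain
    elif in_host and len(host.split(".")) >= LONG_HOST_LABELS:
        kind = "Type III"   # brand in the host, followed by many extra labels
    else:
        kind = None
    return {"type": kind, "words": [w for w in WORDS if w in url.lower()]}


# First two URLs are the background section's examples; the rest are constructed.
SAMPLES = ["http://215.67.23.118/paypal.htm",
           "http://www.bogus-site.com/www.bankofamerica.com",
           "http://0xd7431776/paypal.htm",
           "http://www.paypal.com.secure-update.session.example.net/login",
           "https://www.paypal.com/signin"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, url_features(u))
```

The last sample shows why the word features are only one input to a classifier: a legitimate sign-in URL also contains "signin", so [8] combines them with page-quality signals.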