Phishing Detection: Understanding Phishing Techniques and Anti-Phishing Approaches, Quizzes of Cryptography and System Security

An overview of phishing, its current situation, different phishing approaches, and anti-phishing approaches. It covers topics such as phishing using fake websites, cross-site scripting (XSS), and phishing Trojans. The document also discusses various anti-phishing approaches, including heuristic, blacklisting, and whitelisting approaches, as well as server-side validation and the use of tools such as the Netcraft Anti-Phishing Toolbar and Google. The document aims to help readers understand the techniques used in phishing attacks and the methods to detect and prevent them.

Typology: Quizzes

Pre 2010

Uploaded on 08/19/2009

koofers-user-cej

Web phishing and Security
Sadia Afroz
sa499@drexel.edu

Overview
• What is phishing?
• Phishing – current situation
• Phishing approaches
• Anti-phishing approaches
• Current phishing tools
• A new phishing detection approach

Phishing approaches
• Phishing using a fake website
• Phishing using cross-site scripting (XSS)
• A different type of phishing
  – Phishing Trojan

Phishing using fake websites
[Figure: a consumer enters data into a fake webpage; the attacker logs in with the captured account information and initiates a money transfer. Source: Phishing the web / Peter Panter / 2004-12-27]

Quiz
• Can you detect phishing sites?

Anti-phishing approach
• Ideas?
• Check different aspects of a site, such as its URL, its domain name and the symbol for a secure site (heuristic approach).
• Check whether the site has been blacklisted (blacklisting approach).
• Check whether it is one of your trusted sites (whitelisting approach).
• We will discuss these approaches later.

Phishing using cross-site scripting
Suppose a site, www.example.com/signin.html, has a username and a password field. Many sites do not check what you enter in these fields. So, if you type <script>alert('test')</script> in the username field and click the 'login' button, the URL will look like
www.example.com/signin.html?username=<script>alert('test')</script>&password=…
and the site will show an alert box saying 'test'. That is, you just made the site execute your script!

Phishing using cross-site scripting
• What can you do with it?
• You can write a script that captures the user's ID and password and emails those to you!
• This is a cross-site scripting (XSS) attack.
• Cross-site scripting (XSS) occurs when an attacker introduces malicious scripts to a dynamic form that allows the attacker to capture the private session information.

Phishing Trojan
• Attacker makes a Trojan
• User installs the Trojan, which acts as a plug-in for the browser
• User logs in to the bank's site from the Trojan-affected PC
• Trojan transfers the login information to the attacker
• Attacker uses that information to transfer your money
(Speech bubble in the figure: "Hey, I have cute emoticons!!! Download me!!!")

Anti-phishing approach
• Ideas?
• Warn the user before installing malicious plug-ins.
• Use firewalls
• Will that prevent this form of phishing?
• Trojans send data in the form of a PING request, which firewalls can't detect as harmful.

Anti-phishing approaches
• Blacklist approach
[Figure: blacklist approach. Labels: Reports phishing sites; Phishing Database; Anti phishing toolbar; Verify; Verifiers]

Anti-phishing approaches
• Server-side validation
  – The server sends a verification key to prove its authenticity.
  – For example, the server can send its certificate.
  – In another approach, the server and the client share a secret key. The server generates an image with its key and displays it. The client generates an image with its key and displays it in the browser. The user can verify the server's authenticity by matching these two images.

Anti-phishing approaches
• Use Google
  – Find the most used text of a site and google it.
  – If the URL matches one of the first five or ten search results, then it is the real site.

Anti-phishing approaches
• Education and awareness training
  – Use cartoons and games
  – Anti-Phishing Phil

Available tools
• Netcraft Anti-Phishing Toolbar:
• Firefox 3:
• Netscape Browser 8.1: This toolbar relies solely on a blacklist, which is maintained by AOL and updated frequently.
• CallingID Toolbar:
• Cloudmark Anti-Fraud Toolbar
• EarthLink Toolbar
• eBay Toolbar
• GeoTrust TrustWatch Toolbar:
• Microsoft Phishing Filter in Windows Internet Explorer 7
• Netscape Browser 8.1
• SpoofGuard
• Trust bar

Results
[Figure: phishing sites correctly identified (0% to 100%) against time (0, 1, 2, 12 and 24 hours) for SpoofGuard, EarthLink, Netcraft, Google, IE7, Cloudmark, TrustWatch, eBay, Netscape and McAfee. Annotations: 38% false positives; 1% false positives; PhishTank.]
Y. Zhang, S. Egelman, L. Cranor, J. Hong. Phinding Phish: An Evaluation of Anti-Phishing Toolbars. NDSS 2006.

Our approach
[Flowchart. Labels, in the order they appear: Page loaded; Does it match a profile?; Yes, this is the right site; SSL matches, address matches, content doesn't; Want to make?; yes; No; Partially matches; Content matches, SSL doesn't; Phishing site; Make a profile according to user's choice; Check if content changed, if changed update profile]

Components
• 2 main components:
  – Profile maker
  – Profile matcher

Profile
• 1. SSL
• 2. URL of the site
• 3. Site content:
  – HTML code is used for simplicity

Algorithm for fuzzy hash
2. Define some triggers. Trigger points are just arbitrary values used to define block end points. When we reach a trigger point, the block is considered to have ended.
3. When the rolling hash reaches a trigger point, record the LSB (least significant bit) of the traditional hash value.
4. When finished, combine the LSBs to make the signature.
5. After finding the signatures of the two files, compute their "Edit Distance". It is the number of insertions, modifications and deletions needed to turn Signature 1 into Signature 2. Signatures (and thus files) match when the ratio of the edit distance to the length is small.

Algorithm for fuzzy hash
• Compute the match score of the files. The match score represents a conservative weighted percentage of how much of s1 and s2 are ordered homologous sequences.
$$\text{match score} = 100 - \frac{100 \cdot S \cdot e(s_1, s_2)}{64\,(l_1 + l_2)}$$
where
S = block size
s_i = signature of the i-th file, i = 1, 2
l_i = signature length of the i-th file, i = 1, 2

Example:
Deep into the darkness peering, long I stood there, wondering, fearing
Doubting, dreaming dreams no mortals ever dared to dream before;
But the silence was unbroken, and the stillness gave no token,
And the only word there spoken was the whispered word, Lenore?,
This I whispered, and an echo murmured back the word, "Lenore!"
Merely this, and nothing more
Example is taken from Fuzzy Hashing, Jesse Kornblum

Deep into the darkness peering, long I stood there, wondering, fearing
Doubting, dreaming dreams no mortals ever dared to dream before ;
But the silence was unbroken, and the stillness gave no token,
And the only word there spoken was the whispered word,Lenore ?,
This I whispered, and an echo murmured back the word,"Lenore !"
Merely this, and nothing more
So, the hash key is: 32730 28163 491522 57 145410213 738210

Deep into the darkness peering, long I stood there, wondering, fearing
Doubting, dreaming dreams 00000000000000000 before ;
But the silence was unbroken, and the stillness gave no token,
And the only word there spoken was the whispered word,Lenore ?,
This I whispered, and an echo murmured back the word,"Lenore !"
Merely this, and nothing more
28163 491525 57 145410213 738210
• New hash key: 35730
• Old hash key: 32730
• Compute the "Edit Distance". It is the number of insertions, modifications and deletions needed to turn Signature 1 into Signature 2.
• Which is 1 (as they differ in one position)

Results (Phishing Detection)
                  firefox   netcraft   PDP
true positive       90        96        60
false positive       4         0         0
false negative       6         4        40

Remarks
• Though the overall result is not good, this approach can detect new phishing sites where Firefox 3 and Netcraft fail.
• ssdeep is not perfect. It matches the hashes of two files block by block, so if the HTML code is rearranged, ssdeep can't detect the similarity between them.
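The fuzzy-hash steps and the match-score formula above, worked through as an added example that is not part of the original slides. The rolling hash is modelled on the one ssdeep uses, each block contributes the six least significant bits of its FNV-1a hash as one base64 character (as ssdeep does), S is the block size as the slide defines it, and e(s1, s2) is taken to be the edit distance from step 5; the function names and the 7-byte window are assumptions.

```python
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # bytes covered by the rolling hash (assumed value)
FNV_INIT, FNV_PRIME = 0x811C9DC5, 0x01000193

def signature(data: bytes, block_size: int = 64) -> str:
    """Steps 2-4: end a block at each trigger, keep 6 bits of the block's hash."""
    window, h1, h2, h3 = [0] * WINDOW, 0, 0, 0
    fnv, sig, pending = FNV_INIT, [], False
    for n, c in enumerate(data):
        fnv = ((fnv ^ c) * FNV_PRIME) & 0xFFFFFFFF        # traditional hash (FNV-1a)
        h2 = (h2 - h1 + WINDOW * c) & 0xFFFFFFFF          # rolling hash: its value
        h1 = (h1 + c - window[n % WINDOW]) & 0xFFFFFFFF   # depends only on the
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF                 # last WINDOW bytes
        window[n % WINDOW] = c
        pending = True
        if (h1 + h2 + h3) % block_size == block_size - 1:  # trigger point
            sig.append(B64[fnv & 63])
            fnv, pending = FNV_INIT, False
    if pending:  # bytes after the last trigger form the final block
        sig.append(B64[fnv & 63])
    return "".join(sig)

def edit_distance(a: str, b: str) -> int:
    """Step 5: insertions, deletions and modifications, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def match_score(s1: str, s2: str, block_size: int = 64) -> float:
    """100 - 100*S*e(s1,s2) / (64*(l1+l2)), clamped at 0."""
    if not s1 and not s2:
        return 100.0
    e = edit_distance(s1, s2)
    return max(0.0, 100 - 100 * block_size * e / (64 * (len(s1) + len(s2))))

def compare(a: bytes, b: bytes, block_size: int = 64) -> float:
    return match_score(signature(a, block_size), signature(b, block_size), block_size)

POEM = (b"Deep into the darkness peering, long I stood there, wondering, fearing\n"
        b"Doubting, dreaming dreams no mortals ever dared to dream before;\n"
        b"But the silence was unbroken, and the stillness gave no token,\n")
ALTERED = POEM.replace(b"no mortals ever dared to dream", b"0" * 17)  # as on the slide

if __name__ == "__main__":
    print(signature(POEM), signature(ALTERED), compare(POEM, ALTERED))
```

Because the rolling hash only sees the last few bytes, block boundaries before and after a local change stay where they were, which is why a small edit alters only part of the signature.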
Improved approach
• Another option: using ssdeep on separate contents (like images, links) of the site.
• As we now have more than one kind of content, we need a similarity metric.
• The similarity metric used here is
  Threshold = m/n
  where
  m = number of elements matched with the real site
  n = total number of elements in the real site

Problem
Only 12% of phishing sites look exactly like real sites

Possible solution
• Add different weights to different contents of the site.
• Use a limited blacklisting approach, that is, add only the phishing sites of selected sites.

Future works
We are always matching a phishing page with the corresponding real one. But in many cases there is no real site.
[Screenshot: a browser window showing a French-language PayPal login page loaded from a siteburg.com address.]

Future works (contd..)
• Detect phishing for sites without SSL
• Fuzzy hashing problem: how similar is similar?
• Use different similarity matching algorithm

Questions
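The m/n similarity metric from the "Improved approach" slide, with the per-content weights from "Possible solution", as an added example that is not part of the original slides. It assumes elements are compared by exact attribute value rather than by ssdeep, and the class, function names and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

class ElementCollector(HTMLParser):
    """Collect the link, image and form targets that make up a page profile."""
    WANTED = {"a": ("links", "href"), "img": ("images", "src"),
              "form": ("forms", "action")}

    def __init__(self):
        super().__init__()
        self.found = {"links": set(), "images": set(), "forms": set()}

    def handle_starttag(self, tag, attrs):
        if tag in self.WANTED:
            kind, attr = self.WANTED[tag]
            value = dict(attrs).get(attr)
            if value:
                self.found[kind].add(value.strip())

def profile(html_text: str) -> dict:
    collector = ElementCollector()
    collector.feed(html_text)
    return collector.found

def similarity(real: dict, candidate: dict, weights=None) -> float:
    """m/n over the real site's elements; a weight makes one kind count more."""
    weights = weights or {}
    matched = total = 0.0
    for kind, items in real.items():
        w = weights.get(kind, 1.0)
        matched += w * len(items & candidate.get(kind, set()))
        total += w * len(items)
    return matched / total if total else 0.0

# Constructed sample pages; the example.com / example.net hosts are placeholders.
REAL = """<form action="https://bank.example.com/login"></form>
<a href="/help">Help</a><a href="/privacy">Privacy</a>
<img src="/logo.png"><img src="/lock.png">"""
# Same elements in a different order, with the form posting somewhere else.
LOOKALIKE = """<img src="/lock.png"><a href="/privacy">Privacy</a>
<img src="/logo.png"><a href="/help">Help</a>
<form action="http://collector.example.net/login"></form>"""

if __name__ == "__main__":
    real, seen = profile(REAL), profile(LOOKALIKE)
    print(similarity(real, seen), similarity(real, seen, {"forms": 3.0}))
```

Comparing sets of elements ignores their order, so a rearranged copy still scores high, and weighting the form target makes the one element that differs pull the score down.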
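The unchecked username field from the "Phishing using cross-site scripting" slides, next to a handler that checks the field and HTML-encodes what it echoes, as an added example that is not part of the original slides. The page template, the username policy and the function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical sign-in page that echoes the submitted username in two places.
PAGE = '<p>Login failed for {shown}</p><input name="username" value="{value}">'
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")  # assumed username policy

# The request from the slide.
SLIDE_URL = ("http://www.example.com/signin.html"
             "?username=<script>alert('test')</script>&password=x")

def username_from(url: str) -> str:
    """Pull the username query parameter out of the request URL."""
    return parse_qs(urlsplit(url).query).get("username", [""])[0]

def render_unchecked(url: str) -> str:
    """The behaviour the slide describes: the input goes into the page as-is."""
    name = username_from(url)
    return PAGE.format(shown=name, value=name)

def render_checked(url: str):
    """Validate the field, and encode it for HTML wherever it is echoed."""
    name = username_from(url)
    status = 200 if USERNAME_RE.fullmatch(name) else 400
    # quote=True also encodes " and ', which matters inside value="...".
    safe = html.escape(name, quote=True)
    return status, PAGE.format(shown=safe, value=safe)

if __name__ == "__main__":
    print(render_unchecked(SLIDE_URL))
    print(render_checked(SLIDE_URL))
```

In the checked version the browser receives the markup as text (`&lt;script&gt;…`) and the request is answered with status 400, so the submitted script is displayed rather than executed.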