Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars
Wesley W. Owen, Graduate Student, U Mass Lowell Dept. of Computer Science
MIT Spam Conference, March
Brief History
The first known phishing attack on a financial operator was in June 2001, against E-Gold.
In 2004 phishing became a widespread attack and began to register as a technology crime.
Between 2004 and 2005, organized crime and phishers joined forces to launch more attacks for profit.
Data gathered from
Tests Performed
Test each technology against 10 real live phishing sites
– Some URLs in blacklists
Test those phishing sites copied to the lab
– Lab URLs not in blacklists
Create 10 phishing sites of my own in a lab
– Viewing sites in IE7: View -> Source -> File -> Save As
– wget -p --convert-links --user-agent="Mozilla…
Limitations
I did not decompile any anti-phishing technologies – my results are purely from trial and error.
I did not test enough phishing sites to make determinations regarding which anti-phishing filter is more effective at real phishing sites. Other papers in this area have done this. See:
– phishing.pdf
– phishing.pdf
Anti-Phishing Technologies Examined
Internet Explorer 7.0
Netcraft’s Toolbar
Earthlink’s Toolbar
Geotrust Trustwatch
SpoofGuard
eBay’s Toolbar
Firefox 2
Types of Anti-Phishing Technology
URL Blacklists
Content Filter
URL Popularity & Characteristics
Password recognition
URL Blacklists
Similar idea as spam blacklists – a database of URLs that are known phishing sites
Pros:
– Low false positives
– Easy to look up URLs (low overhead)
– Effective once the URL is listed
Cons:
– “Time to list” is too large to keep phishers out of business – approx 10 hrs as of 2/08 (phishtank.com)
Content Filter
Examines the body of each web page visited
Pros:
– Detects phishing sites as soon as phishers publish them
Cons:
– Higher overhead than other technologies (a small price to pay for most users)
– It is possible to learn the content rules and work around them
URL Popularity & Characteristics
URL Popularity: checks domains against Google, Alexa, etc. to see how popular the URL is. The basis is that phishing sites are not popular.
URL Characteristics: checks characteristics of the URL such as strange port numbers, recently registered domains, IP addresses, etc.
URL Popularity & Characteristics
Pros:
– Easy to look up URL (low overhead)
Cons:
– Usually requires human interpretation of the indicator and requires the operator to be aware of what phishing is.
– Privacy concerns – each site visited must be looked up at Google, Alexa, etc.
– May not work well for phishing sites hosted at popular sites, e.g. geocities
Password recognition
Pros:
– Easy to detect (low overhead)
Cons:
– Assumes users never use the same password at more than one site
– Requires users to enter passwords for all sites ahead of time
Details of IE7’s Content Filter
By using trial and error I was able to determine what IE7’s content filter was looking for when detecting fake ebay.com sites:
– 2 input tags nested in a form tag and 3 links:
  – “forgot userid” link
  – “forgot password” link
  – “keep me signed in” link
– 1 or more of 10 links that point to ebay.com
Smallest Page that trips IE7’s Content Filter
Details of Earthlink’s Content Filter
By using trial and error I was able to determine what Earthlink’s content filter was looking for when detecting fake ebay.com sites:
– 2 input tags
– 2 or more of 14 links that point to ebay.com & 1 .js file on ebay.com
Smallest Page that trips Earthlink’s Content Filter
[rendered page not recovered; visible link text: Help, Privacy Policy]
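A content filter of the kind the two slides above describe, as an added example in Python (not IE7's or Earthlink's code): it implements the inferred IE7 ebay.com rule over a streaming HTML parse, so a verdict is available after each chunk while the page is still loading and the same scan can be re-run after scripts rewrite the DOM. Counting any host under ebay.com as an ebay.com link, and the sample page chunks, are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Added example, not IE7's code: a streaming content filter implementing the
# ebay.com rule inferred above; host matching and the sample page are assumptions.
HELPER_LINKS = {"forgot userid", "forgot password", "keep me signed in"}

class BrandPhishFilter(HTMLParser):
    def __init__(self, brand="ebay.com"):
        super().__init__()
        self.brand, self.form_depth, self.in_a, self.a_text = brand, 0, False, []
        self.inputs_in_form, self.brand_links, self.helper_links = 0, 0, set()
    def is_brand(self, url):  # assumption: any host under the brand domain counts
        host = (urlparse(url).hostname or "").lower()
        return host == self.brand or host.endswith("." + self.brand)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_depth += 1
        elif tag == "input" and self.form_depth:  # only inputs nested in a form
            self.inputs_in_form += 1
        elif tag == "a":
            self.brand_links += self.is_brand(a.get("href", ""))
            self.in_a, self.a_text = True, []
    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1
        elif tag == "a" and self.in_a:  # normalise whitespace/case of the link text
            self.in_a = False
            self.helper_links.add(" ".join("".join(self.a_text).split()).lower())
    def handle_data(self, data):
        if self.in_a:
            self.a_text.append(data)
    def ie7_rule(self):  # 2 inputs inside a form, all 3 helper links, >=1 brand link
        return self.inputs_in_form >= 2 and self.brand_links >= 1 and HELPER_LINKS <= self.helper_links

def scan_stream(chunks, brand="ebay.com"):
    """Return the index of the first chunk after which the rule fires, else None."""
    # Checking after every chunk gives a verdict even if the page never finishes loading.
    f = BrandPhishFilter(brand)
    for i, chunk in enumerate(chunks):
        f.feed(chunk)
        if f.ie7_rule():
            return i
    return None

# Constructed sample: a bare login form and the helper links, then endless padding
SAMPLE_CHUNKS = ['<form action="#"><input name="userid"><input name="pass" type="password">',
                 '<a href="http://ebay.com/">Forgot userid</a>',
                 '<a href="http://signin.ebay.com/">Forgot  password</a>',
                 '<a href="http://pages.ebay.com/">Keep me signed in</a></form>', ' ', ' ']
```

The verdict fires on the fourth chunk, before the padding that a never-finishing page would keep sending; a form with two inputs but without the helper links stays clean.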
Page Load Attack
<?php
// the response never completes, so the page never finishes loading
while (1) {
    echo " ";
    flush();
    sleep(1);
}
?>
Image Load Attack.
JavaScript Attack
function go() {
    // the page content is written into the "output" element after the page has loaded
    var buf = "phishing site here";
    output.innerHTML = buf;
}
Attacks Against Anti-Phishing Filters
Anti-Phishing Technology | Page Load Attack | Image Load Attack | JavaScript Attack
IE 7.0 (Content Filter / Blacklist) | Yes / No | Yes / N/A
Netcraft | No | N/A
Earthlink (Content Filter / Blacklist) | No / No | Yes / No | Yes / N/A
Geotrust | No | N/A
SpoofGuard | Yes
eBay’s Toolbar | Yes* | N/A
Firefox 2 | No | N/A
(cells are listed in the order they appear on the slide; rows with fewer cells than columns could not be fully recovered)
* The Page Load and Image Load attacks worked some of the time against eBay’s Toolbar. I was unable to determine why it worked with some URLs but not others.
Attacks against URL Blacklists
Google’s blacklist has similar entries that lead me to believe wildcards are not being used:
similar results at
Attacks against URL Blacklists
Using multiple subdomains, folders, etc. phishers already create many phishing URLs. It is possible to create infinitely many URLs by:
– Custom 404 error page (page not found)
– Apache rewrite rule:
    RewriteEngine on
    RewriteRule ^[A-Za-z0-9]*$ phishing_page.html
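A blacklist lookup that is robust to these URL variants, as an added example in Python (not Google's or any toolbar's code): entries are stored as canonical (host, path) pairs and a URL is checked against every parent-domain suffix and path prefix, so one entry for a host or directory covers every subdomain, folder, custom-404 or rewrite-rule variant beneath it. The entry and URL values are constructed.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Added example, not any vendor's code: match a blacklist on canonical host
# suffixes and path prefixes, so one entry covers the variants a phisher can
# mint with subdomains, folders, custom 404 pages or rewrite rules. Entries
# and URLs below are constructed.
def canonical(url):
    """Lower-case host without trailing dot; percent-decoded, normalised path."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").rstrip(".").lower()
    raw = unquote(p.path) or "/"
    path = posixpath.normpath(raw)          # resolves ".", ".." and "//"
    if raw.endswith("/") and path != "/":
        path += "/"                          # keep the directory marker
    return host, path

def lookup_keys(url):
    """Every (host suffix, path prefix) pair a blacklist entry could match on."""
    host, path = canonical(url)
    labels = host.split(".")
    hosts = {host}
    if not host.replace(".", "").isdigit():  # no suffixes for IP literals
        hosts |= {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
    paths, prefix = {"/", path}, "/"
    for seg in path.strip("/").split("/")[:-1]:
        prefix += seg + "/"
        paths.add(prefix)
    return {(h, q) for h in hosts for q in paths}

class Blacklist:
    def __init__(self, entries):
        self.entries = {canonical(e) for e in entries}
    def is_listed(self, url):
        return not lookup_keys(url).isdisjoint(self.entries)

# Constructed entries: a whole phishing host, and one directory on a shared host
BLACKLIST = Blacklist(["http://phish.example/", "http://shared-host.example/~user/phish/"])
```

An entry for the host matches any subdomain or random path under it, while the directory entry on the shared host leaves other users' directories alone.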
Conclusions
The best anti-phishing filters use a layered approach (URL Blacklist + Content Filter)
– Use multiple phishing blacklists
Future work:
– Decompiling IE7 and Earthlink’s content filter to learn more about them. If they use static rules, enhance them to use dynamic rules that can be controlled & updated centrally; that would make it much harder for phishers to succeed
– Address the page/image load & JavaScript attacks
Questions and Comments?