CipherTrust Proprietary & Confidential Jonathan A. Zdziarski, Weilai Yang, Paul Judge CipherTrust, Inc. APPROACHES TO PHISHING.

Slides:

Advertisements

Similar presentations

What Are Scams? Scams are designed to trick you into giving away your money or your personal details. Scams come to you in many forms – by mail, ,

Advertisements

THE DHS PHISHING IQ TEST PART 2 LEGITIMATE V PHISHING How do you know if an is legitimate, or is a phony, phishing ? Take the.

Social Engineering Training. Training Goals Increase Laboratory Awareness. Provide the tools required to identify, avoid and report advanced Social Engineering.

© 2005 Convio, Inc. NTEN Webinar: Protecting your organization and donors from online scams February 23, 2006.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.

Design and Evaluation of a Real-Time URL Spam Filtering Service

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.

Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Internet Phishing Not the kind of Fishing you are used to.

Robotics Research Laboratory Louisiana State University.

Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.

D IRECT M AIL, E MAIL, W EB I NTEGRATION Delivering Measurable Results Marketing Techniques to Increase Response & Revenue |

Deduplication CSCI 572: Information Retrieval and Search Engines Summer 2010.

GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.

1 The Business Case for DomainKeys Identified Mail.

CHAPTER 3 The Component Object Model and DirectX © 2008 Cengage Learning EMEA.

Visual-Similarity-Based Phishing Detection Eric Medvet, Engin Kirda, Christopher Kruegel SecureComm 2008 Sep.

WEB SPOOFING by Miguel and Ngan. Content Web Spoofing Demo What is Web Spoofing How the attack works Different types of web spoofing How to spot a spoofed.

CS-280 Dr. Mark L. Hornick 1 ASCII table. 2 Displaying Numbers as Text Problem: display numerical values as text Consider the numerical value 0x5A held.

Internet Security facilities for secure communication.

Payment Center Self Enrollment and Making a Payment Employee Paid (Individual Liability) Travel Card January 2009.

Reporter: Li, Fong Ruei National Taiwan University of Science and Technology 9/19/2015Slide 1 (of 32)

Adam Soph, Alexandra Smith, Landon Peterson. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details.

 Programmed for educational purposes  Efficiency sacrificed for clarity/explanation.

11 CANTINA: A Content- Based Approach to Detecting Phishing Web Sites Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/6/7.

Partners – “How to Get Started” Michelle Hartley, Americas Channel Marketing August 2010 © 2007 Palo Alto Networks. Proprietary and Confidential.

Phishing Webpage Detection Jau-Yuan Chen COMS E6125 WHIM March 24, 2009.

2008 Community Door Training & Awareness Workshop Management Support Online (MSO)

CCT355H5 F Presentation: Phishing November Jennifer Li.

How Phishing Works Prof. Vipul Chudasama.

What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.

Inappropriate Content Hackers Phishers Scammers Child Abusers Bullies.

Return to the PC Security web page Lesson 6: Improving Security.

Electronics for HPS Proposal September 20, 2010 S. Boyarinov 1 HPS DAQ Overview Sergey Boyarinov JLAB June 17, 2014.

Basics What is ? is short for electronic mail. is a method for sending messages electronically from one computer.

ECE 111 SHA-2 Algorithms.

The Runtime Environment CSE 340 – Principles of Programming Languages Fall 2015 Adam Doupé Arizona State University

Phishing & Pharming Methods and Safeguards Baber Aslam and Lei Wu.

1 Bits, Bytes, Binary & Hex CIS TAG ▪ Byte Bit.

FEM Power: 1. The TestBench version of the FEM requires A for proper operation. 2. The FEM can be powered from a 6U VME crate or from a lab.

FLTCYBERCOM / C10F    U.S. FLEET CYBER COMMAND / U.S. TENTH FLEET    1 Overall Classification of this Briefing is UNCLASSIFIED//FOUO Phishing.

Spoofing The False Digital Identity. What is Spoofing?  Spoofing is the action of making something look like something that it is not in order to gain.

Definition, purposes/functions, elements of IR systems Lesson 1.

Safe Computing Practices. What is behind a cyber attack? 1.

Confidential - Copyright © 2006 Fidelis Security Systems, Inc. All Rights Reserved Mitigate the Risks of Data Leakage.

Phishing and Internet Scams. Definitions and recent statistics Why is it dangerous? Phishing techniques and identifiers Examples of phishing and scam.

Exposing Private Information by Timing Web Applications Stephen Kleinheider.

Network Artifacts.

Transportation, Transshipment, and Assignment Problems Chapter 6.

BUILD SECURE PRODUCTS AND SERVICES

Hash Algorithms.

ISYM 540 Current Topics in Information System Management

Information Security and Privacy Pertaining to Phishing and Internet Scams Brian Corl COSC 316 Information Security and Privacy.

Whether you decide to use hidden frames or XMLHttp, there are several things you'll need to consider when building an Ajax application. Expanding the role.

Computer Architecture and Organization Miles Murdocca and Vincent Heuring Chapter 4 – The Instruction Set Architecture.

The Best Way To Secure U R Self

Information Security Session October 24, 2005

LC-3 Details and Examples

Transportation, Transshipment and Assignment Models

Introduction to Intel x86-64 Assembly, Architecture, Applications, & Alliteration Xeno Kovah – 2014 xkovah at gmail.

Staying safe on the internet

CS334: Number Systems Lab 1.

Wireless Spoofing Attacks on Mobile Devices

Exposing Private Information by Timing Web Applications

Doxing Phishers: Analyzing Phishing Attacks from Lure to Attribution

Presentation transcript:

CipherTrust Proprietary & Confidential Jonathan A. Zdziarski, Weilai Yang, Paul Judge CipherTrust, Inc. APPROACHES TO PHISHING IDENTIFICATION USING MATCH AND PROBABILISTIC DIGITAL FINGERPRINTING TECHNIQUES

CipherTrust Proprietary & Confidential The Problem  Detection by means of delivery mechanism, not actual attack  Content-based filters can stop some, but not all phishing  Training Demands  Envelope heuristics and anti-forgery tools can stop some, but not all phishing  So we detect it… then what? (Burden of enforcement)

CipherTrust Proprietary & Confidential Detection Goals  Distinguish Phishing from other content (spam, spoofs, viruses)  Identify the targeted organization  Correlate attacks to single sources  Provide evidentiary examples of copying

CipherTrust Proprietary & Confidential What is Digital Fingerprinting?  Create digital content markers  Whitespace insensitivity  Noise suppression  Position independence 'Tis better to have loved and lost than never to have loved at all 0x07a3ca26 0x1a25a210 0x1b47235f (Alfred Lord Tennyson) Karp-Rabin, All-to-All, Winnowing, SCAM, COPS - Just to name a few approaches

CipherTrust Proprietary & Confidential What is Digital Fingerprinting  Surrounding changes allow some fingerprints to remain matches  Better than content matching! The goal of fingerprinting is to identify copying, even if some of the text has been modified. Should the input text be slightly altered to read: 'Tis better to hate love and lose and never to have loved at all 0x07a3ca26 0x0be4f7b3 0x1b47235f (Alfred Lord Tennyson, post-Jessica Simpson era)

CipherTrust Proprietary & Confidential Applying Digital Fingerprinting Step 1. Retrieve the web pages  Fetch (and cache!) URLs in  Account for IFRAMEs, FRAMEs, etc.  Deal with META REFRESHes  Parse XMLHTTP calls  Handle other disgusting or dastardly obfuscation Tokenizer= Content-Based Filters’ Headache HTTP Fetch= Fingerprinting’s Headache!

CipherTrust Proprietary & Confidential Applying Digital Fingerprinting Step 2: Fingerprint Generation (Real Site) 0x0026fa80 0x004129ec 0x00da62a0 0x03f3db0e 0x06fa9461 0x06d4bb73 0x024c3386 0x f 0x00f x00281f20 0x015bee8b 0x026a0340 0x003379df 0x018ec907 0x039228f5 0x0090b551 0x d 0x03283fb1 0x00ebc2b2 0x03a4dcea 0x001d815b 0x01c779eb 0x0028de1b 0x00e x00f47a83 0x00baa5cb 0x01293c6b 0x0132f10e 0x001b2b34 0x00dfa027 0x018720f7 0x0335e45a 0x x0052cc93 0x015a3b15 0x0028de1b 0x03bb7d39 0x x028b9318 0x00334ba1 0x000ad731 0x x009f88d3 0x00f48df6 0x0491cdfb 0x01b0d1b5 0x0411a87a

CipherTrust Proprietary & Confidential Applying Digital Fingerprinting Step 3: Matching (Exact Match Approach) 0x016ebbee 0x x00da62a0 0x x03f3db0e 0x01a4214f 0x003cab67 0x0055d8f4 0x x00be53bb 0x009274ec 0x0322e14e 0x025f6aa9 0x0564a046 0x033902f8 0x00b0788c 0x01777ee5 0x01b x0116e6f3 0x02546b57 0x01b x x00ab0a5d 0x015c0529 0x005924ee 0x0009bbcd 0x03b56dab 0x02c x023b5f86 0x00baa5cb 0x0162ebde 0x03dee023 0x030d9946 0x01a0cd6a 0x017196bd 0x091e583c 0x0139b2e1 0x006f60b4 0x x0156d882 0x0023b5e3 0x025896e7 0x003f4a71 0x0637e497 0x01316dfc 0x0100f5d9 0x024536f1 0x000ad731 0x x009f88d3 0x00114c2c 0x0051eb2f 0x00f48df6 0x x02162f4c 0x006986d9 0x01413ce3 0x000b2636 0x03347a16 0x0113cb62 Suspect Site

CipherTrust Proprietary & Confidential Applying Digital Fingerprinting Step 3: Matching (Probabilistic Approach) Ideal for smaller content-based markers 0x0da62a x03f3db0e0.98 0x00baa5cb0.46 P = 1-N M /N T N M Matching Organizations N T Total Organizations (0.75)(0.98)(0.46) ____________________________________ (0.75)(0.98)(0.46) + (1-0.75)(1-0.98)(1-0.46) =99.20% Match Confidence Obligatory Plug for Bayesian

CipherTrust Proprietary & Confidential Source Correlation  Intersect fingerprints to identify “copies of Phishing attacks”  Tie different attacks to a single likely source 0x00baa5cb 0x000ad731 0x009f88d3 0x00f48df6 0x00f48df6 0x x02162f4c 0x006986d9 0x00114c2c 0x0051eb2f 0x00f48df6 0x Genuine Site Phish 1 Phish 2

CipherTrust Proprietary & Confidential Benefits  Performing a true match comparison  Very little training (legitimate site to start)  Forces scammers to constantly be obfuscating website OR risk detection  Judge the content, not the delivery

CipherTrust Proprietary & Confidential PhishRegistry.org  Register your institution in our systems  Receive [free] periodic reports of Phishing activity targeting your business  Submit other [legitimate] sites of interest to our system (no reports)  Registration online now, reports available within ~ days Neighborhood Watch Service for Phishing