Download presentation
Presentation is loading. Please wait.
Published byAnthony Hoover Modified over 9 years ago
1
Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars. Wesley W. Owen spamconference@wesconsulting.com Graduate Student U Mass Lowell Dept. of Computer Science MIT Spam Conference March 27-28 2008
2
Brief History The first known phishing attack on a financial operator was June 2001 against E-Gold. In 2004 phishing became a widespread attack and started to appear on the radar of technology crimes. Between 2004 and 2005, organized crime and phishers united to launch more attacks for profit.
3
Data gathered from http://www.antiphishing.org/phishReportsArchive.htmlhttp://www.antiphishing.org/phishReportsArchive.html
4
Tests Performed Test each technology against 10 real live phishing sites – Some URLs in blacklists Test those phishing sites copied to the lab – Lab URLs not in blacklists Create 10 phishing sites of my own in a lab – Viewing sites in IE7 view->source -> file -> save as – wget -p --convert-links --user-agent="Mozilla…
5
Limitations I did not decompile any anti-phishing technologies – my results are purely from Trial and Error I did not test enough phishing sites to make determinations regarding which anti-phishing filter is more effective at real phishing sites. Other papers in this are have done this. See: – http://www.cylab.cmu.edu/files/cmucylab06018.pdf http://www.cylab.cmu.edu/files/cmucylab06018.pdf – http://www.3sharp.com/projects/antiphishing/gone- phishing.pdf http://www.3sharp.com/projects/antiphishing/gone- phishing.pdf
6
Anti-Phishing Technologies Examined Internet Explorer 7.0 Netcraft’s Toolbar Earthlink’s Toolbar Geotrust Trustwatch SpoofGuard eBay’s Toolbar Firefox 2
12
Types of Anti-Phishing Technology URL Blacklists Content Filter URL Popularity & Characteristics Password recognition
13
URL Blacklists Similar idea as SPAM Blacklists – a database of URLs that are known phishing sites Pros: – Low false positives – Easy to lookup URLs (low overhead) – Effective once the URL is listed Cons: – “Time to list” is too large to keep phishers out of business – approx 10 hrs as of 2/08 (phishtank.com)
14
Content Filter Examines the body of each web page visited Pros: – Detects phishing sites as soon as phishers publish them Cons: – Higher overhead than other technologies (a small price to pay for the most users) – It is possible to learn the content rules and work around them
15
URL Popularity & Characteristics URL Popularity: Checks domains against Google, Alexa, etc. to see how popular the URL is. The basis is that phishing sites are not popular. URL Characteristics: Checks characteristics of the URL such as strange port numbers, recently registered domains, IP addresses, etc.
16
URL Popularity & Characteristics Pros: – Easy to lookup URL (low overhead) Cons: – Usually requires human interpretation of the indicator and requires the operator to be aware of what phishing is. – Privacy concerns – each site visited must be looked up at Google, Alexa, etc. – May not work well for phishing sites hosted at sites like geocities e.g. http://www.geocities.com/phisher/ebay/http://www.geocities.com/phisher/ebay/
17
Password recognition Pros: – Easy to detect (low overhead) Cons: – Assumes users never use the same password at more than one site – Requires users to enter passwords to all sites ahead of time
18
Details of IE7s Content Filter By using Trial and Error I was able to determine what IE7s content filter was looking for when detecting fake ebay.com sites: 2 input tags nested in a form tag and 3 links: – “forgot userid” link – “forgot password” link – “keep me signed in” link 1 or more of 10 links that point to ebay.com
19
Smallest Page that trips IE7s Content Filter
20
Details of Earthlinks Content Filter By using Trial and Error I was able to determine what Earthlinks content filter was looking for when detecting fake ebay.com sites: 2 input tags 2 or more of 14 links that point to ebay.com & 1.js file on ebay.com
21
Smallest Page that trips Earthlinks Content Filter Help Privacy Policy
22
Page Load Attack <?php while(1){ echo " "; flush(); sleep(1); } ?>
23
Image Load Attack.
24
JavaScript Attack function go() { var buf = "phishing site here" ; output.innerHTML = buf ; }
25
Attacks Against Anti-Phishing Filters Anti-Phishing Technology Page Load Attack Image Load Attack JavaScript Attack IE 7.0 (Content Filter / Blacklist) Yes / No Yes / N/A NetcraftNo N/A Earthlink (Content Filter / Blacklist) No / No Yes / No Yes / N/A GeotrustNo N/A SpoofGuardYes eBay’s ToolbarYes* N/A Firefox 2No N/A * The Page Load and Image Load attacks worked some of the time against eBay’s Toolbar. I was unable to determine why it worked with some URLs but not others.
26
Attacks against URL Blacklists Google’s blacklist: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1 has similar entries that lead me to believe wildcards are not being used: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1 http://home.doramail.com/w37eudhs/ http://home.doramail.com/w823ehds/ http://189.140.107.157/ http://189.140.107.157/bankmain.htm/ http://189.140.107.157/boveda/ similar results at http://www.phishtank.com/phish_archive.phphttp://www.phishtank.com/phish_archive.php
27
Attacks against URL Blacklists Using multiple subdomains, folders, etc. phishers already create many phishing URLs. It is possible to create infinitely many URLs by: Custom 404 error page (page not found) Apache rewrite rule RewriteEngine on RewriteRule ^[A-Za-z0-9]*$ phishing_page.html
28
Conclusions The best anti-phishing filters use a layered approach (URL Blacklist + Content Filter) – Use multiple phishing blacklists Future work: – Decompiling IE7 and Earthlink’s content filter to learn more about them If they use static rules, enhance them to use dynamic rules that can be controlled & updated centrally that would make it much harder for phishers to succeed Address the page/image load & JavaScript attacks
29
Questions and Comments?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.