Download presentation
Presentation is loading. Please wait.
Published byBrenda Shepherd Modified over 9 years ago
1
Distributed Phishing Attacks Markus Jakobsson Joint work with Adam Young, LECG
2
A typical phishing attack
3
A distributed phishing attack
4
How can this be done? 1. Adversary needs to control many hosts. Malware Symbiotic host program Firewall weaknesses (an arbitrary victim is fine) 2. Hosts must be uncorrelated. 3. Hosts need to report to adversary. Without giving away location of adversary Without giving away compromised credentials
5
Attack structure 1.Adversary randomly plants host pages. 2.Spam victims, using spoofing, referring to host pages. 3.Each host page waits to receive credentials, then posts to bulletin board(s). 4.Adversary retrieves credentials from bulletin board(s).
6
Attack details Posted credentials are hidden using steganographic methods. (Not easy to detect what constitutes a posting from a host.) Posted credentials are public-key encrypted to hide credentials from anybody but the attacker. Alternatively, harvested credentials can be sent to an email account associated with the attack instance (attacker creates lots of accounts + uses POP from anonymous location.)
7
Failed protection mechanisms Given information about a few hosts, one cannot infer the location/identity of other hosts. (Makes honeypots and collaborative detection meaningless.) Given knowledge of what bulletin boards are used, one cannot shut them down, or this is a DoS on the infrastructure … besides, the hosts can post to several BBs.
8
Promising protection mechanism 1.Gather network statistics. (Already done, just augment what is collected; can scan for common phrases and structures.) 2.Detect a few instances of a DPA. 3.Cluster instances with suspect profile. 4.Automatically demand all hosts in cluster to be blocked (Authenticated requests) or DoS them. 5.Automatically warn victims of emails in cluster. (Provides second line of defense.)
9
Some details of defense Use OCR to detect similarities in appearance between images. Use anti-plagiarism techniques to detect similarities between texts. (See, e.g., SPLAT)SPLAT Also detect similarities between pages pointed to (only for likely candidates.) Cluster with known offenders and with likely offenders. (Based on content and communication patterns.) Paper? Please email markus@indiana.edumarkus@indiana.edu
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.