Smart-Phone Phishing
Mohammed Alqahtani - CS691 Summer2011


What is Phishing?

Example phishing URL shown on the slide (a PayPal-style path hosted on an unrelated domain): http://kukumoj.co.uk/pp/paypal/intl/webscr.php


Why Is It Called Phishing?


Damage by phishing

▪ Between May 2004 and May 2005, 1.2 million users in the U.S. were phished, costing approximately US$929 million. [1]
▪ United States businesses lose an estimated $2 billion every year. [1]
▪ 3.6 million adults lost money in phishing attacks in the 12 months ending 2007. [2]
▪ 1 in 20 users lost out to phishing in 2005. [3]
▪ $1.8 billion was lost to phishing in 2008. [4]


History of Phishing

▪ 1970s: phone calls.
▪ 1995: AOL users; account passwords stolen to get free online time. Low threat.
  Techniques: similar names (www.ao1.com for www.aol.com), social engineering.
▪ 2001: eBay users and major banks; credit card numbers and accounts. Medium risk.
  Techniques: similar names, key-logging.
▪ 2007: PayPal, banks, eBay; bank accounts. High risk.
  Techniques: browser vulnerabilities, link confusion.


Industries Affected

Major industries affected are: financial services, ISPs, online retailers.

Source: OWASP.com – Chennai - 2007


Phishing Techniques

▪ Deceptive phishing.
▪ Malware-based phishing: malware on the user's machine.
▪ Search engine phishing.
▪ Man-in-the-middle phishing.
▪ Content injection.
▪ Cross-site scripting.


Why Phishing Works?

▪ Lack of knowledge: lack of computer system and security knowledge.
▪ Visual deception: visually deceptive text; images masking underlying text.
▪ Bounded attention: lack of attention to security indicators, and lack of attention to the absence of security indicators.

Source: "Why phishing works" by Rachna Dhamija, J. D. Tygar, and Marti Hearst, 2006 [1].


Why Phishing Works?

▪ Vulnerabilities in browsers.
▪ Weak authentication at websites.
▪ Vulnerabilities in applications ... and more: phishers keep looking for vulnerabilities.


Anti-phishing

Educate users:
▪ Increase awareness of the impact of phishing.
▪ Train people to recognize phishing attempts.
▪ Ensure that the web browser has the latest security patches applied, and install the latest anti-virus packages.
▪ Never submit credentials on forms embedded in emails.


Anti-phishing

Technical defense, client side:
▪ Browser content filtering.
▪ Digitally signed e-mails.

Technical defense, server side:
▪ Validating official communications.
▪ Web validation portals.
▪ Web application security.
▪ Sign-in and session-bound images.

Enterprise-level defense (server and ISP):
▪ Mail server authentication.
▪ Domain monitoring and take-down.
▪ Managed services using 3rd parties, blacklists.


Previous Work

Existing solutions: use a blacklist to filter phishing sites.
▪ Collected list: PhishTank.
▪ Automatic list: automatic detection using machine learning.
▪ Integrate filtering/alerting functions into browsers through plug-ins, extensions and toolbars.
▪ Filter and monitor phishing links from the server side, and take them down.


Related Work

PhishTank, operated by OpenDNS,  October 2006, A free community site where uses public’s effort to build

dependable Black-list of phishing websites. The committee verify the reported websites , after they

are submitted by members. PhishTank works effectively fighting against phishing

attacks, detecting monthly thousands of phishing links.▪ well known organizations and browsers started using PhishTank‘s

blacklist database such as Yahoo mail, Opera, MaCafee, and Mozilla Firefox .


Related Work

"Large-Scale Automatic Classification of Phishing Pages", Colin Whittaker, Brian Ryner, Marria Nazif, NDSS '10, 2010 [2]. An automatic classifier that detects phishing websites and maintains Google's blacklist; it analyzes millions of pages a day, with a false positive rate below 0.1%, and correctly classifies more than 90% of phishing pages.

"BogusBiter: A transparent protection against phishing attacks", Chuan Yue and Haining Wang, ACM Trans. Internet Technol. 10, 2, Article 6 (June 2010) [17]. A client-side tool called BogusBiter that sends a large number of bogus credentials to suspected phishing sites and hides the real credential among them. BogusBiter conceals a victim's real credential and lets the legitimate site identify stolen credentials in a timely manner.
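Added example of the BogusBiter idea described above, in Python. This is illustrative code written for this page, not BogusBiter's own implementation. It assumes a simplified model in which the client reports the decoys it sent to the legitimate site, which keeps only keyed hashes of them and raises an alert when a phisher later tries one; decoys copy the length and per-position character class of the real password so the real one cannot be picked out of the batch. The username, password, key and IP addresses are constructed.

```python
"""Added example: a simplified model of the BogusBiter idea (Yue and Wang).
Illustrative code, not BogusBiter itself.

Assumptions (constructed for this example):
  - The client reports the decoys it sent to the legitimate site, which stores
    keyed hashes of them next to the keyed hash of the real password.
  - Decoys copy the length and per-position character class of the real
    password so that a phisher cannot pick the real one out of the batch.
"""
import hashlib
import hmac
import secrets
import string


def generate_decoys(real_password, count, rng=secrets):
    """Random passwords shaped like the real one (same length, same character
    class at each position) so the real credential is hidden among them."""
    classes = []
    for ch in real_password:
        if ch.islower():
            classes.append(string.ascii_lowercase)
        elif ch.isupper():
            classes.append(string.ascii_uppercase)
        elif ch.isdigit():
            classes.append(string.digits)
        else:
            classes.append(string.punctuation)
    decoys = set()
    while len(decoys) < count:
        candidate = "".join(rng.choice(alphabet) for alphabet in classes)
        if candidate != real_password:
            decoys.add(candidate)
    return sorted(decoys)


def build_submission_batch(username, real_password, decoy_count):
    """Client side: the (username, password) pairs that would be POSTed to a
    suspected phishing form, one per request, with the real pair in a random
    position. Also returns the decoys so the client can report them."""
    decoys = generate_decoys(real_password, decoy_count)
    batch = [(username, p) for p in decoys] + [(username, real_password)]
    secrets.SystemRandom().shuffle(batch)
    return batch, decoys


class LegitimateSite:
    """Stand-in for the real site: keyed password hashes plus the hashes of the
    decoys reported for each user; a login with a decoy raises an alert."""

    def __init__(self, key):
        self.key = key
        self.passwords = {}   # username -> keyed hash of the real password
        self.decoys = {}      # username -> set of keyed hashes of decoys
        self.alerts = []      # (username, source_ip) of attempts using a decoy

    def _digest(self, password):
        return hmac.new(self.key, password.encode(), hashlib.sha256).hexdigest()

    def register(self, username, password):
        self.passwords[username] = self._digest(password)

    def record_decoys(self, username, decoys):
        self.decoys.setdefault(username, set()).update(self._digest(p) for p in decoys)

    def login(self, username, password, source_ip):
        """'ok' for the real password, 'decoy-detected' (plus an alert) when a
        reported decoy is tried, 'denied' otherwise."""
        digest = self._digest(password)
        if hmac.compare_digest(self.passwords.get(username, ""), digest):
            return "ok"
        if digest in self.decoys.get(username, set()):
            self.alerts.append((username, source_ip))
            return "decoy-detected"
        return "denied"


if __name__ == "__main__":
    site = LegitimateSite(b"constructed-demo-key")   # assumption: the site's secret
    site.register("alice", "Summer2011!")
    batch, decoys = build_submission_batch("alice", "Summer2011!", decoy_count=9)
    site.record_decoys("alice", decoys)
    # The phisher harvests the batch and tries one entry at the real site.
    stolen_user, stolen_password = batch[0]
    print(site.login(stolen_user, stolen_password, "203.0.113.7"))
    print("alerts:", site.alerts)
```

With nine decoys per real credential the phisher's first guess hits a decoy nine times out of ten, and that one failed login is enough for the site to know the account's credential was captured and from which address it was replayed.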


More Varieties of Access

Daily activities and tasks done online: online banking, paying bills, online shopping, emailing.

Why use more varieties of devices? Easier to use and carry. Flexibility. Mobility: access from everywhere. Special needs.


Rapid Growth of smartphones market 2009 - 2010


The Problem

Trusteer Inc. recently analyzed the log files of several web servers that were hosting phishing websites:
▪ Mobile users are the first to arrive; they are always "on".
▪ Mobile users accessing phishing websites are three times more likely to submit their login info than desktop users.
▪ It is harder to spot a phishing website on a mobile device than on a computer, because of the limited screen size and computation capability of mobile devices; it is harder to view credentials while typing or to display warnings.
▪ e.g. www.acmebank,com.vdgrtgrt … (only the bank-like start of a long host name fits on a small screen)
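Added example, in Python, of checking a URL for the look-alike patterns the deck describes: similar names such as www.ao1.com for www.aol.com (History slide), visually deceptive text (Why Phishing Works slide), a brand name at the front of a long host as in the acmebank example above, and a brand name in the path on an unrelated domain as in the kukumoj.co.uk URL on the "What is Phishing?" slide. This is not code from the slides or from any tool they cite. The brand list, the confusable-character table, the simplified registrable-domain rule and the sample URLs are assumptions constructed for the example.

```python
"""Added example: flag look-alike URLs of the kinds the slides describe.

Assumptions (constructed for this example, not from the slides):
  - PROTECTED_BRANDS is a small brand list; a real deployment would use the
    organisation's own domains.
  - registrable_domain() uses a simplified rule instead of the Public Suffix List.
  - The sample URLs in main() are constructed in the style of the slides.
"""
from urllib.parse import urlsplit

PROTECTED_BRANDS = {"aol": "aol.com", "paypal": "paypal.com", "acmebank": "acmebank.com"}

# Character pairs commonly swapped to make one host look like another.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

# Second-level labels under which many ccTLDs register domains (co.uk, com.au ...).
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host):
    """The domain the user is really talking to: the last two labels, or the
    last three under a ccTLD second-level label such as co.uk (simplified rule)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def unconfuse(label):
    """Undo common look-alike substitutions (ao1 -> aol, g00gle -> google)."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def lookalike_reasons(url):
    """Return the reasons a URL looks like it imitates a protected brand
    (an empty list means no look-alike pattern was found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in PROTECTED_BRANDS.values():
        return []  # the genuine brand domain
    # Everything in front of the registrable domain is attacker-chosen naming.
    prefix = host[: -len(reg)] if reg and host.endswith(reg) else host
    prefix = prefix.replace(".", "").replace("-", "")
    path = parts.path.lower()
    reasons = []
    for brand, real_domain in PROTECTED_BRANDS.items():
        if brand in prefix:
            reasons.append(f"brand '{brand}' in subdomain of unrelated domain {reg}")
        if brand in path:
            reasons.append(f"brand '{brand}' in path on unrelated domain {reg}")
        if reg != real_domain and unconfuse(reg) == real_domain:
            reasons.append(f"confusable characters: {reg} looks like {real_domain}")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs in the style of the slides.
    for sample in (
        "https://www.paypal.com/signin",
        "http://www.ao1.com/",
        "http://kukumoj.co.uk/pp/paypal/intl/webscr.php",
        "http://www.acmebank.com.vdgrtgrt.example/login",
    ):
        print(sample, "->", lookalike_reasons(sample) or ["no look-alike pattern"])
```

The check deliberately works from the registrable domain rather than from the left end of the host, because the left end is exactly the part a phisher controls and the part a small screen shows first.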


The Problem

Users have various ways to access the internet:
▪ Different platforms: notebooks, handhelds, smartphones, etc.
▪ Different computation capabilities and features.
▪ Existing phishing protection mainly supports desktops.


The Problem

This expands the attack surface for phishers and makes it harder to provide comprehensive protection.


Challenges

Is every device capable of using the protection against phishing attacks effectively? Computation capabilities. Features.

Optimized protection for small devices: consume as little screen space as possible.


Challenges

Which websites are likely to be phishing, and which are rarely phishing? 60% of phishing attacks were launched from domains in three TLDs: .COM, .NET, and .CC.

Source: Global Phishing Survey – APWG 2011


Goals

▪ Provide user protection against phishing websites that can be used by devices with different computation capabilities and features.
▪ Consume as little computation and screen resource as possible.
▪ Categorize sites with different levels of risk.


Proposed Solution

▪ Classify and block phishing links, using PhishTank's blacklist.
▪ Use a coloring scheme to indicate the risk to users; it consumes less computation and screen resources.
▪ The processing is mainly done on the server side, with little on the client side: users receive classified and protected links.
▪ Expand the verification of websites that are unlikely to be phishing.
▪ Block verified phishing websites, so the user cannot access them.
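Added example, in Python, of the server-side classification and coloring described in the Proposed Solution: a verified blacklist entry is blocked (red), a verified legitimate site is green, an unverified site in one of the TLDs the Challenges slide cites as hosting about 60% of attacks is orange, and anything else is yellow; links in a message are rewritten before the device sees them so the client only displays a short tag. This is illustrative code written for this page, not the project's own implementation. The blacklist entries (standing in for PhishTank's verified list), the allowlist, the sample message and the simplified registrable-domain rule are assumptions constructed for the example.

```python
"""Added example: server-side link classification with a colour scheme, in the
spirit of the proposed solution. Illustrative code, not the project's.

Assumptions (constructed for this example):
  - VERIFIED_PHISH stands in for PhishTank's verified blacklist (a real system
    would fetch it from http://www.phishtank.com); entries are host + path.
  - VERIFIED_SAFE is the expanded list of sites verified as legitimate.
  - HIGH_FREQUENCY_TLDS reflects the APWG 2011 figure quoted on the Challenges
    slide (.COM, .NET and .CC hosted about 60% of attacks).
  - registrable_domain() uses a simplified rule instead of the Public Suffix List.
"""
import re
from urllib.parse import urlsplit

VERIFIED_PHISH = {"kukumoj.co.uk/pp/paypal/intl/webscr.php"}
# Design choice: once a host has a verified phishing page, every link on it is blocked.
PHISH_HOSTS = {entry.split("/", 1)[0] for entry in VERIFIED_PHISH}
VERIFIED_SAFE = {"paypal.com", "acmebank.com"}
HIGH_FREQUENCY_TLDS = {"com", "net", "cc"}
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

RED, ORANGE, YELLOW, GREEN = "red", "orange", "yellow", "green"
# A URL ends at whitespace or a quote, and never on trailing sentence punctuation.
URL_RE = re.compile(r"https?://[^\s<>\"']*[^\s<>\"'.,;:!?)]", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels, or last three under a ccTLD second-level label (co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url):
    """Return (colour, blocked, reason) for one link. Order matters: a verified
    phishing entry wins over everything, then verified-safe, then TLD risk."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    key = host + (parts.path or "/")
    reg = registrable_domain(host)
    if key in VERIFIED_PHISH or host in PHISH_HOSTS:
        return RED, True, "verified phishing site (blacklist)"
    if reg in VERIFIED_SAFE:
        return GREEN, False, "verified legitimate site"
    if reg.rsplit(".", 1)[-1] in HIGH_FREQUENCY_TLDS:
        return ORANGE, False, "unverified; TLD with high phishing frequency"
    return YELLOW, False, "unverified site"


def protect_links(message):
    """Server-side rewrite of a message before it reaches the device: blocked
    links are removed, the others get a short colour tag that costs little
    screen space and no client-side computation."""
    def replace(match):
        url = match.group(0)
        colour, blocked, _ = classify(url)
        if blocked:
            return f"[{colour.upper()}: link removed]"
        return f"[{colour.upper()}] {url}"
    return URL_RE.sub(replace, message)


if __name__ == "__main__":
    # Constructed sample message.
    msg = ("Confirm your account at http://kukumoj.co.uk/pp/paypal/intl/webscr.php "
           "or sign in at https://www.paypal.com/signin; "
           "see also http://secure-acmebank-login.cc/ and http://news.example/")
    print(protect_links(msg))
```

Because the blacklist lookup, the allowlist and the TLD rule all run on the server, the device receives plain text with four possible tags; nothing on the handset has to fetch or store the blacklist.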


Initial Design


References

1. Rachna Dhamija, J. D. Tygar, and Marti Hearst. 2006. Why phishing works. In Proceedings of the SIGCHI conference on Human Factors in computing systems (CHI '06), Rebecca Grinter, Thomas Rodden, Paul Aoki, Ed Cutrell, Robin Jeffries, and Gary Olson (Eds.). ACM, New York, NY, USA, 581-590. DOI=10.1145/1124772.1124861 http://doi.acm.org/10.1145/1124772.1124861.

2. Colin Whittaker, Brian Ryner, Marria Nazif, "Large-Scale Automatic Classification of Phishing Pages", NDSS '10, 2010. <http://research.google.com/pubs/pub35580.html>

3. Gross, Ben. "Smartphone Anti-Phishing Protection Leaves Much to Be Desired | Messaging News." Messaging News | The Technology of Email and Instant Messaging. 26 Feb. 2010. Web. <http://www.messagingnews.com/story/smartphone-anti-phishing-protection-leaves-much-be-desired>.

4. ComScore, Inc. "Smartphone Subscribers Now Comprise Majority of Mobile Browser and Application Users in U.S." ComScore, Inc. - Measuring the Digital World. ComScore, Inc, 1 Oct. 2010. <http://www.comscore.com/Press_Events/Press_Releases/2010/10/Smartphone_Subscribers_Now_Comprise_Majority_of_Mobile_Browser_and_Application_Users_in_U.S>.

5. Entner, Roger. "Smartphones to Overtake Feature Phones in U.S. by 2011." Http://www.nielsen.com. Nielsen Wire, 26 Mar. 2010. Web. <http://blog.nielsen.com/nielsenwire/consumer/smartphones-to-overtake-feature-phones-in-u-s-by-2011/>.

6. Kerstein, Paul L. "How Can We Stop Phishing and Pharming Scams?" CSO Online - Security and Risk. CSO Magazine - Security and Risk, 19 July 2005. Web. <http://www.csoonline.com/article/220491/how-can-we-stop-phishing-and-pharming-scams->.


7. OpenDNS, LLC. PhishTank: an Anti-phishing Site. [Online]. http://www.phishtank.com

8. Joshi, Y.; Saklikar, S.; Das, D.; Saha, S., "PhishGuard: A browser plug-in for protection from phishing," Internet Multimedia Services Architecture and Applications, 2008. IMSAA 2008. 2nd International Conference on, pp. 1-6, 10-12 Dec. 2008. doi: 10.1109/IMSAA.2008.4753929, URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4753929&isnumber=4753904

9. PhishTank - Statistics about phishing activity and PhishTank usage, http://www.phishtank.com/stats.php

10. PhishTank, Friends of PhishTank, http://www.phishtank.com/friends.php

11. "SmartScreen Filter: Frequently Asked Questions." Windows Home - Microsoft Windows. <http://windows.microsoft.com/en-US/windows7/SmartScreen-Filter-frequently-asked-questions-IE9>.

12. "SmartScreen Filter - Microsoft Windows." Windows Home - Microsoft Windows. Web. <http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/features/smartscreen-filter>.

13. "Apple - Safari - Learn about the Features Available in Safari." Apple. <http://www.apple.com/ca/safari/features.html>.

14. TECH.BLORGE- Top Technology news, Paypal warns buyers to avoid Safari browser from Apple - < http://tech.blorge.com/Structure:%20/2008/02/28/paypal-warns-buyers-to-avoid-safari-browser-from-apple/ >

15. "Firefox 2 Phishing Protection Effectiveness Testing." Home of the Mozilla Project. <http://www.mozilla.org/security/phishing-test.html>.

16. "AVIRA News - Anti-Virus Users Are Restless, Avira Survey Finds." Antivirus Software Solutions for Home and for Business. <http://www.avira.com/en/press-details/nid/482/>.

17. Chuan Yue and Haining Wang. 2010. BogusBiter: A transparent protection against phishing attacks. ACM Trans. Internet Technol. 10, 2, Article 6 (June 2010), 31 pages. DOI=10.1145/1754393.1754395 http://doi.acm.org/10.1145/1754393.1754395

18. Rachna Dhamija and J. D. Tygar. 2005. The battle against phishing: Dynamic Security Skins. In Proceedings of the 2005 symposium on Usable privacy and security (SOUPS '05). ACM, New York, NY, USA, 77-88. DOI=10.1145/1073001.1073009 http://doi.acm.org/10.1145/1073001.1073009


Questions?