Phishing Information Recycling from Spam Mails


Transcript of Phishing Information Recycling from Spam Mails

Page 1: Phishing Information Recycling from Spam Mails

Phishing Information Recycling from Spam Mails

許富皓 (Fu-Hau Hsu), Department of Computer Science and Information Engineering, National Central University

NCU Advanced Defense Lab

Page 2: Phishing Information Recycling from Spam Mails

OUTLINE

Introduction

System Overview

Evaluation

Discussion and Conclusion


Page 3: Phishing Information Recycling from Spam Mails

Statistics of Spam Mails

The global spam rate for Q3 2009 is 88.1%, equating to around 151 billion emails a day.

The major purpose of these spam mails is for advertising.

In Q3 2009, phishing activity was 1 in 368.6 emails.


Page 4: Phishing Information Recycling from Spam Mails

Phishing

Aims to steal sensitive information from users.

A phishing attack usually comprises two steps:

◦ Prepare a forged web page
◦ Send spoofed e-mails


Page 5: Phishing Information Recycling from Spam Mails

Phishing E-mail Example

Phishing e-mails fool users into visiting a forged web page.

An example of a phishing e-mail.

Page 6: Phishing Information Recycling from Spam Mails

Phishing Web Page Example

A phishing web page would look like a real service web page.

An example of a phishing page.

Page 7: Phishing Information Recycling from Spam Mails

Anti-Phishing Methods

E-mail level solutions
◦ Filters and content analysis

Browser-integrated solutions
◦ SpoofGuard
◦ PwdHash
◦ AntiPhish: keeps track of sensitive information
◦ DOMAntiPhish: compares the DOMs of the pages

Page 8: Phishing Information Recycling from Spam Mails

Most Popular Phishing Solutions

The most popular and widely deployed solutions are based on blacklists.

◦ IE 7 browser
◦ Google Safe Browsing
◦ NetCraft toolbar
◦ eBay toolbar
◦ etc.

Page 9: Phishing Information Recycling from Spam Mails

Drawbacks of Current Solutions

APWG detected more than 40,000 unique phishing URLs in Aug. 2009.

On average, a phishing domain lasts 3 days.

Many e-mail receivers trust the e-mails that have passed the examination of an e-mail filter.


Page 10: Phishing Information Recycling from Spam Mails

Why Phishing Works?

"Why Phishing Works", Proc. CHI (2006):

◦ SMTP does not contain any authentication mechanism
◦ 23% of users base their trust only on page content

None of the solutions are foolproof.

About five million U.S. consumers gave information to spoofed websites, resulting in direct losses of $1.7 billion (2008).

Page 11: Phishing Information Recycling from Spam Mails

Observation

A phishing domain lasts 3 days, so a phishing mail that contains this domain must be sent within this period.

Legitimate server hosts usually create a lot of network traffic. However, phishing hosts usually have only a small amount of network traffic.

Page 12: Phishing Information Recycling from Spam Mails

Our Method - Shark

Actively counterattack phishers, not just passively defend.

The goal is to overload phishing web sites with large amounts of forged data.

Collect phishing information from spam mails.

Detect botnets from spam mails.

Page 13: Phishing Information Recycling from Spam Mails

System Components

Agent host
◦ Collects phishing URLs from spam mails
◦ Sends a large amount of forged data to forged websites

SQL server
◦ Handles the suspect URLs

Camouflage router
◦ Allows the agent host to use various IP addresses to establish TCP connections.

Page 14: Phishing Information Recycling from Spam Mails

System Overview

[System overview diagram]

Page 15: Phishing Information Recycling from Spam Mails

Information Recycling Components

Agent host
◦ Simply sniffs the URLs in e-mails which pass through our camouflage router.

SQL server
◦ Collects those URLs
◦ Records their arrival time

Page 16: Phishing Information Recycling from Spam Mails

Information Recycling

Classify URLs according to their domains.

Record the number of URLs appearing in each domain.

Collect suspect URLs
◦ A URL whose domain contains more URLs than a threshold in a short period (normally 3 days) is deemed a phishing URL.
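The per-domain counting step above, as an added Python example that is not code from the Shark system: sniffed URLs are grouped by host name, and a domain is flagged when at least `threshold` of its URLs arrive inside any 3-day window. The sample URLs and arrival times are constructed; the threshold value and using the host name as the "domain" are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: (URL sniffed from a spam mail, arrival time recorded by the SQL server).
# Hosts and timestamps are made up for this example.
ARRIVALS = [
    ("http://secure-bank-login.example/verify?id=1", "2009-08-01 08:00"),
    ("http://secure-bank-login.example/verify?id=2", "2009-08-01 09:30"),
    ("http://secure-bank-login.example/verify?id=3", "2009-08-02 11:00"),
    ("http://secure-bank-login.example/verify?id=4", "2009-08-03 07:45"),
    ("http://news.example.org/story/1", "2009-08-01 10:00"),
    ("http://news.example.org/story/2", "2009-08-20 10:00"),
    ("http://news.example.org/story/3", "2009-09-05 10:00"),
    ("http://news.example.org/story/4", "2009-09-25 10:00"),
]


def domain_of(url):
    """Classify a URL by its host name (port stripped, lower-cased)."""
    return urlsplit(url).hostname.lower()


def suspect_domains(arrivals, threshold=3, window=timedelta(days=3)):
    """Return {domain: peak count} for every domain whose URL count inside
    some `window` reaches `threshold` (assumed threshold: 3 URLs in 3 days).
    A sliding window over the sorted arrival times finds the peak count."""
    by_domain = defaultdict(list)
    for url, ts in arrivals:
        by_domain[domain_of(url)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    flagged = {}
    for domain, times in by_domain.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until it lies within `window` of t
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[domain] = peak
    return flagged


if __name__ == "__main__":
    # The bank look-alike gets 4 URLs in under 3 days; the news site never does.
    print(suspect_domains(ARRIVALS))
```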

Page 17: Phishing Information Recycling from Spam Mails

Recognize Phishing Web Sites

Suspect web site
◦ Parse HTML content
◦ Check form tag, input tag… type=password

Combine Google API
◦ Check if the website has enough traffic flow

Could be combined with other phishing detection methods
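The form/input check above, as an added Python example that is not the project's code: it parses HTML and reports every form that contains a password input, together with the action URL the credentials would be posted to and the field names. The traffic check via the Google API is not included, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Constructed sample of a page that mimics a login form (not a real site).
SAMPLE_HTML = """
<html><body>
<form action="http://collector.example/post.php" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
  <input type="submit" value="Sign in">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""


class PasswordFormFinder(HTMLParser):
    """Collects every <form> that contains an <input type=password>,
    recording its action URL and the names of its text/password fields."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms that had a password field
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "fields": [], "has_password": False}
        elif tag == "input" and self._current is not None:
            itype = attrs.get("type", "text").lower()   # type defaults to text
            if itype == "password":
                self._current["has_password"] = True
            if itype in ("text", "password", "email"):
                self._current["fields"].append(attrs.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def credential_forms(html):
    """Return the password-collecting forms found in `html`."""
    finder = PasswordFormFinder()
    finder.feed(html)
    finder.close()
    return finder.forms
```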

Page 18: Phishing Information Recycling from Spam Mails

Counterattack

Agent host
◦ Initiate TCP connections to the phishing sites
◦ Find out the form tags which can be used to submit data to the phishing sites
◦ Send forged data to the phishing sites
◦ Limit the number of TCP connections an agent host can establish with a phishing host (based on the number of phishing URLs)

Camouflage router
◦ Randomly choose an IP address belonging to its domain and provide it to the agent host to establish a new TCP connection with a phishing host

Page 19: Phishing Information Recycling from Spam Mails

Effects of Counterattack

Phishers would not be able to distinguish victim data from forged data.

Login pages of legitimate web sites can record the IPs of hosts that use bait (forged) data to log in.

Hosts that sent phishing e-mails or use bait data to log in are usually bots of some botnet.
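The bait-data effect above, as an added Python example (not the project's code) showing the defender's side: a legitimate site's login handler checks each attempt against bait credentials it never issued, records the source IP of any host replaying them, and ranks those IPs by hit count. The bait credentials, the attempt stream and the class name are constructed for this example.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed bait (forged) credentials: accounts the legitimate site never issued,
# so any attempt that uses them must come from the phisher's side.
BAIT_CREDENTIALS = {
    ("alice.decoy", "Tr4p-p4ssw0rd!"),
    ("bob.decoy", "n0t-4-re4l-user"),
}


def fingerprint(user, password):
    """Hash the pair so the monitor never needs to keep bait passwords in the clear."""
    return hashlib.sha256(f"{user}\x00{password}".encode()).hexdigest()


BAIT_FINGERPRINTS = {fingerprint(u, p) for u, p in BAIT_CREDENTIALS}


class BaitLoginMonitor:
    """Hook for a legitimate site's login handler: flags attempts that use
    bait credentials and records the source IP, as the slide describes."""

    def __init__(self, bait_fingerprints):
        self.bait = set(bait_fingerprints)
        self.hits = defaultdict(list)   # src_ip -> [bait user names replayed]

    def observe(self, src_ip, user, password):
        """Return True if the attempt used bait data (the login is still rejected)."""
        if fingerprint(user, password) in self.bait:
            self.hits[src_ip].append(user)
            return True
        return False

    def suspected_bots(self, min_hits=1):
        """IPs that replayed bait credentials at least `min_hits` times, most active first."""
        counts = Counter({ip: len(users) for ip, users in self.hits.items()})
        return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


# Constructed stream of login attempts: (source IP, user, password).
ATTEMPTS = [
    ("198.51.100.7", "alice.decoy", "Tr4p-p4ssw0rd!"),
    ("203.0.113.9", "carol", "her-real-password"),
    ("198.51.100.7", "bob.decoy", "n0t-4-re4l-user"),
    ("192.0.2.44", "alice.decoy", "Tr4p-p4ssw0rd!"),
    ("192.0.2.44", "alice.decoy", "wrong-guess"),
]


def run(attempts=ATTEMPTS):
    """Feed the attempts through the monitor; return per-attempt flags and the ranked IPs."""
    monitor = BaitLoginMonitor(BAIT_FINGERPRINTS)
    flags = [monitor.observe(*attempt) for attempt in attempts]
    return flags, monitor.suspected_bots()
```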

Page 20: Phishing Information Recycling from Spam Mails

Evaluation

False negative
◦ 2,543 phishing websites in PhishTank

False positive
◦ 5,000 legitimate websites in Alexa
◦ 0 false positives

Page 21: Phishing Information Recycling from Spam Mails

Evaluation

Phishing websites in PhishTank (total 2,543):
Solved: 1,208 (48%)
Unresolved: 1,195 (47%)
Expired: 119 (5%)

Breakdown of the unresolved sites:
◦ Second page 16%
◦ No password 3%
◦ Redirect 8%
◦ JavaScript 1%
◦ Non-meaningful page 67%
◦ Not phishing 3%
◦ Other 2%

Page 22: Phishing Information Recycling from Spam Mails

Contribution

A novel counterattack solution for phishing

Confuse the phishers with large amounts of forged data

Protect users even if they have been tricked into leaking their private information to phishers

Botnet detection

Page 23: Phishing Information Recycling from Spam Mails

Future Work

JavaScript

win32com.client

Page 24: Phishing Information Recycling from Spam Mails

Thank You

Q&A