Examining the Effectiveness and Techniques of the Anti-Phishing
Technology in Leading Web Browsers and Security Toolbars.
Wesley W. Owen, [email protected]
Graduate Student, U Mass Lowell
Dept. of Computer Science
MIT Spam Conference, March 27-28 2008
Brief History
• The first known phishing attack on a financial operator was in June 2001, against E-Gold.
• In 2004 phishing became a widespread attack and started to appear on the radar of technology crime.
• Between 2004 and 2005, organized crime and phishers united to launch more attacks for profit.
[Chart: Unique Phishing Sites Per Month, Sep 2004 to Nov 2007. x-axis: Date; y-axis: # of Sites, 0 to 60,000.]
Data gathered from http://www.antiphishing.org/phishReportsArchive.html
Tests Performed
• Test each technology against 10 real live phishing sites
  – Some URLs in blacklists
• Test those phishing sites copied to the lab
  – Lab URLs not in blacklists
• Create 10 phishing sites of my own in a lab
  – Viewing sites in IE7: View -> Source -> File -> Save As
  – wget -p --convert-links --user-agent="Mozilla…
Limitations
• I did not decompile any anti-phishing technologies; my results are purely from trial and error.
• I did not test enough phishing sites to make determinations regarding which anti-phishing filter is more effective at real phishing sites. Other papers in this area have done this. See:
  – http://www.cylab.cmu.edu/files/cmucylab06018.pdf
  – http://www.3sharp.com/projects/antiphishing/gone-phishing.pdf
Anti-Phishing Technologies Examined
• Internet Explorer 7.0
• Netcraft’s Toolbar
• Earthlink’s Toolbar
• Geotrust Trustwatch
• SpoofGuard
• eBay’s Toolbar
• Firefox 2
[Bar chart: Remote Phishing Sites. x-axis: Anti-Phishing Technology (IE 7, Netcraft, Earthlink, Geotrust, SpoofGuard, Ebay, Firefox 2); y-axis: # of Sites Detected, 0 to 10; legend: phish / suspect.]
[Bar chart: Remote Phishing Sites Copied to Lab. Same axes and legend; y-axis 0 to 10.]
[Bar chart: Lab Phishing Sites (IE7 Save-As). Same axes and legend; y-axis 0 to 10.]
[Bar chart: Lab Phishing Sites (wget). Same axes and legend; y-axis 0 to 10.]
[Bar chart: All Tests Combined. Same axes and legend; y-axis 0 to 40.]
Types of Anti-Phishing Technology
• URL Blacklists
• Content Filter
• URL Popularity & Characteristics
• Password recognition
URL Blacklists
Similar idea to spam blacklists: a database of URLs that are known phishing sites.
Pros:
– Low false positives
– Easy to look up URLs (low overhead)
– Effective once the URL is listed
Cons:
– “Time to list” is too large to keep phishers out of business: approx 10 hrs as of 2/08 (phishtank.com)
Content Filter
Examines the body of each web page visited.
Pros:
– Detects phishing sites as soon as phishers publish them
Cons:
– Higher overhead than other technologies (a small price to pay for most users)
– It is possible to learn the content rules and work around them
URL Popularity & Characteristics
URL Popularity: checks domains against Google, Alexa, etc. to see how popular the URL is. The basis is that phishing sites are not popular.
URL Characteristics: checks characteristics of the URL such as strange port numbers, recently registered domains, IP addresses, etc.
Pros:
– Easy to look up URL (low overhead)
Cons:
– Usually requires human interpretation of the indicator and requires the operator to be aware of what phishing is
– Privacy concerns: each site visited must be looked up at Google, Alexa, etc.
– May not work well for phishing sites hosted at sites like geocities, e.g. http://www.geocities.com/phisher/ebay/
Password recognition
Pros:
– Easy to detect (low overhead)
Cons:
– Assumes users never use the same password at more than one site
– Requires users to enter passwords to all sites ahead of time
Details of IE7’s Content Filter
By trial and error I was able to determine what IE7’s content filter was looking for when detecting fake ebay.com sites:
• 2 input tags nested in a form tag and 3 links:
  – “forgot userid” link
  – “forgot password” link
  – “keep me signed in” link
• 1 or more of 10 links that point to ebay.com
Smallest Page that trips IE7’s Content Filter
<html><body>
<!-- two input tags nested in a form -->
<form action="."><input><input></form>
<!-- the three required links: forgot userid, forgot password, keep me signed in -->
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow"></a>
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow"></a>
<a href="http://pages.ebay.com/help/newtoebay/staying_signed_in.html"></a>
<!-- one further link that points to ebay.com -->
<a href="http://pages.ebay.com/help/new/contextual/account_protection.html"></a>
</body></html>
Details of Earthlink’s Content Filter
By trial and error I was able to determine what Earthlink’s content filter was looking for when detecting fake ebay.com sites:
• 2 input tags
• 2 or more of 14 links that point to ebay.com & 1 .js file on ebay.com
Smallest Page that trips Earthlink’s Content Filter
<html><body>
<!-- two input tags, not necessarily inside a form -->
<input><input>
<!-- two links that point to ebay.com -->
<a href="http://pages.ebay.com/help/index.html">Help</a>
<a href="http://pages.ebay.com/help/policies/privacy-policy.html">Privacy Policy</a>
</body></html>
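As an added example (not code from the talk), the two rule sets just described for IE7 and Earthlink, re-implemented as a static check over page markup in Python. The slides do not list the full sets of ebay.com links, so this assumes any href or script src on an ebay.com host counts, and reads the Earthlink rule as "2 or more ebay.com resources, links or .js"; because the parser treats script bodies as opaque text, it also shows why markup assembled at runtime slips past rules of this kind.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

IE7_REQUIRED_LINKS = {  # the "forgot userid", "forgot password", "keep me signed in" links
    "http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow",
    "http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow",
    "http://pages.ebay.com/help/newtoebay/staying_signed_in.html",
}

def on_ebay(url):  # assumed meaning of "points to ebay.com": hosted on ebay.com or a subdomain
    host = urlparse(url or "").hostname or ""
    return host == "ebay.com" or host.endswith(".ebay.com")

class PageFeatures(HTMLParser):  # one static pass over the markup; script bodies are opaque text here
    def __init__(self):
        super().__init__()
        self.form_depth = self.inputs = self.inputs_in_form = 0
        self.links, self.scripts = [], []   # ebay.com hrefs / script srcs seen
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_depth += 1
        elif tag == "input":
            self.inputs += 1
            self.inputs_in_form += 1 if self.form_depth else 0
        elif tag == "a" and on_ebay(a.get("href")):
            self.links.append(a["href"])
        elif tag == "script" and on_ebay(a.get("src")):
            self.scripts.append(a["src"])
    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1

def classify(html):  # names of the slide-described rules that would flag this markup
    f = PageFeatures()
    f.feed(html)
    hits = set()
    # IE7 rule: 2 inputs nested in a form, the 3 named links, and at least 1 further ebay.com link.
    if f.inputs_in_form >= 2 and IE7_REQUIRED_LINKS <= set(f.links) \
            and any(u not in IE7_REQUIRED_LINKS for u in f.links):
        hits.add("IE7")
    # Earthlink rule: 2 inputs and at least 2 ebay.com resources (links or a .js file).
    if f.inputs >= 2 and len(f.links) + len(f.scripts) >= 2:
        hits.add("Earthlink")
    return hits

# Constructed sample input: the talk's smallest page that trips Earthlink's filter.
SAMPLE = ('<html><body><input><input><a href="http://pages.ebay.com/help/index.html">Help</a>'
          '<a href="http://pages.ebay.com/help/policies/privacy-policy.html">Privacy Policy</a></body></html>')
```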
Page Load Attack
<html> <body>
<!-- phishing site here -->
<?php while(1){ echo " "; flush(); sleep(1); } ?>
</body> </html>
Image Load Attack
<html> <body>
<!-- phishing site here -->
<img src="http://1.2.3.4/image.gif">
<img src="http://1.2.3.5/image.gif">
<img src="http://1.2.3.6/image.gif">
<img src="http://1.2.3.7/image.gif">
<img src="http://1.2.3.8/image.gif">
...
</body> </html>
JavaScript Attack
<html> <head>
<script language="JavaScript">
function go(){ var buf = "phishing site here" ; output.innerHTML = buf ; }
</script> </head>
<body onLoad="go()">
<div id="output"></div>
</body> </html>
Attacks Against Anti-Phishing Filters
Anti-Phishing Technology               | Page Load Attack | Image Load Attack | JavaScript Attack
IE 7.0 (Content Filter / Blacklist)    | Yes / No         | Yes / No          | Yes / N/A
Netcraft                               | No               | No                | N/A
Earthlink (Content Filter / Blacklist) | No / No          | Yes / No          | Yes / N/A
Geotrust                               | No               | No                | N/A
SpoofGuard                             | Yes              | Yes               | Yes
eBay’s Toolbar                         | Yes*             | Yes*              | N/A
Firefox 2                              | No               | No                | N/A
* The Page Load and Image Load attacks worked some of the time against eBay’s Toolbar. I was unable to determine why it worked with some URLs but not others.
Attacks against URL Blacklists
Google’s blacklist, http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1, has similar entries that lead me to believe wildcards are not being used:
http://home.doramail.com/w37eudhs/
http://home.doramail.com/w823ehds/
http://189.140.107.157/
http://189.140.107.157/bankmain.htm/
http://189.140.107.157/boveda/
Similar results at http://www.phishtank.com/phish_archive.php
Using multiple subdomains, folders, etc., phishers already create many phishing URLs.
It is possible to create infinitely many URLs by:
• Custom 404 error page (page not found)
• Apache rewrite rule:
RewriteEngine on
RewriteRule ^[A-Za-z0-9]*$ phishing_page.html
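Added example (not from the talk) in Python, showing the defensive side of the URL-multiplication point above: the five blacklist entries quoted from the slides, matched literally versus by host plus directory prefix, so that URLs minted under an already-listed directory still hit. The variant URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Entries copied from the Google blacklist excerpt on the slides: exact URLs, no wildcards.
BLACKLIST = [
    "http://home.doramail.com/w37eudhs/",
    "http://home.doramail.com/w823ehds/",
    "http://189.140.107.157/",
    "http://189.140.107.157/bankmain.htm/",
    "http://189.140.107.157/boveda/",
]

def canonical(url):
    """Reduce a URL to (host, directory): lower-cased host without a default port, and the
    path up to and including its last slash, so file name, query and fragment are ignored."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return host, path[: path.rfind("/") + 1]

def exact_match(url, blacklist=BLACKLIST):
    """Literal lookup: every variant a rewrite rule or custom 404 page produces is a miss."""
    return url in blacklist

def prefix_match(url, blacklist=BLACKLIST):
    """Hit if a listed entry has the same host and its directory is a prefix of the URL's directory.
    A listed site root covers every path on that host, which fits a dedicated host such as an IP
    address; on a shared host like geocities, list the phisher's directory, not the root."""
    host, directory = canonical(url)
    return any(host == e_host and directory.startswith(e_dir)
               for e_host, e_dir in map(canonical, blacklist))

# Constructed variants of the kind a rewrite rule or custom 404 page can mint without limit.
VARIANTS = ["http://189.140.107.157/boveda/Ab3x9", "http://home.doramail.com/w37eudhs/login.php?s=1"]
if __name__ == "__main__":
    for u in VARIANTS:
        print(u, "exact:", exact_match(u), "prefix:", prefix_match(u))
```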
Conclusions
• The best anti-phishing filters use a layered approach (URL Blacklist + Content Filter)
  – Use multiple phishing blacklists
• Future work:
  – Decompile IE7’s and Earthlink’s content filters to learn more about them
    • If they use static rules, enhance them to use dynamic rules that can be controlled and updated centrally; that would make it much harder for phishers to succeed
  – Address the page/image load and JavaScript attacks