
Distributed Phishing Attacks






Presentation Transcript


  1. Distributed Phishing Attacks Markus Jakobsson Joint work with Adam Young, LECG

  2. A typical phishing attack

  3. A distributed phishing attack

  4. How can this be done?
     1. Adversary needs to control many hosts.
        • Malware
        • Symbiotic host program
        • Firewall weaknesses (an arbitrary victim is fine)
     2. Hosts must be uncorrelated.
     3. Hosts need to report to adversary.
        • Without giving away location of adversary
        • Without giving away compromised credentials

  5. Attack structure
     • Adversary randomly plants host pages.
     • Spam victims, using spoofing, referring to host pages.
     • Each host page waits to receive credentials, then posts to bulletin board(s).
     • Adversary retrieves credentials from bulletin board(s).

  6. Attack details Posted credentials are hidden using steganographic methods. (Not easy to detect what constitutes a posting from a host.) Posted credentials are public-key encrypted to hide credentials from anybody but the attacker. Alternatively, harvested credentials can be sent to an email account associated with the attack instance (attacker creates lots of accounts + uses POP from anonymous location.)

  7. Failed protection mechanisms
     • Given information about a few hosts, one cannot infer the location/identity of other hosts. (Makes honeypots and collaborative detection meaningless.)
     • Given knowledge of what bulletin boards are used, one cannot shut them down, or this is a DoS on the infrastructure … besides, the hosts can post to several BBs.

  8. Promising protection mechanism
     • Gather network statistics. (Already done, just augment what is collected; can scan for common phrases and structures.)
     • Detect a few instances of a DPA.
     • Cluster instances with suspect profile.
     • Automatically demand all hosts in cluster to be blocked (authenticated requests) or DoS them.
     • Automatically warn victims of emails in cluster. (Provides second line of defense.)

  9. Some details of defense
     • Use OCR to detect similarities in appearance between images.
     • Use anti-plagiarism techniques to detect similarities between texts. (See, e.g., SPLAT.)
     • Also detect similarities between pages pointed to (only for likely candidates).
     • Cluster with known offenders and with likely offenders. (Based on content and communication patterns.)

     Paper? Please email markus@indiana.edu
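As an added example (not from the slides), the text-similarity clustering step of slides 8 and 9, approximated with word shingles and Jaccard similarity: near-identical lures that point at different host pages fall into one cluster, which is the DPA candidate a defender would flag. The sample messages are constructed.

```python
# Added example (not from the slides): cluster suspected DPA lures by text
# similarity, approximating the "anti-plagiarism" step of slide 9 with word
# 3-shingles and Jaccard similarity. Sample messages below are constructed.
import re
from itertools import combinations

SHINGLE_LEN = 3   # words per shingle
THRESHOLD = 0.5   # minimum Jaccard similarity to link two messages

def normalize(text: str) -> list[str]:
    # Lower-case; replace URLs with one token so host-specific links don't count.
    text = re.sub(r"https?://\S+", " URL ", text.lower())
    return re.findall(r"[a-z]+|URL", text)

def shingles(text: str, k: int = SHINGLE_LEN) -> set[tuple[str, ...]]:
    words = normalize(text)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0

def cluster(messages: list[str], threshold: float = THRESHOLD) -> list[set[int]]:
    """Single-linkage clustering of message indices via union-find."""
    sh = [shingles(m) for m in messages]
    parent = list(range(len(messages)))
    def find(x: int) -> int:
        while parent[x] != x:
            x = parent[x]
        return x
    for i, j in combinations(range(len(messages)), 2):
        if jaccard(sh[i], sh[j]) >= threshold:
            parent[find(i)] = find(j)
    groups: dict[int, set[int]] = {}
    for i in range(len(messages)):
        groups.setdefault(find(i), set()).add(i)
    return sorted(groups.values(), key=min)

def suspect_clusters(messages: list[str], min_size: int = 2) -> list[set[int]]:
    """Several near-identical lures in one cluster are a DPA candidate (slide 8)."""
    return [c for c in cluster(messages) if len(c) >= min_size]

# Constructed sample: three copies of one lure pointing at different host pages,
# plus one unrelated legitimate notice.
SAMPLE = [
    "Dear customer, your account has been suspended. Verify your details at http://host-a.example/verify within 24 hours.",
    "Dear customer, your account has been suspended! Verify your details at http://host-b.example/login within 24 hours.",
    "Dear valued customer, your account has been suspended. Please verify your details at http://host-c.example/v within 24 hours.",
    "Your monthly statement is ready. Log in as usual to view it.",
]
```

With the URLs neutralised, the first three lures share most of their shingles and cluster together while the legitimate notice stays alone; on real mail feeds the threshold and shingle length would be tuned against known phishing and benign corpora.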
