Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars
Wesley W. Owen, spamconference@wesconsulting.com
Graduate Student, U Mass Lowell, Dept. of Computer Science
MIT Spam Conference, March 27-28 2008
Brief History
• The first known phishing attack on a financial operator was June 2001 against E-Gold.
• In 2004 phishing became a widespread attack and started to appear on the radar of technology crimes.
• Between 2004 and 2005, organized crime and phishers united to launch more attacks for profit.
Data gathered from http://www.antiphishing.org/phishReportsArchive.html
Tests Performed
• Test each technology against 10 real live phishing sites
  • Some URLs in blacklists
• Test those phishing sites copied to the lab
  • Lab URLs not in blacklists
• Create 10 phishing sites of my own in a lab
• Viewing sites in IE7: View -> Source -> File -> Save As
• wget -p --convert-links --user-agent="Mozilla…
Limitations
• I did not decompile any anti-phishing technologies; my results are purely from trial and error.
• I did not test enough phishing sites to make determinations regarding which anti-phishing filter is more effective at real phishing sites. Other papers in this area have done this. See:
  • http://www.cylab.cmu.edu/files/cmucylab06018.pdf
  • http://www.3sharp.com/projects/antiphishing/gone-phishing.pdf
Anti-Phishing Technologies Examined
• Internet Explorer 7.0
• Netcraft's Toolbar
• Earthlink's Toolbar
• GeoTrust TrustWatch
• SpoofGuard
• eBay's Toolbar
• Firefox 2
Types of Anti-Phishing Technology
• URL Blacklists
• Content Filter
• URL Popularity & Characteristics
• Password recognition
URL Blacklists
Similar idea as spam blacklists: a database of URLs that are known phishing sites.
Pros:
• Low false positives
• Easy to look up URLs (low overhead)
• Effective once the URL is listed
Cons:
• "Time to list" is too large to keep phishers out of business: approx. 10 hrs as of 2/08 (phishtank.com)
Content Filter
Examines the body of each web page visited.
Pros:
• Detects phishing sites as soon as phishers publish them
Cons:
• Higher overhead than other technologies (a small price to pay for most users)
• It is possible to learn the content rules and work around them
URL Popularity & Characteristics
URL Popularity: Checks domains against Google, Alexa, etc. to see how popular the URL is. The basis is that phishing sites are not popular.
URL Characteristics: Checks characteristics of the URL such as strange port numbers, recently registered domains, IP addresses, etc.
URL Popularity & Characteristics
Pros:
• Easy to look up URL (low overhead)
Cons:
• Usually requires human interpretation of the indicator and requires the operator to be aware of what phishing is.
• Privacy concerns: each site visited must be looked up at Google, Alexa, etc.
• May not work well for phishing sites hosted at sites like geocities, e.g. http://www.geocities.com/phisher/ebay/
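An added illustration (not code from the talk or from any of the toolbars examined) of the URL characteristic and popularity checks described on the two slides above, including the geocities caveat. The popularity set, the registration dates and the domain `phish-login.example` are all constructed for the example; a real implementation would query Alexa/Google and WHOIS, and would use the public suffix list instead of the naive `registered_domain` helper.

```python
import ipaddress
from datetime import date
from urllib.parse import urlparse

# Constructed stand-ins for the external lookups the slide describes: an
# Alexa/Google-style popularity list and a WHOIS-style registration date.
# Every value here is invented for the example; "phish-login.example" is a
# hypothetical domain on the reserved .example TLD.
POPULAR_DOMAINS = {"ebay.com", "geocities.com", "google.com"}
REGISTRATION_DATES = {
    "ebay.com": date(1995, 1, 1),
    "geocities.com": date(1995, 1, 1),
    "phish-login.example": date(2008, 2, 20),
}
RECENT_DAYS = 30                 # "recently registered" threshold (assumption)
EXPECTED_PORTS = {None, 80, 443}


def registered_domain(host):
    """Last two labels of the host. Real code would consult the public suffix
    list so that e.g. example.co.uk is handled; kept naive here on purpose."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_indicators(url, today=date(2008, 3, 1)):
    """Return the suspicious characteristics found in `url`, in a fixed order."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    hits = []
    try:
        port = u.port            # raises ValueError on a malformed port
    except ValueError:
        port = -1
    if port not in EXPECTED_PORTS:
        hits.append("unusual-port")
    try:
        ipaddress.ip_address(host)
        hits.append("ip-address-host")
        return hits              # no domain name to look up
    except ValueError:
        pass
    domain = registered_domain(host)
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        hits.append("unknown-registration")
    elif (today - registered).days < RECENT_DAYS:
        hits.append("recently-registered")
    # Popularity is judged on the registered domain, which is exactly why a
    # phishing page under a popular free host (the geocities case) gets a pass.
    if domain not in POPULAR_DOMAINS:
        hits.append("unpopular-domain")
    return hits


if __name__ == "__main__":
    for url in ["http://signin.ebay.com/",
                "http://189.140.107.157/bankmain.htm",
                "http://phish-login.example:8080/signin/",
                "http://www.geocities.com/phisher/ebay/"]:
        print(url, "->", url_indicators(url) or ["no indicators"])
```

The last sample URL is the slide's own geocities example: it comes back with no indicators at all, which is the limitation the Cons bullet points out, and is why the Conclusions slide argues for layering these checks with a content filter.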
Password recognition
Pros:
• Easy to detect (low overhead)
Cons:
• Assumes users never use the same password at more than one site
• Requires users to enter passwords to all sites ahead of time
Details of IE7's Content Filter
By trial and error I was able to determine what IE7's content filter was looking for when detecting fake ebay.com sites:
• 2 input tags nested in a form tag and 3 links:
  • "forgot userid" link
  • "forgot password" link
  • "keep me signed in" link
• 1 or more of 10 links that point to ebay.com
Smallest Page that trips IE7's Content Filter
<html>
<body>
<form action=".">
<input>
<input>
</form>
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow"></a>
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow"></a>
<a href="http://pages.ebay.com/help/newtoebay/staying_signed_in.html"></a>
<a href="http://pages.ebay.com/help/new/contextual/account_protection.html"></a>
</body>
</html>
Details of Earthlink's Content Filter
By trial and error I was able to determine what Earthlink's content filter was looking for when detecting fake ebay.com sites:
• 2 input tags
• 2 or more of 14 links that point to ebay.com & 1 .js file on ebay.com
Smallest Page that trips Earthlink's Content Filter
<html>
<body>
<input>
<input>
<a href="http://pages.ebay.com/help/index.html">Help</a>
<a href="http://pages.ebay.com/help/policies/privacy-policy.html">Privacy Policy</a>
</body>
</html>
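An added example (not code from IE7, Earthlink or the talk) that turns the two rule descriptions above into a small content filter and runs it over the two minimal pages from the slides plus a constructed benign login form. The rules are my reading of the slides: IE7 needs two inputs inside a form, the three named links and at least one further ebay.com link (standing in for the "1 or more of 10 links", since the list of 10 is not on the slides); Earthlink needs two inputs anywhere and either two ebay.com links or one .js file from ebay.com, which is the reading under which its minimal page trips the filter. Link matching uses path and query so that the cgi4/pages hosts do not matter.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The three links the slide says IE7 requires, keyed by path+query so that the
# host (cgi4/pages.ebay.com) and scheme do not matter.
IE7_REQUIRED_LINKS = {
    "/ws/eBayISAPI.dll?UserIdRecognizerShow",     # "forgot userid"
    "/ws/eBayISAPI.dll?ForgotYourPasswordShow",   # "forgot password"
    "/help/newtoebay/staying_signed_in.html",     # "keep me signed in"
}


def is_ebay_host(host):
    return host == "ebay.com" or host.endswith(".ebay.com")


class PageFeatures(HTMLParser):
    """Collects the page features the two content filters are described as using."""

    def __init__(self):
        super().__init__()
        self.form_depth = 0        # >0 while inside a <form>
        self.inputs_in_form = 0    # IE7 counts inputs nested in a form
        self.inputs_total = 0      # Earthlink counts inputs anywhere
        self.ebay_links = set()    # path+query of every <a href> pointing at ebay.com
        self.ebay_scripts = 0      # <script src> .js files served from ebay.com

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_depth += 1
        elif tag == "input":
            self.inputs_total += 1
            if self.form_depth > 0:
                self.inputs_in_form += 1
        elif tag == "a" and attrs.get("href"):
            u = urlparse(attrs["href"])
            if u.hostname and is_ebay_host(u.hostname):
                self.ebay_links.add(u.path + ("?" + u.query if u.query else ""))
        elif tag == "script" and attrs.get("src"):
            u = urlparse(attrs["src"])
            if u.hostname and is_ebay_host(u.hostname) and u.path.endswith(".js"):
                self.ebay_scripts += 1

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth > 0:
            self.form_depth -= 1


def features(html):
    p = PageFeatures()
    p.feed(html)
    p.close()
    return p


def ie7_rule(html):
    """IE7 rule as read from the slide: >= 2 inputs inside a form, the three
    named links, plus at least one other link to ebay.com (assumption standing
    in for the slide's "1 or more of 10 links")."""
    f = features(html)
    has_named = IE7_REQUIRED_LINKS <= f.ebay_links
    has_other = bool(f.ebay_links - IE7_REQUIRED_LINKS)
    return f.inputs_in_form >= 2 and has_named and has_other


def earthlink_rule(html):
    """Earthlink rule as read from the slide: >= 2 inputs (no form required)
    and either >= 2 links to ebay.com or a .js file loaded from ebay.com."""
    f = features(html)
    return f.inputs_total >= 2 and (len(f.ebay_links) >= 2 or f.ebay_scripts >= 1)


# Sample inputs: the two minimal pages from the slides, plus a constructed
# benign login form that links nowhere on ebay.com.
IE7_PAGE = """<html><body><form action="."><input><input></form>
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow"></a>
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow"></a>
<a href="http://pages.ebay.com/help/newtoebay/staying_signed_in.html"></a>
<a href="http://pages.ebay.com/help/new/contextual/account_protection.html"></a>
</body></html>"""

EARTHLINK_PAGE = """<html><body><input><input>
<a href="http://pages.ebay.com/help/index.html">Help</a>
<a href="http://pages.ebay.com/help/policies/privacy-policy.html">Privacy Policy</a>
</body></html>"""

BENIGN_PAGE = """<html><body><form action="/login"><input name="u"><input name="p">
<a href="/help">Help</a></form></body></html>"""

if __name__ == "__main__":
    for name, page in [("IE7 minimal", IE7_PAGE), ("Earthlink minimal", EARTHLINK_PAGE),
                       ("benign", BENIGN_PAGE)]:
        print(f"{name:18} IE7={ie7_rule(page)} Earthlink={earthlink_rule(page)}")
```

Because both rules work on a static parse of the markup, the filter only sees what is present in the HTML as delivered; the JavaScript attack later in the deck is exactly the case where the markup is empty until a script runs, which is why a filter of this kind should also be run against the rendered DOM.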
Page Load Attack
<html>
<body>
<!-- phishing site here -->
<?php
while(1) {
  echo " ";
  flush();
  sleep(1);
}
?>
</body>
</html>
Image Load Attack
<html>
<body>
<!-- phishing site here -->
<img src="http://1.2.3.4/image.gif">
<img src="http://1.2.3.5/image.gif">
<img src="http://1.2.3.6/image.gif">
<img src="http://1.2.3.7/image.gif">
<img src="http://1.2.3.8/image.gif">
. . .
</body>
</html>
JavaScript Attack
<html>
<head>
<script language="JavaScript">
function go() {
  var buf = "phishing site here";
  document.getElementById("output").innerHTML = buf;
}
</script>
</head>
<body onLoad="go()">
<div id="output"></div>
</body>
</html>
Attacks Against Anti-Phishing Filters
* The Page Load and Image Load attacks worked some of the time against eBay's Toolbar. I was unable to determine why it worked with some URLs but not others.
Attacks against URL Blacklists
Google's blacklist, http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1, has similar entries that lead me to believe wildcards are not being used:
• http://home.doramail.com/w37eudhs/
• http://home.doramail.com/w823ehds/
• http://189.140.107.157/
• http://189.140.107.157/bankmain.htm/
• http://189.140.107.157/boveda/
Similar results at http://www.phishtank.com/phish_archive.php
Attacks against URL Blacklists
Using multiple subdomains, folders, etc. phishers already create many phishing URLs. It is possible to create infinitely many URLs by:
• Custom 404 error page (page not found)
• Apache rewrite rule:
  RewriteEngine on
  RewriteRule ^[A-Za-z0-9]*$ phishing_page.html
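An added example (not code from Google, PhishTank or the talk) of the lookup-side fix the two blacklist slides point at: the same five entries copied from the slide, looked up first verbatim, the way a list without wildcards behaves, and then with two generalisations applied at lookup time, so that the list format itself need not change. The variant URLs fed to it are constructed; the host threshold of 3 is an assumption.

```python
from urllib.parse import urlparse

# Entries copied from the slide (Google's goog-black-url list and the
# PhishTank archive as of early 2008); the lookups below are constructed.
BLACKLIST = [
    "http://home.doramail.com/w37eudhs/",
    "http://home.doramail.com/w823ehds/",
    "http://189.140.107.157/",
    "http://189.140.107.157/bankmain.htm/",
    "http://189.140.107.157/boveda/",
]


def canonical(url):
    """(host, path) with a lower-cased host and a non-empty path, so that
    trivial variations (host case, empty path) do not defeat the lookup."""
    u = urlparse(url)
    return (u.hostname or "").lower(), (u.path or "/")


def exact_match(url, entries=BLACKLIST):
    """What a list without wildcards gives you: the URL must appear verbatim."""
    return canonical(url) in {canonical(e) for e in entries}


def prefix_match(url, entries=BLACKLIST, host_threshold=3):
    """Two generalisations of the same list:
    - an entry ending in '/' is treated as a directory and matches anything below it;
    - a host that already has `host_threshold` or more entries is blocked outright,
      on the view that a host churning out listed URLs is itself the problem."""
    host, path = canonical(url)
    paths_for_host = [p for h, p in map(canonical, entries) if h == host]
    if len(paths_for_host) >= host_threshold:
        return True
    return any(path == p or (p.endswith("/") and path.startswith(p))
               for p in paths_for_host)


if __name__ == "__main__":
    for url in ["http://home.doramail.com/w37eudhs/",
                "http://home.doramail.com/w37eudhs/index.html",
                "http://home.doramail.com/zzz999/",
                "http://189.140.107.157/boveda/login.htm",
                "http://189.140.107.157/other/"]:
        print(f"{url:48} exact={exact_match(url)!s:5} prefix={prefix_match(url)}")
```

The host-level rule is the one to tune with care: on a shared host of the geocities kind it would block every user's pages, which is the same trade-off the URL Popularity slide raises from the other direction. The directory rule has no such cost and already covers the rewrite-rule and custom-404 tricks above when the listed entry is the directory they live under.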
Conclusions
• The best anti-phishing filters use a layered approach (URL Blacklist + Content Filter)
• Use multiple phishing blacklists
• Future work:
  • Decompiling IE7 and Earthlink's content filter to learn more about them
  • If they use static rules, enhance them to use dynamic rules that can be controlled & updated centrally, which would make it much harder for phishers to succeed
  • Address the page/image load & JavaScript attacks