A HYBRID SYSTEM TO FIND & FIGHT PHISHING ATTACKS ACTIVELY, BY CHAITHRASHREE B K

Aug 31, 2014


A HYBRID SYSTEM TO FIND & FIGHT PHISHING ATTACKS ACTIVELY

BY CHAITHRASHREE B K

WHAT IS PHISHING?

Phishing is an identity-theft attack in which criminals create fake web sites that impersonate well-known organizations and ask users to fill in their confidential personal information. It is a criminal activity that uses social engineering techniques. It is also called brand spoofing.

IS PHISHING A SERIOUS PROBLEM?

According to a study by Gartner, 57 million Internet users have identified the receipt of e-mail linked to phishing scams, and about 2 million of them are estimated to have been tricked into giving away sensitive information.

TILL OCT 2011, APAC HAS HANDLED 68,925 PHISHING WEBSITES.

[Chart: horizontal axis in months from 08/07 to 11/10, vertical axis from 0 to 6000.]

EXAMPLE:

http://signinebay.com-cgibin.tk/eBaydll.php

WHOIS 210.104.211.21: Location: Korea

Even bigger problem: I don't have an account with US Bank!

THE MAIN FEATURES IN PHISHING ATTACKS:

The principal phishing web pages are more likely to be hidden deep inside phishing websites to avoid phishing detection, so their full URLs are always complicated and multilevel.

The lifetime of phishing URLs is getting shorter and shorter.

TYPES OF PHISHING ATTACKS:

Spoofed e-mails and web sites.

Exploit-based phishing attacks.

SPOOFED E-MAILS:

The idea here is to persuade the victim to send back sensitive information by means of a formal-looking e-mail request. It is similar to a scam in which the attacker sends a fake winning notification to the victim, asking for his credit card number and so on.

SPOOFED WEB SITES:

Many organizations, such as banks, do not provide interactive services based on e-mail where the user has to provide a password, but use their websites to provide such interactive services (even on SSL!).

EXPLOIT-BASED PHISHING ATTACKS:

Some phishing attacks are technically more sophisticated and make use of well-known vulnerabilities in popular web browsers, such as Internet Explorer, to install malicious software that collects sensitive information about the victim.

Which malware will the attackers use?

Key loggers.

Remote machine controllers.

TRADITIONAL ANTI-PHISHING METHODS:

Most browser makers use blacklists provided by anti-phishing organizations, like APWG and PhishTank, to block phishing URLs.

Some researchers have built tools that apply heuristic rules to user-provided URLs to determine whether they are phishing URLs or not.

DISADVANTAGE: These methods work in a passive way and are not fast or efficient enough to find and take down phishing attacks.

HYBRID METHOD BY Anti-Phishing Alliance of China (APAC):

APAC is the authoritative anti-phishing organization whose main duty is to receive all phishing reports in China and to handle the real phishing attacks among them as quickly as possible.

It proposed a hybrid method to detect general phishing attacks in an active way through DNS query logs and known phishing URLs.

DISCOVERING PHISHING SITES IN AN ACTIVE WAY:

The first step is to find suspicious phishing hosts. Recursive DNS query logs record all the live hosts that are visited by local users.

Known phishing URLs are used to get frequently used phishing paths.

We can then find phishing URLs actively by constructing URLs from the phishing hosts and the phishing paths.

FLOWCHART OF ANTI-PHISHING SYSTEM:

[Flowchart; box labels: DNS Query Logs, Preprocess, Phishing Hosts Retrieval, Suspicious Phishing Host, Phishing Repository, Phishing Path Frequency Compute, TOP N, Phishing Paths, Phishing URL Construction, Phishing URL, URL Existence Detection, Domain Register Information, Third Party Information Filtering, APAC.]

PHISHING URL CONSTRUCTION PROCESS:
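The construction step described in the slides above, as an added example that is not code from the presentation or from APAC: hosts taken from a DNS query log are crossed with the top-N paths of known phishing URLs to produce candidates for the existence check. The log layout, the `.example` sample data and the host-selection heuristic in `suspicious_hosts` are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data, not from the slides. Hosts use the reserved .example
# TLD; the log layout "timestamp client qname qtype" is an assumption.
DNS_LOG = """\
2011-10-01T09:00:01 10.0.0.5 www.bank.example. A
2011-10-01T09:00:02 10.0.0.7 signin-bank.example.cgi-login.example. A
2011-10-01T09:00:03 10.0.0.7 SIGNIN-BANK.example.cgi-login.example. AAAA
2011-10-01T09:00:04 10.0.0.9 news.site.example. A
2011-10-01T09:00:05 10.0.0.9 bank.example.secure-update.example. A
malformed line
"""
KNOWN_PHISHING_URLS = [
    "http://a.example/login/verify.php?id=1", "http://b.example/login/verify.php",
    "http://c.example/secure/update.html", "http://d.example/login/verify.php#x",
    "http://e.example/secure/update.html", "http://f.example/",
]
PROTECTED = {"bank.example"}  # legitimate domains being defended (assumed)

def hosts_from_log(log_text):
    """Distinct, normalised host names seen in the recursive DNS query log."""
    hosts = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] in ("A", "AAAA"):
            hosts.add(fields[2].rstrip(".").lower())
    return hosts

def suspicious_hosts(hosts, protected):
    """Assumed heuristic: a protected name embedded in a host that is neither
    the protected domain nor one of its subdomains."""
    def legit(h):
        return any(h == p or h.endswith("." + p) for p in protected)
    return sorted(h for h in hosts
                  if not legit(h) and any(p in h for p in protected))

def top_paths(urls, n):
    """Paths of known phishing URLs ranked by frequency; bare roots ignored."""
    paths = (urlsplit(u).path for u in urls)
    counts = Counter(p for p in paths if p not in ("", "/"))
    return [p for p, _ in counts.most_common(n)]

def candidate_urls(log_text, known_urls, protected, n):
    """Suspicious hosts x top-n paths. Candidates still need the existence
    check and filtering stages before anything is reported."""
    paths = top_paths(known_urls, n)
    hosts = suspicious_hosts(hosts_from_log(log_text), protected)
    return [f"http://{h}{p}" for h in hosts for p in paths]
```

The number of candidates grows as hosts times N, which is the efficiency versus recall trade-off the presentation lists under further work.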

DEPLOYMENT & RUNNING:

Logs are received and processed at 1:00 PM each day.

Phishing reports are auto-analyzed to refresh the phishing path frequencies.

Suspicious phishing hosts are auto-pushed

Screenshots of phishing web pages are auto-stored as evidence.

CONCLUSION:

The results of the present study are as follows:

A hybrid method to discover phishing attacks actively using DNS logs and known phishing knowledge.

A phishing detection system that reports Chinese phishing attacks to APAC, and its contribution to anti-phishing.

SCOPE FOR FURTHER WORK:

The present study can be further extended with the following suggestions kept in mind:

Determine the number of high-frequency paths needed when constructing URLs, in order to balance computing efficiency and recall rate.

Visual similarity can be considered when calculating LD between strings.


THANK YOU