Source: shodhganga.inflibnet.ac.in/bitstream/10603/23895/12/12... (2018-07-09)
CHAPTER 7
SERVER SIDE PHISHING FILTERING TECHNIQUES
7.1 INTRODUCTION
The client side phishing techniques were discussed in the previous chapters. In this chapter, we look into the server side techniques. Usually, servers are the more favoured targets, for obvious reasons. Since phishing attacks are getting trickier, the client information submitted to the server cannot always be trusted. In addition to stealing the user's password, phishers also steal more sensitive information from the user by imitating a successful authentication. They may even check the validity of the password by forwarding it to the legitimate server, or hijack the user's login session with a man-in-the-middle attack. A phishing attack is usually carried out by an email or an instant message that tries to lure recipients to a fake website, where they reveal their personal credentials.
A number of countermeasures have been proposed and developed for protecting websites against phishing attacks. Server-side protection uses SSL certificates, a user-selected logo and other security indicators to help users verify the legitimacy of websites. When phishing is carried out via email, the illegal user sends out a large number of messages that appear to come from a genuine source, such as a trusted business or financial institution. The emails include urgent requests for personal information to be submitted. Typically, the phisher claims that there is some serious need to update an account instantly. A link in the email message leads to an authentic-looking website, where the information is in fact entered by users; the personal information provided to this site, however, goes directly to the illegal business committing the phishing attack, and not to the imitated but legitimate business.
The term 'server side' here does not only mean the servers in financial institutions. It also includes servers throughout the whole network. Though many methods exist for protecting users' information, many individuals and organizations still lose their information most of the time. The literature clearly reveals that the existing server side phishing techniques have not identified the phishers clearly. Thus, there exists a large gap between the server side phishing techniques and the secrecy the user expects. Therefore, there is a need for better phishing prevention techniques, considering the importance of the user's personal information. There is a need to tailor the secrecy of the information, and to satisfy everyone who uses the website.
Phishing prevention techniques are a promising way to resolve this problem with advanced methods. In this work, so that the personal information of users is more secure, users should be made aware when the step-by-step process is not being followed, and when they need to stop the process and withhold their personal information. To meet all these necessities, four server side techniques are introduced: the one-time password mechanism, the watermarking mechanism, preventing phishing through session hijacking, and e-mail phishing. In the one-time password mechanism, the password becomes available only after the first step of authentication. In the watermarking mechanism, the specified watermark must be present during authentication. The one-time URL method is applied against session hijacking, and e-mail filtering methods are implemented.
7.2 ONE-TIME PASSWORD MECHANISM
A password that is valid only for one session or transaction is known as a One-Time Password (OTP), and it helps in avoiding the risks of traditional or regular passwords. In this system, a password is available only after generating the secret code. Users can be authenticated with the encrypted security code delivered on demand via a reliable communication protocol. The user database at the server side matches a user's name with its corresponding identity on another communication path. When a user wants to access the website, the server sends an encrypted security code to the user through the communication protocol. On receipt of the encrypted security code, the user has to decrypt that code and enter it to log in. The security code is encrypted with the private key and decrypted with the public key. The decryption is done by the user.
The admin process, consisting of registration, involves the following steps. The user must choose one login name, fill in all the required information fields, and provide at least one type of personal contact information (e-mail address or mobile number). The website should list all the services that it uses to deliver the security code, so that the user can choose the preferred service. The use of a security question is not mandatory; it depends on the web site provider's policy or the user's wish. However, such questions make the authentication process more secure. The proposed system is shown in Figure 7.1. The steps are as follows:
(i) The validation page is sent to the customer. The page contains the name of the login used by the web site.
(ii) If the customer's login name is new to the web site, the customer is asked for permission to add the login name to the website's contact list.
(iii) After the login has been approved by both the web site and the customer, the website sends an account validation message to the user via the designated communication channel.
Figure 7.1 One-time password system for preventing a phishing attack
Next, the user starts the actual login process by browsing the login page, which contains an input field for the customer's login name and the CAPTCHA test. If the user's login name is not recognized by the website, an error page must be displayed. If the user's account name is valid, the website checks the customer's registered account and sends an acknowledgement to that account. If the acknowledgement message is valid, the customer enters the assigned security code on the input page. On receipt of the security code, the website has to make sure that the customer submits the security code from exactly the same IP address from which the customer requested to log in.
[Figure 7.1 labels: Client side: User, Registration, Login, Decryption; Server side: Generate security code, DB; messages: User name and captcha code, Acknowledgement, Encrypted code, Security Code]
7.2.1 Implementation Process
This solution can only be implemented on the web server's side. If our system is to offer a practical defence against phishing attacks, it must impose minimal overhead, since a solution that significantly slows the web browsing experience is unlikely to be adopted. Figure 7.2 contains an input field for the user's login name and the CAPTCHA test. If the user's login name is not valid, an error message is shown. If the user's name is valid, the website checks the user's registered account and sends an acknowledgement to that user.
Figure 7.2 First login page
Next, the customer enters the assigned security code on the input page as shown in Figure 7.3. On receipt of the security code, the website has to check whether the user has submitted a valid security code. If it is not valid, an error message is displayed, and the user can enter a wrong security code only n times.
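As an added illustration of the server-side bookkeeping described in Sections 7.2 and 7.2.1 (this is example code written for this edition, not the thesis's implementation, and it leaves out the public/private-key wrapping of the code): the service issues a short-lived security code once the login name and CAPTCHA are accepted, binds it to the IP address that requested the login, accepts it exactly once, and allows only n wrong attempts. The class and method names, the in-memory database, the 30-second lifetime and the value n = 3 are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME_SECONDS = 30   # the page says "a few seconds"; 30 is an assumed value
MAX_WRONG_ATTEMPTS = 3       # the page's "n times"; n = 3 is an assumed value


@dataclass
class PendingCode:
    code: str            # the one-time security code itself
    issued_at: float     # clock reading when it was sent
    client_ip: str       # IP address of the browser that asked to log in
    wrong_attempts: int = 0


class OneTimePasswordService:
    """Hypothetical in-memory stand-in for the server-side user DB of Figure 7.1.

    It maps each registered login name to its contact channel and keeps the
    code currently outstanding for that login.
    """

    def __init__(self, registered_users, now=time.time):
        self.users = dict(registered_users)   # {login_name: contact address}
        self.pending = {}                     # {login_name: PendingCode}
        self.now = now                        # injectable clock, so expiry can be tested
        self.outbox = []                      # stands in for the e-mail / SMS channel

    def request_login(self, login_name, client_ip, captcha_ok):
        """First login page: login name plus CAPTCHA; on success a code is sent
        to the registered contact channel and bound to the requesting IP."""
        if not captcha_ok or login_name not in self.users:
            return False                      # unknown login name: error page
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[login_name] = PendingCode(code, self.now(), client_ip)
        self.outbox.append((self.users[login_name], code))
        return True

    def submit_code(self, login_name, client_ip, submitted_code):
        """Second page: the code must arrive from the same IP that requested the
        login, within the lifetime, and match; one success consumes it."""
        entry = self.pending.get(login_name)
        if entry is None:
            return "no-pending-code"
        if client_ip != entry.client_ip:
            return "ip-mismatch"
        if self.now() - entry.issued_at > CODE_LIFETIME_SECONDS:
            del self.pending[login_name]
            return "expired"
        if not hmac.compare_digest(entry.code, submitted_code):
            entry.wrong_attempts += 1
            if entry.wrong_attempts >= MAX_WRONG_ATTEMPTS:
                del self.pending[login_name]  # n wrong codes: start over
                return "locked"
            return "wrong-code"
        del self.pending[login_name]          # valid for exactly one login
        return "ok"


def demo():
    """Legitimate login followed by three abuse cases, on a controllable clock."""
    clock = [1000.0]
    svc = OneTimePasswordService({"alice": "alice@example.test"}, now=lambda: clock[0])
    results = []
    svc.request_login("alice", "10.0.0.5", captcha_ok=True)
    _, code = svc.outbox[-1]
    results.append(svc.submit_code("alice", "10.0.0.9", code))   # other IP
    results.append(svc.submit_code("alice", "10.0.0.5", code))   # genuine user
    results.append(svc.submit_code("alice", "10.0.0.5", code))   # replay of a used code
    svc.request_login("alice", "10.0.0.5", captcha_ok=True)
    _, code = svc.outbox[-1]
    clock[0] += CODE_LIFETIME_SECONDS + 1
    results.append(svc.submit_code("alice", "10.0.0.5", code))   # code outlived its window
    return results


if __name__ == "__main__":
    print(demo())
```

The clock is injected rather than read from `time.time()` directly so that the expiry rule can be exercised deterministically; the constant-time comparison avoids leaking how many leading digits of a guess were right.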
Figure 7.3 Identification of the user name
7.2.2 Security analysis of one-time password mechanism
Besides phishing, this system also avoids some other attacks. The following are the attacks that trouble websites:
(i) Denial of service attack
A denial of service attack could be launched against any part of the Internet connectivity and network infrastructure. In the proposed solution, the website authenticates the customer by asking him/her to input the security code already assigned by the website. The customer authenticates the website by first checking the sender of the acknowledgement message.
(ii) IP Spoofing
In IP spoofing, the attacker fakes the source IP address so that the target computer receives attack traffic that appears to originate from its own address, which can cause an operating system such as Windows to crash or lock up. This proposed solution restricts the locations that are able to launch IP spoofing attacks. If the attacker uses the same IP address as the user in the same local network concurrently, the user can detect it. The lifetime of the security code is only a few seconds, so it is not possible for the attacker to log in to the protected website via the same IP address.
(iii) Server spoofing
On Windows 95 stations, LANMAN authentication can be requested from the client by running the C2MYAZZ utility, which the attacker uses to his benefit by acting like the server during the user login sessions. If the attacker succeeds in tricking the client, he will be able to read the user's login details from the network packets. The proposed solution does not require a preset password to log in, thereby avoiding password theft.
(iv) Man in the middle attack
An attacker may watch a session open on a network. Once authentication is over, he might attack the client system to disable it, use IP spoofing to claim to be the client who was just authenticated, and take over the session. In this proposed solution, suppose the attacker discovers both the customer's web account name and the security code for the current session. Since the life span of the security code is very short, it would be of little use to the attacker.
This approach would be deployed for websites requiring a high level of security, and it would ultimately help in retaining the customer's confidence in using web-based commerce. Compared with the consequences of phishing, the added latency of a few milliseconds is negligible. This approach prevents phishing sites more effectively than the earlier techniques, but this fundamental check alone does not prevent all phishing sites. So, the next technique is implemented with watermarking.
7.3 WATERMARKING MECHANISM
The purpose of a watermark is to identify the work and prevent its unauthorized use. A visible watermark is a common way of identifying images and protecting them from unauthorized use online. The watermark message is intended to be distinctive for every user, and carries a shared secret between the company and the user in order to stop attacks like phishing. The proposed system is shown in Figure 7.4.
Figure 7.4 System for preventing phishing attack using watermarking
[Figure 7.4 labels: Client side: User, Registration, Login, Application, Decrypt the code, Show as a watermarking, Increase Credibility; Server side: Auto generation of Secret code, Encrypt the code, DB, Retrieve the secret code based on user ID, Show the code to user]
Here, the client enters the URL to view the required webpage of a particular web server. To increase the credibility of the web site of that particular webpage, the client machine's current date and time are displayed in the client browser. Usually, when a phishing attack occurs, the page may redirect during the money transaction. When clients need to enter their personal details, such as an online banking password or ATM PIN number, they need to log in. After logging in, the client may not know whether he is on the correct page or not. This is where the watermarking technique plays a major role, giving the highest credibility to that particular webpage. After logging in, and before giving the personal details, the user can check the credibility level of the webpage. This credibility provision is only possible through the watermarking mechanism, as shown in Figure 7.5.
Before logging into a commercial web site, the user can see his/her
machine’s date and time in the logo, which is initiated from the server. After
logging in, if the user places the cursor over the logo, the secret code will be
displayed. This secret code is user dependent and it will be stored in the
server database. If the user places the cursor at the top of the web page, the
user’s name will be displayed.
But the attacker may hack the server database to get the respective secret code of the user, and may then show that watermark on a fake website to make it pass as the legitimate one. To avoid this kind of problem, the server encrypts the secret code, using a symmetric key encryption algorithm, before storing it in the database.
This algorithm will convert the secret code into an encrypted
format, which cannot be understood by humans. When the user logs in to this
website, the secret code of that particular user will be fetched from the
database, and decrypted, into a human readable format, using the symmetric
key decryption algorithm.
Figure 7.5 Watermarking system
This encrypted water marking mechanism is more secure than the
previous ones, since the date and time are initiated from the server and the
secret code is displayed only after decryption. Even if the attacker hacks the
server database he/she cannot understand the secret code. This is the simplest,
easiest, and at the same time, the most efficient watermarking technique, to
prevent phishing attacks.
Here, the main advantage is that the secret code will be decrypted
on the client side and the server will send the encrypted secret code only to
the client side. Using this, the man in the middle attacks will be prevented.
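Added example, not the thesis's code, of the encrypt-before-storing step described above: the database row holds only ciphertext, the key is held by the server outside that database, and the per-user secret code is recovered at login for display in the watermark. The cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen only so the block runs on the Python standard library; a production system would use a vetted AEAD such as AES-GCM. The class and function names, the key bytes and the user ID are constructed for the example, and the client-side decryption step of Figure 7.4 is not modelled here.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32

# Assumed: the key is held by the server (key store or environment), never in the
# database that holds the ciphertexts. This value is constructed for the example.
SERVER_KEY = hashlib.sha256(b"constructed-demo-key-do-not-reuse").digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode. Used here only so the example needs no
    third-party library; a real deployment would use AES-GCM or similar."""
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def encrypt_secret(key, plaintext):
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_secret(key, blob):
    """Verify the tag first, then strip the keystream; raise on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("watermark record too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("watermark record tampered with or wrong key")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class WatermarkStore:
    """The DB box of Figure 7.4: holds the encrypted secret code per user ID."""

    def __init__(self, key):
        self.key = key
        self.rows = {}   # user_id -> encrypted blob

    def register(self, user_id):
        """Auto-generate the user's secret code and store it encrypted."""
        code = secrets.token_urlsafe(9)
        self.rows[user_id] = encrypt_secret(self.key, code.encode())
        return code   # shown to the user once, at registration

    def secret_for_watermark(self, user_id):
        """At login: fetch the row, decrypt, return the human-readable code."""
        return decrypt_secret(self.key, self.rows[user_id]).decode()

    def raw_row(self, user_id):
        """What a copy of the database yields: ciphertext only."""
        return self.rows[user_id]


if __name__ == "__main__":
    store = WatermarkStore(SERVER_KEY)
    code = store.register("user-17")
    print(code, store.secret_for_watermark("user-17"), store.raw_row("user-17").hex())
```

The tag is checked before any decryption so that a modified row (for example, one swapped in by an attacker who gained write access to the database) is rejected rather than rendered as a plausible-looking watermark.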
Some of the existing watermarking techniques are a little more costly than this method, since they need additional software such as ImageMagick. This approach is platform independent, and there is no load on the client side, such as the use of an additional tool. But this fundamental check does not prevent all phishing attacks. So, the next technique is implemented against session hijacking.
7.4 PREVENTING PHISHING THROUGH SESSION HIJACKING
The method by which the attacker gains access to the user's session by obtaining his session ID, and then acts like the authorized user, is called session hijacking. This gives the hacker free access to do anything in the network that the legitimate user is allowed to do.
Normally the session ID is stored in a cookie or in the URL, and the authentication procedures are carried out only at initial setup time; the hijacker takes advantage of this by intruding into that session in real time. Session hijacking can be a possible reason behind an unexpected response from the website, or no response to the user's inputs.
A web based detection and prevention mechanism called Session
Hijacking Attack Prevention System (SHAPS), is used to prevent session
hijacking. It fetches all the requests and responses, and validates them for
session hijacking. It prevents session fixation by validating the hostname, IP
address, and session ID, and mismatched sessions are invalidated.
The Universally Unique Identifier (UUID) and Time Stamp (TS) are used to generate the URL for providing short-lived services, and also as a gateway for every request. The Secure Hash Algorithm (SHA-1) is used in a non-static web session to prevent session hijacking, by dynamically creating session identifiers, which are further used to weed out the phishing website.
The Session Hijacking Attack Prevention System has two parts.
The first part of the system has the normal client server communication, and
the second part contains phases of the SHAPS. Each phase contains web
services for preventing a session hijacking attack. The repository stores the
necessary information about the client’s request in order to retrieve the
information later, to validate the client’s request.
The architecture of the system is described in terms of the components and their interactions. A component is a part of the system that provides a well-defined interface. Components interact with other components through their interfaces. In order to prevent the session hijacking attack in a web application, the client's request to the web application should be captured and checked against the attacker's session ID, through different types of web services.
SHAPS has three parts, namely, the session fixation preventer web
service, one time URL web service and the non static web session creator web
service. Each part has a separate web service to detect and prevent the session
hijacking attack in web applications.
7.4.1 Session Fixation Preventer Web service
A session ID is issued by the web server to the user session. This approach, however, ignores one very important issue. There is a possibility of the attacker issuing a session ID to the client's session, thereby forcing the client to use a chosen session. This class of attack is called session fixation. It is one of the session hijacking attacks, because the user's session ID has been fixed by the attacker in advance, instead of being generated randomly at login time. Figure 7.6 describes the session fixation attack preventer web service.
Figure 7.6 Session Fixation Attack Preventer Web Service
In a normal client and server environment, the client sends a request through the browser and the server responds to the browser with the web application. Since HTTP is a stateless protocol, a session is maintained for reliable communication between the client and server for each single user communicating through the session. Each session has a unique session identifier, which serves as the identification key of the user. There is an opportunity for the attacker to issue a session ID to the client's browser, thereby forcing the user to use a selected session. This class of attack is called session fixation. It is one of the session hijacking attacks, because the user's session ID has been fixed in advance instead of being generated randomly. If the impersonated client clicks the link as a request, the attacker's session is fixed to the client session in the weakly developed web application. The attacker already knows the fixed session ID; hence, at the same time, the attacker can enter the client's account without providing the user name and password, and gain access until the client signs out of the session. For this problem, Figure 7.6 provides an essential solution for the weakly developed web application. When the client's request is sent by the attacker, it will be fixed with the session ID to the client session.
[Figure 7.6 labels: Client, Web Server, Web Service, Database; Req / Res; Fetching data from request; Validating fetched request; Regenerated session ID; Original session data]
After a successful login, a web-server-generated session ID is displayed within the alert message box. It is used to maintain a different user session for each user accessing the same server. If the attacker-fixed session is blocked by the web service, the attacked web page shows an alert message; likewise, when the session ID is mismatched, or if the session ID was not generated by the server, an alert message is displayed on the screen.
When the session fixation preventer web service is applied to a weakly developed web application, each of the multiple requests is fetched by the session fixation preventer web service and stored as essential information in the repository. The essential information is the session ID, IP address, date, time, and host name of the request. Using all this information, called by the validation services, it can check the requested URL for the same session ID, a different IP address, and the same host name within a short period of time. The validation service then identifies it as an attacker session, and the service allows the request to the web server after logging in. The attacker-fixed session ID is regenerated and stored in the repository. Now, the attacker cannot attack the client session by fixing the attacker's session ID to the client session. Figure 7.7 shows the XML structure of the fixation preventer service.
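Added example (not the thesis's SHAPS code) of the checks Section 7.4.1 describes: the session ID is regenerated at login so an attacker-fixed ID is never promoted to an authenticated session; every request is recorded in a repository with its session ID, IP address, host name and time; and a request that reuses a session ID from a different IP address against the same host within a short window is identified as an attacker session and invalidated. The class name, the in-memory repository, the 60-second window and the sample IP addresses and host names are assumptions constructed for the example.

```python
import secrets
import time
from collections import defaultdict

SHORT_PERIOD_SECONDS = 60   # the page's "short period of time"; 60 s is an assumed value


class SessionFixationPreventer:
    """Hypothetical in-memory version of the SHAPS repository and validator.

    Each request is recorded as (IP address, host name, time) under its session
    ID, and validated against the earlier requests for the same session ID.
    """

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.issued = {}                     # session_id -> {"user", "host"}
        self.history = defaultdict(list)     # session_id -> [(ip, host, time)]
        self.invalidated = set()

    def login(self, presented_session_id, user, ip, host):
        """On successful login the server regenerates the session ID. The ID the
        browser presented, which an attacker may have fixed, is retired and a
        fresh random one is issued and recorded."""
        if presented_session_id:
            self.invalidated.add(presented_session_id)
            self.issued.pop(presented_session_id, None)
        sid = secrets.token_hex(16)
        self.issued[sid] = {"user": user, "host": host}
        self.history[sid].append((ip, host, self.now()))
        return sid

    def validate_request(self, session_id, ip, host):
        """Return "ok" or the reason the request is refused."""
        if session_id in self.invalidated:
            return "invalidated-session"
        record = self.issued.get(session_id)
        if record is None:
            return "unknown-session-id"      # never generated by this server
        if record["host"] != host:
            return "host-mismatch"
        t = self.now()
        for prev_ip, prev_host, prev_t in self.history[session_id]:
            # same session ID, different IP, same host, short period: attacker session
            if prev_ip != ip and prev_host == host and t - prev_t <= SHORT_PERIOD_SECONDS:
                self.invalidated.add(session_id)
                del self.issued[session_id]
                return "session-hijack-suspected"
        self.history[session_id].append((ip, host, t))
        return "ok"


def demo():
    """A fixation attempt: the attacker hands the victim a chosen session ID,
    the victim logs in, and the attacker then tries to ride the session."""
    clock = [0.0]
    shaps = SessionFixationPreventer(now=lambda: clock[0])
    fixed_id = "attacker-chosen-id"              # constructed value
    victim_sid = shaps.login(fixed_id, "alice", "10.0.0.5", "bank.example")
    outcomes = {
        "fixed_id_reused_by_attacker": shaps.validate_request(fixed_id, "198.51.100.7", "bank.example"),
        "victim_normal_request": shaps.validate_request(victim_sid, "10.0.0.5", "bank.example"),
    }
    clock[0] = 10.0
    outcomes["stolen_id_from_other_ip"] = shaps.validate_request(victim_sid, "198.51.100.7", "bank.example")
    outcomes["victim_after_invalidation"] = shaps.validate_request(victim_sid, "10.0.0.5", "bank.example")
    return victim_sid != fixed_id, outcomes


if __name__ == "__main__":
    print(demo())
```

Regenerating the ID at login is what defeats fixation on its own; the IP and host checks over the repository are the detection layer the section adds on top of it for sessions whose ID has leaked after login.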
Figure 7.7 XML Structure of the fixation preventer service
7.4.2 One time URL Web Service
The main goal of the one time URL is to provide security to short-lived services, like transaction services, account activation services and password reset services. The one time URL is valid for only one access. It will be generated by the web server, and our web service using UUID and