Smart-Phone Phishing Mohammed Alqahtani
Dec 19, 2015
Mohammed Alqahtani - CS691 Summer2011
What is Phishing?
Example of a phishing URL: http://kukumoj.co.uk/pp/paypal/intl/webscr.php (the path imitates PayPal's webscr login page, but the host is kukumoj.co.uk).
Why Is It Called Phishing?
Damage by Phishing
▪ Between May 2004 and May 2005, 1.2 million users in the U.S. were phished [1], costing approximately US$929 million [1].
▪ United States businesses lose an estimated $2 billion every year [1].
▪ 3.6 million adults lost money in phishing attacks in the 12 months to 2007 [2].
▪ 1 in 20 users lost money to phishing in 2005 [3].
▪ $1.8 billion was lost to phishing in 2008 [4].
History of Phishing
▪ 1970s: phone calls.
▪ 1995: AOL users; the goal was account passwords for free online time; low threat. Techniques: similar names (www.ao1.com for www.aol.com), social engineering.
▪ 2001: eBay users and major banks; the goal was credit card numbers and accounts; medium risk. Techniques: similar names, key-logging.
▪ 2007: PayPal, banks, eBay; the goal was bank accounts; high risk. Techniques: browser vulnerabilities, link confusion.
Industries Affected
Major industries affected: financial services, ISPs, online retailers.
Source: OWASP.com – Chennai – 2007
Phishing Techniques
▪ Deceptive phishing.
▪ Malware-based phishing (runs on the user's machine).
▪ Search engine phishing.
▪ Man-in-the-middle phishing.
▪ Content injection.
▪ Cross-site scripting.
Why Phishing Works?
▪ Lack of knowledge: lack of computer system and security knowledge.
▪ Visual deception: visually deceptive text; images masking underlying text.
▪ Bounded attention: lack of attention to security indicators; lack of attention to the absence of security indicators.
Source: "Why phishing works" by Rachna Dhamija, J. D. Tygar, and Marti Hearst, 2006 [1].
Why Phishing Works?
▪ Vulnerabilities in browsers.
▪ Weak authentication at websites.
▪ Vulnerabilities in applications.
▪ ... and more: phishers keep looking for vulnerabilities.
Anti-phishing
Educate users:
▪ Increase awareness of the impact of phishing.
▪ Train people to recognize phishing attempts.
▪ Ensure the web browser has the latest security patches applied and install up-to-date anti-virus packages.
▪ Never submit credentials on forms embedded in emails.
Anti-phishing
Technical defense, client side:
▪ Browser content filtering.
▪ Digitally signed e-mails.
Technical defense, server side:
▪ Validating official communications.
▪ Web validation portals.
▪ Web application security.
▪ Sign-in and session-bound images.
Enterprise-level defense (server and ISP):
▪ Mail server authentication.
▪ Domain monitoring and take-down.
▪ Managed services from third parties (blacklists).
Previous Work
Existing solutions use blacklists to filter phishing sites:
▪ Collected lists: PhishTank.
▪ Automatic lists: automatic detection using machine learning.
Filtering and alerting functions are integrated into browsers through plug-ins, extensions and toolbars.
Phishing links are also filtered and monitored on the server side and taken down.
Related Work
PhishTank, operated by OpenDNS since October 2006, is a free community site that uses the public's effort to build a dependable blacklist of phishing websites. Reported websites are verified by the community after members submit them. PhishTank fights phishing attacks effectively, detecting thousands of phishing links every month.
▪ Well-known organizations and browsers use PhishTank's blacklist database, including Yahoo Mail, Opera, McAfee, and Mozilla Firefox.
Related Work
▪ "Large-Scale Automatic Classification of Phishing Pages", Colin Whittaker, Brian Ryner, Marria Nazif, NDSS '10, 2010 [2]: an automatic classifier that detects phishing websites and maintains Google's blacklist. It analyzes millions of pages a day, with a false positive rate below 0.1%, and correctly classifies more than 90% of phishing pages.
▪ "BogusBiter: A transparent protection against phishing attacks", Chuan Yue and Haining Wang, ACM Trans. Internet Technol. 10(2), Article 6, June 2010 [17]: a client-side tool that sends a large number of bogus credentials to suspected phishing sites, hiding the real credentials among them. BogusBiter conceals a victim's real credential and lets the legitimate site identify stolen credentials in a timely manner.
More Varieties of Access
Daily activities and tasks done online: online banking, paying bills, online shopping, emailing.
Why use more varieties of devices? Easier to use and carry; flexibility; mobility, everywhere; special needs.
Rapid Growth of the Smartphone Market, 2009-2010
The Problem
Trusteer Inc. analyzed the log files of several web servers that were hosting phishing websites and found:
▪ Mobile users are the first to arrive: their devices are always "on".
▪ Mobile users who reach a phishing website are three times more likely to submit their login information than desktop users.
▪ A phishing website is harder to spot on a mobile device than on a computer: the small screen and limited computation make it harder to read the full URL, to see what is being typed into the credential fields, and to display warnings.
▪ e.g. www.acmebank,com.vdgrtgrt … (on a narrow screen only the leading, bank-looking part of the hostname is visible).
The Problem
Users have various ways to access the internet:
▪ Different platforms: notebooks, handhelds, smartphones, etc.
▪ Different computation capabilities and features.
▪ Existing phishing protection mainly supports desktops.
This expands the attack surface for phishers and makes it harder to provide protection; comprehensive protection becomes harder to deliver.
Challenges
▪ Is every device capable of using anti-phishing protection effectively? Computation capabilities; features.
▪ Protection optimized for small devices: consume as little screen space as possible.
▪ Which websites are likely to be phishing, and which are rarely phishing? About 60% of phishing attacks were launched from the .COM, .NET and .CC TLDs.
Source: Global Phishing Survey – APWG 2011
Goals
▪ Provide user protection against phishing websites that can be used by different devices (different computation capabilities and features).
▪ Consume as little computation and screen space as possible.
▪ Categorize sites into different levels of risk.
Proposed Solution
▪ Classify and block phishing links, using PhishTank's blacklist.
▪ Use a coloring scheme to indicate the risk to users; it consumes little computation and screen space.
▪ The processing is done mainly on the server side, with little on the client side: users receive links that are already classified and protected.
▪ Extend verification to websites that are unlikely, but not confirmed, to be phishing.
▪ Block verified phishing websites so the user cannot access them.
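The server-side classification sketched above, written out as an added example that is not code from the presentation: a Python module that checks a link against a PhishTank-style blacklist, applies the APWG TLD weighting from the Challenges slide to decide how much further verification a site gets, and returns a colour-coded verdict that the handset renders without computing anything. It also covers the link-confusion point from The Problem slide, since the registered domain it extracts shows that a hostname beginning with a bank's name may belong to somebody else. The blacklist entries (apart from the slide's own kukumoj.co.uk URL), the hostnames, the colour scheme and the two-level suffix table are constructed for illustration; a real deployment would use the live PhishTank feed and the Public Suffix List.

```python
"""Server-side link classification with a blacklist, TLD weighting and a
colour verdict for the handset.

Added example for this presentation; the blacklist, hostnames, colours and
suffix table below are constructed and are not PhishTank data.
"""
import html
from urllib.parse import urlsplit

# Constructed blacklist in PhishTank's shape (full URLs of verified phishing
# pages). The first entry is the slide's own example URL.
VERIFIED_PHISH_URLS = {
    "http://kukumoj.co.uk/pp/paypal/intl/webscr.php",
    "http://www.acmebank.com.example.net/login",        # constructed
}

# APWG 2011 figure quoted on the Challenges slide: about 60% of attacks were
# launched from .com, .net and .cc. Used only to decide which sites get the
# fuller verification, never as proof of phishing by itself.
HIGH_VOLUME_TLDS = {"com", "net", "cc"}

COLOURS = {"blocked": "red", "verify": "yellow", "low": "green"}

# Constructed subset of two-level public suffixes; a real deployment would
# load the Public Suffix List instead.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registered_domain(host: str) -> str:
    """Return the part of the hostname its owner actually registered.

    www.acmebank.com.example.net belongs to example.net, whatever the
    leading labels say; that is the link-confusion problem on a narrow screen.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(url: str) -> str:
    """Canonical form for blacklist comparison: lower-case scheme and host,
    trailing slash, query and fragment dropped (phishers vary those to dodge
    exact-match lists)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    path = parts.path.rstrip("/")
    return f"{parts.scheme.lower()}://{host}{path}"


def classify(url: str, blacklist=VERIFIED_PHISH_URLS) -> dict:
    """Decide on the server what the handset should do with one link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    verdict = {"url": url, "host": host, "domain": "", "level": "blocked"}
    if not host:
        verdict["reason"] = "no hostname (e.g. javascript: or data: link)"
    else:
        verdict["domain"] = registered_domain(host)
        canon_list = {normalise(u) for u in blacklist}
        if normalise(url) in canon_list:
            verdict["reason"] = "on verified phishing blacklist"
        elif verdict["domain"].rsplit(".", 1)[-1] in HIGH_VOLUME_TLDS:
            verdict["level"] = "verify"
            verdict["reason"] = "TLD with high phishing volume: full verification"
        else:
            verdict["level"] = "low"
            verdict["reason"] = "TLD rarely used for phishing: lighter verification"
    verdict["colour"] = COLOURS[verdict["level"]]
    return verdict


def render_link(url: str, text: str) -> str:
    """The classified link the client receives.

    Blocked links lose their href so a mis-tap cannot open them; other links
    carry the colour as a CSS class and the registered domain as the title,
    so the handset shows the verdict without computing anything. Everything
    is HTML-escaped because link text and URLs come from untrusted mail.
    """
    v = classify(url)
    safe_text = html.escape(text)
    if v["level"] == "blocked":
        return (f'<span class="phish-blocked">{safe_text} '
                f'(blocked: {html.escape(v["reason"])})</span>')
    return (f'<a class="risk-{v["colour"]}" href="{html.escape(url, quote=True)}" '
            f'title="{html.escape(v["domain"], quote=True)}">{safe_text}</a>')


if __name__ == "__main__":
    for link in ("http://kukumoj.co.uk/pp/paypal/intl/webscr.php?cmd=login",
                 "http://www.acmebank.com.example.net/signin",
                 "https://example.org/"):
        print(render_link(link, "Log in"))
```

Two caveats a practitioner should keep in mind. Yellow means "verify harder", not "phishing": .com and .net also host most legitimate sites, so the TLD figure only ranks where to spend verification effort. And a blacklist lags fresh campaigns by hours, which is exactly the window in which mobile users, who the Trusteer logs show arrive first, are exposed; the colour scheme is a cheap client-side hint layered over that, not a replacement for it.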
Initial Design
References
1. Rachna Dhamija, J. D. Tygar, and Marti Hearst. 2006. Why phishing works. In Proceedings of the SIGCHI conference on Human Factors in computing systems (CHI '06), Rebecca Grinter, Thomas Rodden, Paul Aoki, Ed Cutrell, Robin Jeffries, and Gary Olson (Eds.). ACM, New York, NY, USA, 581-590. DOI=10.1145/1124772.1124861 http://doi.acm.org/10.1145/1124772.1124861.
2. Colin Whittaker, Brian Ryner, Marria Nazif, “Large-Scale Automatic Classification of Phishing Pages”, NDSS '10, 2010.< http://research.google.com/pubs/pub35580.html >
3. Gross, Ben. "Smartphone Anti-Phishing Protection Leaves Much to Be Desired | Messaging News." Messaging News | The Technology of Email and Instant Messaging. 26 Feb. 2010. Web. <http://www.messagingnews.com/story/smartphone-anti-phishing-protection-leaves-much-be-desired>.
4. ComScore, Inc. "Smartphone Subscribers Now Comprise Majority of Mobile Browser and Application Users in U.S." ComScore, Inc. - Measuring the Digital World. ComScore, Inc, 1 Oct. 2010. <http://www.comscore.com/Press_Events/Press_Releases/2010/10/Smartphone_Subscribers_Now_Comprise_Majority_of_Mobile_Browser_and_Application_Users_in_U.S>.
5. Entner, Roger. "Smartphones to Overtake Feature Phones in U.S. by 2011." Http://www.nielsen.com. Nielsen Wire, 26 Mar. 2010. Web. <http://blog.nielsen.com/nielsenwire/consumer/smartphones-to-overtake-feature-phones-in-u-s-by-2011/>.
6. Kerstein, Paul L. "How Can We Stop Phishing and Pharming Scams?" CSO Online - Security and Risk. CSO Magazine - Security and Risk, 19 July 2005. Web. <http://www.csoonline.com/article/220491/how-can-we-stop-phishing-and-pharming-scams->.
References
7. OpenDNS, LLC. PhishTank: an Anti-phishing Site. [Online]. http://www.phishtank.com.
8. Joshi, Y.; Saklikar, S.; Das, D.; Saha, S., "PhishGuard: A browser plug-in for protection from phishing," Internet Multimedia Services Architecture and Applications, 2008. IMSAA 2008. 2nd International Conference on, pp. 1-6, 10-12 Dec. 2008. doi: 10.1109/IMSAA.2008.4753929, URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4753929&isnumber=4753904
9. PhishTank - Statistics about phishing activity and PhishTank usage, http://www.phishtank.com/stats.php
10. PhishTank, Friends of PhishTank, http://www.phishtank.com/friends.php
11. "SmartScreen Filter: Frequently Asked Questions." Windows Home - Microsoft Windows. <http://windows.microsoft.com/en-US/windows7/SmartScreen-Filter-frequently-asked-questions-IE9>.
12. "SmartScreen Filter - Microsoft Windows." Windows Home - Microsoft Windows. Web. <http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/features/smartscreen-filter>.
13. "Apple - Safari - Learn about the Features Available in Safari." Apple. <http://www.apple.com/ca/safari/features.html>.
14. TECH.BLORGE- Top Technology news, Paypal warns buyers to avoid Safari browser from Apple - < http://tech.blorge.com/Structure:%20/2008/02/28/paypal-warns-buyers-to-avoid-safari-browser-from-apple/ >
15. "Firefox 2 Phishing Protection Effectiveness Testing." Home of the Mozilla Project. <http://www.mozilla.org/security/phishing-test.html>.
16. "AVIRA News - Anti-Virus Users Are Restless, Avira Survey Finds." Antivirus Software Solutions for Home and for Business. <http://www.avira.com/en/press-details/nid/482/>.
17. Chuan Yue and Haining Wang. 2010. BogusBiter: A transparent protection against phishing attacks. ACM Trans. Internet Technol. 10, 2, Article 6 (June 2010), 31 pages. DOI=10.1145/1754393.1754395 http://doi.acm.org/10.1145/1754393.1754395
18. Rachna Dhamija and J. D. Tygar. 2005. The battle against phishing: Dynamic Security Skins. In Proceedings of the 2005 symposium on Usable privacy and security (SOUPS '05). ACM, New York, NY, USA, 77-88. DOI=10.1145/1073001.1073009 http://doi.acm.org/10.1145/1073001.1073009
Questions?