Security: Phishing Attacks

Lecture Notes for CS 142
Fall 2010
John Ousterhout

  • Readings for this topic: Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures, by Aaron Emigh.
  • Basic idea:
    • Get unsuspecting users to visit an evil Web site
    • Convince them that the evil Web site is actually a legitimate site (such as a bank or PayPal)
    • Trick the user into disclosing personal information (password, credit card number, etc.)
    • Use the personal information for evil purposes such as identity theft.
  • How to attract users?
    • Spam email
    • Sponsored advertisements on other sites
      • Ads relatively cheap
      • Ad networks, publishers incentivized to show ads, minimize background checks
    • Network attacks: redirect legitimate traffic
    • Infected machine:
      • First, compromise user's machine through other mechanisms
      • Then, modify "hosts" file that maps from host names to network addresses
      • Legitimate traffic then gets redirected to the attack site
  • How to spoof the legitimate site?
    • Copy HTML
    • Include images from legitimate Web site
    • Many links refer back to the legitimate Web site
    • After collecting login info, log user in to legitimate site, redirect to legitimate site
    • User has no idea that password has been stolen
  • Won't user recognize a bogus address in the URL bar?
    • http:rusprory.mass.hc.ru/old_site/update/index.php Many people won't notice the difference.
    • Attacker can pick names that look similar to legitimate names:
      • "vv" instead of "w"
      • bankofthewest.login.com
      • Companies often use multiple names themselves (e.g., partners) so it's hard to tell what is legitimate.
    • Use Chinese characters that look like "/", "?", and "=" to create legitimate-looking URLS:
      • www.bank.com/accounts/login.php?q=me.badguy.cn
    • Picture in picture: use image to generate fake browser look-alike inside the main window
  • Counter-measure: visual indicators to help users identify legitimate sites:
    • Lock symbols to indicate HTTPS
    • Color change to indicate HTTPS
    • Problems:
      • Lock symbols not very obvious (especially Firefox in lower right corner)
      • In Firefox, site can spoof lock symbol with icon
  • Problem: too easy to obtain certificates that look like legitimate sites
    • Example: bankofamerica-secure.com
    • Pressure on certificate authorities to issue certificates quickly
    • E.g. "domain validation only" certificates: certificate authority only verifies that applicant has right to a particular Internet domain name; no verification of legal status of organization.
  • Counter-measure: extended validation certificates
    • Goal: prevent attackers from obtaining certificates that look like legitimate sites
    • Certificate authority must thoroughly vet the organization obtaining the certificate; prevent look-alike names.
    • Certificate authority must undergo audits to ensure it is doing the vets carefully.
    • Browser provides special indicator for extended validation sites
    • Problems:
      • Small organizations don't like delays and cost of extended validation
      • Extended validation indicators not very visible in browsers
  • Other counter-measures:
    • Browsers starting to include anti-phishing measures (warn users about known phishing sites)
    • Legitimate Web sites can monitor traffic; changes may indicate attacks under way:
      • Spike in download rates for official images
      • Unusual rate of password changes, funds transfers
    • Legitimate sites can incorporate personal information in emails to authenticate them: phishers won't have such information. Of course, must avoid private information such as passwords.
  • Remaining problems:
    • Legitimate Web sites often use deceptive techniques to get users to click through ("your last chance for ..."), which reduces distinction between honest and dishonest sites.
    • Education ineffective against phishing: response rates to phishing e-mails comparable to those for "legitimate" commercial e-mail.
    • Warnings about shady certificates are ineffective: people just click through.
    • Status bar can be spoofed; not a reliable indicator of URL under mouse: 
      window.status = "You can trust this URL, honest";
    • Mashups:
      • Collect contents from many different organizations on a single page.
      • Any element of the mashup can easily make itself look like any other element.