Title: AntiPhishing Scheme: Preventing Confidential Data from Posted to Spoofed Site
Anti-Phishing Scheme: Preventing Confidential Data from Posted to Spoofed Site
- 2006.02.20
- Researcher: Hunsuk Choi
- Presenter: Yuna Kim
- High Performance Computing Laboratory, POSTECH, Republic of KOREA

Contents
- Phishing Attack
- Problem Definition
- Proposed Scheme
- Experiments
- Conclusion & Future Works

Introduction
- Phishing is a form of social engineering trying to fraudulently acquire confidential information by masquerading as a trustworthy business.
- Phishing attacks are becoming more popular because unsuspecting people are divulging personal information to attackers.
- So, anti-phishing schemes are required neither to trust nor to qualify users.

Phishing Attack Model
[Figure: phishing attack model. Actors: trusted site T ("This is Trusted Site T"), user A (victim of phisher P) with user A's computer, phisher P, and spoofed site X of T. Labels: user-expected identity: T; public trust site: T; target site of phisher P: T. Labelled steps: 2. Target; 3. Build; 4. Send Mail ("Please verify your account"); 5. Post (ID aaa, PASSWORD bbb).]

Related Works
- Fraud e-mail prevention
  - (-) easily evaded by sophisticated phishers.
- Browser-based Web-spoofing prevention
  - (-) a web site is easily spoofed by drawing logos.
  - (-) most users have no knowledge of certificate authorities.
- Authenticator prevention
  - (-) unable to defend against man-in-the-middle attacks.
  - (-) not scalable.

Problem Definition
- To prevent a user from posting his confidential information to a spoofed website, while the user does not have explicit knowledge about details of the function of the Web service.

Design Requirements
- Systematic decision
- Infrequent user work
- Infrequent interruption

Basic Idea
- Prevent a user from posting confidential data to a spoofed website.
- Determine whether the posted data is confidential data or not.
- Distinguish spoofed site from trusted site.
- Predict a user-expected identity of the current site based on data typed by user.
- Compare a user-expected identity with the real identity of the current site.

Phase 1: Initialization
- The user registers the domains of trusted sites into the client system as the following record:
Type 1 record: <identity, domain, level>

Phase 2: Training
- When the user posts data to a trusted site, the client system stores the data as the following record:
Type 2 record: <URL, field_name, H(v), counter, timestamp>
- To prevent type 2 records from growing to a great volume, delete older and smaller-counter records.

Phase 3: Prediction
- When a user posts data to a non-trusted site, the client system predicts the user-expected identity.
- The user-expected identity is inferred to be one of the trusted sites whose stored field value is the same as the currently posted data.

Phase 4: Collaboration
- If the user-expected identity and the real identity are different,
  - the current site may be a spoofed site or a sister site of the trusted site.
  - In order to distinguish them, the client agent queries the server agent whether the current site can be authenticated.

Phase 5: Prevention
- The client system judges the current site to be spoofed if
  - The current site is not registered as a trusted site.
  - None of the server agents can authenticate the current site.
  - → The user posts the same confidential data as one of the trusted sites, but the current site is not a sister site.
- The client system rejects the post the user attempts and registers the site in a blacklist as a spoofed one.
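
The five phases above, as an added Python example (not code from the presentation). Assumed here, not given on the slides: SHA-256 as H, exact-hostname domain matching, a callable standing in for the server-agent query, pruning by smallest counter then oldest timestamp, and all class, method and host names.

```python
import hashlib
from urllib.parse import urlsplit

def H(v):
    # Assumption: the slides do not name H; SHA-256 stands in for it here.
    return hashlib.sha256(v.encode()).hexdigest()

class ClientAgent:
    """Hypothetical client system; ask_server(identity, domain) -> bool plays the server agent."""
    def __init__(self, ask_server, max_records=100):
        self.ask_server, self.max_records = ask_server, max_records
        self.type1 = {}         # domain -> (identity, level)
        self.type2 = {}         # (URL, field_name, H(v)) -> [counter, timestamp]
        self.blacklist = set()  # domains already judged spoofed

    def register(self, identity, domain, level):              # Phase 1
        self.type1[domain] = (identity, level)

    def predict(self, fields):                                # Phase 3
        # Match on H(v) only: a spoofed form can rename its fields.
        typed = {H(v) for v in fields.values() if v}
        return {self.type1[urlsplit(url).hostname][0]
                for (url, _, h) in self.type2 if h in typed}

    def post(self, url, fields, now):  # True = allow the post, False = reject it
        domain = urlsplit(url).hostname
        if domain in self.type1:                              # Phase 2
            for name, value in fields.items():
                rec = self.type2.setdefault((url, name, H(value)), [0, now])
                rec[0], rec[1] = rec[0] + 1, now
            while len(self.type2) > self.max_records:         # smallest counter, then oldest
                del self.type2[min(self.type2, key=lambda k: tuple(self.type2[k]))]
            return True
        expected = self.predict(fields)
        if domain not in self.blacklist:
            if not expected or any(self.ask_server(t, domain) for t in expected):
                return True                                   # Phase 4: nothing confidential, or sister site
            self.blacklist.add(domain)                        # Phase 5
        return False

def scenario():
    # Constructed data following the slides' applied scenario; host names are placeholders.
    agent = ClientAgent(ask_server=lambda identity, domain: domain == "pay.d1.example")
    agent.register("T1", "d1.example", "limited")
    creds = {"id": "aaa", "pw": "bbb"}
    return [agent.post("https://d1.example/login", creds, now=1000),      # trusted: trained
            agent.post("https://pay.d1.example/login", creds, now=1001),  # sister site
            agent.post("https://x.example/login", {"u": "aaa", "p": "bbb"}, now=1002),  # spoofed
            agent.post("https://news.example/q", {"q": "weather"}, now=1003)]  # not confidential
```

Only the post to the unregistered, unauthenticated host that reuses stored values is rejected; the search query never triggers a server-agent query, which matches the "infrequent interruption" requirement.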

Applied Scenario
[Figure: applied scenario. Actors: user, user's computer, trusted site T1 ("This is Trusted Site T1"), server agent of T1, spoofed site X. Labelled steps: 1. Register <T1, D1, limited>; 2. Fill out (ID aaa, P/W bbb); 3. Store <U1, P/W, 35, 1, 1000>; 4. Post (ID aaa, P/W bbb); 5. Connect the spoofed site X; 6. Fill out (ID aaa, P/W bbb); 7. Predict (user-expected identity: T1); 8. Query ("Is X sister-site?"); 9. No; 10. Prevent.]

Experiment
- We want to show that the number of type 2 records does not grow to a great volume.
- Real world data of 2 users for 5 days
- No phishing attack
- Interruptions
  - 2 times
- # of type 2 records
  - stayed in a steady state in spite of internet searching
[Figure: plot with series "# of Type 2 records", "# of confidential information" and "accumulated # of interruptions".]
→ We can apply this scheme to a real web browser.

Conclusion & Future Works
- We proposed a mechanism that defends against phishing attacks by preventing a user from posting data to a probably spoofed website.
- We expect that a proper human-computer interaction which helps a system understand the meaning of a user's activity will provide a useful defense against not only phishing attacks but also other kinds of attacks targeting users.
- As future work, we are required to implement the proposed mechanism.