Title: Context-Aware Phishing Attacks and Client-Side Defenses
1. Context-Aware Phishing Attacks and Client-Side Defenses
- Collin Jackson
- Stanford University
2. Context-aware Phishing
C. Jackson, A. Bortz, D. Boneh, J. Mitchell (WWW 06)
- Bank of America customers see
- Wells Fargo customers see
- Works in all major browsers
- Design issue, not just a bug
3. Example Attacks
- Query visited links
    <style>
    a:visited { background: url(track.php?example.com) }
    </style>
    <a href="http://example.com/">Hi</a>
- Time browser cache
    <script>start = new Date()</script>
    <img src="http://example.com/logo.gif"
      onload="end = new Date();
        if (end.getTime() - start.getTime() < 5) {
          /* image was in cache */
        }">
- Block cache timing, background image?
4. Chameleon Pages
- No JavaScript required
- No server involvement
- Even works in Outlook 2002
5. Perspectives
- Phisher: Where do you bank?
- China: Have you been to subversive sites?
- Amazon: Can I show contextual ads?
- Phished site: Can I check history against phishing blacklist?
- PayPal: Can I use history as 2nd factor?
- Sensitive website: Can I protect visitors?
- Browser vendor: Can I protect users at every site?
6. SafeCache
- Browser extension for Firefox
- Intercept requests to browser cache
- If no referrer, allow request
- If request has a referrer:
  - Store referrer host with cache entry
  - Cache hit only on referrer host match
7. SafeHistory
- Intercept requests to browser history database
- For each history entry, record referrers
- Color visited link if
  - It's a same-site link, or
  - Cross-site link was visited from this site
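The two partitioning rules on the SafeCache and SafeHistory slides, as an added example in JavaScript (not the extensions' own code). Class and method names are assumptions, and "same-site" is approximated by hostname equality; the point is that a page on one site gets neither a cache hit nor a colored link for what the user did on another site.

```javascript
// Added example, not the SafeCache/SafeHistory extension code: a model of the
// two partitioning rules from the slides. Class and method names are assumptions,
// and "same-site" is approximated by hostname equality.

function hostOf(url) {
  return new URL(url).hostname;
}

// SafeCache: each cached copy remembers the referrer host that loaded it, so a
// page on another site cannot learn (by timing) what this site has cached.
class SafeCache {
  constructor() {
    this.entries = new Map(); // url -> Map(referrerHost -> body); '' = no referrer
  }

  put(url, referrerUrl, body) {
    const referrerHost = referrerUrl ? hostOf(referrerUrl) : '';
    if (!this.entries.has(url)) this.entries.set(url, new Map());
    this.entries.get(url).set(referrerHost, body);
  }

  // Returns the cached body, or null for a miss (the browser then refetches).
  get(url, referrerUrl) {
    const partitions = this.entries.get(url);
    if (!partitions) return null;
    if (!referrerUrl) {
      // No referrer (typed URL, bookmark): the request may use any copy.
      const first = partitions.values().next();
      return first.done ? null : first.value;
    }
    // With a referrer, only a copy loaded from the same referrer host is a hit.
    const body = partitions.get(hostOf(referrerUrl));
    return body === undefined ? null : body;
  }
}

// SafeHistory: each visited URL records the hosts it was followed from, so a
// link is styled :visited only where that fact is already known to the page's site.
class SafeHistory {
  constructor() {
    this.visits = new Map(); // url -> Set(referrerHost); '' = direct visit
  }

  recordVisit(url, referrerUrl) {
    const referrerHost = referrerUrl ? hostOf(referrerUrl) : '';
    if (!this.visits.has(url)) this.visits.set(url, new Set());
    this.visits.get(url).add(referrerHost);
  }

  // May a link to linkUrl on the page at pageUrl be colored as visited?
  shouldColorVisited(linkUrl, pageUrl) {
    const referrers = this.visits.get(linkUrl);
    if (!referrers) return false;                   // never visited
    const pageHost = hostOf(pageUrl);
    if (hostOf(linkUrl) === pageHost) return true;  // same-site link
    return referrers.has(pageHost);                 // cross-site link followed from this site before
  }
}
```

Replaying the probes from the Example Attacks slide against this model: a third-party page embedding example.com's logo gets a cache miss (so no timing signal), and its link to example.com stays uncolored unless the user had previously followed such a link from that very site.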
8. Server-Side Countermeasures
M. Jakobsson, S. Stamm (WWW 06)
- Hide internal links with a session ID that is hard for the attacker to guess
  - http://www.bank.com/?sessionid=AB52F5104ED
- Obfuscate external inbound links by polluting the history with pages from other sites
  - bankofamerica.com, wellsfargo.com, chase.com
- Still leaks some information
- Separate content for automated robots
9. Common Password Problem
(Diagram: the user's password pwdA is shared between Bank A, a high-security site, and Site B)
- Phishing attack or break-in at site B reveals pwd at A
- Server-side solutions will not keep pwd safe
- Solution: Strengthen with client-side support
10. PwdHash
B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell (USENIX Sec 05)
(Diagram: the browser sends hash(pwdA, BankA) to Bank A and hash(pwdB, SiteB) to Site B)
- Generate a unique password per site
  - HMAC_fido123(banka.com) → Q7a0ekEXb
  - HMAC_fido123(siteb.com) → OzX2ICiqc
- Hashed password is not usable at target site
11. User Interface Spoofing
- Attacker can display fake password fields or dialogs
- Password recorded using JavaScript
- Sent to attacker in the clear
12. Trusted Password Interfaces
- Password prefix
- PwdHash
- Secure attention sequence
- Isolated screen area
- Trusted image or phrase
- Passmark
- SpyBlock
Starts with @@
13. Keylogger Spyware Problem
- Attacker observes login on local machine
- Password is sent to attacker for later use
- Screenshots can capture on-screen keyboards
(Diagram: pwdA typed on the local machine reaches Bank A, and a copy of pwdA reaches the Attacker)
14. Transaction Generator Problem
- Why bother with passwords?
- Once user is logged in, attacker can
  - Corrupt user requests
  - Issue unauthorized requests
(Diagram: the Attacker rides the user's authenticated channel to Bank A)
15. SpyBlock
C. Jackson, D. Boneh, J. C. Mitchell
- Isolated component for authentication
- Untrusted environment for user apps
16. Authentication modes
- Hashing and injection require no server assistance
- Server support for additional protection
17. Password injection
- Intercept outbound requests and insert password
- Check for password fields in HTML to deter reflection
18. Transaction confirmation
- Application environment cannot MAC fake transaction
- Unique transaction ID prevents replay attacks
19. Project websites
- Phishing
- Phishing + common pwd
- Phishing + common pwd + spyware
safehistory.com
safecache.com
spoofguard.org
pwdhash.com
getspyblock.com