Client-side defense against web-based identity theft (Neil Chou, Robert Ledesma, Yuka Teraguchi, Dan Boneh, John C. Mitchell) - PowerPoint PPT Presentation
1
Client-side defense against web-based identity theft
Neil Chou, Robert Ledesma, Yuka Teraguchi, Dan Boneh, John C. Mitchell
NDSS 2004
  • http://crypto.stanford.edu/SpoofGuard/
  • Supriya Rathinasabapathy

2
Overview
  • What is Phishing/web spoofing?
  • Motivation
  • SpoofGuard
  • Evaluation of SpoofGuard
  • False alarm rate

3
Phishing
  • Phishing is a form of Internet fraud that aims
    to steal valuable information such as credit
    cards, social security numbers, user IDs and
    passwords.

4
Number of Phishing reports received by APWG
5
New phishing sites
6
Statistics related to Phishing
  • A 2006 study by Gartner Research found:
  •  Losses from phishing attacks were $137 million in 2004 and
     $2.8 billion in 2006.
  •  The number of US adults who received a phishing email doubled
     from 57 million in 2004 to 109 million in 2006.
  •  The per-victim loss increased almost five-fold, from $257 in
     2004 to $1,244 in 2006.

7
SpoofGuard
  • Browser plug-in that examines the web page, calculates a
    spoof index and warns the user if the index exceeds a
    level selected by the user.
  • Designed around the characteristics of previous phishing
    attacks.

8
SpoofGuard
  • The tests used to distinguish spoof pages are:
  • Stateless methods
  • Stateful methods
  • Evaluation of outgoing HTML POST data

9
Scoring
  • Given a web page,
  • tests T1, T2, ..., Tn are applied.
  • The result of each Ti is Pi, in the range 0 to 1:
  • Pi = 1: the page is likely a spoof
  • Pi = 0: the page is reliable
  • TSS (Total Spoof Score)
  • wi is the weight of test Ti, chosen to minimize the false
    alarm rate.

10
Stateless Methods
  • URL check (checks for misleading URLs)
  • E.g. the URL in the visible part of the browser might seem
    valid but lead to a spoof website.
  • Image check (images of the legitimate site appear in spoof
    pages)
  • Applied on sites where user input is requested.
  • Database of images and their associated domains.
  • The spoof score increases if an image matches but the
    domain does not.

11
Stateless Methods (cont.)
  • Link check (checks the links within the page)
  • Fails if at least ¼ of the links fail the URL check.
  • Password check (pages requesting a password are examined
    more closely)
  • E.g. check for the use of https

12
Stateful evaluation
  • Domain check (if the domain of a page resembles another
    domain, there is a possibility of spoofing)
  • Uses Hamming distance to compare similarity
  • Referring page check (checks the referring page)
  • If the referring page is an email client like Hotmail, the
    possibility of phishing is increased.
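
As an added example, not code from the SpoofGuard project, the Python sketch below puts slides 9 to 12 together: each test returns Pi in [0, 1], the TSS is taken as the weighted sum of the Pi (the slides name the weights wi but not the formula, so the sum is an assumption), and the URL, link, password and domain checks are simplified stand-ins (the misleading-URL patterns and the Hamming distance cutoff of 2 are my choices).

```python
# Constructed example of SpoofGuard-style scoring (not the project's code).
# Each test T_i returns P_i in [0, 1]; 1 = looks like a spoof, 0 = looks fine.
import re
from urllib.parse import urlparse

def url_check(url):
    """Stateless URL check: flag URLs that hide their real host.
    The two patterns below are illustrative choices, not SpoofGuard's list."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if "@" in parts.netloc:                 # "bank.example@evil.host" trick
        return 1.0
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # raw IP instead of a name
        return 1.0
    return 0.0

def link_check(page_links):
    """Fails (1.0) if at least 1/4 of the page's links fail the URL check."""
    if not page_links:
        return 0.0
    failing = sum(url_check(u) for u in page_links)
    return 1.0 if failing >= len(page_links) / 4 else 0.0

def password_check(url, has_password_field):
    """Pages that ask for a password over plain http score 1."""
    if not has_password_field:
        return 0.0
    return 0.0 if urlparse(url).scheme == "https" else 1.0

def domain_check(host, visited_domains, max_distance=2):
    """Stateful domain check: Hamming distance to a previously visited domain.
    Only equal-length names are compared; the cutoff of 2 is an assumption."""
    for known in visited_domains:
        if host == known:
            return 0.0
        if len(host) == len(known):
            distance = sum(a != b for a, b in zip(host, known))
            if distance <= max_distance:
                return 1.0
    return 0.0

def total_spoof_score(url, page_links, has_password_field, visited, weights):
    """TSS assumed to be the weighted sum of the P_i (weights w_i sum to 1).
    The caller warns, and blocks the form post, when it exceeds the user's level."""
    host = urlparse(url).hostname or ""
    scores = {"url": url_check(url),
              "link": link_check(page_links),
              "password": password_check(url, has_password_field),
              "domain": domain_check(host, visited)}
    return sum(weights[name] * p for name, p in scores.items())
```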

13
Evaluating post data
  • A form post is allowed to proceed only when the spoof
    index is below some threshold.
  • Outgoing password check
  • A database of <domain, user name, password> entries is
    maintained.
  • If the user reuses a password on a new domain, a warning
    is generated.

14
Evaluating post data
  • Interaction with the image check
  • Combination of the image check with the outgoing password
    check.
  • The spoof index is increased multiplicatively in these
    cases.
  • Check all post data
  • All post data are checked, since images might be used for
    the password field.

15
Evaluation of SpoofGuard
  • Used 14 spoof pages sent by the U.S. Secret Service.
  • SpoofGuard detected the existence of password fields in
    the forms and succeeded in the image check and the
    outgoing password check.

16
False alarm rate
  • Use of the same password on multiple domains for the
    first time may lead to a false alarm.
  • Deletion of browser history may mislead SpoofGuard.

17
  • Questions?