Phishing Information Recycling from Spam Mails
Transcript of Phishing Information Recycling from Spam Mails
許富皓, Department of Computer Science and Information Engineering, National Central University
NCU Advanced Defense Lab
OUTLINE
Introduction
System Overview
Evaluation
Discussion and Conclusion
Statistics of Spam Mails
The global spam rate for Q3 2009 is 88.1%, equating to around 151 billion emails a day.
The major purpose of these spam mails is advertising.
In Q3 2009, phishing activity was 1 in 368.6 emails.
Phishing
Aims to steal sensitive information from users.
A phishing attack usually comprises two steps:
◦ Prepare a forged web page
◦ Send spoofed e-mails
Phishing E-mail Example
Phishing e-mails fool users into visiting a forged web page.
An example of a phishing e-mail.
Phishing Web Page Example
A phishing web page looks like a real service web page.
An example of a phishing page.
Anti-Phishing Methods
Email-level solution
◦ Filters and content analysis
Browser-integrated solution
◦ SpoofGuard
◦ PwdHash
◦ AntiPhish: keeps track of sensitive information
◦ DOMAntiPhish: compares the DOMs of the pages
Most Popular Phishing Solutions
The most popular and widely deployed solutions are based on blacklists.
◦ IE 7 browser
◦ Google Safe Browsing
◦ NetCraft toolbar
◦ eBay toolbar
◦ etc.
Drawbacks of Current Solutions
APWG detected more than 40,000 unique phishing URLs in Aug. 2009.
On average, a phishing domain lasts 3 days.
Many e-mail receivers trust the e-mails that have passed the examination of an e-mail filter.
Why Phishing Works?
Why Phishing Works, Proc. CHI (2006)
◦ SMTP does not contain any authentication mechanism
◦ 23% of users base their trust only on page content
None of the solutions is foolproof.
About five million U.S. consumers gave information to spoofed websites, resulting in direct losses of $1.7 billion (2008).
Observation
A phishing domain lasts 3 days, so the phishing mails containing this domain must be sent within this period.
Legitimate server hosts usually create a lot of network traffic. However, phishing hosts usually have only a small amount of network traffic.
Our Method - Shark
Actively counterattack phishers, not just passively defend.
The goal is to overload phishing web sites with a large amount of forged data.
Collect phishing information from spam mails.
Detect botnets from spam mails.
System Components
Agent Host
◦ Collect phishing URLs from spam mails
◦ Send a large amount of forged data to forged websites
SQL Server
◦ Handle the suspect URLs
Camouflage Router
◦ Allow the agent host to use various IP addresses to establish TCP connections.
System Overview
Information Recycling Components
Agent host
◦ Simply sniffs the URLs in e-mails which pass through our camouflage router.
SQL server
◦ Collect those URLs
◦ Record their arrival time
Information Recycling
Classify URLs according to their domains.
Record the number of URLs appearing in each domain.
Collect suspect URLs
◦ A URL whose domain contains more URLs than a threshold within a short period (normally 3 days) is deemed a phishing URL.
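The domain-burst heuristic above, written out as an added Python example (not the Shark system's own code). It assumes the SQL server's records are available as (arrival time, URL) pairs; the sample arrivals and host names are constructed placeholders.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample of (arrival time, URL) records as the agent host would
# hand them to the SQL server; the host names are placeholders, not real sites.
SAMPLE_ARRIVALS = [
    ("2009-08-01 09:00", "http://login-verify.example/acct/1"),
    ("2009-08-01 11:30", "http://login-verify.example/acct/2"),
    ("2009-08-02 08:15", "http://login-verify.example/acct/3"),
    ("2009-08-02 20:40", "http://login-verify.example/acct/4"),
    ("2009-08-01 10:00", "http://shop.example/item/42"),
    ("2009-08-10 10:00", "http://shop.example/item/43"),
    ("2009-08-20 10:00", "http://shop.example/item/44"),
    ("2009-08-30 10:00", "http://shop.example/item/45"),
]


def domain_of(url):
    """Classify a URL by its host name; URLs without a host are skipped."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def suspect_urls(arrivals, threshold=3, window=timedelta(days=3)):
    """Return the URLs of every domain that received more than `threshold`
    URLs inside any period of length `window` (the slides' 3 days).
    Arrivals are replayed in time order; a per-domain deque holds only the
    arrivals still inside the window that ends at the current one."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), u)
                  for t, u in arrivals)
    recent = defaultdict(deque)   # domain -> deque of (time, url) in window
    flagged = set()
    for when, url in rows:
        dom = domain_of(url)
        if dom is None:
            continue
        q = recent[dom]
        q.append((when, url))
        while when - q[0][0] > window:   # expire arrivals older than window
            q.popleft()
        if len(q) > threshold:
            # the burst itself is the evidence, so flag every URL in it
            flagged.update(u for _, u in q)
    return flagged
```

With the constructed sample, the four URLs that arrive on one domain within two days are flagged, while the slow trickle on the other domain never exceeds the threshold inside any 3-day window.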
Recognize Phishing Web Sites
Suspect web site
◦ Parse the HTML content
◦ Check form tags and input tags, e.g. type=password
Combine with the Google API
◦ Check if the website has enough traffic flow
Could be combined with other phishing detection methods
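An added example (not the authors' code) of the form-parsing check described above: Python's standard html.parser is used to find forms that contain a password input and to resolve where they submit. The sample page and the host name in the usage are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class FormScanner(HTMLParser):
    """Record every <form> on a page and whether it asks for a password."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form: action, method, has_password
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)      # html.parser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # a bare <input> defaults to type=text; a valueless type is None
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms(html, page_url):
    """Absolute submit target of each form that contains a password field;
    relative actions are resolved against the page URL."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    return [urljoin(page_url, f["action"])
            for f in scanner.forms if f["has_password"]]


def is_credential_page(html, page_url):
    """True when the page carries at least one password form, the signal the
    suspect-site check looks for before any traffic check is applied."""
    return bool(credential_forms(html, page_url))


# Constructed page imitating a login form; the host name is a placeholder.
SAMPLE_PAGE = """<html><body>
<form action="/login.php" method="post">
  <input name="user" type="text"><input name="pass" type="PASSWORD">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""
```

A password input outside any form is deliberately ignored, since nothing can submit it; the slides' "No Password" and "Second Page" categories are exactly the pages this static check cannot resolve.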
Counterattack
Agent host
◦ Initiate TCP connections to the phishing sites
◦ Find out the form tags which can be used to submit data to the phishing sites
◦ Send forged data to the phishing sites
◦ Limit the number of TCP connections an agent host can establish with a phishing host (based on the number of phishing URLs)
Camouflage router
◦ Randomly choose an IP address belonging to its domain and provide it to the agent host to establish a new TCP connection with a phishing host
Effects of Counterattack
Phishers would not be able to distinguish victim data from forged data.
Login pages of legitimate web sites can record the IPs of hosts that use bait (forged) data to log in.
Hosts that send phishing e-mails or use bait data to log in are usually bots of some botnet.
Evaluation
False Negative
◦ 2,543 phishing websites in PhishTank
False Positive
◦ 5,000 legitimate websites in Alexa
◦ 0 false positives
Evaluation
Phishing websites in PhishTank (Total 2,543)
◦ Solved: 1,208 (48%)
◦ Unresolved: 1,195 (47%)
◦ Expired: 119 (5%)
Breakdown of the unresolved sites:
◦ Second Page 16%
◦ No Password 3%
◦ Redirect 8%
◦ JavaScript 1%
◦ Non-meaningful Page 67%
◦ Not Phishing 3%
◦ Other 2%
Contribution
A novel counterattack solution for phishing
Confuse the phishers with a large amount of forged data
Protect users even if they have been tricked into leaking their private information to phishers
Botnet detection
Future Work
JavaScript
win32com.client
Thank You
Q&A