Security: Phishing Attacks
Lecture Notes for CS 142
Spring 2013
John Ousterhout
- Additional reading for this topic:
Online Identity Theft: Phishing Technology, Chokepoints and
Countermeasures, by Aaron Emigh.
- Basic idea:
- Get unsuspecting users to visit an evil Web site
- Convince them that the evil Web site is actually a legitimate
site (such as a bank or PayPal)
- Trick the user into disclosing personal information
(password, credit card number, etc.)
- Use the personal information for evil purposes such as
identity theft.
- How to attract users?
- Spam email
- Network attacks: redirect legitimate traffic
- Infected machine:
- First, compromise user's machine through other mechanisms
- Then, modify "hosts" file that maps from host names to
network addresses
- Legitimate traffic then gets redirected to the attack
site
- How to spoof the legitimate site?
- Copy HTML
- Include images from legitimate Web site
- Many links refer back to the legitimate Web site
- After collecting login info, log user in to legitimate
site, redirect to legitimate site
- User has no idea that password has been stolen
- Won't user recognize a bogus address in the URL bar?
http:rusprory.mass.hc.ru/old_site/update/index.php
Many people won't notice the difference.
- Attacker can pick names that look similar to legitimate names:
- "vv" instead of "w"
- bankofthewest.login.com
- Companies often use multiple names themselves (e.g., partners)
so it's hard to tell what is legitimate.
- Use Chinese characters that look like "/", "?", and "=" to
create legitimate-looking URLS:
- www.bank.com/accounts/login.php?q=me.badguy.cn
- Picture in picture: use image to generate fake browser look-alike
inside the main window
- Counter-measure: visual indicators to help users identify
legitimate sites:
- Lock symbols to indicate HTTPS
- Color change to indicate HTTPS
- Problems:
- Lock symbols not always obvious
- In older versions of Firefox, site could spoof lock symbol
with icon
- Problem: too easy to obtain certificates that look like
legitimate sites
- Example: bankofamerica-secure.com
- Pressure on certificate authorities to issue certificates
quickly
- E.g. "domain validation only" certificates: certificate
authority only verifies
that applicant has right to a particular Internet domain name;
no verification of legal status of organization.
- Counter-measure: extended validation certificates
- Goal: prevent attackers from obtaining certificates that
look like legitimate sites
- Certificate authority must thoroughly vet the organization
obtaining the certificate; prevent look-alike names.
- Certificate authority must undergo audits to ensure it is
doing the vets carefully.
- Browser provides special indicator for extended validation sites
- Problems:
- Small organizations don't like delays and cost of
extended validation
- Until recently, extended validation indicators not very
visible in browsers (but much better nowadays).
- Other counter-measures:
- Browsers starting to include anti-phishing measures (warn users
about known phishing sites)
- Legitimate Web sites can monitor traffic; changes may indicate
attacks under way:
- Spike in download rates for official images
- Unusual rate of password changes, funds transfers
- Legitimate sites can incorporate personal information in emails
to authenticate them: phishers won't have such information. Of
course, must avoid private information such as passwords.
- Remaining problems:
- Legitimate Web sites often use deceptive techniques to get
users to click through ("your last chance for ..."), which
reduces distinction between honest and dishonest sites.
- Education ineffective against phishing: response rates
to phishing e-mails comparable to those for "legitimate"
commercial e-mail.
- Warnings about shady certificates are ineffective: people
just click through.