Transcript Phishing
CSCD 303
Essential Computer
Security
Winter 2014
Lecture 3 - Social Engineering
Phishing
Reading: See links at end of lecture
Overview
• Social Engineering
– Defined
• Humans as vulnerabilities
• Phishing
– What is it?
– What does it accomplish
– How to recognize it?
– Solutions to Phishing
Social Engineering
Social Engineering: manipulating or tricking people into divulging private information, as opposed to using technical hacking techniques
Or, getting them to use unauthorized devices to compromise themselves
Test Case of Human Vulnerabilities
June 2011, Bloomberg published the results of a test conducted by the U.S. Department of Homeland Security
To assess the government’s vulnerability to unauthorized system access, DHS dropped disks and USB drives in parking lots of government agencies and private contractors
Test Case of Human Vulnerabilities
Results
60% of workers who found devices plugged them into their office computers
When the device was imprinted with an official logo, the number of installations on office machines skyrocketed to 90%
http://www.crn.com/blogs-op-ed/channelvoices/232200743/how-to-manage-the-weak-link-incybersecurity-humans.htm
The Individual User
Users…
• Represent the largest install base
• Completely lack standards
• Cannot be controlled centrally (or
otherwise)
• Are only predictable in their
unpredictability
• Cannot be redesigned
• Are all of us!!!
What Exactly is Phishing?
Define Phishing
Phishing Scams Defined
• Phishing is a type of deception designed to steal your personal data, such as credit card numbers, passwords, account data, or other information
• Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.
More Phishing Definitions
Spear Phishing – a phishing scam that targets a specific audience
Example: Kansas State Univ. – the scam mentions Kansas State University by name and is sent to K-State email addresses
Scareware – tries to trick you into responding by using shock, anxiety or threats
“reply with your password now or we’ll shut down your email account tomorrow”
Spear-Phishing: Improved Target Selection
Socially aware attacks
• Mine social relationships from public data
• Phishing email appears to arrive from someone known to the victim
• Use the spoofed identity of a trusted organization to gain trust
• Urge victims to update or validate their account
• Threaten to terminate the account if the victims do not reply
• Use a gift or bonus as bait
• Security promises
Context-aware attacks
• “Your bid on eBay has won!”
• “The books on your Amazon wish list are on sale!”
Phishing Increasing in Sophistication
Targeting Your Organization
Spear-phishing targets specific groups or individuals
Type 1 – Uses info about your organization
“General Patton is retiring next week, click here to say whether you can attend his retirement party”
Phishing Increasing in Sophistication
Targeting Your Organization
Around 40% of people in experiments at
Phishing Increasing in Sophistication
Targeting You Specifically
Type 2 – Uses info specifically about you
Social Phishing
• Might use information from social networking sites,
corporate directories, or publicly available data
• Ex. Fake email from friends or co-workers
• Ex. Fake videos of you and your friends
Phishing Increasing in Sophistication
Targeting You Specifically
“Here’s a video I took of your poster presentation.”
Another Example:
But wait…
WHOIS 210.104.211.21:
Location: Korea, Republic Of
Even bigger problem:
I don’t have an account with US Bank!
Images from Anti-Phishing Working Group’s Phishing Archive
Spear Phishing Example – KSU.edu (two slide images)
Scareware Example (two slide images)
Another Scareware Example (two slide images)
Spear phishing scam received by K-Staters, January 2010
If you clicked on the link…
The malicious link in the scam email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, which steals your ID and password if you enter them and click “Sign in”
Clicking on “Sign in” then took the user to K-State’s home page
Note the URL – flushandfloose.nl, which is obviously not k-state.edu
Fake SSO web page vs. real SSO web page (slide images)
Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)
Real SSO web page – note “https”
Real SSO web page – use the eID verification badge to validate
Result of clicking on the eID verification badge on the fake SSO web site, or any site that is not authorized to use the eID and password (slide image)
Result of clicking on the eID verification badge on a legitimate K-State web site that is authorized to use the eID and password for authentication (slide image)
Real K-State Federal Credit Union web site vs. fake K-State Federal Credit Union web site used in the spear phishing scam (slide images)
History of Phishing
Phreaking + Fishing = Phishing
Phreaking = making phone calls for free back in the ’70s
Fishing = using bait to lure the target
Phishing in 1995
Target: AOL users
Purpose: getting account passwords (for free online time)
Threat level: low
Techniques: similar names (www.ao1.com for www.aol.com), social engineering
Phishing in 2001
Target: eBayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: same as in 1995, plus keyloggers
Phishing in 2007
Target: PayPal, banks, eBay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
A bad day phishin’, beats a good day workin’
Anti-phishing Working Group
http://www.antiphishing.org/
• 2,000,000 emails are sent
• 5% get to the end user – 100,000 (APWG)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site – 100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000
In 2005 David Levi made over $360,000 from 160 people using an eBay phishing scam
How Bad Is Phishing?
Consumer Perspective
Estimated ~0.5% of Internet users per year fall for phishing attacks
Conservative $1B+ direct losses a year to consumers
Bank accounts, credit card fraud
Doesn’t include time wasted on recovery of funds, restoring computers, emotional uncertainty
Growth rate of phishing (chart)
How Bad Is Phishing?
Perspective of Corporations
Direct damage
Loss of sensitive customer data
Loss of intellectual property
Why Do People Fall for Phishing?
Phishing has been around for years
How come people still fall for it?
Research on Phishing
Carnegie Mellon University
Interviewed 40 Internet users including 35 non-experts
Conducted mental models interviews
Mental models included email role play and open-ended questions
Reference: J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proc. of the 2006 Symposium On Usable Privacy and Security
Research on Phishing
Carnegie Mellon University
Only 50% knew the meaning of the term phishing
85% were aware of the lock icon
Only 40% knew it was supposed to be there
Only 35% had noticed the https and knew what it means
Only 55% noticed an unexpected or strange URL
Only 55% reported being cautious when asked for sensitive financial info
Few reported being suspicious of being asked for
Research on Phishing
Carnegie Mellon University
Naïve Evaluation Strategies
Most strategies didn't help people in identifying phishing
“This email appears to be for me”
“It's normal to hear from companies you do business with”
“Reputable companies will send emails”
Knowledge of some scams didn't help identify other scams
Determining Email Fraud and Protection Measures
Today's Solutions
Not so Successful
Anti-phishing filters that rely on blacklists and whitelists
Usually not up to date and there are many false positives
Training
Websites and posters help some
Spam Filters
Don't tend to catch phishing; the emails look legitimate
More Successful Solutions
Two Research Based Filters, CMU: Pilfer and Cantina
Pilfer – looks at features other than the email text
• Number of domains linked to in the email
• Links in the email to domains other than the main domain
Cantina – uses a content-based approach
• Creates a fingerprint of a web page
• Sends the fingerprint to a search engine
• Sees if the web page is in the search results
• If yes, then legitimate
Detecting Phishing Web Sites
Industry uses blacklists to label phishing sites
But blacklists are slow to catch up with new attacks
Idea: Use search engines
Scammers often directly copy web pages
But fake pages should have low PageRank on search engines
Generate a text-based “fingerprint” of the web page’s keywords and send it to a search engine
Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS 2007.
Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW 2007.
Human Training
The following slides provide common advice for identifying phishing or fraudulent emails ...
Human Training
How To Tell If An E-mail Message is Fraudulent
A few phrases to look for if you think an e-mail message is a phishing scam:
• "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail
– If you receive an e-mail from anyone asking you to update your credit card information, do not respond:
– This is a phishing scam
• "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking
Human Training
How To Tell If An E-mail Message is Fraudulent
• "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name
• "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site
• The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site
• Resting the mouse pointer on the link reveals the real Web address
• A string of cryptic numbers that looks nothing like the company's Web address is a suspicious sign
Human Training
How To Tell If An E-mail Message is Fraudulent
Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters.
For example, the URL "www.microsoft.com" could appear instead as:
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
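The tells from the last three slides (masked links whose visible text names one site while the href points elsewhere, a raw "string of cryptic numbers" as the host, and the micosoft / mircosoft / verify-microsoft lookalikes), plus Pilfer's count of distinct linked domains, as an added example in Python; it is not code from the lecture or from CMU. The TRUSTED allow-list, the sample message and the 192.0.2.10 documentation address are constructed here, and anchors are pulled out with a regex that is sufficient for the sample; a real mail scanner would use an HTML parser.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

TRUSTED = {"microsoft.com", "k-state.edu"}  # brands this recipient actually deals with
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Last two labels of a hostname, e.g. 'www.verify-microsoft.com' -> 'verify-microsoft.com'."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike(host):
    """True for a near miss of a trusted brand (micosoft, mircosoft) or a domain
    that wraps the brand name in a different registrable name (verify-microsoft.com)."""
    dom = registrable(host)
    if dom in TRUSTED:
        return False
    label = dom.split(".")[0]
    brands = [b.split(".")[0] for b in TRUSTED]
    return any(b in label or SequenceMatcher(None, label, b).ratio() >= 0.8 for b in brands)

def analyze_links(html):
    """Return (href, reason) findings for the tells the slides list, plus the
    Pilfer-style count of distinct domains linked to in the message."""
    findings, domains = [], set()
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        domains.add(registrable(host))
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "raw IP address instead of a company name"))
        if "." in shown and registrable(shown) != registrable(host):
            findings.append((href, "masked link: text shows " + shown))
        if lookalike(host):
            findings.append((href, "lookalike domain " + registrable(host)))
    return findings, len(domains)

# Constructed sample message, not from the lecture; 192.0.2.10 is a documentation address.
SAMPLE_EMAIL = ('<p>Dear Valued Customer, verify your account within 48 hours.</p>'
                '<a href="http://www.mircosoft.com/verify">www.microsoft.com</a> '
                '<a href="http://192.0.2.10/login">Click here</a> '
                '<a href="https://www.microsoft.com/">Microsoft</a>')
```

Running analyze_links(SAMPLE_EMAIL) reports the masked link and its lookalike host, and the raw-IP link, while the genuine microsoft.com link produces no finding.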
Human Training
How To Tell If An E-mail Message is Fraudulent
• Never respond to an email asking for personal information
• Always check the site to see if it is secure. Call the phone number if necessary
• Never click on the link in the email. Retype the address in a new window
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
P.S.: Always shred your home documents before discarding them.
Human Training
Anti-Phishing Games
OK, traditional training doesn't work, but…
People like to play games
Teach using a game
Results have shown that:
More people are willing to play a game than to read
People are better at identifying phishing after playing the game
Best known is Anti-Phishing Phil from CMU
http://cups.cs.cmu.edu/antiphishing_phil/
Anti-Phishing Phil
A micro-game to teach people not to fall for phish
PhishGuru is about email; this game is about the web browser
Also based on learning science principles
You will get to try the game!
S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In SOUPS 2007, Pittsburgh, PA, 2007.
Anti-Phishing Phil
Evaluation of PhishGuru
Is embedded training effective?
Study 1: Lab study, 30 participants
Study 2: Lab study, 42 participants
Study 3: Field trial at a company, ~300 participants
Study 4: Field trial at CMU, ~500 participants
Studies showed a significant decrease in falling for phish and the ability to retain what they learned
P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.
Anti-Phishing Phil: Study (chart slide)
Anti-Phishing Phil: Study 2 (chart slide)
Summary
Wikipedia has a nice page on phishing
http://en.wikipedia.org/wiki/Phishing
Phishing is already a plague on the Internet
Seriously affects consumers, businesses, governments
Criminals are getting more sophisticated
End-users can be trained, but only if done right
PhishGuru embedded training uses simulated phishing
Anti-Phishing Phil and Anti-Phishing Phyllis
The End
Next Time: Attackers
– Lab this week is Phishing!!!
– Book – no real reference in our book
– See references on previous slide