2006 2nd Joint Workshop between Security Research Labs in JAPAN and KOREA
Anti-Phishing Scheme: Preventing Confidential Data from Posted to Spoofed Site


1 Anti-Phishing Scheme: Preventing Confidential Data from Posted to Spoofed Site
2006.02.20
Researcher: Hunsuk Choi
Presenter: Yuna Kim
High Performance Computing Laboratory, POSTECH, Republic of KOREA

2 Contents
- Phishing Attack
- Problem Definition
- Proposed Scheme
- Experiments
- Conclusion & Future Works

3 Introduction
- Phishing is a form of social engineering that tries to fraudulently acquire confidential information by masquerading as a trustworthy business.
- Phishing attacks are becoming more popular because unsuspecting people are divulging personal information to attackers.
- Anti-phishing schemes therefore must neither trust users nor require them to be qualified.

4 Phishing Attack Model
Diagram actors: public trust site T, user A (victim of phisher P), user A's computer, phisher P.
1. Register: ID = aaa, PASSWORD = bbb
2. Target: target site of phisher P = T
3. Build: spoofed site X of T ("This is Trusted Site T")
4. Send Mail: "Please verify your account" (user-expected identity = T)
5. Post: ID = aaa, PASSWORD = bbb

5 Related Works
- Fraud e-mail prevention
  (-) easily evaded by sophisticated phishers.
- Browser-based Web-spoofing prevention
  (-) a web site is easily spoofed by drawing logos.
  (-) most users have no knowledge of certificate authorities.
- Authenticator prevention
  (-) unable to defend against man-in-the-middle attacks.
  (-) not scalable.

6 Problem Definition
- To prevent a user from posting his confidential information to a spoofed website, even though the user does not have explicit knowledge of the details of how the Web service functions.
Design Requirements
- Systematic decision
- Infrequent user work
- Infrequent interruption

7 Basic Idea
Prevent a user from posting confidential data to a spoofed website.
- Predict a user-expected identity of the current site based on data typed by the user.
- Compare the user-expected identity with the real identity of the current site.
- Determine whether the posted data is confidential data or not.
- Distinguish a spoofed site from a trusted site.

8 Phase 1: Initialization
- The user registers the domains of trusted sites in the client system as the following record:
Type 1 record:
Phase 2: Training
- When the user posts data to a trusted site, the client system stores the data as the following record:
Type 2 record:
- To prevent type 2 records from growing to a great volume, delete older and smaller-counter records.

9 Phase 3: Prediction
- When a user posts data to a non-trusted site, the client system predicts the user-expected identity.
- The user-expected identity is inferred to be the trusted site whose stored field value is the same as the currently posted data.
Phase 4: Collaboration
- If the user-expected identity and the real identity are different, the current site may be a spoofed site or a sister-site of the trusted site. To distinguish them, the client agent queries the server agent whether the current site can be authenticated.

10 Phase 5: Prevention
- The client system judges the current site to be spoofed if:
  - The current site is not registered as a trusted site.
  - None of the server agents can authenticate the current site.
  → The user posts the same confidential data as for one of the trusted sites, but the current site is not a sister-site.
- The client system rejects the post the user attempts, and registers the site in the black list as a spoofed one.

11 Applied Scenario
Diagram actors: User, User’s com, trusted site T1 (Domain = D1), server agent of T1, spoofed site X of T1 ("This is Trusted Site T1").
1. Register
2. Fill out: ID = aaa, P/W = bbb
3. Store
4. Post: ID = aaa, P/W = bbb
5. Connect the spoofed site X
6. Fill out: ID = aaa, P/W = bbb
7. Predict: user-expected identity = T1
8. Query: Is X sister-site?
9. No
10. Prevent
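
The five phases and the applied scenario above can be sketched as follows. This is an added example, not code from the presentation: the record layouts, the keyed hashing of stored values, the pruning cap and the ask_server_agent callback are assumptions, and the .example domains are constructed.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

@dataclass
class ClientAgent:
    key: bytes = field(default_factory=lambda: os.urandom(32))
    trusted: set = field(default_factory=set)     # type 1 records (assumed: one domain each)
    seen: dict = field(default_factory=dict)      # type 2 records: (domain, digest) -> counter
    blacklist: set = field(default_factory=set)
    max_records: int = 100                        # assumed cap for pruning

    def _digest(self, value):
        # Keyed hash, so the record store never holds the confidential value itself.
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()

    def register(self, domain):                   # Phase 1: initialization
        self.trusted.add(domain)

    def _train(self, domain, fields):             # Phase 2: training
        for value in fields.values():
            rec = (domain, self._digest(value))
            self.seen[rec] = self.seen.get(rec, 0) + 1
        while len(self.seen) > self.max_records:  # drop smallest counter, oldest first
            del self.seen[min(self.seen, key=self.seen.get)]

    def on_post(self, domain, fields, ask_server_agent):
        if domain in self.blacklist:
            return "blocked"
        if domain in self.trusted:
            self._train(domain, fields)
            return "allowed"
        posted = {self._digest(v) for v in fields.values()}
        expected = {d for (d, dig) in self.seen if dig in posted}   # Phase 3: prediction
        if not expected:
            return "allowed"                      # nothing matches a trusted site's data
        if any(ask_server_agent(t, domain) for t in expected):      # Phase 4: collaboration
            return "allowed"                      # sister site of a trusted site
        self.blacklist.add(domain)                # Phase 5: prevention
        return "blocked"

def demo():
    sisters = {"d1.example": {"d1-cards.example"}}   # constructed server-agent answers
    ask = lambda trusted, current: current in sisters.get(trusted, set())
    agent = ClientAgent()
    agent.register("d1.example")
    creds = {"id": "aaa", "password": "bbb"}
    posts = [("d1.example", creds), ("search.example", {"q": "weather"}),
             ("d1-cards.example", creds), ("x-spoof.example", creds),
             ("x-spoof.example", {"q": "hello"})]
    return [agent.on_post(d, f, ask) for d, f in posts]
```

In demo(), only the post of the trained credentials to x-spoof.example triggers prevention; once that site is on the black list, every later post to it is rejected as well.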

12 Experiment
[Figure: counts (accumulated # of interruptions, # of type 2 records, # of confidential information) versus accumulated # of transactions]
- We want to show that the number of type 2 records does not grow to a great volume.
- Real-world data of 2 users for 5 days
- No phishing attack
- Interruptions: 2 times
- # of type 2 records stayed in a steady state in spite of internet searching
→ We can apply this scheme to a real web browser.

13 Conclusion & Future Works
- We proposed a mechanism that defends against phishing attacks by preventing a user from posting data to a probably spoofed website.
- We expect that proper human-computer interaction, which helps a system understand the meaning of a user’s activity, will provide a useful defense against not only phishing attacks but also other kinds of attacks targeting users.
- As future work, we need to implement the proposed mechanism.

14 Thank You!


