nd Joint Workshop between Security Research Labs in JAPAN and KOREA

Anti-Phishing Scheme: Preventing Confidential Data from Posted to Spoofed Site

Researcher: Hunsuk Choi
Presenter: Yuna Kim
High Performance Computing Laboratory, POSTECH, Republic of KOREA

Contents
- Phishing Attack
- Problem Definition
- Proposed Scheme
- Experiments
- Conclusion & Future Works

Introduction
- Phishing is a form of social engineering that tries to fraudulently acquire confidential information by masquerading as a trustworthy business.
- Phishing attacks are becoming more common because unsuspecting people divulge personal information to attackers.
- Anti-phishing schemes must therefore neither trust users nor require them to be qualified.

Phishing Attack Model
[Diagram: public trust site T; User A (victim of phisher P) and User A's computer; phisher P; spoofed site X displaying "This is Trusted Site T"]
1. Register: ID = aaa, PASSWORD = bbb
2. Target: target site of phisher P = T
3. Build: spoofed site X of T
4. Send Mail: "Please verify your account" (user-expected identity = T)
5. Post: ID = aaa, PASSWORD = bbb

Related Works
- Fraud prevention
  (-) easily evaded by sophisticated phishers.
- Browser-based Web-spoofing prevention
  (-) a web site is easily spoofed by drawing logos.
  (-) most users have no knowledge of certificate authorities.
- Authenticator prevention
  (-) unable to defend against man-in-the-middle attacks.
  (-) not scalable.

Problem Definition
To prevent a user from posting confidential information to a spoofed website, even when the user has no explicit knowledge of how the Web service functions.

Design Requirements
- Systematic decision
- Infrequent user work
- Infrequent interruption

Basic Idea
Prevent a user from posting confidential data to a spoofed website.
- Predict the user-expected identity of the current site based on the data typed by the user.
- Compare the user-expected identity with the real identity of the current site.
- Determine whether the posted data is confidential data or not.
- Distinguish a spoofed site from a trusted site.

Phase 1: Initialization
The user registers the domains of trusted sites into the client system as the following record:
Type 1 record :

Phase 2: Training
When the user posts data to the trusted sites, the client system stores the data as the following record:
Type 2 record:
To keep type 2 records from growing to a great volume, older and smaller-counter records are deleted.

Phase 3: Prediction
When a user posts data to a non-trusted site, the client system predicts the user-expected identity. The user-expected identity is inferred to be the trusted site whose stored field value is the same as the currently posted data.

Phase 4: Collaboration
If the user-expected identity and the real identity are different, the current site may be a spoofed site or a sister-site of the trusted site. To distinguish them, the client agent asks the server agent whether the current site can be authenticated.

Phase 5: Prevention
The client system judges the current site to be spoofed if:
- The current site is not registered as a trusted site.
- None of the server agents can authenticate the current site.
→ The user posts the same confidential data as for one of the trusted sites, but the current site is not a sister-site.
The client system rejects the post the user attempts and registers the site in the blacklist as a spoofed site.

Applied Scenario
[Diagram: User and User's com; trusted site T1 (Domain = D1); server agent of T1; spoofed site X of T1 displaying "This is Trusted Site T1"]
1. Register
2. Fill out: ID = aaa, P/W = bbb
3. Store
4. Post: ID = aaa, P/W = bbb
5. Connect the spoofed site X
6. Fill out: ID = aaa, P/W = bbb
7. Predict: user-expected identity = T1
8. Query: Is X sister-site?
9. No
10. Prevent
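
Phases 1 to 5 and the applied scenario above, as an added Python example; it is not the authors' code. The record layouts are not given on the slides, so the Type 2 layout (keyed hash of each field value with a counter and last-use tick), the server agents modelled as callables, and all names here are assumptions.

```python
import hashlib, hmac, os

class AntiPhishingClient:
    """Client system for Phases 1-5; record layouts are assumptions."""

    def __init__(self, server_agents, max_records=100):
        self.key = os.urandom(32)           # assumption: store keyed hashes, not plaintext
        self.trusted = set()                # Type 1 records: trusted domains
        self.type2 = {}                     # Type 2: (domain, digest) -> [counter, last_used]
        self.blacklist = set()
        self.server_agents = server_agents  # hypothetical: domain -> callable(site) -> bool
        self.max_records = max_records
        self.clock = 0

    def _digest(self, value):
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()

    def register(self, domain):             # Phase 1: initialization
        self.trusted.add(domain)

    def _train(self, domain, fields):       # Phase 2: training
        for value in fields.values():
            rec = self.type2.setdefault((domain, self._digest(value)), [0, 0])
            rec[0] += 1
            rec[1] = self.clock
        while len(self.type2) > self.max_records:
            # delete the smallest-counter record, oldest first on ties
            victim = min(self.type2, key=lambda k: tuple(self.type2[k]))
            del self.type2[victim]

    def _predict(self, fields):             # Phase 3: prediction
        digests = {self._digest(v) for v in fields.values()}
        return {d for (d, h) in self.type2 if h in digests}

    def on_post(self, site, fields):
        """Return 'allow' or 'block' for a form post to `site`."""
        self.clock += 1
        if site in self.blacklist:
            return "block"
        if site in self.trusted:
            self._train(site, fields)
            return "allow"
        expected = self._predict(fields)    # user-expected identities
        if not expected:                    # no stored value matches: not confidential
            return "allow"
        deny = lambda s: False              # Phase 4: ask the expected sites' agents
        if any(self.server_agents.get(d, deny)(site) for d in expected):
            return "allow"                  # authenticated as a sister-site
        self.blacklist.add(site)            # Phase 5: prevention
        return "block"
```
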

Experiment
[Figure: counts versus accumulated # of transactions; series: accumulated # of interruptions, # of Type 2 records, # of confidential information]
We want to show that type 2 records do not grow to a great volume.
- Real world data of 2 users for 5 days
- No phishing attack
- Interruptions: 2 times
- # of type 2 records stayed in a steady state in spite of internet searching
→ We can apply this scheme to a real web browser.

Conclusion & Future Works
- We proposed a mechanism that defends against phishing attacks by preventing a user from posting data to a probably spoofed website.
- We expect that proper human-computer interaction, which helps a system understand the meaning of a user's activity, will provide a useful defense against not only phishing attacks but also other kinds of attacks targeting users.
- As future work, we need to implement the proposed mechanism.