J. Comp. & Math. Sci. Vol.2 (3), 399-405 (2011)
PhishProtector: A Tool for Protection against Phishing Attacks BHARGAV TEJA MANIKONDA, DIVYAJYOTI KHANDELWAL and V. VIJAYASHERLY School of Computing Science and Engineering, VIT University, Vellore. India ABSTRACT Phishing is a criminally fraudulent process of acquiring personal information like username, password and credit card details by masquerading. Existing phishing prevention mechanisms are flooded with techniques of detecting phishing pages however they do not guarantee complete security to users from phishing. The reason behind is the weakest link in the protection chain – “Users”. Users do not make smart decisions and ignore security warnings more often then they read them. Thus, instead of preventing users from phishing, it is a better option to attack Phishers. This is done by fake credential feeds to the Phisher. For the same, a unique client side anti phishing tool is proposed. It works by transparently injecting huge number of fake credentials to alleged phishing site. It protects user’s real credentials from being compromised. It also enables a legitimate website to identify stolen credentials in a well-timed manner. The tool is designed as an extension to Firefox using XUL and Ajax.
I. INTRODUCTION Phishing, basically is a criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is a form of online identity theft. Phishing attacks is a combination of social engineering and technical spoofing techniques to persuade users into giving
away sensitive information that the attacker can then use to make a financial profit. These attacks are usually carried out using either spam emails, links posted on social networking websites or an instant message, in an attempt to entice recipients to a fake web site to disclose personal credentials. Phishing scams have been getting wide-ranging media coverage because of the reason that such attacks have been increasing in number and cleverness. According to recent Anti-Phishing Working
Journal of Computer and Mathematical Sciences Vol. 2, Issue 3, 30 June, 2011 Pages (399-580)
400
Bhargav Teja Manikonda, et al., J. Comp. & Math. Sci. Vol.2 (3), 399-405 (2011)
Group2 there is amplification in the number of phishing sites, victims and the amount of financial losses occurring from phishing attacks. More than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008, a 39.8 percent increase over the number of victims a year earlier, according to Gartner Inc.9 Many mechanisms have been proposed to defend against phishing. They include SSL certificates, user selected logos and auxiliary security indicators to help users to check the genuineness of web sites. Other measures include web browsers endowed with automatic phishing detection feature, master passwords, add-ons etc to tip off the users away from suspected phishing sites. However, usability study4, 5, 6, 15 shows that above measures and warnings are ineffective in preventing vulnerable users from being deceived. The ever increasing severity of phishing attacks and the amount of loss occurring from them clearly indicate that there is a strong urge for the development of some efficient anti-phishing mechanism. II. OVERVIEW OF THE PROPOSED SYSTEM PhishProtector, a Firefox extension is based on the assertion that for inexpert, technically primitive users, who do not take smart decision and do not respond positively to the security cues, it is better for an application to prevent them from falling prey to phishing. Unlike a user, an application will not be fooled by phishing tricks. The complete protection mechanism is automated
to avoid chances of users making wrong decisions. 1. Working of the System Whenever a phished page is identified, a warning is generated by the phishing detection component. A user will then have two choices: either to navigate away from that page or continue surfing. If a user navigates away, he would protect himself. But if a user does not interpret the warning properly and continues surfing on the phished page then he is to be protected. In the situation without protection, when a phishing site is visited by users, real credentials are submitted by exposed users and a Phisher can verify the collected credentials and trade them for money. In the protection enabled state whenever a login page is interpreted as a phishing page, the extension will perform differently based on a user's response to the warning. For a vulnerable user who ignores the warning and submits a real credential, the extension will intercept the victim's real credential; use this to generate a set of N counterfeit credentials. It then submits these credentials one after the other to the phishing site within a short time. For a security-conscious user who responds to the warning, a fake username password pair will be first generated, this will then be used to generate another N-1 bogus credentials and the same process will follow. These actions will be completely transparent to both vulnerable and securityconscious users. The working of the system is depicted in Figure 1.
Journal of Computer and Mathematical Sciences Vol. 2, Issue 3, 30 June, 2011 Pages (399-580)
Bhargav Teja Manikonda, et al., J. Comp. & Math. Sci. Vol.2 (3), 399-405 (2011)
401
Figure1: Working of the extension after the warning is generated.
Line of attack 1- An algorithm shall be used to create a number of bogus credentials. These are then passed on to Phisher. Phisher will try to filter out the credentials at the legitimate website. When he enters a wrong Username/Password pair, the algorithm which was used to generate counterfeit credentials will start taking the supplied Username/Password pair as input. This will generate the same set of the credentials as generated before. This set can be checked if it incorporates any real Username/Password. If it does, then it is clear that a Phisher is trying to get access to others’ account and hence the identity of the original person can be protected. There will be no offshoots of user’s account getting blocked because all the usernames will be different for the N requests sent out by PhishProtector. Line of attack 2 – When it is found that a particular users’ account being compromised, he/she can be informed about
it. The address from which the request with fake credential was generated can be informed to anti phishing communities like PhishTank14 to check these phishing sites. This line of attack will be implemented at the legitimate website’s end. Independent of the underlying Phishing detection Mechanism: Two frequently used phishing detection mechanisms are blacklisting and heuristics. Blacklisting provides more promising results than heuristic based approaches. But at times some phishing sites are not added to blacklist. Various heuristic-based techniques are proposed by researchers to identify phishing sites in real time8,12,13,16. PhishProtector’s design is not dependent on any precise detection mechanism; it can always take advantage of advances made in these mechanisms. The screenshot as in Figure 2 shows the deployed extension on the browser. The screen shot in Figure 3
Journal of Computer and Mathematical Sciences Vol. 2, Issue 3, 30 June, 2011 Pages (399-580)
402
Bhargav Teja Manikonda, et al., J. Comp. & Math. Sci. Vol.2 (3), 399-405 (2011)
displays a menu item which can also be used I. to launch the extension otherwise its working is triggered whenever a warning message appears.
III. DESIGN The design approach to be followed here is the layered design as shown in Figure 4. The system is organized in form of layers, each of which provides a set of services. There are basically five layers in this design.
Figure 2: Extension deployed on Mozilla Firefox
Figure 4: The design of the extension.
1. Phishing Detection Layer This layer constitutes Mozilla’s built in phishing detection mechanism. However, the extension can be developed in a way that it can make use of existing Phishing detection toolbars or add-ons.
Figure 3: A menu item which can also be used to launch the extension
2. Credential Extraction Layer The Credential extraction layer extracts the username and password pair and its matching form element from a login page. This is done by extracting all the tags with type = “input” first. Then extracting the
Journal of Computer and Mathematical Sciences Vol. 2, Issue 3, 30 June, 2011 Pages (399-580)
Bhargav Teja Manikonda, et al., J. Comp. & Math. Sci. Vol.2 (3), 399-405 (2011)
password with type = “password”. Username is obtained by extracting the field just before the password field. 3. Fake Credentials Generation Layer The fake credential generation module generates N bogus credentials based on an initial credential pair. For a victim, his real credentials will be the initial credentials. For a security-conscious user, this module will arbitrarily generate a username/ password pair composed of letters and digits as the initial credential. The credentials generated should have following features: i. Vastness: The number of fake credentials fed into a phishing site should be large enough. ii. Indiscernibility: Without the credential verification at the legitimate web site, it should be extremely difficult for a Phisher to discover that the credentials are fake. iii. Usability: The generation of fake credentials by PhishProtector at the client-side should not incur undue overhead or unwanted side effects, nor should it produce any security or privacy concerns. 4. Phisher Attacking Layer The Phisher Attacking layer is responsible for attacking the Phisher by providing all the counterfeit credentials generated by the previous layer. It then creates multiple requests containing these credentials. This can be done by intercepting the first request submitted by the user, extracting the header information, spawning new requests with same header fields as of the first request. The same process is to be imitated for a user who navigates away from
403
a phishing page. XMLHttpRequest objects can be used to create new requests. 5. Response Mapping Layer On receiving requests, server replies with a response message. When a phishing website receives a request it might reply with a failed login page and redirect the user to the genuine website or follow some other tricks. In the scenario of N requests being submitted to the phishing site, which response to be displayed to user is a question. So, PhishProtector will always display the first response sent by the website to the user. Other N-1 responses can be dealt with behind the screen or can simply be ignored. IV. RESULTS AND PERFORMANCE EVALUATION i.
PhishProtector's design is independent of any specific detection scheme, it can always make use of advances made in both blacklist based techniques and heuristic-based techniques to fight against the majority of phishing attacks. ii. Some websites like yahoo mail lock user’s account for a certain period of time when there are many failed login attempts. On using PhishProtector, this problem will not occur because the credential pairs will not have same usernames.
Limitations i.
PhishProtector is proposed with an assumption that a phisher does not know the reason of failed login i.e. he doesn’t know if it is because of invalid username or invalid
Journal of Computer and Mathematical Sciences Vol. 2, Issue 3, 30 June, 2011 Pages (399-580)
404
ii.
iii.
iv.
Bhargav Teja Manikonda, et al., J. Comp. & Math. Sci. Vol.2 (3), 399-405 (2011)
password. However, this assumption cannot be applied on all the websites. For example, Bank of America's web site can tell a user whether a login is valid before a password is entered. Input Stealing attacks: An inputstealing attack can use techniques like keystroke monitoring to steal a user's credential. The credentials thus obtained can be traded for money. Crooked login pages: A phisher may use an irregular login page to escape from PhishProtector. A phisher might make use of a login form without the type = “password" attribute, or might have a field other than username, before password. But such a trick will have to be designed by them only to escape from PhishProtector which might not be very feasible. CAPTCHA Test: A CAPTCHA test can circumvent PhishProtector1. CAPTCHA tests are primarily used to thwart automated registrations, but are hardly ever used in user authentication processes.
REFERENCES 1. Ahn L., Blum M., Hopper N. and Langford J. – “CAPTCHA: Using hard AI problems for security” In Proceedings of the Eurocrypt. 294-311. (2003). 2. APWG- Anti-Phishing Working Group http://www.antiphishing.org/ 3. Chuan Yue and Haining Wang – “BogusBiter: A Transparent Protection Against Phishing Attacks”, ACM
4.
5.
6.
7.
8.
9. 10.
11.
12.
13.
Transactions on Internet Technology, Vol. 10, No. 2, article 6, page 6:1-6:30, May (2010). Dhamija R, J. D. Tygar, and Hearst “Why phishing works” - In Proceedings of the CHI. 581- 590, (2006). Downs J. S, Holbrook M. B. and Cranor L. F. – “Decision strategies and susceptibility to phishing” - In Proceedings of the SOUPS, 79-90. (2006). Egelman S., Cranor L. F. and Hong – “You've been warned: An empirical study of the effectiveness of web browser phishing warnings”. In Proceedings of the CHI. 1065 - 1074, (2008). Engin Kirda, Christopher Kruegel – “Protecting Users against Phishing Attacks”, The Computer Journal Vol. 00 No. 0, (2005). Garera S., Provos N., Chew M., and Rubin A. D.– “A framework for detection and measurement of phishing attacks”. In Proceedings of the WORM. (2007). Gartner Survey–http://www.gartner.com/ it/page.jsp?id=936913 Jagatic T. N., Johnson N. A., Jakobsson M., and Menczer F - “Social phishing Communication” ACM 50, 10, 94-100, (2007). Jakobsson M. and Myers S - “Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft” Wiley-Interscience, ISBN 0-471-78245-9, (2006). Ludl C., McAllister S., Kirda E. and Kruegel - “On the effectiveness of techniques to detect phishing sites.” In Proceedings of the DIMVA. (2007). Neil Chou, Robert Ledesma, Yuka Teraguchi, John C. Mitchell – “Client-
Journal of Computer and Mathematical Sciences Vol. 2, Issue 3, 30 June, 2011 Pages (399-580)
Bhargav Teja Manikonda, et al., J. Comp. & Math. Sci. Vol.2 (3), 399-405 (2011)
side defense against web-based identity theft”- Computer Science Department, Stanford University, Stanford CA 94305 14. PhishTank http://www.phishtank.com. 15. Whalen T. and Inkpen K. M “Gathering evidence: use of visual security cues in web Browsers”. In
405
Proceedings of the conference on Graphics interface. 137-144. (2005). 16. Zhang Y., Hong J. and Cranor L – “CANTINA: A content-based approach to detecting phishing web sites. In Proceedings of the WWW. 639-648. (2007).
Journal of Computer and Mathematical Sciences Vol. 2, Issue 3, 30 June, 2011 Pages (399-580)