Modeling and Preventing Phishing Attacks

1
Modeling and Preventing Phishing Attacks

• Markus Jakobsson
• School of Informatics, IUB
• www.markus-jakobsson.com

2
Phishing example
Dear U.S. Bank Customer, J 6 rampant
seventeen polynomial forfeiture weed inflow
Murray At U.S. Bank, we take security very
seriously. As many customers already know,
Microsoft Internet Explorer has significant
'holes' or vulnerabilities that virus creators
can easily take advantage of. At U.S. Bank, we
maintain your personal information and data
according to strict standards of security and
confidentiality as described in the Terms and
Conditions that govern your use of this site.
Online access to your account portfolio is only
possible through a secure web browser. In order
to further protect your account, we have
introduced some new important security standards
and browser requirements. U.S. Bank security
systems require that your computer system is
compatible with our new standards. This
security update will be effective immediately.
Please sign on to U.S. Bank Online Banking in
order to verify security update installation.
Failure to do so may result in your account being
compromised. rhubarb Nelson cord Sincerely,
8 D pawnshop dismal likewise 72 192 The U.S.Bank
Security Department Team.  
Truth
Good news
Request
Threat
Anti-spam filter text
3
What is phishing?
Technology
Social engineering
4
What do people know?
Spam filters

• Common technique 1 spamming
• Common technique 2 spoofing
• (possible variation homographic attacks)
• Common technique password reuse attack
• Attackers work from Eastern Europe, SE Asia

Certification
Password randomizer plugin
Prevention is only hope
5
Current attack style
Approx 3 of adult Americans report to have been
victimized.
6
More sophisticated attack style
context aware attack
Preliminary tests show approx. 50 would have
been victimized.
7
Modeling phishing attacks
conjunction
starting state
target
disjunction
Edge carries description of cost, effort,
probability.
8
Example phishing attack
married?
account number
payment
refund alone
bank account
salary
Guess withholding, 401(k).
9
Connecting components of a personal graph

• Password reuse gives same entry for many
  applications. (Can be prevented.)
• Security question reuse gives same entry, too!
  (Not easily prevented.)
• Perform man-in-middle (e.g., domain server
  attack) and request password reminders.

10
Connecting personal graphs

• If you know my mothers maiden name, what can
  you say about that of my siblings?
• If you know where I was born, what can you say
  about where my siblings were born?

11
Context aware attacks

• Phase 1 Infer or manipulate context of victim.
• (Innocous.)
• Phase 2 Use context to convince victim of
  authenticity of request.
• (Indistinguishable from harmless.)

12
Context aware example
(simplified phishing graph)
13
Performing identity linking

• Inside-out (use interface, request response bid
  and request id info)
• Outside-in (spam enter your eBay id)
• Epidemic linking (get links from victims)

(so, in reality, identity linking corresponds to
three edges.)
14
Performing victim selection

• Bidders could they have won? What are their
  identifiers?
• Sellers will they decline?

15
Defense against example attack

• Make identity linking difficult
• response is always anonymous
• Make victim selection difficult
• do not display id of highest bidder

16
General analysis and defense

• Determine probability of success of paths (with
  limitations translated into probabilities)
• Identify weak links of phishing graph (paths with
  high probability of success)
• Perform economic analysis of each path (is it
  worth it?)
• Partition graph, decrease probabilities, or
  increase effort or cost.
• For large graphs, this must be automated!

17
Future work

• Build exhaustive picture of graph by improved
  understanding of threats.
• Apply automated analysis methods to phishing
  graphs.
• Develop improved authentication methods.
• Develop methods to detect phishing attempts.
• Develop methods to allow visualization of a
  situation.
• Educate users about unsafe behavior.