Phishing basics (Don't try this at home.) - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Phishing basics (Don't try this at home.)
2
Phishing example

Dear U.S. Bank Customer,

J 6 rampant seventeen polynomial forfeiture weed inflow Murray

At U.S. Bank, we take security very seriously. As many customers already know, Microsoft Internet Explorer has significant 'holes' or vulnerabilities that virus creators can easily take advantage of. At U.S. Bank, we maintain your personal information and data according to strict standards of security and confidentiality as described in the Terms and Conditions that govern your use of this site. Online access to your account portfolio is only possible through a secure web browser. In order to further protect your account, we have introduced some new important security standards and browser requirements. U.S. Bank security systems require that your computer system is compatible with our new standards. This security update will be effective immediately. Please sign on to U.S. Bank Online Banking in order to verify security update installation. Failure to do so may result in your account being compromised.

rhubarb Nelson cord

Sincerely,

8 D pawnshop dismal likewise 72 192

The U.S.Bank Security Department Team.

Slide callouts annotating parts of the message: Truth, Good news, Request, Threat, Anti-spam filter text
3
What is phishing?
Technology
Social engineering
4
What is the problem?
  • Technology that does things it should not do,
    and doesn't do things it should do.
  • People who do things they should not do, and do
    not do things they should do.
  • (Ask a general question, get a general answer!)

5
Let's look at some common attacks!
  • and let's consider possible countermeasures,
    too

6
Spoofing Mail
A moment with The King

7
First, connect to a computer on the IU network.
(Not required if sending mail to someone at IU.)
8
telnet mail-relay.iu.edu 25
Next, use telnet to connect to the Mail Transfer Agent, the MTA (e.g. mail-relay.iu.edu)
9
HELO graceland.net
Next, identify yourself with the HELO command (you can lie here)
10
MAIL FROM: elvis@graceland.net
Say who the mail is coming from. In this case, the MTA doesn't care who it comes from (elvis@graceland.net)
11
RCPT TO: sstamm@indiana.edu
Say for whom the mail is destined. This MTA accepts mail for any IU user from anybody on the internet.
12
DATA
From: Elvis Presley
To: Sid
Subject: Don't step on My blue suede shoes!

-The King
.
Type the email. This includes the To, From and Subject fields that will show up in the target's mail client.
13
QUIT
Close the connection to the MTA. It will immediately deliver the email.
14
The victim gets an email that appears to be from
The King.
15
But a closer look at the headers reveals the
originating server, which is not graceland.net
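The "closer look at the headers" from slide 15, as an added example that is not part of the original presentation: Python that reads the earliest Received: header of a constructed copy of the spoofed message (hop names, IP addresses and queue ids in RAW_MESSAGE are made up) to find the server that injected the mail, and compares it with the domain the From: header claims.

```python
import email
import re
from email import policy

# Constructed sample (not from the slides): the message from slides 7-14 as it might
# arrive, with the Received: headers that mail-relay.iu.edu and the mailbox server
# prepend. Hop names, IP addresses and queue ids are made up.
RAW_MESSAGE = b"""\
Received: from mail-relay.iu.edu (mail-relay.iu.edu [10.0.0.25])
\tby mailbox.indiana.edu with ESMTP id 7x1; Mon, 1 Mar 2004 10:00:02 -0500
Received: from graceland.net (dhcp-12-34.students.iu.edu [10.79.12.34])
\tby mail-relay.iu.edu with SMTP id 3k9; Mon, 1 Mar 2004 10:00:01 -0500
From: Elvis Presley <elvis@graceland.net>
To: Sid <sstamm@indiana.edu>
Subject: Don't step on My blue suede shoes!

-The King
"""

# "from <HELO name> (<reverse DNS> [<IP>])", the form most MTAs write.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]\)", re.I)

def first_hop(raw: bytes) -> dict:
    """HELO name, reverse DNS and IP of the hop that injected the message.
    Relays prepend Received: headers, so the last one is the earliest hop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return {}
    m = RECEIVED_FROM.search(" ".join(str(received[-1]).split()))
    return m.groupdict() if m else {}

def sender_domain(raw: bytes) -> str:
    """Domain the From: header claims the mail comes from."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].domain.lower()

def spoof_indicators(raw: bytes) -> list:
    """Reasons the claimed sender does not match the server that really sent it."""
    hop, claimed = first_hop(raw), sender_domain(raw)
    helo, rdns = hop.get("helo", "").lower(), (hop.get("rdns") or "").lower()
    findings = []
    if helo != rdns:
        findings.append(f"HELO name {helo} differs from reverse DNS {rdns}")
    if not (rdns == claimed or rdns.endswith("." + claimed)):
        findings.append(f"first hop {rdns} ({hop.get('ip')}) is not in {claimed}")
    return findings
```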
16
The problem? Recall Mail Relays
  • Open Relay: senders are not authenticated
  • Closed Relay: senders must have an account

17
Could this problem be avoided using Digital
Signatures?
18
How does a digital signature (e.g., RSA) work?
Diagram: Alice holds a secret key SK_Alice and a public key PK_Alice.
Signing side: message m = "Hello Bob." -> bit string 0011...01 -> digitally sign (with SK_Alice) -> signature 0001...01
Send message, signature, certificate
Verifying side: message m = "Hello Bob." -> bit string 0011...01, signature 0001...01 -> verify (with PK_Alice)
19
How do you know what public key to use?
Attack!
Key directory before the attack:
  Bits 'n' bytes: (01..1, 001101) (11..0, 100111) (11..1, 010010)
  Interpretation: (Bob, PK_Bob) (Joe, PK_Joe) (Lucy, PK_Lucy)
Key directory after the attack:
  Bits 'n' bytes: (01..1, 1101...11) (11..0, 100111) (11..1, 010010)
  Interpretation: (Bob, PK_Eve) (Joe, PK_Joe) (Lucy, PK_Lucy)
20
Our problem
There is no ubiquitous public key infrastructure!

21
Although, a PKI would not immediately solve the
problem, either.
  • Homograph attacks use foreign alphabets or
    similar-looking characters to register domains;
    these can later get a valid certificate!
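
An added example, not from the presentation: a Python check for the homograph problem above. It flags a domain label that mixes alphabets and a domain whose look-alike "skeleton" equals a trusted name; the confusable table is a constructed subset of Unicode's confusables data, and google.com (from slide 22) is used only as the trusted name.

```python
import unicodedata

# Constructed subset of look-alikes: letters from other alphabets and ASCII pairs that
# render like another ASCII letter. Unicode's confusables.txt is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                   # Cyrillic с х у
    "\u03bf": "o", "\u03b1": "a",                                  # Greek ο α
    "0": "o", "1": "l", "rn": "m", "vv": "w",
}

def scripts(label: str) -> set:
    """Scripts used by the letters of one DNS label, read off the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def skeleton(domain: str) -> str:
    """Fold look-alikes to one canonical spelling so confusable names compare equal."""
    s = unicodedata.normalize("NFKC", domain.lower())
    for lookalike in sorted(CONFUSABLES, key=len, reverse=True):  # multi-char keys first
        s = s.replace(lookalike, CONFUSABLES[lookalike])
    return s

def homograph_findings(domain: str, trusted: list) -> list:
    """Why `domain` may be a homograph of a trusted domain (empty list if no reason)."""
    findings = []
    for label in domain.split("."):
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(used)}")
    for t in trusted:
        if domain.lower() != t.lower() and skeleton(domain) == skeleton(t):
            findings.append(f"{domain!r} is confusable with trusted {t!r}")
    return findings
```

A certificate issued for the look-alike name is valid for that name, so this kind of comparison has to happen in the client or mail filter; the certificate alone will not reveal it.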

22
Another problem: Recall Addressing
  • Q: I don't want to type numbers, can't I just
    type google.com?
  • A: Yes, thanks to the Domain Name System (DNS)

23
Another problem: Recall Addressing
  • Q: I don't want to type numbers, can't I just
    type google.com?
  • A: Yes, thanks to the Domain Name System (DNS)

Diagram: the name google.com resolving to 10.0.2.3, and a manipulated lookup that sends the user to verybadplace.com instead.
This is referred to as pharming.
24
Another phishing problem: Spam
  • Web Page Harvesting
  • Online Address Books
  • Viruses (Address Book Harvesting)
  • Email Traffic Monitoring
  • Random Guessing
  • Exhaustive Search (a@iu.edu, ...)
  • Web bugs can be used to find active email
    accounts.

25
Spam Filters: Protection
  • Mail can be filtered when it is
    • Sent (by originating server)
    • En route (by servers along the way)
    • Delivered (on destination's PC)

26
Blacklist Filtering
Deny mail from addresses on the list
Blacklist: viagra@hotmail.com, noreply@beernuts.org, vicki@porn-site.com
  To: sid@iu.edu  From: viagra@hotmail.com  Subject: free ViAgRa!  -> On the list! Go Away!
  To: sid@iu.edu  From: markus@iu.edu  Subject: free money!  -> not on the list, delivered
27
Whitelist Filtering
Allow only mail from addresses on the list
Whitelist: markus@iu.edu, Prez@bigcorp.net, fred00@hotmail.com
  To: sid@iu.edu  From: viagra@hotmail.com  Subject: free ViAgRa!  -> Not on the list!
  To: sid@iu.edu  From: markus@iu.edu  Subject: free money!  -> on the list, delivered
28
Collaborative Filtering
  • Clients give spam to authority
  • Authority archives all reported spam
  • Clients ask authority if a message is spam
  • Authority could be the client's mail server

29
Bayesian Filtering
  • Operates in two modes: first learns, then filters
  • The more email seen, the better the accuracy

TRAINING
  • Analyzes messages
  • Asks user to identify spam
  • Learns from user feedback

FILTERING
  • Analyzes messages
  • Classifies messages as spam or not
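The two modes above as an added example, not code from the slides: a small word-presence naive Bayes filter in Python, trained on constructed messages (the subjects echo slides 26 and 27) and then asked to classify new mail. The random dictionary words in the slide 2 message are there to push a filter of this kind towards "not spam".

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z$!']{2,}")

def tokens(text: str) -> set:
    return set(TOKEN.findall(text.lower()))       # distinct lowercase words (presence only)

class BayesianFilter:
    """Slide 29's two modes: train() on mail the user has labelled, then classify() new mail."""

    def __init__(self):
        self.spam_docs, self.ham_docs = 0, 0
        self.spam_words, self.ham_words = Counter(), Counter()

    def train(self, text: str, is_spam: bool) -> None:
        """Learn from user feedback: in how many spam / non-spam messages each word appears."""
        if is_spam:
            self.spam_docs += 1
            self.spam_words.update(tokens(text))
        else:
            self.ham_docs += 1
            self.ham_words.update(tokens(text))

    def spam_probability(self, text: str) -> float:
        """P(spam | words) by naive Bayes in log space with add-one smoothing."""
        total = self.spam_docs + self.ham_docs
        log_spam, log_ham = math.log(self.spam_docs / total), math.log(self.ham_docs / total)
        for w in tokens(text):
            log_spam += math.log((self.spam_words[w] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_words[w] + 1) / (self.ham_docs + 2))
        return 1 / (1 + math.exp(log_ham - log_spam))

    def classify(self, text: str, threshold: float = 0.9) -> bool:
        """Filtering mode: True means the message is classified as spam."""
        return self.spam_probability(text) >= threshold

# Constructed training mail (not from the slides), echoing the subjects on slides 26-27.
SPAM = ["free ViAgRa! order now", "free money! click here now",
        "cheap pills with free shipping", "you have won free money, verify your account now"]
HAM = ["notes from the security lecture are posted", "lecture slides on phishing and spam filters",
       "can we meet tomorrow about the homework", "project meeting notes and next steps"]

def trained_filter() -> BayesianFilter:
    """Training mode over the sample mail; returns a filter ready for filtering mode."""
    f = BayesianFilter()
    for text, is_spam in [(t, True) for t in SPAM] + [(t, False) for t in HAM]:
        f.train(text, is_spam)
    return f
```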
30
Message Signing
What Really Happens
Bob's machine: Sig <- (M, S_bob)
Alice's machine: Valid(Sig, M, P_bob)?
Bob's machine signs with his private key
Alice's machine verifies using Bob's public key
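Slides 18, 19 and 30 in working form, as an added example that is not from the presentation: toy textbook RSA signing and verification, plus the slide 19 attack in which the key directory lists Eve's public key under Bob's name, so a message Eve signs verifies as "Bob's". The primes are tiny and the scheme has no padding; it is illustration only.

```python
import hashlib
from math import gcd

# Toy RSA for the slides' Alice/Bob/Eve story (constructed example, not for real use).

def keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((n, e), (n, d)): the public key PK and the private (signing) key SK."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))

def digest(m: bytes, n: int) -> int:
    """Message -> bit string (slide 18): hash it and reduce into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(m: bytes, sk: tuple) -> int:
    """Sig <- (M, S_signer) on slide 30."""
    n, d = sk
    return pow(digest(m, n), d, n)

def verify(m: bytes, sig: int, pk: tuple) -> bool:
    """Valid(Sig, M, P_signer)? on slide 30."""
    n, e = pk
    return pow(sig, e, n) == digest(m, n)

def valid_from_directory(directory: dict, sender: str, m: bytes, sig: int) -> bool:
    """Alice's real decision: verify with whatever key the directory lists for `sender`."""
    return verify(m, sig, directory[sender])

# Known primes, far too small for real keys (a real modulus is 2048 bits or more).
PK_BOB, SK_BOB = keygen(1000000007, 998244353)
PK_EVE, SK_EVE = keygen(1000000009, 999999937)
HONEST = {"Bob": PK_BOB, "Eve": PK_EVE}      # (Bob, PK_Bob) row of slide 19
POISONED = {"Bob": PK_EVE, "Eve": PK_EVE}    # (Bob, PK_Eve): Eve's key under Bob's name
FORGED = b"Hi Alice, please send the money to Eve. - Bob"
FORGED_SIG = sign(FORGED, SK_EVE)            # Eve signs with her own private key
```

The signature itself is sound in both cases; what fails in the poisoned case is the binding of a name to a key, which is exactly the job a PKI is meant to do.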
31
Another phishing problem: Password reuse
  • Rogue sites obtain user names and passwords, and
    try them elsewhere (perhaps trying a few
    derivations, too).
  • Hackers and insiders obtain user names and
    passwords from honest sites, and try them
    elsewhere, etc.

32
Possible fix: PwdHash
In: human-memorized password and URL
Out: site-customized password
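The PwdHash idea above as an added example (a simplified construction using HMAC-SHA256 keyed by the master password, not PwdHash's own algorithm): the site-customized password depends on the registered domain of the URL, so the password a user types into verybadplace.com is worthless at google.com, and a password leaked from one honest site does not open another.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

def registered_domain(url: str) -> str:
    """Host of the URL reduced to its last two labels. Constructed simplification:
    a real deployment needs public-suffix logic so names like example.co.uk work."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def site_password(master: str, url: str, length: int = 16) -> str:
    """In: human-memorized password and URL. Out: site-customized password (slide 32).
    A different domain, including a look-alike or phishing domain, gives a different output."""
    domain = registered_domain(url)
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    # Base64 keeps the result typeable in an ordinary password field.
    return base64.b64encode(mac).decode("ascii")[:length]
```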
33
And a non-technical problem
You are here
Attackers are here
34
Current attack style
Approx. 3% of adult Americans report having been
victimized.
35
More sophisticated attack style
Context-aware attack, a.k.a. spear phishing
Preliminary tests show 50-75% would have been
victimized.