Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars. Wesley W. Owen, [email protected], Graduate Student, U Mass Lowell, Dept. of Computer Science. MIT Spam Conference, March 27-28 2008

Page 1

Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars.

Wesley W. Owen
spamconference@wesconsulting.com

Graduate Student, U Mass Lowell
Dept. of Computer Science

MIT Spam Conference, March 27-28 2008

Page 2

Brief History

• The first known phishing attack on a financial operator was June 2001 against E-Gold.

• In 2004 phishing became a widespread attack and started to appear on the radar of technology crimes.

• Between 2004 and 2005, organized crime and phishers united to launch more attacks for profit.

Page 3

[Chart: Unique Phishing Sites Per Month. X-axis: Date, monthly from Sep-04 to Nov-07. Y-axis: # of Sites, 0 to 60,000.]

Data gathered from http://www.antiphishing.org/phishReportsArchive.html

Page 4

Tests Performed

• Test each technology against 10 real live phishing sites
  – Some URLs in blacklists

• Test those phishing sites copied to the lab
  – Lab URLs not in blacklists

• Create 10 phishing sites of my own in a lab
  – Viewing sites in IE7: View -> Source -> File -> Save As
  – wget -p --convert-links --user-agent="Mozilla…

Page 5

Limitations

• I did not decompile any anti-phishing technologies – my results are purely from Trial and Error

• I did not test enough phishing sites to make determinations regarding which anti-phishing filter is more effective at real phishing sites. Other papers in this area have done this. See:
  – http://www.cylab.cmu.edu/files/cmucylab06018.pdf
  – http://www.3sharp.com/projects/antiphishing/gone-phishing.pdf

Page 6

Anti-Phishing Technologies Examined

• Internet Explorer 7.0
• Netcraft’s Toolbar
• Earthlink’s Toolbar
• Geotrust Trustwatch
• SpoofGuard
• eBay’s Toolbar
• Firefox 2

Page 7

[Chart: Remote Phishing Sites. X-axis: Anti-Phishing Technology (IE 7, Netcraft, Earthlink, Geotrust, SpoofGuard, Ebay, Firefox 2). Y-axis: # of Sites Detected, 0 to 10. Two series per technology: "phish" and "suspect".]

Page 8

[Chart: Remote Phishing Sites Copied to Lab. X-axis: Anti-Phishing Technology (IE 7, Netcraft, Earthlink, Geotrust, SpoofGuard, Ebay, Firefox 2). Y-axis: # of Sites Detected, 0 to 10. Two series per technology: "phish" and "suspect".]

Page 9

[Chart: Lab Phishing Sites (IE7 Save-As). X-axis: Anti-Phishing Technology (IE 7, Netcraft, Earthlink, Geotrust, SpoofGuard, Ebay, Firefox 2). Y-axis: # of Sites Detected, 0 to 10. Two series per technology: "phish" and "suspect".]

Page 10

[Chart: Lab Phishing Sites (wget). X-axis: Anti-Phishing Technology (IE 7, Netcraft, Earthlink, Geotrust, SpoofGuard, Ebay, Firefox 2). Y-axis: # of Sites Detected, 0 to 10. Two series per technology: "phish" and "suspect".]

Page 11

[Chart: All Tests Combined. X-axis: Anti-Phishing Technology (IE 7, Netcraft, Earthlink, Geotrust, SpoofGuard, Ebay, Firefox 2). Y-axis: # of Sites Detected, 0 to 40. Two series per technology: "phish" and "suspect".]

Page 12

Types of Anti-Phishing Technology

• URL Blacklists
• Content Filter
• URL Popularity & Characteristics
• Password recognition

Page 13

URL Blacklists

Similar idea as SPAM Blacklists – a database of URLs that are known phishing sites

Pros:
– Low false positives
– Easy to lookup URLs (low overhead)
– Effective once the URL is listed

Cons:
– “Time to list” is too large to keep phishers out of business – approx 10 hrs as of 2/08 (phishtank.com)

Page 14

Content Filter

Examines the body of each web page visited

Pros:
– Detects phishing sites as soon as phishers publish them

Cons:
– Higher overhead than other technologies (a small price to pay for most users)
– It is possible to learn the content rules and work around them

Page 15

URL Popularity & Characteristics

URL Popularity: Checks domains against Google, Alexa, etc. to see how popular the URL is. The basis is that phishing sites are not popular.

URL Characteristics: Checks characteristics of the URL such as strange port numbers, recently registered domains, IP addresses, etc.

Page 16

URL Popularity & Characteristics

Pros:
– Easy to lookup URL (low overhead)

Cons:
– Usually requires human interpretation of the indicator and requires the operator to be aware of what phishing is.
– Privacy concerns – each site visited must be looked up at Google, Alexa, etc.
– May not work well for phishing sites hosted at sites like geocities, e.g. http://www.geocities.com/phisher/ebay/
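An added example, not code from the slides, of the URL-characteristics checks slide 15 lists (an IP-address host, an unusual port) plus a check for a brand name that sits outside the registrable domain, which is what catches the geocities case above that a popularity lookup misses. Popularity and domain age need external lookups (Google, Alexa, WHOIS) and are left out; the brand keyword list and the two-label registrable-domain rule are simplifying assumptions made here.

```python
import ipaddress
from urllib.parse import urlsplit

BRANDS = ("ebay",)          # assumption: brand keywords the check knows about
STANDARD_PORTS = {None, 80, 443}


def url_indicators(url: str) -> list[str]:
    """Return the suspicious URL characteristics found, in a fixed order."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    found = []
    try:                                   # literal IP instead of a domain name
        ipaddress.ip_address(host)
        found.append("ip-address host")
    except ValueError:
        pass
    if p.port not in STANDARD_PORTS:       # e.g. http://host:8080/
        found.append(f"unusual port {p.port}")
    # Crude registrable-domain rule (assumption): the last two labels of the host.
    registrable = ".".join(host.split(".")[-2:])
    # Brand name in a subdomain, path or query but not in the registrable domain,
    # e.g. http://www.geocities.com/phisher/ebay/ or http://ebay.com.example.net/
    outside = host.replace(registrable, "") + p.path.lower() + p.query.lower()
    for brand in BRANDS:
        if brand in outside and brand not in registrable:
            found.append(f"brand '{brand}' outside the registrable domain")
    return found
```

A real eBay sign-in URL produces no indicators, so the check does not need a whitelist to stay quiet on the genuine site.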

Page 17

Password recognition

Pros:
– Easy to detect (low overhead)

Cons:
– Assumes users never use the same password at more than one site
– Requires users to enter passwords to all sites ahead of time

Page 18

Details of IE7's Content Filter

By using Trial and Error I was able to determine what IE7's content filter was looking for when detecting fake ebay.com sites:

• 2 input tags nested in a form tag and 3 links:
  – “forgot userid” link
  – “forgot password” link
  – “keep me signed in” link

• 1 or more of 10 links that point to ebay.com

Page 19

Smallest Page that trips IE7's Content Filter

<html><body>
<form action="."><input><input></form>
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow"></a>
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow"></a>
<a href="http://pages.ebay.com/help/newtoebay/staying_signed_in.html"></a>
<a href="http://pages.ebay.com/help/new/contextual/account_protection.html"></a>
</body></html>

Page 20

Details of Earthlink's Content Filter

By using Trial and Error I was able to determine what Earthlink's content filter was looking for when detecting fake ebay.com sites:

• 2 input tags
• 2 or more of 14 links that point to ebay.com & 1 .js file on ebay.com

Page 21

Smallest Page that trips Earthlink's Content Filter

<html><body>
<input><input>
<a href="http://pages.ebay.com/help/index.html">Help</a>
<a href="http://pages.ebay.com/help/policies/privacy-policy.html">Privacy Policy</a>
</body></html>

Page 22

Page Load Attack

<html> <body>
<!-- phishing site here -->
<?php
// Keep the response open forever so the page never finishes loading.
while (1) {
    echo " ";
    flush();
    sleep(1);
}
?>
</body> </html>

Page 23

Image Load Attack

<html> <body>
<!-- phishing site here -->
<img src="http://1.2.3.4/image.gif">
<img src="http://1.2.3.5/image.gif">
<img src="http://1.2.3.6/image.gif">
<img src="http://1.2.3.7/image.gif">
<img src="http://1.2.3.8/image.gif">
...
</body> </html>

Page 24

JavaScript Attack

<html> <head>
<script language="JavaScript">
function go() {
    var buf = "phishing site here";
    output.innerHTML = buf;
}
</script>
</head>
<body onLoad="go()">
<div id="output"></div>
</body> </html>
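An added example, not code from the slides, that encodes the IE7 rule reported on slides 18 and 19 as a scanner over the raw HTML and runs it against the deck's smallest page and against a page that builds the same markup from a JavaScript string at load time, as in the JavaScript attack above. Assumptions made here: any ebay.com link other than the three hint links stands in for the deck's list of 10, and both input pages are constructed for the test.

```python
import re
from html.parser import HTMLParser

# The three account-recovery links the slides say IE7's filter looks for.
HINT_LINKS = {"UserIdRecognizerShow", "ForgotYourPasswordShow", "staying_signed_in"}
EBAY_LINK = re.compile(r"https?://([\w-]+\.)*ebay\.com/", re.I)

class FormScanner(HTMLParser):
    """Count <input> tags nested inside a <form> and collect <a href> values."""
    def __init__(self):
        super().__init__()
        self.form_depth, self.inputs_in_form, self.hrefs = 0, 0, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "form":
            self.form_depth += 1
        elif tag == "input" and self.form_depth:
            self.inputs_in_form += 1
        elif tag == "a" and href:
            self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1

def looks_like_ebay_phish(html: str) -> bool:
    """IE7-style rule from the slides: >=2 inputs in a form, all three hint
    links, plus at least one other link to ebay.com (assumption: any other
    ebay.com link stands in for the deck's list of 10)."""
    s = FormScanner()
    s.feed(html)
    s.close()
    hints_seen = {h for h in HINT_LINKS if any(h in u for u in s.hrefs)}
    others = [u for u in s.hrefs
              if EBAY_LINK.match(u) and not any(h in u for h in HINT_LINKS)]
    return s.inputs_in_form >= 2 and hints_seen == HINT_LINKS and bool(others)

# Constructed inputs: the deck's minimal IE7 page, and the same markup written
# into the DOM at load time from a JavaScript string (the JavaScript attack).
MIN_PAGE = ('<html><body><form action="."><input><input></form>'
            '<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow"></a>'
            '<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow"></a>'
            '<a href="http://pages.ebay.com/help/newtoebay/staying_signed_in.html"></a>'
            '<a href="http://pages.ebay.com/help/new/contextual/account_protection.html"></a>'
            '</body></html>')
JS_PAGE = ('<html><head><script>function go(){var buf=' + repr(MIN_PAGE) +
           ';output.innerHTML=buf;}</script></head>'
           '<body onload="go()"><div id="output"></div></body></html>')
```

The scanner flags MIN_PAGE but not JS_PAGE, because <script> content is opaque text to an HTML parser; a content filter that wants to close that gap has to inspect the rendered DOM rather than the raw response.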

Page 25

Attacks Against Anti-Phishing Filters

Anti-Phishing Technology                | Page Load Attack | Image Load Attack | JavaScript Attack
----------------------------------------|------------------|-------------------|------------------
IE 7.0 (Content Filter / Blacklist)     | Yes / No         | Yes / No          | Yes / N/A
Netcraft                                | No               | No                | N/A
Earthlink (Content Filter / Blacklist)  | No / No          | Yes / No          | Yes / N/A
Geotrust                                | No               | No                | N/A
SpoofGuard                              | Yes              | Yes               | Yes
eBay’s Toolbar                          | Yes*             | Yes*              | N/A
Firefox 2                               | No               | No                | N/A

* The Page Load and Image Load attacks worked some of the time against eBay’s Toolbar. I was unable to determine why it worked with some URLs but not others.

Page 26

Attacks against URL Blacklists

Google’s blacklist: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1 has similar entries that lead me to believe wildcards are not being used:

http://home.doramail.com/w37eudhs/
http://home.doramail.com/w823ehds/
http://189.140.107.157/
http://189.140.107.157/bankmain.htm/
http://189.140.107.157/boveda/

Similar results at http://www.phishtank.com/phish_archive.php

Page 27

Attacks against URL Blacklists

Using multiple subdomains, folders, etc., phishers already create many phishing URLs.

It is possible to create infinitely many URLs by:
• Custom 404 error page (page not found)
• Apache rewrite rule:

RewriteEngine on
RewriteRule ^[A-Za-z0-9]*$ phishing_page.html
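An added example, not from the slides, showing why a blacklist of exact URLs (the shape of the goog-black-url entries quoted on the previous slide) misses the URLs that a custom 404 page or the RewriteRule above can mint, and how keying the lookup on the host, or on host plus first folder, closes the gap without blocking a whole shared host. The blacklist entries are constructed here from the ones quoted on the slide.

```python
from urllib.parse import urlsplit

# Constructed blacklist in the style of the slide's entries: full URLs, no wildcards.
BLACKLIST = {
    "http://home.doramail.com/w37eudhs/",
    "http://189.140.107.157/",
    "http://189.140.107.157/bankmain.htm/",
}


def exact_listed(url: str) -> bool:
    """Exact-string lookup, which is what the slide infers the list does."""
    return url in BLACKLIST


def key_of(url: str) -> tuple[str, str]:
    """(host, first path folder); host is lowercased, folder is '' for a root URL."""
    p = urlsplit(url)
    host = p.hostname or ""
    folder = p.path.split("/")[1].lower() if "/" in p.path else ""
    return host, folder


_KEYS = {key_of(u) for u in BLACKLIST}
_ROOT_HOSTS = {host for host, folder in _KEYS if folder == ""}


def listed_by_prefix(url: str) -> bool:
    """Match when the whole host is listed (its root URL is on the list) or when
    host + first folder is listed. A RewriteRule ^[A-Za-z0-9]*$ or a custom 404
    page can mint endless paths, but they all share the listed host or folder.
    Listing only a folder keeps a shared host such as geocities.com unblocked."""
    host, folder = key_of(url)
    return host in _ROOT_HOSTS or (host, folder) in _KEYS
```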

Page 28

Conclusions

• The best anti-phishing filters use a layered approach (URL Blacklist + Content Filter)
  – Use multiple phishing blacklists

• Future work:
  – Decompiling IE7 and Earthlink’s content filter to learn more about them
    • If they use static rules, enhance them to use dynamic rules that can be controlled & updated centrally; that would make it much harder for phishers to succeed
  – Address the page/image load & JavaScript attacks

Page 29

Questions and Comments?