View
219
Download
1
Tags:
Embed Size (px)
Citation preview
iTrustPage: Pretty Good Phishing Protection
iTrustPage: Pretty Good Phishing Protection
Stefan Saroiu, Troy Ronda, and Alec WolmanStefan Saroiu, Troy Ronda, and Alec WolmanUniversity of Toronto and Microsoft ResearchUniversity of Toronto and Microsoft Research
Phishing Attacks Cost Real Phishing Attacks Cost Real Money!Money!
Hundreds of millions of $$$ cost to U.S. Hundreds of millions of $$$ cost to U.S. economyeconomy
Affects 1+ million Internet users in U.S. aloneAffects 1+ million Internet users in U.S. alone
Real cost:Real cost: Erosion of trust in Web as e-commerce Erosion of trust in Web as e-commerce
platformplatform 40% of people not banking online do not trust 40% of people not banking online do not trust
Web!!! Web!!!
Myriad of Solutions ProposedMyriad of Solutions Proposed
Spam filters [CMU ‘06, SpamAssassin, Spam filters [CMU ‘06, SpamAssassin, Outlook]Outlook]
Browser blacklists [IE7, FF 2.0, Opera]Browser blacklists [IE7, FF 2.0, Opera] Password managers [Princeton ‘05, Stanford Password managers [Princeton ‘05, Stanford
‘06, Berkeley ‘06]‘06, Berkeley ‘06] Out-of-band authentication [CMU ‘06, Out-of-band authentication [CMU ‘06,
Stanford ‘06]Stanford ‘06] User-created labels, warnings [Stanford ‘06]User-created labels, warnings [Stanford ‘06] Automatic fillers [MIT ‘06]Automatic fillers [MIT ‘06] Centralized approaches [MSR ‘06]Centralized approaches [MSR ‘06]
Yet… the Problem is Growing!Yet… the Problem is Growing!
Number of phishing sites grew Number of phishing sites grew 10X10X in 18 in 18 monthsmonths 2004 -- mid 20062004 -- mid 2006
Banks claim phishing becoming #1 source Banks claim phishing becoming #1 source of fraudof fraud
Phishing e-mails becoming personalizedPhishing e-mails becoming personalized sophisticated and hard-to-filtersophisticated and hard-to-filter
Must look into new anti-phishing Must look into new anti-phishing approaches!approaches!
OutlineOutline
Motivating the need for new approachesMotivating the need for new approaches Lessons learned from current approachesLessons learned from current approaches iTrustPage demoiTrustPage demo Design and implementationDesign and implementation EvaluationEvaluation ConclusionsConclusions
OutlineOutline
Motivating the need for new approachesMotivating the need for new approaches Lessons learned from current approachesLessons learned from current approaches iTrustPage demoiTrustPage demo Design and implementationDesign and implementation EvaluationEvaluation ConclusionsConclusions
Current Approaches’ Current Approaches’ ShortcomingsShortcomings Spam filters + blacklists imperfect and too Spam filters + blacklists imperfect and too
slowslow Phishing sites’ average uptime is 4.5 days Phishing sites’ average uptime is 4.5 days
Password managers have usability Password managers have usability problemsproblems Based on hard-to-grasp concepts, uncommon Based on hard-to-grasp concepts, uncommon
taskstasks
Personalized visual cluesPersonalized visual clues Rely on users to be diligentRely on users to be diligent
Automatic password fillersAutomatic password fillers Easy to fool + they create local password Easy to fool + they create local password
repositoryrepository
Lessons LearnedLessons Learned
Anti-phishing tools must be intuitive + easy-Anti-phishing tools must be intuitive + easy-to-useto-use Users must perform very simple, common tasksUsers must perform very simple, common tasks
Relying on users to be diligent unlikely to Relying on users to be diligent unlikely to workwork
Phishing is becoming personalizedPhishing is becoming personalized Can’t rely on static filtersCan’t rely on static filters
Anti-phishing tools must re-act quickly to Anti-phishing tools must re-act quickly to attacksattacks Cannot wait for updates or new filtersCannot wait for updates or new filters
Our Approach: iTrustPageOur Approach: iTrustPage
Prevents users from filling out phishing Prevents users from filling out phishing formsforms
Does not rely on static filtersDoes not rely on static filters
Users perform simple, common, and intuitive Users perform simple, common, and intuitive taskstasks
Doesn’t rely on users to stay vigilentDoesn’t rely on users to stay vigilent
Harder-to-foolHarder-to-fool Stops users whenever key is pressed on any site Stops users whenever key is pressed on any site
whether a form is present or notwhether a form is present or not
High-Level View of Our ToolHigh-Level View of Our Tool
If user fills suspicious form, user asked for If user fills suspicious form, user asked for input:input:
1.1. Describe search terms for questionable Describe search terms for questionable formform i.e., Is the user visiting an well-established i.e., Is the user visiting an well-established
site?site? If yes, site is unlikely to phish If yes, site is unlikely to phish
2.2. Visual comparison of questionable Web Visual comparison of questionable Web form with Web forms arrived at via Google form with Web forms arrived at via Google resultresult i.e., Do these two forms look visually the i.e., Do these two forms look visually the
same?same? If yes, site is likely to phishIf yes, site is likely to phish
Live Demonstration – Trusted Live Demonstration – Trusted PagePage Navigate to Google and perform a searchNavigate to Google and perform a search
Our Two Key ObservationsOur Two Key Observations
Rely on user input to help disambiguate Rely on user input to help disambiguate between legit and fake sitesbetween legit and fake sites Certain decision making tasks are hard to Certain decision making tasks are hard to
automate reliably, yet very easy for people to automate reliably, yet very easy for people to decidedecide
e.g., deciding when 2 Web sites appear visually e.g., deciding when 2 Web sites appear visually similarsimilar
Use external Web information repositoriesUse external Web information repositories Use Internet sources to help determine Use Internet sources to help determine
legitimacy of particular Web site or formlegitimacy of particular Web site or form e.g., many attacks target well-known, popular e.g., many attacks target well-known, popular
Web sites + search engines can identify such Web sites + search engines can identify such sitessites
OutlineOutline
Motivating the need for new approachesMotivating the need for new approaches Lessons learned from current approachesLessons learned from current approaches iTrustPage demoiTrustPage demo Design and implementationDesign and implementation EvaluationEvaluation ConclusionsConclusions
OutlineOutline
Motivating the need for new approachesMotivating the need for new approaches Lessons learned from current approachesLessons learned from current approaches iTrustPage demoiTrustPage demo Design and implementationDesign and implementation EvaluationEvaluation ConclusionsConclusions
Automatic ClassificationAutomatic Classification
iTrustPage stores locally previously visited iTrustPage stores locally previously visited formsforms No need to re-validate formNo need to re-validate form
Two additional conservative heuristicsTwo additional conservative heuristics Google’s PageRank >= 5Google’s PageRank >= 5 Must be verified by TrustWatchMust be verified by TrustWatch
Heuristics could be exploited by attackersHeuristics could be exploited by attackers Fundamental trade-off between usability & Fundamental trade-off between usability &
securitysecurity
ValidationValidation
Web form is validated if:Web form is validated if:1.1. Our conservative heuristics validate it Our conservative heuristics validate it
(automatically)(automatically)
2.2. Form’s domain in top 10 domains from GoogleForm’s domain in top 10 domains from Google Based on user-input keywordsBased on user-input keywords
3.3. Repeat step 2 k-times, refining search Repeat step 2 k-times, refining search keywordskeywords Where k is variable depending on form’s PageRankWhere k is variable depending on form’s PageRank Higher PageRank means lower kHigher PageRank means lower k
4.4. When everything else fails, raise flashy When everything else fails, raise flashy warning boxwarning box Fundamental corner-case, common to all toolsFundamental corner-case, common to all tools
ImplementationImplementation
5,200 lines of code for Firefox extension5,200 lines of code for Firefox extension Tested with Linux, Mac, WindowsTested with Linux, Mac, Windows Open-source, freely availableOpen-source, freely available
900 downloads in one month900 downloads in one month
Recently released ver. 2.0 with better Recently released ver. 2.0 with better interfaceinterface It still needs lots of work thoughIt still needs lots of work though
Circumventing iTrustPageCircumventing iTrustPage
Create phishing page on site with high Create phishing page on site with high PageRankPageRank1.1. Break into popular siteBreak into popular site
2.2. ““Google bomb” attackGoogle bomb” attack
Compromise user’s Web browserCompromise user’s Web browser In this case, all bets are off (spyware!)In this case, all bets are off (spyware!)
OutlineOutline
Motivating the need for new approachesMotivating the need for new approaches Lessons learned from current approachesLessons learned from current approaches iTrustPage demoiTrustPage demo Design and implementationDesign and implementation EvaluationEvaluation ConclusionsConclusions
OutlineOutline
Motivating the need for new approachesMotivating the need for new approaches Lessons learned from current approachesLessons learned from current approaches iTrustPage demoiTrustPage demo Design and implementationDesign and implementation EvaluationEvaluation ConclusionsConclusions
Evaluation StrategyEvaluation Strategy
1.1. Performance evaluationPerformance evaluation
2.2. Evaluating iTrustPage’s effectivenessEvaluating iTrustPage’s effectiveness
3.3. Usability studyUsability study
Evaluation StrategyEvaluation Strategy
1.1. Performance evaluationPerformance evaluation
2.2. Evaluating iTrustPage’s effectivenessEvaluating iTrustPage’s effectiveness
3.3. Usability studyUsability study
MethodologyMethodology
Would users notice a performance Would users notice a performance degradation?degradation? iTrustPage prefetches PageRank and iTrustPage prefetches PageRank and
TrustWatchTrustWatch
Load pages of randomly chosen 115 US Load pages of randomly chosen 115 US banksbanks
Average PC: P III, 256MB RAM, U of T Average PC: P III, 256MB RAM, U of T networknetwork
Compare page loading times of Compare page loading times of unmodified browser to unmodified browser to browser+iTrustPagebrowser+iTrustPage
Very Little Additional OverheadVery Little Additional Overhead
0
20
40
60
80
100
0 0.5 1 1.5 2 2.5 3Ratio of Load Times
Percentage of Web sites
(Browser + iTrustPage) over stock Browser
stock Browser 1st time over
stock Browser 2nd time
Average site has 27ms extra overheadAverage site has 27ms extra overhead
Evaluation StrategyEvaluation Strategy
1.1. Performance evaluationPerformance evaluation
2.2. Evaluating iTrustPage’s effectivenessEvaluating iTrustPage’s effectiveness
3.3. Usability studyUsability study
QuestionsQuestions
Are automatic validation heuristics Are automatic validation heuristics correct?correct?
How often do users need to validate How often do users need to validate forms?forms?
For hard-to-validate forms, how often do For hard-to-validate forms, how often do users need to revise search terms? users need to revise search terms?
QuestionsQuestions
Are automatic validation heuristics Are automatic validation heuristics correct?correct?
How often do users need to validate How often do users need to validate forms?forms?
For hard-to-validate forms, how often do For hard-to-validate forms, how often do users need to revise search terms?users need to revise search terms?
MethodologyMethodology
Can’t measure from iTrustPage’s Can’t measure from iTrustPage’s deploymentdeployment We do not record number of forms visited by We do not record number of forms visited by
usersusers
Use previously collected traces of Use previously collected traces of WebsitesWebsites Research log: 14 research lab users over 3.5 Research log: 14 research lab users over 3.5
monthsmonths IRCache log: 8,714 users over 6.5 monthsIRCache log: 8,714 users over 6.5 months
Assume all pages have formsAssume all pages have forms
40% Sites are Automatically 40% Sites are Automatically ValidatedValidated
40.47% 37.24%
59.53% 62.76%
0%
20%
40%
60%
80%
100%
Research Sites IRCache Sites
Must Use iTrustPage
iTrustPageRemains
Transparent
Users are Disrupted Less over Users are Disrupted Less over TimeTime
0%
20%
40%
60%
1 day 2 days 3 days 4 days 5 days 6 days 1 week 2 wks. 3 wks.
iTrustPage's Cache Hit Rate
This data is from iTrustPage’s deploymentThis data is from iTrustPage’s deployment
Evaluation StrategyEvaluation Strategy
1.1. Performance evaluationPerformance evaluation
2.2. Evaluating iTrustPage’s effectivenessEvaluating iTrustPage’s effectiveness
3.3. Usability studyUsability study
MethodologyMethodology
4-step study:4-step study: Fill-out preliminary survey to gather Fill-out preliminary survey to gather
background infobackground info Present tutorial on iTrustPagePresent tutorial on iTrustPage Ask users to perform six steps, including:Ask users to perform six steps, including:
Visit popular legit formVisit popular legit form Visit unpopular legit form, could be easily found on Visit unpopular legit form, could be easily found on
GoogleGoogle Visit phishing siteVisit phishing site Visit unpopular legit form, can’t be found on GoogleVisit unpopular legit form, can’t be found on Google
Post-study questionnairePost-study questionnaire
15 participants15 participants
More disruptions, less easy to More disruptions, less easy to use!use!
1
2
3
4
5
Commontask
Commonlogin
Lesscommon
task
Lesscommon
login
Phishingform
Login onunpopular
form
Ease of UseFeel Safe
Easy / Safe
Hard / Unsafe
Security vs. UsabilitySecurity vs. Usability
1
2
3
4
5
Overall ease-of-use
Overall sense ofsecurity
Phishingprotection is
important
Anti-phishingtools importanteven when not
easy to use
Give up onlinebanking ifphishingbecomesprevalent
Agree
Disagree
Security vs. UsabilitySecurity vs. Usability
1
2
3
4
5
Overall ease-of-use
Overall sense ofsecurity
Phishingprotection is
important
Anti-phishingtools importanteven when not
easy to use
Give up onlinebanking ifphishingbecomesprevalent
Agree
Disagree
ConclusionsConclusions
New anti-phishing tool based on two New anti-phishing tool based on two insightsinsights User input can be used to distinguish legit User input can be used to distinguish legit
from fake sites, as long as interaction is from fake sites, as long as interaction is simple and intuitivesimple and intuitive
Internet information repositories can be used Internet information repositories can be used to assist user with their decisionto assist user with their decision
Our evaluation has shown:Our evaluation has shown: Negligible performance overheadNegligible performance overhead Automatic classification heuristics correct and Automatic classification heuristics correct and
usefuluseful Tool becomes less disruptive over timeTool becomes less disruptive over time User like tool when few disruptions onlyUser like tool when few disruptions only