What can be done to prevent context aware attacks?
More and more people recognize the increasing threat of identity theft, where high-volume Internet based attacks (referred to as phishing) are the most commonly seen threat.
In contrast to what much of the current media coverage tells us, phishing is not only a threat to individuals and their personal savings, but also to society as a whole. One reason is that organized crime can use large numbers of accounts to perform money laundering — be it for drugs or to fund terrorism — simply by performing small payments to and from such accounts. Namely, if a criminal credits and debits accounts he controls by transferring money between them, he can move large sums of money in a way that is very hard to trace. More specifically, if each account has the same in-flow as out-flow of money (although not necessarily the same number of in and out transfers), then the account owners would not be financially affected by the attack, and may in fact not even notice that it takes place. However, as is well understood in theoretical computer science, the actual source and destination of funds would be very hard to trace, at least if several “hops” of payments are made and a large number of accounts are involved.
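The balanced in-flow/out-flow pattern described above is exactly what a transaction-monitoring check can look for. The following is an added example (not code from the original post): it flags accounts whose incoming and outgoing totals match while moving a meaningful volume, and shows how the set of accounts funds could have reached grows with each hop. The ledger, account names and thresholds are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Transfer:
    src: str
    dst: str
    amount: int  # whole currency units, constructed values

# Constructed sample ledger: S deposits into mule A; the sum is split across B and C,
# recombined at D, and leaves via X. Each mule forwards exactly what it received.
# N1..N4 are ordinary accounts with uneven flows.
SAMPLE = [
    Transfer("S", "A", 1000),
    Transfer("A", "B", 600), Transfer("A", "C", 400),
    Transfer("B", "D", 600), Transfer("C", "D", 400),
    Transfer("D", "X", 1000),
    Transfer("N1", "N2", 300), Transfer("N1", "N3", 200),
    Transfer("N2", "N4", 100),
]

def account_stats(transfers):
    """Per-account totals: {acct: {"in": x, "out": y, "in_n": i, "out_n": o}}."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "in_n": 0, "out_n": 0})
    for t in transfers:
        stats[t.src]["out"] += t.amount
        stats[t.src]["out_n"] += 1
        stats[t.dst]["in"] += t.amount
        stats[t.dst]["in_n"] += 1
    return dict(stats)

def flag_pass_through(transfers, min_throughput, tolerance=0):
    """Accounts whose in-flow equals out-flow (within tolerance) yet move at least
    min_throughput in total. Only amounts are compared: the number of incoming and
    outgoing transfers may differ, as the post notes."""
    flagged = []
    for acct, s in account_stats(transfers).items():
        if s["in"] == 0 or s["out"] == 0:
            continue  # pure sources and sinks are not pass-through accounts
        if abs(s["in"] - s["out"]) <= tolerance and s["in"] + s["out"] >= min_throughput:
            flagged.append(acct)
    return sorted(flagged)

def reachable_after_hops(transfers, start, max_hops):
    """Accounts that funds leaving `start` could have reached within max_hops transfers.
    The candidate set widens at every hop, which is why the true destination becomes
    hard to pin down once several hops and many accounts are involved."""
    edges = defaultdict(set)
    for t in transfers:
        edges[t.src].add(t.dst)
    seen, frontier = set(), {start}
    for _ in range(max_hops):
        frontier = {d for s in frontier for d in edges[s]} - seen - {start}
        if not frontier:
            break
        seen |= frontier
    return seen
```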
Phishing is prominent today because of the low costs of performing it, the slim chances of detection, and the reasonable number of consumers that fall for the scams. However, it is commonly held that phishing will become an increasing problem if attacks become more convincing — by using information specific to the intended victims. One way would be to use supposedly private information in the emails — such as mother’s maiden names. In a recent study, it was shown that mother’s maiden names can be inferred from public databases with a very high success rate (http://www.informatics.indiana.edu/markus/papers/mmn.pdf). Another approach is to infer personal relations and use these to target individuals — perhaps to download programs that appear to be innocuous screen savers, but which in reality log keystrokes. (A related experiment is described at http://www.indiana.edu/~phishing/social-network-experiment.) As yet another example of this type of “context aware” attack, phishers would rarely be successful if sending consumers email notices appearing to come from banking institutions that the victims in question are not doing business with. The success rate would balloon if phishers could target victims better. As we show here, this is not difficult at all. All in all, context aware phishing (a term first coined in http://www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf) poses a serious threat.
It is important to understand these threats in order to better protect ourselves against them. While it is unlikely that there is any one protection technique (apart from unplugging one’s computer!), there may be a collection of these that, in coordination with each other, build better protection. Such techniques may involve less reliance on “semi-secret” information; better technical constructions for alerting users of threats; stronger privacy laws; and a more unified defense by technology providers, corporations in general, and government agencies.
In a series of studies performed at Indiana University, we are investigating next-generation phishing threats, and developing countermeasures where applicable. If you are interested in learning more about either of these efforts, please contact us at phishing@indiana.edu. Please remember to specify what your background is, and how we best can help you.
Markus Jakobsson
Associate Professor of Informatics at IUB
Associate Director of CACR
August 25th, 2005 at 4:44 am
Great perspective on both dangers and mechanisms of phishing. Context-aware attacks are still in the early days, and it’s an exciting area to think about. You’re blazing some valuable trails IMHO.
As mentioned on the main browser recon page, getting history information via CSS (or other mechanisms) can make phishing attacks much more context-aware. I envision this being used in a phishing attack purporting to come from an independent agency such as the FDIC, requesting cooperation in an investigation or offering anti-fraud protection. When the user goes to the phishing site, it displays the banks with which the user has accounts (using the browser’s history) and requires the user to “confirm” his/her name and account information. A user could reasonably feel that this was a legitimate mutual authentication process, since the “FDIC” had apparently proven it had the user’s personal information, when in fact it was simply gleaned from the user’s history.
It also provides a vector for compromising high-security sites by getting into low-security ones. Users often use the same authentication credentials for low-security and high-security sites. This technique could tell a phisher both which low-security site to target (which users may not protect as jealously), and which high-security sites to try out the obtained credentials on.
There are also potential applications to HTML email, which have the potential to be powerful and insidious…
Great stuff, and lots of food for thought!
Aaron Emigh
Radix Labs
August 25th, 2005 at 11:04 am
I can’t help but think that “legitimate” websites will consider this a goldmine of information as well. Certainly online retailers have an interest in knowing your browsing history. This could be used to target advertisements from popular websites.
I wonder what other basic marketing principles (context is something marketers spend a lot of money to discover) could enhance the effectiveness of a phishing attack.
Alex Tsow
Indiana University
August 25th, 2005 at 6:50 pm
Context-aware phishing is a disturbing concept — and seems an important vulnerability to address. Knowledge of browsing history can be turned to account in more powerful ways than mere targeting based on banking relationships. Consumers are already accustomed to receiving phishing e-mail purporting to come from banks, and may be oblivious to basic contextual targeting. As a next step, phishers might build multi-faceted profiles of their targets. For example, if a victim is known to bank with “Ironclad Bank” and to have visited “Philodenrons R’ Us,” she might be targeted with e-mail concerning her “Failed $20 wire transfer to Philodenrons R’ Us at Ironclad bank.” Specificity enhances trust. I think such e-mail would pique curiosity, if it didn’t entirely gull the recipient!
Given the underground market for exploit software and credit-card numbers, one can imagine an underground market developing for profiles on personal tastes. Targeted spam would be one possible application, blackmail another, for people who have visited unsavory sites. Chilling thoughts.
I hope to see a campaign to plug the browser features that make such attacks possible!
Ari Juels
RSA Laboratories
September 12th, 2005 at 10:02 am
I find your site to be very interesting! I got your link from the HT article from Sunday’s biz section (11 September 05). I’m grateful that you’re out here doing what you do. I hope people will listen… and that someday all these hackers and phishers and virus-authors will .. get lives.
Always me, Janee
myJanee.com Photoshop Resources