Phishing and other related scams are becoming more common every day, and the as more and more criminals are trying to make a killing, the degree of sophistication is slowly but surely increasing. Only a year or two ago, it was fairly straightforward to spot phishing attempts: the spoofed email messages people would receive were often marked by poor grammar, and often, corporate logos were missing. There was almost never any attempt to circumvent spam filters -- it was simply not needed -- and the URLs to which victims were taken were commonly IP addresses, and therefore easily detected as associated by phishing by reasonably security savvy consumers. Today, the situation is very different. An increasing portion of phishing emails are professionally crafted, well designed, and psychologically convincing. They often use cleverly selected cousin-name domains or subdomain tricks to deceive recipients. Malware, such as keyboard loggers and screen scrapers are commonly used -- independently of phishing emails -- to capture user names and passwords. It is rumored in the financial industry that many phishing emails have a higher click-through rate than legitimate advertising campaigns carried out by the respective banks.
The trends also point to an increasing portion of malware attacks that are mounted for financial benefit, whether to capture credentials, to extort providers, or to distribute spam to other users. A related trend in Internet crime is that of click-fraud, which is often also relying on malware, and which quite possibly may be performed using the same set of criminals as are behind phishing. Another and often related form of attack is one that is referred to by the term pharming or DNS poisoning. In such an attack (exemplified by the work of Tsow on router pharming), a victim computer is given an incorrect translation of domain names to IP addresses, causing the victim to be connected to the wrong site. For example, a pharmer who has succeeded in modifying the lookup table for "Citibank.com" will cause an incorrect connection to be made for users who type that URL in their browser, searches for CitiBank using any search engine, and even follows CitiBank's own links. Their browser will say "www.citibank.com", and (assuming the attacker correctly copied all the content from the real site) will also look correct in all other ways. The only problem is that this is not Citibank, but perhaps somebody in Bulgaria, and as the victim enters his user name and credentials, the attacker captures them. The attacker may even start a simultaneous session with the real service provider, automatically forwarding the captured credentials, and thereby providing the victim with a perfectly convincing session. When the victim logs out, the attacker may perform a few transactions, and then forward the logout request. While properly performed SSL connections will cause the connection to be flagged to the victim as it is being made -- he will get a notice stating that it is a new certificate -- it has been showed that many are quite willing to disregard such warnings. Moreover, it has also been shown that many users are not aware of whether an SSL connection is made or not, and those who look for the lock to make sure that the connection is secure are often fooled by an image of a lock in the content portion of a page or as the favicon. It is well known that attacks that are based on an attacker inserting himself between the client and the server (so-called man-in-the-middle attacks), can foil not only standard password authentication techniques, but also all known uses of authentication tokens.
While synthetic identity fraud has a greater financial impact on banks than phishing does, it does not affect consumers and commerce in such a direct manner. Namely, phishing directly affects online merchants who rely on people trusting Internet transactions, and individuals, who have to fear financial exploitation on an almost daily basis. Given the large indirect costs associated with lack of trust, it is not clear what type of fraud actually carries the greatest cost to society.The IU phishing group is studying threats and countermeasures associated with phishing and related financial fraud. We are -- often silently -- developing what we believe will be the next wave of phishing attacks in order to then devise appropriate countermeasures to these This, in turn, allows such countermeasures to be analyzed and deployed before the attacks they defend against become independently developed by criminal minds, and used. Sometimes, we are more successful in developing a threatening attack than we are at building a countermeasure. In these cases, we always notify the affected service providers, and appropriate trade organizations well in advance of discussing the problem publicly. This allows other researchers to protect their organizations and clients before the threat materializes from another -- and criminal -- direction. We believe that it is important to eventually notify both affected service providers and media. It is important that consumers know what the threats are, but not necessarily so that they can be made responsible in protecting themselves, but sometimes rather so that they can influence service providers and legislators to take action on their behalf. There are many situations in which the best countermeasures are not a matter of consumer education, but instead, of good design of -- and deployment of -- server-side measures to detect and prevent attacks.
Moreover, we are trying to understand exactly what makes phishing work from a social and psychological point of view. This is important given that phishing is not a technical problem, but a socio-technical problem. Some attacks (such as many malware attacks) depend on technical vulnerabilities alone, and some on deceit alone (most notably 419 scams), but most phishing attacks rely on a combination of technical vulnerabilities and deceit. The arch-typical phishing scam is an example of this: phishers use technical loopholes to spoof messages, and craft deceptive messages to attempt to convince the recipients to volunteer personal information, such as passwords.
We are performing ethical experiments to assess the risks of various forms of attacks, in order to understand exactly what makes these successful. While many other institutions are trying to reach the same goals by either surveys of losses or by so-called phishing IQ tests, we do not believe that these necessarily reflect the facts. Namely, surveys are only meaningful if the participants know that they have been victims of phishing attacks, and in addition, are willing to admit this. That causes surveys to potentially result in low estimates of the threat level. On the other hand, surveys may at the same time introduce errors that make them overestimate the threat. For example, some survey participants may respond that they were victims of phishing simply based on an erroneous or fraudulent credit card charge. However, there are so many other ways in which this could have occurred, not at all involving phishing. Similarly, phishing IQ tests may end up not providing accurate estimates of the threat since the participants know that they are witnessing potential phishing attempts, and therefore, may act differently than they do in a "normal-life" situation. Ethical phishing experiments, on the other hand, allow us to measure the real threat level, both for attacks that do exist in the wild, and for attacks that do not. An example of one such experiment is described in the recent publication by Jakobsson and Ratkiewicz. Therein, it is shown that a given phishing attack on eBay had an approximate 11% yield per attack. This should be seen in comparison to the recent Gartner estimate stating that 5% of adult Americans fall victim to phishing attacks per year. The same study indicated that cousin-name and sub-domain attacks are substantially more successful than attacks in which plain IP addresses are used. It also showed that the use of a personalized greeting (or absence of the same) had a very limited security impact, which suggests that this is not a good security measure.
The IU phishing group is also working on understanding what types of user interfaces are the least prone to be vulnerable to phishing attacks. We design such interfaces, and assess their impact using various means, some of which involve experiments. This line of work is therefore another example of how attacks and countermeasures often are developed hand in hand: once we can understand and quantify what makes phishing attacks work, we can develop techniques that raise the bar for the phisher. It is important to recognize that this is what most countermeasures amount to: raising the cost or difficulty of attacks, or lowering their yield. We do not believe there is any one silver bullet against phishing, given the complexity of the problem. We -- and many others -- believe that this, instead, is a problem with a myriad countermeasures, each one of which has to be developed, tested and refined.
An Overview of Our Efforts
Spear phishing -- We study ways in which spear phishing can be performed, in order to understand this potent threat. In one of the first publications about phishing ever, we described what we called context aware phishing, which was later given the snappier term "spear phishing". In this paper, a theoretical model of spear phishing was described, along with a few examples of how it can be performed, backed by experimental data supporting its likely yield. Later, we studied how phishers can data-mine public records to infer mother's maiden names, and how they can data-mine social networks and use the extracted information to target victims. Using an ethical experiment, whose design is described from two different angles in the paper by Jagatic et al. and paper by Finn and Jakobsson, we determined that the accounts of over 70% of the targeted social network users would have been compromised, had this been a real phishing attack. Such compromise would immediately have allowed the attacker access to personal files and email on the affected machine. Moreover, access to email on one machine can allow an attacker to gain access to other accounts, since many service providers allow password reset to users with access to the registered email account. In instances where users can install new software, an attacker gaining access to an account can also install any malware, such as keyloggers, screen scrapers, and other spyware.
Browser recon attacks -- One can use a simple technique to examine the web browser history of an unsuspecting web site visitor using Cascading Style Sheets. This technique is particularly worrisome in the problem domain of phishing. Phishers typically send massive amounts of bulk email hoping their lure will be successful. Given greater context, such lures can be more effectively tailored---perhaps even in a context aware phishing attack. An even scarier attack is called a Chameleon attack; such an attack can appear as a web page that appears to be a different web site depending on the browsing history of a visitor. For example, a visitor who has recently used Key Bank's web site may see the chameleon site as Key Bank, whereas another visitor may see it as a different bank. Chameleon emails can also be constructed that will appear to originate from different sources depending on a recipient's browsing history. The Form Auto-fill function of browsers can also be exploited to extract context from a visitor's browser; this can be seen in the Riddle project. Our group has developed a solution that service providers, such as online financial institutions, can install to protect against browser-recon and related attacks that "sniff" a visitor's browser.
Malware -- There is a clear trend towards increased reliance of malware among financial criminals. We have studied this problem from a variety of angles to show that the problem is more complex than what most people may realize, and that malware countermeasures must be expanded and improved. In a first study, we demonstrated how easily malware can be socially propagated, and that it is possible to design malware that affects any machine, independently of platform. In a series of associated studies (by Tsow and Tsow et al), we demonstrate how malware can be designed to target not laptop computers or desktop computers, but wireless routers. This is a platform that is not even scanned by current anti-virus software -- if a router gets attacked by malware, it is more or less irrevocably corrupted. A malware attack on a router may be used for purposes of pharming, or to block updates to anti-virus software to any connected computer, in turn causing these computers to become vulnerable. We are also studying technical vulnerabilities associated with malware propagation, and methods toinoculate computers against yet-unseen malware strains.
Net Trust. The range of extant security technologies can solve the problems of impersonation in a technical sense; however these have failed in the larger economic sense. Computers excel at communication of data; calculation of complex functions; and fine distinctions in data. Computers cannot judge context. Computers can easily calculate, differentiate and evaluate specific data structure. In contrast, humans make decisions by lumping, simplification, and evaluation of context. People are asked to function as if they were computers in the design of many security systems. Therefore, we are developing a socio-technical solution which uses social networks to re-embed social information on-line that is imbued by geography and physical design off-line. Net Trust is the solution - trust technologies grounded in human behavior. Specifically, Net Trust uses social networks to improve resource allocation decisions and thereby empower users to self-protect. Our research includes the economic, and social theory, the modeling of information networks and social trust, and the human subjects testing that underlie the proposed signaling mechanism: Net Trust. Net Trust is the technical embodiment of an economic idea.
Economics of Security. Attacks on Internet users and businesses in the last decade have changed qualitatively. While earlier attacks resulted from research errors or adolescents seeking fame, now attacks are more often driven by the pursuit of profit, e.g., phishing, malware from web sites, and masquerade attacks. Economics of informations security has the potential to inform security design by providing a more profound understanding of the problems of security.
Countermeasures -- Hand in hand with the development of attacks we study, we also develop countermeasures to protect users and service providers. In response to the increased threat from pharming, we have developed active cookies and cache cookies, both of which offer partial protection against pharming attacks, whether mounted on traditional computers or hand-held computers, such as smart phones. Both of these approaches are server-side, and so, minimize the reliance on the client and his machine -- this gives a secondary protection against malware, both by limiting its impact and by avoiding to condition consumers to install things on their machines. Another server-side countermeasure we have developed protects the browser histories of users of the system -- these are, as shown by our demo otherwise vulnerable to snooping attackers. Other important defense mechanisms we are developing allow proactive anti-virus protection that protect machines against yet-unseen threats. This therefore offers an improvement on the common signature-based malware detection approach.
A closer look at some representative projects
We will now describe some aspects of the above-described efforts in a bit more detail, to give a flavor of what is involved in our research. For more details, we refer to our detailed list of projects and papers.
Spear phishing is to phishing what targeted advertising is to advertising. Namely, in spear phishing, the attacker infers or manipulates the context of his intended victim, and then "personalizes" his attack.
This can be as simple as determining whom the victim is banking with and then sending a spoofed email appearing to come from that bank. This may demand that the user logs in to a web site whose address is provided in the email. Somewhat more eceptively, the attacker may first send a large number of spoofed emails appearing to come from the bank in question, each one simply containing information, such as "Notification of transaction: $96.05 charged by debit card." and "Notification of transaction: $450 wire transfer completed." As the last of this sequence of emails, the attacker would send a notice stating that it appears there has been illegitimate activity on the recipient's account, and his attention is needed -- at this point a URL to log in is provided. If the attacker uses a cousin-name attack, this URL may be something like "www.citibank-alert-notification.com", which even though it is different from the normal URL used by the victim will seem very relevant, and therefore convincing.
Spear phishing can also be based on figuring out what auctions the intended victim is currently bidding on, and determination of the email address of the bidder, after which the attacker may send spoofed emails appearing to come from the auction company. This email may state that the recipient won, and now needs to pay. As the victim logs in to initiate the payment, he is really disclosing his password (or other log-in credentials) to the attacker. A variant of this attack was studied by Jakobsson and Ratkiewicz.
Based on insights gained from experiments, we have developed an educational effort, securitycartoon.com, aimed at teaching typical Internet users about online security. The methodology is explained in our recent paper.