90 likes | 308 Vues
Distributed Phishing Attacks. Markus Jakobsson Joint work with Adam Young, LECG. A typical phishing attack. A distributed phishing attack. How can this be done? . 1. Adversary needs to control many hosts. Malware Symbiotic host program Firewall weaknesses (an arbitrary victim is fine)
E N D
Distributed Phishing Attacks Markus Jakobsson Joint work with Adam Young, LECG
How can this be done? 1. Adversary needs to control many hosts. • Malware • Symbiotic host program • Firewall weaknesses (an arbitrary victim is fine) 2. Hosts must be uncorrelated. 3. Hosts need to report to adversary. • Without giving away location of adversary • Without giving away compromised credentials
Attack structure • Adversary randomly plants host pages. • Spam victims, using spoofing, referring to host pages. • Each host page waits to receive credentials, then posts to bulletin board(s). • Adversary retrieves credentials from bulletin board(s).
Attack details Posted credentials are hidden using steganographic methods. (Not easy to detect what constitutes a posting from a host.) Posted credentials are public-key encrypted to hide credentials from anybody but the attacker. Alternatively, harvested credentials can be sent to an email account associated with the attack instance (attacker creates lots of accounts + uses POP from anonymous location.)
Failed protection mechanisms • Given information about a few hosts, one cannot infer the location/identity of other hosts. (Makes honeypots and collaborative detection meaningless.) • Given knowledge of what bulletin boards are used, one cannot shut them down, or this is a DoS on the infrastructure … besides, the hosts can post to several BBs.
Promising protection mechanism • Gather network statistics. (Already done, just augment what is collected; can scan for common phrases and structures.) • Detect a few instances of a DPA. • Cluster instances with suspect profile. • Automatically demand all hosts in cluster to be blocked (Authenticated requests) or DoS them. • Automatically warn victims of emails in cluster. (Provides second line of defense.)
Some details of defense • Use OCR to detect similarities in appearance between images. • Use anti-plagiarism techniques to detect similarities between texts. (See, e.g., SPLAT) • Also detect similarities between pages pointed to (only for likely candidates.) • Cluster with known offenders and with likely offenders. (Based on content and communication patterns.) Paper? Please email markus@indiana.edu