Distributed Phishing Attacks Markus Jakobsson Joint work with Adam Young, LECG

A typical phishing attack
A distributed phishing attack
How can this be done?
1. Adversary needs to control many hosts.
   • Malware
   • Symbiotic host program
   • Firewall weaknesses (an arbitrary victim is fine)
2. Hosts must be uncorrelated.
3. Hosts need to report to adversary.
   • Without giving away location of adversary
   • Without giving away compromised credentials
Attack structure
1. Adversary randomly plants host pages.
2. Spam victims, using spoofing, referring to host pages.
3. Each host page waits to receive credentials, then posts to bulletin board(s).
4. Adversary retrieves credentials from bulletin board(s).
Attack details
Posted credentials are hidden using steganographic methods. (Not easy to detect what constitutes a posting from a host.)
Posted credentials are public-key encrypted to hide credentials from anybody but the attacker.
Alternatively, harvested credentials can be sent to an email account associated with the attack instance (attacker creates lots of accounts + uses POP from anonymous location.)
Failed protection mechanisms
• Given information about a few hosts, one cannot infer the location/identity of other hosts. (Makes honeypots and collaborative detection meaningless.)
• Given knowledge of what bulletin boards are used, one cannot shut them down, or this is a DoS on the infrastructure … besides, the hosts can post to several BBs.
Promising protection mechanism
1. Gather network statistics. (Already done; just augment what is collected; can scan for common phrases and structures.)
2. Detect a few instances of a DPA.
3. Cluster instances with a suspect profile.
4. Automatically demand that all hosts in the cluster be blocked (authenticated requests), or DoS them.
5. Automatically warn victims of emails in the cluster. (Provides a second line of defense.)
Some details of defense
• Use OCR to detect similarities in appearance between images.
• Use anti-plagiarism techniques to detect similarities between texts. (See, e.g., SPLAT)
• Also detect similarities between pages pointed to (only for likely candidates.)
• Cluster with known offenders and with likely offenders. (Based on content and communication patterns.)
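The defense sketched in the two preceding slides (detect a few instances, cluster by similarity, then act on the whole cluster) can be illustrated with a small text-similarity clusterer. The following is an added example, not code from the talk or from SPLAT: it uses word 3-gram shingles and Jaccard similarity as a stand-in for the anti-plagiarism technique the slide mentions, unions messages above a similarity threshold into clusters, and flags every cluster that contains a host already known to be an offender, so the block request and the victim warning cover hosts that were never individually detected. The message bodies, host names and the known-offender set are constructed sample values; the threshold of 0.3 is an assumption.

```python
import re
from itertools import combinations

# Constructed sample messages: id -> (host the link points to, body text).
# These are illustrative values, not data from the talk.
MESSAGES = {
    "m1": ("host-a.example", "Dear customer, your account has been suspended. "
           "Verify your details at our secure login page within 24 hours."),
    "m2": ("host-b.example", "Dear customer, your account has been suspended! "
           "Verify your details at our secure login page within 24 hrs."),
    "m3": ("host-c.example", "Dear valued customer, your account has been suspended. "
           "Please verify your details at our secure login page within 24 hours."),
    "m4": ("host-d.example", "Weekly engineering newsletter: this week we cover kernel "
           "scheduling, release notes, and an upcoming meetup."),
    "m5": ("host-e.example", "Reminder: the team meeting moved to Thursday. Agenda "
           "attached; bring questions about the release plan."),
}

# Step 2 of the slides: a few instances already detected (hypothetical host).
KNOWN_OFFENDERS = {"host-a.example"}


def shingles(text, k=3):
    """Word k-grams of the lower-cased, punctuation-stripped text."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(messages, threshold=0.3, k=3):
    """Group messages whose shingle similarity reaches the threshold (transitively,
    via union-find). Returns sorted lists of message ids."""
    sh = {m: shingles(body, k) for m, (_, body) in messages.items()}
    parent = {m: m for m in messages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(messages, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for m in messages:
        groups.setdefault(find(m), []).append(m)
    return sorted(sorted(g) for g in groups.values())


def triage(messages, known_offenders, threshold=0.3):
    """Steps 3-5 of the slides: cluster, then flag every cluster containing a
    known offender. Each record lists the hosts to request blocking for and the
    message ids whose recipients should be warned."""
    report = []
    for group in cluster(messages, threshold):
        hosts = {messages[m][0] for m in group}
        report.append({
            "messages": group,
            "hosts": sorted(hosts),
            "flagged": bool(hosts & known_offenders),
        })
    return report


if __name__ == "__main__":
    for rec in triage(MESSAGES, KNOWN_OFFENDERS):
        action = "block hosts + warn recipients" if rec["flagged"] else "no action"
        print(rec["messages"], rec["hosts"], "->", action)
```

On the sample data the three lure variants land in one cluster (pairwise Jaccard between 0.5 and 0.9 despite the wording changes), the two benign messages stay singletons, and only the cluster containing host-a.example is flagged, which is the point of the slide: one confirmed instance is enough to act against hosts b and c as well. Real deployments would replace exact shingle sets with minhash signatures to scale past a few thousand messages, and would add the image (OCR) and landing-page similarity signals the slide lists as further clustering features.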
Paper? Please email [email protected]