Lorrie Faith Krenor

Don't get caught, fish! Problems and methods of combating phishing

Lorrie Faith Cranor is an associate professor of computer science and technology and public policy at Carnegie Mellon University and leads the Privacy and Security Practice Lab, where she directs anti-phishing research. She also recently co-founded Wombat Security Technologies, which aims to bring products developed by her group to market. Krenor has published four books and many scientific articles about the protection of information in networks, phishing, spam, electronic voting and other subjects related to information security. She hopes that over time people will stop perceiving the expression " practical safety"like an oxymoron.

Basic provisions

Phishing is a type of online crime that involves defrauding people of confidential or classified information. It already costs victims billions of dollars a year, and its threat is growing. Since phishing is based on human weaknesses, studying the factors that determine people's propensity to take the bait will help educate users and improve anti-fraud technologies. To combat phishing, we need to join forces law enforcement, information security specialists and ordinary users.

Behind last week I received a ton of emails: warnings from several banks about blocking my credit cards, a reminder from eBay to change my password, a notification from Apple about unpaid bills for downloaded music, an airline offering to make a quick $50 by filling out a survey, and a request from the Red Cross to donate money to a fund to help those affected by the earthquake in China. On the face of it, this correspondence did not arouse any suspicion. However, all the letters, except for the message from eBay, were fakes, known as "phish" (a distorted version of the English word fish - "fish").

Fraudsters masterfully compose messages on behalf of respected organizations and usually call for urgent actions to avoid unwanted events or to earn something. The goal is to induce a person to go to a certain website or call a certain number and give out their personal information to scammers. Sometimes all you have to do is click on a link or open a file attached to an email for your computer to become infected with malware that allows a phisher to extract necessary information or control the victim's computer to carry out further attacks. Each phishing attack has its own characteristics, but the result is usually the same: thousands of careless victims provide criminals with information that is then used to steal money from bank accounts or obtain sensitive information.

An international consortium of online fraud organizations monitors phishing activity. In 2007 total number Phishing sites detected each month reached 55,643. About two hundred company names or logos were used each month to deceive victims into believing they were dealing with reputable organizations. According to the consulting company Gartner, in 2007, 3.6 million Americans were caught in the fittings, whose total losses exceeded $3.2 billion.

The stakes are high, and experts information security They are developing increasingly sophisticated filters for email clients and web browsers that can detect and register phishing attempts. Although such programs help stop many attacks, phishers are constantly changing tactics, trying to stay one step ahead of security technologies. Phishing is based on exploiting human weaknesses, and for the attack to be successful, the victim must succumb to temptation and take action. certain actions, so the problem is not just technology. So my group at Carnegie Mellon University is looking for the best ways training people to recognize and protect themselves from phishing attempts. We also educate people on how anti-phishing programs work so that users can use them correctly. Since the human factor is key to the success of phishing attacks, we have come to the conclusion that it can also become an important weapon in the fight against phishing.

Comprehensive protection
Many browsers already have built-in security filters and can work in conjunction with other programs to identify suspicious sites. But even though anti-phishing software will detect phishing sites, it will be of little use if users ignore its warnings. To understand why users don't pay attention to warnings, my graduate student Serge Egelman sent phishing emails to volunteers participating in our research. If recipients were fooled and clicked on the link, a warning message appeared on their screen. Egelman discovered that browser users Mozilla Firefox 2 heeded these warnings, but those using the Microsoft Internet Explorer 7 (I-E7) browser often ignored them. As we found out, so a big difference in the reactions of the two groups of participants was due to the fact that IE7 browser users either did not notice the warnings or confused them with warnings about less serious dangers.

ELEMENTS and SIGNS OF POSSIBLE PHISHING

Evolving threat
In the information security community, we are not alone in constantly striving to improve technology. As security improves, phishers change their tactics accordingly. Phishing emails are now sent via ICQ and SMS. Phishers use online games like World of Warcraft and online communities like MySpace and Facebook to lure potential victims. Phishing attacks also use the creation of Wi-Fi access points in in public places and imitation of registration pages of real providers. The goal of these attacks is to determine the victims' passwords and infect their computers with malware.

ADDITIONAL LITERATURE

One of the types computer fraud got such an interesting name as Phishing. In English it means fishing, fishing. Only the criminals are hooked not on fish, but on the user’s confidential data. All this is done through cunning and deceptive actions.

For example, you receive an email with some tempting offer. Then, following the link, you are asked to enter your login and password, for example from your email. Often, attackers use brands of popular services (Mail, Google, any social networks) in such letters, changing only one letter in the address. Letters may contain text such as your account is blocked and you need to recheck authorization. On a fake site, you enter your data and thereby scammers gain access to your email account. And we often store passwords from other services in our mail.

Currently, the main goal of phishers is to obtain data from clients of banks and electronic payment systems. Carrying out certain rules, you can confidently protect your data from online theft.

Methods to combat phishing attacks

• Do not click on dubious links or enter your data there. Check the sender's address
• use an antivirus program that can block navigation to phishing sites
• Use browsers that warn you about phishing threats. These include GoogleChrome, MozillaFirefox, Opera, Yandex.Browser
• check yours constantly bank accounts for unnecessary operations
• do not use the same password for different services
• regularly update computer security software

Alexey Komarov

The threats that emerged with the advent of phishing required the implementation of adequate protection measures. Within the framework of this article, both already widespread methods of countering phishing and new ones will be considered. effective methods. This division is very arbitrary: we will classify as traditional methods well-known (including to the attackers themselves) methods of countering phishing and analyze their effectiveness in the first part of this article. According to the APWG report, 47,324 phishing sites were identified during the first half of 2008. The same report also shows the average losses of users and companies as a result of a phishing site - they amount to at least $300 per hour. Simple multiplications allow us to conclude that this type of black business is highly profitable.

Modern phishing

The word "phishing" is derived from English words password – password and ёshing – fishing, fishing. The purpose of this type of Internet fraud is to deceive the user into a fake site in order to subsequently steal his personal information or, for example, infect the computer of the user redirected to the fake site with a Trojan. An infected computer can be actively used in botnet networks to send spam, organize DDOS attacks, and also to collect user data and send it to an attacker. The range of applications of information “extracted” from the user is quite wide.

Phishing mechanisms

The main vector of a phishing attack is aimed at the weakest link of any modern security system - the person. The bank client does not always know exactly which address is correct: mybank.account. com or account.mybank. com? Attackers can also exploit the fact that in some fonts, lowercase i and uppercase L look the same (I = l). Such methods allow you to deceive a person using a link similar to a real one. email, and even hovering the mouse over such a link (in order to see the real address) does not help. Attackers also have other means in their arsenal: from banal substitution of a real address in the local IP address database with a fake one (in Windows XP, for example, for this it is enough to edit hosts file) before farming. Another type of fraud is replacing a Web page locally, “on the fly.” A special Trojan that has infected a user’s computer can add additional fields to the site displayed by the browser that are not on the original page. For example, a credit card number. Of course, to successfully carry out such an attack you need to know the bank or payment system, which the victim uses. That is why thematic databases email addresses They are very popular and are a liquid commodity on the black market. Phishers who do not want to incur additional costs simply direct their attacks to the most popular services - auctions, payment systems, large banks - in the hope that the random recipient of the spam email will have account. Unfortunately, the hopes of attackers are often justified.

Traditional methods of countering phishing attacks

Unique website design The essence of this method is this: a client, for example, of a bank, when concluding an agreement, selects one of the proposed images. In the future, when entering the bank’s website, this image will be shown to him. If the user does not see it or sees something else, he must leave the fake site and immediately report it to the security service. It is assumed that attackers who were not present when the contract was signed will a priori not be able to guess the correct image and deceive the client. However, in practice this method does not stand up to criticism. Firstly, in order to show the user his picture, he must first be identified, for example, by the login that he entered on the first page of the bank’s website. It is not difficult for an attacker to prepare a fake website to find out this information, and for the user to emulate a communication error. Now all you have to do is go to the real server, enter the stolen login and peek at the correct image.

Another option is to give the client a fake warning about the expiration of their image and ask them to choose a new one...

One-time passwords

Classic passwords are reusable: the user enters the same password every time they go through the authentication procedure, sometimes without changing it for years. Once intercepted by an attacker, this password can be used repeatedly without the owner's knowledge.

Unlike the classic one, a one-time password is used only once, that is, with each request for access, the user enters a new password. For this purpose, in particular, special plastic cards with a protective layer are used. Each time the bank client erases another strip and enters the required one-time password. Total per card standard size holds about 100 passwords, which, with intensive use of telebanking services, requires regular replacement of the media. More convenient, but also expensive, are special devices - one-time password generators. Basically, two types of generation are distinguished: by time, when the current one-time password is displayed on the screen and changes periodically (for example, once every two minutes); by event, when a new value is generated each time the user presses a device button.

While more secure than classic password authentication, this method nevertheless leaves the attacker certain chances of success. For example, authentication using one-time passwords is not secure against man-in-the-middle attacks. Its essence is to “intervene” in the information exchange between the user and the server, when the attacker “introduces himself” to the user as the server, and vice versa. All information from the user is transferred to the server, including the one-time password he entered, but on behalf of the attacker. The server, having received the correct password, allows access to sensitive information. Without arousing suspicion, an attacker can allow the user to work, for example, with his account, sending him all the information from the server and back, but when the user ends his work session, do not break the connection with the server, but carry out the necessary transactions supposedly on behalf of the user.

To avoid wasting time waiting for a user session to end, an attacker can simply fake a communication error and prevent a legitimate user from accessing their account. Depending on the generation method used, the intercepted one-time password will be valid either for a short time or only for the first communication session, but in any case, this gives the attacker the opportunity to successfully steal the user's data or money.

In practice, authentication using one-time passwords itself is rarely used; to increase security, establishing a secure connection before authentication is used, for example, using the SSL protocol.

One-way authentication

Using the SSL (Secure Sockets Layer) secure connection protocol ensures secure data exchange between the Web server and users. Despite the fact that the protocol allows you to authenticate not only the server, but also the user, in practice only one-way authentication is most often used. To establish an SSL connection, the server must have a digital certificate used for authentication. A certificate is usually issued and certified by a trusted third party, which is a certification authority (CA) or certification authority (in Western terminology). The role of the CA is to confirm the authenticity of Web sites of various companies, allowing users, by “trusting” one single certification authority, to automatically be able to verify the authenticity of those sites whose owners accessed the same CA.

The list of trusted certification authorities is usually stored in the operating system registry or browser settings. It is these lists that are attacked by an attacker. Indeed, by issuing a certificate from a fake certification authority to a phishing site and adding this CA to the trusted ones, you can successfully carry out an attack without arousing any suspicion from the user.

Of course, this method will require more actions from the phisher and, accordingly, costs, but users, unfortunately, often help steal their data themselves, not wanting to understand the intricacies and features of use digital certificates. Due to habit or incompetence, we often click the “Yes” button without paying much attention to the browser messages about the lack of trust in the organization that issued the certificate.

By the way, some SSL traffic control tools use a very similar method. The point is that in Lately Cases have become more frequent when sites infected with Trojan programs and the Trojans themselves use the SSL protocol in order to bypass gateway traffic filtering systems - after all, neither the anti-virus engine nor the data leakage protection system is able to check encrypted information. Wedging in the exchange between the Web server and the user's computer allows such solutions to replace the Web server's certificate with one issued, for example, by a corporate CA and, without visible changes in the user's experience, scan the user's traffic when using the SSL protocol.

URL filtering

IN corporate environment site filtering is used to limit misuse Internet employees and as protection against phishing attacks. In many antivirus protection products this method combating fake sites is generally the only thing.