phishing presentation - ucy · 2020. 3. 30.
TRANSCRIPT
Phishing
By: Joanna Georgiou
Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works.
Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack.
What is Phishing?
Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22).
Why Phishing Works.
Contributions
- Provided the first empirical evidence about which malicious strategies are successful at deceiving users.
- Studied a large set of captured phishing attacks.
- Usability study in which 22 participants were shown 20 websites.
Phishing
- Successful phishers present a high-credibility web page that causes the user to fail to recognize the security measures installed in web browsers.
- Phishers exploit lack of knowledge:
  - Lack of computer system knowledge (e.g. some users do not understand the meaning of the syntax of domain names and cannot distinguish legitimate from fake URLs).
  - Lack of knowledge of security and security indicators.
Lack of knowledge of security and security indicators
- Users do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL.
- Even if they understand it, they can be fooled by its placement within the body of a web page.
- Users do not understand SSL certificates.
Visual Deception
- Visually deceptive text: the syntax of a domain name (typejacking attacks), e.g. www.paypa1.com instead of www.paypal.com, or using non-printing / non-ASCII characters.
- Images masking underlying text: an image of a legitimate hyperlink is used to serve as a hyperlink to a rogue site.
- Images mimicking windows: images in the content of a web page mimic browser windows / dialog windows.
- Windows masking underlying windows: an illegitimate browser window is placed on top of / next to a legitimate window. If they have the same look and feel, the user may mistakenly believe that they are from the same source, or may not even notice that a second window exists.
Bounded Attention
- Lack of attention to the absence of security indicators.
- Lack of attention to security indicators.
- When users are too focused on their primary task.
Study: Distinguish Legitimate Websites
- Collected approximately 200 unique phishing websites (including all related links, images and web pages).
- Anticipated that the results would be better than they would be in real life.
- Created 3 phishing websites.
- Every participant saw every website, but in randomized order.
Study
- Study scenario: participants were given instructions and a randomized list of hyperlinks to websites labeled “Website 1”, “Website 2”.
- Participants had no expectations about each website.
- Each website that we presented was fully functioning.
Presented participants with 20 websites; the first 19 were in random order:
- 7 legitimate websites
- 9 representative phishing websites
- 3 phishing websites constructed by the authors using additional phishing techniques
- 1 website requiring users to accept a self-signed SSL certificate (this website was presented last to segue into an interview about SSL and certificates).
- Self-signed SSL certificate: users are exposed to the risk that a third party could intercept traffic to the website using the third party's own self-signed certificate.
Study: Participants
- Most participants regularly use more than one type of browser and operating system.
- Hours of computer usage per week ranged from 10 to 135 hours.
- 18 participants regularly use online banking.
- 20 participants said they regularly shop online.
Results
- Good phishing websites fooled 90% of participants.
- 23% did not look at browser-based cues (address bar, status bar, security indicators).
- On average, participants made incorrect choices 40% of the time.
- 15 out of 22 participants proceeded without hesitation when popup warnings about fraudulent certificates were shown.
- Neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.
Strategies for Determining Website Legitimacy
- Type 1: Security indicators in website content only
- Type 2: Content and domain name only
- Type 3: Content and address, plus HTTPS
- Type 4: All of the above, plus padlock icon
- Type 5: All of the above, plus certificates
Additional Strategies
- 2 participants stated that they would only question a website's legitimacy if more than the username and password was requested.
- 1 participant actually submitted her username and password to some websites in order to verify whether it was a site at which she had an account.
- 1 participant:
  - Opened another browser window and typed in all URLs by hand to compare these pages to every website presented in the study.
  - Occasionally used Yahoo to search for the organization in question, then clicked on the top search result and compared it to the website presented in the study.
Phishing Websites
- Hosted at “www.bankofthevvest.com”, with 2 “v”s instead of a “w” in the domain name.
- 20 participants incorrectly judged this to be the legitimate Bank of the West website.
- 17 participants mentioned the content of the page as one reason for their decision.
- 8 participants relied on links to other sites.
- 6 participants clicked on the Verisign logo (displaying an SSL-protected web page, hosted at Verisign, that shows the SSL certificate status of www.bankofthewest.com).
- 3 participants said the correctness of the URL was the primary factor in deciding.
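As an added example (not from the Dhamija et al. paper or the slides), the following Python detector flags hostnames that imitate a protected brand through the tricks listed under Visual Deception and in the bankofthevvest case above: digit/letter substitution, multi-letter look-alikes such as “vv” for “w”, non-printing characters and Cyrillic homoglyphs. The protected-domain list, the confusable tables and the sample inputs are constructed assumptions, and it generalizes the slide's two cases to any brand on the list.

```python
import unicodedata
from typing import Optional
from urllib.parse import urlsplit

# Domains the detector protects; a constructed list for this example, taken
# from the brands named on the slides.
PROTECTED_DOMAINS = ["paypal.com", "bankofthewest.com"]

# Cyrillic letters that render identically to Latin a e o p c x y.
# A small table chosen for this example; real deployments use a fuller one.
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy")

# ASCII sequences that look like another letter, longest first so that "vv"
# collapses to "w" before single characters are examined.
CONFUSABLES = [("vv", "w"), ("rn", "m"),
               ("1", "l"), ("0", "o"), ("5", "s"), ("|", "l")]

def skeleton(hostname: str) -> str:
    """Reduce a hostname to a form in which look-alike spellings collide."""
    host = hostname.strip().lower()
    # Drop format characters (zero-width joiners, soft hyphens, ...) that never
    # belong in a label: the 'non-printing characters' trick from the slide.
    host = "".join(ch for ch in host if unicodedata.category(ch) != "Cf")
    # Fold full-width and other compatibility forms onto plain ASCII.
    host = unicodedata.normalize("NFKC", host)
    host = host.translate(HOMOGLYPHS)
    for seq, rep in CONFUSABLES:
        host = host.replace(seq, rep)
    return host

def imitated_domain(hostname: str) -> Optional[str]:
    """Return the protected domain this hostname imitates, or None.

    A hostname imitates a protected domain when it is not that domain (or a
    subdomain of it) but its skeleton matches the domain's skeleton.
    """
    raw = hostname.strip().lower()
    sk = skeleton(hostname)
    for legit in PROTECTED_DOMAINS:
        if raw == legit or raw.endswith("." + legit):
            return None  # the genuine site, nothing to flag
        legit_sk = skeleton(legit)
        if sk == legit_sk or sk.endswith("." + legit_sk):
            return legit
    return None

def check_url(url: str) -> Optional[str]:
    """Apply imitated_domain() to the host part of a full URL."""
    return imitated_domain(urlsplit(url).hostname or "")
```

A browser extension or mail gateway would run check_url() on every link and surface the returned brand name as a warning, which is exactly the cue most participants in the study never looked for.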
Conclusions:
- Even when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate website from a spoofed website.
- Indicators that are designed to signal trustworthiness were not understood (or even noticed) by many participants.
- 5 out of 22 participants used only the content of the website to evaluate its authenticity.
- A number of participants incorrectly said a padlock icon is more important when it is displayed within the page than when it is presented by the browser.
- Other participants were more persuaded by animated graphics, pictures, and design touches such as favicons (icons in the URL bar) than by SSL indicators.
- Phishers can create a fully functioning site with images, links, logos and images of security indicators to persuade users that the spoofed website is legitimate.
- Legitimate organizations that follow security precautions are penalized: some participants judged them to be less trustworthy. They confused participants by hosting secure pages with third parties, where the domain name does not match the brand name.
- It is not sufficient for security indicators to appear only under trusted conditions; it is also important to alert users to the untrusted state.
- Security interface designers must consider that indicators placed outside of the user's periphery or focus of attention (e.g., using colors in the address bar to indicate suspicious and trusted sites) may be ignored entirely by some users.
Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017).
The Password Reset MitM Attack.
Contributions
- Introduce the PRMitM attack.
- Evaluate the PRMitM attack on Google and Facebook.
- Explore further and identify similar vulnerabilities in popular mobile applications.
- Design secure password reset processes using SMS and phone calls, and evaluate them on Google and Facebook users.
- List recommendations for the secure design of the password reset process.
Introduction
The Password Reset Man in the Middle Attack (PRMitM)
- It exploits the similarity of the registration and password reset processes to launch a man in the middle (MitM) attack at the application level.
- The attacker initiates a password reset process with a website and forwards every challenge to the victim, who either wishes to register on the attacking site or to access a particular resource on it.
To launch PRMitM, the attacker:
- Only needs to control a website; no MitM or eavesdropping capabilities are required.
- Attacks visitors of his website and takes over their accounts on other websites.
- Needs basic pieces of information (e.g. username, email, or phone number). This information can be extracted from the victim by the attacker during a registration process on the attacking website, or before some operations like file download, when the victim is required to identify themselves using their phone.
PRMitM Example
Survey
- Survey: participants were asked “if they would agree to either register to a website or prove they are human using their phone or both, in order to use common online services such as file downloads for free”.
- Participants were students aged between 18 and 35.
- Among 138 participants:
  1) Would never register for unknown websites or give their phone number, no matter what free services are offered.
  2) Said they would agree to use both options.
  3) Would only agree to register.
  4) Would only agree to identify themselves using their phone.
Simulation
- Simulation: a website that stores files and requires a valid phone number to download them. The verification is done via an SMS code, and the user is only required to enter his phone number.
- Among 99 participants:
  1) 39.4% said they would enter their phone number immediately.
  2) 14.1% said they would first try to obtain the files via friends or via online SMS services.
  3) 18.2% said they would enter their phone number only if they really needed the files (rather than just wanting them).
  4) Would not enter their phone number.
Reset-Password Challenges
1) CAPTCHA: does not aim to prevent an attacker from resetting the password, but rather aims to prevent the attacker from doing this automatically.
2) Security question: during registration, users are sometimes asked to answer personal question(s) that will later be used to identify them.
3) Code to the mobile phone: authentication can be done via one of three approaches: (1) something you know (e.g., a password), (2) something you are (e.g., fingerprints), and (3) something you have (e.g., a special token device or a phone). Authentication with a phone is usually done by sending a message with a password reset code to the user's phone via SMS, or by an automated phone call to the user in which the code is given. The user is required to enter this code in order to change her password.
4) Reset link to the email: the most common countermeasure. The PRMitM attack cannot be applied to websites that allow password reset only by sending a reset link to the email. Unfortunately, this option is usually not relevant for the email services themselves. Moreover, relying only on this option blocks password recovery when users have lost access to their email account.
Experiment 1: Correctness of the security question's answer
Participants were asked to register to a website in order to perform a short experiment. During the registration process, they were asked to type their email address, and only then to answer a classical security question: what is your mother's maiden name. Once the users completed the registration, they were asked whether the answer they had just typed was correct.
52 participants
Limitations of Password Reset Using SMS
- Unclear message
- Sender identity
- Token validity period
- Language compatibility
Experiment 2: Effectiveness of the PRMitM attack on Facebook users using SMS, and comparison between Facebook's SMS and a more detailed SMS.
The experiment page (attacker's page) asked them to identify themselves using their phone number. Specifically, the page asked the participants to type their phone number, so they could receive an SMS with a code that should then be typed in.
Participants: 88 volunteer students
Detailed SMS: *WARNING* Someone requested to reset your Facebook password. DO NOT SHARE THIS CODE with anyone or type it outside Facebook. The password reset code is XXXXXX.
Experiment 2: Observations
1) Many users just searched for the code without reading the text. Some of them did not even open the message, but read the code from the notification that popped up on their phone.
2) Many users who noticed that the message was sent from Facebook thought that the login to the experiment was done using the widely used "login with Facebook" mechanism.
- This means that the sender identity (as set by SMS spoofing) has minor importance in the attack, mainly if the content of the message is unclear. Furthermore, adding sentences to the attacking page like "Powered by Facebook", or even just an explanation that the message will arrive from a specific sender, may make SMS spoofing even more worthless.
SMS code vs. Phone Call
- Sender identifier.
- Length of message: an SMS code message is limited in its length. In phone calls it is possible to deliver longer messages.
- User attention: reading a code from an SMS does not require effort or concentration. In a phone call, the user dedicates more attention to the content of the phone call.
- Language issues: reading a reset code from an SMS in an unknown language is possible, as numbers are written the same in many languages. To extract the reset code from a phone call, at least a basic understanding of the language is required; hence, a user that extracts the code from a phone call is more likely to also understand the message.
- Interactivity: can be used to ensure that the user understands the situation.
Phone call from Google in English:
Hello! Thank you for using Google phone verification. Remember! You should
not share this code with anyone else, and no one from Google will ever ask for this
code. Your code is XXXXXX. Again, your code is XXXXXX. Good bye
Phone call from Google in other language:
Hello! Thank you for using our phone verification. Your code is XXXXXX. Again,
your code is XXXXXX. Good bye.
Experiment 3: Effectiveness of the PRMitM attack on Google users using phone calls
To initiate a password reset process in Google, only the email address of the victim is required. Nevertheless, the authors asked the users to enter both their email address and phone number, so that the call would not be suspicious.
The most common argument was the fact that the phone call did not specify anything about the meaning of the code.
Survey: Password Reset in Mobile Messaging Applications
- Taking over such applications exposes private and sensitive information about the user.
- Allows the attacker to perform sensitive operations like sending messages in the name of the user.
- Messages with a password reset code can be sent through the applications themselves to the mobile phone of the user.
Mobile Applications PRMitM Vulnerabilities
Defenses
- Good security questions:
  - Security questions that are exclusively related to the website are harder to bypass, since they cannot be forwarded to the user as legitimate security questions for other websites.
- Secure password reset using SMS; problems with current SMS messages:
  - Some users do not read the entire SMS messages they receive.
  - Lack of a warning about giving away the code.
  - Sometimes a missing explanation about the meaning of the code.
  - Sometimes a missing sender.
  - Lack of language compatibility.
  - => The password reset code should not be sent in clear text over SMS.
  - => Link-Via-SMS (LVS) password reset.
Link-Via-SMS (LVS) Password Reset
- Sending a detailed SMS message with a long link (instead of a code) overcomes the limitations of the SMS with a code.
- To exploit such a message, the PRMitM attacker has to ask the user to copy a link to his website, which is unusual.
- Users are used to simply clicking on links.
- In the authors' implementation of LVS, the link refers the user to an interactive page that has an alert about the attempt to reset the user's password.
- Does it increase the risk of other attacks?
  - The authors believe that the answer to this question is negative. Following links received in SMS might be harmful, but this has nothing to do with an SMS that is sent by a service that intends to protect its users.
  - Attackers might try to impersonate legitimate LVS messages to trick users into following malicious links; however, they can do the same for legitimate SMS messages as well.
Experiment 4: Effectiveness of LVS against the PRMitM attack on Facebook users
The LVS message was: *WARNING* Someone requested to reset your Facebook password. Press this link to reset your Facebook password: http://bit.ly/XXXXXXX. DO NOT SHARE IT!
Participants: 46 volunteer students that did not participate in any other experiment or survey.
Result: all the participants stopped the attack.
Experiment 5: Effectiveness of a detailed and interactive phone call against PRMitM attacks
Two elements must hold:
(1) the message must include the sender, the meaning of the code, and a warning about misuse;
(2) the call must cause the user to listen to and understand the message.
Instead of initiating a phone call from Google, the authors called the users with an (interactive) phone call.
Participants: 45 volunteer students that did not participate in any other experiment.
Results: none of the participants disclosed their code.
General Guidelines
1) Password-reset messages (SMS, phone call, email) must include the sending website, a clear explanation of the meaning of the code (password reset), and a warning to avoid giving this code to any person or website.
2) For each supported language, the password reset messages (SMS, phone call, email) must be sent in that language.
3) Test the password reset process for every supported language separately.
4) Notify the user when a password reset request is sent, to both the email and the phone. If the password reset is done via the phone, this is even more critical. An email notification to an email account that has been compromised is useless.
5) The link or the code sent to reset the password should be valid only for a short time period, e.g., 1-15 minutes.
6) If there are several ways to reset the password for a user, automatically disable the less secure ones. If it is impossible to use a secure password reset process, contact the user in advance and offer them both to add information that can be used to reset their password securely and to disable the (only) insecure ways.
7) Require several details about the user before sending the password-reset message (SMS, phone call, email). This prevents the easy option for the attacker to launch the attack given only the phone number of the user, without knowing anything else about the user.
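An added Python sketch (not the authors' code) of a password reset flow that applies the LVS design and guidelines 1, 2, 3, 4, 5 and 7 above: single-use links with a short lifetime, localised messages that name the site and carry a warning, a per-language compliance check, a notification to the second channel, and a match on several details before anything is sent. The site name, account records and the German template are constructed for the example.

```python
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Localised templates (guideline 2); each names the sending site, says what the
# link does and warns not to share it (guideline 1). Wording is constructed for
# this example, modelled on the LVS message quoted above.
TEMPLATES = {
    "en": "*WARNING* Someone requested to reset your {site} password. "
          "Open this link to reset it: {link} DO NOT SHARE IT!",
    "de": "*WARNUNG* Jemand hat das Zuruecksetzen Ihres {site}-Passworts "
          "angefordert. Link zum Zuruecksetzen: {link} NICHT WEITERGEBEN!",
}
# Words each language's message must contain (used by the guideline-3 check).
REQUIRED_WORDS = {"en": ("warning", "reset", "do not share"),
                  "de": ("warnung", "zuruecksetzen", "nicht weitergeben")}

class PasswordResetService:
    TOKEN_TTL = 10 * 60  # guideline 5: a reset link lives only minutes

    def __init__(self, site: str, accounts: Dict[str, dict], clock=time.time):
        # accounts maps email -> {"phone": ..., "language": ...} (constructed)
        self.site, self.accounts, self.clock = site, accounts, clock
        self.pending: Dict[str, Tuple[str, float]] = {}  # token -> (email, expiry)
        self.outbox: List[Tuple[str, str, str]] = []  # (channel, to, text)

    def request_reset(self, email: str, phone: str) -> Optional[str]:
        """Guideline 7: start a reset only when email AND phone match one
        account. Returns the SMS text sent, or None if nothing was sent."""
        acct = self.accounts.get(email)
        if acct is None or not secrets.compare_digest(acct["phone"], phone):
            return None
        token = secrets.token_urlsafe(32)  # unguessable; removed once used
        self.pending[token] = (email, self.clock() + self.TOKEN_TTL)
        link = f"https://{self.site}/reset/{token}"
        tmpl = TEMPLATES.get(acct["language"], TEMPLATES["en"])
        sms = tmpl.format(site=self.site, link=link)
        self.outbox.append(("sms", acct["phone"], sms))
        # Guideline 4: notify the other channel that a reset was requested.
        self.outbox.append(("email", email,
                            f"A password reset for your {self.site} account was requested by SMS."))
        return sms

    def consume(self, token: str) -> Optional[str]:
        """Accept a link once, before it expires; return the account's email."""
        entry = self.pending.pop(token, None)  # pop makes the link single-use
        if entry is None or self.clock() > entry[1]:
            return None
        return entry[0]

def templates_compliant() -> bool:
    """Guideline 3: check every supported language separately for the site,
    the link, the meaning of the link and a do-not-share warning."""
    for lang, tmpl in TEMPLATES.items():
        text = tmpl.format(site="SITE", link="LINK").lower()
        if "site" not in text or "link" not in text:
            return False
        if not all(word in text for word in REQUIRED_WORDS[lang]):
            return False
    return True
```

Because the secret travels only inside a link the user clicks, a PRMitM page has nothing to ask the user to copy, which is the property the LVS experiment above relies on.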
Difference Between Phishing and PRMitM
- An attacker who wants to take over an account has to intensely explore each of its target websites.
- Unlike PRMitM, in cross-site attacks users must also be authenticated to the attacked website.
- In clickjacking and some XSS attacks only a few clicks are required.
Phishing:
- Need to enter private information: the attacking page impersonates a legitimate website and tricks the victim into entering her credentials (username and password).
- The attacker's greatest challenge: impersonating another website.
PRMitM:
- More interaction between the attacking page and the victim is required: the victim has to perform an operation on the attacking page and enter at least a single minimal correct piece of information about themselves.
- Need to enter private information: the victim is only required to give personal information (e.g., phone number) in order to get some service.
- Obviates the need for impersonation; it can be launched naturally from every website.
What is being exploited?
Phishing:
- Exploits the users; there is no bug in the design of the attacked website. The attacker exploits unwary users who ignore the indications given to them by the browser.
PRMitM:
- Exploits bugs in the design of the password-reset process.
- There is no chance for the users and other client-side defenses (e.g., browser built-in mechanisms or extensions) to detect the attack.
Thank you
Bibliography
- Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works.
- Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack.
Images
- https://www.ophtek.com/category/phishing-email/
- https://www.pcmag.com/how-to/how-to-avoid-phishing-scams
- https://www.colourbox.com/vector/encryption-of-information-firewall-data-protection-sysrem-of-network-security-abstract-vector-technology-background-vector-31048858
- https://www.youtube.com/watch?v=7q-qOOeGSdI
- https://www.sslmarket.com/ssl/displaying-the-certificate-in-a-browser
- https://towardsdatascience.com/phishing-domain-detection-with-ml-5be9c99293e5
- https://www.psafe.com/en/blog/worried-password-phishing-android/
- https://www.intego.com/mac-security-blog/clever-phishing-scam-targets-your-apple-id-and-password/
- https://www.flaticon.com/free-icon/participant_1464174
- https://www.wpwhitesecurity.com/hacking-wordpress-login-capturing-usernames-passwords/
- https://www.pcmag.com/news/password-managers-can-be-vulnerable-to-malware-attacks
- https://www.google.com/search?q=password&sxsrf=ALeKk03Q2I-5n3klHlXQOgUpM-AKjRderA:1582552944271&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjZg9OQrernAhVRKewKHdLnDgQQ_AUoAXoECA4QAw&biw=1920&bih=949#imgrc=42buE2aboOLKDM
- https://www.techmion.com/tech_blog/10-benefits-of-sms-marketing/