Phishing By: Joanna Georgiou Dhamija, R., Tygar, J. D., & - - PowerPoint PPT Presentation

Phishing

By: Joanna Georgiou

Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works. Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack.

What is Phishing?

Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22).

Why Phishing Works.

Contributions

• Provided fi

first empirical evidence about which malicious strategies are successful at deceiving users.

• Studied large set of captured

phishing attacks.

• Usability study which 22

participants were shown 20 websites.

Phishing

• Successful Phishers: Present a high-credibility webpage → the user to fail to

recognize security measures installed in web browsers.

• Phishers exploit: Lack of Knowledge:
• Lack of computer system knowledge (eg. Some users do not understand the

meaning of the syntax of domain names and cannot distinguish legitimate versus fake URLs)

• Lack of knowledge of security and security indicators

Lack of knowledge of security and security indicators

• Do not know that a closed

padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL

• Even if they understand it they

can be fooled by its placement within the body of a web page.

• Do not understand SSL

certifi ficates

Visual Deception

• Visually Deceptive Text: Syntax of a domain name (typejacking attacks) eg.

www.paypa1.com instead of www.paypal.com , or using non-printing / non-ASCII characters.

• Images masking underlying text: Use an image of a legitimate hyperlink to serve as a

hyperlink to a rogue site.

• Images mimicking windows: Use images in the content of a web page that mimic browser

windows / dialog windows.

• Windows masking underlying windows: Place an illegitimate browser window on top of /

next to a legitimate window. (if they have the same look and feel the user may mistakenly believe that are from the same source / may not even notice that a second window exists)

Bounded Attention

• Lack of attention to the absence of security

identucators

• Lack of attention on security identucators
• When users are too focused on their primary task

Study: Distinguish Legitimate Websites

• Collected appr. 200 unique phishing

websites (including all related links, images and web pages)

• Anticipated that the results would be

better than it would be in real life

• Created 3 phishing websites
• Every participant saw every website, but

in randomized order.

Study

• Study scenario: giving instructions, a randomized list of hyperlinks to websites

labeled “Website 1”, “Website 2”.

• Participants had no expectations about each website.
• Each website that we presented was fully functioning.

Presented participants with 20 websites; the first 19 were in random order:

• 7 legitimate websites
• 9 representative phishing websites
• 3 phishing websites constructed by the authors using additional phishing

techniques

• 1 website requiring users to accept a self-signed SSL certifi

ficate (this website was presented last to segue into an interview about SSL and certificates).

• Self-Signed SSL Certifi

ficate: Users are exposed to a risk that a third party could intercept traffic to the website using the third-party's

• wn self-signed certificate.

Study

Study: Participants

Study: Participants

Study: Participants

• Most participants regularly

use more than one type of browser and operating system.

Study: Participants

• Hours of computer usage per week ranged from

10 to 135 hours

• 18 participants regularly use online banking
• 20 participants said they regularly shop online

Results

• Good phishing websites fooled 90% of participants.
• 23% did not look at browser-based cues (address bar, status bar, security indicators)
• On Average: 40% incorrect choices of the time.
• 15 out of 22 participants proceeded without

hesitation when popup warning about fraudulent certifi ficates were shown.

• Neither education, age, sex, previous

experience, hours of computer use showed a statistically significant correlation with vulnerability to phishing.

Strategies for Determining Website Legitimacy

• Type 1: Security indicators in website

content only

• Type 2: Content and domain name only
• Type 3: Content and address, plus

HTTPS

• Type 4: All of the above, plus padlock

icon

• Type 5: All of above, plus certificates

Additional Strategies

• 2 participants stated: they would only question a website’s legitimacy if more

than the username and password was requested.

• 1 participant actually submitted her username and password to some websites in
• rder to verify if it was a site at which she had an account.
• 1 participant:
• Opened up another browser window, typed in all URLs by hand to compare these

pages to every website presented in the study.

• Occasionally used Yahoo to search for the organization in question, then click on the

top search result and compare it to the website presented in the study.

Phishing Websites

• Hosted at “www.bankofthevvest.com”,

with 2 “v”s instead of a “w” in the domain name.

• 20 participants incorrectly judged this to

be the legitimate Bank of the West website

• 17 participants mentioned the content of

the page as one reason for their decision.

• 8 participants relied on links to other

sites

• 6 participants clicked on the Verisign

logo(displaying an SSL protected webpage, hosted at Verisign, shows the SSL certificate status of the www.bankofthewest.com.)

• 3 participants said the correctness of the

URL was the primary factor in deciding.

Conclusions:

• Even when users expect spoofs to be present and are motivated to discover them, many

users cannot distinguish a legitimate website from a spoofed website.

• Indicators that are designed to signal trustworthiness were not understood (or even

noticed) by many participants.

• 5 out of 22 participants only used the content of the website to evaluate its authenticity.
• A number of participants incorrectly said a padlock icon is more important when it is

displayed within the page than if presented by the browser.

• Other participants were more persuaded by animated graphics, pictures, and design

touches such as favicons (icons in the URL bar) than SSL indicators.

Conclusions:

• Phishers can create and fully functioning site with images, links, logos and images of security

indicators to persuade the users that the spoofed websites were legitimate.

• Legitimate organizations that follow security precautions are penalized and were judged by

some of the participants to be less trustworthy. Confused the participants by hosting secure pages with third parties, where the domain name does not match the brand name.

• It is not suffi

fficient for security indicators to appear only under trusted conditions, it is important to alert users to the untrusted state.

• Security interface designers must consider that indicators placed outside of the user’s

periphery or focus of attention (e.g., using colors in the address bar to indicate suspicious and trusted sites) may be ignored entirely by some users

Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017).

The Password Reset MitM Attack.

Contributions

• Introduce the PRMitM attack
• Evaluate the PRMitM attack on Google and

Facebook.

• Explore further and identify similar

vulnerabilities in popular mobile applications.

• Design secure password reset processes using

SMS and phone calls, and evaluate of them on Google and Facebook users.

• List recommendations for the secure design of

the password reset process.

Introduction

The Password Reset Man in the Middle Attack (PRMitM)

• It exploits the similarity of the registration and password reset processes to launch a man

in the middle (MitM) attack at the application level.

• The attacker initiates a password reset process with a website and forwards every

challenge to the victim who either wishes to register in the attacking site or to access a particular resource on it.

To Launch PRMitM, the attacker:

• Only needs to control a website; no MitM or eavesdropping capabilities are required.
• Attacks visitors of his website and takes over their accounts in other websites.
• Needs basic pieces of information (eg. username, email, or phone number). This

information can be extracted from the victim by the attacker during a registration process to the attacking website or before some operations like file download, when the victim is required to identify themselves using their phone.

PRMitM Example

Survey

• Survey: “if they would agree to either

register to a website or prove they are human using their phone or both, in order to use common online services such as fi file downloads for free”.

• Students ranged between 18 and 35.
• Among 138 participants:

1) They would never register for unknown websites or give their phone number, no matter what free services are offered. 2) Said they would agree to use both

• ptions.

3) Would only agree to register. 4) Would only agree to identify themselves using their phone

Simulation

• Simulation: a website that stores fi

files and requires a valid phone number to download them. The verification is done via SMS code, and the user is only required to insert his phone number.

• Among 99 participants:

1) 39.4% said they would insert their phone number immediately. 2) 14.1% said they would fi first try to

• btain the fi

files via friends or via

• nline SMS services.

3) 18.2% percent said they would insert their phone number only if they really needed the fi files (rather than just wanting them). 4) They wouldn’t insert their phone number.

Reset - Password Challenges

1) CAPTCHA: do not aim to prevent an attacker from resetting the password, but rather aim to prevent the attacker from doing this automatically. 2) Security Question: During the registration, users are sometimes asked to answer personal question(s) that will be used to identify them. 3) Code to the Mobile Phone: Authentication can be done via one of three approaches: (1) something you know (e.g., password), (2) something you are (e.g., fi fingerprints), and (3) something you have (e.g., special token device or a phone). Authentication with phone is usually done by sending a message with a password reset code to the phone of the user via SMS or by automated phone call to the user, in which the code is given. The user is required to insert this code in order to change her password.

Reset - Password Challenges

4) Reset Link to the Email: The most common countermeasure. The PRMitM attack cannot be applied on websites that allow password reset only by sending a reset link to the email. Unfortunately, this option is usually not relevant for the email services themselves. Moreover, relying only on this option blocks password recovery when users have lost access to their email account.

Experiment 1: Correctness

• f security question’s answer

Participants were asked to register to a website in order to perform a short experiment. During the registration process, they were asked to type their email address, and only then, to answer a classical security question: What is your mother’s maiden name. Once the users completed the registration, they were asked whether the answer they just typed was correct.

52 Participants

Limitations of Password Reset Using SMS

• Unclear message
• Sender identity
• Token validity period
• Language compatibility

Experiment 2: Effectiveness of

PRMitM attack on Facebook users using SMS and comparison between Facebook’s SMS and more detailed SMS. The experiment page (attacker’s page) asked them to identify themselves using their phone number. Specifically, the page asked the participants to type their phone number, so they can receive an SMS with a code that should be typed in. Participants: 88 volunteer students

Detailed SMS: *WARNING* Someone requested to reset your Facebook password. DO NOT SHARE THIS CODE with anyone or type it outside Facebook. The password reset code is XXXXXX.

Experiment 2: Observations

1) Many users just searched for the code without reading the text. Some of them did not

• pen the message, but read the code from the notification that was prompted in their

phone. 2) Many users who noticed that the message was sent from Facebook, thought the login to experiment was done using the widely used login with Facebook mechanism.

• This means that the sender identity as specify by SMS spoofing has a minor importance

in the attack, mainly if the content of the message is unclear. Furthermore, adding sentences to the attacking page like ”Powered by Facebook” or even just an explanation that the message will arrive with specifi fic sender, may make SMS spoofi fing even more worthless.

SMS code vs. Phone Call

• Sender identifi

fier.

• Length of message: SMS code is limited in its length. In phone calls it is possible to

deliver longer messages.

• User attention: Reading a code from SMS does not require efffort or concentration. In a

phone call, the user dedicates more attention to the content of the phone number.

• Language issues: Reading a reset code from an SMS in unknown language is possible, as

numbers are written the same in many languages. To extract the reset code from a phone call, at least basic understanding in the language is required; hence, a user that extracts the code from a phone call is more likely to also understand the message.

SMS code vs. Phone Call

• Interactivity: Can be used to ensure that the user understands the situation.

Phone call from Google in English: Hello! Thank you for using Google phone verification. Remember! You should not share this code with anyone else, and no one from Google will ever ask for this

• code. Your code is XXXXXX. Again, your code is XXXXXX. Good bye

Phone call from Google in other language: Hello! Thank you for using our phone verification. Your code is XXXXXX. Again, your code is XXXXXX. Good bye.

Experiment 3: Efgectiveness of

PRMitM attack on Google users using phone calls To initiate a password reset process in Google, only the email address of the victim is required. Nevertheless, they asked the users to insert both their email address and phone number, so the call will not be suspicious The most common argument was the fact that the phone call did not specify anything about the meaning of the code.

Survey: Password Reset in Mobile Messaging Applications

• Taking over such applications exposes private and sensitive information

about the user.

• Allows the attacker to perform sensitive operations like sending messages

in the name of the user.

• Messages with password reset code can be sent through the applications

themselves to the mobile phone of the user.

Mobile Applications PRMitM Vulnerabilities

Defenses

• Good Security Questions :
• Security questions that are exclusively related to the website are harder to

bypass them, they cannot be forwarded to the user as legitimate security questions for other websites.

• Secure Password Reset Using SMS
• Some users do not read the entire SMS messages they receive.
• Lack a warning about giving away the code.
• Sometimes missing explanations about the meaning of the code.
• Sometimes missing sender.
• Lack of language compatibility.
• => reset password code should not be sent in a clear text over SMS.
• => Link-Via-SMS (LVS) Password Reset

Link-Via-SMS (LVS) Password Reset

• Sending a detailed SMS message with a long link (instead of a code) overcomes the

limitations of the SMS with the code.

• To exploit such a message, the PRMitM attacker has to ask the user to copy a link to his website, which is

unusual.

• Users have the habit to just click on links.
• In their implementation of the LVS, the link refers the user to an interactive page that

has an alert about the attempt to reset the user password.

• Does it increase the risk to other attacks?
• They believe that the answer to this question is negative. Following received links in SMS might be harmful,

but this has nothing to do with an SMS that is sent by a service that intends to protect its users

• Attackers might try to impersonate legitimate LVS message, to trick users to follow malicious links;

however, they can do the same also for legit SMS messages.

Experiment 4: Efgectiveness

• f LVS against PRMitM attack on Facebook

users The LVS message was: *WARNING* Someone requested to reset your Facebook password. Press this link to reset your Facebook password: http://bit.ly/XXXXXXX. DO NOT SHARE IT!

• Participants. 46 volunteer students that

did not participate in any other experiment or survey All the participants stopped the attack

Experiment 5: Efgectiveness

• f detailed and interactive phone call against

PRMitM attacks. Two elements must hold: (1) the message must include the sender, the meaning of the code, and a warning about misuse (2) the call must cause the user to listen and understand the message

Instead of initiating a phone call from Google, they called the users with an (interactive) phone call.

Participants: 45 volunteer students that did not participate in any other experiment Results: None of the participants disclosed their code

General Guidelines

1) Password-reset messages (SMS, phone call, email) must include the sending website, clear explanation about the meaning of the code (password reset), and a warning to avoid giving this code to any person or website. 2) For each supported language, the password reset messages (SMS, phone call, email) must be sent in that language. 3) Test password reset process for every supported language separately. 4) Notify the user when a password reset request is sent, to both the email and the

• phone. If the password reset is done via the phone, this is even more critical. Email

notification to email account that got compromised is useless.

5) The link or the code sent to reset the password should be valid only for short time period, e.g., 1 − 15 minutes. 6) If there are several ways to reset the password for a user, automatically disable the less secure ones. If it is impossible to use a secure password reset process, contact the user in advance and offfer them both to add information that can be used to reset their password securely and to disable the (only) insecure ways. 7) Require several details about the user before sending the password-reset message (SMS, phone call, email). This prevents the easy option for the attacker to launch the attack given only the phone number of the user, without knowing anything else about the user.

General Guidelines

Difgerence Between Phishing and PRMitM

• An attacker who wants to take over an account

has to intensely explore each of its target websites.

• Unlike PRMitM, in cross-site attacks users must

also be authenticated to the attacked website.

• Clickjacking and some XSS attacks only a few

clicks are required.

• Need to insert private information
• The attacking page impersonates a legitimate

website and tricks the victim into inserting her credentials (username and password)

• The attacker’s greatest challenge: the

impersonation to another website.

• More interaction between the attacking page

and the victim is required.

• The victim is required to perform an
• peration in the attacking page and to insert

at least a single minimal correct piece of information about themselves.

• Need to insert private information
• The victim is only required to give personal

information (e.g., phone number) in order to get some services.

• Obviates the need for impersonation; it can

be launched naturally from every website.

Phishing PRMitM

What is being exploited?

• Exploit the users; there is no bug

in the design of the attacked website, the attacker exploits unwary users who ignore indications given to them by the browsers.

• Exploit bugs in the design of

password-reset process.

• There is no chance for the users

and other client-side defenses (e.g., browser built-in mechanisms or extensions) to detect the attack.

Phishing PRMitM

Thank you

Bibliography

• Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works
• Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017).

Images

• https://www.ophtek.com/category/phishing-email/
• https://www.pcmag.com/how-to/how-to-avoid-phishing-scams
• https://www.colourbox.com/vector/encryption-of-information-firewall-data-protection-sysrem-of-network-security-abstract-vector-technology-b

ackground-vector-31048858

• https://www.youtube.com/watch?v=7q-qOOeGSdI
• https://www.sslmarket.com/ssl/displaying-the-certificate-in-a-browser
• https://towardsdatascience.com/phishing-domain-detection-with-ml-5be9c99293e5
• https://www.psafe.com/en/blog/worried-password-phishing-android/
• https://www.intego.com/mac-security-blog/clever-phishing-scam-targets-your-apple-id-and-password/
• https://www.flaticon.com/free-icon/participant_1464174
• https://www.wpwhitesecurity.com/hacking-wordpress-login-capturing-usernames-passwords/
• https://www.pcmag.com/news/password-managers-can-be-vulnerable-to-malware-attacks
• https://www.google.com/search?q=password&sxsrf=ALeKk03Q2I-5n3klHlXQOgUpM-AKjRderA:1582552944271&source=lnms&tbm=isch&s

a=X&ved=2ahUKEwjZg9OQrernAhVRKewKHdLnDgQQ_AUoAXoECA4QAw&biw=1920&bih=949#imgrc=42buE2aboOLKDM

• https://www.techmion.com/tech_blog/10-benefits-of-sms-marketing/