«PhD-FSTC-2015-30 Ecole Doctorale IAEM Lorraine Faculté des Sciences, de la Technologie et de la Communication DISSERTATION Defense held on ...»
The rise in the number of phishing targets has caused a corresponding rise in financial damage. No accurate estimate is available to quantify the financial loss due to phishing. However, in 2007 a Gartner survey [gar07] estimated a direct financial loss of 3.2 billion dollars over the year due to phishing.
Figure 1.2: Most targeted industry sectors for the 3rd quarter 2014 (source: APWG)
In 2010, a report [str10] about identity theft, mainly performed through phishing attacks, estimated the loss resulting from this theft at 54 billion dollars. Later, in 2013, the estimated direct loss over the year due to phishing reached a record 5.9 billion dollars [rsa14]. As described in [AR14], the first day of a phishing attack is the most lucrative, so fast take-down of phishing websites is paramount to limit the financial damage. Between 2010 and 2014, the average uptime of phishing websites was halved, dropping from 72 hours to 32 hours. More significant is the median uptime of phishing websites, which decreased from 15 hours in 2010 to less than 9 hours in 2014. The development of phishing detection and prevention techniques reduced the delay before fake websites are taken down, thus reducing the financial loss due to each phishing attack. While causing significant loss, phishing is a low-reward activity for phishers [HF08]. Hence, the number of phishing attacks constantly increases in order to increase the gain, with the consequence of more victims and a rise in the global financial loss. The availability of easy-to-deploy phishing kits [CKV08] that target both users and victims makes performing phishing attacks an easy task and explains the rise in perpetrated attacks and the increase in the number of phishers. Phishing is the cybercrime equivalent of pickpocketing: it is easily perpetrated with low technical skills and at low cost to the attacker, thanks to phishing kits and cheap criminal hosting services.
1.1.4 Challenges to Fight Phishing
The observation of the evolution of phishing shows that there is still room for improvement in the techniques used to cope with this cybercrime. Despite the progress made in the fast take-down of phishing websites, the global damage caused by phishing is still increasing because the number of attacks is increasing. Besides the financial damage caused by phishing attacks, phishing causes an erosion of trust among Internet users and is starting to undermine email as a means of communication. Hence, the development of new means to deal with this problem is an ongoing activity aimed at reversing the growth of losses.
The variety of phishing vectors and the ease of performing phishing attacks make the fight against phishing very challenging. We identified six requirements for developing efficient protection techniques. These take into account the characteristics of phishing, namely the variety of vectors used, the speed of phishing attacks and the human factor. The requirements are the following:
• Speed: Since phishing attacks cause large monetary damage in little time, and especially during the first hours of an attack, a phish must be identified quickly to limit its harmful effects. Phishing detection methods in particular run while users are browsing the Web or reading emails, so a detection method must not degrade the user's experience by introducing large delays.
• Coverage: Phishing defences must be able to protect against as many vectors as possible; a perfect phishing protection method would be able to deal with all the techniques presented in Section 1.1.2 in order to provide the best protection.
• Information required: The best phishing detection method must be easy to implement and must not rely on many pieces of information. Some phishing detection methods rely on several kinds of information that are not necessarily available, which limits their applicability. In addition, retrieving this information is often time consuming, which impacts the speed of the method.
• Reliability: Phishing protection methods must protect against most phishing attacks, as described in the coverage requirement. However, they must flag as few legitimate communications as possible as phishing attacks. Too many false alarms badly affect the user experience. In addition, false alarms cause a loss of confidence in the protection technique, which lowers the regard users have for it.
• Ease of use: Methods must be easy for users to use and to understand. Most users, and especially phishing victims, have little technical knowledge and little knowledge of the way phishing attacks are performed, which explains why they are trapped. Hence, phishing protection must take this into account and be tailored to be easily used.
• Actual usage: This requirement is a consequence of the previous one and evaluates whether the protection method can actually be implemented and used by users, or whether it is simply ignored or too complicated to implement. This mostly evaluates the ability of a given method to cope with the unmotivated user property.
Several methods have been developed to cope with phishing and have proved efficient in identifying attacks, such that the lifetime of phishing attacks has globally decreased. Despite this efficacy, phishing is still an ongoing problem and these methods have not succeeded in getting rid of the threat.
To understand the cause of this failure, we analyse to what extent state-of-the-art phishing protection methods meet the requirements introduced above.
1.2 Phishing Prevention Techniques
For more than ten years, research into efficient techniques to cope with phishing has been very active. The proposed solutions can be divided into two main categories according to their goal: phishing prevention and phishing detection. The former were the first to be introduced, in order to prevent users from connecting to phishing websites at all. These techniques mainly focused on three fields: the development of strong authentication protocols, security toolbars to raise user awareness of the danger of phishing, and the implementation of blacklists.
1.2.1 Strong Authentication Schemes
When accessing banking services, retail services or social networks on the Internet, for instance, one is expected to enter some personal information (e.g. username, password, etc.) to prove one's identity to the web service and access one's account. This is needed because the account associated with such a service contains other, more sensitive, information about the user that must be protected from access by others. This is the authentication process required by any Internet service dealing with personal data. This process has been implemented with flaws that let unauthorized users access this information. The use of weak passwords, and their reuse by unsavvy users, makes the authentication process subject to attacks. Moreover, the reverse process, consisting in authenticating a website to a user, has proven weak. Users cannot reliably identify the entity they communicate with, leaving room for phishing attacks to occur.
Hence, some solutions have been proposed to fight phishing by developing strong authentication processes that allow both parties (client and server) to prove their identity without having to reveal sensitive information during the handshake.
The first proposed solutions consisted of browser extensions aiming to help users distinguish content provided by legitimate websites from content provided by illegitimate entities, so that users do not enter sensitive information into illegitimate fields, thus preventing credential theft. In [YS02], a browser extension giving different colours to window boundaries is introduced. Two kinds of window are shown to users according to the nature of the window content, allowing browser-provided status to be distinguished from web-server-provided content.
Easily distinguishable windows help users detect malicious content provided by web servers and prevent them from providing sensitive information to illegitimate entities. In [DT05], a similar solution of customized browser windows is proposed to authenticate a web server. It uses unique images to display a dedicated password window in which users enter their credentials and log in to a given website. The look of the window differs for every user and every transaction and is generated from a password shared between the user and the server. Hence, users can easily see whether the displayed password window is spoofed, since a spoofed window would not have the expected look for a given legitimate website.
Methods for improving server authentication have also been proposed, as in [TH09]. DNS TXT records are used to store the legitimate entity's certificate and to authenticate it to the client. A client plugin and a server plugin are used. The client plugin authenticates the web server by validating the certificate stored in the DNS TXT record. Then both plugins perform a mutual authentication using a one-time password.
One bad habit of Internet users is to use similar weak passwords for different websites. These can easily be guessed by phishers, and one stolen password can give access to several accounts.
To cope with this bad habit, some techniques to strengthen and differentiate passwords have been proposed [RJM+05, YS06, GLLA07]. For instance, Ross et al. introduce a browser extension named PwdHash [RJM+05]. This extension transparently produces a different password for each site a user signs in to, derived from a single master password. It relies on a hash function that generates a password from the user's unique master password and a piece of data associated with the website that cannot be spoofed by a phisher: the domain name. It strengthens web password authentication and prevents the user's password from being handed to phishers on fake websites, since a fake website has a different domain name from the one it spoofs.
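The following is an added illustration of the domain-bound password derivation described above; it is not the PwdHash code from [RJM+05] (which uses its own hash construction and domain-reduction rules) and it uses HMAC-SHA256 over the full hostname as a simplification. The master password and the two URLs are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Return the part of the URL the derived password is bound to.

    Simplification: the full hostname is used. PwdHash applies its own
    domain-reduction heuristics, which are not reproduced here.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return host.lower()


def derive_password(master_password: str, url: str, length: int = 16) -> str:
    """Derive a per-site password as HMAC(master, hostname), base64-encoded.

    The master password never leaves the browser: the site (or a phisher
    imitating it) only ever receives a value bound to its own hostname.
    """
    key = master_password.encode("utf-8")
    msg = site_key(url).encode("utf-8")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")[:length]


# Constructed sample values (not from the dissertation).
MASTER = "correct horse battery staple"
LEGIT_LOGIN = "https://bank.example.com/login"
LEGIT_OTHER = "https://bank.example.com/account?view=1"
# A lookalike host that embeds the real name as a prefix; the hostname still differs.
PHISH_LOGIN = "https://bank.example.com.login-verify.example/login"


def demonstrate() -> dict:
    """Show that the same site always gets the same password, while the
    lookalike phishing host gets a different one that is useless at the bank."""
    legit = derive_password(MASTER, LEGIT_LOGIN)
    return {
        "legit": legit,
        "same_site_same_password": legit == derive_password(MASTER, LEGIT_OTHER),
        "phish_gets_different_password": legit != derive_password(MASTER, PHISH_LOGIN),
    }


if __name__ == "__main__":
    print(demonstrate())
```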
This relies on a token delivered with a secure channel that is stored on the web browser and further used for every authentication.
On the one hand, the methods presented above that aim to strengthen user authentication are efficient at preventing password theft and the reuse of stolen passwords by phishers. Some of the techniques proposing second-factor authentication have been adopted by sensitive services, such as e-banking, to enforce security. On the other hand, methods for strengthening server authentication, while well founded, have not improved the situation. Contrary to strong user authentication, which is imposed by e-services, strong server authentication is left to Internet users. Since most Internet users are unaware of the dangers of phishing and since security is a secondary purpose for them, these optional methods have not been adopted. These security solutions [YS02, DT05] are not mandatory, are difficult to understand and generally add constraints to users' primary purpose of surfing the Web. Other techniques [TH09], although used transparently, still have flaws, such as being vulnerable to DNS cache poisoning attacks. Even if some of these techniques were widely deployed, most users do not understand the security indicators that prove the authenticity of the entities they communicate with [HJ08]. This limits the applicability of server authentication techniques.
1.2.2 Security Toolbars
To cope with the unmotivated user property regarding security enhancement solutions [WT99] and the inability of users to efficiently exploit the security indicators provided to them by web browsers, browser extensions also called security toolbars were developed. The indicators provided by web browsers can be used by mature users to easily infer the legitimacy of a website. One of these indicators is the address bar showing the URL of the consulted web page: one can easily see whether the domain name of the web page is the expected one. Another indicator is the use of a secure connection, shown by the HTTPS protocol in the address bar. Finally, to authenticate the web server one communicates with, checking the use of a Transport Layer Security (TLS) certificate via the padlock icon is fast, and further investigation of the certificate issuer can be done with a single click. All these indicators provide the information needed to authenticate a website. However, only a small proportion of users use them, and that is why browser extensions or security toolbars were developed to ease access to this information and to give users some additional information.
The Netcraft toolbar [net] is an example of a commercial anti-phishing toolbar providing a risk rating for the visited web page in the form of an easily understandable colour code (green = safe, red = unsafe). The SpoofGuard security toolbar [CLTM04] provides the same kind of information with a colour code. In addition, the Netcraft toolbar displays the time since the web page has been monitored, a popularity rank for the web page and the country where the website is hosted.
Figure 1.3 shows the Netcraft toolbar with the website information it displays.
Several techniques are used to infer the likelihood that a web page is a phish and to display this information. The SpoofGuard security toolbar [CLTM04] is another web browser plugin, relying on stateless web page evaluation to provide users with a spoof index for a website. Trustbar [HJ08] provides some TLS-certificate-derived indicators and other user-customized indicators to depict the likelihood that a website is a phish. A user study shows that the indicators provided by Trustbar are more efficient at raising user awareness of danger than basic browser security indicators such as padlocks or HTTPS indicators. Gastellier et al. propose another security tool