Web identity security : advanced phishing attacks and counter measures
Student thesis: Doctoral Thesis
Award date: 3 Oct 2006
Phishing is an emerging type of social engineering crime on the Web. Most phishers initiate attacks by sending emails to potential victims. These emails lure users to fake websites and induce them to expose sensitive and/or private information. The rapid development and evolution of phishing techniques pose a major challenge in Web identity security for computer science researchers in both academia and industry, and advanced countermeasures are urgently required. All phishing attacks spoof users at the visual level and the semantic level, i.e., they make the appearance of web pages look similar to the real ones and make the web links and web page contents semantically related to the real ones. All such scams happen through human computer interaction.

In this dissertation, we address a series of advanced countermeasures against the most prominent phishing scams. We also propose a tool that provides web page originality verification. The backbone of this dissertation consists of four parts: Visual Assessment Approach, Semantic Assessment Approach, Human Computer Interaction Enforcement, and Website Originality Verification. We develop a system with algorithmic solutions for handling the phishing problem with different tools. In addition, we present experimental results showing the effectiveness of our work. Finally, we discuss future research topics and directions.

In the Visual Assessment Approach, we detect phishing attacks using visual features of web pages. Study in  demonstrated that visual assessment based detection is successful, but it fails against advanced phishing attacks, as shown in Chapter 2 (Section 2.2). The reason is that visual assessment at the code level (HTML) does not actually reflect the classification curve of human eye assessment. In this dissertation, we evaluate visual features taken entirely from the computer screen. We use Earth Mover's Distance (EMD), a linear programming model, to assess the similarity of the visual features. We create a system, SiteWatcher, to monitor email servers and client side network traffic. We parse out the web links in suspected emails and network traffic, and retrieve the corresponding web pages from the Web as HTML. We then convert the retrieved web pages into images and use EMD to calculate their similarity to the protected web pages. Our experiments show that this method is superior to all other visual assessment methods.

The Semantic Assessment Approach focuses on text similarity assessment. Text based obfuscation is mainly seen in Unicode attacks. We propose a general methodology to detect Unicode attacks. We evaluate the similarity of Unicode strings from char-char similarity (visual similarity and semantic similarity), word-word similarity (semantic similarity), and word string similarity (semantic similarity). We build a Unicode attack detection system and evaluate its effectiveness and performance. To our knowledge, this is the first Unicode attack detection system.

The Human Computer Interaction Enforcement Approach focuses on developing a new human computer interaction model that guides users away from making mistakes. Whether phishing attacks happen at the visual level or the semantic level, all spoofing scams are carried out through human computer interaction (HCI). However, we demonstrate that these applications' GUIs are not guaranteed to be secure. Our study shows that no place on a computer screen is guaranteed to be secure, as shown in Chapter 2 (Section 2.4.1). Secure HCI is more difficult than ever expected, because anti-phishing applications have graphical user interfaces (GUIs) and these GUIs can be faked. We call this Screenjacking: phishing attacks against applications, including the anti-phishing applications themselves. To solve this problem, we propose five different UI methods to improve GUI security: Spring Loaded Security Key, Application Trace, Genuine Skin, Merged Approach, and User Challenge. We also propose two password mechanisms, Semi-Random Password and Context Sensitive Password, to improve public HCI security and password security. Semi-Random Password provides better security against key logging based attacks. Context Sensitive Password is an exciting tool that protects users from both phishing and Screenjacking attacks.

Website Originality Verification aims to give strong, evidence based definitions of phisher and victim. We design and build a system, DistAca (short for "Distinguisher for Academia"), to verify the originality of web pages (or any other data). With DistAca we can produce secure evidence that proves a website's originality.

The above four approaches compose a systematic anti-phishing solution. This solution aims at advanced countermeasures against Web identity fraud. Our experiments show that these approaches are effective in protecting users from phishing attacks.
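The char-char visual similarity step of the Unicode attack detection described above, as an added illustration that is not code from the thesis: each character is mapped to the ASCII character it resembles (a "skeleton"), and a hostname whose skeleton collides with a protected name, or that mixes scripts, is flagged. The confusable table, the `PROTECTED` list and the `.example` hostnames are constructed for this illustration.

```python
import unicodedata

# Constructed, hypothetical confusable table: a few code points that render
# like ASCII letters. A real deployment would load the full Unicode
# confusables data; this table only covers the sample inputs below.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0131": "i",  # Latin small dotless i
}

# Constructed list of hostnames we want to protect (assumption).
PROTECTED = ["securebank.example", "mail.example.org"]


def skeleton(s: str) -> str:
    """Visual skeleton: NFKC-normalise (folds fullwidth forms and ligatures),
    lower-case, then replace each confusable by the ASCII character it
    resembles. Two strings with the same skeleton look alike to a human."""
    s = unicodedata.normalize("NFKC", s).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def scripts_used(s: str) -> set:
    """Scripts of the alphabetic characters, taken from the Unicode name
    (e.g. 'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in s if ch.isalpha()}


def check_host(host: str, protected: list = PROTECTED) -> dict:
    """Classify a hostname: 'confusable' if it looks identical to a protected
    name without being it, 'mixed-script' if it mixes alphabets, else 'benign'."""
    skel = skeleton(host)
    scripts = scripts_used(host)
    verdict, match = "benign", None
    if skel in protected and skel != host.lower():
        verdict, match = "confusable", skel
    elif len(scripts) > 1:
        verdict = "mixed-script"
    return {"host": host, "skeleton": skel, "scripts": sorted(scripts),
            "verdict": verdict, "match": match}
```

The check is deliberately conservative: a mixed-script name that does not collide with a protected skeleton is only flagged, not blocked, since legitimate internationalised names exist.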
- Phishing, Security measures, Internet