Security against Deceptive Phishing

Submitted by

D. Nikhitha

11UC15802

Department of Computer Science and Engineering, Talla Padmavathi College of Engineering, Warangal (A.P.)

ABSTRACT
Phishing is online identity theft in which confidential information is obtained from an individual. Phishing for passwords is worthwhile only if the password sent to the phishing server is also useful at a legitimate site. One way to prevent phishers from collecting useful passwords is to encode user passwords according to where they are used, and transmit only an encoded password to a web site. An implementation of this idea is called password hashing. In password hashing, password information is hashed together with the domain name to which it is going before it is transmitted, so that the actual transmitted passwords can be used only at the domain receiving the password data.

1.1 Phishing
Phishing is online identity theft in which confidential information is obtained from an individual. Phishing, also known as Web Spoofing or Carding, is a significant problem involving fraudulent email and websites that trick unsuspecting users into revealing private information.

As financial institutions have increased their online presence, the economic value of compromising account information has increased dramatically. Phishers target many kinds of confidential information, including user names and passwords, social security numbers, credit card numbers, bank account numbers, and personal information. The US Secret Service and the San Francisco Electronic Crimes Task Force report that approximately 30 attack sites are detected each day. Each attack site may be used to defraud hundreds or thousands of victims, and it is likely that many attack sites are never detected. A typical phishing attack begins with bulk email to a group of unsuspecting victims. Victims of the phishing attack then follow a link in the email message to connect to a spoofed site. Once a victim enters his or her user name and password on the spoofed site, the criminal then has the means to impersonate the victim.

1.1 Types of Phishing
Phishing includes many different types of attacks, mainly: Deceptive attacks, in which users are tricked by fraudulent messages into giving out information; Malware attacks, in which malicious software causes data compromises; and DNS-based attacks, in which the lookup of host names is altered to send users to a fraudulent server.

1.1.2 Malware-Based Phishing


Malware-based phishing refers generally to any type of phishing that involves running malicious software on the user's machine. A deceptive phishing email could direct the user to a site that has been compromised via content injection, which installs malware that poisons the user's hosts file. Malware-based phishing can take many forms. Some of the most prevalent forms are:

Key loggers: programs that install themselves either into a web browser or as a device driver, monitor the data being input, and send relevant data to a phishing server.

Session hijackers: an attack in which a user's activities are monitored, typically by a malicious browser component.

Web Trojans: malicious programs that pop up over login screens to collect credentials. The user believes that he or she is entering information on a website, while in fact the information is being entered locally and then transmitted to the phisher for misuse.

Data theft: once malicious code is running on a user's computer, it can directly steal confidential information stored on the computer. Such information can include passwords.

1.1.3 DNS-Based Phishing or Pharming


DNS-based phishing refers generally to any form of phishing that interferes with the integrity of the lookup process for a domain name. This includes hosts file poisoning, even though the hosts file is not properly part of the Domain Name System. Another form of DNS-based phishing involves polluting the user's DNS cache with incorrect information that will be used to direct the user to an incorrect location. If the user has a misconfigured DNS cache, this can be done directly. It can also be done with a system reconfiguration attack that changes the user's DNS server to a malicious server, by hacking a legitimate DNS server, or by polluting the cache of a misconfigured legitimate DNS server.

1.1.1 Deceptive Phishing


In deceptive phishing the most common vector today is email. In a typical scenario, a phisher sends deceptive email in bulk, with a call to action that demands the recipient click on a link. The web site to which the user is directed collects the user's confidential information. If a recipient enters confidential information into the fraudulent site, the phisher can subsequently impersonate the victim.

[Figure: Illustration of deceptive phishing]

1.1.2 Password Phishing

Here's a problem that you may be familiar with. A user arrives at an official-looking web site, perhaps after clicking a link in a fraudulent email or mistyping a web address. The user thinks that they're at a bank site, but actually they're giving their password to a fake site controlled by a malicious criminal. Once the user gives away their password, the attacker can log in to the real bank with the user's account. These types of identity theft attacks are called phishing attacks and have become very common in recent years. So we have a situation where the security of the user's password is only as strong as the least secure site where the password is used.

Password phishing attacks begin with a bulk email asking the user to update some information on the site. The email also contains a link to the fraudulent site, which feigns to be the original site. When the user reaches the site by clicking the link, the site prompts for the username and password, thus making the user reveal them. The phisher can then use this knowledge to impersonate the innocent user and access the user's account on the original site. Users commonly use the same password on multiple sites, so stolen username and password data from one site can be reused on another.

[Figure: Illustration of the phishing problem]

1.1.3 Common Password Problem

Here's another related, but different, attack. Our user has online accounts at many different sites, and because it is difficult to remember a unique password for every site, she uses the same password at her bank and at her newspaper's login page. Maybe the newspaper login page isn't protected by SSL for performance reasons, or maybe the passwords are stored in the clear on the newspaper server. Maybe a successful phishing attack was executed on the newspaper site, or perhaps the newspaper itself is owned by a nefarious villain who wants to sell these passwords to the highest bidder. In any case, the security of the bank site is compromised by the low-security site, because the user has a common password at both sites. So we have a situation where the security of the user's password is only as strong as the least secure site where the password is used. Merely beefing up security at the bank's server won't help us very much. What we need is a client-side security solution to protect the bank password from being given to the newspaper.

[Figure: Common password problem]

2.10 Password Hashing to counter phishing


Although there are many solutions to deceptive phishing, many users still fall victim to phishing scams. The above-mentioned countermeasures to phishing all fall short on one issue or another. So we tried to develop a solution to the phishing problem by combining a few of these concepts. The software created was based on the concepts of URL check, domain check, password check and outgoing password check. Password hashing can be described as a combination of all of these, so it provides better security against phishing. Password hashing is a simple technique which combines the password with a salt that varies for different sites. This generates different passwords for different sites. So the main challenge here is to choose the salt. The salt must be chosen in such a way that it differs between the original site and the phishing site, even though the phishing site resembles the original in more ways than are detectable. Password hashing didn't disappear, however; the idea has been kicked around ever since. Password hashing has been implemented by taking the domain name that will receive the data. Here we try to implement the same technique using the domain name of the site hosting the current page as the salt. Despite the many security breaches it has encountered, it was a good development in the direction of overcoming phishing rather than trying to prevent or avoid it.

Password hashing was also implemented by using the SSL certificate of the domain as the salt. This provides good security until the authenticity of the certificate comes into question. Also, many small organizations do not have any SSL certificates, so users who wanted to log into such sites had to go unprotected. Thus there was a need for a solution that overcomes these incompatibilities. Our concept is designed to protect the ordinary user. We have implemented password hashing by taking the domain name of the site hosting the current page as the salt. This new direction gave us two advantages. Firstly, the user has different passwords for different domains, so even after successful phishing at one site, the phisher cannot access any account of the user other than the one whose password he has obtained. Secondly, it is not possible for the phisher to extract the user's password for a domain, because the salt is different for the original domain and the phishing site. Thus the password obtained by the phisher becomes worthless: he cannot log on to the original domain with the phished password. In this way password hashing helps thwart phishing attacks.

Phishing for passwords is worthwhile only if the password sent to the phishing server is also useful at a legitimate site. One way to prevent phishers from collecting useful passwords is to encode user passwords according to where they are used, and transmit only an encoded password to a web site. Thus, a user could type in the same password for multiple sites, but each site, including a phishing site, would receive a differently encoded version of the password. An implementation of this idea is called password hashing. In password hashing, password information is hashed together with the domain name to which it is going before it is transmitted, so that the actual transmitted passwords can be used only at the domain receiving the password data. Password hashing here involves two steps. The cleartext password is given as input to an encryption process. The encrypted password, together with the domain, is then given as input to a hash algorithm, whose output is the domain-specific password.

This application can address two problems:

1. Phishing attack: A user arrives at an official-looking web site, perhaps after clicking a link in a fraudulent email or mistyping a web address. The user thinks that they're at a bank site, but actually they're giving their password to a fake site controlled by a malicious criminal. Once the user gives away their password, the attacker can log in to the real bank with the user's account. These types of identity theft attacks are called phishing attacks and have become very common in recent years. The security properties of the hash function make it hard for an attacker to recover the original password using only the hashed version. Since we derive different passwords for different domains, the password sent to the original site differs from the one sent to the fake site because the domain names differ. Thus we protect against a password phishing attack, as long as the phishing site has a different domain name from the original site.

2. Common password problem: The user has online accounts at many different sites, and because it is difficult to remember a unique password for every site, he uses the same password at his bank and at his blog. Maybe the passwords at the blog are stored in the clear on the server, maybe a successful phishing attack was executed on the blog site, or perhaps the blog itself is owned by a nefarious villain who wants to sell these passwords to the highest bidder. In any case, the security of the bank site is compromised by the low-security site, because the user has a common password at both sites.

Here's how password hashing works. Suppose our user gives the same password to both bank A and site B, either because site B is a phishing site or just a site with lower security than the bank. Rather than send this password directly to the remote server, we instead combine the user's password and the domain name of the site into a secure hash that is used as the user's domain-specific password. When the common password is hashed with two different domain names, the output of the hash function differs, so site B receives only its own hashed version, which is useless at bank A. And we handle the common password problem by ensuring that the user has a different, unique password at every site they visit.
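The scheme just described, as an added example that is not the paper's own code: the user's master password is hashed together with the receiving site's domain, so a lookalike phishing domain and a second legitimate site each receive a different derived password. HMAC-SHA256 stands in for the paper's "encrypt then hash" step, the domain extraction is deliberately simplified, and the 16-character length and the sample URLs are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Salt for the hash: the host that will actually receive the password.

    Simplified on purpose: lower-case the host and drop a leading 'www.'.
    A deployable version must use public-suffix rules (e.g. 'co.uk') so that
    sub-domains of one site agree on the salt while unrelated sites differ.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host[4:] if host.startswith("www.") else host


def domain_password(master_password: str, url: str, length: int = 16) -> str:
    """Derive the domain-specific password sent to the site at `url`.

    The master password is keyed with the domain, so the value a site sees is
    usable only at that domain; a phishing site on another domain gets a value
    that does not log in at the real site.
    """
    domain = site_domain(url)
    digest = hmac.new(domain.encode(), master_password.encode(),
                      hashlib.sha256).digest()
    # Truncate to a printable password of the requested length.
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample master password
    legit = domain_password(pw, "https://www.bank.example/login")
    spoof = domain_password(pw, "https://bank-example.net/login")  # lookalike
    other = domain_password(pw, "https://news.example/signin")     # second site
    print("bank   :", legit)
    print("spoof  :", spoof)   # differs from the bank's value
    print("news   :", other)   # differs too, though the master password is shared
```

Note that the protection holds only while the derivation happens on the client before the password leaves the browser; a page that can read the raw keystrokes (the malware case above) is out of scope.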

CONCLUSION
We have presented a paper which helps improve password authentication by making the password domain-specific. We can counter the phishing problem and tackle the common password problem. We are able to generate strong passwords that make password cracking difficult, and to generate different passwords for different domains even when the user's password is common. Though this takes a little more time, it is worth using, as it not only solves the common password problem but also protects against the much larger and more dangerous phishing problem. Our concept to a great extent puts a check on the phisher's attempts to obtain the original password and also tricks him by giving away a false password.
