Fuzzing E-mail Filters with Generative Grammars and N-Gram Analysis Sean Palka Damon McCoy George Mason University International Computer Science Institute Abstract ing a few that might cause unexpected conditions. How- ever, there is no guarantee that fuzzing will discover any Phishing attacks remain a common attack vector in to- exploitable vulnerabilities. While fuzzing is sometimes day’s IT threat landscape, and one of the primary means employed by attackers in the wild, for example when tar- of preventing phishing attacks is e-mail filtering. Most geting web-based applications and services, the nature e-mail filtering is done according to a either a signature- of the fuzzing is very loud. This type of activity is easily based approach or using Bayesian models, so when spe- noticed, often raises alarms, and puts network defend- cific signatures are detected the e-mail is either quar- ers in a heightened state of awareness. As such, fuzzing antined or moved to a Junk mailbox. Much like anti- is usually performed offline whenever possible, where it virus, though, a signature-based approach is inadequate can be automated by the attackers to avoid detection. when it comes to detecting zero-day phishing e-mails, and can often be bypassed with slight variations in the There are several types of fuzzing tools available, de- e-mail contents. In this paper, we demonstrate an ap- pending on the type of system or protocol being tested proach to evaluating the effectiveness of e-mail filters [16, 43, 48, 51]. Pattern- or list-based fuzzers are not using a fuzzing strategy. We present a system that uti- very intelligent in that they will try a series of prede- lizes generative grammars to create large sets of unique termined inputs and variations on those inputs, and re- phishing e-mails, which can then be used for fuzzing in- port the outcome. More intelligent fuzzers, on the other put against e-mail filters. Rather than creating random hand, will vary the tests according to previous responses, text, our approach maintains a high degree of semantic and are able to more efficiently find error conditions that quality in generated e-mails. We demonstrate how our might be exploitable. While fuzzers have been developed system is able to adapt to existing filters and identify con- for testing most types of systems and protocols, fuzzing tents that are not detected, and show how this approach techniques are far more difficult to apply to social engi- can be used to ensure the delivery of e-mails without the neering attacks like phishing. need to white-list. In this paper, we describe our approach to fuzzing e- mail contents for phishing attacks in order to identify 1 INTRODUCTION gaps in e-mail filters. We utilized PhishGen, a previ- ously released open-source software solution for dynam- Fuzzing is a technique commonly employed when ically generating phishing e-mail contents using gram- testing boundary conditions and constraints of a sys- mars, to create the e-mails. We then applied a technique tem or protocol. The general idea is to provide a wide called n-gram analysis, in which sentences are broken range of variations on input parameter values to deter- smaller fragments for analysis, to determine which sen- mine whether various conditions and state transitions are tence structures resulted in filtering. Our analysis used handled appropriately. By testing boundary conditions, detected feedback to adjust production rules in the gram- fuzzing is often able to identify weaknesses or vulnera- mar, so that PhishGen focused on successful rules rather bilities that can be exploited. than rules that may have produced content that was fil- Fuzzing is a brute force attack, in that the fuzzing tests tered. Instead of generating random text though, as might provide a massive amount of variations in hopes of find- be expected from a fuzzing utility, the system is able to 1 maintain semantic validity in the e-mails that are gener- When used as a fuzzing tool, PhishGen tends be very ated. noisy. In order to adapt to filters, multiple rounds of e- mails are typically required, and as with most fuzzing 2 BACKGROUND tools a fairly large number of test cases are required. An attacker would probably not be interested in these multi- Many research approaches to phishing attack detection ple rounds of follow-on attacks once they have received focus on either detecting the incoming message at the a successful response during an actual attack. So as a mail server, or detecting the e-mail inside the mail client tool for the bad guys, PhishGen would probably be con- once downloaded locally by a user. Research has focused sidered fairly cumbersome. For network defenders, on on analyzing the incoming e-mail for suspicious ele- the other hand, PhishGen can be used to simulate multi- ments, such as obfuscated links or suspicious phrases, or ple attacks without involving users or risking actual data using feature selection algorithms to try and discriminate breaches, and as such could be a valuable assessment between phishing e-mails and normal e-mails [4,6,9,32]. tool. Once identified, a phishing e-mail can then be removed from the users work stream, and the risk of them clicking 3 RELATED WORKS on malicious links or attachments is completely negated. For the most part, technical controls are limited in their Due to the regularity of phishing attacks, it has be- attempt at preventing phishing in live networks for three come a heavily researched area in academia. The major- reasons. First, most theoretical models for detecting or ity of available research focuses on detection methods, preventing phishing have limitations that make them un- preventative approaches, or analysis of why users fall for suitable for deployment in live networks [2]. They may phishing attacks. A wide range of existing research fo- be too slow, or have a high false positive rate that makes cuses on analysis of the incoming e-mail for suspicious automated filtering unreliable. Second, users that are elements [3,5,15,19,44], or on detecting fraudulent web susceptible to phishing will often disregard or even by- sites [17, 25, 30, 42]. Finally, some researchers have de- pass warnings, and in some cases actually disable detec- veloped technical components for browsers that prevent tion tools [39, 50]. Finally, as a social engineering at- access or warn the user when something suspicious is de- tack, phishing is constantly evolving to bypass technical tected [11, 18, 37]. controls and target the user. Once a technical control is Some attempts have also been made to model the over- made available to the public, the attackers will often find all attack process of phishing [10, 12, 21, 22, 26], and loopholes or vulnerabilities that will allow their attacks several studies have also been performed on the effec- to bypass the control [20, 24]. So, while technical solu- tiveness of various technical controls [14, 23, 24, 47, 50]. tions such as browser add-ins and e-mail filtering provide Several studies have been performed on why users fall some level of protection, they cannot at present provide for phishing attacks [12,13,40,45,46], and the effective- a fully effective solution to the phishing problem. ness of various training options as well [7, 8, 28, 29, 41]. A fairly common practice for network defense is to 2.1 ETHICAL CONSIDERATIONS setup signature-based countermeasures, similar to how many anti-virus solutions work. For example, by pro- PhishGen is available by request to researchers interested viding signatures for specific keywords and phrases like in developing phishing prevention techniques and detec- ’Viagra’ or links that say ’click here’, some spam and tion algorithms. The intended purpose is to provide auto- phishing attacks can be quickly identified. Addition- mated content generation for use in training algorithms, ally, references to known-malicious websites, domains, but as we demonstrate in this paper it also has potential or IP addresses can be used in a blacklisting approach, offensive capabilities. There is always some concern that or alternatively site reputation can be used as a filtering such tools give additional capabilities to the bad guys. In method [31]. While PhishGen does contain functionality the wild, phishers and spammers already have numerous for URL obfuscation, our fuzzing technique is focused tools to execute complex attacks [33, 35, 38]. They also primarily on evading content-based filtering by modify- use underground forums to share and disseminate new ing grammatical elements. We assume that an attacker tools [34,49]. Additionally, it is already well established can test IP addresses and domain names/URL against that existing signature-based filters can be bypassed by common filtering techniques to mitigate the chance that tweaking key features, and attackers already have means they are blacklisted, however it is much more difficult of testing their content to bypass filters [27]. to identify grammatical elements of an e-mail that might 2 result in filtering. have been shown to result in decreased click-through As mentioned in previous sections, some research has rates as well, and so would not be considered useful ex- already been performed in the area of filter bypass us- amples. To provide realistic content as part of the fuzzing ing synonym replacement [27]. In this type of approach, process, PhishGen utilizes a modified context-free gram- filters that are triggered by specific terms are bypassed mar (CFG) that is is able to create multiple variations of using synonyms, for example by substituting the phrase an e-mail according to various production rules. By uti- ’authentication tokens’ for ’passwords’. This results in lizing this rule-based text generation approach, the tool content that may bypass filters, but will often become is able to generate semantically valid text that performs illegible or confusing as more obscure synonyms are re- as well as manually generated e-mails in live exercises quired.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages10 Page
-
File Size-