
Handbook of Research on Social and Organizational Liabilities in Information Security
Manish Gupta, State University of New York at Buffalo, USA
Raj Sharman, State University of New York at Buffalo, USA
Information Science Reference, Hershey • New York

Director of Editorial Content: Kristin Klinger
Director of Production: Jennifer Neidig
Managing Editor: Jamie Snavely
Assistant Managing Editor: Carole Coulson
Typesetter: Jeff Ash
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.

Published in the United States of America by Information Science Reference (an imprint of IGI Global), 701 E. Chocolate Avenue, Suite 200, Hershey PA 17033. Tel: 717-533-8845. Fax: 717-533-8661. Web site: http://www.igi-global.com
and in the United Kingdom by Information Science Reference (an imprint of IGI Global), 3 Henrietta Street, Covent Garden, London WC2E 8LU. Tel: 44 20 7240 0856. Fax: 44 20 7379 0609. Web site: http://www.eurospanbookstore.com

Copyright © 2009 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data
Handbook of research on social and organizational liabilities in information security / Manish Gupta and Raj Sharman, editors.
p. cm.
Includes bibliographical references and index.
Summary: "This book offers insightful articles on the most salient contemporary issues of managing social and human aspects of information security"--Provided by publisher.
ISBN 978-1-60566-132-2 (hardcover) -- ISBN 978-1-60566-133-9 (ebook)
1. Computer security--Management--Handbooks, manuals, etc. 2. Data protection--Management--Handbooks, manuals, etc. 3. Computer crimes--Prevention--Handbooks, manuals, etc. 4. Human computer interaction--Handbooks, manuals, etc. I. Gupta, Manish, 1978- II. Sharman, Raj.
QA76.9.A25.H365 2008
658.4'78--dc22
2008035140

British Cataloguing in Publication Data: a Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book set is original material. The views expressed in this book are those of the authors, but not necessarily of the publisher. If a library purchased a print copy of this publication, please go to http://www.igi-global.com/agreement for information on activating the library's complimentary electronic access to this publication.

Chapter XI
A Multistage Framework to Defend Against Phishing Attacks
Madhusudhanan Chandrasekaran, SUNY at Buffalo, USA
Shambhu Upadhyaya, State University of New York, USA

ABSTRACT

Phishing scams pose a serious threat to end-users and commercial institutions alike. E-mail continues to be the favorite vehicle for perpetrating such scams, mainly because of its widespread use combined with the ease with which it can be spoofed. Several approaches, both generic and specialized, have been proposed to address this growing problem. However, phishing techniques, growing in ingenuity as well as sophistication, render these solutions weak. To overcome these limitations, we propose a multistage framework: the first stage aims at detecting phishing e-mails based on their semantic and structural properties, whereas in the second stage we propose a proactive technique, based on a challenge-response exchange, to establish the authenticity of a Web site. Using live e-mail data, we demonstrate that our approach with these two stages is able to detect a wider range of phishing attacks than existing schemes. Our performance analysis also shows that the implementation overhead introduced by our tool is negligibly small.
INTRODUCTION

Phishing is a form of Web-based attack in which attackers employ deceit and social engineering to defraud users of private and confidential information such as passwords, credit card numbers, social security numbers (SSN), and bank account numbers. As the Internet becomes the de facto medium for online banking and trade, phishing attacks are gaining notoriety, especially amongst hacker communities. Anonymity over the Internet, coupled with the potential for large financial gains, serves as strong motivation for attackers to perpetrate such seemingly low-risk, high-return scams. The first recorded mention of phishing attacks was in AOL forums (“Phishing - Wikipedia,”), where attackers posing as system administrators tricked registered users into disclosing their account information. Since then, phishing attacks, growing in sophistication and ingenuity, have affected millions of users and caused heavy monetary damage. For example, in the year 2006 alone, phishing attacks cost $2.8 billion in losses to consumers and commercial organizations worldwide (Gartner Press Release, 2006).

Due to its widespread adoption and the ease with which it can be spoofed, email continues to be the favorite vehicle for such scams. Email-based phishing attacks are usually carried out as a three-step process: (i) in the first step, phishers harvest the email addresses of potential victims from Web pages, online forums and other social engineering mechanisms; (ii) in the second step, a large volume of specially crafted emails appearing to originate from legitimate domains is dispatched to the assembled list using open SMTP relays and compromised machines. These emails contain hyperlinks that redirect the users to a fake Web site similar in appearance to the legitimate one; (iii) finally, account details and other personal information are collected from users who unsuspectingly enter them into the fake Web site, believing it to be legitimate. Phishing attacks, like other social engineering attacks, depend for their success on users’ lack of system knowledge. Phishers adopt a variety of visual deception techniques to imitate the legitimate Web site’s look-and-feel (Drake, Oliver, & Koontz, 2004). The mimicry of a legitimate Web site is usually achieved by spoofing URLs with non-ASCII Unicode characters, using customized images to mask fake URLs, and embedding the fake Web site within images that resemble a browser window. Recent studies (Dhamija, Tygar, & Hearst, 2006) show that naïve users are inept at identifying common browser-based cues such as the address bar, status bar, SSL certificates, and toolbar indicators, and often fall prey to such imitation sites.

Until recently, anti-spam techniques were employed to detect phishing emails. However, as phishing emails closely resemble their legitimate counterparts, they do not share the features typical of spam emails. Also, a vast number of readily available tools can bypass both statistical and rule-based spam filters. Several browser extensions and plug-ins have been proposed to detect phishing attacks. Although these techniques act as a first line of defense, they suffer from many limitations. First, as these approaches operate on the fake Web site, they take users a step closer to the attack, giving little leeway for suspicion. Second, most of the existing defense mechanisms are not automated and delegate the onus of decision making onto the users. Third, as these tools rely on the authenticity of the IP address as an important classification criterion, they fail to protect against attacks launched from within a legitimate domain. For example, an attacker could compromise a Web server and serve phishing pages from the domain itself.¹

To overcome these limitations, we leverage our prior work (Chandrasekaran, Chinchani, & Upadhyaya, 2006; Chandrasekaran, Narayanan, & Upadhyaya, 2006) and present a two-stage solution to protect users against email-based phishing attacks. The first stage aims at detecting phishing emails based on their semantic and structural properties, whereas in the second stage a proactive approach using a challenge-response technique is presented to test the authenticity of the links present in the email. The essential driving force for this two-stage approach is that cleverly fabricated emails can evade even the smartest spam filters put in place for phishing detection. In the first stage, an existing phishing email corpus is analyzed and context models are constructed that encapsulate the underlying meaning of the emails using their syntactic and semantic properties. These context models then serve as discrimination indicators and are used to tell legitimate and phishing emails apart. The context models are constructed from various language-specific features such as the usage of certain emotional words, patterns of vocabulary usage, unusual language usage, underlying content, and other stylistic features that ap-

to the information requested by the Web site. Based on our assumption, we note that the fake Web site cannot verify the credibility of the supplied information and is indifferent to both the real and the contrived response. Using live email data it can be demonstrated that this two-stage approach is able to detect a wider range of phish-
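The first stage described above discriminates emails by structural and language cues: hyperlinks whose visible text and target disagree, URLs spoofed with non-ASCII Unicode characters, and the usage of certain emotional words. The following is an added example, not the chapter's code, showing a minimal hand-weighted version of such cues run over three constructed email bodies. The lexicon, the weights, the hostnames and the 192.0.2.10 address are assumptions for illustration; the chapter's own context models are learned from a corpus rather than hand-set.

```python
"""Added example: structural and lexical phishing cues extracted from an HTML email body.
Lexicon, weights and sample emails are constructed for illustration (not from the chapter)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed urgency/emotional lexicon; the chapter names the feature but gives no list.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "confirm",
                 "limited", "within 24 hours")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL, or of bare text such as 'www.examplebank.com/login'."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def is_ip_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_features(html_body: str) -> dict:
    """Count the cues the chapter's first stage relies on, per email body."""
    parser = AnchorCollector()
    parser.feed(html_body)
    feats = {"anchors": len(parser.anchors), "host_mismatch": 0,
             "ip_host": 0, "non_ascii_url": 0, "urgency_words": 0}
    for href, text in parser.anchors:
        target = host_of(href)
        if any(ord(c) > 127 for c in href):          # Unicode-spoofed (homograph) URL
            feats["non_ascii_url"] += 1
        if is_ip_host(target):                        # raw IP instead of the bank's domain
            feats["ip_host"] += 1
        # visible text that looks like a domain but points somewhere else
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            shown = host_of(text)
            if shown and shown != target:
                feats["host_mismatch"] += 1
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    feats["urgency_words"] = sum(plain.count(w) for w in URGENCY_WORDS)
    return feats


def phishing_score(feats: dict) -> int:
    """Hand-set weights (an assumption); a learned model would replace this."""
    return (3 * feats["host_mismatch"] + 2 * feats["ip_host"]
            + 2 * feats["non_ascii_url"] + feats["urgency_words"])


# Constructed sample bodies. 192.0.2.10 is a documentation address (TEST-NET-1).
PHISH = ('<p>Dear customer, your account has been suspended. '
         'Verify immediately within 24 hours.</p>'
         '<p><a href="http://192.0.2.10/login">www.examplebank.com/login</a></p>')
HOMOGRAPH = ('<p>Please update your details at '
             '<a href="http://www.ex\u0430mplebank.com/">www.examplebank.com</a></p>')
LEGIT = ('<p>Your monthly statement is ready.</p>'
         '<p><a href="https://www.examplebank.com/statements">'
         'www.examplebank.com/statements</a></p>')

if __name__ == "__main__":
    for name, body in (("PHISH", PHISH), ("HOMOGRAPH", HOMOGRAPH), ("LEGIT", LEGIT)):
        f = extract_features(body)
        print(name, f, "score =", phishing_score(f))
```

The homograph sample uses a Cyrillic "а" (U+0430) in the link target; it looks identical to the Latin letter in most fonts, which is exactly the spoofing the chapter refers to, and it is caught here both as a non-ASCII URL and as a mismatch between the shown and real hosts. A real deployment would compare hosts after IDNA normalization and would learn the weights from labelled data, as the chapter's models do.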
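The second stage rests on the observation quoted above: a fake Web site cannot verify the information it asks for and is therefore indifferent to a real and a contrived response, whereas the legitimate site rejects fabricated credentials. The following is an added example, not the chapter's tool, simulating that exchange offline against two constructed login services (a legitimate one that knows its users and a harvest-only page); the service model, the verdict rule and the hostnames are assumptions made for illustration.

```python
"""Added example: the challenge-response idea of the chapter's second stage, simulated
offline. Both login services are constructed stand-ins, not the chapter's implementation."""
import secrets
from dataclasses import dataclass, field


@dataclass
class LoginService:
    """Minimal model of a site's login endpoint (assumption for illustration)."""
    name: str
    valid_users: dict = field(default_factory=dict)   # only the real site has these
    harvest_only: bool = False                        # phishing page: store it, say "ok"
    captured: list = field(default_factory=list)      # everything submitted to the site

    def login(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        if self.harvest_only:
            return True                               # indifferent to what was sent
        return self.valid_users.get(username) == password


def contrived_credentials(count: int = 3):
    """Random, non-existent usernames and passwords; never the user's real data."""
    return [(f"probe-{secrets.token_hex(4)}", secrets.token_urlsafe(12))
            for _ in range(count)]


def challenge_response_check(service: LoginService, probes=None) -> dict:
    """Submit contrived responses and see whether the site can tell they are bogus.
    A site that accepts every fabricated credential cannot have verified any of them."""
    probes = contrived_credentials() if probes is None else list(probes)
    if not probes:
        raise ValueError("at least one probe is required")
    accepted = [service.login(user, pw) for user, pw in probes]
    verdict = "phishing" if all(accepted) else "behaves-like-legitimate"
    return {"site": service.name, "probes": len(probes),
            "accepted": sum(accepted), "verdict": verdict}


if __name__ == "__main__":
    real = LoginService("www.examplebank.com",
                        valid_users={"alice": "correct-horse-battery"})
    fake = LoginService("192.0.2.10", harvest_only=True)       # documentation address
    for svc in (real, fake):
        print(challenge_response_check(svc))
    # The fake site now holds only our fabricated probes, nothing real.
    print(fake.captured)
```

Two caveats a practitioner would add. The probe must only ever carry fabricated data, since anything submitted to a suspected site must be assumed harvested. And a relaying kit that forwards each submission to the real site and reflects its answer is not indifferent to the response, so it passes this check; the chapter's "assumption" qualifies the technique for exactly that reason, and the probe should also be rate-limited because it produces failed logins for non-existent accounts on legitimate sites.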