Phishing and Countermeasures discusses how and why phishing is a threat, and presents effective countermeasures. It shows how phishing attacks have mounted over the years and how to detect and prevent current as well as future attacks, and it focuses on the corporations that supply the resources used by attackers. The authors then consider what action the government can take in response to this situation and compare adequate versus inadequate countermeasures.
"This book is the encyclopedia of phishing. It provides views from the payment, human, and technical perspectives. The material is remarkably readable—each chapter is contributed by an expert on that topic, but none require specialized background on the part of the reader. The text will be useful for any professional who seeks to understand phishing."—Directors of the International Financial Cryptography Association (IFCA)

Phishing attacks, the practice of deceiving people into revealing sensitive data on a computer system, continue to mount. Here is the information you need to understand how phishing works, how to detect it, and how to prevent it. Phishing and Countermeasures begins with a technical introduction to the problem, setting forth the tools and techniques that phishers use, along with the current security technology and countermeasures used to thwart them. Readers are introduced not only to current phishing techniques but also to emerging and future threats and the countermeasures that will be needed to stop them. The potential and limitations of every countermeasure presented in the text are explored in detail. Although phishing attacks constantly evolve, much of the material in this book will remain valid, because the book covers general principles as much as actual instances of phishing. While delving into a myriad of countermeasures and defense strategies, the authors also focus on the role of the user in preventing phishing attacks. The authors assert that countermeasures often fail not for technical reasons, but because users are unable or unwilling to use them. In response, the authors present a number of countermeasures that are simple for users to apply, or that can be activated without the user's direct participation. The authors also propose strategies for educating users.
The text concludes with a discussion of how researchers and security professionals can ethically and legally perform phishing experiments to test the effectiveness of their defense strategies against the strength of current and future attacks. Each chapter of the book features an extensive bibliography to help readers explore individual topics in greater depth. With phishing becoming an ever-growing threat, the strategies presented in this text are vital for technical managers, engineers, and security professionals tasked with protecting users from unwittingly giving out sensitive data. It is also recommended as a textbook for students in computer science and informatics.
Table of Contents

Preface  xix
Acknowledgements  xxiv

Introduction to Phishing  1
  What is Phishing?  1
  A Brief History of Phishing  2
  The Costs to Society of Phishing  4
  A Typical Phishing Attack  5
  Phishing Example: America's Credit Unions  6
  Phishing Example: PayPal  10
  Making the Lure Convincing  12
  Setting The Hook  18
  Making the Hook Convincing  20
  The Catch  22
  Take-Down and Related Technologies  23
  Evolution of Phishing  23
  Case Study: Phishing on Froogle  24
  Protecting Users from Phishing  28
  References  29

Phishing Attacks: Information Flow and Chokepoints  31
  Types of Phishing Attacks  32
  Deceptive Phishing  32
  Malware-Based Phishing  34
  DNS-Based Phishing ("Pharming")  35
  Content-Injection Phishing  36
  Man-in-the-Middle Phishing  36
  Search Engine Phishing  37
  Technology, Chokepoints, and Countermeasures  37
  Step 0: Preventing a Phishing Attack Before It Begins  38
  Step 1: Preventing Delivery of Phishing Payload  40
  Step 2: Preventing or Disrupting a User Action  43
  Steps 2 and 4: Prevent Navigation and Data Compromise  49
  Step 3: Preventing Transmission of the Prompt  50
  Step 4: Preventing Transmission of Confidential Information  52
  Steps 4 and 6: Preventing Data Entry and Rendering It Useless  55
  Step 5: Tracing Transmission of Compromised Credentials  57
  Step 6: Interfering with the Use of Compromised Information  58
  Step 7: Interfering with the Financial Benefit  62
  References  62

Spoofing and Countermeasures  65
  Email Spoofing  65
  Filtering  68
  Whitelisting and Greylisting  70
  Anti-spam Proposals  71
  User Education  73
  IP Spoofing  74
  IP Traceback  75
  IP Spoofing Prevention  78
  Intradomain Spoofing  80
  Homograph Attacks Using Unicode  81
  Homograph Attacks  81
  Similar Unicode String Generation  82
  Methodology of Homograph Attack Detection  83
  Simulated Browser Attack  89
  Using the Illusion  93
  Web Spoofing  94
  SSL and Web Spoofing  96
  Ensnaring the User  98
  SpoofGuard Versus the Simulated Browser Attack  99
  Case Study: Warning the User About Active Web Spoofing  101
  References  102

Pharming and Client Side Attacks  105
  Malware  105
  Viruses and Worms  106
  Spyware  115
  Adware  115
  Browser Hijackers  115
  Keyloggers  116
  Trojan Horses  116
  Rootkits  116
  Session Hijackers  118
  Malware Defense Strategies  118
  Defense Against Worms and Viruses  118
  Defense Against Spyware and Keyloggers  121
  Defense Against Rootkits  121
  Pharming  122
  Overview of DNS  123
  Role of DNS in Pharming  124
  Defense Against Pharming  125
  Case Study: Pharming with Appliances  126
  A Different Phishing Strategy  127
  The Spoof: A Home Pharming Appliance  128
  Sustainability of Distribution in the Online Marketplace  131
  Countermeasures  132
  Case Study: Race-Pharming  133
  Technical Description  134
  Detection and Countermeasures  135
  Contrast with DNS Pharming  136
  References  137

Status Quo Security Tools  139
  An Overview of Anti-Spam Techniques  139
  Public Key Cryptography and its Infrastructure  144
  Public Key Encryption  145
  Digital Signatures  146
  Certificates & Certificate Authorities  147
  Certificates  149
  SSL Without a PKI  151
  Modes of Authentication  152
  The Handshaking Protocol  152
  SSL in the Browser  155
  Honeypots  159
  Advantages and Disadvantages  161
  Technical Details  162
  Honeypots and the Security Process  166
  Email Honeypots  168
  Phishing Tools and Tactics  170
  References  172

Adding Context to Phishing Attacks: Spear Phishing  175
  Overview of Context Aware Phishing  175
  Modeling Phishing Attacks  177
  Stages of Context Aware Attacks  182
  Identity Linking  185
  Analyzing the General Case  187
  Analysis of One Example Attack  190
  Defenses Against Our Example Attacks  190
  Case Study: Automated Trawling for Public Private Data  191
  Mother's Maiden Name: Plan of Attack  193
  Availability of Vital Information  193
  Heuristics for MMN Discovery  194
  Experimental Design  196
  Assessing the Damage  196
  Time and Space Heuristics  198
  MMN Compromise in Suffixed Children  199
  Other Ways to Derive Mother's Maiden Names  199
  Case Study: Using Your Social Network Against You  202
  Motivations of a Social Phishing Attack Experiment  203
  Design Considerations  203
  Data Mining  204
  Performing the Attack  206
  Results  207
  Reactions Expressed in Experiment Blog  208
  Case Study: Browser Recon Attacks  210
  Who Cares Where I've Been?  210
  Mining Your History  211
  CSS to Mine History  216
  Bookmarks  218
  Various Uses for Browser-Recon  218
  Protecting Against Browser Recon Attacks  218
  Case Study: Using the Autofill Feature in Phishing  219
  Case Study: Acoustic Keyboard Emanations  221
  Previous Attacks of Acoustic Emanations  223
  Description of Attack  223
  Technical Details  226
  Experiments  231
  References  237

Human-Centered Design Considerations  241
  Introduction: The Human Context of Phishing and Online Security  241
  Human Behavior  241
  Browser and Security Protocol Issues in the Human Context  243
  Overview of the HCI and Security Literature  246
  Understanding and Designing for Users  247
  Understanding Users and Security  248
  Designing Usable Secure Systems  255
  Mis-Education  260
  How Does Learning Occur?  260
  The Lessons  261
  Learning to Be Phished  269
  Solution Framework  271
  References  273

Passwords  277
  Traditional Passwords  277
  Cleartext Passwords  277
  Password Recycling  278
  Hashed Passwords  278
  Brute Force Attacks  280
  Dictionary Attacks  281
  Time-Memory Tradeoffs  281
  Salted Passwords  283
  Eavesdropping  284
  One-Time Passwords  285
  Alternatives to Passwords  285
  Case Study: Phishing in Germany  286
  Comparison of Procedures  286
  Recent Changes and New Challenges  286
  Security Questions as Password Reset Mechanisms  290
  Knowledge-Based Authentication  291
  Security Properties of Life Questions  292
  Protocols Using Life Questions  296
  Example Systems  298
  One-Time Password Tokens  301
  OTPs as a Phishing Countermeasure  306
  Advanced Concepts  306
  References  308

Mutual Authentication and Trusted Pathways  309
  The Need for Reliable Mutual Authentication  309
  Distinctions Between the Physical and Virtual World  310
  The State of Current Mutual Authentication  311
  Password Authenticated Key Exchange  312
  A Comparison Between PAKE and SSL  312
  An Example PAKE Protocol: SPEKE  313
  Other PAKE Protocols and Some Augmented Variations  316
  Doppelganger Attacks on PAKE  317
  Delayed Password Disclosure  318
  DPD Security Guarantees  320
  A DPD Protocol  323
  Trusted Path: How To Find Trust in an Unscrupulous World  327
  Trust on the World Wide Web  328
  Trust Model: Extended Conventional Model  329
  Trust Model: Xenophobia  333
  Trust Model: Untrusted Local Computer  333
  Trust Model: Untrusted Recipient  335
  Usability Considerations  338
  Dynamic Security Skins  339
  Security Properties  340
  Why Phishing Works  340
  Dynamic Security Skins  341
  User Interaction  349
  Security Analysis  350
  Browser Enhancements for Preventing Phishing  351
  Goals for Anti-Phishing Techniques  353
  Google Safe Browsing  354
  Phoolproof Phishing Prevention  358
  Final Design of the Two-Factor Authentication System  360
  References  364

Biometrics and Authentication  369
  Biometrics  369
  Fundamentals of Biometric Authentication  371
  Biometrics and Cryptography  377
  Biometrics and Phishing  382
  Phishing Biometric Characteristics  384
  Hardware Tokens for Authentication and Authorization  385
  Trusted Computing Platforms and Secure Operating Systems  387
  Protecting Against Information Harvesting  392
  Protecting Against Information Snooping  398
  Protecting Against Redirection  405
  Secure Dongles and PDAs  407
  The Promise and Problems of PKI  408
  Smart Cards and USB Dongles to Mitigate Risk  409
  PorKI Design and Use  413
  PorKI Evaluation  416
  New Applications and Directions  419
  Cookies for Authentication  420
  Cache-Cookie Memory Management  423
  Cache-Cookie Memory  423
  C-Memory  424
  TIF-Based Cache Cookies  425
  Schemes for User Identification and Authentication  425
  Identifier Trees  427
  Rolling-Pseudonym Scheme  429
  Denial-of-Service Attacks  430
  Secret Cache Cookies  431
  Audit Mechanisms  432
  Proprietary Identifier-Trees  433
  Implementation  434
  Lightweight Email Signatures  435
  Cryptographic and System Preliminaries  438
  Lightweight Email Signatures  439
  Technology Adoption  444
  Vulnerabilities  447
  Experimental Results  449
  References  453

Making Takedown Difficult  461
  Detection and Takedown  461
  Avoiding Distributed Phishing Attacks: Overview  464
  Collection of Candidate Phishing Emails  465
  Classification of Phishing Emails  465
  References  467

Protecting Browser State  469
  Client-Side Protection of Browser State  469
  Same-Origin Principle  470
  Protecting Cache  473
  Protecting Visited Links  474
  Server-Side Protection of Browser State  476
  Goals  478
  A Server-Side Solution  480
  Pseudonyms  481
  Translation Policies  485
  Special Cases  486
  Security Argument  486
  Implementation Details  487
  Pseudonyms and Translation  487
  General Considerations  490
  References  491

Browser Toolbars  493
  Browser-Based Anti-Phishing Tools  493
  Information-Oriented Tools  494
  Database-Oriented Tools  501
  Domain-Oriented Tools  507
  Do Browser Toolbars Actually Prevent Phishing?  514
  Study Design  514
  Results and Discussion  517
  References  521

Social Networks  523
  The Role of Trust Online  524
  Existing Solutions for Securing Trust Online  527
  Reputation Systems and Social Networks  527
  Third-Party Certifications  532
  First-Party Assertions  534
  Existing Solutions for Securing Trust Online  535
  Case Study: "Net Trust"  535
  Identity  538
  The Buddy List  539
  The Security Policy  542
  The Rating System  542
  The Reputation System  543
  Privacy Considerations and Anonymity Models  546
  Usability Study Results  546
  The Risk of Social Networks  548
  References  549

Microsoft's Anti-Phishing Technologies and Tactics  551
  Cutting the Bait: SmartScreen Detection of Email Spam and Scams  552
  Cutting the Hook: Dynamic Protection Within the Web Browser  556
  Prescriptive Guidance and Education for Users  560
  Ongoing Collaboration, Education, and Innovation  561
  References  562

Using S/MIME  563
  Secure Electronic Mail: A Brief History  564
  The Key Certification Problem  565
  Sending Secure Email: Usability Concerns  567
  The Need to Redirect Focus  568
  Amazon.com's Experience with S/MIME  569
  Survey Methodology  569
  Awareness of Cryptographic Capabilities  570
  Segmenting the Respondents  573
  Appropriate Uses of Signing and Sealing  574
  Signatures Without Sealing  574
  Evaluating the Usability Impact of S/MIME-Signed Messages  576
  Problems from the Field  582
  Conclusions and Recommendations  586
  Promote Incremental Deployment  587
  Extending Security from the Walled Garden  588
  S/MIME for Webmail  589
  Improving the S/MIME Client  590
  References  590

Experimental Evaluation of Attacks and Countermeasures  595
  Behavioral Studies  595
  Targets of Behavioral Studies  596
  Techniques of Behavioral Studies for Security  597
  Strategic and Tactical Studies  599
  Case Study: Attacking eBay Users with Queries  600
  User-to-User Phishing on eBay  602
  eBay Phishing Scenarios  608
  Experiment Design  609
  Methodology  615
  Case Study: Signed Applets  618
  Trusting Applets  618
  Exploiting Applets' Abilities  619
  Understanding the Potential Impact  621
  Case Study: Ethically Studying Man in the Middle  622
  Man-in-the-Middle and Phishing  623
  Experiment: Design Goals and Theme  628
  Experiment: Man-in-the-Middle Technique Implementation  629
  Experiment: Participant Preparation  632
  Experiment: Phishing Delivery Method  634
  Experiment: Debriefing  635
  Preliminary Findings  635
  Legal Considerations in Phishing Research  640
  Specific Federal and State Laws  641
  Contract Law: Business Terms of Use  651
  Potential Tort Liability  652
  The Scope of Risk  654
  Case Study: Designing and Conducting Phishing Experiments  655
  Ethics and Regulation  657
  Phishing Experiments: Three Case Studies  661
  Making It Look Like Phishing  665
  Subject Reactions  666
  The Issue of Timeliness  667
  References  668

Liability for Phishing  671
  Impersonation  671
  Anti-SPAM  671
  Trademark  674
  Copyright  674
  Obtaining Personal Information  675
  Fraudulent Access  675
  Identity Theft  676
  Wire Fraud  677
  Pretexting  677
  Unfair Trade Practice  678
  Phishing-Specific Legislation  678
  Theft  680
  Exploiting Personal Information  680
  Fraud  680
  Identity Theft  681
  Illegal Computer Access  682
  Trespass to Chattels  682
  References  685

The Future  687
  References  694

Index  695
About the Editors  700
From the Publisher

"…I highly recommend this as a must-read book in the collection of phishing literature." (Computing Reviews.com, September 13, 2007)

"…may be used as a textbook or a comprehensive reference for individuals involved with Internet security…" (CHOICE, July 2007)