Preface
Acknowledgements

Introduction to Phishing
What is Phishing?
A Brief History of Phishing
The Costs to Society of Phishing
A Typical Phishing Attack
Phishing Example: America's Credit Unions
Phishing Example: PayPal
Making The Lure Convincing
Setting The Hook
Making The Hook Convincing
The Catch
Take-Down and Related Technologies
Evolution of Phishing
Case Study: Phishing on Froogle
Protecting Users from Phishing
References

Phishing Attacks: Information Flow and Chokepoints
Types of Phishing Attacks
Deceptive Phishing
Malware-Based Phishing
DNS-Based Phishing ("Pharming")
Content-Injection Phishing
Man-in-the-Middle Phishing
Search Engine Phishing
Technology, Chokepoints and Countermeasures
Step 0: Preventing a Phishing Attack Before it Begins
Step 1: Preventing Delivery of Phishing Payload
Step 2: Preventing or Disrupting a User Action
Steps 2 and 4: Prevent Navigation and Data Compromise
Step 3: Preventing Transmission of the Prompt
Step 4: Preventing Transmission of Confidential Information
Steps 4 and 6: Preventing Data Entry and Rendering it Useless
Step 5: Tracing Transmission of Compromised Credentials
Step 6: Interfering with the Use of Compromised Information
Step 7: Interfering with the Financial Benefit
References

Spoofing and Countermeasures
Email Spoofing
Filtering
Whitelisting and Greylisting
Anti-spam Proposals
User Education
IP Spoofing
IP Traceback
IP Spoofing Prevention
Intradomain Spoofing
Homograph Attacks Using Unicode
Homograph Attacks
Similar Unicode String Generation
Methodology of Homograph Attack Detection
Simulated Browser Attack
Using the Illusion
Web Spoofing
SSL and Web Spoofing
Ensnaring the User
SpoofGuard Versus the Simulated Browser Attack
Case Study: Warning the User About Active Web Spoofing
References

Pharming and Client Side Attacks
Malware
Viruses and Worms
Spyware
Adware
Browser Hijackers
Keyloggers
Trojan Horses
Rootkits
Session Hijackers
Malware Defense Strategies
Defense Against Worms and Viruses
Defense Against Spyware and Keyloggers
Defending Against Rootkits
Pharming
Overview of DNS
Role of DNS in Pharming
Defending Against Pharming
Case Study: Pharming with Appliances
A Different Phishing Strategy
The Spoof: A Home Pharming Appliance
Sustainability of Distribution in the Online Marketplace
Countermeasures
Case Study: Race-Pharming
Technical Description
Detection and Countermeasures
Contrast with DNS Pharming
References

Status Quo Security Tools
An Overview of Anti-Spam Techniques
Public Key Cryptography and its Infrastructure
Public Key Encryption
Digital Signatures
Certificates & Certificate Authorities
Certificates
SSL Without a PKI
Modes of Authentication
The Handshaking Protocol
SSL in the Browser
Honeypots
Advantages and Disadvantages
Technical Details
Honeypots and the Security Process
Email Honeypots
Phishing Tools and Tactics
References

Adding Context to Phishing Attacks: Spear Phishing
Overview of Context Aware Phishing
Modeling Phishing Attacks
Stages of Context Aware Attacks
Identity Linking
Analysing the General Case
Analysis of One Example Attack
Defenses Against Our Example Attacks
Case Study: Automated Trawling for Public Private Data
Mother's Maiden Name: Plan of Attack
Availability of Vital Information
Heuristics for MMN Discovery
Experimental Design
Assessing the Damage
Time and Space Heuristics
MMN Compromise in Suffixed Children
Other Ways to Derive Mother's Maiden Names
Case Study: Using Your Social Network Against You
Motivations of a Social Phishing Attack Experiment
Design Considerations
Data Mining
Performing the Attack
Results
Reactions Expressed in Experiment Blog
Case Study: Browser Recon Attacks
Who Cares Where I've Been?
Mining Your History
CSS To Mine History
Bookmarks
Various Uses For Browser-Recon
Protecting Against Browser Recon Attacks
Case Study: Using the Autofill Feature in Phishing
Case Study: Acoustic Keyboard Emanations
Previous Attacks Using Acoustic Emanations
Description of Attack
Technical Details
Experiments
References

Human-Centered Design Considerations
Introduction: The Human Context of Phishing and Online Security
Human Behavior
Browser and Security Protocol Issues in the Human Context
Overview of the HCI and Security Literature
Understanding and Designing for Users
Understanding Users and Security
Designing Usable Secure Systems
Mis-Education
How Does Learning Occur?
The Lessons
Learning to Be Phished
Solution Framework
References

Passwords
Traditional Passwords
Cleartext Passwords
Password Recycling
Hashed Passwords
Brute Force Attacks
Dictionary Attacks
Time-Memory Tradeoffs
Salted Passwords
Eavesdropping
One-Time Passwords
Alternatives to Passwords
Case Study: Phishing in Germany
Comparison of Procedures
Recent Changes and New Challenges
Security Questions as Password Reset Mechanisms
Knowledge Based Authentication
Security Properties of Life Questions
Protocols Using Life Questions
Example Systems
One-Time Password Tokens
OTPs as a Phishing Countermeasure
Advanced Concepts
References

Mutual Authentication and Trusted Pathways
The Need for Reliable Mutual Authentication
Distinctions Between The Physical and Virtual World
The State of Current Mutual Authentication
Password Authenticated Key Exchange
A Comparison Between PAKE and SSL
An Example PAKE Protocol: SPEKE
Other PAKE Protocols and Some Augmented Variations
Doppelganger Attacks on PAKE
Delayed Password Disclosure
DPD Security Guarantees
A DPD Protocol
Trusted Path: How To Find Trust in an Unscrupulous World
Trust on the World Wide Web
Trust Model: Extended Conventional Model
Trust Model: Xenophobia
Trust Model: Untrusted Local Computer
Trust Model: Untrusted Recipient
Usability Considerations
Dynamic Security Skins
Security Properties
Why Phishing Works
Dynamic Security Skins
User Interaction
Security Analysis
Browser Enhancements for Preventing Phishing
Goals for Anti-phishing Techniques
Google Safe Browsing
Phoolproof Phishing Prevention
Final Design of the Two-Factor Authentication System
References

Biometrics and Authentication
Biometrics
Fundamentals of Biometric Authentication
Biometrics and Cryptography
Biometrics and Phishing
Phishing Biometric Characteristics
Hardware Tokens for Authentication and Authorization
Trusted Computing Platforms and Secure Operating Systems
Protecting Against Information Harvesting
Protecting Against Information Snooping
Protecting Against Redirection
Secure Dongles and PDAs
The Promise and Problems of PKI
Smart Cards and USB Dongles to Mitigate Risk
PorKI Design and Use
PorKI Evaluation
New Applications and Directions
Cookies for Authentication
Cache-Cookie Memory Management
Cache-Cookie Memory
C-Memory
TIF-Based Cache Cookies
Schemes for User Identification and Authentication
Identifier Trees
Rolling-Pseudonym Scheme
Denial-of-Service Attacks
Secret Cache Cookies
Audit Mechanisms
Proprietary Identifier-Trees
Implementation
Lightweight Email Signatures
Cryptographic and System Preliminaries
Lightweight Email Signatures
Technology Adoption
Vulnerabilities
Experimental Results
References

Making Takedown Difficult
Detection and Takedown
Avoiding Distributed Phishing Attacks: Overview
Collection of Candidate Phishing Emails
Classification of Phishing Emails
References

Protecting Browser State
Client-Side Protection of Browser State
Same-Origin Principle
Protecting Cache
Protecting Visited Links
Server-Side Protection of Browser State
Goals
A Server-Side Solution
Pseudonyms
Translation Policies
Special Cases
Security Argument
Implementation Details
Pseudonyms and Translation
General Considerations
References

Browser Toolbars
Browser-Based Anti-Phishing Tools
Information-Oriented Tools
Database-Oriented Tools
Domain-Oriented Tools
Do Browser Toolbars Actually Prevent Phishing?
Study Design
Results and Discussion
References

Social Networks
The Role of Trust Online
Existing Solutions for Securing Trust Online
Reputation Systems and Social Networks
Third Party Certifications
First Party Assertions
Existing Solutions for Securing Trust Online
Case Study: "Net Trust"
Identity
The Buddy List
The Security Policy
The Rating System
The Reputation System
Privacy Considerations and Anonymity Models
Usability Study Results
The Risk of Social Networks
References

Microsoft's Anti-Phishing Technologies and Tactics
Cutting The Bait: SmartScreen Detection of Email Spam and Scams
Cutting The Hook: Dynamic Protection Within the Web Browser
Prescriptive Guidance and Education for Users
Ongoing Collaboration, Education and Innovation
References

Using S/MIME
Secure Electronic Mail: A Brief History
The Key Certification Problem
Sending Secure Email: Usability Concerns
The Need to Redirect Focus
Amazon.com's Experience with S/MIME
Survey Methodology
Awareness of Cryptographic Capabilities
Segmenting the Respondents
Appropriate Uses of Signing and Sealing
Signatures Without Sealing
Evaluating the Usability Impact of S/MIME-Signed Messages
Problems from the Field
Conclusions and Recommendations
Promote Incremental Deployment
Extending Security from the Walled Garden
S/MIME for Webmail
Improving the S/MIME Client
References

Experimental Evaluation of Attacks and Countermeasures
Behavioral Studies
Targets of Behavioral Studies
Techniques of Behavioral Studies for Security
Strategic and Tactical Studies
Case Study: Attacking eBay Users with Queries
User-to-User Phishing on eBay
eBay Phishing Scenarios
Experiment Design
Methodology
Case Study: Signed Applets
Trusting Applets
Exploiting Applets' Abilities
Understanding the Potential Impact
Case Study: Ethically Studying Man in the Middle
Man-in-the-Middle and Phishing
Experiment: Design Goals and Theme
Experiment: Man-in-the-Middle Technique Implementation
Experiment: Participant Preparation
Experiment: Phishing Delivery Method
Experiment: Debriefing
Preliminary Findings
Legal Considerations in Phishing Research
Specific Federal and State Laws
Contract Law: Business Terms of Use
Potential Tort Liability
The Scope of Risk
Case Study: Designing and Conducting Phishing Experiments
Ethics and Regulation
Phishing Experiments: Three Case Studies
Making it Look Like Phishing
Subject Reactions
The Issue of Timeliness
References

Liability for Phishing
Impersonation
Anti-SPAM
Trademark
Copyright
Obtaining Personal Information
Fraudulent Access
Identity Theft
Wire Fraud
Pretexting
Unfair Trade Practice
Phishing-Specific Legislation
Theft
Exploiting Personal Information
Fraud
Identity Theft
Illegal Computer Access
Trespass to Chattels
References

The Future

Index

About the Editors