
Phishing - UCY

CS680 Joanna Georgiou

Phishing

Phishing: An attack that tricks the user into believing they are browsing a legitimate website when in reality they are browsing the attacker's page (e.g. attacker.com). The attacker's purpose is to take over the user's account by tricking the user into giving the attacker sensitive information such as a username and password.

Successful phishing attackers present a high-credibility web page (a good impersonation of another website) that leads the user to overlook or misread the security measures built into web browsers (e.g. the SSL padlock, SSL certificates).

What phishing attackers exploit:

- Lack of computer-system knowledge:

- Some users do not understand the syntax of domain names and cannot distinguish legitimate from fake URLs.

- Lack of knowledge of security and security indicators:

- Some users do not understand the meaning of the SSL locked padlock. Even those who do can be fooled by its placement within the body of a web page. (The SSL padlock indicates that the connection between the user and the website is encrypted using the TLS protocol.)

- Some users do not understand SSL certificates, do not know how to check them, or do not understand that the certificate's domain name should be the same as the domain name in the website's URL. (The certificate is what the TLS connection is built on: it binds the website's domain name to the website's public key, and it is signed with the private key of a Certificate Authority, so the browser can verify that signature with the CA's public key. A self-signed certificate is signed with the website's own private key instead. It still gives an encrypted TLS connection, but nothing assures us that the party at the other end is really the website rather than a man in the middle who minted his own self-signed certificate, and who can therefore read or modify the messages we exchange with the website.)
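A worked check of the rule just stated (the certificate's name must match the URL's host, and a self-signed certificate proves nothing about who is on the other end), added here as an example; it is not code from the notes or from the user study. The certificates are constructed dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns, with invented CA names, and the check covers only name matching and self-signing, not the chain to a trusted root, the validity period or revocation, which a browser also performs:

```python
"""Does this certificate belong to the host in the URL, and who vouches for it?

The dictionaries below are constructed in the shape ssl.SSLSocket.getpeercert()
returns; they are not real certificates and the CA names are invented.  A
certificate binds a name to a public key and is *signed* by its issuer; a
self-signed one is signed by the subject itself, so it proves nothing about
who holds the key.  Only name matching and self-signing are checked here.
"""

LEGIT_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example CA G1"),)),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example CA G1"),)),
    "subjectAltName": (("DNS", "*.example.com"),),
}
SELF_SIGNED_CERT = {     # an attacker can mint this in seconds with any name in it
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("commonName", "www.paypal.com"),),),
}


def _dnsname_match(pattern, hostname):
    """RFC 6125-style matching: case-insensitive; one '*' allowed, only as the
    whole left-most label, matching exactly one label; '*.com' is rejected."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is for: SAN DNS entries, else (legacy) the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def match_hostname(cert, hostname):
    """True if the host typed in the URL is one the certificate is for."""
    return any(_dnsname_match(name, hostname) for name in cert_names(cert))


def is_self_signed(cert):
    """Subject and issuer identical: the site vouches for itself."""
    return cert.get("subject") == cert.get("issuer")


def check_tls_identity(cert, url_host):
    """Problems a browser would flag; empty means the name matches and a CA vouches for it."""
    problems = []
    if not match_hostname(cert, url_host):
        problems.append(f"name mismatch: certificate is for {', '.join(cert_names(cert))}, "
                        f"URL host is {url_host}")
    if is_self_signed(cert):
        problems.append("self-signed: the name in the certificate is asserted by the site "
                        "itself, not by a CA")
    return problems
```

The wildcard rules are the conservative ones browsers apply: `*.example.com` covers `shop.example.com` but neither `example.com` nor `a.b.example.com`. Note that `SELF_SIGNED_CERT` passes the name check for `www.paypal.com`; only the issuer check exposes it, which is exactly why the padlock alone is not enough.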

Visual Deception:

- Visually Deceptive Text: Syntax of a domain name (typejacking attacks), e.g. www.paypa1.com instead of www.paypal.com, or adding non-printing / non-ASCII characters to URLs.

- Images masking underlying text: Use an image of a legitimate hyperlink to serve as a hyperlink to a rogue site.

- Images mimicking windows: Use images in the content of a web page that mimic browser windows / dialog windows.

- Windows masking underlying windows: Place an illegitimate browser window on top of / next to a legitimate window. (if they have the same look and feel the user may mistakenly believe that they are from the same source or may not even notice that a second window exists)
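The domain-syntax and visually deceptive text tricks above can be caught mechanically, as this added example shows (it is not code from the notes or from the study). The brand watch-list, the small confusable table and the rule that the registrable domain is the last two labels are simplifying assumptions; a production checker would use the Public Suffix List and the Unicode confusables data:

```python
"""Flag URLs whose host is built to be misread.

Catches the tricks named in the notes: typejacking (paypa1.com), look-alike
non-ASCII characters, non-printing characters, plus two syntax tricks users
misread: a brand used as a subdomain of the attacker's domain
(www.paypal.com.attacker.example) and a brand placed in the userinfo part
(www.paypal.com@attacker.example).  BRANDS, CONFUSABLES and the
"registrable domain = last two labels" rule are simplifying assumptions.
"""
import unicodedata
from urllib.parse import urlsplit

BRANDS = {"paypal", "google", "facebook"}          # constructed watch-list

# Assumption: a tiny confusable table.  Real checkers use Unicode TR39 data.
CONFUSABLES = {
    "1": "l", "0": "o", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0456": "i", "\u0131": "i",   # Cyrillic с у і, dotless i
}
INVISIBLE = ("Cf", "Cc", "Mn")    # format, control and combining characters


def skeleton(label):
    """Reduce a host label to the ASCII string a user would *see*."""
    out = []
    for ch in unicodedata.normalize("NFKC", label.lower()):
        if unicodedata.category(ch) in INVISIBLE:
            continue                                  # zero-width and friends vanish
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def analyse(url):
    """Return the host, the (approximate) registrable domain and a list of findings."""
    parts = urlsplit(url)
    host = parts.hostname or ""                       # lower-cased, userinfo removed
    findings = []
    if parts.username is not None:
        findings.append(f"userinfo before host: {parts.username!r} is not the site")
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in host")
    if any(unicodedata.category(c) in ("Cf", "Cc") for c in host):
        findings.append("non-printing characters in host")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])               # assumption: no Public Suffix List
    second_level = labels[-2] if len(labels) >= 2 else labels[-1]
    sld = skeleton(second_level)
    for brand in sorted(BRANDS):
        if sld == brand and second_level != brand:
            findings.append(f"registrable domain {registrable!r} looks like {brand!r}")
        elif sld != brand and any(skeleton(l) == brand for l in labels[:-2]):
            findings.append(f"{brand!r} appears only as a subdomain of {registrable!r}")
    return {"host": host, "registrable": registrable, "findings": findings}
```

`urlsplit` does the first part of the work for free: it strips the `user@` part and lower-cases the host, so `www.paypal.com@attacker.example` is reported with the real host `attacker.example`. The skeleton step is what makes `paypa1`, Cyrillic `pаypal` and `pay\u200bpal` all collapse to `paypal` and get compared with the watch-list.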

Bounded Attention:

- Another aspect that can lead to successful phishing is the user's bounded or lacking attention. Users are too focused on their primary task; as a result they:

- do not notice the absence of security indicators;

- do not attend to the security indicators that are present (e.g. they do not check whether an SSL certificate is valid or not).

User Study:

- Purpose: To check whether the browser indicators actually help users differentiate legitimate from illegitimate websites. More generally, the authors wanted to see what strategies users use to decide whether a website is fake or not.


- Browser Indicators:

- SSL Padlock: indicates that the connection between the user and the website is encrypted using TLS.

- SSL Certificate: If the certificate's domain is the same as the website's domain, and the certificate is signed by a trusted CA, then the TLS connection is authenticated: the browser verifies the CA's signature over the certificate (which binds the domain to the website's public key) using the CA's public key.

- HTTPS: again, it indicates that the connection uses TLS encryption.

- The 22 participants were shown 20 websites:

- 7 legitimate websites

- 9 representative phishing websites (that they found online)

- 3 phishing websites that they constructed on their own (so that they can add some extra phishing techniques)

- 1 website requiring users to accept a self-signed SSL certificate

The following diagram shows the number of correct answers the users gave, grouped by strategy type (the diagram itself is not reproduced in this transcript):


Users’ strategies for determining website’s legitimacy:

Type 1: by using content only

Type 2: by using content and domain only

Type 3: by using content, domain and https

Type 4: by using content, domain, https, and the SSL padlock (but some users believed that a website is more secure if the padlock is inside the page content rather than in the browser's own chrome, which is wrong)

Type 5: by using all of the above, plus the SSL certificates.

- User Study: Observations:

- Many users judged whether a website was legitimate based only on its content.

- Many users thought that if the SSL padlock was inside the page content then the site was more secure.

- Many users judged whether a website was legitimate based on the variety of graphics, favicons and pictures on it. As a result, if an attacker builds a well-functioning website with many pictures, favicons and graphics, he can fool users into believing they are browsing a legitimate website when in reality they are browsing the attacker's website.

- Browser indicators were ignored or not understood by the users.

- Legitimate organizations that follow security precautions are penalized: some participants judged them less trustworthy, because they host secure pages with third parties, where the domain name does not match the brand name, which confused the participants.


Password Reset Man in the Middle (PRMitM) Attack

PRMitM:

- An attack that exploits the similarity between the registration process and the password-reset process.

- The attacker initiates a password-reset process on a website (e.g. Google, Facebook) and forwards every challenge to the victim.

- The attacker only needs to control a website; no MitM or eavesdropping capabilities are required.

- The attacker attacks visitors of his website and takes over their accounts on other websites.

- It needs only basic pieces of information (e.g. username, email, or phone number). The attacker can extract this information from the victim during registration on the attacking website, or before some operation like a file download, when the victims are required to identify themselves using their phone.


Reset-Password Challenges:

- CAPTCHA: Does not aim to prevent the attacker from resetting the password, but rather to prevent the attacker from doing it automatically.

- The attacker can bypass this by forwarding the challenge to the victim, so that the victim solves it for him.

- Security Question: During registration, users are sometimes asked to answer personal question(s) that will later be used to identify them.

- The attacker can bypass this by forwarding the question to the victim during the registration process on the attacker's site. The attacker then forwards the victim's answer to the service he wants to attack (e.g. Google).

- Code to mobile phone: Authentication with a phone is usually done by sending a message with a password-reset code to the user's phone via SMS, or by an automated phone call in which the code is read out. The user is required to enter this code in order to change her password.

- The attacker can bypass this by asking the victim to enter their phone number, and then to enter the code that they received on their phone.

- Reset Password Link via Email: This is the most common way to reset a password. The PRMitM attack cannot be applied to websites that allow password reset only by sending a reset link to the email. Unfortunately, this option cannot be applied to email services themselves. Moreover, relying only on this option blocks password recovery when users have lost access to their email account.

- Reset Password Link via SMS: This is the paper's recommended password-reset challenge. Instead of sending a code via SMS, the user receives a long link. To exploit such a message, the PRMitM attacker has to ask the user to copy a link into his website, which is unusual: users have the habit of just clicking on links. In the authors' implementation of this challenge, the link takes the user to an interactive page that alerts them to the password-reset attempt.
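The relay described above, modelled end to end as an added example (not the paper's code): the attacked service can issue either a bare SMS code, like the Facebook message quoted in the experiments below, or a link via SMS. The victim behaves the way the experiments found users behave: types a phone number to "verify" themselves, pulls the digits out of an SMS without reading the text, and clicks links rather than copying them. The service name `social.example`, the phone number and the message texts are constructed for the example:

```python
"""PRMitM relay: attacker site, attacked service, and a realistic victim.

Constructed names and messages; not the paper's implementation.
"""
import re
import secrets


class Service:
    """The attacked website (stands in for the page's Facebook/Google).
    challenge is "sms_code" (a bare code) or "sms_link" (the paper's Link Via SMS)."""

    def __init__(self, name, challenge):
        self.name = name
        self.challenge = challenge
        self.accounts = {}     # phone number -> password
        self.pending = {}      # phone number -> secret of an open reset request

    def start_reset(self, phone):
        """Anyone who knows a registered phone number can start a reset.
        Returns the SMS text the service sends to that phone."""
        if phone not in self.accounts:
            return None
        if self.challenge == "sms_code":
            secret = f"{secrets.randbelow(10**6):06d}"
            text = f"Your reset password code is: {secret}"
        else:
            secret = secrets.token_hex(8)
            text = (f"*WARNING* Someone requested to reset your {self.name} password. "
                    f"Press this link to reset it: https://{self.name}/reset?token={secret}. "
                    "DO NOT SHARE IT!")
        self.pending[phone] = secret
        return text

    def finish_reset(self, phone, secret, new_password):
        """A bearer secret: whoever presents it sets the password."""
        expected = self.pending.get(phone)
        if expected is None or not secrets.compare_digest(expected, secret):
            return False
        del self.pending[phone]
        self.accounts[phone] = new_password
        return True

    def open_link(self, url):
        """What the victim sees on clicking the LVS link: the service's own
        interactive warning page.  All of the paper's participants stopped the
        attack there, so the model cancels the request."""
        token = url.split("token=", 1)[1]
        for phone, secret in list(self.pending.items()):
            if secrets.compare_digest(secret, token):
                del self.pending[phone]
                return "Someone requested to reset your password. Was this you?"
        return "Invalid or expired link."


class Victim:
    """Gives a phone number to get a service, reads only the digits of an SMS,
    clicks links instead of copying them."""

    def __init__(self, phone, services):
        self.phone = phone
        self.services = {s.name: s for s in services}
        self.last_sms = None

    def receive_sms(self, text):
        self.last_sms = text

    def asked_for_code(self):
        """The attacker's page says "enter the code you just received"."""
        text = self.last_sms or ""
        m = re.search(r"\b(\d{6})\b", text)
        if m:
            return m.group(1)                       # reads the code, skips the words
        m = re.search(r"https://([^/\s]+)\S*", text)
        if m:
            url = m.group(0).rstrip(".")            # a link gets clicked, not retyped
            self.services[m.group(1)].open_link(url)
        return None                                 # nothing to hand to the attacker


class AttackerSite:
    """attacker.com: a web page and nothing else; no network position needed."""

    def __init__(self, target):
        self.target = target

    def register(self, victim):
        phone = victim.phone                         # 1. "verify your phone number to continue"
        sms = self.target.start_reset(phone)         # 2. start a reset at the *target*, not here
        if sms is None:
            return False
        victim.receive_sms(sms)                      # 3. the target's challenge lands on the victim's phone
        code = victim.asked_for_code()               # 4. "enter the code you received"
        if code is None:
            return False
        return self.target.finish_reset(phone, code, "attacker-chosen")   # 5. relay it


def simulate(challenge):
    """True if the attacker ends up owning the account (constructed phone number)."""
    target = Service("social.example", challenge)
    target.accounts["+30-555-0100"] = "victim-secret"
    victim = Victim("+30-555-0100", [target])
    return AttackerSite(target).register(victim)
```

With `"sms_code"` the secret is something the victim can retype anywhere, so the relay succeeds; with `"sms_link"` the secret is consumed inside the legitimate origin when the victim clicks, and the attacker's page never sees it. The same model also shows why CAPTCHAs and security questions fall: any challenge whose answer is a string the victim can type into the attacker's form is relayable.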


Experiments:

1) Correctness of security question’s answers:

a) Process and Purpose: Participants had to register on an unknown website. During the registration process they were asked to answer a security question, "What is your mother's maiden name?". Afterwards, the authors asked them whether they had answered the question correctly.

b) The results were: almost 80% of the participants answered correctly.

c) Observation: If users answer correctly on an unknown website, we can assume that they would answer correctly on a trusted website (e.g. Google) and on the attacker's page too.

2) Effectiveness of PRMitM on Facebook users using SMS, and comparison between Facebook's SMS and a more detailed SMS:

a) Process and Purpose: The experiment page (the attacker's page) asked the participants to identify themselves using their phone: they were told to type in their phone number so that they could receive an SMS with a code, which they should also type in. The participants were divided into two groups; one group got Facebook's actual reset-password message ("Your reset password code is: XXXX"), the other group got a detailed version of it ("*WARNING* Someone requested to reset your Facebook password. DO NOT SHARE THIS CODE with anyone or type it outside Facebook. The password reset code is XXXXXX."). Both messages showed "Facebook" as the sender.

b) The results were: Only a very small number of users understood that they were being attacked, even after several hints. Most of the users did not understand that they were being attacked.

c) Observations:

i) Many users just searched for the code without reading the text, or did not open the message at all: they only expanded it a bit in the notification bar and read just the code.


ii) Many users noticed that the message was sent by Facebook, but thought that the login to the attacker's page was done through Facebook's login mechanism. This means that if the attacker adds "Powered by Facebook" to his website, it may make sender-name spoofing by the organization (showing the organization's name as the SMS sender) worthless.

d) Problems with reset-password SMS codes:

i) Unclear Message: Many organizations do not even say in their reset-password SMS what the code is for (e.g. "The code: XXXXXX" instead of "You're getting this message because you launched a reset password process. Your reset password code is: XXXXXX").

ii) Sender Identity: Some organizations replace the unknown sender number with their organization name. Not all organizations do this, so the victim cannot really know who sent the code they received.

iii) Token Validity Period: The token validity periods that the authors found in 2017 for popular websites were between 5 minutes and 24 hours. The attacker prefers to launch the password reset during hours when the victim sleeps, so that he/she will not notice it. The preferred and recommended period is 1-15 minutes.

iv) Language Compatibility: Many websites support various languages. Nevertheless, when the authors tested the password-reset process, they found that most websites did not translate the reset-password messages correctly, or did not support them at all, for all of their supported languages; instead, they sent the messages in English.

3) Effectiveness of PRMitM attack on Google users using phone calls:

a) Process and Purpose: The participants were asked to register on an unknown website (the attacker's page) and to enter their email and phone number. They then received a phone call with the code and were asked to enter it into the attacker's page. They were divided into two groups: the first group got Google's English phone call, the other group got Google's phone call in another language.

Phone call from Google in English: "Hello! Thank you for using Google phone verification. Remember! You should not share this code with anyone else, and no one from Google will ever ask for this code. Your code is XXXXXX. Again, your code is XXXXXX. Good bye."

Phone call from Google in another language: "Hello! Thank you for using our phone verification. Your code is XXXXXX. Again, your code is XXXXXX. Good bye."

b) The results were: Some of the participants who got the English phone call did not understand that they were being attacked; others understood after some hints. None of the participants in the group that got Google's message in another language understood that they were being attacked.

c) Reset password SMS code vs phone call:

i) Length of message: SMS has a limited number of characters. In a phone call it is possible to deliver a longer message.

ii) Sender Identity: In phone calls the caller cannot replace the number with the organization's name, so the victim can never know, just by seeing the phone number, who is calling.

iii) User Attention: Reading a code from an SMS does not require effort or concentration. In a phone call, the user devotes more attention to the content of the call.

iv) Language Issues: Reading a reset code from an SMS in an unknown language is possible, as numbers are written the same in many languages. To extract the reset code from a phone call, at least a basic understanding of the language is required; hence, a user who extracts the code from a phone call is more likely to also understand the message.


v) Interactivity: Phone calls can be interactive, which can be used to ensure that the user understands the situation. A secure phone call must state the initiating website, that a password reset is in progress, and a warning against disclosing the code.

4) Effectiveness of LVS (Link Via SMS) against PRMitM attack on Facebook users:

a) Process and Purpose: The experiment page (attacker's page) asked the participants to identify themselves using their phone, by typing in their phone number, so that they could receive an SMS with a long link. (*WARNING* Someone requested to reset your Facebook password. Press this link to reset your Facebook password: http://bit.ly/XXXXXXX. DO NOT SHARE IT!)

b) The results were: All of the participants stopped the attack.

5) Effectiveness of detailed and interactive phone call against PRMitM attacks:

a) Process and Purpose: The participants were asked to register on an unknown website (the attacker's page, attacker.com), which asked them to enter their email and phone number. They then received an interactive phone call (made by the authors) with the code and were asked to enter it into the attacker's page. The call stated the reason for the call and who was calling.

b) The results were: None of the participants disclosed their code.

Recommended Guidelines:

1) Password-reset messages (SMS, phone call, email) must include the sending website, a clear explanation of what the code is for (a password reset), and a warning not to give the code to any person or website.

2) For each supported language, the password-reset messages (SMS, phone call, email) must be sent in that language.

3) Notify the user when a password-reset request is made, on both the email and the phone. If the password reset is done via the phone, this is even more critical. An email notification to an email account that has already been compromised is useless.

4) The link or code sent to reset the password should be valid only for a short time period, e.g. 1-15 minutes.

5) If there are several ways to reset a user's password, automatically disable the less secure ones. If it is impossible to use a secure password-reset process, contact the user in advance and offer them both to add information that can be used to reset their password securely and to disable the (only) insecure ways.

6) Require several details about the user before sending the password-reset message (SMS, phone call, email). This removes the easy option for the attacker to launch the attack given only the user's phone number, without knowing anything else about the user.

7) Security questions should not be personal and general; instead they should be specific to the website and to the user's actions on it.
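An added example of a reset service that follows guidelines 1, 2, 3, 4 and 6 and the link-via-SMS recommendation (it is not the paper's code): tokens are random, stored hashed, bound to one account, valid for ten minutes and single-use; the message names the site, says what the link is for, carries the warning, and is rendered in the user's language; a notice goes to both email and phone; and a reset can be requested only with two details (account id and registered email). The site name, the English and Greek template texts, the ten-minute TTL and the clock injected as `now` are assumptions for the example:

```python
"""A password-reset service that follows the guidelines.

Site name, templates, the ten-minute TTL and the injected clock (`now`, in
seconds) are assumptions for the example.
"""
import hashlib
import hmac
import secrets

TTL_SECONDS = 10 * 60          # guideline 4: short validity (1-15 minutes)

TEMPLATES = {                  # guidelines 1 and 2: site, purpose, warning, user's language
    "en": ("{site}: someone requested a password reset for your {site} account. "
           "Open this link to continue: {link} "
           "If it was not you, ignore this message. DO NOT SHARE the link with anyone "
           "and never type it into another website."),
    "el": ("{site}: κάποιος ζήτησε επαναφορά κωδικού για τον λογαριασμό σας στο {site}. "
           "Ανοίξτε αυτόν τον σύνδεσμο για να συνεχίσετε: {link} "
           "Αν δεν το ζητήσατε εσείς, αγνοήστε το μήνυμα. ΜΗΝ κοινοποιήσετε τον σύνδεσμο "
           "σε κανέναν και μην τον πληκτρολογήσετε σε άλλον ιστότοπο."),
}
NOTICES = {                    # guideline 3: a request was made; sent to both email and phone
    "en": "{site}: a password reset was requested for your account. If it was not you, contact support.",
    "el": "{site}: ζητήθηκε επαναφορά κωδικού για τον λογαριασμό σας. Αν δεν ήσασταν εσείς, επικοινωνήστε μαζί μας.",
}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, site):
        self.site = site
        self.users = {}        # user_id -> {"phone", "email", "lang", "password"}
        self.tokens = {}       # sha256(token) -> (user_id, expires_at); a DB leak yields no usable token

    def add_user(self, user_id, phone, email, lang, password="initial"):
        self.users[user_id] = {"phone": phone, "email": email, "lang": lang, "password": password}

    def request_reset(self, user_id, email, now):
        """Guideline 6: the requester must know two details, the account id *and* its registered email."""
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user["email"].encode(), email.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (user_id, now + TTL_SECONDS)
        link = f"https://{self.site}/reset?token={token}"      # link via SMS: clicked, not retyped
        lang = user["lang"] if user["lang"] in TEMPLATES else "en"
        notice = NOTICES[lang].format(site=self.site)
        return {
            "sms": TEMPLATES[lang].format(site=self.site, link=link),
            "notifications": {"email": notice, "phone": notice},   # both channels, guideline 3
            "link": link,
        }

    def redeem(self, token, new_password, now):
        """Single use and time-limited: the entry is consumed even if it turns out to be expired."""
        entry = self.tokens.pop(_digest(token), None)
        if entry is None:
            return False
        user_id, expires_at = entry
        if now > expires_at:
            return False
        self.users[user_id]["password"] = new_password
        return True
```

Guideline 5 (disabling weaker reset paths) is a policy decision outside this class; guideline 7 concerns the wording of security questions. The token is compared by dictionary lookup on its SHA-256 digest, which is acceptable because the token carries 256 bits of entropy; the email comparison uses `hmac.compare_digest` so that the "does this account exist" check does not leak timing.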

Difference between Phishing and PRMitM

Phishing:

- The attacking page impersonates a legitimate website and tricks the victim into entering their credentials (username and password).

- The attacker's greatest challenge is the impersonation of another website. An attacker who wants to take over an account has to intensely explore each of its target websites.

- The user has to enter private information.

- (Other client-side attacks, for comparison: unlike PRMitM, cross-site attacks also require the user to be authenticated to the attacked website, and clickjacking and some XSS attacks require only a few clicks.)

PRMitM:

- Obviates the need for impersonation; it can be launched naturally from any website the attacker controls.

- More interaction between the attacking page and the victim is required. ** This is the main difference between phishing and PRMitM. **

- The victim has to perform an operation on the attacking page and to enter at least a single minimal correct piece of information about themselves.

- The victim is only required to give personal information (e.g. a phone number) in order to get some service.

What is being exploited?

Phishing:

- Exploits the users: there is no bug in the design of the attacked website; the attacker exploits unwary users who ignore the indications given to them by the browser.

PRMitM:

- Exploits the similarity between the design of the registration process and the password-reset process.

- There is no chance for the users or for other client-side defenses (e.g. browser built-in mechanisms or extensions) to detect the attack.
