Spyware & Phishing, Enrique Escribano, eescriba@hawk.iit.edu


Post on 15-Jan-2016


Page 1: Spyware & Phishing Enrique Escribano eescriba@hawk.iit.edu

Spyware & Phishing

Enrique Escribano, eescriba@hawk.iit.edu

Page 2:

Nowadays

Millions of people use the Internet nowadays, so we must be aware of the different risks users are exposed to.

There are many kinds of cyber attacks:
- New techniques are continuously released: smart attackers and smart tools.
- Intense fight between cyber-security vendors and cyber criminals: a long race of updating and discovering new tools to mitigate contemporary attacks.
- Difficult to prevent, remove and defend against malware.

Viruses, trojan horses, worms…

Page 3:

Spyware

Page 4:

What is Spyware?

“Software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.”

Wikipedia: http://en.wikipedia.org/wiki/Spyware

Page 5:

History

The first recorded use of the term spyware occurred on 16 October 1995, denoting espionage issues.

In 2005, AOL and the National Cyber-Security Alliance stated that 61% of the computers in their experiment were infected with spyware. 92% of the total number of users surveyed claimed they did not know of the presence of the spyware.

In 2006, spyware became one of the principal security threats for all systems running the Microsoft Windows OS and using Internet Explorer.

Page 6:

How Spyware works

Symptoms: unwanted behavior and degradation of system performance
- Undesired CPU and disk activity
- Applications freezing
- Slower network traffic

Main target: the victim’s web browser
- Installing undesired plugins or toolbars
- Redirecting the user’s traffic
- Changing the web browser’s configuration: home URL, search engine…

Page 7:

Example: Keylogger

- Keyloggers are usually hidden in content downloaded from the web, or are manually installed by the admin of the system.

- They capture every keystroke that the victim types on his computer.

- Some keyloggers are also able to secretly take screenshots of the victim’s system.

- Actually, it is very easy to find this type of malware on the web, either free or commercial.

Page 8:

Types of Spyware

- Adware (renders advertisements in order to generate revenue for its author)
- Keyloggers
- Trojan downloaders (install additional software)
- Browser hijackers (modify web browsers’ configurations and redirect traffic)
- Dialers (use the victim’s modem to make calls)

Page 9:

Spyware Infection

Different from viruses and worms: secret installation,
- without the victim’s authorization
- without the victim’s knowledge

2 ways:
- Trojan horse (hidden in desired, benign-looking downloaded content)
- Exploiting some security bug of the web browser: the attacker infects the victim, redirects traffic to a controlled website and monitors the victim’s movements

Page 10:

Spyware on the web (1/2)

Interesting research: “Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy, A Crawler-based Study of Spyware on the Web, Proceedings of NDSS'2006”.

Abstract: study the spyware risk on the web. Steps:
1) crawl thousands of random websites
2) find executable files in the sites
3) download the executable files and install them on a VM prepared with spyware management tools (Ad-Aware SE, which has its limitations)

Page 11:

Spyware on the web (2/2)

Some interesting results:
- 13% of the executable files were infected with spyware
- Spyware programs are diverse:
  - over 80 different types of spyware were found
  - only about 15 spyware programs were installed in more than 20 files (out of more than 2000 executable files)
- Most of the computers were infected by more than one spyware program

Conclusion: wide variety of this kind of malware, which complicates its eradication

Page 12:

Spyware Prevention & Detection

Costly problem: it sometimes can only be repaired by reinstalling the whole OS.

Prevent or block these attacks:
- Scanning all incoming data
- Anti-spyware programs (need to be constantly updated)

How? By inspecting the performance of the OS and installed applications, and removing everything which is considered a threat.

But how do we make sure it is a real spyware threat? …

Page 13:

Is it a threat?

First approach: the system may have a database of threats installed. This requires updating the database often to detect newer versions of spyware. Costly.

Second approach: presented in the research project of the Technical University of Vienna: “Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, and Richard A. Kemmerer, Behavior-based Spyware Detection, Proceedings of USENIX Security'2006”.

Page 14:

Second approach

Focused on Browser Helper Object (BHO) and toolbar spyware programs on Internet Explorer.

Main point: because of the tight interaction between Internet Explorer and the Microsoft Windows OS, a BHO can:
- exploit its calls to IE’s interfaces to interact with the OS
- gain access to restricted parts of the OS

Page 15:

How to detect the threat?

The detector looks for two things happening simultaneously:
- the victim’s behavior is being monitored, AND
- Windows API calls that can potentially leak information are anomalously invoked

When both hold, they state that it is a spyware attack.
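As an added illustration, not the authors' code and a deliberate simplification of the paper's approach (the paper tracks the data itself through the BHO), here is a Python model of the rule on this slide: a browser component is flagged only when browsing data it received through IE's event interfaces later shows up in a Windows API call that can carry data off the machine. The trace, the component names and the event/API lists are constructed for the example.

```python
from collections import defaultdict

# IE callbacks through which a BHO/toolbar can observe the user's browsing
# (names follow IE's DWebBrowserEvents2; the set is an assumption).
MONITORING_EVENTS = {"BeforeNavigate2", "DocumentComplete"}

# Windows API calls that can move data off the machine or persist it:
# the slide's "potentially leaking" calls (list constructed here).
LEAK_APIS = {"send", "WSASend", "InternetOpenUrlA", "WriteFile"}

# Constructed trace: (component, kind, name, payload). For an 'event'
# the payload is the browsing data IE handed to the component; for an
# 'api' it is the argument the component passed to the Windows API.
SAMPLE_TRACE = [
    ("SearchToolbar.dll", "event", "BeforeNavigate2", "https://bank.example/login"),
    ("SearchToolbar.dll", "api", "WriteFile", "homepage=https://search.example"),
    ("TrackerBHO.dll", "event", "BeforeNavigate2", "https://bank.example/login"),
    ("TrackerBHO.dll", "api", "InternetOpenUrlA",
     "http://collector.example/log?u=https://bank.example/login"),
    ("PdfHelper.dll", "api", "WriteFile", "cache.bin"),
    ("PdfHelper.dll", "event", "OnQuit", ""),
]

def classify_components(trace):
    """Return {component: verdict}. A verdict is 'benign', 'monitors'
    (receives browsing data but never leaks it) or 'spyware' (browsing
    data it received reaches a leak-capable API)."""
    observed = defaultdict(set)   # component -> browsing data it has seen
    verdicts = {}
    for component, kind, name, payload in trace:
        verdicts.setdefault(component, "benign")
        if kind == "event" and name in MONITORING_EVENTS and payload:
            observed[component].add(payload)
            if verdicts[component] == "benign":
                verdicts[component] = "monitors"
        elif kind == "api" and name in LEAK_APIS:
            # Monitoring alone is what a legitimate toolbar does too; the
            # slide's rule fires only when the monitored data reaches a
            # call that can leak it.
            if any(seen in payload for seen in observed[component]):
                verdicts[component] = "spyware"
    return verdicts

if __name__ == "__main__":
    for comp, verdict in classify_components(SAMPLE_TRACE).items():
        print(f"{comp:20s} {verdict}")
```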

Page 16:

Security practices

- Avoid Internet Explorer, although no web browser is completely safe
- Install firewalls and proxies to block access to sites categorized as possible threats
- Avoid file-sharing applications

In the first research study discussed before, it is stated that some web categories are more dangerous than others: “GAMES” (1 out of 5 files were infected), “CELEBRITIES” (1 out of 7).

Signature-based tools (scanning) and blacklisting (firewalls).

Page 17:

BHO or Toolbar Spyware Infection on IE

Page 18:

Phishing

Page 19:

What is phishing?

“The attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.”

http://en.wikipedia.org/wiki/Phishing

Page 20:

Functionality

Based on emails (or instant messages) which may contain links or URLs to websites that are crafted by the attacker and may be infected with malware.

These emails often direct victims to log in at a fake website which is identical to the legitimate one.

Attackers usually use social networks like Facebook, Twitter or Google Apps to attack people.

The fake site simulates a site the user often visits without letting the victim notice that it is faked. Once the victim enters his personal information (unaware that it is not the legitimate site), the attacker has full control over this information: passwords, PIN numbers, credit card information…

Page 21:

Potential of phishing attacks

2004-2005: 1.2 million users in the US lost approximately $929 million.

In general, US businesses lose $2 billion per year due to their clients being phishing victims.

According to a Microsoft Safer Index Report released in February 2014, the annual worldwide impact of phishing could be as high as $5 billion.

Page 22:

How Phishing works

Page 23:

Targets or potential victims

The most commonly targeted users are those who use banks and online payment services. Once their security credentials are intercepted, phishers gain control over access to their credit card management systems.

Social networking sites: used by millions of people
- Many personal details and much information posted on social networks can be exploited by phishers

Page 24:

Why does phishing work?

It seems it can be easily prevented and detected.

However, the research project by Harvard and Berkeley students showed this assumption is not correct:

“Rachna Dhamija, J. D. Tygar and Marti Hearst, Why Phishing Works, Proceedings of ACM CHI'2006”.

Basically, 22 users took part in an experiment in which they were phished, and the results are interesting.

Page 25:

Phishing research

- A very well designed phishing website can deceive over 90% of its visitors
- Existing anti-phishing browsing cues are ineffective: 23% of participants did not look at the address bar, status bar, or other security indicators.
- Pop-up warnings are not usually taken into account.
- No social differences: results may not vary depending on age, sex, etc.

They established 3 different categories of reasons why phishing works:

Page 26:

Lack of computer system knowledge

Many users lack the knowledge needed to understand how operating systems, emails, web applications… work. This vulnerability, very common among Internet users, is exploited by phishing attackers.

For example: changing URL domains
http://www.facebook.com
http://www.secure-facebook.com

Page 27:

Visual deception

Phishers mimic text, images and web browser windows to deceive users.

For example:
http://www.paypal.com
http://www.paypa1.com

Windows underlying other windows: users do not notice they are clicking on the fake window and are being redirected to a phishing website.
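As an added example (not part of the original slides), a small Python check that flags the two kinds of link manipulation shown on the last two slides: a brand name embedded in an unrelated domain (secure-facebook.com) and a digit-for-letter homoglyph (paypa1.com); it also covers the brand-as-subdomain case, which goes beyond the slides' examples. The allow-list of brand domains, the homoglyph map and the two-label notion of "registrable domain" are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed allow-list of the legitimate brand domains from the slides
# (constructed for this example).
TRUSTED = {"facebook.com", "paypal.com"}

# Digits and letter pairs commonly substituted for look-alike letters
# (constructed, not exhaustive; the mapping errs toward flagging).
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s"}
PAIRS = {"rn": "m", "vv": "w"}

def normalize(label):
    """Map look-alike characters back to the letters they imitate."""
    out = "".join(HOMOGLYPHS.get(c, c) for c in label)
    for pair, letter in PAIRS.items():
        out = out.replace(pair, letter)
    return out

def registrable_domain(host):
    """Last two labels of the host (no public-suffix list: an assumption)."""
    return ".".join(host.split(".")[-2:])

def classify(url):
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return "trusted"
    # http://www.paypa1.com -> homoglyph substitution in the domain
    if normalize(reg) in TRUSTED:
        return "homoglyph"
    # http://paypal.com.login-check.example -> brand used as a subdomain
    # of an unrelated domain (not one of the slides' examples)
    if any(f".{t}." in f".{host}." for t in TRUSTED):
        return "brand-as-subdomain"
    # http://www.secure-facebook.com -> brand embedded in the domain label
    label = reg.split(".")[0]
    if any(t.split(".")[0] in label for t in TRUSTED):
        return "brand-in-domain"
    return "unknown"

if __name__ == "__main__":
    for u in ("http://www.facebook.com", "http://www.secure-facebook.com",
              "http://www.paypal.com", "http://www.paypa1.com"):
        print(u, "->", classify(u))
```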

Page 28:

Bounded attention

Users must be aware of the presence of security indicators.

For example: the SSL padlock icon

Also, users must be aware of the ABSENCE of security indicators too.

Page 29:

Techniques (1/2)

Spear phishing: attackers may collect personal information about their specific target to increase their probability of success when attacking.
91% of phishing attacks use this technique, and it is clearly the most widely used by phishers.

Clone phishing: the content of a legitimate and previously delivered email is identically cloned, except that the attachment or the link in the email is replaced with a malicious destination.
It appears to be sent by the original legitimate sender; it can seem to be a forwarded email or an updated version of the original email.

Page 30:

Techniques (2/2)

Whaling: attacks that have been directed specifically at senior executives and other high-profile targets within businesses. As a curiosity, the term derives from casinos in Las Vegas, where big spenders (whales) get special personal treatment.

Man in the Middle (MITM): by gaining access to the WiFi router, the attacker can monitor all the WiFi users’ traffic.

Link manipulation: like the examples previously shown.

Website forgery: using JavaScript commands in order to alter the address bar to hide the fake link the victim has been redirected to.

Page 31:

Detection & Prevention

Dealing with phishing attacks is not an easy task. The human factor is crucial.

But there are some existing tools designed to enforce security and help users avoid phishing attacks.

Add-ons or plugins that can be installed on web browsers: they add a toolbar or a special box into the web browser’s window in which they show information about the websites the user is visiting.

Page 32:

Examples of anti-phishing tools for IE

Page 33:

Effectiveness of anti-phishing tools (1/3)

Taking into account the results of the research of the Carnegie Mellon Institute: “Yue Zhang, Serge Egelman, Lorrie Cranor, and Jason Hong, Phinding Phish: Evaluating Anti-Phishing Tools, Proceedings of NDSS'2007”.

We have previously commented that dealing with phishing attacks is a hard task. Let’s see:

Page 34:

Effectiveness of anti-phishing tools (2/3)

Page 35:

Effectiveness of anti-phishing tools (3/3)

The average success rate is around 50%, which means that one in every two malicious pages is not detected by anti-phishing programs.

The SpoofGuard program seems to work really well, averaging 97% success.

However, SpoofGuard also incorrectly identified 42% of legitimate URLs as phish.

This reinforces the idea of how difficult dealing with phishing techniques is, not only because of the human factor involved, but also because of the smart abilities of hackers to mimic and deceive users and anti-phishing tools.

Page 36:

Conclusion

Spyware and phishing techniques: very dangerous for Internet users’ privacy.

We all must be aware of the risks we are exposed to when navigating the web, and must take the needed countermeasures to prevent and defend against these attacks:
- Increasing our attention
- Following security principles and avoiding unnecessary risks
- Installing defensive software to increase security

Page 37:

Questions