Spyware & Phishing
Enrique Escribano, eescriba@hawk.iit.edu
Nowadays
Millions of people use the Internet nowadays, so we must be aware of the different risks users are exposed to.
There are many kinds of cyber attacks:
- New techniques are continuously released: smart attackers and smart tools.
- Intense fight between cyber-security vendors and cyber criminals: a long race of updating and discovering new tools to mitigate contemporary attacks.
- Malware is difficult to prevent, remove and defend against.
Viruses, trojan horses, worms…
Spyware
What is Spyware?
“Software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.”
Wikipedia: http://en.wikipedia.org/wiki/Spyware
History
The first recorded use of the term spyware occurred on 16 October 1995, denoting espionage issues.
In 2005, AOL and National Cyber-Security Alliance stated that 61% of the computers in their experiment were infected with spyware. 92% of the total number of users surveyed claimed they did not know of the presence of the spyware.
In 2006, spyware became one of the principal security threats for all systems running the Microsoft Windows OS and using Internet Explorer.
How Spyware works
Symptoms: unwanted behavior and degradation of system performance
- Undesired CPU and disk activity
- Applications freezing
- Slower network traffic
Main target: the victim's web browser
- Installing undesired plugins or toolbars
- Redirecting the user's traffic
- Changing the web browser's configuration: home URL, search engine…
Example: Keylogger
- Keyloggers are usually hidden in content downloaded from the web, or manually installed by the admin of the system.
- They capture every keystroke that the victim types on their computer.
- Some keyloggers are also able to secretly take screenshots of the victim's system.
- Actually, it is very easy to find this type of malware on the web, free or commercialized.
Types of Spyware
- Adware (renders advertisements in order to generate revenue for its author)
- Keyloggers
- Trojan downloaders (install additional software)
- Browser hijackers (modify web browsers' configurations and redirect traffic)
- Dialers (use the victim's modem to make calls)
Spyware Infection
Different from viruses and worms. Secret installation:
- Without the victim's authorization
- Without the victim's knowledge
Two ways:
- Trojan horse (hidden in desired, benign-looking downloaded content)
- Exploiting some security bug of the web browser: the attacker infects the victim, redirects traffic to a controlled website and monitors their movements
Spyware on the web (1/2)
Interesting research: Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy, "A Crawler-based Study of Spyware on the Web", Proceedings of NDSS 2006.
Abstract: study the spyware risk on the web. Steps:
1) Crawl thousands of random websites
2) Find executable files on the sites
3) Download the executable files and install them on a VM prepared with spyware management tools (Ad-Aware SE; limitations)
Spyware on the web (2/2)
Some interesting results:
- 13% of the executable files were infected with spyware
- Spyware programs are diverse: over 80 different types of spyware were found
- Only about 15 spyware programs were installed in more than 20 files (out of more than 2000 executable files)
- Most of the computers were infected by more than one spyware program
Conclusion: wide variety of this kind of malware, which complicates its extinction.
Spyware Prevention & Detection
Costly problem: sometimes it can only be repaired by reinstalling the whole OS.
Prevent or block these attacks:
- Scanning all incoming data
- Anti-spyware programs (need to be constantly updated)
How? Inspecting the performance of the OS and installed applications, and removing everything which is considered a threat.
But, how do we make sure it is a real spyware threat? …
Is it a threat?
First approach: the system may have a database of threats installed. This requires updating the database often to detect newer versions of spyware. Costly.
Second approach: presented in the research project of the Technical University of Vienna: Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, and Richard A. Kemmerer, "Behavior-based Spyware Detection", Proceedings of USENIX Security 2006.
Second approach
Focused on Browser Helper Object (BHO) and toolbar spyware programs on Internet Explorer.
Main point: the tight interaction between Internet Explorer and the Microsoft Windows OS.
- Spyware exploits BHO calls to IE's interfaces to interact with the OS.
- It thereby gains access to restricted parts of the OS.
How to detect the threat?
When simultaneously:
- the victim's behavior is being monitored, AND
- Windows API calls that can potentially leak information are anomalously invoked
When both hold, they state that it is a spyware attack.
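The two-condition rule above, as an added example written for this transcript (not code from the paper or the slides): a component is flagged only when it both receives browser events and, inside one of those event handlers, invokes an API from a leak-capable set. The component names, the trace and the LEAK_APIS set are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Windows API functions that can carry data out of the browser process.
# This set is an assumption for the example; the paper defines its own list.
LEAK_APIS = {"WriteFile", "send", "WSASend", "InternetWriteFile", "RegSetValueEx"}


@dataclass
class Event:
    component: str    # hypothetical BHO/toolbar name (constructed)
    kind: str         # "browser_event" (IE notifies the component) or "api_call"
    name: str         # e.g. "BeforeNavigate2" or "send"
    in_handler: str   # browser event whose handler is running, "" if none


def classify(trace: List[Event]) -> Dict[str, str]:
    """Apply the two-condition rule: a component is flagged as spyware only if it
    (1) receives browser events, i.e. monitors the user's behavior, AND
    (2) invokes a leak-capable Windows API while handling one of those events."""
    monitoring = set()
    leaking = set()
    for ev in trace:
        if ev.kind == "browser_event":
            monitoring.add(ev.component)
        elif ev.kind == "api_call" and ev.name in LEAK_APIS and ev.in_handler:
            leaking.add(ev.component)
    components = {ev.component for ev in trace}
    return {c: ("spyware" if c in monitoring and c in leaking else "benign")
            for c in sorted(components)}


# Constructed trace: a toolbar that reacts to navigation but only updates its own
# window title, an updater that writes files without ever watching the browser,
# and a BHO that sends data out of the process from inside its BeforeNavigate2 handler.
SAMPLE_TRACE = [
    Event("SearchToolbar", "browser_event", "BeforeNavigate2", ""),
    Event("SearchToolbar", "api_call", "SetWindowText", "BeforeNavigate2"),
    Event("UpdateHelper", "api_call", "WriteFile", ""),
    Event("TrackerBHO", "browser_event", "BeforeNavigate2", ""),
    Event("TrackerBHO", "api_call", "send", "BeforeNavigate2"),
]

if __name__ == "__main__":
    for component, verdict in classify(SAMPLE_TRACE).items():
        print(f"{component}: {verdict}")
```

Only TrackerBHO satisfies both conditions; the updater writes files but never monitors the browser, so this rule alone does not flag it.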
Security practices
- Avoid Internet Explorer, although no web browser is completely safe
- Install firewalls and proxies to block access to some sites categorized as possible threats
- Avoid file-sharing applications
- In the first research commented on before, it is stated that some web categories are more dangerous than others: "GAMES" (1 out of 5 files were infected), "CELEBRITIES" (1 out of 7)
- Signature-based tools (scanning) and blacklisting (firewalls)
BHO or Toolbar Spyware Infection on IE
Phishing
What is phishing?
“The attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.”
http://en.wikipedia.org/wiki/Phishing
Functionality
Based on emails (or instant messages) which may contain links or URLs to websites that are designed by the attacker and infected with malware.
These emails often direct victims to log in at a fake website which is identical to the legitimate one.
Attackers usually use social networks like Facebook, Twitter or Google Apps to attack people.
The fake site simulates the site the user often visits without letting the victim notice that it is faked. Once the victim enters their personal information (unaware that it is not the legitimate site), the attacker has full control over this information: passwords, PIN numbers, credit card information…
Potential of phishing attacks
2004-2005: 1.2 million users in the US lost approximately $929 million.
In general, US businesses lose $2 billion per year due to their clients being phishing victims.
According to a Microsoft Safer Index Report released in February 2014, the annual worldwide impact of phishing could be as high as $5 billion.
How Phishing works
Targets or potential victims
The most commonly targeted users are those who use banks and online payment services. Once their security credentials are intercepted, phishers get control over access to their credit card management systems.
Social networking sites: used by millions of people. Many personal details and much information posted on social networks can be exploited by phishers.
Why does phishing work?
It seems it can be easily prevented and detected.
However, the research project by Harvard and Berkeley students showed this assumption is not correct:
Rachna Dhamija, J. D. Tygar and Marti Hearst, "Why Phishing Works", Proceedings of ACM CHI 2006.
Basically, 22 users carried out the experiment of being phished, and the results are interesting.
Phishing research
- A very well designed phishing website can deceive over 90% of its visitors
- Existing anti-phishing browsing cues are ineffective: 23% of participants did not look at the address bar, status bar, or other security indicators
- Pop-up warnings are not usually taken into account
- No social differences: results may not vary depending on age, sex, etc.
They established 3 different categories of reasons why phishing works:
Lack of computer system knowledge
Many users lack the knowledge needed to understand how operating systems, emails, web applications… work. This vulnerability, very common among Internet users, is exploited by phishing attackers.
For example, changing URL domains: http://www.facebook.com vs. http://www.secure-facebook.com
Visual deception
Phishers mimic text, images and web browsers' windows to deceive users.
For example: http://www.paypal.com vs. http://www.paypa1.com
Windows placed under other windows: users do not notice they are clicking on the fake window and are being redirected to a phishing website.
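A defender-side check for the two lookalike tricks shown on these two slides (a brand embedded in a hyphenated or subdomain name, and a digit substituted for a letter), added here as an example and not part of the original talk. The protected-brand list, the homoglyph table and the two-label "registrable domain" simplification are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Brands the check protects. Constructed list for this example.
PROTECTED = {"facebook", "paypal"}

# Characters commonly substituted for letters in lookalike names (assumed mapping).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def registrable_domain(host: str) -> str:
    # Simplification: treat the last two labels as the registrable domain.
    # A real tool would consult the public suffix list (co.uk and similar).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    # Fold digit/letter substitutions and the classic "rn" -> "m" trick
    # so that "paypa1" compares equal to "paypal".
    return label.translate(HOMOGLYPHS).replace("rn", "m")


def check_url(url: str) -> str:
    """Return 'ok' for a genuine brand domain, otherwise a short reason why the
    host looks like an impersonation of a protected brand, or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    sld = domain.split(".")[0]          # second-level label, e.g. "paypa1"
    if sld in PROTECTED:
        return "ok"
    if normalize(sld) in PROTECTED:
        return f"homoglyph of {normalize(sld)}"
    for brand in PROTECTED:
        if brand in sld:
            return f"brand '{brand}' embedded in domain {domain}"
        if brand in host.split("."):
            return f"brand '{brand}' used as a subdomain of {domain}"
    return "unrelated"


if __name__ == "__main__":
    for u in ("http://www.facebook.com", "http://www.secure-facebook.com",
              "http://www.paypal.com", "http://www.paypa1.com"):
        print(u, "->", check_url(u))
```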
Bounded attention
Users must be aware of the presence of security indicators.
For example: the SSL padlock icon.
Also, users must be aware of the ABSENCE of security indicators.
Techniques (1/2)
Spear phishing: attackers may collect personal information about their specific target to increase their probability of success when attacking. 91% of phishing attacks use this technique, and it is clearly the most widely used by phishers.
Clone phishing: the content of a legitimate and previously delivered email is identically cloned, except that the attachment or the redirection link in the email is replaced with a malicious destination. It appears to be sent by the original legitimate sender; it can seem to be a forwarded email or an updated version of the original email.
Techniques (2/2)
Whaling: attacks that have been directed specifically at senior executives and other high-profile targets within businesses. As a curiosity, the term derives from casinos in Las Vegas, where big spenders (whales) get special personal treatment.
Man in the Middle (MITM): gaining access to the WiFi router, the attacker can monitor all the WiFi users' traffic.
Link manipulation: like the examples previously shown.
Website forgery: using JavaScript commands in order to alter the address bar to hide the fake link the victim has been redirected to.
Detection & Prevention
Dealing with phishing attacks is not an easy task. The human factor is crucial.
But there are some existing tools designed to enforce security and help users avoid phishing attacks:
- Add-ons or plugins that can be installed on web browsers: they add a toolbar or a special box into the web browser's window in which they show information about the websites the user is visiting.
Examples of anti-phishing tools of IE
Effectiveness of anti-phishing tools (1/3)
Taking into account the results of the research of the Carnegie Mellon Institute: Yue Zhang, Serge Egelman, Lorrie Cranor, and Jason Hong, "Phinding Phish: Evaluating Anti-Phishing Tools", Proceedings of NDSS 2007.
We have previously commented that dealing with phishing attacks is a hard task. Let's see:
Effectiveness of anti-phishing tools (2/3)
Effectiveness of anti-phishing tools (3/3)
The average success rate is around 50%, which means that one out of every two malicious pages is not detected by anti-phishing programs.
The SpoofGuard program seems to work really well, averaging 97% success.
However, SpoofGuard also incorrectly identified 42% of legitimate URLs as phish.
This reinforces the idea of how difficult dealing with phishing techniques is, not only because of the human factor involved, but also because of hackers' ability to mimic and deceive both users and anti-phishing tools.
Conclusion
Spyware and phishing techniques: very dangerous for Internet users' privacy.
We all must be aware of the risks we are exposed to when navigating the web, and must take the needed countermeasures to prevent and defend against these attacks:
- Increasing our attention
- Following security principles and avoiding unnecessary risks
- Installing defensive software to increase security
Questions