14.1. Introduction

Phishing attacks are rapidly increasing in frequency, and many are good enough to fool users. According to the Anti-Phishing Working Group (APWG),[1] reports of phishing attacks increased by 180% in April 2004 alone, and by 4,000% in the six months prior to April. A recent study by the antispam firm MailFrontier Inc. found that phishing emails fooled users 28% of the time.[2] Estimates of losses resulting from phishing approached $37 million in 2002.[3]

[1] Anti-Phishing Working Group, "Phishing Attack Trends Report, April 2004"; http://antiphishing.org/APWG_Phishing_Attack_Report-Apr2004.pdf.

[2] Bob Sullivan, "Consumers Still Falling for Phish," MSNBC (July 28, 2004); http://www.msnbc.msn.com/id/5519990/.

[3] Neil Chou, Robert Ledesma, Yuka Teraguchi, and John C. Mitchell, "Client-Side Defense Against Web-Based Identity Theft," 11th Annual Network and Distributed System Security Symposium (2004); http://theory.stanford.edu/people/jcm/papers/spoofguard-ndss.pdf.

14.1.1. Anatomy of a Phishing Attack

The Anti-Phishing Working Group collects and archives examples of phishing attacks, a valuable service because the web site used in an attack typically exists only for a short time. One example in the APWG archive is an attack against eBay customers, first reported on March 9, 2004.[4]

[4] Anti-Phishing Working Group, "eBay - NOTICE eBay Obligatory Verifying - Invalid User Information" (March 9, 2004); http://www.antiphishing.org/phishing_archive/eBay_03-09-04.htm.

The attack begins when the potential victim receives an email (Figure 14-1), purporting to be from eBay, that claims that the user's account information is invalid and must be corrected. The email contains an embedded hyperlink that appears to point to a page on eBay's web site. This web page asks for the user's credit card number, contact information, Social Security number, and eBay username and password (Figure 14-2).

Figure 14-1. Screenshot of a phishing email (source: Anti-Phishing Working Group)

Beneath the surface, however, neither the email message nor the web page is what it appears to be. Figure 14-3 breaks the deception down schematically. The phishing email resembles a legitimate email from eBay. Its source (listed in the "From:" header) appears to be S-Harbor@eBay.com, which refers to the legitimate domain name for eBay Inc. The link embedded in the message also appears to go to eBay.com, even using an encrypted channel ("https:"). Based on these presentation cues and the content of the message, the user forms a mental model of the message: eBay is requesting updated information. The user then performs an action, clicking on the embedded hyperlink, which is presumed to go to eBay. But the user's action is translated into a completely different system operation, namely retrieving a web page from IP address 210.93.131.250, a server belonging to a communication company registered in Seoul, South Korea. This company has no relationship with eBay Inc.

The phishing web site follows a similar pattern of deception. The page looks like a legitimate eBay web page. It contains an eBay logo, and its content and layout match the format of pages from the actual eBay web site. Based on this presentation, the user forms a mental model that the browser is showing the eBay web site and that the requested information must be provided in order to keep the user's eBay account active. The user then performs an action, typing in personal and financial data and clicking the Submit button, with the intention of sending this information to eBay. This action is translated by the web browser into a system operation, encoding the entered data into an HTTP request sent to 210.93.131.250, which is not a legitimate eBay server.

14.1.2. Phishing as a Semantic Attack

Bruce Schneier has observed that methods for attacking computer networks can be categorized in waves of increasing sophistication and abstraction. According to Schneier, the first wave of attacks was physical in nature, targeting the computers, the network devices, and the wires between them, in order to disrupt the flow of information. The second wave consisted of syntactic attacks, which target vulnerabilities in network protocols, encryption algorithms, or software implementations. Syntactic attacks have been a primary concern of security research for the last decade. The third wave is semantic: "attacks that target the way we, as humans, assign meaning to content."[5]

Figure 14-2. Screenshot of a phishing web page pointed to by the phishing email (source: Anti-Phishing Working Group)

Figure 14-3. Anatomy of a phishing attack

[5] Bruce Schneier, "Semantic Attacks: The Third Wave of Network Attacks," Crypto-Gram Newsletter (Oct. 15, 2000); http://www.schneier.com/crypto-gram-0010.html#1.

Phishing is a semantic attack. Successful phishing depends on a discrepancy between the way a user perceives a communication, like an email message or a web page, and the actual effect of the communication. Figure 14-4 shows the structure of a typical Internet communication, dividing it into two parts. The system model is concerned with how computers exchange bits: protocols, representations, and software. When human users play a role in the communication, however, understanding and protecting the system model is not enough, because the real message communicated depends not on the bits exchanged but on the semantic meanings that are derived from the bits. This semantic layer is the user's mental model. The effectiveness of phishing indicates that human users do not always assign the proper semantic meaning to their online interactions.

Figure 14-4. Human-Internet communication


When a user faces a phishing attack, the user's mental model about the interaction disagrees with the system model. For example, the user's intention may be "go to eBay," but the actual implementation of the hyperlink may be "go to a server in South Korea." It is this discrepancy that enables the attack, and it is this discrepancy that makes phishing attacks very hard to defend against. Users derive their mental models of the interaction from the presentation of the interaction, that is, the way it appears on the screen. The implementation details of web pages and email messages are hidden, and are generally inaccessible to most users. Thus, the user is in no position to compare his mental model with the system model, and it would take extra effort to do so. On the other hand, email clients and web browsers follow the coded instructions provided to them in the message, but are unable to check the user's intentions. Without awareness of both models, neither the user nor the computer is able to detect the discrepancy introduced by phishing.

One extreme solution to the phishing problem would simply discard the presentation part of an Internet communication, the part that produces the user's mental model, because it can't be trusted. Instead, a new presentation would be generated directly from the implementation. If the user's computer is trustworthy, the presentation seen by the user would then be guaranteed to correspond to the actual implementation. Unfortunately, the cost of this idea in both usability and functionality would be enormous. Most online messages are legitimate, after all, with the presentation correctly reflecting the implementation. Phishing messages are rare (but pernicious) exceptions. So this solution would improperly sacrifice the freedom of legitimate senders to present and brand themselves in order to block a small number of wrongdoers.

So we must accept the fact that users will see messages with mismatched presentation and implementation. Attempts to fight phishing computationally, which are discussed in this chapter, try to enable the computer to bridge the gap between the user's mental model and the true system model. But the human user must be the final decision-maker about whether a message is phishing. The reason is that phishing targets how users assign semantic meaning to their online interactions, and this assignment process is outside the system's control.
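As an added illustration of the presentation-versus-implementation discrepancy laid out in Section 14.1.1 and of the kind of computational check this paragraph refers to, the following Python script parses a constructed HTML email modelled on the eBay attack and flags each hyperlink whose visible text, href target, and From: domain disagree. This is example code written for this edit, not code from the book or from any product it discusses; the sample message, the helper names, and the two-label approximation of a registrable domain are assumptions. Only the IP address 210.93.131.250 and the S-Harbor@eBay.com sender come from the chapter text.

```python
"""Presentation-versus-implementation check for links in an HTML email.

Added example, not code from the book. It models the discrepancy the chapter
describes: the From: header and the visible link text say "eBay", while the
href actually points at an unrelated IP address. The sample message below is
constructed for illustration; only the IP and the sender address come from
the chapter text.
"""
import ipaddress
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email modelled on the attack described in Section 14.1.1.
SAMPLE_EMAIL = """\
From: S-Harbor@eBay.com
Subject: Invalid User Information
Content-Type: text/html

<html><body>
<p>Your account information is invalid and must be corrected.</p>
<a href="https://210.93.131.250/verify.php">https://www.ebay.com/update</a>
<a href="https://pages.ebay.com/help/">eBay Help</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels of a hostname (assumption: no public-suffix list,
    so multi-label suffixes such as co.uk are not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host part of a URL is a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(value):
    """Hostname of an absolute URL, or None when the value is not a URL."""
    return urlsplit(value).hostname if "://" in value else None


def analyze_email(raw):
    """Return one finding per hyperlink: href, visible text, and the list of
    reasons the link's implementation disagrees with its presentation."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    # The From: header is itself forgeable: a match here proves nothing,
    # a mismatch is merely one more inconsistency worth surfacing.
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else None
    collector = _LinkCollector()
    collector.feed(msg.get_payload())

    findings = []
    for href, text in collector.links:
        href_host = host_of(href) or ""
        href_domain = registrable_domain(href_host)
        text_host = host_of(text)
        reasons = []
        if is_ip_literal(href_host):
            reasons.append("href points at a raw IP address")
        if text_host and registrable_domain(text_host) != href_domain:
            reasons.append("visible URL domain differs from href domain")
        if sender_domain and href_domain != sender_domain:
            reasons.append("href domain differs from From: domain")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_email(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["reasons"] else "consistent"
        print(f"{status}: {f['text']!r} -> {f['href']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run as a script, the first link is reported as suspicious on all three counts (raw IP target, visible URL domain differing from the href, href domain differing from the From: domain) while the second, whose text is not a URL and whose host is under ebay.com, is reported as consistent. The checks only compare what the message presents with what it would actually do; as the chapter argues, that comparison can surface a discrepancy for the user but cannot decide on its own that a message is phishing.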

Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295