phishing presentation - ucy · 2020. 3. 30. · phishing - successful phishers: present a...


Post on 22-Aug-2021


Phishing

By: Joanna Georgiou

Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works.

Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack.


What is Phishing?


Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22).

Why Phishing Works.


Contributions

- Provided the first empirical evidence about which malicious strategies are successful at deceiving users.
- Studied a large set of captured phishing attacks.
- Usability study in which 22 participants were shown 20 websites.


Phishing

- Successful phishers present a high-credibility webpage, causing the user to fail to recognize security measures installed in web browsers.
- Phishers exploit lack of knowledge:
  - Lack of computer system knowledge (e.g., some users do not understand the meaning of the syntax of domain names and cannot distinguish legitimate from fake URLs)
  - Lack of knowledge of security and security indicators


Lack of knowledge of security and security indicators

- Do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL
- Even if they understand it, they can be fooled by its placement within the body of a web page.
- Do not understand SSL certificates


Visual Deception

- Visually deceptive text: syntax of a domain name (typejacking attacks), e.g. www.paypa1.com instead of www.paypal.com, or using non-printing / non-ASCII characters.
- Images masking underlying text: use an image of a legitimate hyperlink to serve as a hyperlink to a rogue site.
- Images mimicking windows: use images in the content of a web page that mimic browser windows / dialog windows.
- Windows masking underlying windows: place an illegitimate browser window on top of / next to a legitimate window. (If they have the same look and feel, the user may mistakenly believe that they are from the same source, or may not even notice that a second window exists.)


Bounded Attention

- Lack of attention to the absence of security indicators
- Lack of attention to security indicators
- When users are too focused on their primary task


Study: Distinguish Legitimate Websites

- Collected approx. 200 unique phishing websites (including all related links, images and web pages)
- Anticipated that the results would be better than they would be in real life
- Created 3 phishing websites
- Every participant saw every website, but in randomized order.


Study

- Study scenario: participants were given instructions and a randomized list of hyperlinks to websites labeled “Website 1”, “Website 2”.
- Participants had no expectations about each website.
- Each website that we presented was fully functioning.


Study

Presented participants with 20 websites; the first 19 were in random order:

- 7 legitimate websites
- 9 representative phishing websites
- 3 phishing websites constructed by the authors using additional phishing techniques
- 1 website requiring users to accept a self-signed SSL certificate (this website was presented last to segue into an interview about SSL and certificates).

Self-signed SSL certificate: users are exposed to a risk that a third party could intercept traffic to the website using the third party's own self-signed certificate.


Study: Participants


Study: Participants


Study: Participants

- Most participants regularly use more than one type of browser and operating system.


Study: Participants

- Hours of computer usage per week ranged from 10 to 135 hours

- 18 participants regularly use online banking

- 20 participants said they regularly shop online


Results

- Good phishing websites fooled 90% of participants.
- 23% did not look at browser-based cues (address bar, status bar, security indicators).
- On average, participants made incorrect choices 40% of the time.
- 15 out of 22 participants proceeded without hesitation when popup warnings about fraudulent certificates were shown.
- Neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.


Strategies for Determining Website Legitimacy

- Type 1: Security indicators in website content only
- Type 2: Content and domain name only
- Type 3: Content and address, plus HTTPS
- Type 4: All of the above, plus padlock icon
- Type 5: All of the above, plus certificates


Additional Strategies

- 2 participants stated they would only question a website’s legitimacy if more than the username and password was requested.
- 1 participant actually submitted her username and password to some websites in order to verify if it was a site at which she had an account.
- 1 participant:
  - Opened up another browser window and typed in all URLs by hand to compare these pages to every website presented in the study.
  - Occasionally used Yahoo to search for the organization in question, then clicked on the top search result and compared it to the website presented in the study.


Phishing Websites

- Hosted at “www.bankofthevvest.com”, with 2 “v”s instead of a “w” in the domain name.
- 20 participants incorrectly judged this to be the legitimate Bank of the West website.
- 17 participants mentioned the content of the page as one reason for their decision.
- 8 participants relied on links to other sites.
- 6 participants clicked on the Verisign logo (which displays an SSL-protected webpage, hosted at Verisign, showing the SSL certificate status of www.bankofthewest.com).
- 3 participants said the correctness of the URL was the primary factor in deciding.
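An added example (not part of the original slides or the cited papers) of how a defender could flag the deceptive domain syntax described on the Visual Deception slide and used by www.bankofthevvest.com: each host is reduced to a look-alike "skeleton" and compared with a protected list. The protected list, the substitution tables and the function names are assumptions, and treating the last two labels as the registrable domain is a simplification of a Public Suffix List lookup.

```python
import unicodedata

# Constructed list of brand domains to protect (assumption for this example).
PROTECTED = ("paypal.com", "bankofthewest.com")

# Small illustrative tables, not a complete confusables database.
# Cyrillic letters that render like Latin a, e, o, p, c, i.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0441": "c", "\u0456": "i"}
ASCII_SWAPS = (("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o"))


def to_unicode(label):
    """Decode a punycode (xn--) label so homoglyphs inside it become visible."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def skeleton(name):
    """Collapse characters that look alike into one canonical form."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        # Drop non-printing format characters (Cf) and combining marks (Mn).
        if unicodedata.category(ch) in ("Cf", "Mn"):
            continue
        out.append(HOMOGLYPHS.get(ch, ch))
    text = "".join(out)
    for fake, real in ASCII_SWAPS:
        text = text.replace(fake, real)
    return text


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, protected=PROTECTED):
    """Return (verdict, brand): legitimate, lookalike, embedded-brand or unknown."""
    raw = host.strip().rstrip(".").lower()
    registrable = ".".join(raw.split(".")[-2:])  # simplification: no PSL lookup
    if registrable in protected:
        return ("legitimate", registrable)
    full = skeleton(".".join(to_unicode(label) for label in raw.split(".")))
    domain = ".".join(full.split(".")[-2:])
    for brand in protected:
        target = skeleton(brand)
        # Same skeleton, or one edit away from it, under a different real name.
        if edit_distance(domain, target) <= 1:
            return ("lookalike", brand)
        # Brand appears as leading labels of somebody else's domain.
        if target in full:
            return ("embedded-brand", brand)
    return ("unknown", None)
```

The one-edit threshold is tuned for long brand names; for very short domains it will produce false positives and should be tightened to exact skeleton matches.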


Conclusions:

- Even when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate website from a spoofed website.
- Indicators that are designed to signal trustworthiness were not understood (or even noticed) by many participants.
- 5 out of 22 participants only used the content of the website to evaluate its authenticity.
- A number of participants incorrectly said a padlock icon is more important when it is displayed within the page than if presented by the browser.
- Other participants were more persuaded by animated graphics, pictures, and design touches such as favicons (icons in the URL bar) than SSL indicators.


Conclusions:

- Phishers can create a fully functioning site with images, links, logos and images of security indicators to persuade the users that the spoofed websites are legitimate.
- Legitimate organizations that follow security precautions are penalized and were judged by some of the participants to be less trustworthy. They confused the participants by hosting secure pages with third parties, where the domain name does not match the brand name.
- It is not sufficient for security indicators to appear only under trusted conditions; it is important to alert users to the untrusted state.
- Security interface designers must consider that indicators placed outside of the user’s periphery or focus of attention (e.g., using colors in the address bar to indicate suspicious and trusted sites) may be ignored entirely by some users.


Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017).

The Password Reset MitM Attack.


Contributions

- Introduce the PRMitM attack.
- Evaluate the PRMitM attack on Google and Facebook.
- Explore further and identify similar vulnerabilities in popular mobile applications.
- Design secure password reset processes using SMS and phone calls, and evaluate them on Google and Facebook users.
- List recommendations for the secure design of the password reset process.


Introduction


The Password Reset Man in the Middle Attack (PRMitM)

- It exploits the similarity of the registration and password reset processes to launch a man in the middle (MitM) attack at the application level.
- The attacker initiates a password reset process with a website and forwards every challenge to the victim, who either wishes to register in the attacking site or to access a particular resource on it.


To launch PRMitM, the attacker:

- Only needs to control a website; no MitM or eavesdropping capabilities are required.
- Attacks visitors of his website and takes over their accounts in other websites.
- Needs basic pieces of information (e.g., username, email, or phone number). This information can be extracted from the victim by the attacker during a registration process to the attacking website or before some operations like file download, when the victim is required to identify themselves using their phone.


PRMitM Example


Survey

- Survey: “if they would agree to either register to a website or prove they are human using their phone or both, in order to use common online services such as file downloads for free”.
- Students ranged between 18 and 35.
- Among 138 participants:
  1) They would never register for unknown websites or give their phone number, no matter what free services are offered.
  2) Said they would agree to use both options.
  3) Would only agree to register.
  4) Would only agree to identify themselves using their phone.


Simulation

- Simulation: a website that stores files and requires a valid phone number to download them. The verification is done via SMS code, and the user is only required to insert his phone number.
- Among 99 participants:
  1) 39.4% said they would insert their phone number immediately.
  2) 14.1% said they would first try to obtain the files via friends or via online SMS services.
  3) 18.2% said they would insert their phone number only if they really needed the files (rather than just wanting them).
  4) They wouldn’t insert their phone number.


Reset - Password Challenges

1) CAPTCHA: does not aim to prevent an attacker from resetting the password, but rather aims to prevent the attacker from doing this automatically.
2) Security Question: During the registration, users are sometimes asked to answer personal question(s) that will be used to identify them.
3) Code to the Mobile Phone: Authentication can be done via one of three approaches: (1) something you know (e.g., password), (2) something you are (e.g., fingerprints), and (3) something you have (e.g., special token device or a phone). Authentication with a phone is usually done by sending a message with a password reset code to the phone of the user via SMS or by an automated phone call to the user, in which the code is given. The user is required to insert this code in order to change her password.


Reset - Password Challenges

4) Reset Link to the Email: The most common countermeasure. The PRMitM attack cannot be applied on websites that allow password reset only by sending a reset link to the email. Unfortunately, this option is usually not relevant for the email services themselves. Moreover, relying only on this option blocks password recovery when users have lost access to their email account.


Experiment 1: Correctness of security question’s answer

Participants were asked to register to a website in order to perform a short experiment.

During the registration process, they were asked to type their email address, and only then, to answer a classical security question: What is your mother’s maiden name?

Once the users completed the registration, they were asked whether the answer they just typed was correct.

52 participants


Limitations of Password Reset Using SMS

- Unclear message
- Sender identity
- Token validity period
- Language compatibility


Experiment 2: Effectiveness of PRMitM attack on Facebook users using SMS and comparison between Facebook’s SMS and more detailed SMS.

The experiment page (attacker’s page) asked them to identify themselves using their phone number. Specifically, the page asked the participants to type their phone number, so they can receive an SMS with a code that should be typed in.

Participants: 88 volunteer students

Detailed SMS: *WARNING* Someone requested to reset your Facebook password. DO NOT SHARE THIS CODE with anyone or type it outside Facebook. The password reset code is XXXXXX.


Experiment 2: Observations

1) Many users just searched for the code without reading the text. Some of them did not open the message, but read the code from the notification that was prompted on their phone.
2) Many users who noticed that the message was sent from Facebook thought the login to the experiment was done using the widely used "login with Facebook" mechanism.

- This means that the sender identity, as specified by SMS spoofing, has minor importance in the attack, mainly if the content of the message is unclear. Furthermore, adding sentences to the attacking page like ”Powered by Facebook”, or even just an explanation that the message will arrive with a specific sender, may make SMS spoofing even more worthless.


SMS code vs. Phone Call

- Sender identifier.
- Length of message: SMS code is limited in its length. In phone calls it is possible to deliver longer messages.
- User attention: Reading a code from SMS does not require effort or concentration. In a phone call, the user dedicates more attention to the content of the phone number.
- Language issues: Reading a reset code from an SMS in an unknown language is possible, as numbers are written the same in many languages. To extract the reset code from a phone call, at least basic understanding of the language is required; hence, a user that extracts the code from a phone call is more likely to also understand the message.


SMS code vs. Phone Call

- Interactivity: Can be used to ensure that the user understands the situation.

Phone call from Google in English:

Hello! Thank you for using Google phone verification. Remember! You should not share this code with anyone else, and no one from Google will ever ask for this code. Your code is XXXXXX. Again, your code is XXXXXX. Good bye

Phone call from Google in other language:

Hello! Thank you for using our phone verification. Your code is XXXXXX. Again, your code is XXXXXX. Good bye.


Experiment 3: Effectiveness of PRMitM attack on Google users using phone calls

To initiate a password reset process in Google, only the email address of the victim is required. Nevertheless, they asked the users to insert both their email address and phone number, so the call will not be suspicious.

The most common argument was the fact that the phone call did not specify anything about the meaning of the code.


Survey: Password Reset in Mobile Messaging Applications

- Taking over such applications exposes private and sensitive information about the user.
- Allows the attacker to perform sensitive operations like sending messages in the name of the user.
- Messages with password reset code can be sent through the applications themselves to the mobile phone of the user.


Mobile Applications PRMitM Vulnerabilities


Defenses

- Good Security Questions:
  - Security questions that are exclusively related to the website are harder to bypass; they cannot be forwarded to the user as legitimate security questions for other websites.
- Secure Password Reset Using SMS:
  - Some users do not read the entire SMS messages they receive.
  - Lack of a warning about giving away the code.
  - Sometimes missing explanations about the meaning of the code.
  - Sometimes missing sender.
  - Lack of language compatibility.
  - => The password reset code should not be sent in clear text over SMS.
  - => Link-Via-SMS (LVS) Password Reset


Link-Via-SMS (LVS) Password Reset

- Sending a detailed SMS message with a long link (instead of a code) overcomes the limitations of the SMS with the code.
  - To exploit such a message, the PRMitM attacker has to ask the user to copy a link to his website, which is unusual.
  - Users are in the habit of just clicking on links.
- In their implementation of the LVS, the link refers the user to an interactive page that has an alert about the attempt to reset the user password.
- Does it increase the risk of other attacks?
  - They believe that the answer to this question is negative. Following links received in SMS might be harmful, but this has nothing to do with an SMS that is sent by a service that intends to protect its users.
  - Attackers might try to impersonate a legitimate LVS message to trick users into following malicious links; however, they can do the same for legitimate SMS messages.


Experiment 4: Effectiveness of LVS against PRMitM attack on Facebook users

The LVS message was: *WARNING* Someone requested to reset your Facebook password. Press this link to reset your Facebook password: http://bit.ly/XXXXXXX. DO NOT SHARE IT!

Participants: 46 volunteer students that did not participate in any other experiment or survey

All the participants stopped the attack.


Experiment 5: Effectiveness of detailed and interactive phone call against PRMitM attacks.

Two elements must hold:

(1) the message must include the sender, the meaning of the code, and a warning about misuse
(2) the call must cause the user to listen and understand the message

Instead of initiating a phone call from Google, they called the users with an (interactive) phone call.

Participants: 45 volunteer students that did not participate in any other experiment

Results: None of the participants disclosed their code


General Guidelines

1) Password-reset messages (SMS, phone call, email) must include the sending website, a clear explanation about the meaning of the code (password reset), and a warning to avoid giving this code to any person or website.
2) For each supported language, the password reset messages (SMS, phone call, email) must be sent in that language.
3) Test the password reset process for every supported language separately.
4) Notify the user when a password reset request is sent, to both the email and the phone. If the password reset is done via the phone, this is even more critical. Email notification to an email account that got compromised is useless.


General Guidelines

5) The link or the code sent to reset the password should be valid only for a short time period, e.g., 1-15 minutes.
6) If there are several ways to reset the password for a user, automatically disable the less secure ones. If it is impossible to use a secure password reset process, contact the user in advance and offer them both to add information that can be used to reset their password securely and to disable the (only) insecure ways.
7) Require several details about the user before sending the password-reset message (SMS, phone call, email). This prevents the easy option for the attacker to launch the attack given only the phone number of the user, without knowing anything else about the user.
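An added sketch (not code from the slides or from the cited paper) of a reset flow that follows the Link-Via-SMS slide and guidelines 1, 2, 4 and 5 above: the SMS carries a link rather than a code, names the sender, explains the meaning, warns against sharing, is only sent in a language that has a template, and the token is single-use and short-lived. The site name, URL, template wording, class and function names are all assumptions.

```python
import hashlib
import secrets
import time

SITE = "Example Service"                           # hypothetical sending website
RESET_URL = "https://accounts.example.test/reset"  # hypothetical endpoint
TTL_SECONDS = 10 * 60                              # inside the 1-15 minute window

# One entry per supported language; each carries the parts guideline 1 requires.
TEMPLATES = {
    "en": {
        "meaning": "*WARNING* Someone requested to reset your {site} password.",
        "action": "Open this link to reset it: {link}",
        "warning": "DO NOT SHARE this link with any person or website.",
    },
    "es": {
        "meaning": "*ADVERTENCIA* Alguien solicitó restablecer su contraseña de {site}.",
        "action": "Abra este enlace para restablecerla: {link}",
        "warning": "NO COMPARTA este enlace con ninguna persona ni sitio web.",
    },
}
REQUIRED_PARTS = ("meaning", "action", "warning")


def lint_templates(templates=TEMPLATES):
    """Guideline 3: check every language separately; return a list of problems."""
    problems = []
    for lang, parts in templates.items():
        for name in REQUIRED_PARTS:
            if not parts.get(name, "").strip():
                problems.append(f"{lang}: missing {name}")
        if "{site}" not in parts.get("meaning", ""):
            problems.append(f"{lang}: sender not named")
        if "{link}" not in parts.get("action", ""):
            problems.append(f"{lang}: no reset link")
    return problems


class ResetService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user, expiry); raw token is not stored

    def start_reset(self, user, lang):
        if lang not in TEMPLATES:
            # Guideline 2: no silent fallback to a language the user may not read.
            raise ValueError(f"no password-reset template for language {lang!r}")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, self._clock() + TTL_SECONDS)
        parts = TEMPLATES[lang]
        sms = " ".join(parts[p] for p in REQUIRED_PARTS).format(
            site=SITE, link=f"{RESET_URL}?t={token}")
        # Guideline 4: a notice without the link goes to the other channel too.
        notice = parts["meaning"].format(site=SITE)
        return {"sms": sms, "email_notice": notice}

    def redeem(self, token):
        """Return the user for a valid token, or None if unknown, used or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return None
        user, expiry = entry
        return user if self._clock() <= expiry else None
```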


Difference Between Phishing and PRMitM

- An attacker who wants to take over an account has to intensely explore each of its target websites.
- Unlike PRMitM, in cross-site attacks users must also be authenticated to the attacked website.
- In clickjacking and some XSS attacks, only a few clicks are required.
- Need to insert private information
- The attacking page impersonates a legitimate website and tricks the victim into inserting her credentials (username and password)
- The attacker’s greatest challenge: the impersonation of another website.
- More interaction between the attacking page and the victim is required.
- The victim is required to perform an operation in the attacking page and to insert at least a single minimal correct piece of information about themselves.
- Need to insert private information
- The victim is only required to give personal information (e.g., phone number) in order to get some services.
- Obviates the need for impersonation; it can be launched naturally from every website.

Phishing PRMitM


What is being exploited?

Phishing:

- Exploit the users; there is no bug in the design of the attacked website, the attacker exploits unwary users who ignore indications given to them by the browsers.

PRMitM:

- Exploit bugs in the design of the password-reset process.
- There is no chance for the users and other client-side defenses (e.g., browser built-in mechanisms or extensions) to detect the attack.


Thank you


Bibliography

- Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works.
- Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack.
