Date: Sun, 03 Aug 2008 03:05:14 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: simple phishing fix

To cut to the chase, approx 80% of all phish target 1 of 20 or less 
companies. [1] [2] [7] [8] [9]

I also found a paper which suggests the blacklist might work. [6]  I 
found three other papers that reviewed phish detection in-depth, 
however none of them seemed to mention filtering on the FROM field. 
[4] [5] [10]

I also detail a fix for unblocked senders (e.g. to selectively allow 
mail from spoofed domains, such as PayPal), see below.

Nick says the blacklist won't stop phishing, per se, because phishers 
will begin to target unlisted companies.  While I agree that phishers 
will begin to target unlisted companies, it does not follow that 
phishing will continue to be profitable.  It MAY still be profitable 
to be a phisher in these circumstances.

What will definitely be true is that such a blacklist will make 
phishing less profitable, this being because the total amount of 
funds available to phish has been substantially reduced, while at the 
same time, locating new victims is more difficult.

What will also be true is the list will stop phish from listed 
companies from clogging mail systems, particularly as most users 
never have any need to receive mail from those companies.

I accept that the blacklist MAY NOT make phishing unprofitable, and 
the blacklist WILL NOT stop phish from unlisted companies.

So, the list WILL reduce junk and WILL hit phishers in the back 
pocket.  And this is a bad idea?

Assumptions:

1. the phisher does NOT know which bank his potential victims use
2. the phisher is seeking to maximise revenue, and minimise costs
3. creating the fake mail and site is time-consuming

-------

likely factors affecting phishing profitability:

Here's a description of the phishing business model, there's no 
reference cos I made it up.  As you can see there's a few more costs 
than actually spamming out the phish, which I agree may be without 
cost.

total cost =

time + money to create the fake mail
PLUS
time + money to create the fake web site
PLUS
time + money to obtain hosting for the fake web site
PLUS
time + money to obtain/maintain/rent the botnet used to send the fake 
mail
PLUS
time + money to launder the cash
PLUS
time + money on personal security

total revenue =

total number of mails sent
MINUS
mails blocked - bad recipient address
MINUS
mails blocked - filtered (anti-spam/phish filter etc)
MINUS
mails deleted - end-user not a customer of target institution
MINUS
mails deleted - end-user not fooled
MINUS
mails deleted - end-user not interested
MINUS
mails deleted - technical issue
MULTIPLY
average profit per successful phish

Most articles on phishing describe how the fake mail and fake website 
are "carefully" designed, and "carefully" selected recipient lists 
are used.  Careful means slow, AFAIK.  The more careful you are, the 
more successful your phish, BUT the longer it takes you to make, the 
more money you need to make to break even.  So the rational phisher 
will find a balance there.  The point is, the rational phisher will 
not bang out a new site every five minutes.  The site needs to be 
convincing, the email needs to be convincing, and being convincing 
takes time.

I might be wrong.  The kits Nick mentioned might make it all easy.  
But Nick also mentions that those kits are backdoored.  So I think 
that means the rational phisher is going to have to make his own 
pages from scratch.  And that is gonna take time.

Time = money.  If the phisher makes $20/hr from phishing, but he 
could be making $50/hr spamming, it's costing him $30/hr to be a 
phisher.  The rational phisher would cease phishing in these 
circumstances.

--------

statistics showing that blocking the top 20 brands will have a big 
impact:

"..These brands exhibited Pareto-type properties in that a small 
number of brands accounts for a large number of actual phishing 
sites." [9]

Approx 80% of all phish target 1 of 20 or less companies. [1] [2] [7] 
[8] [9]  If those companies were widely blacklisted, 80% of all 
phish/phishers would need to make new phishing sites, and find new 
victims.

Note that 20 is a very small number and a blacklist of this size, 
including variants, is manageable.

Note that although 20 is a very small number, it covers all of the 
most-profitable-to-phish companies currently being phished (assuming 
that profitability-to-phish is proportionate to total phishing 
attempts, this may be wrong, but if it is wrong, some phishers are 
wasting their time).

Although the top 20 account for 80% of total phish, blacklisting mail 
from those companies will not stop 80% of phish, because phishers 
will presumably move on to target companies that are not blacklisted.

However, those companies are less profitable for phishers - if they 
were more profitable, then those companies would be in the top 80% 
already.  There are many reasons why they might be less profitable:

 - ease of execution
 - size of customer base
 - total funds available
 - additional benefits or penalties

The blacklist would make phishing less profitable because it forces 
less-profitable companies to be targeted.  When an unlisted company 
is targeted, it is added to the list.  Eventually, all high-profit 
companies will be listed.

Nick suggests that the phishers will just send more emails; I suggest 
this will just get them detected, blocked, and taken down faster.

Nick seems to be suggesting that phishers will always be able to make 
a healthy profit by targeting small institutions.  This might 
continue to be true if:

- costs to phishers are small, and remain so
- revenue is decent, and remains so

However, various technologies are working to push costs up and revenue 
down, and this is going to continue.  Phishers, OTOH, cannot do much 
more than they are already doing to maximise their revenues; that means 
that as anti-phishing technology evolves, phishing profits are going to 
fall.  How much they fall depends on the tech.

There is a definite possibility that some/all phishers will not be 
able to cover their costs.  Certainly, anti-phishing technologies 
should seek to maximise this possibility.  The harder phishing is, 
the less profitable it becomes.

Nick mentioned an infinite set of domain names; I believe at that time 
he was confused between the domain name stated in the FROM field 
(which is what I am focusing on) and domain names listed in the 
body text (I'm ignoring those).  The set of domain names in the FROM 
field is very small, 714 items in total [2], most of which have only 
been phished a few times.  I agree the set of domain names in the 
body text is infinite.

It seems to me that the FROM field is the most obvious sign of a 
phish.  If the mail is FROM a company I don't do business with, of 
course it's a phish, no need for any further testing.  But I don't 
need to list every company I don't do business with, I only need to 
list every company I don't do business with *that phishes me*.  This 
list is currently very small, as the referenced statistics show.

---------

ease of use by end-users:

I agree end-users can't be relied on.  The way it could work, say 
with a webmail service, is that the webmail service has a page, "my 
phishing preferences", on there is a list of blocked-by-default 
companies (the blacklist).  The user scrolls down to the company they 
want to unblock and unchecks the "blocked" box.  Then they click 
Save.

For corporate environments, a similar function could be performed by 
the IT dept as part of their usual antispam/antivirus routine.  All 
users are blocked by default from receiving all mail from any 
blacklisted company.  To receive mail from a blacklisted company, 
fill in a form on the intranet and await a response in email from the 
IT dept.  The IT dept does their magic using procmail or similar.

For end-users with POP3 clients the blacklist would ideally be an 
installation component, packaged with the binary; the user would go 
to Tools.. Options.. Phishing Preferences.  The default setting for 
each company listed is "blocked".  The user scrolls down to the 
company they want to unblock and unchecks the "blocked" box.  Then 
they click Save.

If an updated blacklist was deployed, users would want to see the 
list of new blocked companies, in case they were corresponding with 
them previously.

I agree that a list with hundreds of thousands of institutions on it 
would not be workable.  However the statistics show that currently, 
this is not required. [1] [2] [7] [8] [9]

---------

how to secure "unblocked" companies:

So above I went through a few ways in which users could unblock 
companies they want to receive mail from.  It's obviously a 
vulnerability when they do this, but it can be fixed: PayPal's 
strategy is to include a pre-shared secret in the body text of the 
mail.  This requires two filtering rules, the second conditional on a 
match on the first.  This is not a problem for some mail clients such 
as Pegasus Mail but may be a problem for lesser-evolved beasts such 
as Outlook.

This same technique (the pre-shared secret) could be used by any 
targeted company that sends emails to customers; all that is needed 
is that the filter knows the secret, and takes that into account when 
filtering.

Ideally, what would happen is that when the user unblocks a company, 
they are prompted for the pre-shared secret.  Missing secret = unable 
to unblock.  The filtering rules ideally would then be autoconfigured 
in the correct way by the software/IT dept.

--------

variations/obfuscation/armouring:

There is very little evidence, in the databases I checked [1] [2], of 
the use of variations such as wachov1a, although added spaces, 
missing hyphens and so on does happen.  Obfuscation/armouring is a 
common spam tactic, but phish are seeking to be as legitimate as 
possible, and any kind of obfuscation reduces total revenue.  This is 
a distinguishing feature between phish and spam, and it permits the 
possibility that techniques that don't work against spam, such as a 
blacklist, might be successfully used against phish.

If the variations get excessive, I suggest regular expressions.  
Again, not a problem for some mail clients, but other software such 
as Thunderbird does not support them (last I checked).

It is *hoped* that the power of regexes will be enough - there is a 
limit on how much obfuscation can be used, as it potentially alerts 
the user to the phish.  Time will tell.

---------

this idea elsewhere on the net:

Three academic papers [4] [5] [10] review the literature concerning 
phish detection in detail; however, none of them list analysis of the 
FROM field of the mail.  That is, they don't even list it and dismiss 
it because of x, y and z; the technique is simply not mentioned.

One paper [6] notes that the FROM field "likely matches legitimate 
mail from [the targeted company]"; later it says "domain 
blacklisting can be used effectively to flag and drop messages".

--------- 

references:

[1] shows that the top 10 targeted companies account for 12166 of 
16527 phish (73%)
http://www.phishtank.com/stats/2008/04/

[2] shows a total of 714 targeted companies - with some duplication - 
most with only 1 or 2 phishing attempts
http://www.millersmiles.co.uk/scams.php

[3] gives an estimate of average profit per successful phish = USD 
1224:
http://www.markmonitor.com/download/wp/wp-whofights.pdf

[4] "Behind Phishing: An Examination of Phisher Modi Operandi" 
(contains a useful literature review)
http://www.antiphishing.org/reports/behindPhishingWhitePaper.pdf

[5] "Learning to Detect Phishing Emails" (contains a useful 
literature review)
http://www.cs.cmu.edu/~sadeh/Publications/Small%20Selection/www07%20FINAL%20SUBMISSION.pdf

[6] "Evolution of Phishing Attacks" (mentions that filtering on the 
FROM field might be beneficial)
http://www.antiphishing.org/Evolution%20of%20Phishing%20Attacks.pdf

[7] shows a list similar to MillerSmiles
http://www.ciphertrust.com/resources/statistics/phishing.php

[8] "Phishing Activity Trends Report" states that the top 17 
targeted companies account for 80% of all phish
http://www.antiphishing.org/reports/apwg_report_August_2006.pdf

[9] "Phishing Attacks: Analyzing Trends in 2006" (states that "the 
top 10 spoofed brands account for nearly 85% of phishing web sites")
http://www.ceas.cc/2007/papers/paper-34.pdf

[10] "Anti-Phishing Best Practices for ISPs and Mailbox Providers" 
(contains a useful literature review)
http://www.antiphishing.org/reports/bestpracticesforisps.pdf

PS no I'm not trolling I've been using this approach for 6 months or 
so and it works great for me, so I thought I'd share it ...

PPS "80% of all phish target 1 of 20 or less companies" DOES NOT MEAN 
that 20% of phish target 2 companies or more, each phish targets 1 
company, but that 1 company is, 80% of the time, in a list of 20 
companies that are commonly phished.  And the list of companies might 
be even smaller than 20, depending on whose stats you're reading.

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
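The two-rule filter the post describes (block a listed brand in the FROM field, then let an unblocked brand through only when the body carries the pre-shared secret), written here as an added Python example that is not part of the original post. The brand list, the unblock table, the secret and the sample messages are all constructed for illustration; the normalisation step folds the cheap variants the post mentions (case, added spaces, missing hyphens, digit look-alikes such as "wachov1a").

```python
import email
import re
from email import policy
from email.utils import parseaddr
# Constructed blacklist (not the post's data): brand -> regex applied to the normalised From name/domain.
BLOCKED_BRANDS = {"paypal": r"paypal", "wachovia": r"wachovia", "ebay": r"ebay"}
# Constructed per-user unblock table: brand -> pre-shared secret expected in the body text.
UNBLOCKED = {"paypal": "blue-horse-42"}

def normalise(text):
    """Fold case, whitespace, hyphens, dots and common digit look-alikes (1->i, 0->o, 3->e, $->s)."""
    text = re.sub(r"[\s\-.]", "", text.lower())
    return text.translate(str.maketrans({"0": "o", "1": "i", "3": "e", "$": "s"}))

def brand_in_from(from_header):
    """Return the blacklisted brand named in the From display name or sender domain, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    haystack = normalise(name) + "|" + normalise(domain)
    for brand, pattern in BLOCKED_BRANDS.items():
        if re.search(pattern, haystack):
            return brand
    return None

def classify(raw_message):
    """Rule 1: block listed brands in From.  Rule 2: an unblocked brand passes only with the secret."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    brand = brand_in_from(msg.get("From", ""))
    if brand is None:
        return "pass"        # not a listed brand; leave it to the other filters
    secret = UNBLOCKED.get(brand)
    if secret is None:
        return "blocked"     # listed brand the user never unblocked
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return "pass" if secret in text else "blocked"

# Constructed sample messages (reserved .example names, no real addresses).
PHISH = """From: "Wachov1a Online Banking" <alerts@wachov-ia-secure.example>
Subject: Account verification required

Dear customer, verify your account at the link below."""
LEGIT = """From: "PayPal" <service@paypal.example>
Subject: Your receipt

Your secret word: blue-horse-42. Thank you for your payment."""
SPOOF = """From: "PayPal Security" <security@paypal-alerts.example>
Subject: Unusual activity

Please confirm your details at the link below."""
```

`classify(PHISH)` and `classify(SPOOF)` return "blocked" (the second because the unblocked brand's secret is missing), while `classify(LEGIT)` returns "pass".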
