full-disclosure-uk August 2008 archive

Re: [Full-disclosure] simple phishing fix

From: lsi <stuart_at_nospam>
Date: Sun Aug 03 2008 - 02:05:14 GMT
To: full-disclosure@lists.grok.org.uk

To cut to the chase, approx 80% of all phish target 1 of 20 or less companies. [1] [2] [7] [8] [9]

I also found a paper which suggests the blacklist might work. [6] I found three other papers that reviewed phish detection in-depth, however none of them seemed to mention filtering on the FROM field. [4] [5] [10]

I also detail a fix for unblocked senders (eg. to selectively allow mail from spoofed domains, such as Paypal), see below.

Nick says the blacklist won't stop phishing, per se, because phishers will begin to target unlisted companies. While I agree that phishers will begin to target unlisted companies, it does not follow that phishing will continue to be profitable. It MAY still be profitable to be a phisher in these circumstances.

What will definitely be true is that such a blacklist will make phishing less profitable, this being because the total amount of funds available to phish has been substantially reduced, while at the same time, locating new victims is more difficult.

What will also be true is the list will stop phish from listed companies from clogging mail systems, particularly as most users never have any need to receive mail from those companies.

I accept that the blacklist MAY NOT make phishing unprofitable, and the blacklist WILL NOT stop phish from unlisted companies.

So, the list WILL reduce junk and WILL hit phishers in the back pocket. And this is a bad idea?


likely factors affecting phishing profitability:

  1. the phisher does NOT know which bank his potential victims use
  2. the phisher is seeking to maximise revenue, and minimise costs
  3. creating the fake mail and site is time-consuming

Here's a description of the phishing business model, there's no reference cos I made it up. As you can see there are a few more costs than actually spamming out the phish, which I agree may be without cost.

total cost =

time + money to create the fake mail PLUS
time + money to create the fake web site PLUS
time + money to obtain hosting for the fake web site PLUS
time + money to obtain/maintain/rent the botnet used to send the fake mail PLUS
time + money to launder the cash PLUS
time + money on personal security

total revenue =

( total number of mails sent
MINUS mails blocked - bad recipient address
MINUS mails blocked - filtered (anti-spam/phish filter etc)
MINUS mails deleted - end-user not a customer of target institution
MINUS mails deleted - end-user not fooled
MINUS mails deleted - end-user not interested
MINUS mails deleted - technical issue )
TIMES average profit per successful phish

Most articles on phishing describe how the fake mail and fake website are "carefully" designed, and "carefully" selected recipient lists are used. Careful means slow, AFAIK. The more careful you are, the more successful your phish, BUT the longer it takes you to make, the more money you need to make to break even. So the rational phisher will find a balance there. The point is, the rational phisher will not bang out a new site every five minutes. The site needs to be convincing, the email needs to be convincing, and being convincing takes time.

I might be wrong. The kits Nick mentioned might make it all easy. But Nick also mentions that those kits are backdoored. So I think that means the rational phisher is going to have to make his own pages from scratch. And that is gonna take time.

Time = money. If the phisher makes $20/hr from phishing, but he could be making $50/hr spamming, it's costing him $30/hr to be a phisher. The rational phisher would cease phishing in these circumstances.

statistics showing that blocking the top 20 brands will have a big impact:

"..These brands exhibited Pareto-type properties in that a small number of brands accounts for a large number of actual phishing sites." [9]

Approx 80% of all phish target 1 of 20 or less companies. [1] [2] [7] [8] [9] If those companies were widely blacklisted, 80% of all phish/phishers would need to make new phishing sites, and find new victims.

Note that 20 is a very small number and a blacklist of this size, including variants, is manageable.

Note that although 20 is a very small number, it covers all of the most-profitable-to-phish companies currently being phished (assuming that profitability-to-phish is proportionate to total phishing attempts, this may be wrong, but if it is wrong, some phishers are wasting their time).

Although the top 20 account for 80% of total phish, blacklisting mail from those companies will not stop 80% of phish, because phishers will presumably move on to target companies that are not blacklisted.

However, those companies are less profitable for phishers - if they were more profitable, then those companies would be in the top 80% already. There are many reasons why they might be less profitable:

  • ease of execution
  • size of customer base
  • total funds available
  • additional benefits or penalties

The blacklist would make phishing less profitable because it forces less-profitable companies to be targeted. When an unlisted company is targeted, it is added to the list. Eventually, all high-profit companies will be listed.

Nick suggests that the phishers will just send more emails; I suggest this will just get them detected, blocked, and taken down faster.

Nick seems to be suggesting that phishers will always be able to make a healthy profit by targeting small institutions. This might continue to be true if:

  • costs to phishers are small, and remain so
  • revenue is decent, and remains so

However, various technologies are working to push costs up and revenue down, and this is going to continue. Phishers, OTOH, cannot do much more than they are already doing to maximise their revenues; that means as anti-phishing technology evolves, phishing profits are going to fall. How much they fall depends on the tech.

There is a definite possibility that some/all phishers will not be able to cover their costs. Certainly, anti-phishing technologies should seek to maximise this possibility. The harder phishing is, the less profitable it becomes.

Nick mentioned an infinite set of domain names, I believe at that time he was confused between the domain name stated in the FROM field (which is what I am focusing on) and domain names listed in the body text (I'm ignoring those). The set of domain names in the FROM field is very small, 714 items in total [2], most of which have only been phished a few times. I agree the set of domain names in the body text is infinite.

It seems to me that the FROM field is the most obvious sign of a phish. If the mail is FROM a company I don't do business with, of course it's a phish, no need for any further testing. But I don't need to list every company I don't do business with, I only need to list every company I don't do business with *that phishes me*. This list is currently very small, as the referenced statistics show.

ease of use by end-users:

I agree end-users can't be relied on. The way it could work, say with a webmail service, is that the webmail service has a page, "my phishing preferences", on there is a list of blocked-by-default companies (the blacklist). The user scrolls down to the company they want to unblock and unchecks the "blocked" box. Then they click Save.

For corporate environments, a similar function could be performed by the IT dept as part of their usual antispam/antivirus routine. All users are blocked by default from receiving all mail from any blacklisted company. To receive mail from a blacklisted company, fill in a form on the intranet and await a response in email from the IT dept. The IT dept does their magic using procmail or similar.

For end-users with POP3 clients the blacklist would ideally be an installation component, packaged with the binary; the user would go to Tools.. Options.. Phishing Preferences. The default setting for each company listed is "blocked". The user scrolls down to the company they want to unblock and unchecks the "blocked" box. Then they click Save.

If an updated blacklist was deployed, users would want to see the list of new blocked companies, in case they were corresponding with them previously.

I agree that a list with hundreds of thousands of institutions on it would not be workable. However the statistics show that currently, this is not required. [1] [2] [7] [8] [9]

how to secure "unblocked" companies:

So above I went through a few ways in which users could unblock companies they want to receive mail from. It's obviously a vulnerability when they do this, but it can be fixed: Paypal's strategy is to include a pre-shared secret in the body text of the mail. This requires two filtering rules, the second conditional on a match on the first. This is not a problem for some mail clients such as Pegasus Mail but may be a problem for lesser-evolved beasts such as Outlook.

This same technique (the pre-shared secret) could be used by any targeted company that sends emails to customers, all that is needed is that the filter knows the secret, and takes that into account when filtering.

Ideally, what would happen is that when the user unblocks a company, they are prompted for the pre-shared secret. Missing secret = unable to unblock. The filtering rules ideally would then be autoconfigured in the correct way by the software/IT dept.


There is very little evidence, in the databases I checked [1] [2], of the use of variations such as wachov1a, although added spaces, missing hyphens and so on do happen. Obfuscation/armouring is a common spam tactic, but phish are seeking to be as legitimate as possible, and any kind of obfuscation reduces total revenue. This is a distinguishing feature between phish and spam, and it permits the possibility that techniques that don't work against spam, such as a blacklist, might be successfully used against phish.

If the variations get excessive, I suggest regular expressions. Again, not a problem for some mail clients, but other software such as Thunderbird does not support them (last I checked).

It is *hoped* that the power of regexes will be enough - there is a limit on how much obfuscation can be used, as it potentially alerts the user to the phish. Time will tell.

this idea elsewhere on the net:

Three academic papers [4] [5] [10] review the literature concerning phish detection in detail; however, none of them list analysis of the FROM field of the mail. That is, they don't even list it and dismiss it because of x, y and z; the technique is simply not mentioned.

One paper [6] notes that the FROM field "likely matches legitimate mail from [the targeted company]"; later it says "domain blacklisting can be used effectively to flag and drop messages".


[1] shows that the top 10 targeted companies account for 12166 of 16527 phish (73%)

[2] shows a total of 714 targeted companies - with some duplication - most with only 1 or 2 phishing attempts

[3] gives an estimate of average profit per successful phish = USD

[4] "Behind Phishing: An Examination of Phisher Modi Operandi" (contains a useful literature review)

[5] "Learning to Detect Phishing Emails" (contains a useful literature review) http://www.cs.cmu.edu/~sadeh/Publications/Small%20Selection/www07%20FINAL%20SUBMISSION.pdf

[6] "Evolution of Phishing Attacks" (mentions that filtering on the FROM field might be beneficial)

[7] shows a list similar to Millers' Miles

[8] "Phishing Activity Trends Report" states that the top 17 targeted companies account for 80% of all phish http://www.antiphishing.org/reports/apwg_report_August_2006.pdf

[9] "Phishing Attacks: Analyzing Trends in 2006" (states that "the top 10 spoofed brands account for nearly 85% of phishing web sites") http://www.ceas.cc/2007/papers/paper-34.pdf

[10] "Anti-Phishing Best Practices for ISPs and Mailbox Providers" (contains a useful literature review)

PS no I'm not trolling I've been using this approach for 6 months or so and it works great for me, so I thought I'd share it ...

PPS "80% of all phish target 1 of 20 or less companies" DOES NOT MEAN that 20% of phish target 2 companies or more; each phish targets 1 company, but that 1 company is, 80% of the time, in a list of 20 companies that are commonly phished. And the list of companies might be even smaller than 20, depending on whose stats you're reading.

---
Stuart Udall
stuart at_at_cyberdelix.dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
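As an added example, not code from the post or from any of the tools it names, here is a small Python filter implementing the scheme described above: a default-deny list of frequently phished sender domains, a per-user unblock that only passes mail carrying the company's pre-shared secret in the body text, and a normalisation step that folds the spacing, hyphen and digit-for-letter variations the post mentions. The domain names, user, secret and sample messages are all constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample blacklist (placeholder names, not the post's real list).
# Every listed company is blocked by default for every user.
BLOCKED_BY_DEFAULT = {"examplebank.test", "examplepay.test"}

# Constructed per-user unblocks: company the user chose to receive mail from, and
# the pre-shared secret that company puts in the body of every genuine mail.
USER_UNBLOCKS = {"alice@corp.test": {"examplepay.test": "alice-secret-7291"}}

DIGIT_SWAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})

def normalise(domain):
    """Fold added spaces, dropped hyphens and digit swaps (wachov1a) onto one
    form. Applied to both sides, so it over-matches rather than under-matches."""
    return re.sub(r"[\s\-_]+", "", domain.strip().lower().translate(DIGIT_SWAP))

def listed_company(sender_domain):
    """Return the blacklist entry the sender domain folds onto, or None."""
    key = normalise(sender_domain)
    return next((d for d in BLOCKED_BY_DEFAULT if normalise(d) == key), None)

def classify(raw_message, user):
    """Return ('pass' | 'block', reason) for one RFC 822 message and one user."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(msg["From"] or "")
    company = listed_company(addr.rpartition("@")[2])
    if company is None:
        return "pass", "sender not on the list; other filters still apply"
    secret = USER_UNBLOCKS.get(user, {}).get(company)
    if secret is None:
        return "block", company + " is blocked by default for this user"
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if secret in text:
        return "pass", company + " unblocked and pre-shared secret present"
    return "block", company + " unblocked but pre-shared secret missing"

# Constructed sample messages (not real phish), one per branch of classify().
SAMPLES = {
    "variant_spoof": "From: Example Bank <alerts@3xample-Bank.test>\n\nVerify your account now.\n",
    "unblocked_no_secret": "From: service@examplepay.test\n\nYour account needs attention.\n",
    "unblocked_with_secret": "From: service@examplepay.test\n\nHello alice-secret-7291, receipt attached.\n",
    "unlisted": "From: bob@unrelated.test\n\nLunch at one?\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw, "alice@corp.test"))
```

In a real deployment the unblock table and secret would be populated by the "phishing preferences" page or the IT department rather than hard-coded, and the filter would sit in front of the user's ordinary spam rules.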