Phishers Beware

Phishing and computer infiltration affected 1.2 million Americans in the first half of 2006

In the first half of 2006, phishers sent out more than 157,000 different email messages to millions of recipients, an 81 percent increase over the last six months of 2005, according to a bi-annual Internet Security Threat Report released by the security-software maker Symantec.

If phishing schemes, in which attackers pose as legitimate organizations in order to dupe Internet users into handing over passwords and other private information, are on the rise, so are attacks that install software onto computers that steals passwords as they are being typed, or hijacks PCs for use in denial of service or spam attacks. The economic loss from these types of electronic crimes has been estimated at $1 billion, affecting 1.2 million Americans, in the first half of this year alone.

To address this growing problem, researchers at the Team for Research in Ubiquitous Secure Technology (TRUST), a multi-campus initiative, have created a set of tools that help protect Internet users against online identity theft. Available through CITRIS’s NERF (Non-Exclusive Royalty Free) licensing agreement, these software downloads are already being put to good use. Working with California law enforcement, researchers with CITRIS’s Cybersecurity Center are also developing more effective means of litigating against these crimes.

Few are as familiar with the challenges of preventing and prosecuting online identity theft and other electronic crimes as Robert Rodriguez. A retired secret service agent who directed the Secret Service West Coast Electronic Crime Taskforce, Rodriguez is now collaborating with TRUST.

“The threats and risks and vulnerabilities change every day. It is moving at a very fast pace. All the tools, processes, policies, and procedures are reactive for the most part. And the attackers are in a global environment, attacking from foreign countries we can’t reach out to. Law enforcement does not have the technical or financial resources or the manpower to challenge them. We’re inundated,” says Rodriguez.

Several years ago, Rodriguez and his colleagues turned to Stanford University computer science professors John Mitchell and Dan Boneh for help. “Law enforcement was very helpful in telling us what kinds of problems they were seeing. Companies have been very helpful in giving us more information about what their business constraints are and what kinds of solutions may be acceptable to them. What we can do in the university is just try things out without having a good idea of what the market is or how we’re going to make money off of it,” says Mitchell, a TRUST member.

Since that meeting more than three years ago, Mitchell, Boneh, and their students have developed five free browser extensions (software that, when installed, works with an Internet browser like Mozilla Firefox) that Internet users can download for protection against some of the most common tricks played by electronic thieves. PwdHash encrypts Internet users’ passwords as they are entered so that thieves will not be able to use them, while SpoofGuard alerts Web browsers when they have landed on a fake site. SafeCache and SafeHistory protect users of the Mozilla Firefox browser against malicious crimeware that tracks which sites and links they have visited. SpyBlock blocks passwords from any keylogging software that might be embedded on a user’s computer.

One of the reasons phishing schemes are so successful in getting people to turn over their personal information is their ability to replicate existing Web sites. Research conducted by UC Berkeley professor and TRUST member Doug Tygar revealed that computer users often ignore and misread the clues (e.g. address bar, status bar, and security indicators) that the Web site they are visiting is a fake. His proposed solution: Dynamic Security Skins, which provide users with bolder visual cues, such as photographic images and patterns, to reassure them that the site they’re signing in to is a trusted one.

The problem, of course, is that people savvy enough to know about and download these tools and others like them are usually savvy enough to avoid falling for a phishing scheme in the first place. “One of the best outcomes for us would be to have some of the ideas we’ve developed in our prototype software get adopted and built into browsers,” says Mitchell. That way, everyone surfing the Web would be automatically protected whether or not they are aware of phishing.

However, software alone will not bring electronic identity theft to an end. “Criminals are increasingly sophisticated these days, and this escalation poses new technical problems. We certainly need to increase platform security, protect assets from crimeware, and improve web authentication. But we also need to address the social and legal issues, the human factors,” says Deirdre Mulligan, Clinical Professor of Law and Director of the Samuelson Law, Technology and Public Policy Clinic.

Mulligan and a team of Berkeley students are collaborating with TRUST scientists and engineers to make sure the social and legal aspects of electronic identity theft and other TRUST projects are addressed alongside the technical challenges.

For example, if computer users are provided with more concise notices before or after they install software, they will be far less likely to install programs that they will later regret having on their machines. This was one of the conclusions of a recently completed study of 222 computer users by Berkeley Ph.D. students Jens Grossklags and Nathan Good, along with University of Minnesota computer science professor Joseph Konstan. This is significant because many seemingly harmless software programs come bundled with spyware or adware. This study’s results suggest that just by redesigning software notices, such as the End User License Agreement (EULA), users can be guided towards making safer, better-informed decisions about what applications they choose to install.

Similarly, a high-tech analysis of spyware and adware programs distributed by Enternet, PacerD, and 180 Solutions conducted last year by TRUST-affiliated students and faculty from Stanford’s computer science departments and Law School could be useful should prosecutors ever decide to legally challenge those companies.

Encouraged by these successes, TRUST researchers are working on more defenses to combat the growing problem of online identity theft, from developing a curriculum to ongoing research in collaboration with industry and government partners, to ensure that help is available where it is needed. It is a big problem, but by bringing together the best minds from the public and private sectors to tackle it, TRUST believes that victory can be achieved.