Page 1:

Automatic Phishing Site Detection and Blocking

Surachai CHITPINITYON, Kasom KOHT-ARSA, Surasak SANGUANPONG, Anan Phonphoem
Office of Computer Services, Kasetsart University
E-mail: Surachai.Ch@ku.ac.th

APAN 2008, Hawaii, 23 January 2008
This work is partially supported by the Commission of Higher Education (CHE), UniNET, Thailand.

Page 2:

Network Operation Center, Kasetsart University, Office of Computer Services

Agenda

What is Phishing?
Why are Phishing Site Detection and Blocking needed?
Phishing Site Detection Techniques
Proposed Solution: Detection and Blocking Techniques
Current Deployment
Future Work

Page 3:

Agenda (same items as Page 2)

Page 4:

What is Phishing?

An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details.

We concentrate only on detecting and blocking phishing sites inside the campus network.

Page 5:

Agenda (same items as Page 2)

Page 6:

Why are Phishing Site Detection and Blocking needed?

Phishing steals:
consumers' personal identity data
financial account credentials

Page 7:

Agenda (same items as Page 2)

Page 8:

Phishing Site Detection Techniques

E-mail detection at the mail gateway

Link shown on the slide: https://signin.ebay.com

Page 9:

Agenda (same items as Page 2)

Page 10:

Detection and Blocking Techniques

Solution 1
Detection: phishing site URL
Blocking: URL filtering techniques

Solution 2
Detection: phishing site content
Blocking: firewall

Page 11:

Solution 1: Traffic Flows

Diagram: Internet, Gateway, Campus Network, Phishing Site, and the Phishing Site Detection and Blocking Engine.

Page 12:

Solution 1: Structure

Phishing Site Detection and Blocking Engine (block diagram), components and their labels:
Communicator: mirror traffic (incoming) from the Internet link
URL Analyzer: URL pattern; regular expression URL matching
Session Controller: TCP termination; phishing site blocking

Page 13:

Solution 1: Procedure

Diagram: Internet, Gateway, Campus Network, Phishing Site, Phishing Site Detection and Blocking Engine, Phishing URL Lists. Numbered steps 1 to 5 carry GET requests, a search/matching lookup of the URL in the Phishing URL Lists, and FIN segments.

Page 14:

Solution 1: Session Hijacking

Sequence diagram (Client, Filtering engine, Server):
Client -> Server: SYN J
Server -> Client: SYN K, ACK J+1
Client -> Server: ACK K+1
Client -> Server: Data (request)
Filtering engine -> Client: FIN L (faked FIN by the filtering engine)
Server -> Client: Data (reply); packet will be ignored

Page 15:

Solution 1: Session Hijacking

Successful filtering (Client, Filtering engine, Server):
Client -> Server: Data (request)
Filtering engine -> Client: FIN L (faked FIN)
Client: ACK L+1
Server -> Client: Data (reply), FIN M; ignored

Unsuccessful filtering:
Client -> Server: Data (request)
Server -> Client: Data (reply), FIN M
Client: ACK M+1
Filtering engine -> Client: FIN L (faked FIN); ignored

Page 16:

Solution 1: A Closer Look at Hijacking

Success condition:
$t_3 < t_4$
$t_3 - t_0 < t_4 - t_0$
$t_3 - t_1 < \mathrm{RTT}$

From our measurement, $t_3 - t_1$ is less than 0.6 milliseconds. The average of $t_3 - t_1$ is about $0.2 \cdot \mathrm{RTT}$.
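The race on this slide, as an added example that is not part of the original presentation: a toy in-order TCP receiver plays the client, and the faked FIN L from the filtering engine competes with the server's real reply and FIN M, reproducing both the successful and the unsuccessful case of Page 15. The roles of t0, t1, t3 and t4 (request sent, mirrored copy seen by the engine, faked FIN arriving at the client, real reply arriving at the client) are assumed from the slides, which do not define them; the 0.6 ms engine delay used in the demo is the slide's measured upper bound, and every other value is constructed.

```python
"""Race between the filtering engine's faked FIN and the server's real reply,
modelled with a toy TCP receiver.  Added example; not the authors' code.
Times are in milliseconds.  Assumed roles: t0 = client sends the request,
t1 = engine sees the mirrored request, t3 = faked FIN reaches the client,
t4 = real reply reaches the client."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Segment:
    t: float         # arrival time at the client (ms)
    sender: str      # "server" or "filter"
    kind: str        # "DATA" or "FIN"
    seq: int         # sequence number of the first byte (or of the FIN)
    length: int = 0  # payload length for DATA


@dataclass
class ClientReceiver:
    """Minimal in-order receiver: accepts only the segment that starts at
    rcv_nxt and ignores everything once a FIN has been accepted."""
    rcv_nxt: int
    closed_by: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def receive(self, seg: Segment) -> bool:
        if self.closed_by is not None or seg.seq != self.rcv_nxt:
            self.log.append(f"t={seg.t:.2f} ms {seg.kind} seq={seg.seq} "
                            f"from {seg.sender}: ignored")
            return False
        if seg.kind == "DATA":
            self.rcv_nxt += seg.length
        else:                      # a FIN consumes one sequence number
            self.rcv_nxt += 1
            self.closed_by = seg.sender
        self.log.append(f"t={seg.t:.2f} ms {seg.kind} seq={seg.seq} "
                        f"from {seg.sender}: accepted, ACK {self.rcv_nxt}")
        return True


def success_condition(t1: float, t3: float, rtt: float) -> bool:
    """The slide's condition t3 - t1 < RTT (equivalent to t3 < t4 when t1 ~ t0)."""
    return t3 - t1 < rtt


def simulate(rtt_ms: float, engine_delay_ms: float, mirror_delay_ms: float = 0.0,
             seq_l: int = 1000, reply_len: int = 512) -> dict:
    """Deliver the faked FIN and the server's reply to the client in time
    order and report whether the filtering engine won the race."""
    t0 = 0.0
    t1 = t0 + mirror_delay_ms      # mirrored request reaches the engine
    t3 = t1 + engine_delay_ms      # faked FIN L lands at the client
    t4 = t0 + rtt_ms               # server's reply lands at the client
    seq_m = seq_l + reply_len      # server's real FIN M follows its data
    segments = [
        Segment(t3, "filter", "FIN", seq_l),
        Segment(t4, "server", "DATA", seq_l, reply_len),
        Segment(t4 + 0.01, "server", "FIN", seq_m),
    ]
    client = ClientReceiver(rcv_nxt=seq_l)
    for seg in sorted(segments, key=lambda s: s.t):
        client.receive(seg)
    return {"t1": t1, "t3": t3, "t4": t4,
            "blocked": client.closed_by == "filter",
            "final_ack": client.rcv_nxt, "log": client.log}


if __name__ == "__main__":
    ENGINE_DELAY_MS = 0.6   # slide: t3 - t1 measured below 0.6 ms
    for rtt in (10.0, 0.5):  # constructed RTTs: a distant and a very near server
        result = simulate(rtt_ms=rtt, engine_delay_ms=ENGINE_DELAY_MS)
        print(f"RTT={rtt} ms blocked={result['blocked']}")
        for line in result["log"]:
            print("  " + line)
```

With a 10 ms RTT the faked FIN is accepted, the client ACKs L+1 and the server's data and FIN M are ignored; with a 0.5 ms RTT the real reply wins, the client ACKs M+1 and the faked FIN L is the one ignored, which is why the engine's processing delay must stay well below the RTT.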

Page 17:

Solution 2: Traffic Flows

Diagram: Internet, Gateway, Campus Network, Phishing Site, and the Phishing Site Detection and Blocking Engine, with numbered flows 1 to 4.

Page 18:

Solution 2: Structure

Phishing Site Detection and Blocking Engine (block diagram), components and their labels:
Communicator: mirror traffic (outgoing) from the Internet link
Content Analyzer: content pattern; regular expression content matching
Firewall: phishing site blocking

Page 19:

Solution 2: Phishing site pattern

Page 20:

Solution 2: Procedure

Diagram: Internet, Gateway, Firewall, Campus Network, Phishing Site, Phishing Site Detection and Blocking Engine, Phishing Content Lists. Numbered steps: 1 and 2 GET (the request and its mirrored copy), 3 and 4 Reply (the reply and its mirrored copy), search/matching of the reply against the Phishing Content Lists, 5 block (the reply is stopped, shown as Reply X).
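The matching step of both procedures (Solution 1 on Pages 12 and 13, Solution 2 on Pages 18 to 20), as an added example that is not the authors' engine: regular expressions over the URL of mirrored incoming requests produce a terminate-session decision for the Session Controller, and regular expressions over mirrored outgoing replies produce a firewall block for the campus host that served the page. Hostnames, addresses, the HTTP samples and every pattern except the "About Google" keyword from the deployment test on Page 23 are constructed; the iptables syntax in firewall_rule is an assumption, since the slides only say "Firewall".

```python
"""URL and content matching of the two proposed solutions (added example,
not the authors' engine).  Solution 1: regexes over URLs of mirrored incoming
requests -> terminate the session.  Solution 2: regexes over mirrored outgoing
replies -> firewall block of the campus host.  Hosts, addresses, samples and
all patterns except "About Google" are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Solution 1: patterns applied to "http://<Host><path>" of incoming requests.
URL_PATTERNS = [
    # a brand's sign-in host name used as a path component or sub-label on
    # some other host; the genuine host is excluded by the lookahead
    re.compile(r"^http://(?!signin\.ebay\.com(?:/|$))[^/]+/.*signin\.ebay\.com", re.I),
]
# Solution 2: patterns applied to reply bodies leaving campus servers.  A page
# served from inside campus that claims to be a well-known brand is the signal.
CONTENT_PATTERNS = [
    re.compile(r"About Google", re.I),                  # keyword from the deployment test
    re.compile(r"<title>[^<]*sign in[^<]*ebay", re.I),  # constructed title pattern
]

@dataclass
class HttpRequest:
    method: str
    host: str
    path: str
    client: str  # address of the Internet client
    server: str  # address of the campus host being requested

@dataclass
class HttpReply:
    status: int
    body: str
    client: str
    server: str

def parse_request(raw: bytes, client: str, server: str) -> Optional[HttpRequest]:
    """Extract method, path and Host header from a mirrored HTTP request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, path, _version = parts
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return HttpRequest(method, host, path, client, server)

def parse_reply(raw: bytes, client: str, server: str) -> Optional[HttpReply]:
    """Extract status code and body from a mirrored HTTP reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    return HttpReply(int(parts[1]), body.decode("utf-8", "replace"), client, server)

def analyze_url(req: HttpRequest) -> Optional[dict]:
    """Solution 1: a match tells the Session Controller to end this session."""
    url = f"http://{req.host}{req.path}"
    for pat in URL_PATTERNS:
        if pat.search(url):
            return {"action": "terminate_session", "client": req.client,
                    "server": req.server, "url": url, "pattern": pat.pattern}
    return None

def analyze_content(rep: HttpReply) -> Optional[dict]:
    """Solution 2: a match tells the firewall to block the campus host."""
    for pat in CONTENT_PATTERNS:
        if pat.search(rep.body):
            return {"action": "firewall_block", "server": rep.server,
                    "pattern": pat.pattern}
    return None

def firewall_rule(decision: dict) -> str:
    """Render a block decision as an iptables rule (assumed syntax; the
    slides only say "Firewall")."""
    return f"iptables -I FORWARD -s {decision['server']} -p tcp --sport 80 -j DROP"

# Constructed mirrored traffic: (raw message, client address, campus server address).
SAMPLE_REQUESTS = [
    (b"GET /~user123/signin.ebay.com/index.html HTTP/1.1\r\nHost: www.campus.example\r\n\r\n",
     "198.51.100.7", "192.0.2.10"),
    (b"GET /courses/index.html HTTP/1.1\r\nHost: www.campus.example\r\n\r\n",
     "198.51.100.8", "192.0.2.10"),
]
SAMPLE_REPLIES = [
    (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>...About Google...</body></html>",
     "198.51.100.9", "192.0.2.44"),
    (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>Course list</title></html>",
     "198.51.100.8", "192.0.2.10"),
]

def run_engine() -> List[dict]:
    """Feed the constructed mirror streams through both analyzers."""
    decisions = []
    for raw, client, server in SAMPLE_REQUESTS:
        req = parse_request(raw, client, server)
        if req and (d := analyze_url(req)):
            decisions.append(d)
    for raw, client, server in SAMPLE_REPLIES:
        rep = parse_reply(raw, client, server)
        if rep and (d := analyze_content(rep)):
            d["rule"] = firewall_rule(d)
            decisions.append(d)
    return decisions

if __name__ == "__main__":
    for decision in run_engine():
        print(decision)
```

The two analyzers differ only in what they match on and what they hand off: the URL match is tied to one (client, server) session and is acted on by terminating that session, while the content match identifies the campus host serving the page and is acted on with a firewall rule that also covers future visitors.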

Page 21:

Agenda (same items as Page 2)

Page 22:

Current Deployment: Structure

Diagram: Uninet / Thaisarn, OCS KU firewall, Phishing Site Detection Engine, WebScreen Agent; links labelled Ethernet 10 Gbps and Ethernet 1 Gbps.
Engine hardware: CPU: 2 x Dual Core Xeon 3.0 GHz; RAM: 1 GB; HD: SATA 1 TB

Page 23:

Current Deployment: Testing

Diagram: Uninet / Thaisarn, OCS KU firewall.
Test: Google phishing site detection, using the "About Google" keyword.

Page 24:

Agenda (same items as Page 2)

Page 25:

Future Work

Use pictures, such as logos, for detection
Use AI to classify phishing sites

Page 26:

Q&A

Page 27:

Thank You