1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for protecting computer users from online frauds.
2. Description of the Background Art
Phishing is a kind of social engineering that involves some form of misrepresentation to obtain confidential information from online computer users. Phishing is not only fraudulent, but is a criminal activity as well. Phishing is a rapidly spreading and dangerous “web threat” on the Internet.
In a typical phishing attack, the perpetrator (also referred to as “attacker” or “fraudster”) masquerades as a trustworthy entity in an electronic communication. A phishing attack usually starts with an e-mail falsely claiming to be from the victim's trusted online site. The e-mail is designed to look convincingly real, oftentimes complete with the look and feel of e-mails from the trusted online site. The e-mail includes a link to the attacker's website, which is also referred to as “phishing site.” The phishing site serves a web page, referred to as a “phishing page,” where the victim enters confidential information thinking he is providing the information to his trusted online site. The phishing page, like the e-mail linking to it, is made to look authentic.
FIG. 1 shows an example e-mail 160 employed in a phishing attack. In the example of FIG. 1, the e-mail 160 convincingly looks like an e-mail from the eBay® online auction site. However, the e-mail 160 includes a hyperlink 161 that, when activated, directs the user to a phishing site rather than the eBay® site. FIG. 2 shows an example web page from the phishing site, while FIG. 3 shows an example web page from the eBay® site. Note the similarity between the phishing site (FIG. 2) and the authentic site (FIG. 3). It is thus not surprising that some users have difficulty distinguishing between phishing and authentic sites, causing these users to provide confidential information, such as credit card information, passwords, banking information, personal information, and the like, to the phishing site.
Anti-phishing techniques have been developed to combat phishing attacks. One way of combating phishing is to create and maintain a database of URLs (uniform resource locators) of phishing sites. The database serves as a blacklist that may be consulted to alert users if they visit a potentially dangerous website. Attackers responded to URL look-up or URL-level pattern matching solutions by changing the URLs of phishing sites. For example, so-called “Rock Phishing” is a phishing toolkit for perpetrating phishing attacks. Similar to virus-making kits available in the past, Rock Phishing allows even non-technical individuals to carry out phishing attacks, making phishing more prevalent. Rock Phishing allows a single website with multiple DNS (domain name system) names to host a variety of phishing web pages, which may mimic those of legitimate websites. What is dangerous about Rock Phishing is that the URL of the phishing site can be changed dynamically by creating different middle domain names. FIG. 4 shows examples of dynamically created URLs for a phishing site. Using a URL-level pattern matching approach to detect Rock Phishing would thus be relatively difficult due to the large number of dynamically changing URLs.
A related serious web threat is pharming. Pharming involves redirection of a legitimate website's traffic to a fake website, such as a phishing site. Pharming attacks may be perpetrated using well-known DNS cache poisoning, domain name spoofing, and domain name hijacking techniques. In a pharming attack, the user enters the correct URL of a legitimate website in his web browser but still gets redirected to a phishing site. That is, pharming involves phishing pages with legitimate URLs. Pharming therefore does not require e-mails with false links to point a user to a phishing site.
FIG. 5 shows a flow diagram schematically illustrating how pharming is typically perpetrated. In the example of FIG. 5, an attacker using a computer 506 hacks into the DNS server 521 (arrow 501) to change the IP (Internet Protocol) address of “www.nicebank.com” of the legitimate website 522 to the IP address of “www.n1cebank.com” of the phishing site 523. The phishing site 523 hosts web pages that fake those of the website 522. When the user tries to access the website 522 (arrow 502) by correctly entering “www.nicebank.com” in his browser, the computer 507 consults the DNS server 521 (arrow 503) for the IP address associated with “www.nicebank.com.” However, because of the earlier hacking, the DNS server 521 provides the computer 507 (arrow 504) the IP address of the phishing site 523 instead of the website 522. This results in the browser of the user being directed to the phishing site 523 (arrow 505). Thinking the phishing site 523 is the website 522, the user enters his confidential information in the phishing site 523.
There are many problems with conventional URL matching approaches in combating phishing and pharming attacks. Firstly, conventional URL matching is ineffective against pharming because the URL that directs the user to the phishing site is going to be a legitimate URL, albeit resolved to the IP address of a phishing site because of a compromised DNS server. Secondly, it is relatively difficult to keep track of dynamically created and changing phishing site URLs used in Rock Phishing attacks. Thirdly, there is no efficient way of collecting the URLs of all phishing sites—there are literally thousands of phishing sites and their number keeps on increasing. Fourthly, conventional URL matching can result in over-blocking, i.e., blocking websites that are not phishing sites. Because phishing pages may be hosted on legitimate websites, a URL of a legitimate website may remain in a block list even after the phishing page has been moved.
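The two weaknesses of URL-level matching described above (dynamically changing Rock Phishing URLs, and pharming through a poisoned resolver) can be seen in a short illustration. This is an added example and not part of the patent; the blacklist, the "r0ckphish.test" URLs, the IP addresses and the expected-address table are all constructed, and the registered-domain helper is a crude two-label approximation rather than a Public Suffix List lookup.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample data: one entry as a conventional URL-level blacklist
# would store it, plus Rock-Phish-style URLs whose middle labels change per
# campaign while the registered domain stays the same.
BLACKLIST = {"http://www.n1cebank.com/login"}
ROCK_PHISH_URLS = [
    "http://www.nicebank.com.a1b2c3.r0ckphish.test/login",
    "http://www.nicebank.com.z9y8x7.r0ckphish.test/login",
    "http://secure.nicebank.com.q5w6e7.r0ckphish.test/login",
]

def registered_domain(host):
    """Last two labels of a hostname. Crude eTLD+1 approximation used only
    for illustration; a real filter would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def exact_url_blocked(url):
    """Conventional URL matching: only the exact stored URL is caught."""
    return url in BLACKLIST

def domain_blocked(url, blocked_domains):
    """Match on the registered domain instead, so a changing middle label
    (the Rock Phishing trick) does not produce a fresh, unlisted URL."""
    host = urlsplit(url).hostname or ""
    return registered_domain(host) in blocked_domains

# Pharming: the legitimate hostname is typed correctly, but a poisoned
# resolver answers with the phishing site's address. URL matching never
# sees this; comparing the answer with known-good addresses does.
EXPECTED_ADDRS = {"www.nicebank.com": {"192.0.2.10"}}  # constructed

def pharming_suspected(hostname, resolved_ip, expected=EXPECTED_ADDRS):
    """True when a pinned hostname resolves outside its known address set."""
    known = expected.get(hostname.lower())
    if known is None:
        return False  # nothing pinned for this name; cannot judge
    return str(ipaddress.ip_address(resolved_ip)) not in known
```

The same exact-match weakness is what produces the over-blocking the text mentions: once a legitimate site's URL is listed, it stays blocked until someone removes the entry, regardless of whether the phishing page is still there.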
What is needed is an effective technique for protecting computer users from online frauds, such as phishing and pharming.