I am starting to put together a list of Anti-Phishing techniques. Phishing is a tough problem for a few reasons. First, this is an automated social engineering attack and user behavior is very difficult to control. Second, it uses two applications (usually email and web), neither of which is "compromised" per se. And third, other than the individual himself, the entity that cares the most (the enterprise being spoofed) is usually not inline with the phishing session, even though the individual thinks so. Here are some techniques that are in use today to identify and stop phishing:
- URL Blacklists/content scanners – can be used on inbound email and outbound web requests. Assumes knowledge of the phish site up front and can’t deal with dynamic sites very well.
Anti-Spam techniques – many of the same techniques to identify spam can be used to combat phishing.
- URL resolution and reporting – evaluating an obfuscated URL and reporting the actual domain of a requested site back to the user.
- Behavioral evaluation of phishing website – evaluating the URL construction, identity-oriented input fields, DNS registration information (recent? Google-able?), IP address range of the site, etc. can provide some insight into the potential for bogus site.
- Security awareness training – being used proactively to help warn end users.
- Client-side "strong" authentication – the legitimate enterprise site can use strong authentication for its users to eliminate a lot of the risk, though with the common practice of using the same password on multiple sites, the identity information captured may be useful at some other site and therefore is still at risk.
- Server-side authentication – [per comment below - thanks Adam] server-side authentication provides a cue to the user when he/she is logging in that validates the server to the end user. Pass Mark uses photos (I believe). This is similar to the anti-spam technique that also does server validation.
I would really like to see more correlation between email and web activity, since those are the two vectors of attack. For example, a solution that can populate a URL blacklist from an email message and/or identify Outlook as the click-through point on a URL.
Nice list!
I’d add two things: Server authenticators (such as passmark), and water-muddiers, such as AT&T wireless sending your bill as a javascript-enabled encrypted email which (apparently) downloads activeX. How the user is supposed to distinguish this from an attack is unclear to me. As such, they should be listed under water-muddiers who make life harder for the anti-phishing folks.
I guess I’ll need to divide up the “strong authentication” category into two – one for client-side authentication, and the other for server-side authentication. Good catch, thanks!