NETSEC

Humboldt: Active Phishing Disruption

Phishing continues to be a major threat to the users of today's Internet. Despite remarkable progress in the detection of phishing sites and measures to prevent users from accessing them, phishers continue to find new victims. The consequence is massive financial loss for these victims and for the banks which sometimes must absorb the losses. It also furthers the popular belief that the Internet is generally an unsafe place to conduct business.

In recent years, the security community has begun to look at a more aggressive approach to anti-phishing in which fake credentials are submitted to the phishing site in an effort to disrupt the phisher's ability to turn the credentials into profit. Unfortunately, these solutions do not address the phishers' many countermeasures, nor the practical cost of detecting the fake credentials. Furthermore, since they do not provide permanent storage of the submitted fake credentials, they miss a golden opportunity to catch the phisher who attempts to use them.

This research focuses on Humboldt, an active phishing disruption system, which is named after the infamous Pacific squid known to attack fishers. Our prototype system is designed to vigorously hunt down phishing sites and automatically submit fake credentials in massive quantities. Its distributed design ensures that it is resilient against many phisher countermeasures. It also maintains permanent records of all submitted fake credentials. By collaborating with banks and other interested parties, we can detect when phishers attempt to use the stolen credentials, perhaps leading to phishers' capture.

While the design of our prototype system is effective for most current phishing sites, we cannot expect that the phishers wouldn't make upgrades in the face of such a threat. In particular, the fact that our submissions were done in an automated manner means that phishers could simply add a CAPTCHA to their site. In seeking a solution to this problem, we realized that no matter what modifications are done to the phishing site, it must remain usable by its human targets. We are therefore researching a redesign of this system which leverages human users for submissions. The costs and dynamics of this system are under active investigation.

Our publications include the following:

• Jason Gustafson and Jun Li, "Leveraging the crowds to disrupt phishing, in IEEE Conference on Communications and Network Security 2013 (CNS), October 2013, 9 pages. To appear.
• Paul Knickerbocker, Dongting Yu, and Jun Li, "Humboldt: A distributed phishing disruption system, in The Anti-Phishing Working Group eCrime Researchers Summit, October 2009, 11 pages.
• Paul Knickerbocker, Combating phishing through zero-knowledge authentication, master thesis, June 2008.

We also have a screencast video that demonstrates how our Humboldt prototype works.