wombon
13 Jul 2007

Antiphishing method

I'm co-inventor of the following antiphishing method. I'm asking for serious technical feedback from CE members.

A bank publishes a set of domains that will be in outgoing messages, before it sends out any of those messages. Call this a Partner List. It goes to a central website, Agg Center, that gets such lists from banks.

A browser mod is made. When a user gets an email claiming to be from the bank, the browser finds the domains in links in the message. It asks the Agg Center for the Partner List for that bank. If a domain is not in the Partner List, then the message is considered phishing. The browser turns a Notphish button red. It can also disable all links or just the bad link. But if all the message's domains are in the Partner List, then the button turns green, and the message is considered verified.

How does the browser decide whether to contact the Agg Center? A real message from the bank will have a Notphish tag, eg <notphish a="bank.com" />. Where bank.com is replaced by the domain of the actual bank. Most messages are not from banks or phishers, and they won't have the tag. So the mod will just leave the button neutral.

All that a user has to be trained to do, is expect that real messages from a bank will turn the Notphish button green. If a phisher omits the tag, then her message will not validate. If she puts in a tag for a real bank, and she has a link to her phishing website, then this will not be in the bank's Partner List. The browser will discover this and turn the button red.

The use of the Notphish tag avoids a problem with some methods that have heuristics and expect the user to manually push a button to run those tests against a suspect message. Since most messages are ok, she might tire about doing the tests. And, by definition, she won't do those against a message that fools her. The tag also avoids an automated approach that checks all messages against some central website. Very wasteful of bandwidth.

A simple extension is that the bank can also publish hashes of its future outgoing messages to the Agg Center.

The method avoids the user having to memorise multiple passwords (that are text or image) for websites at which she has accounts. It is objective in that it does not use subjective (and weak) heuristics. Lightweight, for there is no advanced cryptography.

The method also avoids the drawback of blacklists used against phishing. These are susceptible to a zero day attack. Which is the time interval between when a phisher sends out messages, pointing to a new phishing website that she has, and when those messages are detected by various antiphishing groups, and decisions made to put the website's domain into a blacklist, and the promulgation of the blacklist. Whereas here, the bank disseminates its Partner List before the messages go out.

A user does not have to use a fob to generate one time passwords for a website. Fobs are expensive. And do not scale when a user has accounts at several websites, each with its own fob. Cost and usability issues here. Also, our method lets a user get a verified message from a bank at which she does not have an account. Where the message might be to try to sign her up. There is no prospect of her having a fob at a bank at which she is not a customer.

The method can also be used when a user is surfing the web. Websites associated with a bank can have a Notphish tag in their pages. The bank can have another Partner List, that gives domains of associated websites. So the tag lets the method treat messages and websites in the same way.

The biggest problem with most current antiphishing methods is that they do not involve the banks, in the manner described above. Hence, when a method gets a message or webpage, it has a hard AI problem, trying to decide if that item is phishing or not. An open loop problem. Our method closes the loop by involving banks.

You can read the full text of the method at this link, to the World Intellectual Property Organisation -
https://www.wipo.int/pctdb/en/ia.jsp?IA=CN2005001423&DISPLAY=DESC

Elisa

14 Jul 2007
Hi wombon, welcome to CrazyEngineers. I liked the way you've simplified the whole process. In fact, I think there's big potential in the method that you have created. Although I have not gone through the link that you mentioned, I will do it soon, as time permits.

Does the mod support safari & netscape? Unless your mod supports a wide range of browsers, the method will not be very effective in preventing phishing.

wombon

14 Jul 2007
Thanks for the question. Yes, the mod would be done for all common browsers. Starting with IE, which has over 80% of the desktop. But also including safari and netscape. Keep in mind that the latter 2 have a fairly minor presence on the desktop.

The method is independent of browsers (or OSes for that matter).
14 Jul 2007
Welcome to CE, wombon! I appreciate your idea.

Here is my question - what if the users prefer to download the mails to their desktops (POP/IMAP)?

I guess, my question goes beyond the scope of your anti-phishing method. But there is a large set of users who do not access web mail.

-The Big K-

wombon

14 Jul 2007
Two things. The actions done by the browser mod can also be done at a mail server, with both incoming and outgoing mail. The server can inspect the body of each message, looking for the Notphish tag. If it detects the tag, then it can find the domains in the message links, and compare these to the Partner List that it gets from the Agg Center. If a domain is not in the Partner List, then the server can [eg] delete the message entirely. So if this is an incoming message, the recipient never sees it. Technically, this detection is easy.

Most mail servers have the right to delete messages, to protect their users. Some, like hotmail, are already doing this outright deletion against generic spam. Hotmail is not using our method. But they are using various antispam methods. Part of the Terms of Service of most message providers entitles them to do various unspecified actions to protect themselves and their users.

So if a user's mail server does our method, there's no need for the user to have the browser mod. And if she downloads messages via IMAP, it's also moot, because the phishing has been deleted.

However, suppose her mail server does not use our method. And she downloads via IMAP [or equivalent]. Our method also covers the case where the viewing program that she uses to read those messages, has a similar mod to that of the browser.

Put it this way. These days, most such mail reading programs have the ability to show HTML, because of the pervasive nature of the latter. And if the reader can show HTML, then likely it also lets the user click on links, and it then goes to that linked page. If so, then it's just a type of browser.

This even extends to text only mail readers, like lynx, elm or pine.

The only apparent case where our method seems to run short is when the reader cannot go out to the Agg Center, because it's running on a machine isolated from the net. Like a mobile laptop, where earlier, the user had downloaded her messages when she was connected to the net. And when she goes to read them, she's isolated. In this case, the reader might have a cached copy of Agg Center data, from when it was connected at some earlier time. But in any event, if the machine is isolated, then the user cannot be fooled and click on a phishing link and go to some pharm.
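The check described in the opening post and in the mail-server reply above, as an added Python example that is not part of the thread or the patent text. The `AGG_CENTER` dictionary stands in for the Agg Center lookup, and the subdomain rule and the fail-closed handling of an unknown bank or conflicting tags are assumptions the posts do not specify.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the Agg Center: bank domain -> its Partner List.
AGG_CENTER = {"bank.com": {"bank.com", "cards-partner.example"}}

class LinkScan(HTMLParser):
    """Collects Notphish tag claims and the host of every absolute URL."""
    def __init__(self):
        super().__init__()
        self.claims, self.hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "notphish" and name == "a":
                self.claims.add(value.strip().lower().rstrip("."))
            elif name in ("href", "src", "action"):
                try:
                    host = urlsplit(value.strip()).hostname
                except ValueError:      # malformed URL: keep it so it fails the check
                    host = value
                if host:                # relative and mailto: URLs have no host
                    self.hosts.add(host.rstrip("."))

def listed(host, partners):
    # Assumption: a listed domain also covers its subdomains.
    return any(host == d or host.endswith("." + d) for d in partners)

def classify(message_html, lookup=AGG_CENTER.get):
    """Return (button, unlisted_hosts); button is neutral, green or red."""
    scan = LinkScan()
    scan.feed(message_html)
    scan.close()
    if not scan.claims:
        return "neutral", []            # no tag: Agg Center is never contacted
    partners = lookup(next(iter(scan.claims))) if len(scan.claims) == 1 else None
    if partners is None:                # assumption: unknown bank or conflicting tags fail closed
        return "red", sorted(scan.hosts)
    bad = sorted(h for h in scan.hosts if not listed(h, partners))
    return ("red" if bad else "green"), bad

# Constructed sample messages.
GENUINE = '<notphish a="bank.com" /><a href="https://www.bank.com/login">Sign in</a>'
SPOOFED = '<notphish a="bank.com" /><a href="http://bank.com.login.example/">bank.com</a>'
PLAIN = '<a href="https://news.example/">Weekly digest</a>'

if __name__ == "__main__":
    for msg in (GENUINE, SPOOFED, PLAIN):
        print(classify(msg))
```

The comparison uses the URL in each `href`, `src` or `action` attribute, not the visible link text, so a link whose text shows the bank's domain is still judged by where it points.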

M.Malik

17 Jul 2007
wombon, apologies for a stupid question. But there are all these antivirus companies, symantec, ibm etc. Aren't they doing something against phishing? Cus they're already on so many desktops, with their antivirus scanners. Aren't you worried about them as competition?

wombon

18 Jul 2007
M. Malik,

The problem is that a phishing email normally is not a virus. It has standard HTML. So antivirus detectors will not trigger on the message. The antivirus companies make good products. But all their expertise in fighting viruses hasn't translated to any effective antiphishing product. If you go to their websites, yes they often say they fight phishing. But with me-too methods. Often using blacklists, and I've explained the zero day disadvantages of those. And also using weak, subjective heuristics.

edie4someone

13 Sep 2007
wombon wrote: "Often using blacklists, and I've explained the zero day disadvantages of those. And also using weak, subjective heuristics."

Seems ok. But dontcha look thru emails, for those links? Sure, you trigger off your special tag. But if it's there, you scan the email for links and then diff these against your bank's partner list. If I've understood your stuff ok.

Yeah, your list isn't a black list. But what if someone else in the US has a patent on the general case of scanning email for links and diffing these against any type of list?

wombon

15 Sep 2007
edie4someone,

Good question. Please see this Patent Pending at the US PTO. Go to the link below.

https://appft1.uspto.gov/netahtml/PTO/search-bool.html

In the Term 1 box, type 20060168006. Press search. The result will be a PatPending co-written by me. "System and method for the classification of electronic communication". Submitted 23 March 2003. Look at paragraph 0143, and also at other parts of the text. These describe how to extract domains from links in messages, and compare these domains against a blacklist.

We believe, based on all public knowledge available to us, that we are the first inventors to devise this method of checking domains in message links against external lists. Typically, the external list could be a blacklist. But it could also be other types of lists, like a whitelist. Or like our antiphishing Partner List.
