RepuScore: Collaborative Reputation Management Framework for Email Infrastructure
Cited by 5 (1 self)
We propose RepuScore, a collaborative reputation management framework over email infrastructure, which allows participating organizations to establish sender accountability on the basis of senders’ past actions. RepuScore’s generalized design can be deployed with any Sender Authentication technique such as SPF, SenderID and DKIM. With RepuScore, participating organizations collect information on sender reputation locally from users or existing spam classification mechanisms and submit it to a central RepuScore authority. The central authority generates a global reputation summary which can be used to enforce sender accountability. We present the algorithms for reputation score calculation and share our findings from experiments based on a RepuScore prototype using a) our simulation logs and b) a 20-day log from a non-profit organization with five collaborating domains.
Fighting Unicode-Obfuscated Spam
Cited by 2 (0 self)
In the last few years, obfuscation has been used more and more by spammers to make spam emails bypass filters. The standard method is to use images that look like text, since typical spam filters are unable to parse such messages; this is what is used in so-called “rock phishing”. To fight image-based spam, many spam filters use heuristic rules in which emails containing images are flagged, and since not many legit emails are composed mainly of a big image, this aids in detecting image-based spam. The spammers are thus interested in circumventing these methods. Unicode transliteration is a convenient tool for spammers, since it allows a spammer to create a large number of homomorphic clones of the same looking message; since Unicode contains many characters that are unique but appear very similar, spammers can translate a message’s characters at random to hide black-listed words in an effort to bypass filters. In order to defend against these Unicode-obfuscated spam emails, we developed a prototype tool that can be used with SpamAssassin to block spam obfuscated in this way by mapping polymorphic messages to a common, more homogeneous representation. This representation can then be filtered using traditional methods. We demonstrate the ease with which Unicode polymorphism can be used to circumvent spam filters such as SpamAssassin, and then describe a de-obfuscation technique that can be used to catch messages that have been obfuscated in this fashion.
Reducing the Trusted Computing Base for Applications on Commodity Systems, 2009
Cited by 2 (0 self)
the Grants No. (NSC95-main) and No. (NSC95-org), and by gifts from AMD and Intel.
The Phish Market Protocol: Securely Sharing Attack Data Between Competitors
Cited by 2 (1 self)
A key way in which banks mitigate the effects of phishing is to remove fraudulent websites or suspend abusive domain names. This ‘take-down’ is often subcontracted to specialist firms. Prior work has shown that these take-down companies refuse to share ‘feeds’ of phishing website URLs with each other, and consequently, many phishing websites are not removed because the firm with the take-down contract remains unaware of their existence. The take-down companies are reticent to exchange feeds, fearing that competitors with less comprehensive lists might ‘free-ride’ off their efforts by not investing resources to find new websites, as well as use the feeds to poach clients. In this paper, we propose the Phish Market protocol, which enables companies with less comprehensive feeds to learn about websites impersonating their own clients that are held by other firms. The protocol is designed so that the contributing firm is compensated only for those websites affecting its competitor’s clients and only those previously unknown to the receiving firm. Crucially, the protocol does not reveal to the contributing firm which URLs are needed by the receiver, as this is viewed as sensitive information by take-down firms. Using complete lists of phishing URLs obtained from two large take-down companies, our elliptic-curve-based implementation added a negligible average 5-second delay to securely share URLs.
The Plight of the Targeted Attacker in a World of Scale
Cited by 2 (2 self)
Despite neglecting even basic security measures, close to two billion people use the Internet, and only a small fraction appear to be victimized each year. This paper suggests that an explanation lies in the economics of attacks. We distinguish between scalable attacks, where costs are almost independent of the number of users attacked, and non-scalable (or targeted) attacks, which involve per-user effort. Scalable attacks reach orders of magnitude more users. To compensate for her disadvantage in terms of reach, the targeted attacker must target users with higher than average value. To accomplish this she needs that value be both visible and very concentrated, with few users having very high value while most have little. In this she is fortunate: power-law long-tail distributions that describe the distributions of wealth, fame and other phenomena are extremely concentrated. However, in these distributions only a tiny fraction of the population have above average value. For example, fewer than 2% of people have above average wealth in the US. Thus, when attacking assets where value is concentrated, the targeted attacker ignores the vast majority of users, since attacking them hurts rather than helps her requirement to extract greater than average value. This helps explain why many users escape harm, even when they neglect security precautions: most users never experience most attacks. Attacks that involve per-user effort will be seen by only a tiny fraction of users. No matter how clever the exploit, unless the expected value is high, there is little place for per-user effort in this world of mass-produced attacks.
The Current State of Phishing Attacks
Cited by 1 (0 self)
Phishing is a kind of social engineering attack in which criminals use spoofed emails to trick people into sharing sensitive information or installing malware on their computers. Victims perceive these emails as associated with a trusted brand, while in
Invasive Browser Sniffing and Countermeasures
We describe the detrimental effects of browser cache/history sniffing in the context of phishing attacks, and detail an approach that neutralizes the threat by means of URL personalization; we report on an implementation performing such personalization on the fly, and analyze the costs of and security properties of our proposed solution.
Impact Analysis of Phishing Announcements on Market Value of Hong Kong Banks
In this research, we adopted event study methodology to analyze the impacts of 25 phishing announcements released by the Hong Kong Monetary Authority from 2003 to 2007 on market value of 10 local banks. The results showed that negative market return occurred immediately after the phishing incidences were announced. The intensity of the negative impacts became more severe as time passed. For banks being targets of repeated phishing attacks, the most recent attack brought more negative market return than initial attack. Our research also showed that apart from direct financial loss, phishing also attributed to indirect financial loss to market value of e-commerce enabled banks. Better preparation to deter phishing is necessary to reduce the potential financial loss. Index Terms—Event study methodology, Hong Kong banks, market value, phishing, phishing announcements.
www.hooklee.com
As a powerful anti-phishing tool, honeypots have been widely used by security service providers and financial institutes to collect phishing mails, so that new phishing sites can be earlier detected and quickly shut down. Another popular use of honeypots is to collect useful information about phishers’ activities, which is used to make various kinds of statistics for the purposes of research and forensics. Recently, it has also been proposed to actively feed phishers with honeytokens. In the present paper, we discuss some problems of existing anti-phishing solutions based on honeypots. We propose to overcome these problems by transforming the real e-banking system itself into a honeypot equipped with honeytokens and supported by some other kinds of honeypots. A phishing detector is used to automatically detect suspicious phishers’ attempts of stealing money from victims’ accounts, and then ask for the potential victims’ reconfirmation. This leads to a novel anti-phishing framework based on honeypots. As an indispensable part of the framework, we also propose to use phoneybots, i.e., active honeypots running in virtual machines and mimicking real users’ behavior to access the real e-banking system automatically, in order to submit honeytokens to pharmers and phishing malware. The involvement of phoneybots is crucial to fight against advanced phishing attacks such as pharming and malware-based phishing attacks. Index Terms—phishing; honeypot; honeytoken; phoneypot; phoneytoken; phoneybot; online banking; money mule.

