Let's Sink the Phishermen's Boat!

Presented at DEF CON 16 (2008), Aug. 10, 2008, noon (20 minutes)

In this presentation, an advanced form of phishing attack will be discussed to show how criminals might steal the entire funds of an online banking account that is protected by a daily transaction limit, while bypassing its two-factor authentication system. This type of attack can operate in a stealthy mode, without any symptoms of theft appearing in the bank account balance, to keep the victims in the dark. Challenges and limitations encountered by existing phishing detection techniques will also be identified and reviewed, to understand the applicability of each technique in different scenarios. As a step towards combating phishing attacks effectively, the concept of a 'website appearance signature' will be presented, with an explanation of how this new concept can be applied to detect unknown phishing websites. This has been a great challenge in the past, since most phishing website detection tools verify the reputation of a website against a database of blacklisted URLs. In addition, a Proof-Of-Concept application that combines the 'website appearance signature' with conventional phishing detection techniques will be demonstrated to show its accuracy and effectiveness as a phishing website detection tool.

Presenters:

  • Hirosh Joseph - Security Researcher, F-Secure Corporation
    Hirosh Joseph is currently working as a Web Security Researcher at F-Secure Corporation. He is the co-author of the book Vulnerability Analysis and Defense for the Internet, published by Springer (ISBN-10: 0387743898). Previously, he worked at Third Brigade, a Canada-based information security company, where he was one of the early members of the Third Brigade Security Center and a key member of the research team. He has more than five years of experience in vulnerability research and is passionate about reverse engineering, malware analysis and spyware technologies. He has also held a security research position at Blue Lane Technologies.
  • Teo Sze Siong - Security Researcher, F-Secure Corporation
    Teo Sze Siong started programming at the age of 12. He is currently a Security Researcher at F-Secure Corporation, mainly working on threat analysis automation systems and honeyclient-related research. His previous jobs as a Software Engineer with IRIS Corporation and as a Technical Consultant for InfiniteQL Group's R&D exposed him to the security needs of various industries, such as the government sector, casinos, telecommunications, banking and property management companies. He has designed and implemented the Kingdom of Bahrain National Passport smartcard application, the ePerolehan smartcard application for the Malaysian government, real-time SCADA software for Maxis Communications, and large-scale video streaming and backup solutions for the Genting Casino Group. He has also developed a generic smartcard applet testing framework and an APDU interpreter engine for IRIS Corporation. Last year, he represented Malaysia at the United Nations ICT forum in Geneva, Switzerland. Some of his achievements include:
      • Certified Penetration Testing Specialist
      • Certified Scrum Master
      • 2nd runner-up of Microsoft Imagine Cup 2004 (Software Design)
      • Youngest speaker at the Hack In The Box Security Conference 2004
      • Winning team in the AstroTechnoloGenius Contest, Malaysia
