Page 1

Copyright 2010 Florida State University. All Rights Reserved

MDMap: Assisting Users in Identifying Phishing Emails

Patrick Dwyer

Department of Computer Science
Florida State University

Page 2

Agenda

Motivation and Background

MDMap Design and Implementation

Performance Evaluation

Summary

Page 3

Motivation

Increase in phishing emails/spam
Spam filters
Suspicious information in phishing emails
Non-expert users
Intuitive/sensible method
Suspicious information: sender location information

Page 4

Internet Email System

MUAs and MTAs

Page 5

Message Format

Email envelope/content
Message header/body

Headers related to the sender:
From: <[email protected]>
Reply-To: <[email protected]>
Return-Path: <[email protected]>
Received:

Page 6

Received: Header Field

Received: from almostcosmic.com (n226-h110.gw-net.metromax.ru [83.234.226.110]) by smtpin.cs.fsu.edu with SMTP id o24DvD3r010823

from-from: almostcosmic.com
from-domain: n226-h110.gw-net.metromax.ru
from-address: 83.234.226.110
by-domain: smtpin.cs.fsu.edu

Page 7

Email Forgery

From:/Reply-To: cannot both be faked for certain types of phishing emails
Received: header: the first external MTA cannot be faked
Faked headers often contain conflicting information when examined collectively

Page 8

MDMap Design

Revealing suspicious or conflicting information in an intuitive and sensible manner
Sender location information: message delivery path, Return-Path:, From:, Reply-To:, URL links

Page 9

MDMap Workflow

1. Parsing the email message
2. Retrieving the related header information (and URLs)
3. Getting geographical location information
4. Obtaining a map showing the sender location information

Page 10

Message Delivery Path

Shows how the message was delivered hop-by-hop at the MTA level
Construction of the path from header fields: list of MTAs/MUAs from the Received: headers
Private address
Localhost IP address

Page 11

Example Received: Headers

Received: from smtpin.cs.fsu.edu (smtpin.cs.fsu.edu [128.186.120.196]) by mail.cs.fsu.edu (Postfix) with ESMTP id 217D5F2D32 for <[email protected]>; Fri, 22 Jan 2010 17:48:30 -0500 (EST)

Received: from advanced62.inmotionhosting.com (advanced62.inmotionhosting.com [216.193.219.137]) by smtpin.cs.fsu.edu (8.13.1/8.13.1) with SMTP id o0MMlbag016308 for <[email protected]>; Fri, 22 Jan 2010 17:47:40 -0500

Received: from hsit (86.59.210.51) by advanced62.inmotionhosting.com; Fri, 22 Jan 2010 14:47:34 -0800
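As an added Python example (not MDMap's own code) covering the Received: field extraction on the earlier slide and the hop-by-hop path construction shown here: it unfolds the headers, splits each into the from-from, from-domain, from-address and by-domain fields, marks private or loopback addresses, and picks out the hop recorded by the recipient's boundary MTA. The sample input is the slide's three Received: headers with a constructed recipient address; the own_domain parameter ("cs.fsu.edu" here) and the first_external_hop() rule are assumptions of this example, since the slides state only that the first external MTA cannot be faked.

```python
"""Rebuild the hop-by-hop delivery path from Received: headers.
Added example, not MDMap's own code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input (constructed from the slide's three Received: headers; the
# recipient address is a placeholder because the slide elides it).
SAMPLE_HEADERS = """\
Received: from smtpin.cs.fsu.edu (smtpin.cs.fsu.edu [128.186.120.196])
    by mail.cs.fsu.edu (Postfix) with ESMTP id 217D5F2D32
    for <recipient@cs.fsu.edu>; Fri, 22 Jan 2010 17:48:30 -0500 (EST)
Received: from advanced62.inmotionhosting.com (advanced62.inmotionhosting.com [216.193.219.137])
    by smtpin.cs.fsu.edu (8.13.1/8.13.1) with SMTP id o0MMlbag016308
    for <recipient@cs.fsu.edu>; Fri, 22 Jan 2010 17:47:40 -0500
Received: from hsit (86.59.210.51)
    by advanced62.inmotionhosting.com; Fri, 22 Jan 2010 14:47:34 -0800
"""

HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"   # name the client announced in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"         # optional "(rdns [ip])" written by the server
    r"\s+by\s+(?P<by>[^\s;()]+)"            # the MTA that added this header
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Hop:
    from_from: str               # "from-from": HELO name, supplied by the client
    from_domain: Optional[str]   # "from-domain": reverse DNS recorded by the receiving MTA
    from_address: Optional[str]  # "from-address": IP recorded by the receiving MTA
    by_domain: str               # "by-domain": the MTA that wrote the header

    def is_internal(self) -> bool:
        """Private/loopback/link-local from-address (the slide's private and
        localhost cases): a hop inside some site, with no public location."""
        if self.from_address is None:
            return False
        try:
            addr = ipaddress.ip_address(self.from_address)
        except ValueError:
            return False
        return addr.is_private or addr.is_loopback or addr.is_link_local


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) to their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [line for line in lines if line]


def parse_received(header: str) -> Optional[Hop]:
    """Split one Received: header into the four fields shown on the slide."""
    m = HOP_RE.match(header)
    if not m:
        return None  # e.g. "Received: by ..." with no "from" clause
    paren = m.group("paren") or ""
    ip_match = IPV4_RE.search(paren)
    ip = ip_match.group(0) if ip_match else None
    rdns = next((t.strip("[]") for t in paren.split()
                 if t.strip("[]") and t.strip("[]") != ip), None)
    return Hop(m.group("helo"), rdns, ip, m.group("by"))


def delivery_path(raw_headers: str) -> List[Hop]:
    """Hops in delivery order (sender first). Each MTA prepends its Received:
    header, so the topmost header in the message is the final hop."""
    hops = [parse_received(line) for line in unfold_headers(raw_headers)
            if line.startswith("Received:")]
    return [hop for hop in reversed(hops) if hop is not None]


def first_external_hop(path: List[Hop], own_domain: str) -> Optional[Hop]:
    """Hop written by the recipient's boundary MTA: the latest hop whose
    by-domain is inside own_domain while the connecting host is outside it.
    Its from-address is the first external MTA, recorded by the recipient's
    own server. own_domain and this rule are assumptions of the example."""
    own = own_domain.lower()

    def inside(name: Optional[str]) -> bool:
        n = (name or "").lower()
        return n == own or n.endswith("." + own)

    for hop in reversed(path):  # walk back from the final delivery
        if not inside(hop.by_domain):
            return None  # this header and the earlier ones were written outside
        if not inside(hop.from_domain or hop.from_from):
            return hop
    return None


if __name__ == "__main__":
    path = delivery_path(SAMPLE_HEADERS)
    for hop in path:
        tag = " (internal)" if hop.is_internal() else ""
        print(f"{hop.from_address or hop.from_from}{tag} -> {hop.by_domain}")
    boundary = first_external_hop(path, "cs.fsu.edu")
    print("first external MTA:", boundary.from_address if boundary else "unknown")
```

Running the block prints the three hops in delivery order and names 216.193.219.137 as the first external MTA. The hsit line below that hop was written by the sending provider's server, so the recipient has no way to confirm it; the fallback to the HELO name in inside() is a convenience, and a production check should compare the recorded address against the site's own address ranges instead.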

Page 12

Map IP Address to Geographic Location

GeoLiteCity API

```java
import com.maxmind.geoip.Location;
import com.maxmind.geoip.LookupService;
import java.net.InetAddress;

// domain_name / IP_address: strings taken from the parsed Received: header
LookupService ls = new LookupService("GeoLiteCity.dat", LookupService.GEOIP_MEMORY_CACHE);
// getLocation(String) accepts a host name or a dotted IP address ...
Location loc = ls.getLocation(domain_name);
// ... or pass an already resolved address
loc = ls.getLocation(InetAddress.getByName(IP_address));
```

Page 13

Obtaining Map from Geographic Information

Google Maps API: input = URL of the map request, output = image file

```java
import java.io.*;
import java.net.*;

// url: the map request; imageFile: where the returned image is written
File imageFile = new File("map.png");
imageFile.createNewFile();
HttpURLConnection httpConn = (HttpURLConnection) url.openConnection();
BufferedInputStream urlStream = new BufferedInputStream(httpConn.getInputStream());
FileOutputStream imageStream = new FileOutputStream(imageFile);
int byteRead;
while ((byteRead = urlStream.read()) != -1) {
    imageStream.write(byteRead);
}
imageStream.close();
urlStream.close();
```

Alternatives: Bing Maps API, Yahoo Maps API

Page 14

A Snapshot of MDMap

Page 15

Performance Evaluation

Data set: 100 phishing (spam) emails, from mid November 2009 to March 2010, randomly selected

Heuristics:
H1: MTAs along the message delivery path
H2: Reply-To:, From:, Return-Path:
H3: URLs
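As an added Python example (not MDMap's own code) of what heuristics H2 and H3 put in front of the user: the domains of From:, Reply-To: and Return-Path:, the hosts of the links in the body, and the conflicts among them. The message is constructed for this example, and the specific H3 tests (a link host outside the From: domain, and visible link text that names a different host than the href) are this example's assumptions, since the slides only name URLs as the third heuristic.

```python
"""Sender header domains (H2) and URL hosts (H3) for one message.
Added example, not MDMap's own code."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample message: From: names one domain, replies and bounces go
# elsewhere, and the first link's visible text does not match its target.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer-example.net>
From: "Bank Support" <support@bank-example.com>
Reply-To: <helpdesk@webmail-example.org>
To: <user@example.org>
Subject: Account verification
Content-Type: text/html

<html><body>
<p>Please sign in at <a href="http://login-example.net/verify">www.bank-example.com</a></p>
<p>Help: <a href="http://bank-example.com/help">help</a></p>
</body></html>
"""

SENDER_FIELDS = ("From", "Reply-To", "Return-Path")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?")


def same_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def sender_domains(raw_message: str) -> Dict[str, Optional[str]]:
    """Domain part of From:, Reply-To: and Return-Path: (None when absent)."""
    msg = message_from_string(raw_message)
    result: Dict[str, Optional[str]] = {}
    for field in SENDER_FIELDS:
        _, addr = parseaddr(msg.get(field, ""))
        result[field] = addr.rpartition("@")[2].lower() or None
    return result


def h2_conflicts(domains: Dict[str, Optional[str]]) -> List[str]:
    """H2: header fields whose domain differs from the From: domain.
    Exact comparison; a site-specific rule could allow sibling subdomains."""
    base = domains.get("From")
    if base is None:
        return []
    return [f for f in ("Reply-To", "Return-Path")
            if domains.get(f) is not None and domains[f] != base]


def extract_links(html: str) -> List[Tuple[str, str]]:
    """(href, visible text) for each anchor; tags nested in the text are dropped."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html)]


def h3_suspicious_links(html: str, from_domain: Optional[str]) -> List[Tuple[str, List[str]]]:
    """H3: links whose host lies outside the From: domain, or whose visible
    text names a different host than the real target (assumed tests)."""
    flagged = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if from_domain and not same_domain(host, from_domain):
            reasons.append("host outside From: domain")
        shown = text.lower()
        if HOSTLIKE_RE.fullmatch(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            if shown_host != host:
                reasons.append("link text names a different host")
        if reasons:
            flagged.append((href, reasons))
    return flagged


def analyze(raw_message: str) -> dict:
    """Everything MDMap would place beside the map for H2 and H3."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    domains = sender_domains(raw_message)
    return {"domains": domains,
            "h2": h2_conflicts(domains),
            "h3": h3_suspicious_links(body, domains["From"])}


if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGE)
    print(report["domains"])
    print("H2 conflicts:", report["h2"])
    for href, reasons in report["h3"]:
        print("H3:", href, "-", "; ".join(reasons))
```

On the sample, H2 reports Reply-To: and Return-Path: as conflicting with From:, and H3 flags only the first link; the help link, whose host matches the From: domain and whose text is not host-like, passes. Multipart messages are left without a body here; a fuller version would walk the parts and take the text/html one.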

Page 16

Performance

Heuristic             Emails flagged
H1 (delivery path)    70
H2 (header fields)    47
H3 (URLs)             19
Flagged (any)         82
Total                 100

Page 17

Summary

MDMap: a simple and effective system assisting users in identifying phishing emails
Standalone Java program
Web-based email systems
Mobile phones

Demo