CAPTCHA TECHNIQUE FOR PHISHING ATTACK
NIKHIL V. AGARWAL

ABSTRACT

Phishing is the latest technique used by crackers (non-ethical hackers) to break into e-mail accounts, social-networking accounts, online banking accounts and so on. In the phishing technique, a duplicate web page is created that looks similar to the original web page in order to fool the account's users. The cracker sends a link to the targeted user's e-mail account; if the user clicks on the link and gives account details such as the account ID and password, the targeted user loses personal information such as project tenders, office documents etc. Phishing is proving beneficial for crackers, as they do not use their own systems to crack the accounts. The cybercrime branch finds it difficult to track the crackers' positions, i.e. the IP address of the system, immediately; it takes a long time to track the system used by the crackers. Cyber laws are not strong enough to penalize the crackers. So it is beneficial for us to use countermeasures against phishing attacks. Techniques such as strong website authentication, CAPTCHA, mail-server authentication and many others can be used to avoid phishing.

Keywords: Captcha, Cyberlaws, Phishing, Cybercrime etc.

1. INTRODUCTION

Since the term phishing was first recorded in 1996, when it meant hunting for free AOL accounts, phishing has shown an increasing tendency over the years. It then quickly evolved into financial fraud, as criminals always aim for high yield. Luckily, with the pursuit of online banking, the banking industry is always motivated to play a leading role in fighting the phishing threat. However, the reported loss to Internet crime such as phishing has broken its record each year. This tells us that we are still looking for a better solution.

CAPTCHA is the use of a hard AI problem to tell humans and bots apart, and it originally evolved from visual authentication and identification. The primary use of CAPTCHA is to fight automated bots in account registration and click fraud. It can also be applied to authenticate a group of people sharing common knowledge or abilities. In fact, visual human-verifiable techniques are vulnerable to MITM attack. Also, a careless CAPTCHA implementation can cause the application to fail to achieve its mission. CAPTCHA alone does nothing to defend against MITM attack; such visual security depends on the user's consciousness, which cannot actually authenticate the other end. Motivated by mitigating MITM attack, we propose the Extended CAPTCHA Input System (E-CIS), which can withstand the described RT-MITM. By combining CAPTCHA and OTP, E-CIS can authenticate a specific person, which can be used in a secure online banking login scenario.

2. PHISHING

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading
as a trustworthy entity in an electronic communication. Phishing is a fraudulent e-mail that attempts to get you to divulge personal data that can then be used for illegitimate purposes. There are many variations on this scheme. It is possible to phish for other information in addition to usernames and passwords, such as credit card numbers, bank account numbers, social security numbers and mothers' maiden names. Phishing presents direct risks through the use of stolen credentials and indirect risk to institutions that conduct business online through erosion of customer confidence. The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss.

The simplified flow of information in a phishing attack:

1. A deceptive message is sent from the phisher to the user.
2. A user provides confidential information to a phishing server (normally after some interaction with the server).
3. The phisher obtains the confidential information from the server.
4. The confidential information is used to impersonate the user.
5. The phisher obtains illicit monetary gain.

2.1 PHISHING TECHNIQUES

Phishers use a wide variety of techniques, with one common thread.

LINK MANIPULATION

Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website.

An old method of spoofing used links containing the '@' symbol, originally intended as a way to include a username and password. For example, http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied.
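The two link-manipulation tricks described above (a brand name used as a subdomain label, and userinfo placed before '@') can be caught by comparing the host a browser will actually contact with the domain the message claims to come from. The following Python is an added example, not part of the original paper; the expected domain `yourbank.com`, the two-label domain heuristic and the sample mail body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def registrable_guess(host):
    """Naive guess: last two labels. Production code should use the Public Suffix List."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def inspect_link(href, expected_domain):
    """Return findings for one link, judged against the domain the mail claims to be from."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    findings = []
    if parts.username is not None:
        # Everything before '@' is userinfo, not the host the browser contacts.
        findings.append("userinfo-before-@")
        if expected in parts.username.lower():
            findings.append("userinfo-imitates-expected-domain")
    if registrable_guess(host) != expected:
        findings.append("host-outside-expected-domain")
        if brand in host.split("."):
            findings.append("brand-used-as-subdomain-label")
    return {"host": host, "findings": findings}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_mail(html_body, expected_domain):
    """Inspect every anchor in a mail body; returns [(visible text, result), ...]."""
    collector = AnchorCollector()
    collector.feed(html_body)
    return [(text, inspect_link(href, expected_domain)) for href, text in collector.links]

# Constructed sample mail: the '@' URL is the one quoted in the text, the rest is made up.
SAMPLE_MAIL = """
<p>Please confirm your account:</p>
<a href="http://www.google.com@members.tripod.com/">www.google.com</a>
<a href="https://www.google.com/accounts">Help</a>
"""

if __name__ == "__main__":
    for text, result in scan_mail(SAMPLE_MAIL, "google.com"):
        print(text, result)
    # yourbank.com is an assumed legitimate domain for the text's subdomain example.
    print(inspect_link("http://www.yourbank.example.com/", "yourbank.com"))
```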

FILTER EVASION

Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails.

WEBSITE FORGERY

Once a victim visits the phishing website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.

3 CAPTCHA Overview:

You're trying to sign up for a free email service offered by Gmail or Yahoo. Before you can submit your application, you first have to pass a test. It's not a hard test -- in fact, that's the point. For you, the test should be simple and straightforward. But for a computer, the test should be almost impossible to solve. This sort of test is a CAPTCHA. They're also known as a type of Human Interaction Proof (HIP). You've probably seen CAPTCHA tests on lots of Web sites. The most common form of CAPTCHA is an image of several distorted letters. It's your job to type the correct series of letters into a form. If your letters match the ones in the distorted image, you pass the test.

CAPTCHAs are short for Completely Automated Public Turing test to tell Computers and Humans Apart. The term "CAPTCHA" was coined in 2000 by Luis Von Ahn, Manuel Blum, Nicholas J. Hopper (all of Carnegie Mellon University) and John Langford (then of IBM). They are challenge-response tests to ensure that the users are indeed human. The purpose of a CAPTCHA is to block form submissions from spam bots – automated scripts that harvest email addresses from publicly available web forms. A common kind of CAPTCHA used on most websites requires the users to enter the string of characters that appear in a distorted form on the screen. CAPTCHAs are used because it is difficult for computers to extract the text from such a distorted image, whereas it is relatively easy for a human to understand the text hidden behind the distortions. Therefore, the correct response to a CAPTCHA challenge is assumed to come from a human and the user is permitted into the website.

3.1 Types of CAPTCHAs

CAPTCHAs are classified based on what is distorted and presented as a challenge to the user. They are:

Text CAPTCHAs: These are simple to implement. The simplest yet novel approach is to present the user with some questions which only a human user can solve. Examples of such questions are:

• What is twenty minus three?

Such questions are very easy for a human user to solve, but it's very difficult to program a computer to solve them. These are also friendly to people with
visual disability – such as those with color blindness. Other text CAPTCHAs involve text distortions, and the user is asked to identify the hidden text. The various implementations are:

Gimpy: Gimpy is a very reliable text CAPTCHA built by CMU in collaboration with Yahoo for their Messenger service. Gimpy is based on the human ability to read extremely distorted text and the inability of computer programs to do the same. Gimpy works by choosing ten words randomly from a dictionary, and displaying them in a distorted and overlapped manner. Gimpy then asks the users to enter a subset of the words in the image. The human user is capable of identifying the words correctly, whereas a computer program cannot do so.

Ez-Gimpy: This is a simplified version of the Gimpy CAPTCHA, adopted by Yahoo in their signup page. Ez-Gimpy randomly picks a single word from a dictionary and applies distortion to the text. The user is then asked to identify the text correctly.

Fig 3.2 Yahoo's Ez-Gimpy CAPTCHA

BaffleText: This was developed by Henry Baird at University of California at Berkeley. This is a variation of the Gimpy. This doesn't contain dictionary words, but it picks up random alphabets to create a nonsense but pronounceable text. Distortions are then added to this text and the user is challenged to guess the right word. This technique overcomes the drawback of Gimpy CAPTCHA because Gimpy uses dictionary words and hence clever bots could be designed to check the dictionary for the matching word by brute force.

Fig 3.3 BaffleText

MSN Captcha: Microsoft uses a different CAPTCHA for services provided under the MSN umbrella. These are popularly called MSN Passport CAPTCHAs. They use eight characters (upper case) and digits. The foreground is dark blue, and the background is grey. Warping is used to distort the characters, to produce a ripple effect, which makes computer recognition very difficult.

Fig 3.4 MSN Passport CAPTCHA

Graphic CAPTCHAs: Graphic CAPTCHAs are challenges that involve pictures or objects that have some sort of similarity that the users have to guess. They are visual puzzles, similar to Mensa tests. The computer generates the puzzles and grades the answers, but is itself unable to solve them.

Audio CAPTCHAs: The final example we offer is based on sound. The program picks a word or a sequence of numbers at random, renders the word or the numbers into a sound clip and distorts the sound clip; it then presents the distorted sound clip to the user and asks users to enter its contents. This CAPTCHA is based on the difference in ability between humans and computers in recognizing spoken language. Nancy Chan of the City University in Hong Kong was the first to implement a sound-based system of this type. The idea is that a human is able to efficiently disregard the distortion and interpret the characters being read out, while software would struggle with the distortion being applied, and would need to be effective at speech-to-text translation in order to be successful. This is a crude way to filter humans and it is not so popular because the user has to understand the language and the accent in which the sound clip is recorded.

3.2 APPLICATIONS:

CAPTCHAs are used in various Web applications to identify human users and to restrict access to them. Some of them are:

• Online Polls: As mentioned before, bots can wreak havoc on any unprotected online poll. They might create a large number of votes which would then falsely represent the poll winner in the spotlight. This also results in decreased faith in these polls. CAPTCHAs can be used in websites that have embedded polls to protect them from being accessed by bots, and hence bring up the reliability of the polls.

• Protecting Web Registration: Several companies offer free email and other services. Until recently, these service providers suffered from a serious problem – bots. These bots would take advantage of the service and would sign up for a large number of accounts. This often created problems in account management and also increased the burden on their servers. CAPTCHAs can effectively be used to filter out the bots and ensure that only human users are allowed to create accounts.

• Preventing comment spam: Most bloggers are familiar with programs that submit large numbers of automated posts with the intention of increasing the search
engine ranks of that site. CAPTCHAs can be used before a post is submitted to ensure that only human users can create posts. A CAPTCHA won't stop someone who is determined to post a rude message or harass an administrator, but it will help prevent bots from posting messages automatically.

• Search engine bots: It is sometimes desirable to keep web pages not indexed to prevent others from finding them easily. There is an html tag to prevent search engine bots from reading web pages. The tag, however, doesn't guarantee that bots won't read a web page; it only serves to say "no bots, please." Search engine bots, since they usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a web site, CAPTCHAs are needed.

• E-Ticketing: Ticket brokers like Ticketmaster also use CAPTCHA applications. These applications help prevent ticket scalpers from bombarding the service with massive ticket purchases for big events. Without some sort of filter, it's possible for a scalper to use a bot to place hundreds or thousands of ticket orders in a matter of seconds. Legitimate customers become victims as events sell out minutes after tickets become available. Scalpers then try to sell the tickets above face value. While CAPTCHA applications don't prevent scalping, they do make it more difficult to scalp tickets on a large scale.

• Email spam: CAPTCHAs also present a plausible solution to the problem of spam emails. All we have to do is to use a CAPTCHA challenge to verify that indeed a human has sent the email.

• Improve Artificial Intelligence (AI) technology: Luis von Ahn of Carnegie Mellon University is one of the inventors of CAPTCHA. In a 2006 lecture, von Ahn talked about the relationship between things like CAPTCHA and the field of artificial intelligence (AI). Because CAPTCHA is a barrier between spammers or hackers and their goal, these people have dedicated time and energy toward breaking CAPTCHAs. Their successes mean that machines are getting more sophisticated. Every time someone figures out how to teach a machine to defeat a CAPTCHA, we move one step closer to artificial intelligence.

3.3 Breaking CAPTCHAs

The challenge in breaking a CAPTCHA isn't figuring out what a message says -- after all, humans should have at least an 80 percent success rate. The really hard task is teaching a computer how to process information in a way similar to how humans think. In many cases, people who break CAPTCHAs concentrate not on making
computers smarter, but on reducing the complexity of the problem posed by the CAPTCHA.

Let's assume you've protected an online form using a CAPTCHA that displays English words. The application warps the font slightly, stretching and bending the letters in unpredictable ways. In addition, the CAPTCHA includes a randomly generated background behind the word.

A programmer wishing to break this CAPTCHA could approach the problem in phases. He or she would need to write an algorithm -- a set of instructions that directs a machine to follow a certain series of steps. In this scenario, one step might be to convert the image to grayscale. That means the application removes all the color from the image, taking away one of the levels of obfuscation the CAPTCHA employs.

Next, the algorithm might tell the computer to detect patterns in the black and white image. The program compares each pattern to a normal letter, looking for matches. If the program can only match a few of the letters, it might cross reference those letters with a database of English words. Then it would plug likely candidates into the submit field. This approach can be surprisingly effective. It might not work 100 percent of the time, but it can work often enough to be worthwhile to spammers.

For more complex CAPTCHAs like Gimpy, the CAPTCHA displays 10 English words with warped fonts across an irregular background. The CAPTCHA arranges the words in pairs and the words of each pair overlap one another. Users have to type in three correct words in order to move forward.

As it turns out, with the right CAPTCHA-cracking algorithm, it's not terribly reliable. Greg Mori and Jitendra Malik published a paper detailing their approach to cracking the Gimpy version of CAPTCHA. One thing that helped them was that the Gimpy approach uses actual words rather than random strings of letters and numbers. With this in mind, Mori and Malik designed an algorithm that tried to identify words by examining the beginning and end of the string of letters. They also used Gimpy's 500-word dictionary.

Mori and Malik ran a series of tests using their algorithm. They found that their algorithm could correctly identify the words in a Gimpy CAPTCHA 33 percent of the time. While that's far from perfect, it's also significant. Spammers can afford to have only one-third of their attempts succeed if they set bots to break CAPTCHAs several hundred times every minute.

4 MAN IN THE MIDDLE ATTACK

A MITM attack makes the victims believe that they are talking directly to each other over a direct connection, without any indication that a middle man exists. The middle man:

1) Eavesdrops on and intercepts all messages going between the victims.
2) Relays messages between them.

One famous MITM attack on a cryptographic Public Key Infrastructure (PKI) algorithm is the attack on the initial version of the Diffie-Hellman algorithm in 1976. Diffie et al. fixed it with the advanced Authenticated Key Exchange (AKE) version in 1992, which combines the use of digital signatures and random numbers to authenticate each end party. The lesson is that a secure protocol without actual authentication risks suffering from MITM attack.

MITM can also take place visually, at the user interface layer. Schneier described an RT-MITM attack at the user interface layer in 2005, which can defeat a 2-factor secure token. The above is also true for a Trojan-compromised scenario, but our CR-MITM attack can capture and relay user inputs remotely without local Trojan assistance.

Control Relaying Man-in-the-Middle (CR-MITM) attack: a remote attack that can capture and relay user inputs without local Trojan assistance, and which can possibly defeat a CAPTCHA authentication system.

Since the visual interface of a CAPTCHA authentication system can be relayed, the hacker can employ a Remote Terminal Service, which projects the hacker's browser content to the Remote Desktop Client running in the victim's browser. The victim's input to the CAPTCHA authentication system is then processed directly in the hacker's browser in real time. After the bank server verifies the user credential, the hacker gains access to online banking.

Fig 4.1: Control Relaying Man-In-The-Middle Attack (CR-MITM)

MITIGATION

We can start from the root of the problem. As the hypothesis of the CR-MITM attack is based on users' general ignorance of CA certificate validation warnings, on victim consciousness and on visual interface relaying, if the design of the application can suppress those, it can possibly mitigate CR-MITM. In short, to avoid MITM we can use hardware or a trusted platform to perform destination validation by cryptographic means. However, this is always costly, and trusted platforms are still not widely deployed. Indeed, it seems there is no way to guarantee the security of online banking without a costly full hardware solution.

5 EXTENDING THE IDEA OF CAPTCHA FOR AUTHENTICATION

Generally, securing online banking by CAPTCHA is worth developing, as it is human verifiable and therefore friendlier to users than the cryptographic way, and its ability to distinguish between human and bot can raise the cost of automated bot attacks.

Considering the failure of CAPTCHA because of its relay-able property, we further propose several non-relay-able properties for the E-CIS application:

• The input method should be specially designed against key-loggers and mouse-loggers, so that the input credential stays secret from the attacker.
• Assuming CAPTCHA is not understandable by a computer, or at least takes significant processing time to be understood by a computer, and that a human resolver also takes time to recognize the CAPTCHA, it should resist visual relaying, so that it can further avoid Trojan screen capturing and human-resolver attacks.
• For a One Time Password that is based on time synchronization between the authentication server and the client, calibration and customization may be needed for the E-CIS scenario.

The trick is to make sure the hacker cannot automate the login by relaying the CAPTCHA to be solved by the victim. In our design, by combining OTP with a moving CAPTCHA, the E-CIS will not be easily relayed and exploited by a hacker.

5.1 Defending RT-MITM by Extended-CIS

Motivated by the analysis of the BEA CAPTCHA Input System defeated by RT-MITM, we further design an Extended CAPTCHA Input System (E-CIS) for the login process, with which we aim to mitigate the flaws in BEA's design. In our design, the E-CIS requires the OTP security token owner to input the OTP by solving the relevant CAPTCHA digits.

HYPOTHESIS: By utilizing OTP, we set an input authentication factor that is valid only for a short time, allowing only one manual input by the legitimate user, so that login parameters relayed in the RT-MITM scenario, with the extra time the relay induces, will not be able to gain access; hence it can defend against the described RT-MITM attack. Even in the case that the hacker finally receives the OTP answer, he still has to input the OTP into E-CIS manually. However, this second manual input costs extra time, and by then the OTP is no longer valid after the client's first manual input. In the end, an attacker with a timed-out OTP cannot gain access to the banking service.

PROCEDURE: Client login procedure through E-CIS:

1) The client connects to the bank server by HTTP over SSL and requests a logon input page.
2) The bank generates an E-CIS on-the-fly with a unique pre-shared secret and CAPTCHA challenge (C), then uploads it to the user. The E-CIS performs a Reverse Turing Test (RTT) utilizing visual CAPTCHA: $\mathrm{RTT}_{\mathrm{CAPTCHA}}\{C\}$
3) The E-CIS makes a new HTTPS connection to the bank server using the built-in $\mathrm{Cert}_{\mathrm{Bank}}$ and the destination IP address of the bank server.
4) The client inputs his user ID and password, and inputs the OTP by mouse clicking on the floating CAPTCHA digits in the E-CIS frame.
5) The selections of numbers are sent back to the bank in the form of time and coordinates, encrypted by the pre-shared secret key (SK): $\text{E-CIS} \rightarrow B : \mathrm{Enc}_{SK}\{(T, Cr)_i\}$
6) The bank verifies the OTP by decrypting the cipher with the pre-shared secret key (SK): $OTP_i = \mathrm{Dec}_{SK}\{\mathrm{Enc}_{SK}\{(T, Cr)_i\}\}$
7) If passed, the bank signals E-CIS to switch to transaction mode.
8) Online banking transactions are then done in the E-CIS application, just like in a virtual browser.

6 ACHIEVEMENTS

• A unique, independent, stateful E-CIS application: the attacker cannot bypass the CAPTCHA challenge, nor hijack the session, nor earn credit by decompilation and analysis of the application.
• Confidentiality is achieved by combining CAPTCHA input time with the One Time Password time restriction. E-CIS is immune to key loggers, mouse loggers, information relaying and session hijacking by its properties.
• It can mitigate the described RT-MITM attack, which threatens CAPTCHA and 2-factor authentication systems, since the OTP is only valid up to the first manual input time induced by the human security token owner; it links OTP input with the human OTP owner by combining CAPTCHA and time restriction.

LIMITATION AND DRAWBACKS

INHERIT CAPTCHA PROPERTIES: The use of E-CIS will inherit user acceptance issues as in a CAPTCHA system, e.g. visual CAPTCHA is not feasible for blind users. We are not going to discuss them here.

PRACTICAL ISSUE: Since our E-CIS demonstration is based on a time-synchronous type of OTP and on the human input time within its valid period, and the human input time varies between users (e.g. an old man inputs slower, a youth inputs faster), it is difficult to set a single valid time for all users. To make it practical, there should be an initial calibration customizing the E-CIS valid time for each user, by taking the average input time of the first few login processes.
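The bank-side check implied by steps 5 to 7 of the procedure and by the per-user calibration under PRACTICAL ISSUE can be written out as follows. This Python is an added example, not the authors' implementation: the digit motion model, frame constants, slack factor, class and function names are all assumptions, and the payload is taken as already decrypted with SK into (T, Cr) pairs because the paper does not name a cipher.

```python
import hmac
from statistics import mean

WIDTH, ROW_Y, RADIUS, SPEED = 300, 40, 12, 20  # assumed frame geometry (px) and drift (px/s)

def digit_center(digit, t):
    """Assumed motion model: digit d starts at x = 30*d and drifts right, wrapping at WIDTH."""
    return ((30 * digit + SPEED * t) % WIDTH, ROW_Y)

def resolve_click(t, x, y):
    """Map one (T, Cr) selection back to the digit under the pointer at time T, or None."""
    for digit in range(10):
        cx, cy = digit_center(digit, t)
        dx = min(abs(x - cx), WIDTH - abs(x - cx))  # horizontal distance with wrap-around
        if dx * dx + (y - cy) ** 2 <= RADIUS ** 2:
            return str(digit)
    return None

def calibrated_window(first_login_times, slack=1.5):
    """Per-user valid time: average input time of the first few logins, times an assumed slack."""
    return mean(first_login_times) * slack

class ECISSession:
    """Bank-side state for one E-CIS challenge (hypothetical class, one per login attempt)."""
    def __init__(self, expected_otp, window):
        self.expected_otp, self.window, self.consumed = expected_otp, window, False

    def verify(self, selections, received_after):
        """selections: decrypted [(T, (x, y)), ...]; received_after: server-measured seconds."""
        if self.consumed:
            return "rejected: OTP already used"
        self.consumed = True  # the OTP is valid only up to the first manual input
        if not selections:
            return "rejected: no input"
        # Trust the later of the client-reported and the server-measured time.
        elapsed = max(received_after, max(t for t, _ in selections))
        if elapsed > self.window:
            return "rejected: input time exceeds valid period"
        digits = [resolve_click(t, x, y) for t, (x, y) in selections]
        if None in digits:
            return "rejected: selection missed a digit"
        if not hmac.compare_digest("".join(digits), self.expected_otp):
            return "rejected: wrong OTP"
        return "transaction mode"

def sample_selections(otp, times):
    """Constructed input: clicks landing on each OTP digit's centre at the given times."""
    return [(t, digit_center(int(d), t)) for d, t in zip(otp, times)]

def demo():
    window = calibrated_window([6.0, 8.0, 7.0])  # constructed calibration samples (seconds)
    otp = "493027"                               # constructed token value
    direct = sample_selections(otp, [1.0, 2.5, 4.0, 5.5, 7.0, 8.5])
    relayed = sample_selections(otp, [7.0, 8.5, 10.0, 11.5, 13.0, 14.5])  # relay adds delay
    first = ECISSession(otp, window)
    return {
        "window": window,
        "direct": first.verify(direct, received_after=8.7),
        "replay": first.verify(direct, received_after=9.0),
        "relayed": ECISSession(otp, window).verify(relayed, received_after=14.8),
    }

if __name__ == "__main__":
    print(demo())
```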

Indeed, for practical issues in synchronization and calibration, we can also consider other forms of OTP delivery, such as SMS, for which the timing factor may be more deterministic. Also, other forms of CAPTCHA challenge can be considered, as the spirit of E-CIS is to utilize the property of CAPTCHA that it can only be solved by a human; combined with the time restriction of OTP, the E-CIS application can then resist automated MITM attacks as well as human-assisted attacks.

9 CONCLUSIONS

In this work, we reviewed Man-In-The-Middle (MITM) attacks which can even defeat CAPTCHA phishing protection. To mitigate the above MITM attacks, we designed an Extended CAPTCHA Input System (E-CIS), with which we enable, for the first time, a CAPTCHA system to authenticate a specific human by combining the use of OTP and its time restriction, and the design of E-CIS makes it highly resistant to information relaying attacks. The E-CIS is software based and needs no installation, so it is feasible to deploy widely compared with costly hardware. Our solution reuses the OTP tokens that have already been shipped on a large scale, which can save a huge amount of money compared with re-designing and shipping a new hardware solution.

We hope this work will encourage other attempts to optimize the CAPTCHA Input System, or even to find a more optimal candidate CAPTCHA type and its related One Time Password.