FY2010 - Oak Ridge National Laboratory
Seed Money Fund—
Computational Sciences and Engineering Division
05881
Thwarting Online Deception and Phishing with Honeypots and DNS Analysis
Craig A. Shue, Gregory C. Hinkel, and Frederick T. Sheldon

Project Description
Criminals impersonate legitimate institutions and defraud users through the Internet. In phishing attacks, criminals send deceptive e-mails that encourage users to follow a link to a fraudulent Web site and provide sensitive information. In 2007, such attacks led to financial losses exceeding $3 billion.

Phishers must obtain e-mail addresses for potential victims before they can launch an attack. Phishers harvest addresses through Web crawling, yet little is known about which sites they crawl or whether their crawlers exhibit atypical domain name service (DNS) access patterns. With extensive real-time data from trap e-mail addresses (or honeypots) at external sites and ORNL, combined with ORNL server logs, we will examine phishing Web crawler access patterns. This will enable us to (1) prevent crawlers from harvesting our users' e-mail addresses, (2) block spam from the crawlers' networks, and (3) determine whether a campaign is Internet-wide or targeting DOE.
Mission Relevance

Phishing has serious implications for organizations, including ORNL. In a June 2009 phishing test of the lab staff, ORNL Cyber Security found that over 20% of our users were deceived, including 14.86% of our technically savvy users authorized to administer their own machines. These phishing attacks can lead to infected machines, the loss of sensitive information, and a tarnished reputation for the organization. By protecting our users from phishing attacks, we can avoid these risks for ORNL and DOE.

Our approach has broad implications for other federal agencies, including the Department of Defense, the Department of Homeland Security, and the Federal Bureau of Investigation. This work can deter financial crimes, help limit infiltrations into federal computers, and avoid the loss of sensitive data.
Results and Accomplishments

We have created honeypot systems for distributing trap e-mail accounts and for receiving phishing messages. We have been advertising the honeypot to attract more phisher attention so that we can study their behavior. We have also obtained DNS server logs and network connection information from the Information Technology Services Division. We have analyzed these logs to determine the timing difference between a DNS resolver's query and the Web/mail client access attempt. In doing so, we have found some atypical DNS caching behavior that seems to be common among attackers: attackers tend to keep using cached DNS responses long after the records' time-to-live (TTL) has expired, instead of re-resolving the name. These caching violations can be a warning sign of automated malicious activity. However, some clients that have not been blacklisted also violate DNS cache limits. These clients may be false negatives in blacklisting, or automated visitors that are not malicious. We have additionally detected an instance of misconfiguration in an Internet service provider's resolver.

These results may allow us to detect automated visitor behavior early in the connection and take appropriate action, such as filtering e-mail messages or adjusting the information we release to these visitors. Future efforts will refine these measurements.
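The log correlation described above (query-to-access timing and TTL violations) can be illustrated with a short script. This is an added example, not the project's code: the log formats, the addresses and the TTL values are constructed here, and the script assumes the address seen in the DNS log is the same address that later appears in the Web/mail access log (true for a crawler running its own resolver; a client behind a shared recursive resolver would need matching by network rather than by exact address).

```python
"""Correlate DNS query logs with Web/mail access logs to find clients that
keep using a name after its TTL expired without re-resolving it.

Added illustration; formats and sample data are constructed, not ORNL logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed resolver log: <timestamp> <querying address> <name> <TTL of answer>
DNS_LOG = """\
2010-03-01T10:00:00 198.51.100.7 www.example.gov 300
2010-03-01T10:00:01 203.0.113.9 www.example.gov 300
2010-03-01T10:00:02 203.0.113.9 mail.example.gov 300
2010-03-01T10:06:00 198.51.100.7 www.example.gov 300
"""

# Constructed Web/mail access log: <timestamp> <client address> <host contacted>
ACCESS_LOG = """\
2010-03-01T10:00:03 198.51.100.7 www.example.gov
2010-03-01T10:04:50 198.51.100.7 www.example.gov
2010-03-01T10:06:05 198.51.100.7 www.example.gov
2010-03-01T10:20:00 203.0.113.9 www.example.gov
2010-03-01T10:45:00 203.0.113.9 mail.example.gov
2010-03-01T10:01:00 192.0.2.44 www.example.gov
"""


@dataclass(frozen=True)
class DnsQuery:
    ts: datetime
    client: str   # address the query came from (assumed equal to the client's)
    qname: str
    ttl: int      # TTL in seconds of the answer that was returned


@dataclass(frozen=True)
class Access:
    ts: datetime
    client: str
    host: str


def parse_dns_log(text: str) -> List[DnsQuery]:
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, ttl = line.split()
            out.append(DnsQuery(datetime.strptime(ts, TS_FMT), client, qname.lower(), int(ttl)))
    return out


def parse_access_log(text: str) -> List[Access]:
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, client, host = line.split()
            out.append(Access(datetime.strptime(ts, TS_FMT), client, host.lower()))
    return out


def index_queries(queries: List[DnsQuery]) -> Dict[Tuple[str, str], List[DnsQuery]]:
    """Group queries by (client, name), sorted by time, so lookups are cheap."""
    idx: Dict[Tuple[str, str], List[DnsQuery]] = defaultdict(list)
    for q in queries:
        idx[(q.client, q.qname)].append(q)
    for lst in idx.values():
        lst.sort(key=lambda q: q.ts)
    return idx


def classify(access: Access, idx: Dict[Tuple[str, str], List[DnsQuery]]) -> Tuple[str, Optional[int]]:
    """Return (verdict, seconds).

    fresh    - access within TTL of the latest prior query; seconds since that query
    stale    - access after the TTL expired with no re-resolution; seconds past expiry
    no_query - no prior query from this client for this name (resolved elsewhere?)
    """
    prior = [q for q in idx.get((access.client, access.host), []) if q.ts <= access.ts]
    if not prior:
        return ("no_query", None)
    latest = prior[-1]                      # most recent resolution before the access
    expiry = latest.ts + timedelta(seconds=latest.ttl)
    if access.ts <= expiry:
        return ("fresh", int((access.ts - latest.ts).total_seconds()))
    return ("stale", int((access.ts - expiry).total_seconds()))


def audit(dns_text: str, access_text: str) -> Dict[str, List[Tuple[str, str, Optional[int]]]]:
    """Per client, list (host, verdict, seconds) for every access in log order."""
    idx = index_queries(parse_dns_log(dns_text))
    report: Dict[str, List[Tuple[str, str, Optional[int]]]] = defaultdict(list)
    for a in parse_access_log(access_text):
        verdict, secs = classify(a, idx)
        report[a.client].append((a.host, verdict, secs))
    return dict(report)


def stale_clients(report: Dict[str, List[Tuple[str, str, Optional[int]]]]) -> List[str]:
    """Clients with at least one access past TTL expiry; a signal for review, not a blocklist."""
    return sorted(c for c, rows in report.items() if any(v == "stale" for _, v, _ in rows))


if __name__ == "__main__":
    rep = audit(DNS_LOG, ACCESS_LOG)
    for client, rows in rep.items():
        for host, verdict, secs in rows:
            print(f"{client:14} {host:18} {verdict:9} {secs}")
    print("caching violations:", stale_clients(rep))
```

The "fresh" seconds value is the query-to-access delay the report measures; a crawler typically connects within a second or two of resolving. The "stale" list is only a warning sign, as the report notes: a client that resolved the name through another resolver, or a misconfigured ISP resolver, will show up here too, so treat it as input to triage rather than an automatic block.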