ECS 153 Homework 2

Assigned Tuesday, April 18, 2006

Due Sunday, April 30, 10:00pm

One of the most widespread attacks in recent years is the Phishing attack, where attackers run a malicious website masquerading as a legitimate site, and try to induce users into entering sensitive data such as account numbers and passwords. The attackers will later use the information they harvest to defraud the users.

In order for the attack to be successful, a phishing web page uses a variety of techniques to masquerade as a legitimate site, including:

Copying content directly from the real site
Hiding the real target of a URL, for example with a username or password in the URL:
http://www.paypal.com@phishysite.us
Putting an anchor in the web page whose text looks like a URL, but whose target address is different:
http://www.paypal.com
Registering a domain name that is a slight misspelling of the legitimate site's domain name, e.g. paypa1.com instead of paypal.com
Using unusual but legitimate encodings of domain names, like using the decimal form of an IP address:
http://2850883080/www.paypal.com/

These are all positive indicators that a web site might be phishing. Negative indicators might be:

Have you been here before? A web site that's visited often or is bookmarked is less likely to be a phishing site than one you've never seen before.
Does the page use SSL? This might not be a very strong indicator, depending on the certificate authority that signed the certificate, but phishing websites seem less likely to bother with a certificate than real sites.

You can find lots more examples, and examples of phishing web pages, at http://antiphishing.org.

Getting Started

In this assignment you will be developing Phish Fry, an extension to the Firefox browser that will attempt to detect if a web page is "phishy" or not. You will write the extension in JavaScript. Even if you've never written in JavaScript before, it's very easy to use, so that shouldn't impede your ability to complete the assignment.

First, pick your teammates. You will work in groups of 3 for this project.

Next, download the skeleton for the project into any Linux/UNIX system. Unpack it with:

      unzip phishfry.zip

Change directories to the phishfry subdirectory. Change the creator tag in install.rdf to the members of your team, and change the homepage URL if you like.

Try building it by running build.sh from the main directory. This will create the file phishfry.xpi in the current directory. Install it by opening the file in Firefox. This will ask you if you want to install the extension; say yes. You'll then have to restart Firefox to see it.

After restarting Firefox, you can verify that Phish Fry is installed by opening Tools, Extensions. You should see Phish Fry 0.1 in the list of extensions.

You can test it by right-clicking on any web page, and selecting Show Phishiness from the pop menu. You should see the following dialog:

Note:I give instructions to use a *nix system, but any system with bash and zip installed will work fine. You can do this under Cygwin on Windows, or modify build.sh to be a batch file, or just make the .xpi file by hand. I'll only offer help with the build script to UNIX users though.

You'll be implementing the function isPhishy in chrome/content/phishfry/phishFryOverlay.js It returns a boolean indicating whether it thinks the current page is phishy or not. To get started, follow the instructions in debugging your extension. Once you've got that set up, continue on to coding the assignment.

Grading

You'll be graded on the following components:

Accuracy: 30 points

Your phishiness evaluator should be as accurate as possible: it should return few false positives (sites that it considers to be phishy, but are not) as well as few false negatives (sites that it thinks are legitimate, but are actually phishing sites.)

We will evaluate your accuracy by looking at how well your extension distinguishes real web sites (e.g. those in the Web 100) from phishing websites. You and your classmates will be coming up with the phishing website list (more on this in the next section), but in the meantime, see examples of phishing emails and websites at the phishing archive at antiphishing.org.

Your extension should work equally well a year from now as today, so building a list of good and bad sites into your extension is not acceptable.

Writeup: 20 points

You'll be expected to write a short report describing your work. It should include a brief introduction, then describe the methods you use to evaluate a web page for signs of phishing. Be concise. It should also include a self-evaluation, which I'll describe in more detail later.

Your report must be in PDF format.

Phishy Web Pages: 20 points

Your team should come up with as many phishing web pages as it can, and download them for testing. You'll be tested against these and those your classmates find. This isn't hard, just don't filter your email for junk mail during the assignment. I get around 100 junk mails a day. I hope you don't get as many, but in two weeks' time, your team should be able to amass 25-50 examples.

Save your phishing emails and web pages as html files, one web page per directory. Save any associated graphics in the same directory. A handy way to do this is with wget, as follows:

wget -r phishyURL

Since emails will reference a website, try to download an archive of the site as well, again with wget. Often this doesn't work, since phishing websites are very short-lived, but the more pages you get, the better.

Robustness: 15 points

Your extension shouldn't crash the browser or cause annoying JavaScript errors to appear. This is basically a binary score, either you get this right or you don't.

Self Assessment: 15 points

Evaluation of your work is a critical part of any report, so it gets its own grade. In your report, you want to address how well you did. What limitations does your approach have? What could you do better? The more honest this assessment is, the better.

Creativity: Up to 10 points

You can improve your grade by doing something we didn't ask you to do. Some ideas to think about:

Make the user interface better, where better != snazzier. You might want to read this paper to find out why our user interface sucks.
A phishing attack works because it looks like some site the user has been to before. Can you guess what site the user really wants when she opens a phishing page, and suggest she go there instead?

Given the limited time, I'd rather you do the first parts well, so don't spend all your time here if you haven't gotten the basics done.

It should go without saying, so I'll say it anyway: We are interested in your work, not in the work of other people, so simply asking Google or some other site whether a page is phishy isn't acceptable, even if it is accurate.

Handing It In

Place your project files in a directory named hw2. The files must be named as follows:

report.pdf: your team's project report
phishfry.xpi: your team's extension
urls: a directory of phishing web pages, with each subdirectory of this containing a single html file and any associated graphics.

Create a tarball of the whole thing like so:

tar czf hw2.tgz hw2/*

Hand in the tarball using the handin command on the CSIF machines:

handin cs153 hw2 hw2.tgz

Only one student per team need turn in the project, but make sure the report names all your team members.

Useful Links

Eric Hamiter's tutorial on How to create Firefox extensions
Continue to debugging your extension
Continue to coding the assignment