ECS 153 Homework 3

Assigned Monday, May 15, 2006

Due Tuesday, May 23, 10:00pm

Attacking Phish Fry

In the previous assignment, we developed Phish Fry, a Firefox extension to detect phishing web pages. In this assignment, we will be playing the role of an attacker, trying to fool Phish Fry into thinking our web pages are not phishy, when in fact they are. We will also attempt to find real web sites that are flagged as phishy by Phish Fry, but that are not.

You will not necessarily be attempting to attack your own extension. Instead, you will be attacking the most accurate of your classmates' extensions. Three extensions had the lowest false-negative rate, that is, they misidentified the fewest phishy web pages as not phishy. You will be attacking at least two of these (you may choose which two).

In addition to these extensions, you will be looking for a (legitimate) web site that my extension thinks is phishy. Mine had a higher false-negative rate than some of yours, but it produced no false positives in the Web 100, that is, it didn't identify any of the Web 100 web sites as phishy.

Part 0: Getting Started

In this assignment, you will be working in groups of three. You may work in different groups than last time, or in the same groups if you prefer.

The extensions you will be attacking, along with their reports, are available in the following tarball:

extensions.tgz

Extract the archive with:
tar xzf extensions.tgz
After extracting it, you will find the following subdirectories:
ext1
ext2
ext3
juan

The ext1, ext2, and ext3 directories contain extensions from the class. Each directory contains a phishfry.xpi file, as well as the team's self-evaluation, evaluation.txt. The juan directory contains my extension. I didn't write a report, so there isn't a self-evaluation there.

First, pick which two of the class's extensions you will attack. You may want to read each team's self-evaluation to help you choose; it may give you an idea of which one would be easier to attack. It should also be the biggest clue in how to attack it: the checks the extension did not implement, or the things it fails to catch, should be described there. Feel free to choose your own extension as one of the two you attack.

You may want to examine an extension's source code. This is easy, since it's written in JavaScript (and isn't compiled). First, change directories to the extension you want to look at, and unzip the .xpi file like so:

unzip phishyfry.xpi
Then change to the chrome directory:
cd chrome
Unzip the jar file you find there:
unzip phishyfry.jar
The extension's source code is now in content/phishyfry/phishFryOverlay.js

Part 1: Find a False Positive (5 points)

For this part, you must find a web site (that you didn't create) that my evaluator identifies as phishy, but that is not. This isn't impossible; there just don't happen to be any in the Web 100. Remember: this is only a false positive from my extension, not from any of yours. (All of yours had false positives in the Web 100, which isn't much of a challenge.)

Part 2: Create Phishy Web Pages (Open ended, 5-10 points per page)

For this section, you will create phishy web pages. What makes them phishy? Their job is to induce the user to click on a link, where presumably they will enter their credit card information or PayPal password. Whether that page is successful is outside the scope of this assignment; your job is to embed a link to the following URL:

http://169.237.7.129/~juan/phish.htm

Since the link target is a numeric IP address rather than a hostname, most of your extensions will flag the page as phishy. Your job is to trick the extensions into thinking the page isn't phishy.
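The numeric-target heuristic referred to above, written out as a stand-alone check. This is an added example, not code from any of the class extensions or from the course; the rules each extension actually applies are in its evaluation.txt and phishFryOverlay.js. The sample links, the base URL http://attacker.example/ and the single-decimal spelling of the target address are constructed for the example. It also shows the caveat anyone writing this check should know: the same IPv4 host can be spelled more than one way, and a regex over the raw href string only recognises the dotted-quad form, while testing the hostname the URL parser returns judges every spelling alike.

```javascript
// Added example: the "numeric link target" check the assignment refers to, as a
// stand-alone function. Not code from any class extension; which rules each
// extension applies is in its evaluation.txt and phishFryOverlay.js.

const DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;

// Naive form of the check: regex the host out of the raw href string and test it.
function hrefLooksNumericNaive(href) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]+)/i.exec(href);
  if (m === null) return false;
  const host = m[1].replace(/^[^@]*@/, "").replace(/:\d*$/, ""); // drop userinfo and port
  return DOTTED_QUAD.test(host);
}

// Parsed form: let the URL parser canonicalise the host first. WHATWG URL
// (Node and current browsers) folds decimal, hex and octal spellings of an
// IPv4 address into dotted-quad form, so every spelling is judged alike.
function hrefHostIsNumeric(href, base) {
  let u;
  try {
    u = new URL(href, base);
  } catch (e) {
    return false; // unparsable href: leave it to the other checks
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (DOTTED_QUAD.test(u.hostname)) return true;
  return u.hostname.startsWith("["); // IPv6 literal, e.g. [::1]
}

// Walk every <a href> in a document. In a browser pass `document`; the fake
// document below has the same shape so the example runs under Node without a DOM.
function findNumericLinks(doc, base) {
  const hits = [];
  for (const a of doc.querySelectorAll("a[href]")) {
    const href = a.getAttribute("href");
    if (hrefHostIsNumeric(href, base)) hits.push(href);
  }
  return hits;
}

// Constructed sample page (assumed base URL; not the assignment's page). The
// second href is the target host written as one decimal number:
// 169*2^24 + 237*2^16 + 7*2^8 + 129 = 2850883457.
const SAMPLE_BASE = "http://attacker.example/";
const SAMPLE_DOC = {
  querySelectorAll() {
    return [
      "http://169.237.7.129/~juan/phish.htm",
      "http://2850883457/~juan/phish.htm",
      "https://www.example.com/login",
      "/about.htm",
    ].map((h) => ({ getAttribute: () => h }));
  },
};

console.log(findNumericLinks(SAMPLE_DOC, SAMPLE_BASE));
```

Run it with `node` to see that the parsed check reports both spellings of the target host while the naive check reports only the dotted quad. When reading a classmate's overlay script, the question to ask is which of these two forms their check takes.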

You can make multiple phishy web pages to boost your score, but each web page you submit must use a different trick or technique to fool the extensions. Don't waste my time: If I think you're trying to scam me with trivially different web pages, I reserve the right to deduct points from your score.

Trick two extensions: 5 points

If your phishy page manages to trick both extensions you chose, you'll get five points. These must be the same two extensions for all your pages, and they must be from the class. (My extension had a fairly high false negative rate, so it's too easy to attack. Sorry.)

Trick all three extensions: 10 points

If you manage to trick all three class extensions with the same page, you'll get 10 points for that page.

Part 3: Writeup (20 points)

You must convince me that each of your attacks is distinct, and that's what you'll do in the writeup. Tell me how each method differs from the rest. I am the final arbiter on what constitutes a unique attack, but some things that probably won't be:

Part 4: Attack ext3's Phishiness Indicator (Optional, 10 points)

The third extension took an interesting approach: not only did it identify phishy web pages, but it identified each potentially phishy link on a web page, and modified it to read {PHISHY} in red. However, it modifies it after the page is loaded, so a script running in the web page would be able to detect the change, and override it, either by changing color schemes, or by removing the {PHISHY} text from the link. Write a web page that defeats the visual phishiness indicator created by this extension.
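One way to do what this part describes, as an added example (not ext3's code, and not a reference solution). It assumes only what the text above states: after the page has loaded, the extension rewrites a flagged link's text to include "{PHISHY}" and colours it red. How exactly it does that (replacing the text node, appending a span, inline style or a class) is not known here and should be confirmed in phishFryOverlay.js; the sample link text is constructed. The script snapshots each link's text and colour while the page is still parsing, then restores them whenever a later mutation touches the link.

```javascript
// Added example for Part 4: a page script that undoes the {PHISHY} indicator.
// This is not ext3's code. It assumes (as the assignment text describes) that
// the extension rewrites a flagged link's text to include "{PHISHY}" and
// colours it red after the page has loaded.

const MARKER = "{PHISHY}";

// Put one anchor back to the text and colour recorded before the extension ran.
// textContent covers descendants too, so an appended "{PHISHY}" span is also
// caught and replaced. Only writes when something differs, so the observer
// callback below does not re-trigger itself indefinitely.
function restoreAnchor(anchor, original) {
  let changed = false;
  if (anchor.textContent.includes(MARKER)) {
    anchor.textContent = original.text;
    changed = true;
  }
  if (anchor.style.color !== original.color) {
    anchor.style.color = original.color;
    changed = true;
  }
  return changed;
}

// Snapshot every link as the script runs (before the extension's post-load
// pass) and re-apply the snapshot on any later mutation. `ObserverCtor` is
// MutationObserver in a browser; a stand-in can be injected where there is no DOM.
function protectLinks(doc, ObserverCtor) {
  const anchors = Array.from(doc.querySelectorAll("a"));
  const originals = new Map(
    anchors.map((a) => [a, { text: a.textContent, color: a.style.color }])
  );
  const observer = new ObserverCtor(() => {
    for (const [a, orig] of originals) restoreAnchor(a, orig);
  });
  for (const a of anchors) {
    observer.observe(a, {
      childList: true,
      characterData: true,
      subtree: true,
      attributes: true,
    });
  }
  return { originals, observer };
}

// In a browser, install the watcher; under Node there is no DOM, so skip it.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  protectLinks(document, MutationObserver);
}
```

Place the script at the end of the body, after the links it protects, so the snapshot is taken after the anchors exist but before the load event fires. MutationObserver is the current way to watch the DOM; Firefox in 2006 exposed the same changes through DOM mutation events instead, and the overlay script shows exactly which DOM changes need to be reversed.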

Handing It In

Your writeup should again be in PDF format, and named report.pdf. You may put the URL you found for Part 1 anywhere in this report. Please describe each of the attacks you implemented for Part 2 in the report as well. Like last time, make a hw3 subdirectory. Make a urls subdirectory of that, and make a unique subdirectory for each phishy web page you create, and place a single HTML file in it. Your final directory structure should look something like:
hw3
  report.pdf
  urls
    <subdirectory 1>/index.htm
    <subdirectory 2>/index.htm
Create a tarball of the whole thing like so:
tar czf hw3.tgz hw3/*
Hand it all in with the handin command,
handin cs153 hw3 hw3.tgz