Current phishing attacks focus primarily on stealing user credentials such as passwords. In response, web sites are deploying stronger authentication and backend analytics systems. These tools are designed to make it harder for phishers to extract value from stolen passwords. We anticipate that phishers will adapt in response. In particular, we expect to see huge growth in the use of a different type of botnet malware called a Transaction Generator or TG for short. A TG waits for the user to log in to his account at a site and then issues transactions on behalf of the user. We discuss a number of mechanisms by which TGs can hide their tracks so that users have no idea that fraudulent transactions were issued by their machine. We also describe a mitigation system, called SpyBlock, that can help reduce the damage caused by TGs.
SpyBlock can defend against transaction generator malware. To use SpyBlock, you will need the following:
Mozilla Firefox, a free, extensible, open source web browser.
Windows Vista as the host operating system; it provides CardSpace, the identity selector.
VMWare Player, a free virtual machine system that runs on Linux and Windows.
VMWare Browser Appliance, a simple Linux-based virtual machine with a web browser.
Currently in beta testing; please contact the authors for instructions.
Be sure to install SpyBlock on both the browser appliance and the host.
Please send us your feedback!
Stanford Security Lab has developed several other related anti-phishing projects:
SpoofGuard detects when you visit a phishing page and warns you.
PwdHash generates phishing-resistant passwords.
SafeCache protects your browser cache from context-aware phishing attacks.
SafeHistory protects your visited links from context-aware phishing attacks.