Methodology

To test if a site has registered their .xxx counterpart, my script perform a whois query and record the answer: If the whois query return NOT FOUND, the domain is assumed free, otherwise the registrar info was recorded and stored to generate the following charts. The crawl was performed on the 26Th December (20 days after .xxx domains became available to the general public)

How popular are .xxx domains ?

The first question, I wanted to answer was how many of the 50000 most popular websites  on the planet did in fact registered their .xxx domain counterpart. The graph below show the cumulative percentage of the websites that did, in fact registered their .xxx domains.

As visible on the chart, if almost all  the top 100 sites (except weibo)  did registered their .xxx domains, the percentage quickly drop below 50% and then stabilize around 20%.

When .xxx domains were registered ?

The second interesting question is when did the companies ordered their .xxx domains ? Did they take advantage of the “sunset period#” to register them early or did they wait the last minute ? Well as visible on the chart below, only 65% of them, did actually  take the time to register them before they the 6th December (Regardless of their real date, every .xxx pre-order are marked as been issued on Dec-1st on the whois data)

One piece of data missing here is how many of the 1595 domains registered on the 6th December are from the same owner than the real websites. I haven’t found a good way to automate this process, so if you have any idea on how to do it , I will be glad to do it. I might end-up using Mechanical Turk even-though it seems overkill.

How made a ton of cash selling .xxx domains ?

Last but not least who did profit the most of selling .xxx domain at 99$ a piece ? The ICM registry that officially operates the .xxx domain registration is the biggest winner with 72% of the sales, as visible on the graph below (careful the graph is in logarithmic scale). Every other domain got at most 3% of the sales. Note that this graph only display data for 8135 domains as the whois information did not return parsable data for the others.

Thanks for reading this post. If you like it please sharing it with the world, it makes me happy You can follow me on Twitter @elie or on Google+

Today a spam email landed in my Gmail inbox. Because usually Gmail is very good at blocking spam, I took at look at it. This spam email simply contains link to a Google docs that contains the real spam that offers you to get a free diploma as visible in the screenshot below:

Back in 2008 spammers used Google Docs to massively spam users by sharing unwanted documents with them. The documents ended-up in their Google doc home directory. For this new campaign, it seems that they are just sending regular emails with a Google doc link.

The two things I find interesting about this spam campaign is that:

1) it seems that this type of spam effectively bypass the Gmail spam filter: A couple of my friends have confirmed that they also received the same type of spams and it has landed in their Gmail inbox as well.

2) Google doc display the number of viewers so you can see people come and go as they are lured to click on the link. I saw 7 other people taking a look at the document while writing this post (see the screenshot on the right) so it is clear that this campaign is active and “successful” As you can see, the viewers widget, also says that user 9923 and 2079 have opened/closed the document but I think it is a bug (9923 users seems a lot). I also wonder what is the click-rate through the link stored in the document (that will be nice to know).

What can we do about this ? Well you can do two things: first mark the email as spam and two mark the Google doc as spam by clicking on the report abuse in the help section as visible on the screenshot below:

Thanks for reading this post. If you like it please sharing it with the world, it makes me happy You can follow me on Twitter @elie or on Google+

One of my current research project, with Jing and a bunch of people of the university of Michigan, is to develop an in-browser defense against phishing, that will be able to detect phishing sites as quickly as they are created.  Instead of relying on a black list, it will use vision and machine learning algorithms.

Before to set out on a journey to find the best way to do this,  we needed to understand why detecting phishing sites is so difficult. There is little information on how phishers operate in the wild so we ran our own experiment and analyzed around 5000 recent phishing websites. Turnout that the results of this preliminary analysis are interesting  by themselves and shed a new light on current phishers behaviors so I decided to share them with you via this blog post.

Methodology

Before delving into the results, let me explain how we got to them. First we collected, phishing urls via Phishtank which is the best resources to get phishing URLs. Next we used these URLs to feed our crawler, which took a screenshot and collected a bunch of information for each of these sites. Then we used Amazon Mechanical Turk (as usual ) to have human review each screenshot and augment our data-set with “human intelligence”. To make sure our data-set is clean, we had every phishing site screenshot analyzed by three different Turkers. Finally we processed the data reported by the Turkers to compute the results that we are going to discuss. In particular we discarded meaningless results and used a voting system to come-up with a stable data set. In then end, we ended-up having data about 1000 phishing websites.  It might not seems a lot of works but trust me, it took us a lot of effort to get there

Type of Phishing

There is two kind of phishing websites: fake sites and scam sites. Fake sites are phishing sites that clone the appearance of the targeted website in the hope you will confuse the two and enter  your credentials (login and password). Here is an example of a Paypal phishing site

Paypal Fake website

Scam site try to talk you into entering your credentials for a dubious reason or another. The screenshot below show a phishing site that attempts to steal your MSN credentials via offering you a software that allows you to know who blocked you. Notice how the phisher, make clear that this is safe to use it ….

MSN Credential phishing via a SCAM

Accordingly the first question that comes to mind is which is the favority phishier tactic ? Faking or Scamming ? Well it is about equal (48.2%, 51.8%) as visible in the graph below:

Phishing Sites Target Type

The next question is what kind of sites phishers are targeting ? Are they trying to steal your bank account, your email, or your Facebook account ?
As visible on the chart below, for those we were able to categorize, Without any surprise  financial services, like Paypal and Banks, are the most targeted. The next big target (no surprise here either) are social networks (Facebook, Orkut…). What is surprising is that the third big type of target, are online games (World of Warcraft in particular) not email accounts. One hypothesis, that explains this trend is that reselling stolen online goods is a lucrative business.

Visual Similarity

One other question, we asked Turkers is to rank  how visually similar fakes sites are to the target site they attempt to phish.  We asked to rank the fake phishing site on a scale from 1 to 5.  1 being completely different to 5 being close to a perfect copy. I was expecting to have a majority of sites to look very similar to their target. Oh boy, how wrong was I, as visible in the chart below in reality most fake sites are poorly executed (on purpose to avoid detection ?).

Here are some examples of phishing sites with different level of visual similarity:

Eve-online phishing site (similarity 5/5 – high resemblance)

World of Warcraft phishing site (similarity 5/5 very similar)

World of Warcraft phishing site (visual similarity 2/5 very few common point with the original site)

Why Detecting Phishing is Hard ?

So why detecting phishing is hard ? Well the results of our analysis suggest at least two reasons: First many phishing sites (51.8%) are scam sites not fake sites which make them harder to classify because we don’t have a baseline for them (the real site). The second explanation is that those who attempt to fake a realsite are poorly executed and therefore are hard to recognize. While I still believe that  machine learning and vision algorithm can yield something (there are previous successful works on this), it is clear that we will need new ideas to deal with scam phishing sites  and poorly executed fake sites. Right now, I am thinking using image content extraction and spacial correlation but only time will tell if it will work. There is also probably more to the data that what I discussed, so if you have an idea let me know

Thanks for reading this post. If you like it please sharing it with the world, it makes me happy You can follow me on Twitter @elie or on Google+

Table of Content

Highlights

The 5 most popular news of the week

This top 5 was established based on bit.ly overall clicks data

Thanks for reading this post. Share your thoughts on last week headline by leaving a comment below or sharing it with the world.
You can subscribe to receive these report by RSS or @elie or on Facebook

Evolution of the lock shape

The first infographic below show the evolution of the lock icon itself. The first thing that infographic show is that beside Safari, every major browser vendor keeps revamping the lock icon from time to time. I have included Konqueror in the infographic because, it is the only that uses a shield as security indicator, despite users studies showing that the lock is the best indicator for SSL…

Don’t be surprise to not find Firefox 5+ in the infograhic, it was remove (you know have a blue box on the right of the URL when SSL is on)

Finally one thing that keeps puzzling me is why the Safari (every version) and Firefox icon (some version) are different depending of the OS ?

Evolution of the lock position

The second infographic show you where the lock is displayed in the browser.  One thing to note is that Safari icon position is different whether you use it on Windows or OSX.

Realizing the diversity of  lock shapes and positions makes me wondering if  it is not  one of the reason why users are confused and sometime have hard time to know if the connection is secure or not.  Maybe we should standardize the security indicator shape and position ?

Thanks for reading this post. If you like it please sharing it with the world, it makes me happy You can follow me on Twitter @elie or on Google+

Table of Content

Highlights

The 5 most popular news of the week

This top 5 was established based on bit.ly overall clicks data

Thanks for reading this post. Share your thoughts on last week news by leaving a comment below or sharing it with the world.
You can subscribe to receive these report by RSS or @elie or on Facebook

In this post I want to share with you the two simple steps I came up with to “harden” my credit card security against theft and duplication. In a nutshell, this hardening technique works by removing all the extra information written on the credit card (signature and security code) that are not necessary for it work and are valuable to an “attacker”. If you know another hardening technique please leave a comment or let me know via Twitter  / Google+

Removing the security code

Your credit card three digits security code is located at the back of your card as visible in the photo below:

Its only purpose as far as I know is to “prove” while doing online payment that you “have” the original card as this security code is not contained in the data stored on your card magnetic strip/chip. The problem with having this code in plain sight is that any one who manipulate you card (waiter, cashier..) can easily copy it and then shop online with your credit card.
Before erasing it from the card, make sure you copy this code in a safe location like your password manager BE CAREFUL where you store it as you need it for online shopping. Erasing this code is actually harder than you might think because it is engraved in the card so simply “blanking it” with a marker won’t be enough. So far, I had the most success by first scratch it with a nail-file and then blank it with a heavy marker. It is not perfect but it it is very very difficult to read it after this treatment.

Replacing the signature with the mention “SEE ID”

The other part of the hardening process is to replace the signature in the back of the card the mention “SEE ID”. As far as I can tell, the rational behind having your signature at the back of your card (at least in the US where they generally don’t ask for a PIN code to make a purchase) is to allow cashiers to make sure you are the true owner of the card by comparing the receipt signature and the signature at the back of the card. This approach have obviously two flaws: First the person who stole the card, have plenty of time to look at the signature and learn how to forge it. Secondly the security of this approach rely on the fact that cashiers are able to detect forged signature in a blink of an eye and under bad lighting conditions … So instead of hoping that every cashiers is an expert in graphology it is actually better to ask them to compare the credit card name with a valid ID by writing the mention SEE ID on the back of the card.

Return of experience

I have been using the hardened credit card visible on the picture below for almost two years.

During this period of time, I never had any issue with it: I was always able to pay with it no matter which store or country (US, France, Germany, Italy, Indonesia, Canada…) I used it. The sad part of the story is that very few cashiers ever asked me for my ID which tend to show that this whole signature idea is a fluke. The only stores that consitenly ask me for my ID no matter which one I go, are the Apple stores (Kudo to them). So will you secure your card ? Let me know via the comment system or on Twitter  or on Google+

Table of Content

Highlights

The 5 most popular news of the week

This top 5 was established based on bit.ly overall clicks data

Thanks for reading this post. Share your thoughts on last week headline by leaving a comment below or sharing it with the world.
You can subscribe to receive these report by RSS or @elie or on Facebook

Table of Content

Highlights

Vizualization of the week Vizualization of OCSP requests for rogue certificates through the world. So many interceptions http://bit.ly/pVK7C4 (188 clicks)   tweet this news

The 5 most popular news of the week

This top 5 was established based on bit.ly overall clicks data

Thanks for reading this post. Share your thoughts on last week headline by leaving a comment below or sharing it with the world.
You can subscribe to receive these report by RSS or @elie or on Facebook

Table of Content

Highlights

The 5 most popular news of the week

This top 5 was established based on bit.ly overall clicks data

Thanks for reading this post. Share your thoughts on last week headline by leaving a comment below or sharing it with the world.
You can subscribe to receive these report by RSS or @elie or on Facebook