Using Web bugs and honeytokens to investigate the source of phishing attacks

McRae, Craig Michael

03 May 2008

Phishing is the use of social engineering and electronic communications such as emails to try and illicit sensitive information such as usernames, passwords, and financial information. This form of identity theft has become a rampant problem in today’s society. Phishing attacks have cost financial institutions millions of dollars per year and continue to do so. Today’s defense against phishing attacks primarily consists of trying to take down the phishing web site as quickly as possible before it can claim too many victims. This thesis demonstrates that is possible to track down a phisher to the IP address of the phisher’s workstation rather than innocent machines used as intermediaries. By using web bugs and honeytokens on the fake web site forms the phisher presents, one can log accesses to the web bugs by the phisher when the attacker views the results of the forms.

investigation

tracking

web bugs

honeytoken

anti-phishing

phishing

Monitorování síťových útoků pomocí systémů honeypot / Monitoring of network attacks with honeypot systems

Krula, Jiří

January 2016

This thesis focuses on the topic of honeypots technology and their use for network attacks monitoring. It theoretically analyzes the honeypots and their variants honeynet and honeytoken. The practical part describes how to deploy two open source solutions of honeypot, Kippo and Dionaea. Kippo honeypot can be classified, despite its limitations, as a high interactive honeypot. This solution emulates the SSH service and it is primarily intended for the detection and capture of brute force attacks on the service. Dionaea is a honeypot designed primarily for capturing malware. It aims to capture malware in the trap using the vulnerabilities of offered and exposed network services with the aim to obtain a copy of the malware for subsequent analysis. Data obtained from the real deployment of the proposed solutions are presented and measures in relation to the SIEM instruments are proposed as well as improved security of the protected network.

Masquerader Detection via 2fa Honeytokens

Wiklund, Anton

January 2021

Detection of insider threats is vital within cybersecurity. Techniques for detection include honeytokens, which most often are resources that, through deception, seek to expose intruders. One kind of insider that is detectable via honeytokens is the masquerader. This project proposes implementing a masquerader detection technique where honeytokens are placed within users’ filesystems in such a way that they also provide Two Factor Authentication(2fa) functionality. If a user’s second factor – the honeytoken –is not accessed within a specified timeframe after login, this indicates a potential intrusion, and only a “fake” filesystem will remain available. An alert is also triggered. The intention is to deter insiders from masquerading since they are aware that they must access a uniquely located honeytokena fter logging in to the legitimate user’s account. The technique was evaluated via user-testing that included interviews, a checklist with requirements for feasibility, and a cyber-security expert’s opinion on the technique’s feasibility. The main question evaluated during the project was the feasibility of adding the proposed technique to a computer system’s protective capabilities. The results of the project indicated that the proposed technique is feasible. The project’s results were also compared with the results of prior related research. The project’s scope was limited to a Linux system accessed via SSH into a Bash terminal(non-GUI-compatible), and the implemented technique was also evaluated within such an environment.

Cyber security deception

two-factor authentication(2fa)

honeytoken

misinformation

intrusion detection

Other Engineering and Technologies

Annan teknik