July 8, 2010

Outsmarting social engineering threats with SmartScreen

SmartScreen for URLs

This safety feature is another step Windows Live is taking to protect you from socially engineered attacks and account abuse. This abuse is an industry-wide problem, and we've seen a significant uptick in these types of attacks within the context of social networks over the past couple of years (details in Microsoft SIR V8, p.119). Scams targeting social networks now account for over half of the phishing attacks that the SmartScreen filter blocks in Internet Explorer 8. This trend makes sense: internet users are particularly vulnerable within their social networks because messages appear to come from their friends and contacts, so the attacker is exploiting an implicit trust boundary. With Windows Live's deep social connectivity and increased social feed integration in Wave4, we felt it essential to introduce a new protection mechanism for URLs posted in the Live network.

We've been working on this problem for a while. The SmartScreen team has worked with several large social networking partners over the past couple of years to combat this abuse and has seen success with both our browser filter and simple features within the social network that help users regain context in the midst of a scam. These features disrupt the social engineering attempt.

With these successes in mind, we’re happy to announce the use of SmartScreen on the new Messenger and Windows Live websites, such as profile and photos. When you click a link on one of these sites, the web request is first examined by our SmartScreen service. The service checks the reputation of the link prior to navigation with three potential outcomes:

1. Direct Navigation (Redirection)

If the website has a positive reputation (e.g., it has high traffic and no history of hosting phishing scams or malware), the user is navigated directly to the destination website. This is the case most of the time: you go directly to the website you chose, with no interruption from SmartScreen at all.

2. Block

If the link points to a known bad website (for example, one that hosts malware or a phishing scam), the redirection server navigates the user to a red block page.

Unsafe website - blocked

3. Informational

If the website has very low traffic or has had a history of abuse, you’ll be taken to an informational interstitial page. This page helps establish context and lets you decide how to proceed.

Informational interstitial
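To make the three outcomes concrete, here is a small model of a link-redirection service that checks a destination's reputation before forwarding the browser. This is an added illustration, not Microsoft's SmartScreen code or its real reputation data: the reputation table, the field names (daily visits, abuse incidents, currently malicious) and the traffic threshold are all constructed for the example. The hostname `redirector.example` stands in for whatever redirection server wraps the clicked link.

```python
"""
Model of a redirection server with a three-outcome reputation check:
redirect, block, or informational interstitial. Added example; all
reputation data below is constructed and the thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse, urlencode


class Outcome(Enum):
    REDIRECT = "redirect"            # 1. navigate straight to the destination
    BLOCK = "block"                  # 2. red block page, no navigation
    INFORMATIONAL = "informational"  # 3. interstitial, user decides how to proceed


@dataclass(frozen=True)
class Reputation:
    daily_visits: int          # proxy for "high traffic"
    abuse_incidents: int       # past phishing or malware reports for this host
    currently_malicious: bool  # host is on the known-bad list right now


# Constructed reputation table keyed by hostname (not real data).
REPUTATION_DB = {
    "example.com":       Reputation(daily_visits=5_000_000, abuse_incidents=0, currently_malicious=False),
    "phish.invalid":     Reputation(daily_visits=40,        abuse_incidents=3, currently_malicious=True),
    "newblog.invalid":   Reputation(daily_visits=12,        abuse_incidents=0, currently_malicious=False),
    "recovered.invalid": Reputation(daily_visits=2_000_000, abuse_incidents=2, currently_malicious=False),
}

HIGH_TRAFFIC_THRESHOLD = 10_000  # assumed cut-off for "high traffic"


def decide(url: str) -> Outcome:
    """Classify a clicked link into one of the three outcomes."""
    parsed = urlparse(url)
    # A redirector should only ever forward to web destinations; anything
    # else (javascript:, data:, a missing host) is refused outright.
    if parsed.scheme not in ("http", "https") or parsed.hostname is None:
        return Outcome.BLOCK

    rep = REPUTATION_DB.get(parsed.hostname.lower())
    if rep is None:
        # Never-seen host: no positive reputation, so treat it as very low traffic.
        return Outcome.INFORMATIONAL
    if rep.currently_malicious:
        # Known-bad wins over everything, including high traffic.
        return Outcome.BLOCK
    if rep.daily_visits >= HIGH_TRAFFIC_THRESHOLD and rep.abuse_incidents == 0:
        return Outcome.REDIRECT
    # Low traffic, or a history of abuse: let the user see context first.
    return Outcome.INFORMATIONAL


def redirect_target(url: str) -> str:
    """Where the redirection server sends the browser for a clicked link."""
    outcome = decide(url)
    if outcome is Outcome.REDIRECT:
        return url
    page = "block" if outcome is Outcome.BLOCK else "warn"
    # The original destination travels as a query parameter so the
    # interstitial can display it and, for "warn", offer a continue link.
    return f"https://redirector.example/{page}?" + urlencode({"target": url})


if __name__ == "__main__":
    for link in ("http://example.com/video", "http://phish.invalid/login",
                 "http://newblog.invalid/", "http://recovered.invalid/", "http://somesite"):
        print(f"{link:32} -> {decide(link).value:13} {redirect_target(link)}")
```

Two design points are worth noting. The known-bad check runs before the traffic check, so a popular site that is currently hosting a phishing page is still blocked rather than waved through on reputation. And a host that has never been seen lands on the informational page, not a redirect: the absence of a bad record is not the same as a positive reputation, which is exactly the distinction between outcomes 1 and 3 above.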

How do these attacks work?

Attackers can breach social networks by compromising a user's account and subsequently preying on their friends/contacts or by directly tricking users into accepting them into their social circle. A common attack from a compromised friend's account might say:

"Hey, check out my new video http://somesite"

When you click the link, you might get a fake login page that looks just like your regular login page, or a site that looks like a video player but requires a download (which is actually malware).

This is a common example, but if you live on the internet and use social networking sites regularly, you'll probably face many variants of these types of attacks. For the typical user, these attacks are very difficult to distinguish from a normal interaction with their friends and contacts: we click on links all the time, we log in often, and we download files regularly. Leveraging these common behaviors as elements of an attack is social engineering at work. Some users are able to recognize the characteristics of an attack scenario before falling prey, but for the majority of internet users, these subtle and technical cues are impossible to separate from their everyday activity. This is why social network providers, communication software providers, browser makers, and other software providers must put multiple levels of safety in place to keep their users informed and safe.

Given our past experience in the space, we're convinced that this feature will help protect you from socially engineered attacks and give us a new tool in the fight to keep you safe online. As with all safety mechanisms, this feature is a learning system, and we're actively studying the data to continue to improve both the experience and the intelligence behind it.
