MDMap: Assisting Users in Identifying Phishing Emails

Copyright 2010 @ Florida State University. All Rights Reserved.

Email-based online phishing is one of the key security threats on the Internet, and it greatly deteriorates the trustworthiness of the Internet as a global communications platform. In recent years, many spam filters have been developed; however, a non-negligible number of phishing emails still sneak into users' inboxes each day. On the other hand, despite the advances in the sophistication of phishing attacks, phishing emails often contain suspicious information that separates them from legitimate ones. However, average non-expert email users are not acquainted with the details of the Internet email system. As a consequence, distinguishing phishing emails from legitimate ones presents a great challenge for average, non-expert email users, who are often the target of online phishing scams and who often fall victim to these attacks.

It is clear that not all email users can become experts on the Internet email system. There is an urgent need to develop more intuitive and sensible methods to assist (average) email users in identifying phishing emails, without requiring them to completely understand the details of the Internet email system. Towards this goal, we design and develop a simple yet effective system named MDMap to assist email users in identifying phishing emails by revealing suspicious information in a phishing email in a more sensible manner. In addition to other features, MDMap provides a geographical map showing the message delivery path of an email, based on the Received: header fields carried in the email.

Given that a phishing email often originates from or traverses regions that are suspicious with respect to the main theme of the message, MDMap helps caution the recipient in responding to such a message. For example, even to average email users it looks suspicious if a message concerning accounts at the Bank of America originated from or traversed a foreign country. Note that phishers may insert faked Received: header fields into a phishing email; however, this behavior does not affect the effectiveness of MDMap, because the complete message delivery path, instead of only the (claimed) first hop, is shown in the geographical map. Indeed, faked Received: header fields often cause inconsistencies in the message delivery path, working against the interest of the phisher when the complete path is investigated (instead of only the first hop).
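As an added illustration (not the MDMap implementation, which is a Java program), the following Python script parses the Received: header fields of a constructed message, orders the hops in the sequence the message actually travelled, and flags a hop whose "by" host is not the next hop's "from" host, the kind of inconsistency a faked header introduces. The MaxMind GeoLite lookup is replaced by a constructed placeholder table; the hostnames, addresses and region names are all assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not from the paper); Received: headers are newest-first as
# in a real message, and the bottom-most hop does not chain to the one above it.
SAMPLE_EMAIL = """\
Received: from mx2.example-bank-mail.test (mx2.example-bank-mail.test [203.0.113.7])
\tby mail.recipient.test with ESMTP id 1A2B3C; Mon, 01 Mar 2010 10:02:11 -0500
Received: from relay.unknown-isp.test (relay.unknown-isp.test [198.51.100.23])
\tby mx2.example-bank-mail.test with ESMTP id 9Z8Y7X; Mon, 01 Mar 2010 10:02:05 -0500
Received: from webmail.bankofexample.test ([192.0.2.10])
\tby smtp.bankofexample.test with ESMTP id 4D5E6F; Mon, 01 Mar 2010 10:01:59 -0500
From: "Account Services" <alerts@bankofexample.test>
"""

# Constructed stand-in for the MaxMind GeoLite lookup MDMap uses; regions are placeholders.
CONSTRUCTED_GEO = {"192.0.2.10": "Region-A", "198.51.100.23": "Region-B",
                   "203.0.113.7": "Region-A"}

# "from <host> (<comment>) by <host>" is the common shape of a Received: clause.
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
                    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal

def parse_received(raw_email):
    """Return hops in delivery order (earliest first) as dicts with from/by/ip."""
    msg = message_from_string(raw_email)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())           # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue                              # skip clauses we cannot parse
        ip = IP_RE.search(text)
        hops.append({"from": m["from"].lower().rstrip("."),
                     "by": m["by"].lower().rstrip("."),
                     "ip": ip.group(1) if ip else None})
    return hops

def path_inconsistencies(hops):
    """Hop i's 'by' host should reappear as hop i+1's 'from' host; report breaks."""
    return [(i, cur["by"], nxt["from"])
            for i, (cur, nxt) in enumerate(zip(hops, hops[1:]))
            if cur["by"] != nxt["from"]]

def delivery_path(raw_email, geo=CONSTRUCTED_GEO.get):
    """Geolocated path (what MDMap would plot) plus any chain inconsistencies."""
    hops = parse_received(raw_email)
    path = [(h["ip"], geo(h["ip"]) if h["ip"] else None) for h in hops]
    return path, path_inconsistencies(hops)
```

Any callable mapping an IP address to a location can be passed as `geo`, so a real GeoIP database query can replace the placeholder table without changing the parsing or consistency check.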

A prototype of MDMap has been implemented as a standalone Java program using the MaxMind GeoLite City API (for obtaining the geographical location of an IP address or domain name) and the Google Maps API. We chose these two packages because they are free and we are familiar with them. Other packages can also be used, including the Bing and Yahoo! Maps APIs. Although MDMap is presented as a standalone program in this paper, we envision that it can be incorporated into web-based email systems and provided as a service feature to their users. For example, if MDMap were incorporated into Yahoo! Mail, an MDMap could be shown along with the content of a message when the user opens it, to assist the user in judging the nature of the email. Similarly, MDMap can be adapted as an application for PDA devices such as smart phones.

The following picture shows a snapshot of the MDMap program.

Snapshot of MDMap