Top Banner
ABSTRACT The outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is very important for companies to come up with new ways to solve phishing problems because it can become a major loss to well known companies. Also, it can cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. Not any type of technology can stop phishing attacks, but there are many ways to enable phishers from accomplishing their goals. Consumer education can increase the awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users.
32
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Phishing

ABSTRACT

The outcomes of phishing attacks are dramatically increasing every day Attacks

on financial services companies have been doubling each year compared to

previous years It is very important for companies to come up with new ways to

solve phishing problems because it can become a major loss to well known

companies Also it can cause consumers to lose confidence in doing business

online which can affect many companies with an online presence Not any type

of technology can stop phishing attacks but there are many ways to enable

phishers from accomplishing their goals Consumer education can increase the

awareness of the phishing threat and other online vulnerabilities Lastly

biometrics should become one of the major aspects and play an important role to

combat phishing because it provides different steps to authenticate users

INTRODUCTION

Phishing is the practice where criminals send out unsolicited Commercial e-mails

masquerading as valid authorities by using Logos and other formatting to

resemble authentic e-mails sent by the company that they are attempting to

impersonate

Once the users receive such emails the phishers attempt to lure them to web

sites where personal information such as credit card number and social security

numbers are required in an attempt to hack into the usersrsquo accounts The so-

called ldquophishersrdquo try to steal usernames and passwords for identity and banking

theft

Companies such as PayPal eBay Amazon and most of the banks have been the

biggest target for phishing attacks

LITERATURE REVIEW

The first phishing attempt occurred in January 1996 A hacker who was

attempting to steal accounts from unexpected AOL Members coined the term

phishing

Comparison to Spam

The purpose of a phishing message is to acquire sensitive information about a

user In order to do so the message needs to deceive the intended recipient into

believing it is from a legitimate organization As a form of deception a phishing

message contains no useful information for the intended recipient and thus falls

under the category of spam Although phishing is categorized as spam it also

differs from spam Amongst other things spam tries to sell a product or service

while a phishing message needs to look like it is from a legitimate organization

Due to the similarity between phishing and legitimate messages techniques that

are applied to spam messages cannot be applied naively to phishing messages

For example text-based classification can perform reasonably well in identifying

spam but as a phishing message is forged to look like a message from a legitimate

organization text-based classification applied naively to a phishing message will

have a high miss rate

Anatomy of a phishing message

A raw phishing message can be split into two components the content and the

headers These components are commonly accepted as being the major

components of a message

Content

The content is the part of the message that the user sees and is used by phishing

message producers to deceive users It can be subdivided into two parts

The cover is the content which is made to look like a message from the

legitimate organization and usually informs the user of a problem with

their account Early phishing messages could be identified based only on

their cover due to imperfect grammar or spelling mistakes (which are

uncommon in legitimate messages) Over time the covers used in phishing

messages have become more sophisticated to the point where they even

warn the users about protecting their password and avoiding fraud An

example of this can be seen in Figure below where the phishing message

tells the victim to ldquoProtect Your Account Infordquo by making sure ldquoyou never

provide your password to fraudulent websitesrdquo

The sting is the part of the content that directs the victim to take

remedial actions It usually takes the form of a clickable URL that directs the

victim to a fake website to log into their account or enter other personal

details We call this the sting as this is the part of the content that inflicts

pain by means of financial loss or other undesirable action after the victim

enters their details on the website Typically the sting is hidden by using

HTML to display a legitimate looking address instead of the address of the

fake website An example of this is shown in above Figure where the

address of the fake website is httpwwwnutristorecomaurhtm and

the corresponding displayed text is a legitimate looking

httpswww2paypalcomcgi-bincmd= login

Headers

The headers are the part of the message which is primarily used by the mail

servers and the mail client to determine where the message is going and how to

unpack the message Most users do not see these headers but in terms of

determining if a message is phishing or not this part of the message can be quite

useful Headers can be subdivided into three parts based on the entities which

add them to the message

Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo

and some client specific headers Examples of mail client headers are X-

MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above

figure Phishing messages may try to fake a particular header and in doing

so give away that the message is fake For example if the X-Mailer header

indicates that a HTML message has been composed using MS Outlook but

the message only contains HTML (without plaintext) this is an indication

that the message is fake as MS Outlook cannot send HTML only messages

Mail relays will add headers along the path of the message These are

usually ldquoReceivedrdquo headers which can be used to determine the

originating IP of the message and the path taken by the message

Spam-filters or virus-scanners will usually add headers to the message to

indicate results of the tests run over the message These headers can then

be used by the receiving client to determine (based on a user-set

threshold) what to do with the message

WHY PHISHING ATTACK

Lack of Knowledge

Lack of computer system knowledge Many users lack the

underlying knowledge of how operating systems applications email and

the web work and how to distinguish among these Phishing sites exploit

this lack of knowledge in several ways For example some users do not

understand the meaning or the syntax of domain names and cannot

distinguish legitimate versus fraudulent URLs (eg they may think

wwwebay-members-securitycom belongs to wwwebaycom) Another

attack strategy forges the email header many users do not have the skills

to distinguish forged from legitimate headers

Lack of knowledge of security and security indicators Many

users do not understand security indicators For example many users do

not know that a closed padlock icon in the browser indicates that the page

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 2: Phishing

resemble authentic e-mails sent by the company that they are attempting to

impersonate

Once the users receive such emails the phishers attempt to lure them to web

sites where personal information such as credit card number and social security

numbers are required in an attempt to hack into the usersrsquo accounts The so-

called ldquophishersrdquo try to steal usernames and passwords for identity and banking

theft

Companies such as PayPal eBay Amazon and most of the banks have been the

biggest target for phishing attacks

LITERATURE REVIEW

The first phishing attempt occurred in January 1996 A hacker who was

attempting to steal accounts from unexpected AOL Members coined the term

phishing

Comparison to Spam

The purpose of a phishing message is to acquire sensitive information about a

user In order to do so the message needs to deceive the intended recipient into

believing it is from a legitimate organization As a form of deception a phishing

message contains no useful information for the intended recipient and thus falls

under the category of spam Although phishing is categorized as spam it also

differs from spam Amongst other things spam tries to sell a product or service

while a phishing message needs to look like it is from a legitimate organization

Due to the similarity between phishing and legitimate messages techniques that

are applied to spam messages cannot be applied naively to phishing messages

For example text-based classification can perform reasonably well in identifying

spam but as a phishing message is forged to look like a message from a legitimate

organization text-based classification applied naively to a phishing message will

have a high miss rate

Anatomy of a phishing message

A raw phishing message can be split into two components the content and the

headers These components are commonly accepted as being the major

components of a message

Content

The content is the part of the message that the user sees and is used by phishing

message producers to deceive users It can be subdivided into two parts

The cover is the content which is made to look like a message from the

legitimate organization and usually informs the user of a problem with

their account Early phishing messages could be identified based only on

their cover due to imperfect grammar or spelling mistakes (which are

uncommon in legitimate messages) Over time the covers used in phishing

messages have become more sophisticated to the point where they even

warn the users about protecting their password and avoiding fraud An

example of this can be seen in Figure below where the phishing message

tells the victim to ldquoProtect Your Account Infordquo by making sure ldquoyou never

provide your password to fraudulent websitesrdquo

The sting is the part of the content that directs the victim to take

remedial actions It usually takes the form of a clickable URL that directs the

victim to a fake website to log into their account or enter other personal

details We call this the sting as this is the part of the content that inflicts

pain by means of financial loss or other undesirable action after the victim

enters their details on the website Typically the sting is hidden by using

HTML to display a legitimate looking address instead of the address of the

fake website An example of this is shown in above Figure where the

address of the fake website is httpwwwnutristorecomaurhtm and

the corresponding displayed text is a legitimate looking

httpswww2paypalcomcgi-bincmd= login

Headers

The headers are the part of the message which is primarily used by the mail

servers and the mail client to determine where the message is going and how to

unpack the message Most users do not see these headers but in terms of

determining if a message is phishing or not this part of the message can be quite

useful Headers can be subdivided into three parts based on the entities which

add them to the message

Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo

and some client specific headers Examples of mail client headers are X-

MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above

figure Phishing messages may try to fake a particular header and in doing

so give away that the message is fake For example if the X-Mailer header

indicates that a HTML message has been composed using MS Outlook but

the message only contains HTML (without plaintext) this is an indication

that the message is fake as MS Outlook cannot send HTML only messages

Mail relays will add headers along the path of the message These are

usually ldquoReceivedrdquo headers which can be used to determine the

originating IP of the message and the path taken by the message

Spam-filters or virus-scanners will usually add headers to the message to

indicate results of the tests run over the message These headers can then

be used by the receiving client to determine (based on a user-set

threshold) what to do with the message

WHY PHISHING ATTACK

Lack of Knowledge

Lack of computer system knowledge Many users lack the

underlying knowledge of how operating systems applications email and

the web work and how to distinguish among these Phishing sites exploit

this lack of knowledge in several ways For example some users do not

understand the meaning or the syntax of domain names and cannot

distinguish legitimate versus fraudulent URLs (eg they may think

wwwebay-members-securitycom belongs to wwwebaycom) Another

attack strategy forges the email header many users do not have the skills

to distinguish forged from legitimate headers

Lack of knowledge of security and security indicators Many

users do not understand security indicators For example many users do

not know that a closed padlock icon in the browser indicates that the page

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 3: Phishing

under the category of spam Although phishing is categorized as spam it also

differs from spam Amongst other things spam tries to sell a product or service

while a phishing message needs to look like it is from a legitimate organization

Due to the similarity between phishing and legitimate messages techniques that

are applied to spam messages cannot be applied naively to phishing messages

For example text-based classification can perform reasonably well in identifying

spam but as a phishing message is forged to look like a message from a legitimate

organization text-based classification applied naively to a phishing message will

have a high miss rate

Anatomy of a phishing message

A raw phishing message can be split into two components the content and the

headers These components are commonly accepted as being the major

components of a message

Content

The content is the part of the message that the user sees and is used by phishing

message producers to deceive users It can be subdivided into two parts

The cover is the content which is made to look like a message from the

legitimate organization and usually informs the user of a problem with

their account Early phishing messages could be identified based only on

their cover due to imperfect grammar or spelling mistakes (which are

uncommon in legitimate messages) Over time the covers used in phishing

messages have become more sophisticated to the point where they even

warn the users about protecting their password and avoiding fraud An

example of this can be seen in Figure below where the phishing message

tells the victim to ldquoProtect Your Account Infordquo by making sure ldquoyou never

provide your password to fraudulent websitesrdquo

The sting is the part of the content that directs the victim to take

remedial actions It usually takes the form of a clickable URL that directs the

victim to a fake website to log into their account or enter other personal

details We call this the sting as this is the part of the content that inflicts

pain by means of financial loss or other undesirable action after the victim

enters their details on the website Typically the sting is hidden by using

HTML to display a legitimate looking address instead of the address of the

fake website An example of this is shown in above Figure where the

address of the fake website is httpwwwnutristorecomaurhtm and

the corresponding displayed text is a legitimate looking

httpswww2paypalcomcgi-bincmd= login

Headers

The headers are the part of the message which is primarily used by the mail

servers and the mail client to determine where the message is going and how to

unpack the message Most users do not see these headers but in terms of

determining if a message is phishing or not this part of the message can be quite

useful Headers can be subdivided into three parts based on the entities which

add them to the message

Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo

and some client specific headers Examples of mail client headers are X-

MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above

figure Phishing messages may try to fake a particular header and in doing

so give away that the message is fake For example if the X-Mailer header

indicates that a HTML message has been composed using MS Outlook but

the message only contains HTML (without plaintext) this is an indication

that the message is fake as MS Outlook cannot send HTML only messages

Mail relays will add headers along the path of the message These are

usually ldquoReceivedrdquo headers which can be used to determine the

originating IP of the message and the path taken by the message

Spam-filters or virus-scanners will usually add headers to the message to

indicate results of the tests run over the message These headers can then

be used by the receiving client to determine (based on a user-set

threshold) what to do with the message

WHY PHISHING ATTACK

Lack of Knowledge

Lack of computer system knowledge Many users lack the

underlying knowledge of how operating systems applications email and

the web work and how to distinguish among these Phishing sites exploit

this lack of knowledge in several ways For example some users do not

understand the meaning or the syntax of domain names and cannot

distinguish legitimate versus fraudulent URLs (eg they may think

wwwebay-members-securitycom belongs to wwwebaycom) Another

attack strategy forges the email header many users do not have the skills

to distinguish forged from legitimate headers

Lack of knowledge of security and security indicators Many

users do not understand security indicators For example many users do

not know that a closed padlock icon in the browser indicates that the page

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 4: Phishing

A raw phishing message can be split into two components the content and the

headers These components are commonly accepted as being the major

components of a message

Content

The content is the part of the message that the user sees and is used by phishing

message producers to deceive users It can be subdivided into two parts

The cover is the content which is made to look like a message from the

legitimate organization and usually informs the user of a problem with

their account Early phishing messages could be identified based only on

their cover due to imperfect grammar or spelling mistakes (which are

uncommon in legitimate messages) Over time the covers used in phishing

messages have become more sophisticated to the point where they even

warn the users about protecting their password and avoiding fraud An

example of this can be seen in Figure below where the phishing message

tells the victim to ldquoProtect Your Account Infordquo by making sure ldquoyou never

provide your password to fraudulent websitesrdquo

The sting is the part of the content that directs the victim to take

remedial actions It usually takes the form of a clickable URL that directs the

victim to a fake website to log into their account or enter other personal

details We call this the sting as this is the part of the content that inflicts

pain by means of financial loss or other undesirable action after the victim

enters their details on the website Typically the sting is hidden by using

HTML to display a legitimate looking address instead of the address of the

fake website An example of this is shown in above Figure where the

address of the fake website is httpwwwnutristorecomaurhtm and

the corresponding displayed text is a legitimate looking

httpswww2paypalcomcgi-bincmd= login

Headers

The headers are the part of the message which is primarily used by the mail

servers and the mail client to determine where the message is going and how to

unpack the message Most users do not see these headers but in terms of

determining if a message is phishing or not this part of the message can be quite

useful Headers can be subdivided into three parts based on the entities which

add them to the message

Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo

and some client specific headers Examples of mail client headers are X-

MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above

figure Phishing messages may try to fake a particular header and in doing

so give away that the message is fake For example if the X-Mailer header

indicates that a HTML message has been composed using MS Outlook but

the message only contains HTML (without plaintext) this is an indication

that the message is fake as MS Outlook cannot send HTML only messages

Mail relays will add headers along the path of the message These are

usually ldquoReceivedrdquo headers which can be used to determine the

originating IP of the message and the path taken by the message

Spam-filters or virus-scanners will usually add headers to the message to

indicate results of the tests run over the message These headers can then

be used by the receiving client to determine (based on a user-set

threshold) what to do with the message

WHY PHISHING ATTACK

Lack of Knowledge

Lack of computer system knowledge Many users lack the

underlying knowledge of how operating systems applications email and

the web work and how to distinguish among these Phishing sites exploit

this lack of knowledge in several ways For example some users do not

understand the meaning or the syntax of domain names and cannot

distinguish legitimate versus fraudulent URLs (eg they may think

wwwebay-members-securitycom belongs to wwwebaycom) Another

attack strategy forges the email header many users do not have the skills

to distinguish forged from legitimate headers

Lack of knowledge of security and security indicators Many

users do not understand security indicators For example many users do

not know that a closed padlock icon in the browser indicates that the page

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 5: Phishing

The cover is the content which is made to look like a message from the

legitimate organization and usually informs the user of a problem with

their account Early phishing messages could be identified based only on

their cover due to imperfect grammar or spelling mistakes (which are

uncommon in legitimate messages) Over time the covers used in phishing

messages have become more sophisticated to the point where they even

warn the users about protecting their password and avoiding fraud An

example of this can be seen in Figure below where the phishing message

tells the victim to ldquoProtect Your Account Infordquo by making sure ldquoyou never

provide your password to fraudulent websitesrdquo

The sting is the part of the content that directs the victim to take

remedial actions It usually takes the form of a clickable URL that directs the

victim to a fake website to log into their account or enter other personal

details We call this the sting as this is the part of the content that inflicts

pain by means of financial loss or other undesirable action after the victim

enters their details on the website Typically the sting is hidden by using

HTML to display a legitimate looking address instead of the address of the

fake website An example of this is shown in above Figure where the

address of the fake website is httpwwwnutristorecomaurhtm and

the corresponding displayed text is a legitimate looking

httpswww2paypalcomcgi-bincmd= login

Headers

The headers are the part of the message which is primarily used by the mail

servers and the mail client to determine where the message is going and how to

unpack the message Most users do not see these headers but in terms of

determining if a message is phishing or not this part of the message can be quite

useful Headers can be subdivided into three parts based on the entities which

add them to the message

Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo

and some client specific headers Examples of mail client headers are X-

MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above

figure Phishing messages may try to fake a particular header and in doing

so give away that the message is fake For example if the X-Mailer header

indicates that a HTML message has been composed using MS Outlook but

the message only contains HTML (without plaintext) this is an indication

that the message is fake as MS Outlook cannot send HTML only messages

Mail relays will add headers along the path of the message These are

usually ldquoReceivedrdquo headers which can be used to determine the

originating IP of the message and the path taken by the message

Spam-filters or virus-scanners will usually add headers to the message to

indicate results of the tests run over the message These headers can then

be used by the receiving client to determine (based on a user-set

threshold) what to do with the message

WHY PHISHING ATTACK

Lack of Knowledge

Lack of computer system knowledge Many users lack the

underlying knowledge of how operating systems applications email and

the web work and how to distinguish among these Phishing sites exploit

this lack of knowledge in several ways For example some users do not

understand the meaning or the syntax of domain names and cannot

distinguish legitimate versus fraudulent URLs (eg they may think

wwwebay-members-securitycom belongs to wwwebaycom) Another

attack strategy forges the email header many users do not have the skills

to distinguish forged from legitimate headers

Lack of knowledge of security and security indicators Many

users do not understand security indicators For example many users do

not know that a closed padlock icon in the browser indicates that the page

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 6: Phishing

The sting is the part of the content that directs the victim to take

remedial actions It usually takes the form of a clickable URL that directs the

victim to a fake website to log into their account or enter other personal

details We call this the sting as this is the part of the content that inflicts

pain by means of financial loss or other undesirable action after the victim

enters their details on the website Typically the sting is hidden by using

HTML to display a legitimate looking address instead of the address of the

fake website An example of this is shown in above Figure where the

address of the fake website is httpwwwnutristorecomaurhtm and

the corresponding displayed text is a legitimate looking

httpswww2paypalcomcgi-bincmd= login

Headers

The headers are the part of the message which is primarily used by the mail

servers and the mail client to determine where the message is going and how to

unpack the message Most users do not see these headers but in terms of

determining if a message is phishing or not this part of the message can be quite

useful Headers can be subdivided into three parts based on the entities which

add them to the message

Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo

and some client specific headers Examples of mail client headers are X-

MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above

figure Phishing messages may try to fake a particular header and in doing

so give away that the message is fake For example if the X-Mailer header

indicates that a HTML message has been composed using MS Outlook but

the message only contains HTML (without plaintext) this is an indication

that the message is fake as MS Outlook cannot send HTML only messages

Mail relays will add headers along the path of the message These are

usually ldquoReceivedrdquo headers which can be used to determine the

originating IP of the message and the path taken by the message

Spam-filters or virus-scanners will usually add headers to the message to

indicate results of the tests run over the message These headers can then

be used by the receiving client to determine (based on a user-set

threshold) what to do with the message

WHY PHISHING ATTACK

Lack of Knowledge

Lack of computer system knowledge Many users lack the

underlying knowledge of how operating systems applications email and

the web work and how to distinguish among these Phishing sites exploit

this lack of knowledge in several ways For example some users do not

understand the meaning or the syntax of domain names and cannot

distinguish legitimate versus fraudulent URLs (eg they may think

wwwebay-members-securitycom belongs to wwwebaycom) Another

attack strategy forges the email header many users do not have the skills

to distinguish forged from legitimate headers

Lack of knowledge of security and security indicators Many

users do not understand security indicators For example many users do

not know that a closed padlock icon in the browser indicates that the page

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 7: Phishing

address of the fake website is httpwwwnutristorecomaurhtm and

the corresponding displayed text is a legitimate looking

httpswww2paypalcomcgi-bincmd= login

Headers

The headers are the part of the message which is primarily used by the mail

servers and the mail client to determine where the message is going and how to

unpack the message Most users do not see these headers but in terms of

determining if a message is phishing or not this part of the message can be quite

useful Headers can be subdivided into three parts based on the entities which

add them to the message

Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo

and some client specific headers Examples of mail client headers are X-

MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above

figure Phishing messages may try to fake a particular header and in doing

so give away that the message is fake For example if the X-Mailer header

indicates that a HTML message has been composed using MS Outlook but

the message only contains HTML (without plaintext) this is an indication

that the message is fake as MS Outlook cannot send HTML only messages

Mail relays will add headers along the path of the message These are

usually ldquoReceivedrdquo headers which can be used to determine the

originating IP of the message and the path taken by the message

Spam-filters or virus-scanners will usually add headers to the message to

indicate results of the tests run over the message These headers can then

be used by the receiving client to determine (based on a user-set

threshold) what to do with the message

WHY PHISHING ATTACK

Lack of Knowledge

Lack of computer system knowledge Many users lack the

underlying knowledge of how operating systems applications email and

the web work and how to distinguish among these Phishing sites exploit

this lack of knowledge in several ways For example some users do not

understand the meaning or the syntax of domain names and cannot

distinguish legitimate versus fraudulent URLs (eg they may think

wwwebay-members-securitycom belongs to wwwebaycom) Another

attack strategy forges the email header many users do not have the skills

to distinguish forged from legitimate headers

Lack of knowledge of security and security indicators Many

users do not understand security indicators For example many users do

not know that a closed padlock icon in the browser indicates that the page

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 8: Phishing

Spam-filters or virus-scanners will usually add headers to the message to

indicate results of the tests run over the message These headers can then

be used by the receiving client to determine (based on a user-set

threshold) what to do with the message

WHY PHISHING ATTACK

Lack of Knowledge

Lack of computer system knowledge Many users lack the

underlying knowledge of how operating systems applications email and

the web work and how to distinguish among these Phishing sites exploit

this lack of knowledge in several ways For example some users do not

understand the meaning or the syntax of domain names and cannot

distinguish legitimate versus fraudulent URLs (eg they may think

wwwebay-members-securitycom belongs to wwwebaycom) Another

attack strategy forges the email header many users do not have the skills

to distinguish forged from legitimate headers

Lack of knowledge of security and security indicators Many

users do not understand security indicators For example many users do

not know that a closed padlock icon in the browser indicates that the page

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 9: Phishing

they are viewing was delivered securely by SSL Even if they understand the

meaning of that icon users can be fooled by its placement within the body

of a web page (this confusion is not aided by the fact that competing

browsers use different icons and place them in different parts of their

display) More generally users may not be aware that padlock icons appear

in the browser ldquochromerdquo (the interface constructed by the browser around

a web page eg toolbars windows address bar status bar) only under

specific conditions (ie when SSL is used) while icons in the content of the

web page can be placed there arbitrarily by designers (or by phishers) to

induce trust Attackers can also exploit usersrsquo lack of understanding of the

verification process for SSL certificates Most users do not know how to

check SSL certificates in the browser or understand the information

presented in a certificate In one spoofing strategy a rogue site displays a

certificate authoritys (CA) trust seal that links to a CA webpage This

webpage provides an English language description and verification of the

legitimate sitersquos certificate Only the most informed and diligent users

would know to check that the URL of the originating site and the legitimate

site described by the CA match

Lack of knowledge of web fraud Some users donrsquot know that

spoofing websites is possible Without awareness phishing is possible

some users simply do not question website legitimacy

Erroneous security knowledge Some users have misconceptions

about which website features indicate security For example participants

assumed that if websites contained professional-looking images

animations and ads they assumed the sites were legitimate (influenced by

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 10: Phishing

well-known trust indicators discussed below) Similarly dedicated login

pages from banks were less trusted than those originating from a

homepage several participants mentioned a lack of images and links as a

reason for their distrust

Visual Deception

Phishers use visual deception tricks to mimic legitimate text images and

windows

Visually deceptive text Users may be fooled by the syntax of a

domain name in ldquotype jackingrdquo attacks which substitute letters that may

go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks

similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo

for the letter ldquolrdquo) Phishers have also taken advantage of non-printing

characters and non-ASCII Unicode characters in domain names

Images masking underlying text One common technique used by

phishers is to use an image of a legitimate hyperlink The image itself

serves as a hyperlink to a different rogue site

Images mimicking windows Phishers use images in the content of a

web page that mimic browser windows or For user convenience some

legitimate organizations allow users to login from non-SSL pages Although

the user data may be transmitted securely there is no visual cue in the

browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this

designers resort to placing a padlock icon in the page content a tactic that

phishers also exploit or dialog windows Because the image looks exactly

like a real window a user can be fooled unless he tries to move or resize

the image

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 11: Phishing

Windows masking underlying windows A common phishing

technique is to place an illegitimate browser window on top of or next to

a legitimate window If they have the same look and feel users may

mistakenly believe that both windows are from the same source

regardless of variations in address or security indicators In the worst case

a user may not even notice that a second window exists (browsers that

allow borderless pop-up windows aggravate the problem)

Deceptive look and feel If images and logos are copied perfectly

sometimes the only cues that are available to the user are the tone of the

language misspellings or other signs of unprofessional design If the

phishing site closely mimics the target site the only cue to the user might

be the type and quantity of requested personal information

WHAT SHOULD BE DONE TO FIGHT

PHISHING(ANTI-PHISHING)

Phishing needs to be followed in a managerial way within the network and its

components such as servers PCs operating systems browsers and other

applications that run off a connection

As considering the danger of both false negative where firewall packet

inspection fails to identify a phishing site and false positive where firewall packet

inspection wrongly rejects the valid sites it is important to minimize these risks

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 12: Phishing

Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they

are fraud e-mails before adding them to the blacklist Even then sites that are

concerned can be reconsidered and later removed from the list

Another way of solving this problem can be in a technical way by using a

biometric check up Biometrics refers to technologies that analyze an individualrsquos

physical and behavioral characteristics to automate identification or verification

of the user

To avoid the risk of being locked in by phishers here are few tips

bull Be extremely suspicious of any e-mails with urgent

requests for personal information

bull Do not fill out any forms in e-mail messages especially

from banks

bull Do not use the links that are provided in the e-mails this

can cause installing any malicious malware on your

computer Instead contact the company over the phone

to solve any problems

bull Do not give your credit card numbers or account

information unless you are using a secure Web site or

the telephone If you are using a Web site check the

beginning of the web address in your browsersrsquo address

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 13: Phishing

bar A secure site should up as ldquohttpsrdquo instead of just

http

Verify the real address of a web site Cut and paste the

following text into your browser address bar

javascriptalert(The actual URL of this site has been verified

as + location protocol + + location hostname +)

Ensure that your browser and OS software is up-to-date and

that latest security patches are applied

Possible ways of by-passing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML AntiPhish can

easily mitigate phishing attacks This is because the attacker can only steal the

sensitive information in the page after the user performs a submit Before this can

happen however AntiPhish detects that sensitive information has been typed

into a form and cancels the operation Stopping a phishing attack in an HTML

page that has JavaScript on the other hand is not that easy and special care has

to be taken JavaScript is a powerful language that is widely used in webpage for

providing functionality such as submitting forms opening windows intercepting

events and performing input validity checks At the same time however

JavaScript gives the attacker a wide range of possibilities for by-passing a

monitoring application such as AntiPhish Just as AntiPhish creates hooks for

intercepting user generated events such as key strokes the attacker can also

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 14: Phishing

create such hooks using JavaScript embedded into the HTML page Instead of

waiting for the user to press a submit button to send the information the attacker

could intercept the keys that are pressed and send the information character by

character to a server of her choice Typically this is done by modifying the URL of

an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas

been pressed an image URL may be set to httpattackercomkeya)

Another possibility for the attacker could be to set a simple timer and to capture

ldquosnapshotsrdquo of the information in the forms In this way an important part of the

information could be captured without the user ever hitting a submit button The

easiest solution to the JavaScript problem is to deactivate JavaScript on a page

that contains forms Unfortunately this solution is not feasible because as

mentioned before a large number of Web sites use JavaScript for validation and

submission purposes The solution we use in AntiPhish is to deactivate

JavaScript every time the focus is on an HTML text element and to reactivate it

whenever the focus is lost Using this technique we ensure that the attacker is

not able to create hooks timers and intercept browser events such as key presses

while the user is typing information into a text field At the same time we ensure

that the legitimate JavaScript functionality on a page (eg such as input validation

routines) are preserved By the time the focus is lost from the text element and

Java script is reactivated AntiPhish has already determined if the information that

was typed into the text element is sensitive If the web site is un trusted the

operation can be canceled One side-effect of our approach is that legitimate

event-based Java script functionality such as input validation based on key presses

will not function The use of key press events for input validation however is

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 15: Phishing

uncommon Most web sites perform client-side input validation once before a

form is submitted

Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie

plug-in)Mozilla browser extensions are written using the Mozilla XML User-

Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish

has a small footprint and consists of about 900 lines of JavaScript code and 200

lines of XUL user interface code We used Paul Terorsquos JavaScript DES

implementation for safely storing the sensitive information

ANALYSIS OF A PHISHING DATABASE

The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)

Uses a digital signature to bind together a public key with an identity If the

browser encounters a certificate that has not been signed by a trusted

certificate authority it issues a warning to the user Some organizations

create and sign their own self signed

Certificates If a browser encounters a self-signed certificate it issues a

warning and allows the user to decide whether to accept the certificate

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 16: Phishing

Certificate Authority (CA)

An entity that issues certificates and attests that a public key belongs to a

particular identity A list of trusted CAs is stored in the browser A certificate

may be issued to a fraudulent website by a CA without a rigorous verification

process

HTTPS

Web browsers use HTTPS rather than HTTP as a prefix to the URL to

indicate that HTTP is sent over SSLTLS

Secure Sockets Layer (SSL) and Transport Layer Security

(TLS)

Cryptographic protocols used to provide authentication and secure

communications over the Internet SSLTLS authenticates a server by

verifying that the server holds a certificate that has been digitally signed by

a trusted certificate authority SSLTLS also allows the client and server to

agree on an encryption algorithm for securing communications

CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker

Digital Certificates

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 17: Phishing

Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user

Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official

The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication

The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 18: Phishing

The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person

concernedThe appropriategovernment agency

Anyone undertaking anidentity check

Accreditation A qualified memberof a profession

The professionalbody

A user of the servicesoffered by the member

Authorization A customer wishing to access a resource

The resource owner The resource owner

Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 19: Phishing

Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions

Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 20: Phishing

signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server

The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates

With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 21: Phishing

RECOMMENDATION

It is very important to reduce the risk of phishing in todayrsquos business because

hackers need to stay out of companiesrsquo databases Todayrsquos education is not

enough since phishes are getting better each day and coming with newer trends

to catch innocent customers

The real problem of phishing is because the login systems are very weak and thus

they need to be tighter when it comes to userrsquos authentication The companies

could increase their cryptographic system protection by using more IPSec VPNs

and digital certificates The use of IPSec VPNs customers will need to establish

digital certificates from a certificate authority as well as the merchant Recently

while doing this research we came through an article from PayPal where they are

convincing email providers to block messages that lack digital signatures

The reason for this is that PayPal is known as one of the most highly spoofed

brands that fraudsterrsquos uses today This is a very good idea and a good way to

keep hackers out of PayPal databases As a matter of fact not only PayPal but also

every company that conducts business should come up with a similar strategy like

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 22: Phishing

this Using strategies similar to this will help customers to gain confidence in

doing business and dealing with money issues In addition well-known companies

should increase user awareness by education training and working with FBI to

track down phishers

CONCLUSION

In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users

REFERENCES

[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior

Page 23: Phishing

2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom

[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior