Phishing
The outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is very important for companies to come up with new ways to solve phishing problems, because phishing can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects of, and play an important role in, combating phishing, because it provides different steps to authenticate users.
INTRODUCTION
Phishing is the practice where criminals send out unsolicited commercial e-mails, masquerading as valid authorities by using logos and other formatting to resemble authentic e-mails sent by the company that they are attempting to impersonate.
Once users receive such e-mails, the phishers attempt to lure them to web sites where personal information such as credit card numbers and social security numbers is requested, in an attempt to break into the users' accounts. The so-called phishers try to steal usernames and passwords for identity and banking theft.
Companies such as PayPal, eBay, Amazon, and most banks have been the biggest targets for phishing attacks.
LITERATURE REVIEW
The first phishing attempt occurred in January 1996. A hacker who was attempting to steal accounts from unsuspecting AOL members coined the term phishing.
Comparison to Spam
The purpose of a phishing message is to acquire sensitive information about a user. In order to do so, the message needs to deceive the intended recipient into believing it is from a legitimate organization. As a form of deception, a phishing message contains no useful information for the intended recipient and thus falls under the category of spam. Although phishing is categorized as spam, it also differs from spam. Amongst other things, spam tries to sell a product or service, while a phishing message needs to look like it is from a legitimate organization. Due to the similarity between phishing and legitimate messages, techniques that are applied to spam messages cannot be applied naively to phishing messages. For example, text-based classification can perform reasonably well in identifying spam, but as a phishing message is forged to look like a message from a legitimate organization, text-based classification applied naively to a phishing message will have a high miss rate.
A raw phishing message can be split into two components: the content and the headers. These components are commonly accepted as being the major components of a message.
Content: The content is the part of the message that the user sees and is used by phishing message producers to deceive users. It can be subdivided into two parts.
• The cover is the content which is made to look like a message from the legitimate organization, and usually informs the user of a problem with their account. Early phishing messages could be identified based only on their cover, due to imperfect grammar or spelling mistakes (which are uncommon in legitimate messages). Over time, the covers used in phishing messages have become more sophisticated, to the point where they even warn users about protecting their password and avoiding fraud. An example of this can be seen in the figure, where the phishing message tells the victim to "Protect Your Account Info by making sure you never provide your password to fraudulent websites".
• The sting is the part of the content that directs the victim to take remedial action. It usually takes the form of a clickable URL that directs the victim to a fake website to log into their account or enter other personal details. We call this the sting, as this is the part of the content that inflicts pain, by means of financial loss or other undesirable action after the victim enters their details on the website. Typically the sting is hidden by using HTML to display a legitimate-looking address instead of the address of the fake website. An example of this is shown in the figure, where the address of the fake website is http://www.nutristore.com.au/r.htm and the corresponding displayed text is a legitimate-looking https://www2.paypal.com/cgi-bin/?cmd=login.
Headers
The headers are the part of the message which is primarily used by the mail servers and the mail client to determine where the message is going and how to unpack the message. Most users do not see these headers, but in terms of determining if a message is phishing or not, this part of the message can be quite useful. Headers can be subdivided into three parts based on the entities which add them to the message:
• Mail clients typically add headers such as To:, From:, Subject: and some client-specific headers. Examples of mail client headers are X-MSMail-Priority, X-Mailer, and X-MimeOLE, and they can be seen in the figure. Phishing messages may try to fake a particular header and, in doing so, give away that the message is fake. For example, if the X-Mailer header indicates that an HTML message has been composed using MS Outlook but the message only contains HTML (without plaintext), this is an indication that the message is fake, as MS Outlook cannot send HTML-only messages.
• Mail relays will add headers along the path of the message. These are usually Received headers, which can be used to determine the
• Spam filters or virus scanners will usually add headers to the message to indicate the results of the tests run over the message. These headers can then be used by the receiving client to determine (based on a user-set threshold) what to do with the message.
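The sting check and the X-Mailer consistency check described above can be applied mechanically. The following is an added example, not code from the paper, that runs both heuristics over a constructed message built from the URLs and header names quoted in this section; the header parser, the hostname comparison and the sample message itself are assumptions of the example.

```javascript
// Added example: two phishing-message heuristics from the text, run over a
// constructed sample. Not code from the original paper.

// Constructed sample message. The sting URLs and the X-Mailer / X-MSMail-Priority
// header names come from the paper's description; everything else is made up.
const SAMPLE_MESSAGE = [
  'From: "PayPal" <service@paypal.example>',
  'To: victim@example.org',
  'Subject: Protect Your Account Info',
  'X-Mailer: Microsoft Outlook Express 6.00.2800.1158',
  'X-MSMail-Priority: High',
  'Content-Type: text/html; charset="iso-8859-1"',
  '',
  '<html><body><p>Never provide your password to fraudulent websites.</p>',
  '<a href="http://www.nutristore.com.au/r.htm">https://www2.paypal.com/cgi-bin/?cmd=login</a>',
  '</body></html>',
].join('\r\n');

// Split a raw RFC 822 style message into a lowercase header map and a body.
function parseMessage(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const headerText = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const headers = new Map();
  // Unfold continuation lines (leading whitespace) before splitting on CRLF.
  for (const line of headerText.replace(/\r\n[ \t]+/g, ' ').split('\r\n')) {
    const colon = line.indexOf(':');
    if (colon > 0) {
      headers.set(line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim());
    }
  }
  return { headers, body };
}

// Hostname of a string if it parses as an absolute URL, otherwise null.
function hostOf(text) {
  try { return new URL(text.trim()).hostname.toLowerCase(); } catch { return null; }
}

// The sting: anchors whose visible text is itself a URL, but one whose host
// differs from the host the href actually points at.
function findStingLinks(html) {
  const findings = [];
  const anchor = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const actual = hostOf(m[1]);
    const shown = hostOf(m[2].replace(/<[^>]+>/g, ''));
    if (actual && shown && actual !== shown) findings.push({ shown, actual });
  }
  return findings;
}

// Header/body mismatch from the text: an X-Mailer claiming MS Outlook on a
// message whose body is HTML only (no multipart/alternative with a plain part).
function mailerClaimMismatch(headers) {
  const mailer = (headers.get('x-mailer') || '').toLowerCase();
  const ctype = (headers.get('content-type') || '').toLowerCase();
  return mailer.includes('outlook') && ctype.startsWith('text/html');
}

// Run both heuristics and return human-readable findings.
function analyze(raw) {
  const { headers, body } = parseMessage(raw);
  const findings = findStingLinks(body).map(f => `sting: shows ${f.shown}, links to ${f.actual}`);
  if (mailerClaimMismatch(headers)) findings.push('header: Outlook X-Mailer but HTML-only body');
  return findings;
}
```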
Lack of Knowledge
• Lack of computer system knowledge: Many users lack the underlying knowledge of how operating systems, applications, email and the web work, and how to distinguish among these. Phishing sites exploit this lack of knowledge in several ways. For example, some users do not understand the meaning or the syntax of domain names and cannot distinguish legitimate from fraudulent URLs (e.g., they may think www.ebaymembers-security.com belongs to www.ebay.com). Another attack strategy forges the email header; many users do not have the skills to distinguish forged from legitimate headers.
• Lack of knowledge of security and security indicators: Many users do not understand security indicators. For example, many users do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL. Even if they understand the meaning of that icon, users can be fooled by its placement within the body of a web page (this confusion is not aided by the fact that competing browsers use different icons and place them in different parts of their display). More generally, users may not be aware that padlock icons appear in the browser chrome (the interface constructed by the browser around a web page, e.g., toolbars, windows, address bar, status bar) only under specific conditions (i.e., when SSL is used), while icons in the content of the web page can be placed there arbitrarily by designers (or by phishers) to induce trust. Attackers can also exploit users' lack of understanding of the verification process for SSL certificates. Most users do not know how to check SSL certificates in the browser or understand the information presented in a certificate. In one spoofing strategy, a rogue site displays a certificate authority's (CA) trust seal that links to a CA web page. This web page provides an English-language description and verification of the legitimate site's certificate. Only the most informed and diligent users would know to check that the URL of the originating site and the legitimate site described by the CA match.
• Lack of knowledge of web fraud: Some users don't know that spoofing websites is possible. Without awareness that phishing is possible, some users simply do not question website legitimacy.
• Erroneous security knowledge: Some users have misconceptions about which website features indicate security. For example, participants assumed that if websites contained professional-looking images, animations, and ads, the sites were legitimate (influenced by well-known trust indicators, discussed below). Similarly, dedicated login pages from banks were less trusted than those originating from a homepage; several participants mentioned a lack of images and links as a reason for their distrust.
Visual Deception
Phishers use visual deception tricks to mimic legitimate text, images and windows.
• Visually deceptive text: Users may be fooled by the syntax of a domain name in typejacking attacks, which substitute letters that may go unnoticed (e.g., www.paypai.com uses a lowercase i, which looks similar to the letter l, and www.paypa1.com substitutes the number 1 for the letter l). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names.
• Images masking underlying text: One common technique used by phishers is to use an image of a legitimate hyperlink. The image itself serves as a hyperlink to a different, rogue site.
• Images mimicking windows: Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless he tries to move or resize the image. (Note: for user convenience, some legitimate organizations allow users to log in from non-SSL pages. Although the user data may be transmitted securely, there is no visual cue in the browser to indicate whether SSL is used for form submissions. To remedy this, designers resort to placing a padlock icon in the page content, a tactic that phishers also exploit.)
• Windows masking underlying windows: A common phishing technique is to place an illegitimate browser window on top of, or next to, a legitimate window. If they have the same look and feel, users may mistakenly believe that both windows are from the same source, regardless of variations in address or security indicators. In the worst case, a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).
• Deceptive look and feel: If images and logos are copied perfectly, sometimes the only cues that are available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue to the user might be the type and quantity of requested personal information.
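As an added example (not from the paper), the following JavaScript flags the deceptive-domain tricks described in this section and in the Lack of Knowledge section: the i/l and 1/l substitutions (www.paypai.com, www.paypa1.com), a brand name embedded in an unrelated domain (www.ebaymembers-security.com), and non-ASCII or punycode labels. The protected-brand list, the confusable table and the two-label "registrable domain" simplification are assumptions of the example.

```javascript
// Added example: lookalike-domain detection for the tricks the text describes.
// Not code from the original paper.

// Brands we want to protect (assumption of this demo).
const PROTECTED = ['paypal.com', 'ebay.com'];

// Visually confusable ASCII sequences mapped onto a canonical "skeleton"
// (assumed table; i, l and 1 collapse to l, 0 to o, rn to m, vv to w, 5 to s).
const CONFUSABLES = [
  [/rn/g, 'm'], [/vv/g, 'w'], [/[1i]/g, 'l'], [/0/g, 'o'], [/5/g, 's'],
];

function skeleton(label) {
  let s = label.toLowerCase();
  for (const [re, to] of CONFUSABLES) s = s.replace(re, to);
  return s;
}

// Simplification: treat the last two labels as the registrable domain
// (a real deployment would consult the Public Suffix List for .com.au etc.).
function registrable(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Classify a hostname as legitimate (exactly a protected brand), suspicious
// (imitates or embeds a brand, or uses non-ASCII/punycode) or unknown.
function classify(host) {
  const h = host.toLowerCase();
  const reg = registrable(h);
  if (PROTECTED.includes(reg)) return { host, verdict: 'legitimate', reasons: [] };
  const reasons = [];
  // Non-printing / non-ASCII Unicode or IDN (punycode) labels, as the text notes.
  if (/xn--/.test(h) || /[^\x00-\x7f]/.test(h)) reasons.push('idn-or-non-ascii');
  for (const brand of PROTECTED) {
    const brandName = brand.split('.')[0];
    if (skeleton(reg) === skeleton(brand)) {
      reasons.push(`lookalike-of:${brand}`);          // paypai.com, paypa1.com
    } else if (reg.includes(brandName) || skeleton(reg).includes(brandName)) {
      reasons.push(`embeds-brand:${brand}`);          // ebaymembers-security.com
    }
  }
  return { host, verdict: reasons.length ? 'suspicious' : 'unknown', reasons };
}
```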
ANTI-PHISHING
Phishing needs to be handled in a managerial way within the network and its components, such as servers, PCs, operating systems, browsers and other applications that run over a connection.
Considering the danger of both false negatives, where firewall packet inspection fails to identify a phishing site, and false positives, where firewall packet inspection wrongly rejects valid sites, it is important to minimize both risks.
Microsoft's anti-phishing response team analyzes sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, sites that are flagged can be reconsidered and later removed from the list.
Another way of solving this problem is a technical one: using a biometric check. Biometrics refers to technologies that analyze an individual's physical and behavioral characteristics to automate identification or verification of the user. To avoid the risk of being caught by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially ones from banks.
• Do not use the links that are provided in e-mails; this can result in malware being installed on your computer. Instead, contact the company over the phone to solve any problems.
• Do not give your credit card numbers or account information unless you are using a secure web site or the telephone. If you are using a web site, check the beginning of the web address in your browser's address bar. A secure site should show up as https:// instead of just http://.
• Verify the real address of a web site. Cut and paste the following text into your browser's address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/");
• Ensure that your browser and OS software are up to date and that the latest security patches are applied.
Possible ways of bypassing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as keystrokes, the attacker can also create such hooks using JavaScript embedded in the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically, this is done by modifying the URL of an existing or hidden image to a web site that the attacker controls (e.g., if "a" has been pressed, an image URL may be set to http://attacker.com/key?a). Another possibility for the attacker could be to set a simple timer and to capture snapshots of the information in the forms. In this way, an important part of the information could be captured without the user ever hitting a submit button.
The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately, this solution is not feasible because, as mentioned before, a large number of web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique, we ensure that the attacker is not able to create hooks or timers, or to intercept browser events such as key presses, while the user is typing information into a text field. At the same time, we ensure that the legitimate JavaScript functionality on a page (such as input validation routines) is preserved. By the time the focus leaves the text element and JavaScript is reactivated, AntiPhish has already determined whether the information that was typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side-effect of our approach is that legitimate event-based JavaScript functionality, such as input validation based on key presses, will not function. The use of key press events for input validation, however, is uncommon. Most web sites perform client-side input validation once before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e., plug-in). Mozilla browser extensions are written using the Mozilla XML User Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information.
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a Phishing Archive describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception, and lack of attention. To aid readers who are unfamiliar with the topic, we define the following security terms.
Security Terms and Definitions
Certificate (digital certificate, public key certificate):
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own self-signed certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA):
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process.
HTTPS:
Web browsers use "HTTPS", rather than "HTTP" as a prefix to the URL to indicate that HTTP is sent over SSL/TLS.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is a science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths. Although the ultimate goal of cryptography, and the mechanisms that make it up, is to hide information from unauthorized individuals, most algorithms can be broken and the information can be revealed if the attacker has enough time, desire, and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy. There are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as the user's name, and information about the organization that issued the certificate or card to the user. To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as the public key and the other as the private key. The certification authority, generally on your campus, creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for the user and then signing it to make it official. The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates, or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication. The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
Relying Parties:
Parties that validate the signature on the certificate and then rely on its contents for some purpose.
Type of Certificate   Identity                               Accreditation                                  Authorization
Requesting Party      The person concerned                   A qualified member of a profession             A customer wishing to access a resource
Issuing Party         The appropriate government agency      The professional body                          The resource owner
Verifying Party       Anyone undertaking an identity check   A user of the services offered by the member   The resource owner
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage, and revoke digital certificates; organizations called relying parties who use the certificates as indicators of authentication; and clients who request, manage, and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority that is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
Root or authority certificates: These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
Institutional authority certificates: These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their authority to issue client certificates for faculty, staff, and students.
Client certificates: These are also known as end-entity certificates, identity certificates, or personal certificates. The Issuer is typically the campus CA.
Web server certificates: These certificates are used to secure communications to and from web servers, for example when you buy something on the web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because hackers need to be kept out of companies' databases. Today's education is not enough, since phishers are getting better each day and coming up with newer trends to catch innocent customers. The real problem of phishing is that login systems are very weak, and thus they need to be tighter when it comes to user authentication. Companies could increase their cryptographic protection by using more IPSec VPNs and digital certificates. With the use of IPSec VPNs, customers will need to obtain digital certificates from a certificate authority, as will the merchant. Recently, while doing this research, we came across an article from PayPal in which they are convincing e-mail providers to block messages that lack digital signatures. The reason for this is that PayPal is known as one of the most highly spoofed brands that fraudsters use today. This is a very good idea and a good way to keep hackers out of PayPal databases. As a matter of fact, not only PayPal but every company that conducts business should come up with a similar strategy. Using strategies similar to this will help customers gain confidence in doing business and dealing with money issues. In addition, well-known companies should increase user awareness through education, training and working with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because phishing can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects of, and play an important role in, combating phishing, because it provides different steps to authenticate users.