Phishing

Phishing is a form of online identity theft in which the “attackers try to trick consumers into divulging sensitive personal information." [1] The primary technique used usually involves a fraudulent e-mail which contains a hyperlink that redirects the user to an illegitimate version of a website. Once there, the user is prompted to enter confidential information such as usernames and passwords. Once this information is submitted by the user, the information becomes successfully “phished.”

The first documented case of phishing occurred on January 2, 1996 at the alt.online-service.america-online Usernet newsgroup. [2] The word “phishing” itself comes from the analogy that cyber criminals used malicious e-mails to “phish” for passwords and financial data from a sea of Internet users. The use of “ph” in the word is mainly attributed to popular hacker naming conventions such as “phreaking” (term for the hacking of telephone systems). [2]

Contents

1. Phishing Techniques

1.1. Trojans and Worms

1.2. Spyware

1.3. Deceit

2. Phishing Targets and the Aftermath

3. Anti-Phishing

3.1. Best Practices - Corporate Businesses

3.2. Best Practices - Consumers

4. References

5. See also

Phishing Techniques

There are three principal methods of approach when conducting a phishing attack. [3] The attacker can try to install Trojan software on the victim’s computer, use deceit to convince the victim to follow certain instructions or use Spyware to intercept legitimate communications between the victim and a legitimate website. Regardless of which method is employed by the attacker, the end to end transaction of a phishing attack is as follows:

· The attacker obtains e-mail addresses of potential victims via semi-guessing or extracts them from an online directory [4]

· The attacker creates an e-mail which appears to be legitimate and sends it to the intended victims

· Depending on which method of phishing is used, the recipient of the e-mail may open a malicious attachment, complete a web-form or visit a fraudulent web site.

· The attacker obtains the victim’s confidential information and conducts some form of criminal activity with it.

There are various ways an attacker can accomplish the tasks listed above. An illustrated version (depicted in Figure 1) of a typical attack tree shows the steps which are executed by the attacker and victim during a successful phishing attack. The “start” of the attack is at the top of the figure and traverses down. The arrows are actions conducted by both the attacker and victim and are correspondingly labeled. Each rectangle contains the resource or condition that the attacker is trying to achieve. [3] If the attack is successfully conducted, then the last arrow traversal goes to the rectangle labeled “Attacker gains sensitive user information.” Otherwise (ie: attack fails), the arrow goes to the rectangle labeled “Attack fails” on its last traversal.

Trojans and Worms

Attackers may choose to use Trojan software or a worm for phishing. Both methods revolve around sending an apparently innocuous e-mail attachment (such as a screensaver or greeting card). However, the attachment is actually an executable program which captures sensitive information being sent between the victim’s computer and a legitimate website. [4] Please refer to Figure 2 for a visual depiction of how this attack takes place and for a summary of possible countermeasures.

Spyware

Spyware which has been installed by a previous worm, Trojan attack or installation of another program can be invoked when the user visits a legitimate website. Typical programs log key strokes, intercept network communications or capture entire files. [5] This information is then sent to the attacker for further analysis and exploitation. Please refer to Figure 3 for a visual depiction of how this attack takes place and for a summary of possible countermeasures.

Deceit

This is the most common method of approach adopted by attackers. The attacker simply sends a fraudulent e-mail to the intended victim and hopes that the recipient clicks on the embedded hyperlink. Once clicked, the user is redirected to a spoofed website where confidential information is released to the attacker. Since many users are becoming more aware of this phishing technique, attackers are simply relying on the law of large numbers to ensure that some of the e-mail recipients become victims. Please refer to Figure 4 for a visual depiction of how this attack takes place and for a summary of possible countermeasures.

Trojans and Worms	Spyware	Deceit

COUNTERMEASURES: Up to date Anti-virus software, host-based intrusion detection and personal firewall software	COUNTERMEASURES: Spyware detection programs Up to date Anti-virus software, host-based intrusion detection and personal firewall software	COUNTERMEASURES: SSL (Secure Socket Layer) offers minimal protection at best. Commercial privacy software which prompts the user to confirm transmission of any sensitive information
Figure 2: Visual Depiction of Phishing attack with Trojans / Worms[3]	Figure 3: Visual Depiction of Phishing attack with Spyware[3]	Figure 4: Visual Depiction of Phishing attack with Deceit[3]

Phishing Targets and the Aftermath

Typically, the targets of choice for phishing attacks have been online financial institutions and online retailers. [5] In particular, eBay’s PayPal service has been the target of choice for attackers, accounting for about 35% of all reported phishing attacks. [4] However, other businesses and banks such as UPS, BestBuy, VISA, eBay, Citibank, Huntington and the Bank of America have fallen victim to this form of cyber-crime. A recent example (February 15, 2005) is the attack on Huntington, a bank located in the United States. A phishing e-mail was sent en masse to Internet users claiming that the bank has just implemented a new security system and required the user to conduct an account verification. The attackers supposedly included a legitimate URL in the e-mail: ‘https://onlinebanking.huntington.com/login.asp’ to the bank’s online banking website. However, the link actually redirected the user to a spoofed page on an alternative server. Figures 5 and 6 show the actual phishing e-mail and website respectively.

Attacks such as these on large financial institutions are having a significant financial impact on both the businesses and the consumers. Businesses not only need to purchase insurance, but are now setting aside additional funds to actively combat this form of cyber-crime as well as handle any damages caused by a successful attack. When NatWest Bank (a large Scottish bank) became a victim of phishing, it had to incur the added expense of setting up and managing a telephone number that consumers could call. [5] When consumers become victims, attackers masquerade themselves as the victim and can steal all of the funds of a compromised account.

In terms of total damages, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims. [6]

Anti-Phishing

A variety of anti-phishing software solutions have been devised by various companies to combat the growing phishing threat. One of the most notable one’s is Passmark’s two-factor authentication system. This system is designed to prevent phishing attacks by requiring users to use two-factor authentication. “One factor is a user ID and password, and the other is an authenticating image and phrase that the participant pre-selects with a financial institution or e-business.” [7] Essentially, the authenticating image and phrase will be present in any e-mails sent by the company. The presence of these two items will be clear proof to the user that the e-mail is legitimate, and that it is safe to follow any instructions provided on the e-mail. This software solution has become so effective that the US Federal Deposit Insurance Corp. (FDIC) has offered a full recommendation for US banks to adopt it. [7] However, certain banks and e-businesses have been reluctant to do so, stating that users may be deterred to conduct online transactions due to the added effort involved.

Best Practices - Corporate Businesses

· Create corporate policies and communicate them to consumers: Businesses should create policies to address items such as what should be expected in an e-mail so that fraudulent e-mails cannot be mistaken for legitimate ones. Customers then must be educated on these policies so that they are understood and adhered to.

· Provide a method for the customer to validate the e-mail is legitimate: The customer must be given a mechanism to identify that the e-mail is legitimate. The use of software such as PassMark’s two-factor authentication system would greatly assist in achieving this goal.

· Create a dedicated taskforce for finding phishing websites: In most cases, the fraudulent website appears on the Internet several days before the launch of the phishing e-mails. [3] Users can then be notified about these sites.

· Implement anti-virus and content filtering software at the Internet Gateway: Gateway anti-virus scanning provides an additional layer of defense against Trojans and Worms. Software solutions can also be utilized to filter and block phishing sites at the gateway. Gateway anti-spam filtering also helps users avoid receiving phishing e-mails.

Best Practices – Consumers

· Implement anti-spam filters for all e-mail accounts: Turn on spam detector features for all e-mail accounts. This is the first line of defence and can essentially prevent phishing e-mail from every being opened. However, these filters are not fool proof, requiring the user to exercise some caution as well.

· Implement up to date anti-virus/ anti-spyware software: Phishing attacks using Trojans or Worms can be detected and removed by many anti-virus software solutions before they can do any harm. Even ehwn spyware has been installed on the system, most anti-spyware software can remove them from the victim’s system.

· Block automatic delivery of sensitive information: Turn on the internet browser features which require the user to approve transmission of sensitive information. Most browsers have popup prompt boxes which require the user’s acknowledgement before transmitting the information.

· Be suspicious: The safest way to prevent becoming a victim of phishing is to be on guard for malicious e-mails. If the legitimacy of an e-mail cannot be immediately verified, contact the business which allegedly sent it via a previously verified communication channel. In general, if the e-mail looks suspicious, it is probably malicious.

References

Larcom, Guy, and A.j. Elbirt. "Gone Phishing." IEEE Technology and Society Magazine (2006): 52-56.
Ollmann, Gunter. “Phishing History.” Phishing – Understanding and Preventing Phishing Attacks. 2005. 24 Mar. 2007 <http://www.technicalinfo.net/papers/Phishing2.html>
Tally, Greg, Roshan Thomas, and Tom Van Vleck. Anti-Phishing: Best Practices for Institutions and Consumers. McAfee Research. Santa Clara: McAfee Inc., 2004. 1-28. 24 Mar. 2007 <http://www.antiphishing.org/sponsors_technical_papers/Anti-Phishing_Best_Practices_for_Institutions_Consumer0904.pdf>
Hinde, Stephen. "All You Need to Be a Phisherman is Patience and a Worm." Computer Fraud and Security (2004): 4-6.
Engin, Kirda, and Kruegel Christopher. "Protecting Users Against Phishing Attacks." The Computer Journal 49 (2006): 554-561.
Kerstein, Paul L. "How Can We Stop Phishing and Pharming Scams?" CSO. 19 July 2005. 27 Mar. 2007 <http://www.csoonline.com/talkback/071905.htm>.
Geer, D. “Security Technologies Go Phishing.” IEEE Computer Society. 2005. 18 Mar.2007