Phishing is a form of online identity theft in which the “attackers try to trick consumers into divulging sensitive personal information.” The primary technique usually involves a fraudulent e-mail containing a hyperlink that redirects the user to an illegitimate copy of a website. Once there, the user is prompted to enter confidential information such as usernames and passwords. Once the user submits this information, it has been successfully “phished.”
The first documented case of phishing occurred on January 2, 1996 at the alt.online-service.america-online Usenet newsgroup. The word “phishing” itself comes from the analogy that cyber criminals used malicious e-mails to “phish” for passwords and financial data from a
There are three principal methods of approach when conducting a phishing attack. The attacker can try to install Trojan software on the victim’s computer, use deceit to convince the victim to follow certain instructions, or use spyware to intercept legitimate communications between the victim and a legitimate website. Regardless of which method the attacker employs, the end-to-end transaction of a phishing attack is as follows:
· The attacker obtains e-mail addresses of potential victims, either by guessing them or by extracting them from an online directory
· The attacker creates an e-mail which appears to be legitimate and sends it to the intended victims
· Depending on which method of phishing is used, the recipient of the e-mail may open a malicious attachment, complete a web-form or visit a fraudulent web site.
· The attacker obtains the victim’s confidential information and conducts some form of criminal activity with it.
There are various ways an attacker can accomplish the tasks listed above. An illustrated version of a typical attack tree (depicted in Figure 1) shows the steps executed by the attacker and victim during a successful phishing attack. The “start” of the attack is at the top of the figure and the tree is traversed downwards. The arrows are actions conducted by the attacker or the victim and are labeled accordingly. Each rectangle contains the resource or condition that the attacker is trying to achieve. If the attack is conducted successfully, the last arrow traversal leads to the rectangle labeled “Attacker gains sensitive user information.” Otherwise (i.e., the attack fails), the last arrow leads to the rectangle labeled “Attack fails.”
Attackers may choose to use Trojan software or a worm for phishing. Both methods revolve around sending an apparently innocuous e-mail attachment (such as a screensaver or greeting card). However, the attachment is actually an executable program which captures sensitive information being sent between the victim’s computer and a legitimate website.  Please refer to Figure 2 for a visual depiction of how this attack takes place and for a summary of possible countermeasures.
Spyware which has been installed by a previous worm, a Trojan attack or the installation of another program can be invoked when the user visits a legitimate website. Typical programs log keystrokes, intercept network communications or capture entire files. This information is then sent to the attacker for further analysis and exploitation. Please refer to Figure 3 for a visual depiction of how this attack takes place and for a summary of possible countermeasures.
Deceit is the most common method of approach adopted by attackers. The attacker simply sends a fraudulent e-mail to the intended victim and hopes that the recipient clicks on the embedded hyperlink. Once clicked, the user is redirected to a spoofed website where confidential information is released to the attacker. Since many users are becoming more aware of this phishing technique, attackers are simply relying on the law of large numbers to ensure that some of the e-mail recipients become victims. Please refer to Figure 4 for a visual depiction of how this attack takes place and for a summary of possible countermeasures.
Figure 2: Visual Depiction of Phishing attack with Trojans /
COUNTERMEASURES: Up to date anti-virus software, host-based intrusion detection and personal firewall software
Figure 3: Visual Depiction of Phishing attack with Spyware
COUNTERMEASURES: Spyware detection programs, up to date anti-virus software, host-based intrusion detection and personal firewall software
Figure 4: Visual Depiction of Phishing attack with Deceit
COUNTERMEASURES: SSL (Secure Socket Layer) offers minimal protection at best. Commercial privacy software which prompts the user to confirm transmission of any sensitive information
Typically, the targets of choice for phishing attacks have been online financial institutions and online retailers. In particular, eBay’s PayPal service has been the target of choice for attackers, accounting for about 35% of all reported phishing attacks. However, other businesses and banks such as UPS, BestBuy, VISA, eBay, Citibank, Huntington and the Bank of America have fallen victim to this form of cyber-crime. A recent example (February 15, 2005) is the attack on
Attacks such as these on large financial institutions are having a significant financial impact on both the businesses and the consumers. Businesses not only need to purchase insurance, but are now setting aside additional funds to actively combat this form of cyber-crime as well as to handle any damages caused by a successful attack. When NatWest Bank (a large Scottish bank) became a victim of phishing, it had to incur the added expense of setting up and managing a telephone number that consumers could call. When consumers become victims, attackers masquerade as the victim and can steal all of the funds of a compromised account.
In terms of total damages, approximately 1.2 million computer users in the
A variety of anti-phishing software solutions have been devised by various companies to combat the growing phishing threat. One of the most notable is PassMark’s two-factor authentication system. This system is designed to prevent phishing attacks by requiring users to use two-factor authentication. “One factor is a user ID and password, and the other is an authenticating image and phrase that the participant pre-selects with a financial institution or e-business.” Essentially, the authenticating image and phrase will be present in any e-mails sent by the company. The presence of these two items will be clear proof to the user that the e-mail is legitimate, and that it is safe to follow any instructions provided in the e-mail. This software solution has proven so effective that the US Federal Deposit Insurance Corp. (FDIC) has fully recommended that US banks adopt it. However, certain banks and e-businesses have been reluctant to do so, stating that users may be deterred from conducting online transactions due to the added effort involved.
· Create corporate policies and communicate them to consumers: Businesses should create policies to address items such as what should be expected in an e-mail so that fraudulent e-mails cannot be mistaken for legitimate ones. Customers then must be educated on these policies so that they are understood and adhered to.
· Provide a method for the customer to validate the e-mail is legitimate: The customer must be given a mechanism to identify that the e-mail is legitimate. The use of software such as PassMark’s two-factor authentication system would greatly assist in achieving this goal.
· Create a dedicated taskforce for finding phishing websites: In most cases, the fraudulent website appears on the Internet several days before the launch of the phishing e-mails.  Users can then be notified about these sites.
· Implement anti-virus and content filtering software at the Internet gateway: Gateway anti-virus scanning provides an additional layer of defense against Trojans and
· Implement anti-spam filters for all e-mail accounts: Turn on spam detector features for all e-mail accounts. This is the first line of defence and can essentially prevent a phishing e-mail from ever being opened. However, these filters are not foolproof, so the user must exercise some caution as well.
· Implement up to date anti-virus/anti-spyware software: Phishing attacks using Trojans or
· Block automatic delivery of sensitive information: Turn on the internet browser features which require the user to approve transmission of sensitive information. Most browsers have popup prompt boxes which require the user’s acknowledgement before transmitting the information.
· Be suspicious: The safest way to prevent becoming a victim of phishing is to be on guard for malicious e-mails. If the legitimacy of an e-mail cannot be immediately verified, contact the business which allegedly sent it via a previously verified communication channel. In general, if the e-mail looks suspicious, it is probably malicious.
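The anti-spam and “be suspicious” advice above both come down to the same check a filter can automate: does the link in the e-mail really go where its visible text says it does? The following is an added example (not from the original page, and not any vendor’s product) that scans an HTML e-mail body and flags anchors pointing at a raw IP address or whose real host differs from the domain shown to the reader; the sample message body is constructed for the demonstration.

```python
"""Heuristic check for deceptive hyperlinks in an HTML e-mail body (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Captures each anchor's href and its visible text; sufficient for typical e-mail bodies.
_ANCHOR = re.compile(r'<a\b[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
_TAG = re.compile(r"<[^>]+>")


def _host(value):
    """Lowercase host of a URL or bare domain ('' if there is none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def suspicious_links(html_body):
    """Return hrefs that point at a raw IP address or whose actual host
    differs from the domain the reader sees in the link text."""
    flagged = []
    for href, raw_text in _ANCHOR.findall(html_body):
        if not href.lower().startswith(("http://", "https://")):
            continue                      # skip mailto:, javascript:, relative links
        target = _host(href)
        if not target:
            continue
        try:
            ipaddress.ip_address(target)
            flagged.append(href)          # raw IP: no domain a user could verify
            continue
        except ValueError:
            pass
        text = _TAG.sub("", raw_text).strip()
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            flagged.append(href)          # displayed domain differs from real target
    return flagged


# Constructed sample message body for the demonstration; not a real phishing e-mail.
SAMPLE = ('<p>Please <a href="http://203.0.113.5/login">verify</a> your account at '
          '<a href="http://login.example.net/">www.paypal.com</a>. '
          'Help: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>')
```

Running `suspicious_links(SAMPLE)` flags the first two links and leaves the third alone, because its visible domain and its real host agree.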
Author: Richard K. Chan
Last update: April 1, 2007