2.1 Definition of phishing
2.2 Various tactics phishers use in deceiving people
2.4 Categories of people that fall for phishing attacks
2.5 Phishing email vs. malware phishing
2.6 Phishing methods
2.7 Global trend of phishing
2.8 Preventing a phishing attack before it begins
2.9 Detecting a phishing attack
2.10 Preventing the delivery of phishing messages
2.11 Specialized phishing email filters vs. general-purpose spam filters
Many experts in the field of system security have expressed their views on this subject, each from a different perspective of expertise. After consulting many works in the literature, I realized I had to restrict myself to the few core ones that are relevant to the subject matter.
According to Drake et al. (2007), "phishing" is an email scam that attempts to swindle people out of their private information, which may include credit card numbers, bank account information, social security numbers and mother's maiden names. The name phishing was coined because the fraudsters are "fishing" for personal information. Approximately 57 million U.S. adults believe they have received a phishing email message, and phishing emails are also increasingly appearing in other languages such as Spanish, French, German and Dutch.
Lininger and Vines (2007) define phishing as automated identity theft that combines the power of the Internet with the universal human tendency to take advantage of people and relieve them of their hard-earned money. Virtually everyone with an email account is believed to have received a phishing email by now. These emails copy the formatting and look of a legitimate business's Internet presence to trick people into providing sensitive information, such as usernames and passwords or credit card numbers with expiration dates.
Phishing attacks usually appear as an email that purports to be from a trusted entity, for example eBay or PayPal. The purpose of such a phishing email is to get people to provide information, such as credit/debit card numbers, identity information or login credentials, often to correct some problem supposedly found with an account (Santhoshi and Krishna 2009).
Phishing is an Internet scam in which the user is convinced to give up valuable information; this is done by redirecting users to a different website through emails, instant messages and so on. The major intention of phishing is to gain access to the user's bank account, passwords and other security information (EC-Council 2008).
Bergholz et al. (2010) identify a number of tricks that are synonymous with deceptive phishing. These include:
Social engineering: plausible stories and a methodical approach are used to produce a convincing effect, often with the use of personalized information.
Mimicry: the authentic target website is mimicked to resemble the original; logos, trademarks and even emails are copied.
Email spoofing: the actual sender's identity is hidden while a counterfeit one is presented to the user.
URL hiding: the phisher hides the deceptive link addresses in both the email and the website, and tries to make the URLs in the email, together with the fake links, appear genuine.
Invisible content: the primary purpose of this trick is to fool automatic filtering approaches. Phishers insert content into the phishing email that is invisible to the user and of which the user is unaware.
Image content: here attackers render the text of the email as an image in graphical form.
Consider the example below given by James (2005) on the tricks of the phishing trade and how phishers play on human intelligence. This short piece summarizes Lance James's view of how phishers deceive:
“Tricks of the Trade...
Can You Read This?
Phishers use ‘fzuzy' domians to tirck the eye in a smiilar mnaner to tihs apporach. It is less obvuios, but proves effcetive when attacking the viitcm. Tihs is jsut one of the mnay mehtods phihsers exlpoit for web spiofnog, and we wlil dvteoe an etnire cpthear just lnoikog at web exlpoits that are uesd by phihsers. Reaercsh inidaactes taht we raed words as a whole, not the signle lteters, thus the fsirt and lsat lteters need only to be in the rhgit palce. Another technique was one of the first methods used against the human eye because of certain semantics within the URL. A simple example is [email protected] The Web browser will read the right side of the browser address and go to Google. The @ symbol, in most cases in a browser, indicates a user and a password. This formatting looks like “protocol:[//][username[:password]@]host[/resource]” and we have seen this used often with protocols like FTP. An FTP login on a Web browser can look like ftp://username:pass @ftp.site.com. To get more intricate, the phisher would obfuscate the URL by encoding it in an unintelligible manner. This could be done in a number of ways. First we can look up Google's IP address:
Impersonation: this is acclaimed as the most popular and simplest trick. It consists of a fake site that users are deceived into visiting. The fake site contains look-alike images and symbols copied from the genuine site.
Forwarding: users' data are forwarded to the phisher's server with such flawless continuity that victims may never know they were phished. It works in this way: an email is sent to the user containing what are typically the real website's graphics and login form, and the victim logs in through the forwarding link in the email. This trick is typically aimed at eBay, PayPal and Amazon customers.
Popups: this trick was first discovered during a barrage of phishing attacks on Citibank in September 2003. It is basically a link that, once clicked within one's email, posts a hostile popup; it works such that behind the popup is the real site from which the attacker is trying to steal data. Please note that the popup blockers installed by Mozilla/Firefox and Service Pack 2 for XP have made this trick ineffective.
Drake C.E., Oliver J.J. and Koontz E.J. (2009) point out that spoofing reputable companies is one of the many ways phishers deceive users. Reputable companies are mimicked to gain users' trust so as to obtain their information.
Lack of computer system knowledge: many computer users are ignorant of how email and the web actually work, and this can be exploited by phishers to obtain sensitive information.
Lack of knowledge of system security: many users lack knowledge of the various system security measures. Moreover, many users do not pay proper attention to reading warning messages and security indicators.
Visual deception can also make users vulnerable to phishing attacks. Visual deception may take diverse forms, such as fooling users by convincing them to enter a fake website whose domain name differs only slightly from the original website's, which is difficult to notice.
Phishers use an image of a legitimate hyperlink which is itself hyperlinked to an unauthorized website.
Phishers trick users by using images in the content of a web page that look like a browser window.
Keeping an unauthorized browser window on top of or next to a legitimate window with the same look will make the user believe that they are from the same source.
The language and tone are set to match the authentic website.
Furthermore, inadequate attention to security indicators is another reason people fall for phishing attacks: people do not usually pay adequate attention to reading warning messages and security indicators.
Just like tech-savvy youths, elders are turning to the Internet for various reasons, including but not limited to accessing healthcare information, seeking entertainment, taking part in commercial transactions and keeping in touch with family and friends.
In the United Kingdom, the most recent survey of Internet access revealed that in 2009, 37.4 million adults (76 per cent of the UK adult population) accessed the Internet. This was an increase of 10.3 per cent (3.5 million adults) on the 2008 result. The youngest age group (those aged 16-24) had the highest level of access, at 96 per cent, but the largest increase in the proportion of those accessing the Internet was in the oldest age group (65 plus). Access by those aged 65 plus increased proportionally by 15 per cent, compared with an increase of 3 per cent for the 16-24 age group.
Similarly, for the USA, Eric L. Carlson (2007) gives an account of the last United States census and claims that the elderly population in the United States is increasing at an astonishing rate. According to the census results, there are thirty-five million people sixty-five years of age or older living in the United States, that is 12.4% of the total U.S. population, and the growth rate of the elderly population was much larger than the growth rate of the general population. In 2011 the oldest members of the baby boomer generation will begin to turn sixty-five, and the sixty-five and older population is projected to double to seventy million by the year 2030. Further projections indicate that by the year 2030, 20% of all Americans will be sixty-five years of age or older. As the elderly population grows exponentially, so too does the presence of the elderly on the Internet, and so does their attractiveness as targets for phishing attacks.
In 2009 the 16-24 age bracket accessed the Internet the most, with 86 per cent using it every day or almost every day. The 65 plus age group used it the least, with 52 per cent using it every day or almost every day. The most popular activity of recent Internet users was sending and receiving emails, standing at 90 per cent.
There was also a boom in social networking in 2009: 40 per cent of recent Internet users stated that they posted messages to chat sites, blogs and newsgroups, up from 20 per cent in 2008, and the proportion of recent Internet users who stated they had uploaded self-created content rose from 24 per cent to 40 per cent. Online banking and other online financial services also saw a tremendous increase of late, and the use of the Internet for online audiovisual activities saw significant developments in 2009.
Age is a factor in the types of goods and services purchased online. While the younger age groups preferred to purchase clothes and sports goods, the most popular purchases for the oldest age group were books, magazines, newspapers or e-learning material. Adults aged under 70 who had a degree or equivalent qualification were estimated to live in a household with Internet access, while those who had no formal qualifications were least likely to have an Internet connection.
Checking for the difference between the two classes of phishing, that is phishing email and phishing malware, is undoubtedly necessary for users' awareness. James (2005, pp. 23-25) explicitly expresses the differences between the two in the tabular form shown below.
Table: phishing e-mails versus phishing malware/key loggers (after James 2005, pp. 23-25)

Average number of accounts compromised in a week
  Phishing e-mails: (value not given in the source text)
  Phishing malware/key loggers: (value not given in the source text)

Type of information compromised
  Phishing e-mails: Name, address, phone, SSN, credit card, CVC2, bank account numbers, logins and passwords, and even items such as mother's maiden name or the answer to the "forgot your password" prompt. Generally, victims provide all the information asked for.
  Phishing malware/key loggers: Account login or credit card number with expiration date and address. Generally, a single victim loses only a single item of information; few victims lose more than one type of information. The information compromised might not match the information desired by the phisher.

Volume of data generated
  Phishing e-mails: Each victim results in less than 500 bytes of data; a week's worth of data is generally less than 50 Kbytes. A single person can process the data in minutes.
  Phishing malware/key loggers: A single key-logging Trojan can generate hundreds of megabytes of data in a week. The data is not processed by hand; instead, scripts are used to filter the information, and potentially valuable information is frequently ignored due to the filtering process. Newer malware is more intelligent and does the processing from the Trojan itself.

How often is the method viable?
  Phishing e-mails: Reused regularly for weeks or months before requiring a change. Through simple changes in the mailing list, a variety of people can be solicited; information is almost never collected from the same person twice.
  Phishing malware/key loggers: Most malware is effective for a week before antivirus vendors develop signatures. Some phishing groups use malware in limited distributions; these programs can exist for much longer durations, but they generally collect less information. A single person whose computer is infected may compromise the same information multiple times.

Total development cost to phishers
  Phishing e-mails: A single phishing server may take one week to develop. The server can then be applied to hundreds of blind-drop servers and reused for weeks or longer. Changes to the phishing e-mail content (bait) can be measured in hours and might not need a change to the phishing server.
  Phishing malware/key loggers: A single malware system, including Trojan and receiving server, may take months to develop. Each variant may take a week or longer to develop. When generic antivirus signatures appear, redevelopment can take weeks or months.
The table above shows that phishing email is more effective than phishing malware, although the former's number of victims is much smaller than the latter's. The basic difference between the two is the kind of information desired.
Phishing email seeks specific information from specific victims, with a low development cost and consequently a low rate of return, whereas phishing malware hunts for any information from any victim chosen at random, though with a high development cost and a high rate of return. However, the information a phisher collects through phishing email is of immediate value and can be used repeatedly, while the information collected by phishing malware might not be of immediate value.
A large proportion of phishing attacks are carried out through email, by which a phisher is capable of sending millions of emails to legitimate email addresses using the techniques and tools of the phisher's choosing.
Phishers also make users unknowingly install Trojan software, which helps in email broadcasting and in hosting fraudulent websites.
The global trend in phishing activities keeps changing, with phishers appearing in diverse guises, according to the APWG (2009) report. A high of 37,165 was recorded in May 2009, about seven per cent higher than the previous year's second-quarter high of 34,758 in October. The number of unique phishing websites detected in June rose to 49,084, the highest recorded since the April 2007 record of 55,643. The number of brand-domain pairs increased to a record 21,085 in June, up 92 per cent from the beginning of 2009. Moreover, the number of hijacked brands soared to a high of 310 at the end of the first quarter of 2009. The payment services sector emerged as the most targeted, displacing financial services, in the first quarter of 2009. Banking Trojan/password-stealing activity was also on the increase in the second quarter. Detected crimeware infections increased by more than 186 percent between the fourth quarter of 2008 and the second quarter of 2009.
The total number of infected computers increased by more than 66 percent between the fourth quarter of 2008 and the end of the first half of 2009, to 11,937,944, representing more than 54 percent of the total sample of scanned computers. Sweden dislodged the United States to become the number one nation hosting the most phishing websites at the half's end. China hosted the most websites harboring Trojans and downloaders from March through June 2009.
Chart: Current phishing targets. This chart highlights which institutions were targeted in phishing attacks for the week ending February 21, 2010.
Chart: Phishing sources by country. This chart measures phishing by country of origin as a percentage of all phishing email.
Chart: Phishing sources by continent. This chart measures phishing by continent of origin as a percentage of all phishing email. Europe remains the dominant source of phishing emails.
Chart: Phishing percentage over time. Phishing email as a percentage of all spam over time.
Andre Bergholz, Jan De Beer, Sebastian Glahn, Marie-Francine Moens, Gerhard Paaß and Siehyun Strobel, Journal of Computer Security 18 (2010) 7-35 (9), IOS Press. These are scholars from the University of Durham.
2.8 Preventing a phishing attack before it begins
A simplified flow of information in a phishing attack is as follows:
Steps 3 and 5 above are of interest primarily to law enforcement agents seeking to identify and prosecute phishers.
This is how it goes: a phisher sets up a domain to receive phishing data. Pre-emptive domain registration may cut down the availability of deceptively named domains. Furthermore, there have been proposals to institute a "holding period" for new domain registrations, during which trademark holders could object to a new registration before it was granted. This could help with the problem of deceptively named domains, but would not necessarily address the ability of phishers to masquerade as legitimate sites. As email authentication technology becomes more widespread, it could become a valuable preventive measure by preventing fake or misleading email return addresses. A few services attempt to search the web and identify new phishing sites before they go "live", but phishing sites may not be accessible to search spiders, and they do not need to be up for a lengthy period, as most of the revenue is gained in the earliest period of operation. An average phishing site stays active for no more than 54 hours (Aaron Emigh et al. 2005).
There are many technologies that may be employed to detect a phishing attack. These include:
Providing a spoof-reporting email address to which customers may send suspected spoof emails. This may both provide feedback to customers on whether communications are legitimate and give warning that an attack is about to happen.
Checking "bounced" email messages from time to time, because many phishers send to bulk email lists that usually include nonexistent email addresses, using return addresses belonging to the targeted institution.
There are many contractors that will perform many of these services. Knowing when an attack is about to happen can be valuable, in that it may permit a targeted organization to set up procedural countermeasures, initiate an investigation with law enforcement and staff up for the attack in a timely manner.
Checking account activity for irregularities such as an unusual volume of logins, password modifications, withdrawals, transfers and so on.
Monitoring the use of images that show an organization's corporate logos. Phishers will frequently use the target organization's own servers to host the artwork used to deceive innocent customers; this can be detected at the web server through a blank or anomalous "referrer" header on requests for the image.
Setting up "honeypots" and monitoring them for email purporting to be from the organization.
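The referrer check above is simple to put into practice at the web server. The following Python script is an added example (not code from the source or from Emigh's paper): it parses a few constructed Apache combined-format log lines and flags requests for the organization's logo images whose Referer is blank or points to a host the organization does not own. The hostnames, logo paths and log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2010:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.example-bank.test/login" "Mozilla/5.0"
203.0.113.8 - - [21/Feb/2010:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Feb/2010:10:01:09 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example-bank-secure.test/verify.php" "Mozilla/5.0"
203.0.113.10 - - [21/Feb/2010:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Hostnames the organization owns and the brand artwork worth watching (assumptions).
OWN_HOSTS = {"www.example-bank.test", "example-bank.test"}
LOGO_PATHS = {"/images/logo.png"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (ip, path, referer, verdict) for one log line, or None if it does not parse.
    verdict is 'ok', 'blank-referer' or 'foreign-referer'; only logo paths are judged."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, referer = m.group("ip"), m.group("path"), m.group("referer")
    if path not in LOGO_PATHS:
        return (ip, path, referer, "ok")
    if referer in ("", "-"):
        # Browsers loading the logo from our own pages normally send a Referer; a blank
        # one is anomalous and worth a closer look (some privacy settings do strip it).
        return (ip, path, referer, "blank-referer")
    host = urlparse(referer).hostname or ""
    if host not in OWN_HOSTS:
        # Our artwork embedded in a page we do not serve: a classic phishing-page indicator.
        return (ip, path, referer, "foreign-referer")
    return (ip, path, referer, "ok")

def suspicious_referers(log_text):
    """Return [(ip, referer, verdict)] for every suspicious logo request in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec[3] != "ok":
            hits.append((rec[0], rec[2], rec[3]))
    return hits

if __name__ == "__main__":
    for ip, ref, verdict in suspicious_referers(SAMPLE_LOG):
        print(f"{verdict:16} client={ip} referer={ref!r}")
```

A foreign referrer gives the analyst the URL of the suspected phishing page directly; blank referrers need corroboration (volume, timing) before they are acted on, since privacy extensions also strip the header.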
Establish easily understandable policies on your email practices, for instance never asking for personal information and/or never providing a clickable link in an email. Be certain that your policies are acceptable to all concerned in your organization. Make sure you enforce your policies with all third parties that send email on your behalf. Communicate your policies to your customers adequately and regularly, preferably in every email communication and in other media.
Consider digitally signing all outgoing emails to your customers. This can be performed at an email gateway if it is not feasible to do so on your mail
The cheapest insurance you can buy is to register the most deceptive available domain names analogous to your brands.
Do not use web sites with unusual or irregular names for customer
Ensure that your web site uses SSL and that all certificates are up to date.
Always remove any open URL redirects from your web site.
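The open-redirect advice above is easiest to follow when the weak pattern is shown next to the hardened one. The following Python snippet is an added example, not code from the source: open_redirect_target is the pattern to remove, and safe_redirect_target only honours targets on hosts the site owns. The host names and the ALLOWED_HOSTS set are assumptions made for the example.

```python
from urllib.parse import urlparse, urljoin

# Hosts we are willing to redirect to, and our own origin (assumptions for the example).
ALLOWED_HOSTS = {"www.example-bank.test", "secure.example-bank.test"}
OUR_ORIGIN = "https://www.example-bank.test"
DEFAULT_TARGET = "/"

def open_redirect_target(next_url):
    """Vulnerable pattern: wherever the 'next' parameter points is where the user goes,
    so a link that starts with the trusted domain can end on any site the sender chooses."""
    return next_url

def safe_redirect_target(next_url):
    """Hardened pattern: only same-site targets are honoured; anything else falls back to '/'."""
    if not next_url:
        return DEFAULT_TARGET
    # Resolve against our origin so that scheme-relative ('//host/x') and backslash
    # variants are judged by the host they would actually reach, not by how they look.
    resolved = urlparse(urljoin(OUR_ORIGIN, next_url.replace("\\", "/")))
    if resolved.scheme not in ("http", "https"):
        return DEFAULT_TARGET          # javascript:, data:, and other non-web schemes
    if resolved.username or resolved.password:
        return DEFAULT_TARGET          # userinfo before '@' hides the real host
    if resolved.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    # Re-emit only path and query: never echo the caller-supplied authority part.
    target = resolved.path or "/"
    if resolved.query:
        target += "?" + resolved.query
    return target

if __name__ == "__main__":
    for candidate in ["/accounts/summary", "//evil.test/login",
                      "https://www.example-bank.test@evil.test/", "javascript:alert(1)"]:
        print(f"{candidate!r:48} -> {safe_redirect_target(candidate)!r}")
```

Returning a relative path rather than the validated absolute URL is deliberate: it removes the authority component entirely, so a later mistake in the allowlist cannot turn the handler back into an open redirect.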
Ensure you trademark your domain names to provide recourse against a party who registers deceptively similar domain names.
Last but not least, monitor current domain registrations and take action against parties registering domain names deceptively similar to yours.
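Monitoring new registrations for names deceptively similar to your brand, as recommended above, can be partly automated. The Python script below is an added example (not code from the source): it normalizes visually confusable characters, then flags entries in a constructed registration feed that either contain the brand label or sit within a small edit distance of it. The brand domain, the feed and the confusable table are assumptions made for the example; production tools use much larger confusable tables.

```python
import unicodedata

# Brand domains to protect (assumption for the example).
BRAND_DOMAINS = {"example-bank.test"}

# Constructed daily feed of newly registered domains, as a monitoring service might deliver it.
NEW_REGISTRATIONS = [
    "example-bank.test",          # our own registration, ignored
    "examp1e-bank.test",          # digit 1 in place of letter l
    "exarnple-bank.test",         # 'rn' in place of 'm'
    "example-bank-secure.test",   # brand embedded with an extra token
    "examplebank.test",           # hyphen dropped
    "weather-report.test",        # unrelated
    "exampIe-bank.test",          # capital I in place of lowercase l
]

# Small table of visual confusables mapped to a canonical letter (assumption, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "@": "a", "$": "s"})

def canonical(label):
    """Lower-case, strip accents, fold confusables, the 'rn'->'m' digraph and hyphens."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    s = s.translate(CONFUSABLES)
    return s.replace("rn", "m").replace("-", "")

def levenshtein(a, b):
    """Plain edit distance; cheap enough to run over a daily registration feed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """'examp1e-bank.test' -> 'examp1e-bank' (assumes a single-label public suffix)."""
    return domain.rsplit(".", 1)[0]

def flag_lookalikes(registrations, brands=BRAND_DOMAINS, max_distance=1):
    """Return [(domain, brand, reason)] for registrations that resemble a protected brand."""
    hits = []
    for dom in registrations:
        if dom in brands:
            continue
        label = canonical(registrable_label(dom))
        for brand in brands:
            b = canonical(registrable_label(brand))
            if b in label:
                hits.append((dom, brand, "contains-brand"))
            elif levenshtein(label, b) <= max_distance:
                hits.append((dom, brand, "near-miss"))
    return hits

if __name__ == "__main__":
    for dom, brand, reason in flag_lookalikes(NEW_REGISTRATIONS):
        print(f"{reason:15} {dom} (resembles {brand})")
```

Each hit is a lead for the legal or takedown process the text describes, not a verdict; a human still confirms whether the registrant is hosting anything deceptive.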
The best way to prevent a phishing attack is to prevent the phishing message from ever reaching a user. There are many countermeasures that may be employed; these include:
Spam (email) filters are often effective in fighting phishing as well. For instance, signature-based anti-spam filters may be configured to recognize specific known phishing messages and prevent them from reaching a user.
Statistical or heuristic anti-spam filters may also be partially effective against phishing, but note that a phishing message may closely resemble a legitimate message, so there is a risk of erroneously blocking legitimate email, especially if the filter is configured to be sensitive enough to identify phishing email.
Another countermeasure is to be able to identify unauthorized imagery in emails, since the aim of phishers is to make their mail appear as if it comes from a trusted
Aaron Emigh et al. (2005) confirm that, among the many message authentication techniques, Sender-ID prevents return address forgery by consulting DNS records to determine whether the IP address of a transmitting mail transfer agent is authorized to send a message from the sender's domain. Another example is Yahoo! DomainKeys, which uses a domain-level cryptographic signature that can be verified through DNS records.
It is worth noting that some form of lightweight message authentication may be very valuable in the near future in combating phishing.
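The DNS-based check that Sender-ID and SPF perform can be shown without network access. The Python function below is an added example, not code from the source: it evaluates the ip4, ip6, include and all mechanisms of an SPF-style record against a sending IP address, reading the records from an embedded dictionary that stands in for the TXT lookups a real verifier would make. The domains, addresses and records are assumptions made for the example; mechanisms that need further DNS resolution (a, mx, ptr, exists) are deliberately not handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline (assumption).
FAKE_TXT = {
    "example-bank.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:203.0.113.32/27 ip6:2001:db8:1::/48 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(sender_domain, client_ip, txt=FAKE_TXT, depth=0):
    """Evaluate an SPF record for the connecting MTA address client_ip.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no usable record)."""
    ip = ipaddress.ip_address(client_ip)
    record = txt.get(sender_domain)
    if record is None or depth > 10:        # no record, or include chain too deep
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # 'include' matches only when the referenced domain's policy yields pass.
            matched = spf_check(arg, client_ip, txt, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "none"                    # a, mx, ptr, exists: not handled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # no mechanism matched

if __name__ == "__main__":
    for addr in ["198.51.100.7", "203.0.113.40", "192.0.2.1", "2001:db8:1::5"]:
        print(f"{addr:16} -> {spf_check('example-bank.test', addr)}")
```

A receiving filter would apply this to the envelope sender (or, for Sender-ID, the purported responsible address from the headers); a 'fail' is a strong signal that the return address is forged, while 'softfail' and 'neutral' are only weights for a scoring filter.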
To compare specialized phishing email filters with general-purpose spam filters: some spam filters use hundreds of features to detect unwanted emails, but for the purposes of this research work, due to time constraints, we shall limit ourselves to the ten features used in PILFER, which are binary and continuous numeric features. As the characteristics of phishing attacks change, additional features may also become more powerful, and PILFER is easily adapted by supplying such new features to the classifier.
PILFER is a machine-learning-based approach to classifying emails, which is compared with SpamAssassin for the purpose of this study.
Phishing is, though, a subset of spam. To detect phishing emails with high accuracy, a specialized filter is used, with features that are more directly applicable to phishing emails than those employed by general-purpose spam filters. Phishing email is characterized by certain unique properties that Ian Fette et al. (2006) have identified.
Features of the filter:
Number of links
Age of linked-to domain names
Number of domains
Number of dots
Links to non-modal domain
Contains JavaScript
Because of the nature of phishing, one might tend to think that phishing emails are tougher to detect than general spam emails. Nevertheless, phishing emails are intended to sound like an email from a trusted entity, mostly a body, person or organization with which the attacker anticipates the user has an existing relationship. With that said, phishing emails present unique opportunities for detection that are not present in general spam emails: in general spam, the sender does not need to misrepresent their identity, whereas in phishing email the misrepresentation of the sender's identity is key to the identification of phishing emails (Ian Fette et al. 2006).
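To make the PILFER feature list above concrete, the Python script below is an added example (it is not PILFER's own code, nor code from the source): it extracts several of the listed features from a constructed HTML email, using PILFER's notion of the "modal" domain as the domain most frequently linked to. The age-of-domain feature is omitted because it needs a WHOIS lookup, and two further features (an IP-based link, and whether the sender's domain appears among the links) are added in the spirit of the text's remark that new features can be supplied to the classifier. The sample message and its domains are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing mail): the anchor text shows the bank's
# domain while the href leads elsewhere, and a second link uses a bare IP address.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@example-bank.test>
To: customer@mail.test
Subject: Verify your account
Content-Type: text/html

<html><body>
<p>Please confirm your details at
<a href="http://www.example-bank.test.login-check.test/verify">www.example-bank.test</a>
or <a href="http://198.51.100.23/update">our secure site</a>.</p>
<script>window.status = 'https://www.example-bank.test';</script>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects anchor hrefs and notes whether any <script> element is present."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.has_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)
        elif tag == "script":
            self.has_script = True

def extract_features(raw_message):
    """Return a PILFER-style feature dict for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    payload = msg.get_payload(decode=True)
    body = payload.decode(errors="replace") if payload else ""
    parser = LinkCollector()
    parser.feed(body)
    hosts = [urlparse(h).hostname or "" for h in parser.hrefs]
    domains = [h for h in hosts if h]
    counts = {d: domains.count(d) for d in domains}
    modal = max(counts, key=counts.get) if counts else None   # most-linked domain
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "num_links": len(parser.hrefs),
        "num_domains": len(set(domains)),
        "num_dots_max": max((h.count(".") for h in hosts), default=0),
        "links_to_non_modal": sum(1 for d in domains if d != modal),
        "ip_based_link": any(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h) for h in hosts),
        "contains_javascript": parser.has_script,
        "sender_domain_in_links": sender_domain in domains,
    }

if __name__ == "__main__":
    for name, value in extract_features(SAMPLE_EMAIL).items():
        print(f"{name:24} {value}")
```

These values would form one row of the training matrix; the classifier, not the extractor, decides how much weight a deep subdomain chain or an IP-based link deserves, which is why the features are kept raw rather than thresholded here.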
Using the United States of America as a case study, James (2005, pp. 24-28) exposes several laws at both state and federal government level that address identity theft and fraud, with very few addressing core phishing attacks. This has denied many innocent victims justice. However, according to James (2005), the table below shows federal statutes that are viable legal tools to stop identified phishers, as shown in Table 12.1.1.
Identity theft 18 U.S.C. 1028(a)(7), H.R. 1731
Access device fraud 18 U.S.C. 1029
Computer fraud 18 U.S.C. 1030
CAN-SPAM 18 U.S.C. 1037
Mail fraud 18 U.S.C. 1341
Wire fraud 18 U.S.C. 1343
Bank fraud 18 U.S.C. 1344
However, all hope is not lost, as there is promising legislation springing up at both federal and state government levels to officially address core phishing. For example, the new Identity Theft Penalty Enhancement Act (H.R. 1731) tackles the central tactic of Internet scammers: it makes it illegal to create an email that represents itself as an authentic message in order to deceive the recipient into revealing confidential information with the intention of stealing the recipient's identity.
This has stirred up hope that this legislation will bring about quicker response times for arrests and, more importantly, the capacity of the courts to convict culprits. A conviction carries a mandatory two-year sentence. This means that reporting phishers to law enforcement agencies could simply fill up their incoming mailbox.
In 2004 Senator Patrick Leahy (D-Vermont) proposed the Anti-Phishing Act of 2004 (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_bills&docid=f:s263istxt.pdf), which makes phishing a federal crime. The bill bans the act of spoofing a web site for the purpose of obtaining another person's identity. The good news is that this bill will enable law enforcement to respond to specific phishing attacks in a swift and timely manner, and may in fact help in tracking down phishers more proactively, leading to their eventual arrest and prosecution (James 2005).