Phishing And Its Types: Protection Against Phishing Attacks
Types of Phishing
Describe phishing and its types, and what protection exists against phishing attacks?
According to Agarwal et al. (2007), phishing is a criminal, fraudulent process for acquiring sensitive information, such as credit or debit card details, data held on the victim's computer or in the web browser, user IDs and passwords, by masquerading as a trustworthy entity in electronic communication. The term belongs to the vocabulary of computer security. Huang et al. (2012) describe phishing as fraudulent email that induces the user to divulge personal data for illegitimate use. Phishing tools and techniques are used to obtain user IDs and passwords, debit or credit card numbers, bank account details, social security numbers and similar identifiers. Phishing poses a high risk, especially for online business, because it lets attackers steal credentials indirectly: the victim hands them over rather than the attacker breaking into a system.
Today phishing has spread beyond email to SMS, social networking sites, multiplayer games, instant messaging, VoIP and other channels. There are several categories of phishing, such as spear phishing, phone phishing (vishing) and clone phishing.
Figure 1: Types of PHISHING
(Source: Jansson & Von Solms, 2013, pp- 587 )
Spear phishing targets a specific group, such as bankers, senior business people, dealers or raw-material suppliers of multinational companies. Spear phishers choose their targets by role or department within an organisation rather than at random. Whaling is the variant aimed at the most senior people. For instance, in 2008 several CEOs in the USA received targeted emails disguised as subpoenas (Roughan & Chang, 2013); the attached file infected the executives' systems when it was opened. Large organisations including the Australian Prime Minister's Office, the Government of Canada, Oak Ridge National Laboratory and HBGary Federal were victims of spear phishing between late 2010 and 2011.
Figure 2: Examples of Spear PHISHING
(Source: Wenyin et al. 2012, pp- 59)
Examples of Phishing
Clone phishing is a common attack technique. The phisher takes a legitimate email that the recipient has already received, clones it, and replaces the genuine link or attachment with a malicious one, so that following it yields the recipient's user ID and password (Jingguo et al. 2012). Clone phishers also spoof the sender address so that the message appears to come from the original sender, such as a multinational company, a large telecommunications provider or a respected individual. Because the message looks like a resend of something the recipient expected, the practical defence is to verify it through an independent channel (a fresh email to the known address of the original sender rather than a reply to the suspicious one) before clicking, and to keep mail filters up to date.
Figure 3: Example of Clone PHISHING
(Source: Jingguo et al. 2012, pp- 361)
Phone phishing (vishing) is also significant. The phisher sends a message telling the user to dial a phone number, ostensibly to confirm or learn about bank account details. Traditional telephone equipment ran on dedicated lines that were difficult to manipulate; voice over IP (VoIP) makes numbers cheap to obtain, and a VoIP system can play a recorded prompt asking the caller to enter their account number and PIN. Attackers also use caller ID spoofing so that an incoming call appears to come from the bank. Caller ID therefore cannot be relied on as proof of identity: the defence is to ignore the number given in the message and to call the bank back on the number printed on the card or statement.
Figure 4: Phone PHISHING examples
(Source: Yearwood et al. 2011, pp- 11)
Several examples of email phishing have been seen in recent years.
On 13 January 2015, a phishing email circulated on the Cornell University campus. The message, with the subject "IT Service Desk Support", claimed to come from Cornell's IT service providers and advised recipients to re-activate their email accounts and upgrade them to "Microsoft Outlook 2015". It warned that accounts would be deactivated if the procedure was ignored or not completed. The combination of an urgent deadline, a threat of account loss and a product name that does not exist is typical. The following is a snapshot of the email:
Figure 5: Example of Phishing
(Source: Custom Web Development, 2015)
On 20 June 2014, students of Stanford University's Computer Science department received an email claiming that their department email accounts had been infected by a virus and that mail delivery was therefore failing. The sender asked them to update their email account settings to protect the account. The following snapshot shows the message:
Figure 6: Example of Phishing
(Source: Itservices.stanford.edu, 2015)
In the University of Texas at Dallas example, phishers posing as the university helpdesk sent a message to [email protected] The email told students that they could set up their account from a new university computer and that, for security maintenance, they had to click a link; the link was presented as the way to adopt good security practice and upgrade the online University of Texas at Dallas account. The following figure shows the email:
Figure 7: Example of Phishing
(Source: Utdallas.edu, 2015)
Figure 8: PHISHING Techniques
(Source: Jingguo et al. 2012, pp- 349)
Web spoofing is the most effective way of harvesting user information. The phisher builds a fake website that looks like the genuine one, so that victims enter their user ID, password and personal details into the imitation. Such sites are built by copying the front-end code (HTML, CSS, images) of the genuine site; the copy is then hosted on a look-alike domain such as paypel.com in place of paypal.com. Alternatively the phisher places a proxy (tools such as Fiddler2 or Squid are used) between the victim and the real site, so that the genuine sign-in flow is served through the phisher and every credential passes through it.
Modern web browsers such as Safari, Google Chrome and Firefox have built-in protections against phishing, including the HTTPS indicators. HTTPS is HTTP carried over TLS; the padlock indicates that the connection is encrypted and that the server presented a certificate, chained to a trusted authority through the public key infrastructure, for the domain in the address bar (Maurer & Huaymann, 2014). If a site's certificate does not validate, the browser shows an untrusted-certificate warning. The padlock only proves that the user is talking to the domain shown, however; a phisher can obtain a valid certificate for a look-alike domain, so the domain name itself must still be checked.
Email spoofing is widely used by attackers to obtain personal information. An attacker forges a message so that it appears to come from a legitimate source even though it was generated elsewhere; on a Unix system this takes no more than a mail client or a direct SMTP session in which the attacker chooses the From address. It is the most common phishing technique because the core Simple Mail Transfer Protocol performs no sender authentication: at the transport level SMTP does not verify who is sending, and the message formats layered on it (MIME) provide no authentication either unless an end-to-end scheme such as PGP is used. Sender Policy Framework (SPF) is an open standard that lets a domain publish which servers may send mail for it, but it checks only the envelope sender (the SMTP MAIL FROM address), not the From: header that the user sees, so on its own it does not stop forgery of the displayed sender address.
Heuristic detection is a complementary defence against spoofed email. Heuristic filters score each message on observable features (urgent or threatening language, a request for credentials, links whose visible text does not match their destination, look-alike domains) and flag messages that show a high degree of similarity to known phishing.
Most phishers use technical deception to make the link in a spoofed email look legitimate. Common tricks are misspelled or look-alike domains such as paypel.com instead of paypal.com, subdomains that place the trusted name first (www.paypal.com.example.net), and anchor text: the visible text of the link shows the genuine address while the underlying href points to the phisher's site.
Such links deliver the victim to the fake site, where personal information is collected. An older trick used the @ symbol: a URL may legitimately carry a username and password before the host (http://user:password@host/), so a link of the form http://www.paypal.com@evil.example/ displays a trusted name while actually connecting to evil.example. Internet Explorer later disabled such URLs outright, while Firefox, Opera and Chrome warn the user that the address contains credentials and ask before proceeding. Internationalised Domain Names (IDN) create a similar problem: characters from other scripts that look identical to Latin letters (for example Cyrillic а in place of Latin a) allow a domain that is visually indistinguishable from the genuine one, and most users cannot tell the difference in the address bar.
Browsers mitigate IDN homograph attacks by showing such names in their encoded (punycode, xn--) form when the labels mix scripts, which exposes the substitution; keeping that setting enabled, and treating a punycode address as suspect, protects the user from being led to a malicious site.
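The heuristics described above (mismatched anchor text, look-alike and misspelled domains, the @ trick, IDN homographs, brand names buried in a subdomain) can be automated. The following is an added example written for this page, not code from any of the cited sources: it parses a link with Python's standard library and reports which tricks it detects. The brand list, the confusables subset and the sample links are constructed for illustration; a real deployment would use the organisation's own domains, the full Unicode confusables table and the Public Suffix List.

```python
"""Heuristic link checks for phishing mail (added example, not from the source).

Combines the link-manipulation tricks described in the text: the @ (userinfo)
trick, raw IP hosts, look-alike and misspelled domains, IDN homographs,
brand names buried in subdomains, and anchor text that disagrees with the
real destination. Every domain and the confusables table are constructed
for illustration.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed list of protected brand domains; a deployment would use its own.
BRAND_DOMAINS = {"paypal.com", "stanford.edu", "cornell.edu", "utdallas.edu"}

# Hand-picked subset of Unicode confusables (Cyrillic letters that render like
# Latin ones). The full table is Unicode TR39; this subset is an assumption.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}

ANCHOR_HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def skeleton(host: str) -> str:
    """Replace confusable characters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character misspellings like paypel."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels (adequate for .com/.edu; a real tool uses the PSL)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def analyze_url(href: str, anchor_text: Optional[str] = None) -> dict:
    """Return the host actually contacted and a list of suspicious findings."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.username is not None:          # http://trusted.name@real-host/
        findings.append("userinfo-trick")
    if parts.scheme == "http":
        findings.append("insecure-scheme")

    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("ip-host")
    except ValueError:
        pass

    # Decode punycode so xn-- labels and raw Unicode are judged the same way.
    try:
        uhost = host.encode("ascii").decode("idna") if "xn--" in host else host
    except UnicodeError:
        uhost = host
    if any(ord(ch) > 127 for ch in uhost):
        findings.append("idn-host")

    if not is_ip:
        reg = registrable(uhost)
        reg_sk = registrable(skeleton(uhost))
        if reg_sk != reg and reg_sk in BRAND_DOMAINS:
            findings.append("homoglyph-lookalike")
        elif reg_sk not in BRAND_DOMAINS:
            label = reg_sk.split(".")[0]
            if any(levenshtein(label, b.split(".")[0]) <= 1 for b in BRAND_DOMAINS):
                findings.append("lookalike-domain")
            brand_labels = {b.split(".")[0] for b in BRAND_DOMAINS}
            if brand_labels & set(uhost.split(".")[:-2]):
                findings.append("brand-in-subdomain")

    # Visible link text that names a different site than the href reaches.
    if anchor_text:
        m = ANCHOR_HOST.search(anchor_text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            findings.append("anchor-host-mismatch")

    return {"href": href, "host": host, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links of the kinds discussed above.
    samples = [
        ("http://www.paypal.com@203.0.113.5/login", "www.paypal.com"),
        ("https://paypel.com/signin", "Update your account"),
        ("https://p\u0430ypal.com/", None),                 # Cyrillic а
        ("https://www.paypal.com.secure-login.example/", None),
        ("https://www.paypal.com/signin", "https://www.paypal.com"),
    ]
    for href, text in samples:
        result = analyze_url(href, text)
        print(f"{href:50} -> {result['findings'] or ['clean']}")
```

The findings are signals for a heuristic score, not a verdict: a legitimate mailing service that places a brand in a subdomain, or a brand's own typo-defence domain, will trigger them, which is why such filters weight several features together rather than blocking on any one.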
PDF Document Phishing:
PDF (Portable Document Format) is the most popular and widely trusted format for electronic documents. Its portability and interoperability across platforms make it attractive to phishers. PDF readers were designed with a wide range of features, including the ability to execute embedded scripts, and attackers misuse these features, or abuse flaws in the reader, to extract user information or install malware. To protect against phishing via PDF documents, the reader should be kept fully patched, its script execution (JavaScript) and launch actions disabled, and attachments from untrusted senders opened only in the reader's protected or sandboxed mode.
According to Dodge & Futcher (2013), phishing damages the user's email account, causes substantial financial loss, and produces fraudulent transactions on accounts the user created. Phishing has become one of the most common forms of identity theft. Most people cannot recognise the technical tell-tales of a fake website, so they divulge personal information such as name, age, date of birth, credit or debit card number, mother's maiden name and social security number to phishers.
With this information phishers access and misuse public records such as PAN card numbers and passport details. Having obtained the victim's personal details, phishers open accounts in the victim's name and drain the victim's account. Roughan & Chang (2013) report that phishers took more than $929 million from US consumers between 2004 and 2005, and that US businesses lost about $2 billion in the same period. Australia is notable for web banking fraud, most of it carried out through phishing. Yearwood et al. (2011) state that in 2005 the United Kingdom lost a total of 1.8 billion to phishing.
Phishing is a criminal activity that acquires sensitive information about an organisation or an individual, such as usernames, passwords and credit card details. Various technical measures, user education and legislation can be adopted to prevent it.
Figure 9: Anti Phishing
(Source: Jakobsson & Myers, 2007, pp- 65)
1. Social response
Users have to be trained to recognise phishing attempts. Spear phishing, in which phishing emails are targeted at a specific company, is a newer tactic. Training has been run in many settings, including the West Point Military Academy, where an experiment sent cadets a fake spear-phishing email; many of the cadets responded and revealed personal information.
Changing browsing habits also helps: a user who receives an email asking for account verification can contact the company directly, using contact details obtained independently of the email, before acting on it.
Legitimate email from a company to its customers contains information that phishers cannot obtain. PayPal, for example, addresses customers by their user name, so an email with a generic salutation ("Dear PayPal customer") can be treated as a phishing attempt. Personal information alone is not proof of legitimacy, however, and the success rate of phishing does not always depend on the information provided.
As awareness grows, people learn to recognise the social-engineering techniques that phishers use, and the conventional phishing techniques become less effective (Jakobsson & Myers, 2007).
2. Technical response
Anti-phishing measures have been implemented as features built into browsers, as browser toolbar extensions and as part of website login procedures. The approaches are as follows:
Helping users identify legitimate sites
Phishing is based on impersonation, so prevention depends on users having reliable information about the site they are dealing with. The Petname extension for Firefox lets users attach their own labels to websites, so that on returning they can tell whether they are at the correct site; the absence of the expected label on a familiar-looking page is the warning sign.
Alerting users about the fraudulent websites
Another defence is to maintain a list of known phishing sites and check each visited site against it. Mozilla Firefox 2.0 and Opera include such anti-phishing measures; Firefox 2 uses Google's list. In some implementations the visited URLs are sent to a central service to be checked, which raises privacy concerns.
Another approach, introduced in 2006, is to switch to a special DNS service that filters out known phishing domains; it works with any browser and is similar in principle to using a hosts file to block advertisements. Operators of a targeted site can also detect spoofed copies: phishing pages often embed images hotlinked from the genuine site, and the requests for those images arrive carrying the spoof site's address as the referrer, which reveals the phishing site.
Augmenting login passwords
To augment the login password, Bank of America asks each user to select a personal image, which is displayed after the user has entered the username and before the password is requested. Users are told to enter their password only when their own image appears; if the image is missing or wrong, the site cannot be considered legitimate.
Elimination of the phishing mails
Phishing mail can be cut down with spam filters, which reduce the number of phishing emails that reach users (Anti-abuse.org, 2015).
3. Legal aspects
There is little legislation that deals specifically with phishing. A lack of government awareness is one reason. Technical and educational measures against phishing need government support.
The UK Fraud Act 2006 covers fraud by false representation, but does not mention phishing specifically. End users, as well as governments, are largely unaware of phishing activity. In the United States the Anti-Phishing Act of 2005 was introduced in the Senate; the bill would have criminalised internet scams that fraudulently obtain personal information, with a prison sentence of up to five years for falsifying corporate websites and emails.
The Anti-Phishing Act was not enacted at the federal level, but a few states, including Arizona, California and New Mexico, have strict anti-phishing laws (Shi & Saleem, 2015).
Detection of phishing attacks: Users must be wary of any email that asks for confidential information, and especially careful before providing financial information in reply to an email. Legitimate organisations never request sensitive information by email. Wenyin et al. (2012) note that banks never ask users by email for account details or related sensitive information such as mother's maiden name, nominee name or IFSC code without first contacting them through another channel.
Preventing the delivery of phishing messages: Users and mail administrators should follow secure practices when handling account information and configuring mail. The following measures help prevent phishing messages from being delivered:
Filtering: Use mail filtering such as Proofpoint's MLX filters, which apply structural tests and malicious-content detection. Examine the context and content of messages with URL detection technology, and set filtering rules targeted at phishing.
Authentication: Phishers prefer to spoof domains that are not protected. To reduce spam and prevent spoofing, the domain owner should set up email authentication following the provider's help pages for SPF, DKIM and DMARC.
Never respond to emails about personal financial information: Banks and legitimate e-commerce companies personalise their emails; phishers generally do not, and instead rely on urgent, sensational wording ("urgent", "update required"). Reputable companies such as banks never ask for a username and password by email without prior contact. Domain owners should also publish Sender Policy Framework (SPF) records: SPF works by publishing a DNS TXT record that lists the servers authorised to send mail for the domain, so that a receiving server can check the connecting sender against it. It is a valuable anti-forgery measure for the envelope sender, and becomes effective against forged From: headers only when combined with DKIM and a DMARC policy.
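The following added example (written for this page; not code from the cited sources or from any mail product) evaluates SPF against constructed DNS records and then applies DMARC's alignment test. It makes the email-spoofing weakness described earlier concrete: the attacker's own envelope domain passes SPF, but the From: header the user sees does not align with it, and only the DMARC step catches that. The domains, IP addresses and messages are invented for illustration; only the ip4, include and all mechanisms are implemented, and DKIM is left out.

```python
"""Minimal SPF evaluation and DMARC identifier alignment (added example).

Shows why SPF alone does not stop a forged From: header: SPF is evaluated on
the envelope sender (SMTP MAIL FROM), which the attacker controls and can
point at a domain whose SPF record authorises the attacker's own server.
DMARC closes the gap by requiring the authenticated domain to align with the
From: header the user sees. DNS records, addresses and messages below are all
constructed for illustration; DKIM is omitted for brevity.
"""
import ipaddress
from email.utils import parseaddr

# Constructed DNS TXT records (in reality fetched with a DNS lookup).
DNS_TXT = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:192.0.2.10 -all",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, dns: dict = DNS_TXT, depth: int = 0) -> str:
    """Evaluate the ip4, include and all mechanisms of a domain's SPF record.

    Other mechanisms (a, mx, ptr, exists) and the redirect= modifier are
    ignored here, which is a simplification, not full RFC 7208 behaviour.
    """
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                       # RFC 7208 caps DNS-querying terms
        return "permerror"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIER[qual]
    return "neutral"


def domain_of(address: str) -> str:
    """Domain part of an address, ignoring any display name."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def org_domain(address: str) -> str:
    """Organisational domain (last two labels; real DMARC uses the PSL)."""
    return ".".join(domain_of(address).split(".")[-2:])


def evaluate_message(msg: dict) -> dict:
    """Apply SPF to the envelope sender, then DMARC's relaxed SPF alignment."""
    spf = check_spf(domain_of(msg["mail_from"]), msg["client_ip"])
    aligned = org_domain(msg["mail_from"]) == org_domain(msg["header_from"])
    dmarc = "pass" if spf == "pass" and aligned else "fail"
    return {"spf": spf, "aligned": aligned, "dmarc": dmarc}


# Constructed messages: what the receiving MTA sees at SMTP time.
SPOOFED = {
    "client_ip": "203.0.113.5",
    "mail_from": "bounce@attacker.example",               # envelope sender
    "header_from": "Bank Security <alerts@bank.example>",  # what the user sees
}
LEGIT = {
    "client_ip": "192.0.2.10",
    "mail_from": "noreply@bank.example",
    "header_from": "Bank <noreply@bank.example>",
}

if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, evaluate_message(msg))
```

In the spoofed case SPF returns "pass" because the attacker published a record for attacker.example that authorises 203.0.113.5; nothing in SPF relates that result to bank.example. The receiver only rejects the message if bank.example publishes a DMARC policy (p=reject or p=quarantine) and the receiver enforces the alignment check shown in evaluate_message.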
Checking the security of a website: Before submitting bank details, check the website's security. The following steps protect personal data:
Type the web address into the browser's address bar yourself rather than following a link in an email. Check that the site is served over a secure connection, i.e. that the address starts with https:// rather than http:// (HTTPS is HTTP over TLS).
Check for the lock icon in the address bar or the browser's status bar and, by hovering the cursor over it, the encryption strength expressed in bits.
Understand that the website must use encryption when sending data.
To protect against cross-site scripting (XSS) on the website itself, the site operator (not the end user) should use an output-encoding library such as the PHP AntiXSS library, which adds an extra layer of protection. Jansson & Von Solms (2013) note that it automatically detects the encoding to be filtered; its xss_clean.php filter is a strong filter that cleans a wide range of URL encodings and nested exploits. The operator should also set the HttpOnly flag on session cookies, which prevents scripts running in the page from reading them and so limits session theft through XSS.
This study has given an overview of phishing. As internet use grows, so does the chance of attack. The report described three types of phishing: spear, clone and phone. Spear phishers sent fake subpoenas with an attachment carrying malware; through cloned email they can harvest information about the receiving computers. It then explained four phishing techniques: web spoofing, email spoofing, link manipulation and PDF document phishing; described anti-phishing measures under the headings of social, technical and legal response; and set out the steps users can take to protect themselves.
Dodge, R., & Futcher, L. (2013). Information assurance and security education and training. Berlin: Springer.
Jakobsson, M., & Myers, S. (2007). Phishing and countermeasures. Hoboken, N.J.: Wiley-Interscience.
Maurer, M., & Huaymann, H. (2014). Counteracting phishing through HCI. München: Universitätsbibliothek der Ludwig-Maximilians-Universität.
Roughan, M., & Chang, R. (2013). Passive and active measurement. Berlin: Springer.
Agarwal, N., Renfro, S., & Bejar, A. (2007). Phishing forbidden. Queue, 5(5), 28.
Huang, H., Qian, L., & Wang, Y. (2012). A SVM-based Technique to Detect Phishing URLs. Information Technology J., 11(7), 921-925.
Jansson, K., & von Solms, R. (2013). Phishing for phishing awareness. Behaviour & Information Technology, 32(6), 584-593.
Jingguo W., Herath, T., Rui Chen, Vishwanath, A., & Rao, H. (2012). Research Article Phishing Susceptibility: An Investigation Into the Processing of a Targeted Spear Phishing Email. IEEE Trans. Profess. Commun., 55(4), 345-362.
Wenyin, L., Liu, G., Qiu, B., & Quan, X. (2012). Antiphishing through Phishing Target Discovery. IEEE Internet Comput., 16(2), 52-61.
Yearwood, J., Mammadov, M., & Webb, D. (2011). Profiling phishing activity based on hyperlinks extracted from phishing emails. Soc. Netw. Anal. Min., 2(1), 5-16.
Anti-abuse.org. (2015). Phishing: General Information | The Anti-Abuse Project. Retrieved 20 January 2015, from https://www.anti-abuse.org/phishing-general-information/
Utdallas.edu. (2015). Information Security – The University of Texas at Dallas. Retrieved 20 January 2015, from https://www.utdallas.edu/infosecurity/Phishing.html
Cs.arizona.edu. (2015). Retrieved 20 January 2015, from https://www.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic5-final/report.pdf
Custom Web Development, C. (2015). IT: Example of “Phishing” Email. It.cornell.edu. Retrieved 20 January 2015, from https://www.it.cornell.edu/security/phish.cfm?doc=573
Itservices.stanford.edu, (2015). Recent examples of phishing | IT Services. Retrieved 20 January 2015, from https://itservices.stanford.edu/phishing
Shi, J., & Saleem, S. (2015). Phishing (1st ed., pp. 2-11). Retrieved from https://www.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic5-final/report.pdf