Phishing Attacks And Their Potential Impacts


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Phishing is the act of trying to obtain information such as user credentials (usernames, passwords) or credit card details by posing as a trustworthy entity in an electronic communication. These communications can appear to come from well-known, publicly used web sites such as social, online payment or auction sites. Phishing messages often carry malicious content: for example, emails may contain infected links and may carry malware (Provos, 2012).

Phishing mainly uses email spoofing (Dawes, 2012) or instant messaging (Tan, 2006) as its carrier and can direct users to fake websites. These fake websites look almost identical to the original website, which is how users get fooled (Microsoft, 2012). Phishing attacks are considered a good example of social engineering methods that deceive users and exploit weak web security in applications. As phishing attacks increase, there is a need for public awareness, training and appropriate countermeasures to avoid such situations (Josang et al., 2007).

Phishing is one of the newer crimes compared with hacking and viruses, and it is becoming one of the more common and popular attacks. It has therefore become a severe web privacy and security issue that could cause huge damage and negative impacts in many areas of society. Phishing can lead to substantial financial loss for its victims or to leaks of users' personal information, and these trends have affected users' confidence in the web. This is why ISPs (Internet service providers) need to implement anti-phishing techniques and methods to protect users (Zhang et al., 2007).

The following is a list of phishing techniques:

i. Phishing is the act of trying to obtain information such as user credentials (usernames, passwords) or credit card details by posing as a trustworthy entity in an electronic communication (Basnet et al., 2008).

ii. Spear phishing is a type of phishing that always targets specific users or organizations. In it, attackers try to gain personal information about the users they target (Darwish et al., 2012).

iii. Clone phishing is another type of phishing in which a legitimate, previously delivered email is modified so that it contains malicious code or data while otherwise remaining identical to the original email, and is then sent to a user so that it appears to come from the original sender (Basnet et al., 2008).

iv. Whaling is another phishing attack that targets high-profile users such as senior executives to gain their personal information and identities (Basnet et al., 2008).

Phishing attacks have been a major concern for users' privacy. By combining website forgery and social engineering techniques, phishing attacks can spoof the identity of any company, such as a bank site, and trick Internet users into revealing private or confidential information like login credentials or credit card information. In perfect attacks (attacks that are difficult to detect) it is very hard for users to judge whether a website is legitimate, because the logos, images, structure and so on are similar. However, a user who examines the website carefully can tell from the URL displayed in the address bar whether it is the usual website. Other types of phishing attacks, such as pharming attacks, are difficult to detect since the legitimate website and the visited URL are very similar. This type of attack aims to corrupt DNS information so that users are redirected to a fraudulent website that stays under the control of the attacker (Gastellier-Prevost et al., 2011).

II. Objectives of the project

Aim of the project: This project aims to study different types of phishing attacks and to demonstrate the various defenses that can be applied to prevent such attacks.

Objectives:

Researching the subject.

Study the different types and classes of phishing attacks.

Study and research the various defenses and strategies that can be applied to prevent phishing attacks.

Critically evaluate and conclude the research study on the attacks and countermeasures.

II. LITERATURE REVIEW

Web page phishing detection can use the same methods that are used for plagiarism detection, and the evaluation techniques are likewise used for anti-phishing approaches.

Liu et al. (2006) proposed an assessment method based on visual similarity between web pages, introducing a visual approach to phishing detection built on the DOM (Document Object Model). The solution first decomposes each web page into visually distinguishable block regions. It then evaluates the similarity of the web pages using three metrics: layout similarity, block-level similarity and overall style similarity (Liu et al., 2006).

Web Wallet (Wu et al., 2006) provides an authentication interface. Once it detects a login page, it prompts users to point to the login page explicitly. If the intention matches the current site, it automatically fills in the input fields on the web page; otherwise a warning is issued to the user. The idea behind Web Wallet has been kept simple: once it detects a login page, it can help prevent users from entering any credential information into it. Web Wallet was able to provide secure authentication to users.

PHONEY is an email phishing detection system that mimics user responses, supplying fake responses to suspicious websites that request confidential and critical information. The responses from those websites are then forwarded to a decision engine for further analysis (Chandrasekaran et al., 2006).

Email is one of the ways phishers reach their victims, for which they send spam emails to victims' accounts. At the email level, anti-phishing filters such as PILFER (Fette et al., 2007), SpamAssassin (SpamAssassin, 2011) and Spamato (Albrecht et al., 2005) can help fight phishing. These tools use predefined rules and settings to analyze all emails and filter out phishing emails. Browsers offer protection as well: Internet Explorer (Microsoft, 2005) has a phishing website filter, Firefox has safe browsing (Mozilla, 2007), and the Netcraft toolbar (Netcraft, 2007) is used as a blacklist detection system for website anti-phishing.

SpoofGuard (Chou et al., 2004) is a phishing detection system that works on signature and rule filters such as the host name, the images used within the website and the URL to detect phishing websites. CANTINA (Zhang et al., 2007), however, uses the TF-IDF algorithm to assess the keywords in the current web page and then submits these keywords to Google to decide whether the website is a phishing site.
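The TF-IDF-plus-search idea described for CANTINA, sketched as an added example (not code from this essay or from the CANTINA authors). The background corpus, page text, hostnames and the `fake_search` stand-in for the Google lookup are all constructed assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed background corpus, used only to estimate document frequencies.
BACKGROUND = [
    "welcome to our online store sign in to view your orders",
    "sign in to your account to read the latest news and weather",
    "your account password can be reset from the settings page",
    "examplebank online banking sign in to your examplebank account",
]

def tokens(text):
    return re.findall(r"[a-z]{3,}", text.lower())

def top_terms(page_text, corpus, k=3):
    """Return the k highest-scoring TF-IDF terms of page_text."""
    docs = [set(tokens(d)) for d in corpus]
    tf = Counter(tokens(page_text))
    total = sum(tf.values())
    def score(term):
        df = sum(term in d for d in docs)
        idf = math.log((1 + len(docs)) / (1 + df)) + 1.0  # smoothed IDF
        return (tf[term] / total) * idf
    # Ties are broken alphabetically so the result is deterministic.
    return sorted(tf, key=lambda t: (-score(t), t))[:k]

def fake_search(terms):
    """Hypothetical stand-in for the search-engine lookup (constructed index)."""
    index = {"examplebank": ["examplebank.example", "news.example"]}
    hits = []
    for term in terms:
        hits.extend(index.get(term, []))
    return hits

def looks_like_phish(url, page_text, corpus=BACKGROUND):
    """Flag a page whose own host is absent from the results for its keywords."""
    host = urlparse(url).hostname or ""
    results = fake_search(top_terms(page_text, corpus))
    # An empty result list also flags the page: nothing vouches for the host.
    return not any(host == d or host.endswith("." + d) for d in results)

# Constructed page text imitating a bank login page.
PAGE = ("ExampleBank secure login. Enter your ExampleBank username and "
        "password to access ExampleBank online banking.")
```

The same page text is accepted when served from `www.examplebank.example` and flagged when served from `examplebank.secure-login.example`, because only the first host matches a domain returned for the page's own keywords.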

III. PROJECT PLAN

This is the plan for the research project, estimated as a 69-day effort scheduled to be completed by 24th May 2013. This Gantt chart displays the breakdown of all the objectives of the project that will be accomplished as per the proposed plan.

IV. Progress on project

The following is the progress of the project against its objectives.

Aim and objectives (with status):

1. Research on subject: done
2. Proposal document: done
3. Document the Classification of Phishing attacks: done
4. Document the Phishing attacks and their potential impacts: In-progress
5. Document the Detection of Phishing attacks: In-progress
6. Document the Defenses against the phishing attacks: Pending
7. Document the Critical analysis of Phishing attacks and their defenses: Pending
8. Document the Conclusions and Future work: Pending

V. THESIS REPORT AND ORGANISATION

This project will focus on phishing attacks and defenses, and the thesis will include the following chapters.

Chapter-1: Introduction

This chapter will present the introduction to the topic chosen for the project, covering aspects such as background/history and the purpose of the research, with the aims and objectives of the project.

Chapter-2: Literature review

This chapter will present the previous work done on phishing attacks and defenses. It will discuss the current literature produced by other researchers.

Chapter-3: Classification of Phishing attacks

This chapter will present the research on the latest phishing attacks that are being used to deceive users. It will also cover the different phishing attacks that are active and which domains/web applications are most vulnerable to them.

Chapter-4: Phishing attacks and their potential impacts

This chapter will cover some of the critical and known phishing attacks that are active these days, with the potential impacts they have on infrastructure. It will also present a detailed analysis of the most active phishing attacks.

Chapter-5: Detection of Phishing attacks

This chapter will discuss the different detection mechanisms used in the field for tracking and identifying phishing attacks, and how effective these solutions are at detecting them.

Chapter-6: Defenses against the phishing attacks

This chapter will cover the different defenses that can be applied as countermeasures against phishing attacks. It will also discuss the different aspects and techniques to apply against general or specific phishing attacks.

Chapter-7: Critical analysis of Phishing attacks and their defenses

This chapter will give a critical analysis of, and reflection on, the work done on phishing attacks, their detection, and the countermeasures applied as defense mechanisms against them.

Chapter-8: Conclusions and Future work

This chapter will conclude the work done, with critical findings or evaluation of the work. It will also give recommendations for future work on phishing attacks and defenses.

VI. REFERENCES

Dawes, A. (2012). Landing another blow against email phishing. Available at: http://gmailblog.blogspot.co.uk/2012/01/landing-another-blow-against-email.html. Accessed: 27th March 2013.

Provos, N. (2012). Safe Browsing - Protecting Web Users for 5 years and Counting. Available at: http://googleonlinesecurity.blogspot.co.uk/2012/06/safe-browsing-protecting-web-users-for.html. Accessed: 25th March 2013.

Josang, A., Alfayyadh, B., Grandison, T., Alzomi, M. and Mcnamara, J. (2007). Security Usability Principles for Vulnerability Analysis and Risk Assessment. Proceedings of the Annual Computer Security Applications Conference. Available at: http://www.almaden.ibm.com/cs/projects/iis/hdb/Publications/papers/ACSAC2007.pdf. Accessed: 3rd April 2013

Microsoft. (2012). What is social engineering?. Available at: http://www.microsoft.com/en-gb/security/resources/socialengineering-whatis.aspx. Accessed: 2nd April 2013

Tan, K.Y. (2006). Phishing and Spamming via IM (SPIM). Available at: https://isc.sans.edu/diary/Phishing+and+Spamming+via+IM+(SPIM)/1905. Accessed: 1st April 2013.

Gastellier-Prevost, S., Granadillo, G.G. and Laurent, M. (2011). A dual approach to detect pharming attacks at the client-side. 4th IFIP International Conference on New Technologies, Mobility and Security (NTMS). Pages: 1-5.

Basnet, R.B., Mukkamala, S. and Sung, A. H. (2008). Detection of phishing attacks: A machine learning approach. Prasad, B. ed. Studies in Fuzziness and Soft Computing. Vol. 226. Pages: 373-383.

Zhang, Y., Hong, J., and Cranor, L. (2007). CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. Proc. Alberta, Canada.

Darwish, A., Zarka, A.E. and Aloul, F. (2012). Towards Understanding Phishing Victims' Profile. International Conference on Computer Systems and Industrial Informatics (ICCSII). Pages: 1-5.

Liu, W., Deng, X., Huang, G. and Fu, A. Y. (2006). An Anti-Phishing Strategy based on Visual Similarity Assessment. IEEE Internet Computing. Vol. 10, No. 2. Pages: 58-65.

SpamAssassin. (2011). The Apache SpamAssassin Project. Available at: http://spamassassin.apache.org/.

Albrecht, K., Burri, N. and Wattenhofer, R. (2005). Spamato—An Extendable Spam Filter System. 2nd Conference on Email and Anti-Spam (CEAS), Stanford University, California, USA.

Chandrasekaran, M., Chinchain, R., and Upadhyaya, S. (2006). Mimicking user response to prevent phishing attacks. IEEE International Symposium on a World of Wireless, Mobile, and Multimedia networks.

Chou, N., Ledesma, R., Teraguchi, Y., Boneh, D. and Mitchell, J. C. (2004). Client-side defense against web-based identity theft. Proceedings of 11th Annual Network and Distributed System Security Symposium.

Fette, I., Sadeh, N. and Tomasic, A. (2007). Learning to detect phishing emails. Proceedings of the 16th international conference on World Wide Web. Pages: 649–656.

Microsoft. (2005). Anti-phishing white paper. Technical report, Microsoft.

Mozilla. (2007). Phishing protection. Available at: http://www.mozilla.com/en-US/firefox/phishing-protection/.

Netcraft. (2007). Available at: http://toolbar.netcraft.com/.

Zhang, Y., Hong, J. I. and Cranor, L. F. (2007). Cantina: a content-based approach to detecting phishing web sites. Proceedings of 16th international conference on World Wide Web. Pages: 639–648.

Wu, M., Miller, R. C. and Little, G. (2006). Web wallet: preventing phishing attacks by revealing user intentions. Pages: 102–113.

VII. APPENDIX

a. Proposal document

b. Ethics form


