
Phishing Attacks and Countermeasures

Background
Phishing is a fraudulent attempt, usually made through email, to steal your personal information.
The best way to protect yourself from phishing is to learn how to recognize a phish.

Phishing emails usually appear to come from a well-known organization and ask for your
personal information such as credit card number, social security number, account number or
password. Oftentimes phishing attempts appear to come from sites, services and companies
with which you do not even have an account.

In order for Internet criminals to successfully "phish" your personal information, they must get
you to go from an email to a website. Phishing emails will almost always tell you to click a link
that takes you to a site where your personal information is requested. Legitimate organizations
would never request this information of you via email.

Types of Phishing Attacks

Deceptive Phishing. The term "phishing" originally referred to account theft using
instant messaging, but the most common broadcast method today is a deceptive email
message. Messages about the need to verify account information, system failure requiring users
to re-enter their information, fictitious account charges, undesirable account changes, new free
services requiring quick action, and many other scams are broadcast to a wide group of
recipients with the hope that the unwary will respond by clicking a link to, or signing onto, a bogus
site where their confidential information can be collected.

Malware-Based Phishing refers to scams that involve running malicious software on
users' PCs. Malware can be introduced as an email attachment, as a downloadable file from a
web site, or by exploiting known security vulnerabilities, a particular issue for small and medium
businesses (SMBs) that are not always able to keep their software applications up to date.

Keyloggers and Screenloggers are particular varieties of malware that track keyboard
input and send relevant information to the hacker via the Internet. They can embed themselves
into users' browsers as small utility programs known as helper objects that run automatically
when the browser is started as well as into system files as device drivers or screen monitors.

Session Hijacking describes an attack where users' activities are monitored until they
sign in to a target account or transaction and establish their bona fide credentials. At that point
the malicious software takes over and can undertake unauthorized actions, such as transferring
funds, without the user's knowledge.

Web Trojans pop up invisibly when users are attempting to log in. They collect the
user's credentials locally and transmit them to the phisher.

Hosts File Poisoning. When a user types a URL to visit a website it must first be
translated into an IP address before it's transmitted over the Internet. The majority of SMB
users' PCs running a Microsoft Windows operating system first look up these "host names" in
their "hosts" file before undertaking a Domain Name System (DNS) lookup. By "poisoning" the
hosts file, hackers have a bogus address transmitted, taking the user unwittingly to a fake "look
alike" website where their information can be stolen.

System Reconfiguration Attacks modify settings on a user's PC for malicious
purposes. For example, URLs in a favorites file might be modified to direct users to look-alike
websites, e.g. a bank website URL may be changed from "bankofabc.com" to "bancofabc.com".

Data Theft. Unsecured PCs often contain subsets of sensitive information stored
elsewhere on secured servers. PCs are certainly used to access such servers and can be more
easily compromised. Data theft is a widely used approach to business espionage. By stealing
confidential communications, design documents, legal opinions, employee-related records,
etc., thieves profit by selling them to competitors or to those who want to embarrass the victim
or cause economic damage.

DNS-Based Phishing ("Pharming"). Pharming is the term given to hosts file
modification or Domain Name System (DNS)-based phishing. With a pharming scheme,
hackers tamper with a company's hosts files or domain name system so that requests for URLs
or name service return a bogus address and subsequent communications are directed to a fake
site. The result: users are unaware that the website where they are entering confidential
information is controlled by hackers and is probably not even in the same country as the
legitimate website.

Content-Injection Phishing describes the situation where hackers replace part of the
content of a legitimate site with false content designed to mislead or misdirect the user into
giving up their confidential information to the hacker. For example, hackers may insert malicious
code to log user's credentials or an overlay which can secretly collect information and deliver it
to the hacker's phishing server.

Man-in-the-Middle Phishing is harder to detect than many other forms of phishing. In
these attacks hackers position themselves between the user and the legitimate website or
system. They record the information being entered but continue to pass it on so that users'
transactions are not affected. Later they can sell or use the information or credentials collected
when the user is not active on the system.

Search Engine Phishing occurs when phishers create websites with attractive (often
too attractive) sounding offers and have them indexed legitimately with search engines. Users
find the sites in the normal course of searching for products or services and are fooled into
giving up their information. For example, scammers have set up false banking sites offering
lower credit costs or better interest rates than other banks. Victims who use these sites to save
or make more from interest charges are encouraged to transfer existing accounts and deceived
into giving up their details.

Countermeasures for Phishing

1. Auto-Generate Domain-Specific Password

Many researchers have developed a mechanism in which, when you enter your username and
password, the password is transparently turned into a domain-specific password. The basic
idea is to hash the password with a secret key together with the website's domain name. The
domain name is essential because it ties the resulting password to that one domain [1].

Even if the user uses the same password at every site, this mechanism changes it per domain,
so it becomes really hard for an attacker to obtain a usable password: the derived password is
unique and long, which would be hard to remember.
Advantages:
1. Looks cool.
2. Works fine on a theoretical basis.
Disadvantages:
1. Practical implementation is quite difficult.
2. Many banks use multiple domains and sub-domains.
3. Some sites force the user to use a password with a combination of uppercase, lowercase,
and symbols.
4. It's a static solution: if a user travels without his/her laptop, then this mechanism is no longer
available. He/she has to carry the device everywhere.
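One way to build such a domain-specific password, as an added example (not the mechanism from [1] or any product's code): the master password and a device secret key HMAC the registered domain, and a deterministic tail covers the character classes some sites insist on, which speaks to disadvantages 2 and 3 above. The public-suffix list, the key derivation and the output format are assumptions of this example.

```python
import base64
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Assumption (not from the page): a tiny public-suffix list used to reduce a
# host such as "online.bankofabc.com" to its registered domain, so that all of
# a bank's sub-domains derive the same site password.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def registered_domain(url: str) -> str:
    """Return the registrable domain (e.g. bankofabc.com) for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Try the two-label suffix (co.uk) before the one-label suffix (com).
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def domain_password(master: str, secret_key: bytes, url: str, length: int = 16) -> str:
    """Derive a site-specific password from the master password, a device
    secret and the registered domain; identical inputs always give the same
    output, and a look-alike domain gives an unrelated one."""
    domain = registered_domain(url)
    # Simplified key derivation for the example; a real tool would use a slow
    # KDF (scrypt/Argon2) here so that captured outputs resist brute force.
    key = hashlib.sha256(secret_key + master.encode()).digest()
    digest = hmac.new(key, domain.encode(), hashlib.sha256).digest()
    # Base64 yields upper, lower and digits; map '+' and '/' to symbols.
    chars = base64.b64encode(digest).decode().rstrip("=")
    chars = chars.replace("+", "!").replace("/", "#")
    body = chars[: length - 4]
    # Deterministic tail guarantees one char of every class that strict
    # password policies demand (uppercase, lowercase, digit, symbol).
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!#$%"]
    tail = "".join(cls[digest[-(i + 1)] % len(cls)] for i, cls in enumerate(classes))
    return body + tail
```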
2. Specific Applications
Here I am going to describe one scenario that happened back in the 1980s. Many corporate
banking systems use some back-up operating system on a portable device such as a CD or
DVD. That device contains their own piece of the operating system. Let's suppose this is a
matter of administration, but if the bank is providing any kind of mobile or desktop application to
use their bank service, it can be a worthwhile target for attack. All the attacker needs to do is
tell their victim: "Apply our latest upgraded application in order to secure your transactions."
The best way to protect against this is a low-cost SSL certificate. This protocol supports
certificates for both servers and clients. To find more on this topic, you may visit the link given in
the references. SSL has two main functions: first, to check the real identity of the certificate
holder and, second, to encrypt and pass data between the client and server. So if SSL is
used, there is very little chance that the phisherman will get his/her victim. The server's
certificate identifies the website that you are visiting through your browser application. The client
certificate is used for the verification and authentication process. Then the data transport
process gets started.
Advantages:
1. It is not end-to-end security.
2. It is not a bullet-proof secure mechanism.
Disadvantages:
1. The process of certificate management is tedious to handle.
2. Researchers have implemented JavaScripts that can fool browser applications.
3. Malware can steal the information about the certificate.

4. In the very worst-case scenario, a phisherman may manage to convince his/her victim that
"Your certificate expired, so give it back to us for secure demolition."
3. Web Browsers' Password Database
In this type of mechanism, random passwords are generated and stored in the browser. It has
more advantages than the first method of hashing passwords. It is more secure, as the
browser will only give the credentials to the right URL. So, for instance, if I saved the password
for my website www.chintangurjar.com, then it will pass these credentials only if this URL
appears. If anything changes in the URL, it won't pass credentials. Firefox has a mechanism
that stores passwords after encrypting them, but this feature is not on by default, so many people
won't even use it.
Advantages:
1. It's easy to implement.
2. No specialized or purchased software is needed.
Disadvantages:
1. It doesn't work fully with subdomains. If I have saved a password for
www.chintangurjar.com and I want to log in through subdomain.chintangurjar.com, it
won't allow me to pass credentials through this URL.
2. Even here, passwords are stored in plain text, so there is always a fear of password theft
via malware, a RAT, or other suspicious activity.
4. Virtual Keyboards
This mechanism was the favorite mechanism for organizations and individuals back in the
1990s. Rather than using the traditional hardware keyboard, people used a virtual keyboard that
appeared on the screen.

People and some banking organizations assumed that attackers won't be able to capture their
keyboard activity. This mechanism has been defeated by attackers. Nowadays they have
methods to capture the screen as well as the virtual keyboard.
5. Educating Your People
Many organizations conduct seminars and workshops on ethical hacking and Internet security in
order to educate their employees. This can be a quality step towards security awareness,
though many of their employees may not take it seriously and may not follow the instructions
given at the workshop/seminar. Those kinds of employees can be a potential target of
attackers/phishers.
There are some methods of educating your employees that we can think about. Logical
awareness has to be built. First, employees were given instructions to check the English. In
response, the bad guys started writing professional English that is really more than 95% identical
to the original website. Thus victims got exploited. Then phishers started to use the lock symbol,
keeping in mind that, even if some clever employee/person knows about SSL, he/she can be
trapped. Phishers have done this by forging the symbol: they put lock icons in the URL bar
(as the favicon) of the web pages. Banks started showing the last four digits of the credit card or
other bank account detail; in response to that, attackers also started showing the first four digits
of those numbers, which are constant in the card details provided by any bank. Thus people got
exploited again.
Mitigations: Logical awareness has to be raised. Customers have to think on their own about
whether something is legal and legitimate or a fake. When this awareness rises within them,
there won't be any need for workshops or seminars for ethical hacking awareness.
6. Phishing Scam Alert Add-ons/Extensions
Many organizations have built toolbars that use a ton of problem-discovering and -solving
methods to determine whether a URL is fake or not. Even Microsoft used this feature, built in
to Internet Explorer 7. The concept is like this. If the user visits any known fake/phishing URL,
then that toolbar turns red. If the site is merely a suspected phishing or fake site, then it turns
yellow. Nowadays some websites use extended validation. This is a new type of certificate that
is sold to the website only after its credentials have been checked very carefully. If a
browser toolbar finds this type of website, then it turns green.
The first method has already been broken by researchers. It was presented in a research paper
whose link is mentioned in the references [8]. That is a very unconventional and unusual
semi-technical method for breaking into the victim's mind. It uses a picture-in-picture method.
Here the phisher displays a picture of the browser with a green toolbar so that the user thinks it
is safe to visit, and thus he/she is exploited.

As you can clearly see, the malicious URL is not https://www.paypal.com/uk, which is inside
the browser's top window, but the one displayed in the log-in window. The attacker also puts the
favicon and outside logo there to prove the legitimacy of his work. Thus, people think that this is
the real page, they log in to the website and their credentials are compromised. The second
scenario, extended validation, can be broken by URL manipulation. Attackers use an
almost identical URL and they buy their own certificate and install it on their server. Now the
URL of the phishing site and the original site are almost identical, as shown below:
Original Site: www.chintanwov.com
Phishing Site: www.chintanvvov.com
As you can see, in the first URL it's "wov" and in the second URL the attacker put "vvov"; "vv"
looks like "w", so the client thinks that it's a genuine website and logs in. That is how their
credentials get stolen and they get exploited. These types of phishing sites are called dodgy
sites.
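The two failure points above, the browser store of method 3 matching only the exact origin and the "vv" for "w" look-alike domain, can both be checked before any credentials are filled. The following is an added example, not code from the page or from any browser; the saved origins and the confusable pairs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed set of origins the user has saved credentials for (assumption).
SAVED_ORIGINS = {
    "https://www.chintangurjar.com",
    "https://www.chintanwov.com",
    "https://www.paypal.com",
}

# Character sequences that look alike in common browser fonts (assumption).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"), ("5", "s")]


def origin(url: str) -> str:
    """scheme://host[:port], the unit a browser password store matches on."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = f":{u.port}" if u.port and u.port not in (80, 443) else ""
    return f"{u.scheme.lower()}://{host}{port}"


def skeleton(host: str) -> str:
    """Collapse confusable sequences so a look-alike host maps onto the
    string of the host it imitates (applied to both sides of a comparison)."""
    s = host.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def classify(url: str) -> str:
    """'saved'     : exact origin match, credentials may be filled
       'lookalike' : origin differs but its skeleton equals a saved host (warn)
       'unknown'   : nothing saved for this origin (e.g. a sub-domain)"""
    o = origin(url)
    if o in SAVED_ORIGINS:
        return "saved"
    host = urlsplit(o).hostname or ""
    saved_skeletons = {skeleton(urlsplit(s).hostname) for s in SAVED_ORIGINS}
    if skeleton(host) in saved_skeletons:
        return "lookalike"
    return "unknown"
```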
7. 2FA: Two-Factor Authentication
Two-factor authentication is also known as 2FA, two-step verification, or multi-factor
authentication. It requires not only a username and password, but also some piece of
information that only the user knows. That piece of information is known as a physical token.
Using traditional credentials along with the physical token makes it very hard for a phisher to
exploit his/her victim.
The concept of two-factor authentication is explained in the picture below. Let's suppose you are
going to access a VPN website. (1) Here the first authentication is done via traditional
credentials such as username and password. This is called primary authentication. (2) Then the
domain controller calls the user's mobile phone or any other device (mobile is a standard
device that all users will have) and sends a token code or an automated call. (3) Then it
checks for the right identity. (4) If the credentials are verified, the user will be given authorization
to access the VPN, as shown in the picture below.

In the UK, some banks are using two-factor authentication, but not in this traditional mobile
token way. They have given their customers password calculators that have multiple functions,
such as generating a real-time security code to log in to the customer's account and even to
make a transaction.
Let's take a real-life scenario from the UK. One of the top famous banks, Barclays, uses a small
device called PINsentry. Each device is registered with a unique card that is given to their
customers. The device looks like this:

If you want to log in to your online Barclays account, you need to give your basic details such as
your last name and card number. Once you click on "Login", it will ask you for the security code.
Now you need to verify your identity by inserting your card into the PINsentry and pressing
"Identify". Enter your secret PIN and it will generate a random number. Once you type that
number on the website, it will allow you to log in. Now if a phisher stole this device and put his
card into it, it would flash the message shown in the picture below:

If a customer wants to make a payment, it will also ask for a security code, which you will have
to get from this device. Not only that, but it will also ask you to input the exact amount of
money that you have already entered on the website. If both figures match, you will be allowed to
make the transaction.
This is how two-factor authentication works. No doubt it's very effective and promisingly secure.
However, going through all these steps just to log in is a tedious, time-consuming process
from the customer's point of view.
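The transaction-signing step described above can be modelled as an HMAC one-time code that binds the amount and payee, so a code relayed through a phishing page cannot authorise a different payment. This is an added illustration in the PINsentry style, not Barclays' protocol or code; the card secret, PIN, time step and message format are all assumptions.

```python
import hashlib
import hmac

# Constructed values (assumptions): a real card keeps its secret and PIN inside
# the chip; here they are module constants so the example runs offline.
CARD_SECRET = b"constructed-card-secret-0001"
CARD_PIN = "1234"
STEP = 30      # seconds a code stays valid
DIGITS = 8


def _truncate(secret: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message, dynamically truncated to DIGITS digits."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


def _message(mode: str, counter: int, amount_pence: int, payee: str) -> bytes:
    # "identify" covers only the time slot; "sign" also binds amount and payee,
    # so a captured signing code is useless for any other transaction.
    if mode == "identify":
        amount_pence, payee = 0, ""
    return f"{mode}|{counter}|{amount_pence}|{payee.strip().lower()}".encode()


def device_code(pin: str, mode: str, now: float, amount_pence: int = 0, payee: str = ""):
    """Card-reader side: refuse on a wrong PIN, otherwise emit the code."""
    if not hmac.compare_digest(pin, CARD_PIN):
        return None
    return _truncate(CARD_SECRET, _message(mode, int(now // STEP), amount_pence, payee))


def bank_verify(submitted, mode: str, now: float, amount_pence: int = 0, payee: str = "") -> bool:
    """Bank side: recompute with the amount/payee the customer entered on the
    website; the current and the previous time slot are accepted for drift."""
    if submitted is None:
        return False
    for t in (now, now - STEP):
        msg = _message(mode, int(t // STEP), amount_pence, payee)
        if hmac.compare_digest(_truncate(CARD_SECRET, msg), submitted):
            return True
    return False
```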
8. TPM Chip: Trusted Computing Mechanism
This mechanism is set up by TPM chips, short for Trusted Platform Module. If two computers
are doing regular transactions, then this chip is physically placed on the motherboard to tie them
together.

As you can see from the diagram, this whole mechanism can be implemented on a single chip.
However this mechanism has a portability/roaming problem. Roaming cannot be done easily on
these devices.

This chip is placed on an endpoint device that stores an RSA key. It makes an RSA key pair that
is saved within the chip and cannot be accessed by any software. The SRK (storage root key) is
generated only when the system administrator accesses the computer. There is a second key,
known as the AIK (attestation identity key). It is there to protect the chip from unauthorized
access. They create hashes. If the system wants to connect to the network or end device, it
passes the hash and gets verified by the network or another end device. If the match fails,
access is denied. This is how it gives complete bullet-proof security against phishing.
9. Encrypted Key Exchange Process: Preventing Dictionary Attacks
Many researchers came up with a new authentication protocol. They implemented a series of
protocols for encrypted key exchange. The key is generated from the shared password, and
this takes place in such a way that the phisher (as the man in the middle) can't guess it.
Those protocols were awkward to implement and use, and they were also too time-consuming.

Major Issues (Problems, Concerns & Questions)


Examples
References
https://www.phishtank.com/what_is_phishing.php
http://www.pcworld.com/article/135293/article.html
https://www.grc.com/sqrl/phishing.htm (more countermeasures)
http://www.infoworld.com/article/2865821/security/prevent-phishing-attacks-viaopendns-minority-report-style.html (good read and latest countermeasure)
http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
http://computer.howstuffworks.com/phishing.htm
