
ADVANCED E-SECURITY

PREFACE

Phishing is the sending of an e-mail to a user, falsely claiming to be from an established
enterprise, in order to scam the user into submitting private information that will be used for
identity theft. This kind of e-mail directs the user to visit a Web site where they are asked to
update personal information and other important security details. The Web site, however, is
designed and set up only to steal the user’s data.

I have chosen this research title because I used to receive around 300 mails per
day; out of these, 200 mails are scams and phishing mails. So I am going to prepare a piece of
research report, which will give more ways of how to protect against and stay away from phishing.

ABSTRACT

Phishing is a model problem for illustrating usability concerns of privacy and security because
both system designers and attackers battle using user interfaces to guide (or misguide) users.
We propose a new scheme, Dynamic Security Skins, that allows a remote web server to prove
its identity in a way that is easy for a human user to verify and hard for an attacker to spoof.
We describe the design of an extension to the Mozilla Firefox browser that implements this
scheme. We present two novel interaction techniques to prevent spoofing. First, our browser
extension provides a trusted window in the browser dedicated to username and password
entry. We use a photographic image to create a trusted path between the user and this window
to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the
remote server to generate a unique abstract image for each user and each transaction. This
image creates a "skin" that automatically customizes the browser window or the user interface
elements in the content of a remote web page. Our extension allows the user's browser to
independently compute the image that it expects to receive from the server. To authenticate
content from the server, the user can visually verify that the images match. We contrast our
work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a
very low burden on the user in terms of effort, memory and time. To authenticate himself, the
user has to recognize only one image and remember one low entropy password, no matter how
many servers he wishes to interact with. To authenticate content from an authenticated server,
the user only needs to perform one visual matching operation to compare two images.
Furthermore, it places a high burden of effort on an attacker to spoof customized security
indicators.
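The mutual authentication the abstract describes, written out as an added example (not the Dynamic Security Skins extension's own code): the browser and the server run the Secure Remote Password protocol (assumed here as the underlying key exchange, following references 18 and 19 below) to reach a shared key without the password ever being sent, and each side then derives the same per-transaction "skin" from that key, so the browser can compute the image it expects and compare it with what the server shows. A phishing server that copied the page but does not hold the stored verifier cannot produce a matching skin. The skin is represented as a list of RGB cells rather than a rendered image, and the group is the 1024-bit one from RFC 5054; both are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8          # 128 bytes


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires before hashing."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))                       # SRP-6a multiplier


def private_x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str):
    """Registration: the client sends (salt, verifier v = g^x); the server
    stores v and never sees the password itself."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def client_key(username, password, salt, a, B) -> bytes:
    """Browser side: session key K from its private a and the server's B."""
    if B % N == 0:
        raise ValueError("invalid server public value")
    x = private_x(username, password, salt)
    A = pow(g, a, N)
    u = H(pad(A), pad(B))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_public(v, b) -> int:
    return (k * v + pow(g, b, N)) % N


def server_key(v, b, A, B) -> bytes:
    """Server side: the same K, derived from the stored verifier v."""
    if A % N == 0:
        raise ValueError("invalid client public value")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def skin(K: bytes, transaction_id: str, cells: int = 16):
    """Deterministic abstract image (list of RGB triples) for one transaction.
    A real implementation would feed this seed to a visual-hash renderer."""
    seed = hmac.new(K, transaction_id.encode(), hashlib.sha256).digest()
    pixels = []
    for i in range(cells):
        h = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        pixels.append((h[0], h[1], h[2]))
    return pixels


def run_transaction(username, password, salt, v, transaction_id, impostor=False):
    """One login. Returns (skin the browser expects, skin the server shows).
    With impostor=True the server is a phishing site that copied the page but
    does not hold v, so it has to use a guessed verifier (constructed case)."""
    a = secrets.randbelow(N - 2) + 1
    b = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    v_used = pow(g, secrets.randbelow(N - 2) + 1, N) if impostor else v
    B = server_public(v_used, b)
    expected = skin(client_key(username, password, salt, a, B), transaction_id)
    served = skin(server_key(v_used, b, A, B), transaction_id)
    return expected, served
```

The user compares only one image per transaction, and a wrong password on the user's side also produces a mismatch, which is the low-burden property the abstract claims.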
LITERATURE REVIEW

Research on phishing can be categorized into two groups: technical research and phenomenal
study. In technical research, most researchers focus on the development of new anti-phishing
tools to combat phishing attacks. Recent research products include Dynamic Security Skins
[12], Web Wallet [11], TrustBar [2], and AntiPhish [5]. Though many innovative anti-phishing
products exist, not many of them are adopted by e-commerce companies, and it was
observed that some banks were not well prepared against, or even unaware of, phishing at all
[1].

Another stream of phishing research focuses on phenomenal study. Social engineering skills,
lack of knowledge, visual deception, and lack of attention [12, 14] were found to be critical
factors in the success of phishing attacks. Nevertheless, the analysis of indirect financial loss is
scarce in the phishing literature. This research may help to fill that gap. We hope to
raise the awareness of e-commerce companies so that they understand the seriousness of phishing,
adopt better anti-phishing measures to deter the crime, and minimize the potential indirect
loss due to the threat.

To study the indirect impact of sudden events, the field of Management of Information
Systems (MIS) has a number of studies that use the event study methodology to analyze the
change in market value of companies caused by such events. Dos Santos et al. first used the
methodology to analyze the impact of IT investment on firm value in the field of MIS [4]. The
study was later refined by Im et al. [8]. The same research methodology was also applied to
e-commerce announcements [10] and denial-of-service attacks [3]. Our research uses the same
methodology adopted by Dos Santos et al. but applies it in a different context, to analyze the
impact of phishing announcements on firm value.

Methodology

APWG continues to refine and develop our tracking and reporting methodology and to
incorporate new data sources into our quarterly reports. We have reinstated the tracking and
reporting of unique phishing reports (email campaigns) in addition to unique phishing sites.
An email campaign is a unique email sent out to multiple users, directing them to a specific
phishing web site (multiple campaigns may point to the same web site). APWG counts as
unique phishing report emails those in a given month that share the same subject line.

APWG also tracks the number of unique phishing websites. This is now determined by the
unique base URLs of the phishing sites. APWG additionally tracks crimeware instances
(unique software applications, as determined by the MD5 hash of the crimeware sample) as well
as unique sites that are distributing crimeware (typically via browser drive-by exploits).

DATA SAMPLING:

With this edition the APWG supplements the data sets utilized in establishing trend lines for
the numbers of brands under phishing attack as well as the concentration of those attacks
in targeted industrial sectors, incorporating phishing attack data from APWG member and
phish attack data correspondent MarkMonitor. The APWG Phishing Activity Trends Report is
incorporating specifically the company’s ‘Unique Brand’ data and attack data delineating
industry sectors targeted in those phishing attacks.

Procedures

-> Tools

The following lists information about anti-phishing toolbars (in alphabetical order). The information was
gathered from various technical publications (thanks go to PCMag and eWeek). I did not test
all of the products.

Cloudmark SafetyBar:
Another good option for less-techie users, the Cloudmark SafetyBar, also supports only
Internet Explorer. Cloudmark characterizes sites using green happy, red sad, and yellow
neutral faces, and users can block and unblock individual pages. The ratings are based on the
consensus of the community of Cloudmark users, under which each user has a reputation.
Your reputation is based on the extent to which your ratings correspond to the consensus.

EarthLink Toolbar:
Users who are less sophisticated may be better served by the EarthLink Toolbar, which is also
available rebranded through third parties such as Equifax. The toolbar, which supports only
Internet Explorer, also includes a pop-up blocker. When you visit a site you get a green
thumbs-up, a red thumbs-down, or a "neutral" indicator. EarthLink maintains its own list of
known phishing sites, and if you attempt to visit one you will instead be brought to a page
with warnings and explanations. If you're suspicious, you can view a page analysis, similar to
Netcraft's, which looks at technical characteristics to see if the page exhibits phishing-like
behavior.

FraudEliminator: (from homepage description)
FraudEliminator Pro is a toolbar for Internet Explorer or Firefox that warns you if the web site
you're visiting is not what it seems. When you visit a known fraudulent site it will alert you
with a popup. It can also alert you to sites with questionable features such as status bar
misdirection or URLs that contain IP addresses. For every site you visit it displays the country
of origin and date the domain was created – hovering the mouse over this information
displays full WHOIS data in a popup window. A free version is available with less-frequent
database updates.

Netcraft Toolbar:
It is now available for both Microsoft Internet Explorer and Firefox. It has compiled a list of
known phishing sites from its own survey data and from user input. Users are encouraged to
report sites, and a menu option on the toolbar makes it easy. If you attempt to visit a known
phishing site, the toolbar will block it and warn you. With other sites the toolbar includes a
"risk rating" indicator that slides from green to red, based on technical factors in the page that
may be typical of phishing. A nice feature of the Netcraft toolbar is the historical database. It
will show how long the site you're viewing has been monitored. If you think you are going to
Paypal but the site is new, that's a clue that it's not really Paypal. And you can see the country
in which the site is running (hint: Paypal.com is not hosted in South Korea) and the site's
network provider.
The Netcraft Toolbar provides great information but is better suited to more savvy users, who
will also appreciate the research links available through its menus. Some third parties,
including banks, rebrand the Netcraft Toolbar as their own.

Two other toolbars are more limited but are useful nonetheless:
SpoofStick: for IE or Firefox—makes it easier to spot a spoofed Web site by prominently
displaying the actual domain name of the site. Where phishing sites may use tricks to conceal
the actual domain name, SpoofStick will state clearly "You're on pcmag.com" or "You're on
123.234.221.12."

The mozdev.org TrustBar: (Firefox only) lets you know whether you are on a secure Web
site. It also displays the name that signed the certificate and the certificate authority, if any,
that issued the certificate.

Analysis

Phishing Email Reports and Phishing Site Trends – 4th Quarter 2009

More Brands Under Attack Than Ever Before, Hitting Record High in Q4 2009

Top Phishing Regions

No.  Region          Rate [%]
1    North America     44.44%
2    Europe            41.67%
3    Asia               5.56%
4    Oceania            2.78%
5    Eurasia            2.78%

Statistical Highlights for 4th Quarter, 2009

                                                        October   November   December
Number of unique phishing email reports
  received by APWG from                                  33,254     30,490     28,897
Number of unique phishing web sites detected             46,522     44,907     46,190
Number of brands hijacked by phishing campaigns             356        306        249
Country hosting the most phishing websites                  USA        USA        USA
Contain some form of target name in URL                  67.49%     40.09%     42.14%
No hostname; just IP address                              0.34%      0.38%      1.65%
Percentage of sites not using port 80                     0.03%      0.05%      0.15%
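The counting rules from the Methodology section and the three per-site indicators in the table above, applied to a constructed month of reports as an added example (not APWG's own tooling). The sample reports, the brand list and the reading of "unique base URL" as scheme, host and path without the query string are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed month of reports: (email subject line, URL the email links to).
REPORTS = [
    ("Your ExampleBank account has been suspended",
     "http://examplebank.com.secure-login.example/verify?id=1"),
    ("Your ExampleBank account has been suspended",
     "http://examplebank.com.secure-login.example/verify?id=2"),
    ("Action required: confirm your details", "http://203.0.113.7/ebank/login.php"),
    ("PayPal: unusual sign-in activity", "https://update-account.example:8443/paypal/"),
    ("Re: invoice", "http://www.example.net/~user/signin/"),
    ("Action required: confirm your details", "http://198.51.100.22:8080/examplebank/"),
    ("Security notice", "http://examplebank-online.example/index.html"),
]
TARGET_BRANDS = ("examplebank", "paypal")   # constructed brand list


def base_url(url: str) -> str:
    """Scheme, host[:port] and path, with query and fragment dropped
    (assumption: this is how 'unique base URL' is interpreted here)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def unique_campaigns(reports) -> set:
    """APWG rule quoted above: one campaign per distinct subject line."""
    return {subject for subject, _ in reports}


def unique_sites(reports) -> set:
    """APWG rule quoted above: one site per distinct base URL."""
    return {base_url(url) for _, url in reports}


def is_ip_host(host: str) -> bool:
    """True when the URL has no hostname at all, only an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def effective_port(url: str) -> int:
    """Explicit port if given, otherwise the scheme default."""
    p = urlsplit(url)
    if p.port is not None:
        return p.port
    return 443 if p.scheme == "https" else 80


def site_indicators(sites, brands=TARGET_BRANDS) -> dict:
    """The three per-site indicators from the quarterly table, as counts and
    percentages of all unique sites (rounded to two decimals like the table)."""
    total = len(sites)
    ip_only = sum(is_ip_host(urlsplit(u).hostname or "") for u in sites)
    non_80 = sum(effective_port(u) != 80 for u in sites)
    branded = sum(any(b in u.lower() for b in brands) for u in sites)

    def pct(n):
        return round(100.0 * n / total, 2) if total else 0.0

    return {
        "sites": total,
        "ip_only": (ip_only, pct(ip_only)),
        "non_port_80": (non_80, pct(non_80)),
        "target_name_in_url": (branded, pct(branded)),
    }
```

Two reports with the same subject but different query strings collapse to one campaign and one site, which is why campaign and site counts in the table differ from raw report counts.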

Scanning and Sampling Methodology:

Panda Labs gathers data from millions of computers worldwide through its scanning
service to give a statistically valid view of the security situation at the desktop. The
scanned computers belong to both corporate and consumer users in more than 100
countries. Though the scanning system checks for many different kinds of potentially
unwanted software, for this report Panda Labs has segmented out ‘Downloaders’ and
‘Banking Trojans/Password Stealers’, as they are most often associated with financial
crimes such as automated phishing schemes.

Result

open emails that are from people you don’t know. Set your junk and spam mail filter to deliver
only content from those in your address book.
2. Sidestep those links: What happens if your spam filter is fooled into delivering junk mail to
your inbox, and you happen to open it? Simple – NEVER click on links embedded in your email.
3. Guard your privacy: Your mouse just happened to move over the link and lo and behold,
you’re transported to another website where you’re asked to provide sensitive information like
user names, account numbers, password and credit card and social security numbers. Just one
word for you - DON’T.
4. Fear Not: More often than not, these phony websites come with threats or warnings that your
account is in danger of being deactivated if you don’t confirm your user information, or that the
IRS is due to pay you a visit if you don’t comply with what’s written on the page. Just IGNORE
them.
5. Pick up the phone and call: If you are in doubt that it just may be a legitimate request, and
that your bank is actually asking you to reveal sensitive information online, CALL your customer
service representative before you do anything foolhardy.
6. Use the keypad, not the mouse: TYPE in URLs instead of clicking on links to online shopping
and banking sites that typically ask for credit card and account numbers.
7. Look for the lock: Valid sites that use encryption to securely transfer sensitive information are
characterized by a lock on the bottom right of your browser window, NOT your web page. They
also have addresses that begin with https:// rather than the usual http://.
8. Spot the difference: Sometimes, just the presence of the lock alone is proof enough that the
site is authentic. To verify its genuineness, double-click the lock to display the site’s security
certificate, and CHECK if the name on the certificate and the address bar match. If they don’t
you’re on a problem site, so get the hell out of there.
9. Second time right: If you’re worried that you’ve reached a phishing site that’s masquerading
as your banking page, sometimes the easiest way to check is to enter a WRONG password. The
fake site will accept it, and then you’re usually redirected to a page that says they’re having
technical difficulties, so could you please check back later? Your original banking site will not
allow you entry.
10. Different is the keyword here: Use DIFFERENT passwords for different sites; I know it’s a
tough ask these days when most functions of the brain are being passed on to technology, but
this is a good way to prevent phishers from getting at all your sensitive transactions, even if
they’ve managed to compromise one.
11. Keep your eyes open: A spam email is littered with grammatical errors, is generally not
personalized, and usually has either some link or a suspicious attachment. RECOGNIZE and
report them as spam.
12. Familiarity breeds contempt: Not sure that you can spot a phisher’s email when you receive
one? Well, take a LOOK at these and you’ll know how they’re generally framed. By and by, you’ll
learn how to spot the fake ones.
13. Greed doesn’t pay: NEVER be taken in by offers of money for participating in surveys that
ask for sensitive information. These are always fraudulent attempts to get hold of your personal
details. You may get the $20 that’s promised, but there’s also a high probability that you may find
your account cleaned out.
14. No stepping out: Do not leave your computer UNATTENDED when logged into your bank
account or when you’ve provided credit card information on a shopping site.
15. Proper exits count: Once you’ve finished your business, LOG OUT properly instead of just
closing the browser window, especially if you’re using a public terminal.
16. You can never be too careful: LOG INTO your bank account on a regular basis and keep
tabs on your money. You don’t want to wake up one fine day and find that a phisher’s been
siphoning off a few hundred dollars every now and then.
17. A little knowledge is not dangerous: Keep yourself up to date with the latest news and
INFORMATION on phishing.
18. Hard evidence: Be very careful when disposing of old computers and hard disks. Recycled
computers have been found to retain confidential information pertaining to Internet banking. Use
software to ERASE and over-write data on your hard disk to ensure that it is not recoverable.

For business as usual…

19. I know him, or do I? Beware of SPEAR PHISHING – when your corporate account is
compromised and emails soliciting private information reportedly come from your colleagues or
higher-ups, it’s better to call the person concerned and verify the authenticity of the email.
20. Peruse those records: As part of a business organization, there’s much you can do to
prevent phishers from compromising your firm’s security. Set up firewalls and get your anti-
virus systems in place. MONITOR the logs from your DNS and proxy servers, firewalls and
other intrusion detection systems on a regular basis to check if you’ve been infected.
21. Policy is the best policy: Set strict POLICIES for the creation of passwords for your clients,
servers and routers, and ensure that your personnel follow them diligently.
22. No intruding: Establish intrusion detection and prevention systems that protect your network
content and prevent the sending and receipt of phishing emails. Protect your GATEWAY with anti-
phishing and anti-virus tools and firewalls.
23. Watch the company you keep: Maintain a list of approved DEVICES that are allowed to
connect to your firm’s network.

Taking technology on your side…

24. It’s a matter of trust: An important question is, can you trust the site’s certificate to be
authentic? VeriSign was guilty of issuing security certificates to sites that claimed to be part of
Microsoft not so long ago. The latest versions of browsers, IE 7 and Opera 9, will soon be able to
provide users with EV SSL (Extended Validation SSL) certificates that assure them of being on a
genuine site. The address bar shows green for the good guys and red for the doubtful ones.
25. From phishers with greed: Emails can also be spoofed. The only way you can be sure they
are not is to use clients that support S/MIME digital signatures. First check if the sender’s
address is correct, and then look for the digital signature. This is a pretty effective anti-phishing
tactic, as the signature is generated by the client after the mail has been opened and
authenticated, and because it’s based on robust cryptographic techniques.
26. Keep up or else: Make sure your operating system and browsers are UPDATED regularly.
Check for the latest patches and apply them immediately.
27. Build that fence: PROTECT your computer with effective anti-virus and anti-spam software,
and set up firewalls to keep those sneaky Trojan horses out. They are capable of the worst kind of
phishing – installing surreptitious key-logging software on your system that captures all your
keystrokes and transports them to the crooks in some unknown location. What’s worse is that the
infection spreads from your PC to other systems on your network, till all the computers are
compromised.
28. Two are better than one: Use two-factor authentication to log on to sensitive sites. The
COMBINATION of a software token like a password and a hardware device like an ATM card
makes it doubly hard to crack open an account with just one or none of the two verification factors.
29. Step by step: It’s harder for phishers to gain access to your password if you SPLIT the login
process into two phases – entering your user ID in the first and other credentials in the second.
The process is even more secure when you enter identification details in the second phase only if
the input window is personalized in some way, for example, if an image explicitly selected by you
is displayed.
30. Not just a token: Consider using an ID Vault USB TOKEN that encrypts all your user ids and
passwords and stores them on a flash drive, which can then be used to securely log onto
websites. Most tokens come with a list of legitimate sites and also prevent key-logging software
from working effectively. The device itself is password-protected, so thieves have an added layer
of encryption to tackle.
31. Hashing to confuse: Software plug-ins are joining in the fight against phishing, an example
being the PwdHash, or password HASH tool developed by two Stanford professors that
scrambles any password you type, and creates a unique sign-on for each site you visit. Even if
phishers are given a password, it’s the wrong one.
32. I spy no spies: Another application developed along the lines of PwdHash, and also created
by the same two Stanford professors, the SPYBLOCK tool prevents Trojan horse key-logging
programs from stealing your passwords.
33. Extending protection: Browser extensions like Antiphish used as a plug-in by Mozilla’s
Firefox offer protection against phishing attacks by maintaining LISTS of passwords and other
sensitive information, and issuing warnings when users type this information on fishy sites.
34. Framing policies: Banks and online business houses would do well to use the open-source
SPF (Sender Policy Framework) standard, which prevents email addresses from being spoofed by
listing the servers that are allowed to send mail.
35. Taking on trust: As an alternative, they could use a TRUST SERVICE like GeoTrust’s True
Site that allows customers to verify a website’s authenticity.

Prospective protection against phishing…
36. Sending positive signals: New technologies like the Sender ID Framework (SIDF) are
joining in the fight against spoofing websites by verifying the source of each email. In the pipeline
from Microsoft and CipherTrust.
37. Not barring trust: TrustBars, which are secure and tamper-proof components of browsers,
allow VISUALIZATION of information related to sites. Users are alerted by visible warnings when
there is a discrepancy in the visualization on the bar.
38. Slow down those attacks: Another technique, Delayed Password Disclosure (DPD),
protects against pop-up windows that ask for sensitive details (aptly termed doppelganger
window attacks). It works against phishing attacks by having users enter passwords letter by letter,
each one only after a corresponding image is recognized.
39. Proof positive: Websites that wish to prove they are authentic can use HTML extensions
called PROOFLETS to enhance a server’s contents. These are verified by browsers through the
use of special web services.

Alternative approaches…
40. Mobility in scams: As consumers wise up to their scams, phishers are moving on to
newer media. Mobile phones, a necessity in today’s world, are the latest
targets. Text messages purporting to originate from your bank warn you that unless you confirm
your account information, it will be deactivated. IGNORE these messages; they are always spam.
41. Voicing doubts: Another hot sphere of activity, VoIP technology, is being harnessed as a
phishing tool with alarming regularity. The crooks find it COST-EFFECTIVE to make numerous
calls and earn a sum well above the incurred expenses. This is doubly dangerous because
people who would look at an email with suspicion generally tend to believe phone calls.

Make a difference…
42. Join the fight: If you come across a phishing scam, REPORT it at once to the Anti-Phishing
Working Group, the U.S. Federal Trade Commission (FTC) and the FBI through the Internet
Fraud Complaint Center, all of which work to shut down phishing sites and catch those
responsible.
43. Say goodbye: If any of your accounts have been compromised, CLOSE them at once.
44. Change is good: If you even suspect that any one of your passwords has gone into the
wrong hands, CHANGE all your passwords and PIN numbers on online accounts immediately.
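Items 10 and 31 above (a different password for every site, and PwdHash-style hashing) in code, as an added example that is not the Stanford PwdHash tool: the browser derives the password actually submitted from the user's master password and the site's registrable domain, so the value typed into a look-alike phishing domain is not the value that works at the real site. HMAC-SHA256 in place of the original tool's HMAC-MD5 and the simplified two-label domain rule are assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Simplified rule (assumption): keep the last two labels of the host, so
    www.examplebank.com and examplebank.com derive the same password.  A real
    tool uses a public-suffix list to handle names such as example.co.uk."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def site_password(master: str, url: str, length: int = 16) -> str:
    """Site-specific password = HMAC(master, domain), made printable and
    forced to contain a digit and an upper-case letter for typical site rules."""
    domain = registrable_domain(url)
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    out = base64.b64encode(digest).decode().rstrip("=")[:length]
    # Deterministic fix-ups so the same site always gets the same string.
    if not any(c.isdigit() for c in out):
        out = str(digest[0] % 10) + out[1:]
    if not any(c.isupper() for c in out):
        out = out[:-1] + chr(ord("A") + digest[1] % 26)
    return out


def phished_password_is_useless(master: str, real_url: str, phish_url: str) -> bool:
    """True when what a phishing page would capture differs from the real
    site's password, i.e. the captured value cannot be replayed there."""
    return site_password(master, phish_url) != site_password(master, real_url)
```

The master password never reaches any site, and a captured per-site value is only good for the domain it was derived for.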

Discussion

Conclusion

If you received an E-mail message from your bank saying that your checking account was overdrawn because of a check
that you didn’t write, what would you do? Before you answer, it’s important to realize that you may not really be
overdrawn and that there is a good chance that someone is trying to scam you. In this article, I will explain exactly how
this type of scam works and how to avoid being a victim.

Imagine that tomorrow morning, you get up out of bed and check your E-mail. There is a message from your bank
indicating that you are overdrawn on your checking account because a check that you wrote for $2457.83 bounced. You
don’t remember writing a check for this amount. What do you do?

Hopefully, you answered that you would call the bank rather than logging onto the bank’s Web site to check out the
problem for yourself. The situation that I just described is known as a Phishing (pronounced fishing) scam. Here’s how it
works.

The person who is initiating the scam sends an E-mail to millions of people. The E-mail message is designed to appear
to come from a bank, Internet Service Provider, online auction company, or from anyone else that you could potentially
have regular business dealings with. The From header on the message is spoofed, and the message is designed to look
as official as possible. The message’s sole purpose is to gather information.

Let’s go back to my earlier example in which a message allegedly came from your bank indicating that your account is
overdrawn because of a check that you didn’t write. The vast majority of the people who receive the message don’t even
use the bank that the message claims to be from. In this case though, the message just happens to appear to be from
the bank that you use. Because the message appears to be related to a serious matter involving your bank, the person
initiating the scam now has your attention.

Typically, such a message will urge you to take action and will provide a link to the bank’s Web site and / or the bank’s
phone number. Although the phone number may or may not actually be the bank’s phone number, the Web site URL is
never legitimate even if it appears to be legitimate.

Sometimes a person involved in a Phishing scheme will put the bank’s actual phone number in the E-mail in hopes of
making the message seem more authentic. Other times though, they will put another number and have someone just
waiting for calls from panicked bank customers. This person will typically ask the person who is calling for an account
number, a PIN number, and any other information that might be useful, such as a social security number or birth date.
The phony bank employee will then pretend to solve the problem while you are on the phone. In actuality though, the
problem is just beginning. You weren’t actually overdrawn on your checking account, and now you have given your
account information directly to a thief who can use it to clean out your bank account or to launch other identity theft
scams.

As you can imagine, countless people fall victim to Phishing scams each year. These scams end up costing the victims
millions of dollars. In this article, I have explained how to spot and avoid being victimized by this type of scam.
REFERENCES:

1. C. M. Leung and I. Bose, "Assessing anti-phishing preparedness among Singapore banks," in International Multiconference of Engineers and Computer Scientists 2007, Hong Kong, 2007, pp. 1020-1025.

2. Herzberg and A. Gbara, "TrustBar: Protecting (even naïve) web users from spoofing and phishing attacks," 2004.

3. Hovav and J. D'Arcy, "The impact of denial-of-service attack announcements on the market value of firms," Risk Management and Insurance Review, vol. 6, p. 97, 2003.

4. L. Dos Santos, K. Peffers, and D. C. Mauer, "The impact of information technology investment announcements on the market value of the firm," Information Systems Research, vol. 4, pp. 1-24, 1993.

5. E. Kirda and C. Kruegel, "Protecting users against phishing attacks with AntiPhish," in Proceedings of the Twenty-ninth Annual International Conference on Computer Software and Applications, 2005, vol. 2, pp. 517-524.

6. GSI Commerce, "GSI E-Commerce Solutions reports net revenue growth," GSI Commerce, 2007.

7. Bose and A. C. M. Leung, "Unveiling the mask of phishing: Threats, preventive measures, and responsibilities," Communications of the Association for Information Systems, vol. 19, pp. 544-566, 2007.

8. K. S. Im, K. E. Dow, and V. Grover, "Research report: A reexamination of IT investment and the market value of the firm - An event study methodology," Information Systems Research, vol. 12, p. 103, 2001.

9. M. Jakobsson and S. Myers, Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Hoboken, N.J.: Wiley-Interscience, 2007.

10. M. Subramani and E. Walden, "The impact of e-commerce announcements on the market value of firms," Information Systems Research, vol. 12, p. 135, 2001.

11. M. Wu, R. C. Miller, and G. Little, "Web Wallet: Preventing phishing attacks by revealing user intentions," in Proceedings of the Second Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, 2006, pp. 102-113.

12. R. Dhamija and J. D. Tygar, "The battle against phishing: Dynamic Security Skins," in Proceedings of the 2005 Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, 2005, pp. 77-88.

13. S. Carter, "Scam artists are phishing for your information," in Warricknews, 2007. Available: http://www.tristatemedia.com/articles/2007/05/02/warricknews/editorial/01carter.txt

14. T. Jagatic, N. Johnson, M. Jakobsson, and F. Menczer, "Social phishing," Communications of the ACM, vol. forthcoming, pp. 1-10, 2006.

15. Verisign, Verisign Secured Seal Program. http://www.verisign.com/products-services/security-services/secured-seal/

16. Visa, Verified by Visa. http://www.visa.com/

17. Waterken Inc., Waterken YURL Trust Management for Humans. http://www.waterken.com/dev/YURL/Name/

18. T. Wu, "SRP-6: Improvements and refinements to the Secure Remote Password protocol," submission to the IEEE P1363 Working Group, 2002.

19. T. Wu, "The Secure Remote Password protocol," in Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium, San Diego, CA, 1998, pp. 97-111.

20. Zishuang (Eileen) Ye and Sean Smith, "Trusted paths for browsers," in Proceedings of the 11th USENIX Security Symposium, pp. 263-279, August 5-9, 2002.
