
An Analysis of the Origins, Factors, and the Countermeasures of Cyber Terrorism and other Cyber Security Threats

CISB 32-A

FINAL PAPER

SUBMITTED TO : MR. LARRY C. REGENCIA

SUBMITTED BY : GEANETTE V. CATACUTAN


Table of Contents

I. History of Phishing
II. Background of Phishing
    What is Phishing?
    How does Phishing work?
    Who are some of the common targets for Phishing attacks?
    How frequent are these attacks happening?
    What are the effects of Phishing on each domain?
III. Ethical Stand
    What are the risks faced by victims?
IV. Prevention
    Simple Steps To Protect Yourself From Phishing
    Internet Security Software: A Stronger Defense
V. References
VI. Notes

I. History of Phishing

Before mid-2003, most phishing scams arrived in text-heavy e-mails. They were rife with
spelling errors and poor grammar that tipped recipients off. But phishers are honing their
writing and design skills, creating messages that are more difficult to discern as forgeries. Here
is a brief timeline of the development of phishing:

September 2003:

• E-mail fraudsters register dozens of lookalike domain names, such as yahoo-billing.com and
ebay-fulfillment.com. They also create Web sites that contain the names of well-known
companies and brands like microsoft.checkinfo.com.

October 2003:

• Phishers embed Web site designs into their e-mails, complete with stolen logos from the
targeted company and return addresses that are "spoofed" or faked so that they appear to come
from the company.

• Virus writers release "Mimail" e-mail worms targeting customers of the online payment
service PayPal, an eBay subsidiary. The recipients are asked to update their credit card
information via a Web page that closely mimics the design of PayPal's member services page.
Later versions demand a Social Security number, date of birth and mother's maiden name --
three pieces of data that financial companies rely on most to verify their customers' identities.

December 2003:

• New attacks include a link to a legitimate banking Web site in the background, but a fake
"login" box placed in front of the real site. Experts say this method is particularly convincing
because the legitimate site and the pop-up appear to be from the same source.

• Reports of e-mail fraud and phishing attacks surge more than 400 percent over the holidays,
according to the Anti-Phishing Working Group.

January 2004:

• After giving up personal and financial information on a phishing site, the victim is redirected to
the real homepage of the company being targeted. Experts say this psychological trick helps
erase doubts that victims may harbor about the veracity of the experience and allows more
people to be swindled. This tactic is a standard feature of scams today.

• New scams impersonate the Department of Homeland Security, the Internal Revenue Service
and the Federal Deposit Insurance Corporation.

February 2004:

• Several scams emerge that submit stolen username and password information to a real site to
verify its authenticity. If the phished data fails to generate a successful login, the victim is
prompted to enter a valid user name and password.

April 2004:

• Phishers devise a new way to dress up what is typically the weakest part of their scams: the
dubious Internet addresses that appear in the victim's Web browser when he or she clicks on
the link in a phishing e-mail. Novel programming tricks alter the appearance of the victim's
address bar by replacing the URL of the phishing site with that of the company being
impersonated.

June 2004:

• Phishers use information available to legitimate merchants to check whether stolen credit card
numbers are valid for customers of the targeted bank or credit card company.

• Hundreds of public Web sites are infiltrated by a new virus capable of stealing passwords,
credit card numbers and other personal information when someone visits an infected site. Once
inside a victim's computer, the virus waits until that person visits banking sites, then launches a
pop-up window that requests private account information.

• Research and analysis company Gartner Inc. reports that phishing scams cost businesses and
consumers roughly $2.4 billion during the previous year. Gartner estimates that 57 million U.S.
adults have received a phishing e-mail, and that 1.8 million of them handed over personal
information.

July 2004:

• E-mail scammers send phishing messages via America Online's Instant Messenger (AIM)
program.

August 2004:

• Phishers send e-mails impersonating the Web site of Massachusetts Sen. John F. Kerry's (D)
presidential campaign, intending to skim online campaign contributions.

October 2004:

• Scammers open legitimate-looking fake online pharmacies, banks, and mortgage-and-loan
firms to steal credit card numbers. Online security company Websense reports that these
advanced scams now outnumber standard fly-by-night phishing sites.

II. Background of Phishing

Many of us believe that cyber security threats are made by expert hackers using complicated
methods that are hard to discern. But most cyber criminals actually have an easier way to obtain
information from the users. They don’t really bother to get into heavily secured sites and
complex security systems because they have a much more convenient way of stealing
information. Phishing is a rising security threat. It is deemed to be easy to do and can trick a lot
of people.

What is Phishing?

Phishing scams are fraudulent attempts by cybercriminals to obtain private information.
They often take the form of e-mail messages designed to appear as though they come from
legitimate sources. Phishing is easy to execute and produces results with little effort. A fake
website designed to look almost exactly like the real one is one form of phishing attack: the idea
is to trick the user into entering their username and password into a counterfeit login form,
which exists only to steal the victim's identity. Every form submitted on the phishing site goes
not to the real server but to a server the attacker controls.

For example, the message would try to lure you into giving your personal information by
pretending that your bank or email service provider is updating its website and that you must
click on the link in the email to verify your account information and password details.

Phishing appears in the form of fake emails, text messages and websites created to look like
they're from authentic companies. They're sent by criminals to steal personal and financial
information from you. This is also known as “spoofing”.

According to Wombat Security’s 2016 State of the Phish report, not only are more
organizations falling victim to phishing attacks, the number and sophistication level of the
attacks they’re experiencing has gone up. Two-thirds of the organizations they studied reported
experiencing attacks that were targeted and personalized (spear phishing attacks), up 22
percent from the year before. (Wombat Security) See on page 15

Considering the success rate of phishing, perhaps it's no surprise malicious email
attachments and links are two of the top three malware delivery mechanisms of choice for
attackers. That makes email filtering and user education both smart security investments.
(Verizon 2016 DBIR) See on page 15

How does Phishing work?


Hyperlinks: When you hover over a link in an email, the full, genuine URL should appear as a
tooltip. If this link doesn’t match what is written in an email, then there is something suspicious
about it and you shouldn’t go any further.

HTTPS: Banks and other organizations that store personal details should be conducting
Internet transactions (whether monetary or information) with a secure connection. If you are
taken via an email to your bank website and the URL in the address bar doesn’t show https://
then you need to close the window.

Grammar, old logos, bad disguise: If you’re looking for something to prove that the website or
email is fake, you will usually find it. The most common errors that the cyber criminals make
are related to poor English grammar. Banks and credit card companies have whole departments
dedicated to ensuring that anything issued is worded correctly in order to maintain the image
of the organization.

Who are some of the common targets for Phishing attacks?

Phishing used to be an exotic threat, but that was years ago when malicious worms dominated
the arena. Much has changed since then, and today phishing routinely hits hard – especially
businesses.

The single purpose is to steal something. Usually it’s data, preferably financial data and
credentials. Phishing is the ultimate kind of social engineering attack. Most of the original
attacks leveraging “weaknesses in human interfaces” were one-on-one attacks, effective but not
scalable. Phishing gives the criminals scale and the ability to go after hundreds or thousands of
users, all at once.

Cybercriminals create fake emails and websites, meant to look like a popular online resource (a
social network, online banking services, or online games; the latter are drawing more and more
interest from criminals) and use various social engineering methods to lure users to the website
and make them fill out forms with their personal data. If users do so, the criminals have them.

For years, phishers have increasingly attacked financial services, reaching for other people’s and
businesses’ money, and phishing in general is undergoing a sort of “commercialization”: tools
to commit crime are actively bought and sold.

Of course, commercial companies are more interesting targets, but to reach corporate funds
criminals have to phish certain employees, preferably high-level ones. Ideally, attackers
would take on accounting or financial officers. That is not always possible, so they simply cast a
wide net and hope that someone gets caught.

How frequent are these attacks happening?

It is estimated that businesses in the United States lose $2 billion dollars per year when their
clients are targeted by phishing scams. Meanwhile 3.6 million adults in the USA were conned
out of $3.2 billion between August 2006 and August 2007; figures like these are expected to rise.

According to a recently released report, based on a sample of 3 million users collected over a
period of 3 months, approximately 45% of the time, users submitted their login information to
the phishing site they visited.

The study, exclusively monitored users who successfully reached a live phishing site that was
not blocked by their browser's built-in anti-phishing protection or filtered as fraudulent one
(Phishing experiment sneaks through all anti-spam filters), and found out that on average, 12.5
out of one million customers sampled for a particular bank, visited the phishing site.

Some findings include:

• 45% of bank customers who are redirected to a phishing site divulge their personal
credentials
• 0.47% of a bank’s customers fall victim to phishing attacks each year, which translates to
between $2.4M and $9.4M in annual fraud losses (per one million online banking clients)
• Each financial institution was targeted, on average, by 16 phishing websites per week
• This translates to 832 phishing attacks per year per brand

What are the effects of Phishing on each domain?

The latest Anti-Phishing Working Group (APWG) Global Phishing Survey, which analyzed
over 100,000 phishing attacks in the first half of 2014, examines the progress that top level
domains (TLDs) are making in responding to phishing attacks that use their TLDs.

The report finds the .INFO domain has the lowest average phishing uptimes as compared to
other TLDs, such as .COM and .NET. See on page 16

Key Findings

1. Apple became the world's most-phished brand in 2014
2. The introduction of new top-level domains did not have an immediate major impact on
phishing
3. Chinese phishers were responsible for 85% of the domain names registered for phishing
4. Malicious domains and subdomain registrations continue at historically high levels,
largely driven by Chinese phishers
5. The average uptimes of phishing attacks remain at historic lows, pointing to some
success by anti-phishing responders
6. The companies and brands targeted for phishing were diverse, with many new targets,
suggesting that e-criminals are looking for new opportunities in new places
7. Mass hackings of vulnerable shared-hosting providers accounted for 20% of all phishing
attacks

III. Ethical Stand

Phishing affects us all. It is one way to steal a person’s identity. These criminals extract
information from innocent citizens through phishing to access their bank details, steal identities,
launder money and more. It is difficult to spot the effects of phishing with an untrained eye.
And successful phishing affects everybody, from the bank manager to small children whose
school may be caught out by this type of scam. The effect of phishing on the economy is also
powerful, but rarely as long lasting, hard-hitting or just downright embarrassing as when they
con an individual. The criminals perpetrating these thefts are clever, and skilled at
deception. In order for phishers to wreak havoc with your personal details, they first need to
get these details from you. People who respond to phishing e-mails, and input the requested
financial or personal information into e-mails, websites, or pop-up windows put themselves
and their institutions at risk.

What are the risks faced by victims?


Personal risk

Data can be used to access a victim’s account and withdraw money or purchase merchandise or services.

Data can be used to open new bank or credit-card accounts in a victim’s name, and to use the new
accounts to cash illegitimate checks or purchase merchandise.

Data can be used to install computer viruses and worms on a victim’s computer and to disseminate
phishing e-mails to still more people.

Institutional risk

When phishers successfully obtain user credentials for some systems, they not only gain access
to the accounts that use the credentials, but they can potentially access high-value institutional
data such as social security numbers, banking information (such as direct deposit), health
information, student data, etc.

Internet or financial services companies can blacklist institutions, resulting in reputational
damage.

When an institution is blacklisted, its ability to communicate with members of the community
(prospective students, student athletes, faculty and staff; alumni, partners, friends, etc.) is
diminished.

We use the valuable time of staff members (IT, legal, HR and financial departments) to address
the issues caused by phishing and by blacklisting, rather than applying their skills to more
productive work.

Anyone who uses email can be a target for phishing scammers. Because of this, I conclude that
Phishing scams and all other security threats in general should be stopped, if possible
eradicated. People should also be made aware of these things so that they won’t fall for it and
risk their personal details and identity. In fact, this criminal method of acquiring personal data
via emails and webpages in order to fool a financial institution is a huge threat with many
consequences. Tricking people to input their personal details to steal from them is morally
wrong.

IV. Prevention

Signs of phishing include:

No signature or ‘generic’ signatures: Emails from the IST department are always signed with
the official Dawson College logo, a person’s name, and the department’s name: Information
Systems and Technology.

An invitation to click on a link to reset or validate a password/account: The IST department
never sends links to change or validate an account/password.

Ultimatum: An urgent warning attempts to intimidate you into responding without
thinking. ‘Warning! You will lose your email permanently unless you respond within 7 days’.

Incorrect URLs: Scammers may obscure URLs by using hyperlinks that appear to go to a
reputable site. Hover your mouse over any suspicious links to view the address of the link.
Illegitimate links often contain a series of numbers or unfamiliar web addresses.

Too good to be true offer: Messages about contests you did not enter or offers for goods or
services at an unbelievable price are likely fraudulent.

Style inconsistencies: Pop-up windows that claim to be from your operating system or other
software may have a different style or colors than authentic notifications.
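The signs described under "How does Phishing work?" (hover the link and compare the real URL, look for https://, watch for lookalike names such as yahoo-billing.com) and the signs listed just above (ultimatums, generic signatures, obscured URLs) can be applied mechanically to an incoming message. The following Python script is an added example written for this page; it is not code from the paper or from any product it mentions. The brand table, the urgency phrases, the signature rule and both sample messages are constructed for the demonstration, and `registrable_domain` is a deliberate simplification (last two labels of the host name) standing in for a public-suffix lookup. One caveat the paper's HTTPS sign deserves: the absence of https:// is a warning sign, but its presence is not proof of legitimacy, since a phishing site can obtain a certificate too, so the script treats https only as one check among several.

```python
"""Triage an HTML e-mail against the phishing signs listed in this paper.

Added example, not code from the paper: the brand table, the urgency
phrases and both sample messages below are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the checker knows and the domain each one really uses (constructed).
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com",
                "yahoo": "yahoo.com", "microsoft": "microsoft.com"}

# Wording typical of an ultimatum (constructed list).
URGENCY_PHRASES = ("within 7 days", "permanently", "immediately",
                   "account will be suspended", "verify your account")


class LinkCollector(HTMLParser):
    """Collect each <a> as [href, visible text] plus all text in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._open_link = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open_link = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open_link)

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_link = None

    def handle_data(self, data):
        self.text.append(data)
        if self._open_link is not None:
            self._open_link[1] += data


def registrable_domain(host):
    """Last two labels of a host name: a simplification standing in for a
    public-suffix lookup, so 'www.paypal.com' -> 'paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Return the brand a host name imitates without belonging to it, else None."""
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in host.lower() and registrable_domain(host) != real_domain:
            return brand
    return None


def triage(html_body):
    """Return a list of human-readable findings; an empty list means no sign fired."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, shown_text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        # Sign: the link text shows one address but the href points elsewhere.
        shown = re.search(r"https?://([^/\s]+)", shown_text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
        # Sign: the address bar would not show https://.
        if target.scheme != "https":
            findings.append(f"non-https link to {host or href}")
        # Sign: lookalike domain such as yahoo-billing.com or microsoft.checkinfo.com.
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"{host} imitates {brand} but is not {KNOWN_BRANDS[brand]}")
        # Sign: a bare IP address instead of a company name.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link uses a bare IP address {host}")
    body_text = " ".join(parser.text)
    # Sign: ultimatum wording.
    for phrase in URGENCY_PHRASES:
        if phrase in body_text.lower():
            findings.append(f"urgency phrase: '{phrase}'")
            break
    # Sign: no personal signature (a named person after 'regards' / 'sincerely').
    if not re.search(r"(?:[Rr]egards|[Ss]incerely),?\s+[A-Z][a-z]+ [A-Z][a-z]+", body_text):
        findings.append("no personal signature")
    return findings


# Constructed sample: lookalike domain, http only, ultimatum, generic signature.
PHISHING_EMAIL = """<html><body>
<p>Dear Customer,</p>
<p>Warning! You will lose your email permanently unless you respond within 7 days.</p>
<p>Click <a href="http://paypal-billing.com/login">https://www.paypal.com/update</a>
to verify your account.</p>
<p>Customer Service Team</p>
</body></html>"""

# Constructed sample of a message that trips none of the signs.
LEGITIMATE_EMAIL = """<html><body>
<p>Dear Alex,</p>
<p>Your statement is ready at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>
<p>Kind regards, Jane Doe</p>
</body></html>"""

if __name__ == "__main__":
    for name, mail in (("phishing", PHISHING_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, triage(mail) or ["no signs found"])
```

Run stand-alone, the script reports five findings for the constructed phishing message and none for the legitimate one. Each finding is a plain sentence on purpose: a mail gateway can act on the count, and the same sentences can be shown to the user as part of the training the paper recommends.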

Simple Steps To Protect Yourself From Phishing

Phishing tricks victims into giving over credentials for all sorts of sensitive accounts, such as
email, corporate intranets and more. Even for cautious users, it's sometimes difficult to detect a
phishing attack. These attacks become more sophisticated over time, and hackers find ways to
tailor their scams and give very convincing messages that can easily trip people up.

The first thing you can do to protect yourself when using the Internet is to employ common
sense before handing over sensitive information. When you get an alert from your bank or other
major institution, never click the link in the email. Instead, open your browser window and type
the address directly into the URL field so you can make sure the site is real.

Another major indicator of a phishing site: The message has typos and the site looks
unprofessional. Because hackers often rush to get phishing sites up, some of them will look
significantly different from the original company.

• Educate your employees and conduct training sessions with mock phishing scenarios.
• Deploy a SPAM filter that detects viruses, blank senders, etc.
• Keep all systems current with the latest security patches and updates.
• Install an antivirus solution, schedule signature updates, and monitor the antivirus
status on all equipment.
• Develop a security policy that includes but isn't limited to password expiration and
complexity.
• Deploy a web filter to block malicious websites.
• Encrypt all sensitive company information.
• Convert HTML email into text only email messages or disable HTML email messages.
• Require encryption for employees that are telecommuting.

There are multiple steps a company can take to protect against phishing. They must keep a
pulse on the current phishing strategies and confirm their security policies and solutions can
eliminate threats as they evolve. It is equally as important to make sure that their employees
understand the types of attacks they may face, the risks, and how to address them. Informed
employees and properly secured systems are key when protecting your company from phishing
attacks.

Internet Security Software: A Stronger Defense

One of the simplest ways to protect yourself from becoming a victim of a phishing scheme is to
install and use proper Internet security software on your computer. Internet security software is
vital for any user because it provides multiple layers of protection in one simple-to-manage
suite. By combining the firewall, anti-spam and anti-malware into one package, you can
provide extra backups that keep your system from being compromised if you do accidentally
click on a dangerous link.

Anti-spam software is designed to protect your email account from phishing and junk emails.
Aside from working with pre-defined blacklists created by security researchers, anti-spam
software has intelligence capabilities to learn over time which items are junk and which are not.
So while you still should be vigilant, you'll get some comfort from knowing that the software is
also filtering out potential trouble.
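The paragraph above describes the two mechanisms an anti-spam filter combines: a pre-defined blacklist and a component that learns over time which messages are junk. The script below is an added example written for this page, not code from the paper or from any vendor's product; it shows the idea in miniature with a sender blacklist checked first and a multinomial naive Bayes classifier (add-one smoothing) trained on labelled mail. The blacklist entries, the eight training messages and the two test messages are all constructed; the two blacklisted domains reuse the lookalike names from the paper's history section.

```python
"""Toy anti-spam filter: a fixed sender blacklist plus a classifier that
learns from labelled mail (multinomial naive Bayes with add-one smoothing).

Added example, not from the paper or any vendor's product. The blacklist,
the training messages and the two test messages are all constructed.
"""
import math
import re
from collections import Counter

# Pre-defined blacklist of the kind researchers publish (constructed entries).
SENDER_BLACKLIST = {"billing@yahoo-billing.com", "support@ebay-fulfillment.com"}


def tokens(text):
    """Lower-case word tokens; punctuation is dropped."""
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayesFilter:
    """Learns, from examples, which words are evidence of spam and which of ham."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """Record one message under its label ('spam' or 'ham')."""
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokens(text))

    def _log_score(self, words, label):
        vocab_size = len(set(self.word_counts["spam"]) | set(self.word_counts["ham"]))
        total_words = sum(self.word_counts[label].values())
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for word in words:
            # Add-one smoothing: a word never seen under this label must not
            # drive the whole probability to zero.
            score += math.log((self.word_counts[label][word] + 1) /
                              (total_words + vocab_size))
        return score

    def spam_probability(self, text):
        """P(spam | text), obtained from the two log scores."""
        words = tokens(text)
        log_spam = self._log_score(words, "spam")
        log_ham = self._log_score(words, "ham")
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def classify(nb, sender, text, threshold=0.5):
    """Blacklist rule first, learned model second."""
    if sender.lower() in SENDER_BLACKLIST:
        return "spam"
    return "spam" if nb.spam_probability(text) >= threshold else "ham"


# Constructed training data: what a user marks as junk versus normal mail.
SPAM_SAMPLES = [
    "Urgent: verify your account now or it will be suspended. Click here to confirm your password.",
    "Your PayPal account needs verification. Update your credit card details within 24 hours.",
    "Congratulations, you won a prize! Claim your free reward by confirming your bank details.",
    "Security alert: unusual login detected. Verify your password immediately to avoid suspension.",
]
HAM_SAMPLES = [
    "Hi team, the meeting is moved to Thursday at 10. Please bring the project report.",
    "Attached is the draft of the final paper, comments are welcome before Monday.",
    "Reminder: the library books are due next week. Thanks, Jane",
    "Lunch on Friday? Let me know if noon works for you.",
]


def build_filter():
    """Train a filter on the constructed samples above."""
    nb = NaiveBayesFilter()
    for text in SPAM_SAMPLES:
        nb.train(text, "spam")
    for text in HAM_SAMPLES:
        nb.train(text, "ham")
    return nb


# Constructed messages the filter has never seen.
PHISH_TEST = "Please verify your account password immediately or it will be suspended."
HAM_TEST = "Can we move the team meeting to Friday and review the project report?"

if __name__ == "__main__":
    nb = build_filter()
    print(classify(nb, "alerts@example.net", PHISH_TEST), round(nb.spam_probability(PHISH_TEST), 3))
    print(classify(nb, "colleague@example.org", HAM_TEST), round(nb.spam_probability(HAM_TEST), 3))
    print(classify(nb, "billing@yahoo-billing.com", HAM_TEST))
```

The blacklist catches a known bad sender regardless of wording, and the classifier catches new wording from unknown senders; that is why the paragraph above describes the two as working together rather than as alternatives. With only eight training messages the model is a demonstration, not a filter to deploy, but the same arithmetic scales to the corpora real products train on.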

Anti-malware is included to prevent other types of threats. Similar to anti-spam software, anti-
malware software is programmed by security researchers to spot even the stealthiest malware.
With ongoing updates from vendors, the software continues to become more intelligent and
better able to deal with the latest threats. By using a free anti-malware package, you can protect
yourself from viruses, Trojans, worms and more.

While technology is a rapidly evolving field, by using a security package from a reputable
security vendor, you can protect yourself from phishing and other malware threats.

V. References

VI. Notes

Figure 1 (image not reproduced)
Figure 2 (image not reproduced; source: Wombat 2016 State of the Phish)
Figure 3 (image not reproduced)
Figure 4 (image not reproduced)
Figure 5 (image not reproduced)

Malicious Domains per 10,000 Domains. This ratio reveals how many domains in a TLD
were "malicious" registrations (domains reported for phishing shortly after being registered)
as compared to the total number of registered domains names in that TLD, revealing
whether a TLD has a higher or lower incidence of malicious registrations relative to others.

TLD     Phishing Domains / 10,000    Malicious Domains / 10,000
.com    4.1                          1.2
.net    2.9                          0.5
.org    3.2                          0.2
.info   2.1                          0.4
.biz    1.6                          0.1