The major security drawback in today's world is phishing attacks. A phishing attack makes
web users believe that they are communicating with a legitimate party, with the purpose of
stealing personal information, account information, login credentials and identity information.
We propose a technique to detect and prevent phishing attacks on e-mail. It is an end-user
application that uses a hyperlink and URL feature set to detect phishing attacks and makes use
of digital signatures to prevent the attack. A phishing attack is most commonly initiated by
sending e-mails to the user's machine with links to a spoofed website that harvests the
information. Thus our application will act as an interface between the e-mail service and the
user to provide secure communication between them. We believe that this will be a more
cost-effective and better way to prevent people from losing their private information to
phishing attacks.
CHAPTER 1
INTRODUCTION
Phishing is a new word derived from 'fishing'; it refers to the act in which the attacker lures
users to visit a fake website by sending them fake e-mails (or instant messages), and stealthily
obtains the victim's personal information such as user name, password and national security ID.
This information can then be used for future targeted advertisements or even identity theft
attacks (e.g., transferring money from the victim's bank account). The frequently used attack
method is to send e-mails to potential victims which appear to be sent by banks, online
organizations or ISPs. In these e-mails, the attackers make up some pretext, e.g., that the
password of your credit card has been mis-entered many times, or that they are providing
upgraded services, to lure you to visit their website and confirm or modify your account number
and password through the hyperlink provided in the e-mail. If you input the account number and
password, the attackers successfully collect the information at the server side and are able to
perform their next actions with that information (e.g., withdraw money from your account).
Phishing itself is not a new concept, but it has been increasingly used by phishers to steal user
information and commit business crime in recent years. Within one to two years, the number of
phishing attacks increased dramatically.
OBJECTIVES
The motivation behind this study is to create a resilient and effective method that uses data
mining algorithms and tools to detect e-banking phishing websites.
CHAPTER 2
• Deceptive Phishing
The attacker uses spoofed e-mails to lure unsuspecting victims to dummy websites designed to
deceive recipients into disclosing financial data and personal information such as credit card
numbers, account usernames, passwords and social security numbers. This is called a deceptive
phishing attack. Deceptive refers to any attack that imitates a legitimate company and attempts
to steal personal information [5].
Deceptive phishing messages claim that the recipient must confirm information about the
account, request users to re-enter their information, report fictitious account charges or
unwanted account changes, or announce new free services requiring quick action; these and many
other malicious messages are sent to many recipients with the hope that the unsuspecting will
react by clicking a link to, or signing onto, a bogus site where their secret information can be
collected.
• Malware-Based Phishing
Malware-based phishing refers to frauds that involve running malicious software on users' PCs.
Malware can arrive as an e-mail attachment or as a downloadable file from a website; this is a
particular issue for small and medium businesses (SMBs), which are not always able to keep their
software applications up to date. Web Trojans pop up invisibly when users are attempting to log
in; they collect the personal information from the user and send it to the phisher.
Key loggers also refer to keystroke logging and key word capturing, in which the person is
unaware that their actions are being monitored. This type of malware tracks the input from the
keyboard, and the relevant information obtained is sent to the hackers through the
internet [5]. Key logging is the action of recording (logging) the keys struck on a keyboard. Key
loggers install themselves into users' browsers as a small program that runs automatically when
the browser is started, as well as into system files as device drivers or screen monitors.
• Session Hijacking
Session hijacking is also referred to as cookie hijacking. It exploits a valid computer session:
using the session key, the attacker gains unauthorized access to information and services on the
computer system. This involves monitoring the activities of users until they sign in to their
account or transaction and enter their important information [5]. The infected software will then
perform unauthorized actions in the user's account, such as transferring funds from the user's
account to the attacker's account, without the user's knowledge.
CHAPTER 2.1
CASE STUDIES
A total of 16% (8 employees) agreed to give their user name only and refrained from giving
away their passwords under any circumstances or excuses whatsoever. The remaining 52%
(26 employees) were very cautious and declined to reveal any information regarding their
credentials over the phone. An overview of the results reveals the high risk of the social
engineering security factor. Social engineering constitutes a direct internal threat to e-banking
web services, since it hacks directly into the accounts of e-bank customers. The results also
show the direct need to increase the awareness of customers so that they do not fall victim to
this kind of threat, which can lead to devastating results.
We engineered a website for phishing practice and study. The website was an exact replica of
the original Jordan Ahli Bank website www.ahlionline.com.jo, designed to trap users and induce
them, by a targeted phishing e-mail, to submit their credentials (username and password). The
specimen consisted of our colleagues at Jordan Ahli Bank, after attaining the necessary
authorizations from our management. We deliberately put lots of known phishing features and
factors into the fake website in order to measure the users' awareness of these kinds of risk:
for example, using an IP address instead of a domain name, http instead of https, poor design,
spelling errors, absence of the SSL padlock icon and a phony security certificate. We targeted
120 employees with our deceptive phishing e-mail, informing them that their e-banking accounts
were at risk of being hacked and requesting them to log into their account through the fake link
attached to our e-mail using their usual customer ID and password, to verify their balance and
then log out normally. As shown in Table 2, the website successfully attracted 52 out of the 120
targeted employees, representing 44%, who interacted positively by following the deceiving
instructions and submitting their actual credentials (customer ID, password).
Surprisingly, IT department employees and IT auditors constituted 8 out of the 120 victims,
representing 7%, which shocked me, since we expected them to be more alert than others. From
other departments, 44 of the 120 targeted employees, representing 37%, fell into the trap and
submitted their credentials without any hesitation. The remaining 68 out of 120, representing
56%, were divided as follows: 28 employees supplied incorrect info, which seems to indicate a
wary curiosity,
but did not respond at all, representing 33%. The results clearly indicate that the phishing
factor is extremely dangerous.
CHAPTER 3
& Java script, Page Style & Contents, Web Address Bar
and Social Human Factor ), and each criteria has its own
To protect users from phishing attacks, an anti-phishing technique is used. In this technique,
Anti-Phish traces the personal information filled in by the user and generates an alert to the
user if the user is on an untrusted website. We can also train users about this type of phishing
attack. However, this approach is not reliable on its own; any user can still get tricked. To
avoid this, it becomes mandatory for the associated parties to solve this problem.
It is very complex to identify phishing websites, which mainly target e-banking services.
Certain data mining techniques may keep the e-commerce website safe, since they deal with
various factors rather than exact values. In this paper, we apply fuzzy logic along with data
mining algorithms to the various effective factors of e-banking phishing websites [1]. Phishing
victims often do not realize that they have been tricked. The first phase in preventing the
phishing problem is the detection of a phishing attack. Human detection and machine detection
are the two types of detection techniques.
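The report's application itself is written in Java (JDK 8); the following Python script is an added example, not code from the report or its project. It extracts from the hyperlinks in an e-mail body the URL features listed in the case study above (an IP address instead of a domain name, http instead of https) plus a hyperlink feature (anchor text naming a different host than the link target), and combines them into a weighted risk score in the spirit of the factor-based data mining detection described here; the sample e-mail body and the feature weights are constructed and assumed, standing in for trained factor weights.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not taken from the report): the anchor text
# shows the bank's real domain while the href points at a bare IP over http.
SAMPLE_HTML = ('<p>Your e-banking account is at risk. Verify your balance at '
               '<a href="http://192.0.2.10/login/verify">https://www.ahlionline.com.jo</a>'
               ' and then log out normally.</p>')

class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def url_features(href, anchor_text):
    """Binary features per link: IP address as host, no https, and anchor
    text that names a different host than the real link target."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    shown = urlparse(anchor_text).hostname if "://" in anchor_text else None
    return {
        "ip_host": bool(IPV4.match(host)),
        "no_https": parsed.scheme != "https",
        "text_host_mismatch": shown is not None and shown != host,
    }

# Assumed illustrative weights, standing in for the trained factor weights.
WEIGHTS = {"ip_host": 0.4, "no_https": 0.2, "text_host_mismatch": 0.4}

def score_email(html):
    """Return (highest per-link risk score in [0, 1], per-link feature dicts)."""
    parser = LinkCollector()
    parser.feed(html)
    rows = [url_features(href, text) for href, text in parser.links]
    scores = [sum(WEIGHTS[k] for k, v in f.items() if v) for f in rows]
    return (max(scores) if scores else 0.0), rows
```

A message with no links scores 0.0, and the per-link feature dicts show which factors fired so an alert can tell the user why the link is untrusted.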
• Human Detection:
Not all technology users are the same. Some users are more knowledgeable about security issues,
and some think longer before they click on a suspicious link. Internet users may receive training
at work, but otherwise most users are not particularly knowledgeable. Within an organizational
setting, common operational procedures, knowledge sharing and double verification processes can
reduce problems. Many technology workers are unaware of the information systems behind the user
interaction model that they use. Hence it becomes easier for phishing attackers to present the
web interface of some familiar webpage and lure the user into entering their private information,
which is then transmitted to the attackers [4].
• Machine Detection:
PROPOSED SYSTEM
phishing website.
proposed.
their legitimacy.
This application can be used by many e-commerce enterprises in order to make the whole
transaction process secure.
classifications algorithms.
HOW IT WORKS?
CHAPTER 4
SOFTWARE REQUIREMENTS
Netbeans
JDK 8
Mysql
CHAPTER 4.1
SOFTWARE DESCRIPTION
NETBEANS
JDK8
The Java Platform, Standard Edition 8 Development Kit (JDK 8) is a feature release of the Java
SE platform. It contains new features and enhancements in many functional areas. The Java
Development Kit (JDK) is an implementation of one of the Java Platform, Standard Edition, Java
Platform, Enterprise Edition or Java Platform, Micro Edition platforms [1], released by Oracle
Corporation in the form of a binary product aimed at Java developers on Solaris, Linux, macOS or
Windows. The JDK includes a private JVM and a few other resources needed to finish the
development of a Java application [2]. Since the introduction of the Java platform, it has been
by far the most widely used Software Development Kit (SDK).
On 17 November 2006, Sun announced that they would release it under the GNU General Public
License (GPL), thus making it free software. This happened in large part on 8 May 2007, when Sun
contributed the source code to the OpenJDK [3].
MYSQL
MySQL is an open source relational database management system (RDBMS) [6]. Its name is a
combination of "My", the name of co-founder Michael Widenius's daughter [7], and "SQL", the
abbreviation for Structured Query Language.
MySQL is free and open-source software under the terms of the GNU General Public License,
and is also available under a variety of proprietary licenses. MySQL was owned and sponsored
by the Swedish company MySQL AB, which was bought by Sun Microsystems (now Oracle
Corporation) [8]. In 2010, when Oracle acquired Sun, Monty Widenius forked the open-source
MySQL project to create MariaDB.
MySQL is a component of the LAMP web application software stack (and others), which is an
acronym for Linux, Apache, MySQL, Perl/PHP/Python. MySQL is used by many database-driven
web applications, including WordPress, Drupal and phpBB. MySQL is also used by many popular
websites, including Google.
CHAPTER 4.3
PROJECT MODULES
The main aim of a phishing attack is to steal users' personal information online, such as
passwords and credit card information, from various users. According to Engin Kirda and
Christopher Kruegel, phishing attacks have been rising, and they made available an Anti-Phish
technique which protects inexperienced or new users from website-based phishing attacks [2].
Anti-Phish is an application that is embedded into the browser; it tracks the user's information
and prevents them from entering it into an untrusted website. Figure 1 depicts the proposed
working model for analysis of anti-phishing attacks. The modules of the proposed system are:
CHAPTER 5
CHAPTER 6
FEATURES
A. Load Balancing
Since the system will be available only while the admin is logged in, the amount of load on the
server will be limited to the time period of admin access.
B. Easy Accessibility:
Records and other information can be easily accessed and stored.
C. User Friendly:
The website will provide a very user-friendly approach for all users.
E. Easy Maintenance:
CHAPTER 7
SCREENSHOTS
ADVANTAGES
This system can be used by many e-commerce websites in order to maintain a good customer
relationship.
The data mining algorithm used in this system provides better performance compared to
other traditional classification algorithms.
With the help of this system, users can also purchase products online without any
hesitation.
CONCLUSION
Phishing is one of the critical problems that may result in a continual threat, and the risk is
high in social media. Phishing takes advantage of trust: the user may not be capable of telling
that the site being visited, or the program being used, is not genuine; therefore, when this
happens, the hacker has the chance to gain the personal information of the targeted user, such
as usernames, security codes, passwords and credit card numbers, among other things [3]. This
paper discusses the various types of phishing attacks and the various anti-phishing techniques
used to prevent phishing attacks.
FUTURE WORK