All content following this page was uploaded by Sathish A.P Kumar on 11 April 2018.
Phishing – challenges and solutions
Ike Vayansky and Sathish Kumar, Coastal Carolina University
January 2018 Computer Fraud & Security
FEATURE
demonstrating that the link was not trustworthy. It would also provide an explanation via a comic, which described the best way to identify and avoid phishing emails. The results showed that this system was more effective at reducing successful phishing attacks than the basic awareness emails.

‘TrustBar: protecting (even naïve) web users from spoofing and phishing attacks’: This paper describes yet another method of defending against phishing attempts through the application of a user interface system.[9] The system proposed by the authors is designed to help users who are not familiar with computers and current anti-phishing protections. First they present the security principles that a user interface system should follow and briefly go over similar projects that have been proposed by other researchers. Current server authentication using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is described, along with its shortfalls. The paper also describes the nature of phishing and spoofing (a key component of a phishing attack) and how they exploit weaknesses in the way web browsers use SSL/TLS. The criteria that the design follows in order to prevent spoofing are listed with the user in mind. Finally, the authors present their system for identifying protected and trusted sites in a clear and visible manner.

‘Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions’: The experiment outlined in this paper demonstrates which users appear to be most susceptible to a phishing scam.[10] The experiment had a large test group take the role of students at a fictitious university and gave them an email log to look through and determine what action they would take with each from a given list of actions. The composition of the groups by gender, education, whether they originated from the US, if they were a student, the average years of experience on the Internet, and the average emails per day was documented for each experimental group. The groups had varying levels of anti-phishing training using pre-existing programmes. The authors then discussed the results of the experiment in relation to key demographics and the effect that the different forms of training had on susceptibility.

‘Modelling and Preventing Phishing Attacks’: In this paper, the author provides a series of visual aids for understanding how phishing attacks are carried out.[11] By use of a graph-based model, the various components and factors of an attack are represented, and the way these factors are represented is also explained. An exemplar phishing scenario is described and then visualised using these models. The different ways that one attack can be carried out given the attacker’s knowledge of the victim are shown. Another, more advanced, form of phishing known as ‘context aware phishing’ is defined. In order to provide a better understanding of how this style of attack works, examples are provided and modelled as well. The different methods of victim selection and data collection and linking are noted. Finally, the paper concludes with an analysis of the example attacks described, and possible defences against such attacks.

Problem and challenges

The problem with phishing is that attackers constantly look for new and creative ways to fool users into believing their actions involve a legitimate website or email. Phishers have become more skilled at forging websites to appear identical to the expected location, even including logos and graphics in the phishing emails to make them more convincing.

There are dangerous new advanced phishing methods that utilise personal information that is easily available to the public in order to produce plausible and believable attacks that directly target victims. Methods such as social phishing and context aware phishing are perfect examples of attacks utilising the massive amount of public information to increase the effectiveness of their scams. One study shows that victims are 4.5 times more likely to fall for a phishing attempt if it is from a personal contact or personally relates to them.

These methods all fall within the classification of spear-phishing, where the attacks directly target specific victims with something in common that the attacker can exploit. Spear-phishing requires some information about the victims – their bank, where they work, what sites they’ve ordered from recently – to produce a targeted attack, and much of this data can easily be found by combing profiles, blogs and other websites. Some phishing attacks even incorporate malware such as worms or trojans into the emails they send, which then directly compromise the security of the victim’s computer and create another tool from which they can select victims and send out attacks. Phishers have also started to develop a psychology behind their emails that plays off urgency, greed or trust. Combined with the legitimate look and feel of the spoofed websites, even more cautious and aware users can fall victim to their attacks.

Phishing by its nature is also widespread: in the final quarter of 2009, the
Anti-Phishing Working Group (APWG) found over 90,000 unique phishing emails and over 130,000 unique phishing websites. The estimates for the annual monetary losses associated with phishing vary because of the lack of data from banks and other financial institutions, but are reported to be anywhere between $100m and $3bn just from victims in the US. Financial and banking services find themselves the focus of most attacks, making up almost 93% of reported attacks.

Phishing affects people globally and is conducted internationally, making it difficult to track and prosecute the criminals behind it. One common technique that phishers have utilised is called ‘fast flux’, where a large pool of proxies and URLs is used to keep the true location of the phishing site hidden. By doing this, it is harder to blacklist the site and the server being used takes more work to find. The attackers have also begun to produce networks, where each part of the attack is carried out by a different person. For instance, one person who is good at producing a forged site might produce a toolkit for other phishers to use, only requiring them to select a site to copy and where to send the information. These toolkit users would then only need to select victims and send emails. Interestingly, as many as a third of these toolkits would actually send the stolen data somewhere else. This way the person who created the toolkit has essentially recruited inexperienced phishers to do all the work and take the blame but reap none of the rewards. In this way, the true phisher could get away without detection.

Solution approach

We propose that there are three ways in which the solution to phishing can be approached: detect phishing attacks before they reach the user, detect once the user has reached the phishing site, or train users to detect or prevent them by themselves. Each option has its own benefits and downsides, but the best method is an approach utilising a mix of all three. Phishing is evolving every day to avoid detection and bypass these defences, so by taking on all three we increase the chances that attacks will be found and stopped. Figure 2 shows our approach and the proposed anti-phishing solution framework.

Figure 2: Proposed solution for phishing challenges.

Step 1 – Prevent phishing: Phishing can be stopped before it reaches the user either by blacklisting or blocking phishing sites or by filtering out phishing emails. The first method is carried out by looking at the URLs and the sites that they claim to be, either manually or automated through the use of machine learning. Although this may catch some sites, there is little hope of catching all of them, since a phisher can easily just make a new site once one is taken down.

The second method can be seen as more effective, because if successfully carried out it will stop the user from ever being exposed to the link for the phishing sites. There are many successful spam filters used by email servers, but few phishing filters, because the phishing problem is more complex. Filters for phishing are being designed using machine learning techniques as well. In ‘Classification of Phishing Email Using Random Forest Machine Learning Technique’ the authors discuss the characteristics used for classifying phishing emails. Some examples of these are the use of URLs containing an IP address, non-matching ‘href’ attributes and link text, the number of dots contained within a domain name and checking the domain names against the email sender. There are also a few simple keywords that the program looks for, such as ‘urgent’, ‘update’, ‘suspend’ and ‘verify’. The result of their experiment showed an accuracy of 99.7% with a very small false positive rate of about 0.06%. This indicates that the method is very effective at combating phishing, even more so since the machine learning technique can evolve with the evolving phishing attacks.

Step 2 – Detect phishing: Since attackers use sophisticated methods to ensure that phishing emails and websites reach vulnerable users, a method is sought to either identify possible phishing sites or indicate to the user to avoid malicious sites (or avoid giving sensitive information to these emails or sites) even if they have received (and opened) a malicious email. Many web browsers already have defences in place against phishing sites, which will either have a passive indicator or an active indicator. Active indicators will have pop-up windows with a warning that the site they are on is a suspected forgery or that it is not considered safe, while passive indicators do not interrupt the user’s task.
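The indicators listed under Step 1 (IP-address URLs, href versus link text, dots in the domain, link domain versus sender domain, lure keywords) are cheap to extract from a message. The Python below is an added example written for this page, not code from the article or from the Random Forest paper it cites: it pulls those features from two constructed sample emails (one phishing, one legitimate) and scores them with hand-picked weights that stand in for a trained classifier. The weights, the threshold, the keyword list, the 'last two labels' domain approximation and the sample addresses are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure words of the kind the cited paper looks for (assumed list).
KEYWORDS = ("urgent", "update", "suspend", "verify")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Anchor text that itself looks like a URL or domain name.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain ('www.x.com' is treated as http://www.x.com)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels: a deliberate simplification, a real filter uses a public-suffix list."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def extract_features(raw_email):
    """Return the hand-picked indicators for one single-part RFC 822 message."""
    msg = message_from_string(raw_email)
    sender_host = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    sender_domain = registrable_domain(sender_host)
    body = msg.get_payload()
    collector = _LinkCollector()
    collector.feed(body)
    hosts = [host_of(href) for href, _ in collector.links]
    mismatches = 0
    for href, text in collector.links:
        # Link text that names one domain while the href points at another.
        if DOMAIN_LIKE.match(text) and registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
            mismatches += 1
    haystack = (msg.get("Subject", "") + " " + body).lower()
    return {
        "ip_url": any(IPV4.fullmatch(h) for h in hosts),
        "href_text_mismatch": mismatches,
        "max_dots": max((h.count(".") for h in hosts), default=0),
        "sender_mismatch": any(registrable_domain(h) != sender_domain for h in hosts),
        "keyword_hits": sum(1 for k in KEYWORDS if k in haystack),
    }


def score(features):
    """Hand-weighted stand-in for the trained Random Forest; the weights are assumptions."""
    s = 3 if features["ip_url"] else 0
    s += 3 * features["href_text_mismatch"]
    s += 2 if features["sender_mismatch"] else 0
    s += 1 if features["max_dots"] >= 3 else 0
    s += min(features["keyword_hits"], 3)
    return s


def classify(raw_email, threshold=4):
    return "phishing" if score(extract_features(raw_email)) >= threshold else "legitimate"


# Constructed samples (addresses and hosts are reserved example names, not real sites).
PHISHING_SAMPLE = """From: "PayPal Security" <security@paypal-alerts.example>
To: victim@example.com
Subject: URGENT: verify your account
Content-Type: text/html

<html><body><p>Your account will be suspended. Please
<a href="http://192.0.2.7/paypal/login">update your details</a> or visit
<a href="http://secure.paypal.com.account-verify.example/">www.paypal.com</a>.</p></body></html>
"""

LEGITIMATE_SAMPLE = """From: "Acme Newsletter" <news@acme.example>
To: victim@example.com
Subject: March newsletter
Content-Type: text/html

<html><body><p>Read this month's stories on <a href="https://www.acme.example/news">www.acme.example</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, extract_features(sample), classify(sample))
```

In a real filter the feature dict is what gets fed to the trained model; the fixed weights above only make the example self-contained. Two caveats a practitioner should keep in mind: keyword matching is trivially evaded and contributes little on its own, and the two-label domain approximation misclassifies hosts under suffixes such as `co.uk`, so a public-suffix list belongs in production code.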
As expected, many users would ignore or simply not notice the passive indicator, and active indicators were much more effective. However, some users trust that the sites they are going to are what they expect because they were originally sites they trusted. To combat this, applying a verification system for sites that are trusted and secure can be helpful. If users see that verification every time they visit the genuine site, they are more likely to notice its absence on the fake website. The provision of the certified identification and branding attracts the eye and helps assure the user that they are on the correct site.

Step 3 – Stakeholder training: Training users to avoid falling for phishing scams is the third approach in our solution methodology. Most existing general phishing training is broad and does not combat the current more advanced phishing attacks, plus it depends on users actually engaging with and reading the material. Emailing warnings or material about phishing generally does not work because most users have been conditioned to disregard such emails and believe that they know how to protect themselves.

In our solution, we propose anti-phishing training methods using games or embedding training systems into an email server. Researchers are working on such games. For example, one of the most successful examples of the game format is ‘Anti-Phishing Phil’, a micro game that helps teach users to identify suspicious URLs and other components of phishing scams. This approach is both engaging for the user and informative, but users must still go to this program for themselves.

The other method, embedded training, can be useful because by sending mock phishing emails, users who are not trained in avoiding phishing scams will be trained by default. In the report ‘Protecting People from Phishing: the design and evaluation of an embedded training email system’, the authors outline a system that would send mock phishing emails which, if users opened and followed the link, would direct them to a page notifying them what was wrong with the email and what they should look for in the future to avoid being phished. Another approach was to use a comic to outline some key tips to help users avoid compromising their personal information. Both groups performed better than the control group, which only received security notice emails. This is a useful method because if the user is using the email server and clicking on the bait emails, then they will encounter the training email and become more aware of the risks, turning a prime phishing victim into an educated user.

Recommendations for future work

Phishing is increasing in complexity and is becoming harder to identify for cyber-security professionals. On the other hand, phishing is also becoming more complicated for attackers due to the increase in online security in recent years. Phishing is also getting more complicated for victims because new methods of attack make it harder for the lay person to distinguish phishing activity from normal activity.

We believe that the best defence to protect against phishing on a widespread scale would be to incorporate the proposed anti-phishing solution framework described in the previous section into email provider servers, such as Gmail, Yahoo and Hotmail. This would ensure that even those not experienced with computers and phishing risks are still protected at the most basic level. It would be even more effective if these servers also incorporated embedded training systems into their email services, because then the users will become more educated on how to protect themselves in the future, which will lead to a society of aware users and make it very difficult for phishers to successfully launch attacks.

Conclusion

Phishing is becoming an ever-growing threat to users as the attacks evolve and become more difficult to distinguish. The criminals who carry out these attacks are increasingly hard to catch. To combat these challenges, we have proposed a three-pronged approach. The use of a filtration system helps lessen the number of phishing emails that reach the user, decreasing the chances that they will be phished. The user interface model provides users with warnings when the site they are visiting is not trusted, therefore defending against the chance that a convincing email has led them to a phishing site. Finally, by engaging users with educative games or embedded training, the users themselves can start to practise methods of preventing phishing.

Even though attackers keep updating phishing tactics and it’s becoming a more complex task to prevent and detect phishing, staying up to date with

Continued on page 13...
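Embedded training, as described under Step 3 and in the recommendation to build it into mail providers, needs two pieces: a bait message whose link is unique to the recipient, and a landing handler that shows the training page and records the click. The Python below is an added example for this page, not the system from the cited report or the authors' code. It binds each link to one user and one campaign with an HMAC so that a leaked or guessed URL cannot be used to mark other users as having clicked. The domain names, secret, campaign identifiers and lure text are assumptions.

```python
import base64
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions: a per-campaign secret held only by the training server, and a
# landing path on the mail provider's own domain (reserved example names).
CAMPAIGN_SECRET = b"campaign-2018-q1-secret-rotate-me"
LANDING_BASE = "https://training.mail-provider.example/landing"


def _sign(payload: bytes, secret: bytes) -> str:
    """Truncated HMAC-SHA256 tag over the token payload."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()[:32]


def make_token(user_id: str, campaign_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque, unguessable token binding one user to one campaign.

    user_id must not contain '|' (the field separator); IDs are assumed to be
    internal identifiers, not email addresses.
    """
    payload = f"{campaign_id}|{user_id}".encode()
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{b64}.{_sign(payload, secret)}"


def build_mock_phish(user_id: str, user_addr: str, campaign_id: str) -> EmailMessage:
    """The bait: an urgency lure with a per-recipient link, in the style the article describes."""
    link = f"{LANDING_BASE}?{urlencode({'t': make_token(user_id, campaign_id)})}"
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@mail-provider.example>"
    msg["To"] = user_addr
    msg["Subject"] = "Urgent: verify your mailbox to avoid suspension"
    msg.set_content(f"Your mailbox quota is exceeded. Verify now: {link}")
    return msg


def resolve_click(url: str, secret: bytes = CAMPAIGN_SECRET):
    """Server side: validate the token, return what to show and what to record.

    Returns None for missing, malformed or tampered tokens, so knowing the URL
    format is not enough to mark arbitrary users as 'clicked'.
    """
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    if "." not in token:
        return None
    b64, tag = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not hmac.compare_digest(tag, _sign(payload, secret)):
        return None
    campaign_id, _, user_id = payload.decode(errors="replace").partition("|")
    return {
        "campaign": campaign_id,
        "user": user_id,
        "page": "training",   # explain what was wrong with the email, what to look for
        "record": "clicked",  # campaign metric, not a punishment
    }


if __name__ == "__main__":
    bait = build_mock_phish("u123", "alice@example.com", "camp-1")
    print(bait.as_string())
    lure_url = bait.get_content().split()[-1]
    print(resolve_click(lure_url))
```

The landing page itself is where the training happens: it should name the exact cues the recipient missed (sender domain, link target, urgency wording) rather than just announcing a failure. Clicks are recorded per campaign to measure whether susceptibility falls over time, which is the effect the cited study reports.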