Phishing Thesis

Masters Thesis IOE Pulchowk Campus

  • TRIBHUVAN UNIVERSITY

    INSTITUTE OF ENGINEERING

    PULCHOWK CAMPUS

    Problems in Web Browser's Inbuilt Anti-Phishing Techniques and their Solutions

    By

    Rajendra Bahadur Thapa

    A THESIS

    SUBMITTED TO DEPARTMENT OF MECHANICAL ENGINEERING

    IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE

    DEGREE OF MASTER OF SCIENCE IN

    TECHNOLOGY AND INNOVATION MANAGEMENT

    DEPARTMENT OF MECHANICAL ENGINEERING

    LALITPUR, NEPAL

    February, 2014

  • 2

    COPYRIGHT

    The author has agreed that the library, Department of Mechanical Engineering,

    Pulchowk Campus, Institute of Engineering may make this thesis freely available

    for inspection. Moreover, the author has agreed that permission for extensive

    copying of this thesis for scholarly purpose may be granted by the professor(s)

    who supervised the work recorded herein or, in their absence, by the Head of the

    Department wherein the thesis was done. It is understood that the recognition will

    be given to the author of this thesis and to the Department of Mechanical

    Engineering, Pulchowk Campus, Institute of Engineering in any use of the

    material of this thesis. Copying or publication or the other use of this thesis for

    financial gain without approval of the Department of Mechanical Engineering,

    Pulchowk Campus, Institute of Engineering and authors written permission is

    prohibited. Request for permission to copy or to make any other use of the

    material in this thesis in whole or in part should be addressed to:

    Head

    Department of Mechanical Engineering

    Pulchowk Campus, Institute of Engineering

    Lalitpur, Kathmandu

    Nepal

  • 3

    TRIBHUVAN UNIVERSITY

    INSTITUTE OF ENGINEERING

    PULCHOWK CAMPUS

    DEPARTMENT OF MECHANICAL ENGINEERING

    The undersigned certify that they have read, and recommended to the Institute of

    Engineering for acceptance, a thesis entitled "Problems in Web Browsers' Inbuilt

    Anti-Phishing Techniques and their Solutions" submitted by Rajendra Bahadur

    Thapa in partial fulfillment of the requirements for the degree of Master of Science in

    Technology and Innovation Management.

    ______________________________

    Supervisor, Dr. Jyoti Tandukar

    Associate Professor,

    IOE, Pulchowk Campus

    _______________________________

    External Examiner,

    ..

    Committee Chairperson,

    Name.

    Title

    Department of Mechanical

    Engineering

    Date .....................................................

  • 4

    ABSTRACT

    Phishing is a form of crime in which identity theft is accomplished by use of

    deceptive electronic mail and a fake site on the World Wide Web. Phishing threatens

    financial institutions, retail companies, and consumers daily and phishers remain

    successful by researching anti-phishing countermeasures and adapting their attack

    methods to the countermeasures, either to exploit them, or completely circumvent

    them.

    This study attempts to identify solutions to phishing. It consists of an experiment on
    browsers' inbuilt phishing detection systems, using walk-through inspection and batch
    scripting code to analyse their problems; a meta-analysis of phishing anomalies reported
    in various research works; an experimental quiz on users' phishing detection, delivered
    through a web application developed for the purpose; development of a model for phishing
    prevention; and verification of the proposed model through an extension built for Google
    Chrome.

    The experiment used 96 samples of phishing websites from phishtank.com in the 5 most
    used browsers (Internet Explorer, Google Chrome, Mozilla Firefox, Safari and Opera).
    The results show that, on average, they detect 85% of the phishing websites with their
    inbuilt anti-phishing systems. Browsers do not provide solutions after detecting a
    phishing website, which is the main problem in the existing anti-phishing systems in
    browsers.

    The experiment conducted through the web application quiz showed that users find it most
    difficult to detect misspelled/derived names in the URL, URLs using http in place of
    https, and URLs using multiple Top Level Domains (TLDs). An anti-phishing solution model
    consisting of a white list and a heuristic approach has been developed, in which the
    aforementioned anomalies in the URL are taken into consideration. An extension plug-in
    for Google's Chrome browser was developed and tested with different test cases covering
    the problems in browsers' anti-phishing systems and the most severe anomalies in the
    URL. The proposed model, tested with 96 phishing sites from PhishTank having the
    lack-of-SSL anomaly, 66 with lengthy URLs, 39 with multiple TLDs, etc., detected all the
    phishing websites, whereas Google Chrome detected 86 of them. The lack of SSL was seen
    in all the phishing websites, and awareness regarding SSL could definitely prevent users
    from falling for phishing.
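As an added illustration of the whitelist-plus-heuristic model the abstract describes, the following JavaScript scores a URL against a constructed whitelist and the URL anomalies named above (lack of SSL, lengthy URL, multiple TLDs, IP-address hosts, and misspelled or derived brand names). This is example code written for this page, not the thesis's own Chrome extension; the whitelist entries, the TLD list, the length threshold and the verdict labels are assumptions.

```javascript
// Added example of a whitelist-plus-heuristic URL check, written to illustrate
// the model described in the abstract. It is NOT the thesis's Chrome extension;
// whitelist entries, TLD list, thresholds and verdict labels are assumptions.

// Constructed sample whitelist of registered domains the user is known to trust.
const WHITELIST = new Set(["paypal.com", "example-bank.com"]);
// Small assumed TLD list used to spot "multiple TLD" hosts and registrable domains.
const KNOWN_TLDS = new Set(["com", "net", "org", "info", "biz", "np", "uk", "co"]);
const MAX_URL_LENGTH = 75; // assumed threshold for the "lengthy URL" anomaly

// Levenshtein edit distance, used to catch misspelled brand names (e.g. "paypa1").
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Registrable domain: last two labels, or three when the second-last label is
// itself a TLD-like label ("example.co.uk"). Deliberately simple; no public-suffix list.
function registeredDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length <= 2) return labels.join(".");
  const take = KNOWN_TLDS.has(labels[labels.length - 2]) ? 3 : 2;
  return labels.slice(-take).join(".");
}

function isIpv4Host(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

// Returns { domain, whitelisted, anomalies, verdict } for one URL string.
function analyzeUrl(urlString) {
  const url = new URL(urlString);
  const host = url.hostname.toLowerCase();
  const domain = registeredDomain(host);
  const anomalies = [];

  // Whitelist path: a trusted domain reached over HTTPS needs no heuristics.
  if (WHITELIST.has(domain) && url.protocol === "https:") {
    return { domain, whitelisted: true, anomalies, verdict: "legitimate" };
  }

  if (url.protocol !== "https:") anomalies.push("no-ssl"); // http in place of https
  if (urlString.length > MAX_URL_LENGTH) anomalies.push("lengthy-url");
  if (isIpv4Host(host)) anomalies.push("ip-address-host");

  // Multiple TLDs: a known TLD label anywhere but the last position,
  // e.g. "paypal.com.login-verify.net" carries "com" inside the host.
  const labels = host.split(".");
  if (labels.slice(0, -1).some((l) => KNOWN_TLDS.has(l))) anomalies.push("multiple-tlds");

  // Misspelled/derived names: the host embeds or closely resembles a trusted brand
  // while the registered domain is not the trusted one.
  const secondLevel = domain.split(".")[0];
  for (const trusted of WHITELIST) {
    const brand = trusted.split(".")[0];
    const resembles = host.includes(brand) || editDistance(secondLevel, brand) <= 2;
    if (resembles && domain !== trusted) {
      anomalies.push(`lookalike-of:${trusted}`);
      break;
    }
  }

  // Assumed verdict scale: two or more anomalies is "suspicious", one is "caution".
  const verdict = anomalies.length === 0 ? "no-anomalies"
    : anomalies.length >= 2 ? "suspicious" : "caution";
  return { domain, whitelisted: false, anomalies, verdict };
}

// Constructed sample URLs exercising each anomaly.
const SAMPLES = [
  "https://www.paypal.com/signin",
  "http://paypal.com.login-verify.net/account/update",
  "https://paypa1.com/",
  "http://192.168.0.10/login.php",
];
for (const s of SAMPLES) console.log(s, "->", JSON.stringify(analyzeUrl(s)));
```

The whitelist short-circuits only when the trusted domain is reached over HTTPS, so a whitelisted site loaded over plain http still surfaces the "no-ssl" anomaly, matching the abstract's observation that http in place of https is one of the cues users miss. The registrable-domain helper is intentionally naive; a production checker would use a public-suffix list.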

  • 5

    ACKNOWLEDGEMENT

    For the completion of this thesis, different people from different sectors, professionals
    and non-professionals, helped to their limit. I would like to thank them all for
    devoting their valuable time to this study. I would like to express my heartfelt
    gratitude to my supervisor Dr. Jyoti Tandukar for his guidance and encouragement
    throughout my graduate study. His expert knowledge and advice guided me through
    this thesis, without which I would not have been able to get to this point.

    I would like to express my very special thanks to our Program Coordinator of
    Masters of Science in Technology and Innovation Management, Prof. Amrit Man
    Nakarmi, for his valuable time and for coordinating us for the completion of this thesis. I
    would like to thank Dr. Rajendra Shrestha, Head of Department of Mechanical
    Engineering, Pulchowk Campus, for his regular inspiration and motivation for the
    project. I would also like to thank the core member groups of the Technology and
    Innovation Management Program; without them I would not have had the courage for the
    completion of the thesis.

    I am grateful to DIGP Mahesh Singh Kathayat, Ins. Pashupati Ray, Mr.
    Shreeniwas Sharma, Mr. Ashish Bhandari, Mr. Sunil Chaudary and others who were
    involved and helped directly or indirectly in the completion of the thesis. I am thankful to
    Upveda Technology Pvt. Ltd, Jwagal, for providing web app hosting support for the
    thesis.

    Finally, I would like to express a bouquet full of thanks to all my colleagues of
    Technology and Innovation Management and all the friends of Pulchowk Engineering
    Campus, IOE. And I cannot forget my family members for their full support in
    completing my thesis.

  • 6

    TABLE OF CONTENTS

    COPYRIGHT ........................................................................................................... 2

    ABSTRACT ............................................................................................................. 4

    ACKNOWLEDGEMENT ........................................................................................ 5

    LIST OF FIGURES ................................................................................................ 10

    LIST OF TABLES ................................................................................................. 12

    LIST OF ABBREVIATION .................................................................................. 13

    CHAPTER ONE ..................................................................................................... 15

    INTRODUCTION .................................................................................................. 15

    1.1 Background ............................................................................................. 15

    1.2 Problem Statement .................................................................................. 16

    1.3 Objective of the Study ............................................................................. 18

    1.4 Research Questions ................................................................................. 18

    1.5 Scope and Limitation of the study .......................................................... 18

    1.5.1 Scope ....................................................................................................... 18

    1.5.2 Limitation ................................................................................................ 19

    1.6 Organization of Thesis ............................................................................ 19

    CHAPTER TWO .................................................................................................... 21

    LITERATURE REVIEW ....................................................................................... 21

    2.1 Phishing ................................................................................................... 21

    2.2 Methods of Phishing Attacks .................................................................. 22

    2.3 Phishing Medium .................................................................................... 23

    2.3.1 Phishing via Social Media ....................................................................... 23

    2.3.2 Phishing via Mobile ................................................................................ 24

  • 7

    2.3.3 Phishing via Apps ................................................................................... 25

    2.4 Phishing: International Scenario ............................................................. 26

    2.5 Phishing in Nepal .................................................................................... 28

    2.5.1 Incident 1: Nabil Bank ............................................................................ 28

    2.5.2 Incident 2: Nepal Investment Bank ......................................................... 28

    2.5.3 Incident 3: Bank of Asia ......................................................................... 29

    2.5.4 Incident 4: Nepal SBI Bank .................................................................... 29

    2.6 Phishing Prevention System .................................................................... 31

    2.6.1 List Based Methods ................................................................................. 32

    2.6.2 Heuristic Method ..................................................................................... 33

    2.7 Anti Phishing Techniques in Web Browsers .......................................... 39

    2.7.1 Google Chrome ....................................................................................... 41

    2.7.2 Mozilla Firefox ........................................................................................ 43

    2.7.3 Internet Explorer ..................................................................................... 45

    2.7.4 Opera ....................................................................................................... 47

    2.7.5 Safari ....................................................................................................... 48

    2.7.6 Summary of technology used by anti phishing systems in browsers ...... 50

    2.8 Problems in Browsers Inbuilt Phishing Prevention Systems ................. 51

    2.9 Organization Working against Phishing ................................................. 52

    2.9.1 APWG (Anti phishing Working Group) ................................................. 52

    2.9.2 PhishTank ................................................................................................ 53

    2.10 Phishing prevention as a social aspect .................................................... 53

    2.11 Past research on phishing detection model ............................................. 54

    CHAPTER THREE ................................................................................................ 57

  • 8

    METHODOLOGY ................................................................................................. 57

    3.1 Research Design ...................................................................................... 57

    3.2 Sources of Data ....................................................................................... 57

    3.3 Methodology Insight ............................................................................... 58

    3.4 Experimental Research for phishing detection in browser ..................... 59

    3.4.1 Size of the sample of phishing websites ................................................. 59

    3.4.2 Pre-validation of the setup: ..................................................................... 60

    3.5 Development of model and its validation ............................................... 62

    3.5.1 Selection of anomalies through web app ................................................ 62

    3.5.2 Development of model ............................................................................ 67

    3.5.3 Validation of the anti phishing solution model ....................................... 69

    3.6 Tools and Technologies Used ................................................................. 71

    3.7 Accessing the Web Application and chrome extension/plug-in ............. 71

    3.7.1 Accessing the Web Application .............................................................. 71

    3.7.2 Assessing the Extension/Plug-in for Google chrome ............................. 72

    CHAPTER FOUR .................................................................................................. 74

    DATA ANALYSIS / RESULTS ............................................................................ 74

    4.1 Detection of phishing websites ............................................................... 74

    4.2 Experimental Analysis ............................................................................ 74

    4.2.1 Results of Phishing Anomalies in the URL ............................................ 75

    4.2.2 Development of Anti Phishing Model .................................................... 78

    4.2.3 Test Results and Analysis ....................................................................... 80

    4.3 Solutions .................................................................................................. 83

    CHAPTER FIVE .................................................................................................... 85

  • 9

    CONCLUSION AND RECOMMENDATION ..................................................... 85

    5.1 Conclusion ............................................................................................... 85

    5.2 Recommendation ..................................................................................... 86

    5.3 Future Research Work ............................................................................. 88

    REFERENCES ....................................................................................................... 89

  • 10

    LIST OF FIGURES

    Figure 1 Cyber crime statistics in Nepal ...................................................................... 16

    Figure 2 Internet users in Nepal ................................................................................... 17

    Figure 3 Social media network users ........................................................................... 23

    Figure 4 Fake PayPal for mobile (left) vs legitimate site (right) ................................. 25

    Figure 5 Phishing attacks per year ............................................................................... 26

    Figure 6 Daily submitted phishes ............................................................................... 27

    Figure 7 Daily verified phishes .................................................................................... 27

    Figure 8 Phishing email for the customers of Nepal SBI bank.................................... 30

    Figure 9 Classification of phishing prevention system ................................................ 31

    Figure 10 World map according to the use of browsers. ............................................. 39

    Figure 11 Global statistics of browsers users. ............................................................. 40

    Figure 12 Statistics of percentage of browser user in Nepal ....................................... 40

    Figure 13 Phishing detection in Google Chrome ......................................................... 43

    Figure 14 Anti phishing setting in Mozilla Firefox ..................................................... 44

    Figure 15 Enabling SmartScreen filter (IE 8) .............................................................. 46

    Figure 16 Phishing detection in IE 8 after using SmartScreen filter ........................... 46

    Figure 17 Phishing detection in Opera browser. .......................................................... 48

    Figure 18 Checking enable or disable of anti-phishing in safari browsers .................. 50

    Figure 19 Phishing detection in Safari ......................................................................... 50

    Figure 20 SSL lock icon in Gmail. .............................................................................. 52

    Figure 21 Model of research process ........................................................................... 57

  • 11

    Figure 22 Research Methodologies in block diagram ................................................. 59

    Figure 23 Existing phishing prevention systems ......................................................... 67

    Figure 24 Proposed phishing prevention system ......................................................... 67

    Figure 25 Implementation of the model ....................................................................... 69

    Figure 26 Installation of plugin/extension in Google Chrome. .................................. 73

    Figure 27 Output of Web App ..................................................................................... 75

    Figure 28 Result from web app for recognizing phish site and real site ..................... 76

    Figure 29 Detail diagram of proposed phishing prevention system ............................ 78

    Figure 30 Educative message provided by the model ................................................. 79

    Figure 31 Solutions advised by the model ................................................................... 80

    Figure 32 Test Result (n = 96 websites) of the Model ................................................. 81

    Figure 33 Information revealed from advice legitimate solution by the model. ......... 82

    Figure 34 Analysis of solution on IP addresses ........................................................... 83

  • 12

    LIST OF TABLES

    Table 1 Anomalies found in the URL .......................................................................... 38

    Table 2 Messages seen after malware detection in chrome ......................................... 42

    Table 3 Technologies used by anti phishing system in browsers. ............................... 51

    Table 4 Sampling Methodology................................................................................... 60

    Table 5 Environmental variables for experimental test for detection of phishing ....... 61

    Table 6 Anomalies in the URL and target brands and organizations .......................... 64

    Table 7 List of Messages disseminated to alert users about their mistakes ................. 66

    Table 8 Tools and Technologies used .......................................................................... 71

    Table 9 Result of Detection of phishing sites by browsers .......................................... 74

    Table 10 Rank of Anomalies in the URL based on mistakes from the test users ........ 77

    Table 11 Solutions provided by the tools developed. .................................................. 84

    Table 12 The Chi-Square Test for detection of phishing website ............................. 108

    Table 13 T-Test calculation for detection of phishing websites by browsers. ........... 110

  • 13

    LIST OF ABBREVIATION

    API Application Programming Interface

    Apps Applications

    APWG Anti Phishing Working Group

    ATM Automatic Teller Machine

    CCPM Computer Crime Prevention Model

    CERT Computer Emergency Response Team

    CMU Carnegie Mellon University

    CSIRT Computer Security Incident Response Team

    DIGP Deputy Inspector General of Police

    FINRA Financial Industry Regulatory Authority

    FIRST Forum of Incident Response and Security Team

    HTML Hypertext Markup Language

    ICANN Internet Corporation for Assigned Names and Numbers

    ICT Information and Communication Technology

    IE Internet Explorer

    IP Internet Protocol

    IS Information System

    ISP Internet Service Provider

    IT Information Technology

    JSON JavaScript Object Notation

    MPCD Metropolitan Police Crime Division

  • 14

    MS Microsoft

    MTPD Metropolitan Traffic Police Division

    NG Not Good

    NIBL Nepal Investment Bank Limited

    NST Nepal Standard Time

    PIN Personal Identification Number

    SEI Software Engineering Institute

    SMS Short Messaging Service

    TIM Technology and Innovation Management

    TLD Top Level Domain

    URL Uniform Resource Locator

    W3C World Wide Web Consortium

    WOT Web of Trust

  • 15

    CHAPTER ONE

    INTRODUCTION

    1.1 Background

    With the enormous advancement in Information and Communication Technologies,

    computers and related technologies are now being used in almost all walks of life.

    Computers today touch every aspect of society including the financial industry,

    manufacturing industry, universities, insurance companies, law enforcement, and

    governmental agencies. There are numerous benefits of these technologies in every
    sector. Along with the benefits, several issues, complications and crimes are
    associated with these technologies.

    Wide popularity in the usage of Information and Communication Technologies (ICT)
    has enabled criminals to use them in illegitimate ways (Sen & S, 2001). It is evident
    that while technologies including the Internet open doors to numerous opportunities for
    enterprises, they also have a dark side, which involves not only hacking and cracking,
    fraud and theft, pervasive pornography, pedophile rings, etc. but also
    extortion, money laundering, pirating, corporate espionage, drug trafficking and
    criminal organizations (South Asia Partnership, 2007).

    Cybercrime is rapidly taking root even in a developing country like Nepal. Figure
    1 shows the statistics of cybercrime in Nepal (Cybercrime Division Nepal Police).
    Nepal Police handled 15 cases of cyber crime in fiscal year 2067/68, 46 cases in
    2068/69 and 78 in the current fiscal year (2069/70). Cybercrimes dealing with insults
    on social networking sites, abuse of photographs, etc. do not seem to be a big issue
    in Nepal, where political instability and other criminal activities regularly challenge
    the law enforcing agencies.

  • 16

    Figure 1 Cyber crime statistics in Nepal

    Technical human resources in the law enforcing agencies have to be developed to
    tackle the accelerating computer crimes in Nepal. Rationally, as most of the
    processes in organizations are automated through computers, the crime associated
    with them will also scale. There has to be systematic monitoring of crimes borne
    from social networking sites, ATM frauds, etc.

    The development of a Computer Crime Prevention Model (CCPM) is imperative. This
    research particularly deals with the prevention model for a category of computer
    crime called phishing. Phishing relies on various readily available tools and techniques,
    which will be extensively studied through literature and case studies. The research
    also analyzes problems of the existing system and proposes a validated Anti-Phishing
    Model.

    1.2 Problem Statement

    Phishing threatens financial institutions, retail companies, and consumers' cyber
    activities daily. Phishers remain successful by researching anti-phishing
    countermeasures and adapting their attack methods to exploit the aforementioned
    organizations and completely circumvent them. As people increasingly rely on the
    Internet to do business, Internet fraud becomes an apparent threat to people's Internet life.

    [Figure 1 chart: Cyber Crime In Nepal, case counts per category for fiscal years
    2067/68, 2068/69 and 2069/70 (y-axis 0 to 60). Source: Nepal Police Crime Division,
    Hanumandhoka]

  • 17

    Internet fraud uses misleading messages online to deceive human users into forming a
    wrong belief and then force them to take dangerous actions that compromise their own or
    other people's welfare.

    The number of internet users in Nepal is increasing rapidly, in a double exponential
    manner (Annex 2). It is forecast that 18% of the population will be internet users by
    2015 and 25% by 2018. With this rapid growth of internet users, the crimes related to
    the internet will also increase.

    Figure 2 Internet users in Nepal Source: (The World Bank, 2013)

    In addition, financial institutions are flourishing in Nepal. The banking and business
    scenarios in Nepal are gradually changing with the extensive application of ICT in
    their businesses. These institutions are using ICT in different forms to serve their
    customers. More people are adopting internet and mobile channels to perform
    their transactions with these institutions. On the other hand, these technologies are
    susceptible to phishers. However, these changing scenarios have also attracted
    many cybercriminals (Pritush, 2012; Shrestha, 2013).

    Some incidents and phish scams are already seen in the police record. The prevention

    of phishing is very important and localization of the solution will provide better

    assurance to the Nepalese people. There are several anti-phishing solutions available;

    [Figure 2 chart: Internet users population of Nepal, percentage of population, x-axis
    1980 to 2030; plotted values 0.00, 0.00, 0.20, 0.83, 9.00, 11.15, 15.97, 18.35, 25.47,
    30.22]

  • 18

    in fact, all the popular web browsers come with inbuilt anti-phishing solutions. There

    is no complete measure to stop or prevent Internet users falling prey to phishing

    attacks (Dhamija, Tygar, & Hearst, 2006). Every year Internet users lose hundreds of

    millions of dollars to phishing attacks (APWG, 2013). In the case of Nepal, where
    computer literacy is very low, getting internet users to install an anti-phishing
    solution can be cumbersome due to limited knowledge of these tools and their utility.
    Therefore, such internet users should be facilitated with effective inbuilt anti-phishing
    solutions in browsers.

    1.3 Objective of the Study

    The main objectives of the study are:

    1) To propose a phishing prevention model that increases user awareness

    The specific objectives of the study are:

    1) To study about phishing detection in web browsers.

    2) To explore problems in web browsers inbuilt anti-phishing techniques.

    3) To identify URL anomalies that are likely to confuse users in phishing

    websites.

    4) To ensure a higher level of protection against phishing through user awareness

    1.4 Research Questions

    For satisfying the objective of the study, the following research questions are prepared.

    1) What are the problems in web browsers anti phishing system?

    2) How can technology intervene to increase user awareness so that users are not

    misled by phishing sites?

    1.5 Scope and Limitation of the study

    1.5.1 Scope

    The scope of this study is stated below:

    1) It makes internet users aware of phishing.

    2) It improves phishing detection.

  • 19

    3) It protects internet users from falling victim to phishing attacks and saves money as
    well as resources.

    1.5.2 Limitation

    The study is done for the fulfilment of the MSTIM program. There are some limitations
    of the study. The limiting factors are as follows:

    1) The phishing websites taken from phishtank.com are from only one day, which
    limits the variety of the phishing websites.

    2) It is valid for login pages or other pages which ask for confidential information,
    e.g., PIN code, banking information, social security, etc.

    1.6 Organization of Thesis

    The report is organized in six chapters that are linked to the issues in relation to the

    study. It also includes information from various sources related to the study.

    Chapter One gives the background of the study, its rationale, objectives and research

    questions.

    Chapter Two includes literature review on the phishing, methods of phishing,

    phishing types, phishing detection tools and techniques, browsers anti phishing tools,

    etc.

    Chapter Three reviews the research methodology used in the study. It elaborates the

    expert survey method and experimental methods used, ways of collecting data,

    development of the anti phishing model and experimental set up with test cases

    development for the verification of the model.

    Chapter Four analyzes the different browsers' anti-phishing systems and their detection
    of phishing websites, and presents the results from the users accessing the web
    application based on the anomalies in the URLs. With these experimental results and
    based on the meta-analysis of phishing detection, a solution model for Nepal is proposed.
    This model is verified by developing an extension plug-in for Google Chrome. The results
    are analyzed in this part.

  • 20

    Chapter Five contains Conclusion and Recommendation.

  • 21

    CHAPTER TWO

    LITERATURE REVIEW

    2.1 Phishing

    Phishing is a criminal, fraudulent mechanism which uses the Internet to acquire
    sensitive personal information, such as usernames, passwords or credit card details,
    by masquerading as a reliable business website or electronic communication (Frost &
    Sullivan, 2009). The term is derived from "fishing". Phishing (also called brand spoofing)
    is a term used for a sort of fraud where phishers send out spoof email to a random
    database to fool the recipient into divulging personal information like credit card
    details, usernames and passwords, that can be used for identity theft. Phishing is one
    of the most well known and fastest growing scams on the Internet today (Singh,
    2007). According to Kay, phishing is a technique used to gain personal information
    for purposes of identity theft, using fraudulent e-mail messages that appear to come
    from legitimate businesses. These authentic-looking messages are designed to fool
    recipients into divulging personal data such as account numbers and passwords, credit
    card numbers and Social Security numbers (Kay, 2004).

    PhishTank explains phishing as a fraudulent attempt, usually made through email to

    steal personal information. The best way to protect users from phishing is to learn

    how to recognize a phish. Phishing emails usually appear to come from a well-known

    organization and ask for your personal information such as credit card numbers, social

    security numbers (USA), account numbers or passwords. Often phishing attempts

    appear to come from sites, services and companies with which users do not even have

    their account in. In order for Internet criminals to successfully "phish" their personal

    information, they must get the users to lure from an email to a website. Phishing

    emails will almost always tell the users to click a link that takes you to a site where

    users' personal information is requested. Legitimate organizations would never

    request this information of via email. (PhishTank, 2013).

  • 22

    2.2 Methods of Phishing Attacks

    Singh mentions four main techniques of phishing. These techniques are briefly described below (Singh, 2007).

    Dragnet: This method involves the use of spammed e-mails, bearing falsified corporate identification (e.g., corporate names, logos and trademarks), which are addressed to a large group of people (e.g., customers of a particular financial institution or members of a particular auction site) and direct them to websites or pop-up windows with similarly falsified identification. Dragnet phishers do not identify specific prospective victims in advance. Instead, they rely on false information included in an e-mail to trigger an immediate response by victims, typically clicking on links in the body of the e-mail that take the victims to the websites or pop-up windows where they are requested to enter bank or credit card account data or other personal data.

    Rod-and-Reel: This method targets prospective victims with whom initial contact has already been made. Specific prospective victims so identified are sent false information to prompt their disclosure of personal and financial data.

    Lobsterpot: This method consists of creating websites similar to legitimate corporate websites, aimed at a narrowly defined class of victims. A smaller class of prospective victims is identified in advance, but no triggering of a victim response is needed. It is enough that the victims mistake the spoofed website for a legitimate and trustworthy site and enter their personal data.

    Gillnet: In gillnet phishing, phishers introduce malicious code into emails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site's pop-up window. Merely by opening a particular email or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code will change settings in users' systems, so that users who want to visit legitimate banking websites will be redirected to a lookalike phishing site. In other cases, the malicious code will record users' keystrokes and passwords when they visit legitimate banking sites, then transmit those data to phishers for later illegal access to the users' financial accounts.

    In all these techniques, the phishing schemes typically rely on three basic elements. First, phishing solicitations often use familiar corporate trademarks and trade names, as well as recognized government agency names and logos. Second, the solicitations routinely contain a warning intended to cause the recipients immediate concern or worry about access to an existing financial account. Third, the solicitations rely on two facts pertaining to authentication of the e-mails: (1) online consumers often lack the tools and technical knowledge to authenticate messages from financial institutions and e-commerce companies; and (2) the available tools and techniques are inadequate for robust authentication or can be spoofed.

    2.3 Phishing Medium

    The Internet is a playground for phishers. The Internet is mainly accessed through web browsers. The history of phishing dates back to 1985 in AOL mail, where a phisher posed as an AOL staff member and sent an instant message to a victim, asking the victim to reveal his/her password (Wordspy.com). With the use of the Internet for social networking, mobile devices and apps, these are also becoming a medium for phishers to find prey.

    2.3.1 Phishing via Social Media

    The number of social network users worldwide will rise from 1.47 billion in 2012 to 1.73 billion in 2013, an 18% increase year on year (YoY), and by 2017 the number of users globally will total 2.55 billion (Sigsworth, 2013).

    Figure 3 Social media network users Source: (Sigsworth, 2013)

    Data collected from Fortune's Global 100 revealed that more than 50% of companies said they have Twitter, Facebook, and YouTube accounts. Facebook membership, for example, has increased nearly 10 times since 2008, with over 7 billion unique visitors per month worldwide. Twitter shows that the number of members increased by a factor of five over the same period, boasting over 555 million regular users (EMC Corporation, Jan, 2013).

    With the world turning into a smaller and more social village than ever, cybercriminals are by no means staying behind. They follow the money, and so as user behavior changes, RSA expects cybercriminals to continue following their target audience to the virtual hot-spots. According to a Microsoft research study, phishing via social networks was used in only 8.3% of attacks in early 2010; by the end of 2011 that number stood at 84.5% of the total. Phishing via social media increased through 2012, jumping as much as 13.5% in one month considering Facebook alone. Another factor affecting the success of phishing via social media is the vast popularity of social gaming, an activity that brought payments into the social platform. Users who pay for gaming will not find it suspicious when they are asked for credit card details and personal information on the social network of their choice (EMC Corporation, Jan, 2013).

    2.3.2 Phishing via Mobile

    Mobile phishing is an emerging threat targeting the customers of popular financial entities. By the end of 2012, Trend Micro had already seen 4,000 mobile phishing URLs, representing less than 1% of all its phishing URL detections. Of the total combined URLs used in phishing attacks against the top targeted entities, 7% were mobile URLs (Trend-Micro, Feb, 2013).

    The most prominent market trends relevant to the mobile channel have to do with the growth in mobile device usage in both our personal and work lives and the pivotal role of mobile apps. RSA expects to see more phishing directed at mobile device users, particularly smart phones, as we move into 2013. Varying social engineering schemes will target users by voice (vishing), SMS (smishing), app-based phishing (rogue apps), as well as classic email spam that users will receive and open on their mobile devices (EMC Corporation, Jan, 2013).

    Cybercriminals launch mobile phishing attacks because they can take advantage of certain limitations of the mobile platform. A mobile device's small screen size, for example, inhibits the mobile browser's ability to fully display any anti-phishing security elements a website has. This leaves users no way to verify whether the website they're logging in to is legitimate or not (Trend-Micro, Feb, 2013).

    Figure 4 Fake PayPal for mobile (left) vs legitimate site (right) Source: (Trend-Micro, Feb, 2013)

    2.3.3 Phishing via Apps

    Apps are the central resources for smartphone users, and the overall popularity of apps will become just as trendy with cybercriminals.

    Nowadays, users download apps designed for just about every day-to-day activity, with the most prominent of those being gaming, social networking and shopping apps. To date both Apple and Google have surpassed 35 billion app downloads each from their respective stores. According to research firm Gartner, this number will grow to over 185 billion by 2015 (EMC Corporation, Jan, 2013). In Nepal also, there are familiar day-to-day apps for the Nepali calendar (Hamro Patro), the load shedding schedule (Batti Gayo), iMusic, news of Nepal, etc., which are becoming part of day-to-day activities (Techsansar.com, 2013).

    In 2013 organizations will continue to aggressively tap into this growing market and respond by further moving products and services to this channel, delivering specialized small-screen adaptations for web browsing and developing native apps that supply mobile functionality and brand-based services to enable customers anywhere-anytime access.

    Cybercriminals will focus on apps in order to deliver phishing, conceal malware, infect devices and steal data and money from users of different mobile platforms (EMC Corporation, Jan, 2013).

    Google's Android Market has a developer-friendly reputation, with open source code and no strict Apple-like approval process before developers can sell their software. Sometimes that openness is used for nefarious purposes, though, and malware creeps in. Just recently, the Android Market was hit with its first phishing attack, via some apps that used fairly standard tactics of mimicking bank websites to deceive users into entering their passwords (Hathaway, 2010).

    2.4 Phishing: International Scenario

    The total number of phishing attacks in 2012 was 59% higher than in 2011. It appears that phishing has been able to set another record year in attack volumes, with global losses from phishing estimated at 1.5 billion in 2012. This represents a 22% increase from 2011 (EMC Corporation, Jan, 2013).

    Figure 5 Phishing attacks per year Source: (EMC Corporation, Jan, 2013)

    PhishTank lists the links of phishing websites. According to the statistics of phishtank.com, there are 1,206,474 valid phishes, of which 12,745 are online (PhishTank.com, 2013).

    Figure 6 Daily submitted phishes Source: (PhishTank.com, 2013)

    Figure 7 Daily verified phishes Source: (PhishTank.com, 2013)

    One creative phishing attack offered Australian taxpayers a special printable form to access their refund payments. After the victim entered their sensitive financial information into the form and clicked print, their private data was sent to the cybercriminals. Fortunately, the Australian tax authorities discovered the fraud and worked diligently to shut down the servers hosting the attack (Merritt, 2009).

    2.5 Phishing in Nepal

    The number of internet users in Nepal is increasing in a double exponential manner. It is forecast that 18% of the population will be internet users by 2015 and 25% by 2018. Phishing incidents are being registered in the Nepal Police Crime Division (Figure 1). Some of the cases which came into the media are highlighted below.

    2.5.1 Incident 1: Nabil Bank

    The incident was posted on ekantipur.com (Shrestha, 2013). Naresh Lamgade of Anarmani, Jhapa allegedly hacked into the accounts of Nabil Bank's customers by creating a fake website of the bank. The phisher sent email messages to Nabil's e-banking customers asking them to change their security codes and providing links to do so. The link led to the fake e-banking website of Nabil Bank. Upon entering their identity and password, the customers unsuspectingly revealed their private login details to the phisher.

    Using the details obtained by phishing, Lamgade withdrew money from the accounts of Nabil's clients. According to the police, Lamgade has admitted that he obtained Rs 32,000 from the accounts of Nabil's clients, while the bank has claimed that he took Rs 50,000.

    2.5.2 Incident 2: Nepal Investment Bank

    According to Shrestha (2013), the customers of Nepal Investment Bank Limited (NIBL) got emails stating that their e-banking accounts had been disabled and telling them to go to a given link to enable them and to ask for a new identity and password. As customers clicked on the link, they were told that the account was being enabled. But it was just an attempt to dupe these customers and collect their e-banking account details. As a result, Rs 1.2 million of active depositors of NIBL was stolen, as the one who sent the email got access to the passwords of the bank's clients (Shrestha, 2013).

    The Central Investigation Bureau (CIB) of the Nepal Police was investigating the incident. The police said that the IP address of the email is from outside the country. However, the issue has got less priority as the bank has not yet lodged a formal complaint on the issue, said a CIB official.

    2.5.3 Incident 3: Bank of Asia

    A customer having an e-banking account with the Bank of Asia (BoA) received an email telling him to change the security code of his account (Shrestha, 2013). The customer, who is also an employee of NMB Bank, asked the BoA why they had sent such an email. After finding out that a fake email had been sent to its customer, the BoA lodged a complaint at the cyber crime cell of Metropolitan Police Range, Hanuman Dhoka.

    Shrestha states that not all the incidents of phishing have been reported so far. So there might be many other cases of phishing and many losses which are not lodged or are unknown yet.

    2.5.4 Incident 4: Nepal SBI Bank

    Online Internet banking is a fairly new topic among Nepali internet users. Currently lots of Nepali users are getting phishing emails which claim to be from reputed banks like Nepal Investment Bank, SBI Bank, Nabil Bank, etc. (Pritush, 2012).

    The email gives you the warning that your account has been suspended and that to reactivate it you have to go to the web address listed in the email and enter your password. Below, a picture of a phishing email you might receive is attached (Figure 8). Before logging in, check that the address is the bank's and that the connection is secure (https).

    Figure 8 Phishing email for the customers of Nepal SBI bank Source: (Pritush, 2012)

    2.6 Phishing Prevention System

    Phishing prevention systems build awareness of potential phishing attempts and develop and promote innovative technology solutions that help protect users against phishing. They implement prevention and detection measures. The prevention measures focus on practices and technical solutions that either reduce the frequency of phishing attempts users receive or educate users so that they are less likely to respond to phishing attempts (American Bankers Association, 2005). There are a number of techniques that can be used in prevention systems; however, the most reliable is educating the users. The other is the detection measure, which includes the techniques and tools used to detect phishing. There is no standard solution to address and manage phishing attacks; however, any solution that attempts to approach phishing in a holistic way needs to focus on both consumer and business audiences to help create a trustworthy e-commerce system in which all parties are protected and aware of potential hazards (Microsoft, 2005).

    The phishing prevention systems can broadly be classified into Technical and Non-Technical types. The technical type can be further sub-classified into list based methods and heuristic methods (Chaudhary, 2012). The Non-technical type, which includes Education and Awareness, is kept in this classification based on the description of non-technical methods.

    Figure 9 Classification of phishing prevention system

    Phishing Prevention Systems
      Technical
        List Based Methods: Black List, White List
        Heuristic Methods: Anomalies on URL, Anomalies on Source code, Search Engines, Visual similarities
      Non-Technical
        Education & Awareness

    Many anti-phishing applications are developed on the client side. These are automated techniques such as browser toolbars and plug-ins. Meanwhile, more and more researchers on the topic of security realize the need for improving server security, in order to protect against phishing by considering both the client and the server. However, awareness about phishing among users is the most effective way for phishing prevention. It is important that users get familiar with widely used techniques and tricks of social engineering, the psychology of manipulating people into divulging confidential information and performing unwitting actions.

    The client based solutions include techniques like: e-mail analysis (using Bayesian filters and content analysis), blacklist filters (queried URLs identified as malicious), information flow (keeping track of the sensitive information that the user enters into web forms and raising an alert if something is considered unsafe, like URL obfuscation or a fake domain name), similarity of layouts (comparing visual similarity), etc. Similarly, the server based solutions include techniques like: brand monitoring (crawling on-line to identify clones and adding suspects to a centralized blacklist), behavior detection (detecting anomalies in the behavior of users), security event monitoring (identifying anomalous activity, or post mortem analysis to detect attack or fraud), strong authentication (use of more than one identification factor), new authentication techniques (use of the latest authentication techniques), etc.

    Lastly, education and awareness are related to developing users' ability to identify phishing attack mechanisms and the precautionary actions needed to safeguard their personal and confidential data or information. This is also the most difficult method, since users need to guard their data or information from the vulnerabilities generated by their own activities.

    The technical phishing prevention methods are explained in detail below.

    2.6.1 List Based Methods

    List based methods are reactive techniques for phishing prevention. They maintain a lookup list of either trusted websites (white list) or malicious websites (blacklist). These lists may be hosted either locally or at a central server.

    a) White-list Method

    A white list is the list of trusted websites that an Internet user visits on a regular basis. When the white list is exclusive, it allows access only to those websites which are considered trusted and thus is highly effective against zero hour phishing. It also does not produce any false positive results unless there is a wrong entry in the white-list. However, it is very difficult to determine beforehand all the websites which users may want to browse and accordingly update the list on time (Chaudhary, 2012).

    b) Blacklist Method

    A blacklist is the list of IP addresses, domain names or URLs of treacherous websites. IP addresses and domain names used by the scammer can be blocked; however, many times phishers use hacked domain names (DN) and servers. So, blocking whole DNs or IP addresses can unintentionally block many legitimate websites which share the same IP addresses and DNs. Therefore, blacklisting URLs is comparatively more appropriate for a blacklist (Chaudhary, 2012).

    Compiling and distributing a blacklist is a multi-step process. First, a blacklist vendor enters into contracts with various data sources for suspicious phishing emails and URLs to be reviewed. These data sources may include emails that are gathered from spam traps or detected by spam filters, user reports (e.g. PhishTank or APWG), or verified phish compiled by other parties such as takedown vendors or financial institutions. Depending on the quality of these sources, additional verification steps may be needed. Verification often relies on human reviewers. The reviewers can be a dedicated team of experts or volunteers, as in the case of PhishTank. To further reduce false positives, multiple reviewers may need to agree on a phish before it is added to the blacklist. For example, PhishTank requires votes from four users in order to classify a URL in question as a phish (Cranor, Wardman, Warner, & Zhang, 2009).

    2.6.2 Heuristic Method

    Heuristic-based approaches check one or more characteristics of a website to detect phishing rather than looking in a list. Those characteristics can be the Uniform Resource Locator (URL), the Hypertext Markup Language (HTML) code, or the page content itself (Alkhozae & Batarfi, 2011). These characteristics are anomalies in the components of phishing websites. In fact, even the automatic verification of phishing websites used to maintain blacklists employs heuristic methods. Some of the heuristic methods are analyzed next.

    a) Visual similarity measures

    Phishing websites often imitate the look and feel of official websites with the same layouts, styles, key regions, rendering, blocks, and most of the contents. They use various non-text elements, such as images and flash objects, to display contents. Such mimics of an authentic website with only the minimal required changes are often difficult for Internet users to distinguish. Moreover, the use of non-text elements to display web contents makes it even harder for general content based anti-phishing techniques (Chaudhary, 2012).

    b) Use of search engines

    There are several search engines (e.g., Google, Bing, Yahoo!, Baidu) that maintain a crawl database and perform page ranking to display search results. The PageRank algorithm, formulated by Google founders Larry Page and Sergey Brin, uses factors such as the number of inbound links, the number of outbound links, and other damping factors. Moreover, there is a set of recommended guidelines from Google Webmaster to prevent removal of websites from the Google search engine index (Source: Google webmaster guidelines). Phishing websites have a short duration and have a low page rank in the search engines (Chaudhary, 2012).

    Google will display results for the search. Google Search will not rank the phishing websites due to the following nature of phishing websites:

    1) Their life span is very short. (The average uptime of phishing attacks dropped to a record low of 23 hours and 10 minutes in the first half of 2012 (APWG, 2012).)

    2) Google's top rankings require a site to have been accessible for a long time and to be genuine (Google, 2013).

    3) Phishing websites are either absent in the search results or possess a very low page rank (Chaudhary, 2012, p. 46).

    c) Anomalies in URL

    The anomalies found in the URL are as follows.

    Anomalies in URL and short description:

    Use of IP address in URLs: APWG reported that 1.19%, 1.4%, and 2.09% of the phishing websites had used URLs containing an IP address during the first quarter of 2012. An example of such a URL is http://184.173.179.200/~agarwal/rbc/. However, some genuine web applications, usually used in intranets, can also contain an IP address in the URL (APWG, 2012).

    URLs contain the brand, domain, or host name: In this form of phishing website URL, the target company's brand or domain or host name is included in the path segment of the URL. McGrath and Gupta found that 50%-75% of phishing website URLs contained the targeted brand or domain or host name (McGrath & Gupta, 2008). The report of APWG (APWG, 2012) found that 49.53%, 45.39%, and 55.42% of the phishing websites used URLs containing the targeted company's brand, domain, or host name. An example of such a URL is http://abc.com/paypal.html.

    URLs use http in place of https, i.e., abnormal SSL certificate: For SSL-enabled phishing sites, public key certificates are employed. In many phishing attacks, the Distinguished Names (DN) in their certificates are inconsistent with the claimed identities (Pan & Ding, 2006).

    URLs contain a misspelled or derived domain name: There are various tricks used by phishers to derive a domain name that looks similar to the genuine domain name but disobeys the URL naming conventions. Some of the techniques used to generate derived domain names for phishing websites are replacing the characters of the real domain name with similar looking elements (hexadecimal or integer digits), e.g. http://paypa1.com, where the character l is replaced by the number one, and introducing a hyphen (-) in the domain name (Chaudhary, 2012).

    URLs using long host names: There is no exact URL length limitation for either phishing or legitimate websites, but phishing URLs are usually longer than normal URLs. An example of such a URL is http://m.cgiebay.asmodeiproductions.com/6872289d0ce2ae531422edfcc5b1fdc0/8dfe2e5502027428ec505c6f138b9db7/?pagein=http://www.ebay.com/itm/200942010334?ru=http://www.ebay.com/sch/i.html?_from=R40&_sacat=0&_nkw=261164572330&_rdc=1. According to McGrath and Gupta, URL lengths peak at 67 for PhishTank and at 107 for MarkMonitor (McGrath & Gupta, 2008).

    Use of short URLs: Some phishing websites use URL shortening services, such as TinyURL, to shorten their URLs, which ultimately redirect to long URLs. An example of such a URL is http://prophor.com.ar/prophor/wells/alerts.php, which redirected to the URL http://specialneedssvg.org/wp/wpadmin/import/wellsfargo/wellsfargo/wellsfargo2011/indx.php (McGrath & Gupta, 2008).

    Use of the // characters in the URL path: When the URL path contains //, it is suspicious and there is a greater chance that it will redirect. An example of such a URL is http://bganketa.com/libraries/eBaiISAPI.dll.htm?https://signin.ebay.co.uk/ws/eBayISAPI.dll?SignIn (Gastellier-Prevost, Granadillo, & Laurent, 2011).

    URLs use an unknown or unrelated domain name: Sometimes phishers use a domain name that is either completely unknown or unrelated. An example of such a URL targeted at Facebook is http://www.ckku.com/includes/In.htm.

    URLs use multiple Top Level Domains (TLD) within the domain name: Some phishing website URLs use multiple TLDs within the domain name. Such URLs can be detected from the number of dots (.) used in the URL (Zhang, Hong, & Cranor, 2007). Example: http://paypal.com.bin.webscr.skin.a5s4d6a5sdas56d6554y65564y65564y4a56s4d56as4d65sad4.shoppingcarblumenau.com.br/

    URLs use a different port number: Some phishing websites use a port other than port 80 (Gastellier-Prevost, Granadillo, & Laurent, 2011). Example: http://27.251.96.35:8888.

    URLs with abnormal DNS record: Legitimate websites usually have a DNS record; however, phishing websites usually do not have one. In case they have one, most of the information remains empty. Example: http://27.251.96.35:8888, used for a PayPal phish (Zhang, Hong, & Cranor, 2007).

    Life of domain: In general, the life of phishing sites is not long. Even when they have a registered domain, it is usually a recently registered one. However, every day many recently registered legitimate websites are added to the Internet (APWG, 2012).

    Use of free web hosting: Free web hosting services are widely misused by phishers to host their phishing websites (McGrath & Gupta, 2008). An example of such a URL is http://arnodits.net/ysCntrlde/webscr_prim.php?YXJub2RpdHMubmV0NTAxNmNmYTVjMzY4NQ==MTM0MzY3MjIyOQ.

    URLs hosted by geographical location: The majority of phishing websites are hosted in the USA (APWG, 2012). This might be because the USA hosts the highest number of other websites as well.

    Use of the special character "@": The special character "@" is used to redirect the user to a website different from the one that appears in the address bar. An example of such a URL is http://www.amazon.com:...@69.10.142.34 (Zhang, Hong, & Cranor, 2007); here the browser goes to 69.10.142.34, because everything before the "@" is treated as user information rather than as the host.

    Use of sensitive words: Phishing URLs are found to contain several suggestive word tokens. For example the words login and signin are very often found in a phishing URL (Garera, Provos, Chew, & Rubin, 2007). They stated 8 words as "secure", "account", "webscr", "login", "ebayisapi", "signin", "banking" and "confirm".

    Table 1 Anomalies found in the URL

    However, these anomalies can be seen in real websites also. So, they are not a sure shot for phishing detection.
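    The Table 1 checks put into code: an added example written for this page (not the thesis's own extension code) in Node.js JavaScript. It parses a URL with the standard URL class, flags the anomalies from the table, and turns them into a weighted score so that a single anomaly, which the caveat above notes also occurs on real sites, does not by itself trigger a warning. The brand list, the character-unmasking map, the weights, the threshold of 4, the dot and length limits, and the sample URLs (including a TEST-NET address) are assumptions made for the demonstration.

```javascript
// Added example (not the thesis's code): scoring a URL against the URL
// anomaly heuristics of Table 1, as a browser extension could do before a
// page is rendered. Brand list, weights and thresholds are assumptions.

// Brands a phisher commonly impersonates (assumed list for the demo).
const BRANDS = ['paypal', 'ebay', 'amazon', 'wellsfargo', 'facebook'];
// The eight suggestive tokens from Garera et al. quoted in Table 1.
const SENSITIVE = ['secure', 'account', 'webscr', 'login',
                   'ebayisapi', 'signin', 'banking', 'confirm'];
// Second-level labels that sit under a two-letter country TLD (.com.br, .co.uk).
const SECOND_LEVEL = new Set(['com', 'co', 'org', 'net', 'gov', 'edu', 'ac']);
// Assumed weights: one anomaly alone is weak evidence (see the caveat after
// Table 1), so only a combination reaches THRESHOLD.
const WEIGHTS = {
  'ip-address-host': 3, 'at-sign-userinfo': 4, 'non-standard-port': 2,
  'embedded-url': 3, 'brand-in-path': 3, 'brand-in-subdomain': 4,
  'lookalike-domain': 4, 'many-dots': 2, 'long-url': 1, 'sensitive-words': 1,
};
const THRESHOLD = 4;
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Label most likely to be the registered name: "paypal" in www.paypal.com,
// "shoppingcarblumenau" in x.shoppingcarblumenau.com.br.
function registeredLabel(host) {
  const labels = host.split('.');
  if (labels.length < 2) return host;
  const tld = labels[labels.length - 1];
  const second = labels[labels.length - 2];
  if (labels.length >= 3 && tld.length === 2 && SECOND_LEVEL.has(second)) {
    return labels[labels.length - 3];
  }
  return second;
}

// Undo the substitutions from the "derived domain name" row (paypa1, pay-pal).
function unmask(label) {
  const map = { '1': 'l', '0': 'o', '5': 's', '3': 'e', '4': 'a', '7': 't' };
  return label.replace(/-/g, '').replace(/[105347]/g, (c) => map[c]);
}

// Returns the names of the Table 1 anomalies present in `raw`.
function urlAnomalies(raw) {
  const u = new URL(raw);
  const host = u.hostname.toLowerCase();
  const pathAndQuery = (u.pathname + u.search).toLowerCase();
  const isIp = IPV4.test(host);
  const found = [];

  if (isIp) found.push('ip-address-host');
  // "user:pass@" before the host: the browser connects to the part after '@'.
  if (u.username !== '' || u.password !== '') found.push('at-sign-userinfo');
  if (u.port !== '') found.push('non-standard-port');
  // "//" after the host usually means a second URL to redirect to.
  if (/https?:\/\/|\/\//.test(pathAndQuery)) found.push('embedded-url');
  if (BRANDS.some((b) => pathAndQuery.includes(b))) found.push('brand-in-path');
  if (!isIp) {
    const reg = registeredLabel(host);
    if (BRANDS.some((b) => host.includes(b) && reg !== b)) found.push('brand-in-subdomain');
    if (BRANDS.includes(unmask(reg)) && !BRANDS.includes(reg)) found.push('lookalike-domain');
    if (host.split('.').length - 1 >= 4) found.push('many-dots'); // assumed limit
  }
  if (raw.length > 75) found.push('long-url'); // assumed, near the 67/107 peaks
  if (SENSITIVE.some((w) => pathAndQuery.includes(w))) found.push('sensitive-words');
  return found;
}

// Sums the weights; below THRESHOLD the URL is treated as legitimate because
// single anomalies (an intranet IP, a "login" path) also occur on real sites.
function assessUrl(raw) {
  const anomalies = urlAnomalies(raw);
  const score = anomalies.reduce((sum, a) => sum + WEIGHTS[a], 0);
  return { anomalies, score, suspicious: score >= THRESHOLD };
}

// Constructed samples: Table 1 examples plus a TEST-NET (192.0.2.0/24) address.
const SAMPLES = [
  'https://www.paypal.com/signin',          // legitimate, one weak anomaly
  'http://paypa1.com/webscr/login',         // lookalike domain
  'http://www.amazon.com:80@192.0.2.10/',   // "@" trick, real host is the IP
  'http://184.173.179.200/~agarwal/rbc/',   // IP host only: stays below threshold
  'http://27.251.96.35:8888',               // IP host plus non-standard port
];
for (const s of SAMPLES) console.log(s, assessUrl(s));
```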

    d) Anomalies found in the source code of phishing websites

    According to Chaudhary, phishing websites are built in a hurry and in a cheap manner, so their contents may have flaws and anomalies in the source code too (Chaudhary, 2012). These are listed below:

    Abnormal anchor URLs: Genuine websites use anchors in links to provide navigational guidance. The URLs used in the anchors are usually from their own domain and sometimes from a different domain. However, in phishing sites such anchor URLs are mostly from a different domain. It has also been found that sometimes the anchors in phishing websites do not link to any page; for example, the anchor URL can be file:///E/ or #.

    Abnormal Server Form Handler (SFH): Security is one of the prime concerns for organizations that do online transactions. Such organizations require credentials for login, which are generally a username and password. Thus, their websites include an SFH. Legitimate websites always take action upon the submission of a form; however, phishing websites can instead contain about:blank or # as the handler. Moreover, legitimate sites' SFHs are handled by a server of the same domain, so whenever the form is handled by a foreign domain server, it makes the website suspicious.

    Similarly, many other anomalies, like abnormal request URLs, abnormal cookies, mismatched hyperlinks, use of authentic logos, illegal use of pop-ups, etc., are found in the source code of phishing websites.
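    The anchor and form-handler anomalies above, applied to a page's HTML: an added example in Node.js JavaScript, not from the thesis. The regular-expression attribute extraction, the 50% share of dead or off-domain anchors used as the cut-off, and the two constructed sample pages on reserved .example and .invalid names are assumptions.

```javascript
// Added example (not the thesis's code): flagging the two source-code
// anomalies described above, abnormal anchor URLs and an abnormal Server
// Form Handler, in the HTML of a page whose address is known.

// Collect the values of one attribute on one tag with a regular expression.
// Good enough for this demo; an extension would walk the DOM instead.
function attrValues(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*\\s${attr}\\s*=\\s*["']([^"']*)["']`, 'gi');
  const values = [];
  let m;
  while ((m = re.exec(html)) !== null) values.push(m[1].trim());
  return values;
}

// Anchor values that lead nowhere: "", "#", file: and javascript: links.
function isDeadLink(href) {
  const h = href.toLowerCase();
  return h === '' || h === '#' || h.startsWith('file:') || h.startsWith('javascript:');
}

// Hostname a value resolves to, relative links resolved against the page.
function hostOf(value, pageUrl) {
  try {
    return new URL(value, pageUrl).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable value: treated as not on the page's domain
  }
}

// Returns counts and the anomalies found. `maxForeignShare` is the assumed
// cut-off for the share of anchors that are dead or point off-domain;
// genuine sites link mostly within their own domain.
function sourceAnomalies(html, pageUrl, maxForeignShare = 0.5) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const anchors = attrValues(html, 'a', 'href');
  const dead = anchors.filter(isDeadLink).length;
  const foreign = anchors.filter(
    (h) => !isDeadLink(h) && hostOf(h, pageUrl) !== pageHost).length;

  // A form whose action is empty, "#" or about:blank submits nowhere; one
  // whose action resolves to another domain hands the credentials elsewhere.
  const badForms = attrValues(html, 'form', 'action').filter((a) => {
    const v = a.toLowerCase();
    if (v === '' || v === '#' || v === 'about:blank') return true;
    return hostOf(a, pageUrl) !== pageHost;
  });

  const anomalies = [];
  if (anchors.length > 0 && (dead + foreign) / anchors.length > maxForeignShare) {
    anomalies.push('abnormal-anchor-urls');
  }
  if (badForms.length > 0) anomalies.push('abnormal-form-handler');
  return { anchors: anchors.length, dead, foreign, badForms, anomalies };
}

// Constructed sample pages on reserved names (.example and .invalid never
// resolve), so nothing here refers to a real site.
const PHISH_URL = 'http://login-examplebank.invalid/index.html';
const PHISH_HTML = `
<html><body>
  <a href="https://www.examplebank.example/">Home</a>
  <a href="https://www.examplebank.example/help">Help</a>
  <a href="#">Accounts</a>
  <a href="file:///E/">Cards</a>
  <form method="post" action="http://collector.invalid/post.php">
    <input name="user"><input name="pass" type="password">
  </form>
</body></html>`;

const LEGIT_URL = 'https://www.examplebank.example/login';
const LEGIT_HTML = `
<html><body>
  <a href="/">Home</a>
  <a href="/accounts">Accounts</a>
  <a href="https://www.examplebank.example/help">Help</a>
  <a href="https://social.example/examplebank">Follow us</a>
  <form method="post" action="/login">
    <input name="user"><input name="pass" type="password">
  </form>
</body></html>`;

console.log('phish:', sourceAnomalies(PHISH_HTML, PHISH_URL));
console.log('legit:', sourceAnomalies(LEGIT_HTML, LEGIT_URL));
```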


    2.7 Anti Phishing Techniques in Web Browsers

    According to Statcounter.com, statistics of browser's users are shown in the figure

    below. In the figure, the map of the world is segmented according to the number of

    users using browsers in that country or region. The users using Google Chrome are

    shown in green color, Inter Explorer (IE) are shown in blue color, Mozilla Firefox are

    shown in orange color, Safari users are shown in light grey color and Opera users are

    shown in red color.

    Figure 10 World map according to the use of browsers. Source: (statcounter.com,

    2013)

  • 40

    Figure 11 Global statistics of browsers users. Source: (statcounter.com, 2013)

    Thus, the top five browsers with respect to the number of users are Google Chrome,

    Internet Explorer, Mozilla Firefox, Safari and Opera. (statcounter.com, 2013)

    Similarly the statistic of browser's user in Nepal is shown below:

    Figure 12 Statistics of percentage of browser user in Nepal Source: (statcounter.com,

    2013)

    From Figure 12, 5 most used browsers in Nepal in June, 2013 to August, 2013 are

    Chrome (53.9%), Firefox (32%), Internet Explorer (7.48%), Safari (2.81%) and Opera

    (2.05%). So, these 5 browsers are selected for the study purpose.

    Browsers have various options for protection against phishing. Some of the options
    are directly related to phishing, while others can also be used against phishing.
    These options are briefly described:

    a) Block pop-up windows: Online thieves use pop-up windows on legitimate websites
    to direct users to perform activities through which the phishers can fulfil their
    motives. Pop-up windows can be blocked when they are not required. (Hacker Factor
    Solutions, 2005)

    b) Enable JavaScript: JavaScript is used for phishing purposes. There are several
    flaws in JavaScript which would enable malicious web sites to install something bad
    on a user's computer or even probe the details of other computers on the user's
    private network. Many phishing attacks claim to be security warnings, alerting users
    to suspicious activity in their account or offering new security mechanisms using
    JavaScript. In addition, a traceable JavaScript function is used that allows phishers
    to check if a user is logged into certain websites (hence the name "in-session"
    given to this attack), and the code then generates a web-based pop-up claiming to be
    from that website. Disabling JavaScript when not required can be helpful against
    phishing.

    c) Protocols (Use SSL 3.0, Use TLS 1.0): Secure Sockets Layer (SSL) and Transport
    Layer Security (TLS) are cryptographic protocols and are helpful in the war against
    phishing. TLS and SSL encrypt the segments of network connections above the
    Transport Layer, using symmetric cryptography for privacy and a keyed message
    authentication code for message reliability. For example, Gmail and Hotmail use
    128-bit encryption and TLS 1.0, while Yahoo Mail uses 256-bit encryption and TLS 1.0.

    d) When a server requests my personal certificate (Select one automatically, Ask
    me every time): Setting "Ask me every time" can be safer against phishing.

    e) Warn me when sites try to install add-ons, Block reported attack sites, and
    Block reported web forgeries are three options made for phishing prevention.

    2.7.1 Google Chrome

    Google Chrome is a free, open-source web browser developed by Google. It was
    released in 2008, and has grown to be one of the most popular browsers today.
    When Google decided to make a browser, they wanted to completely rethink the
    browser, as browsing now is very different from browsing simple text pages. Now we
    email, shop, pay bills, and run large applications in our browsers
    (www.w3schools.com, 2013).

    Google discovers suspicious websites during its constant crawl and re-crawl of the
    web. Suspicious websites are websites that may look like a phishing website designed
    to steal personal information, or that may contain signs of potentially malicious
    activity that would install malware onto a user's PC without consent. Any website
    that looks like a phishing page is added to a list of suspected phishing websites. If
    a website is found that contains signs of potentially malicious activity, a virtual
    machine is started, the website is browsed in it, and its activity is watched. If
    malicious activity occurs, the website is added to a list of suspected malware
    infected websites. These blacklists maintained by Google are used by Google Chrome
    (Provos, McNamee, Mavrommatis, Wang, & Modadugu, 2007).

    All the options described above are also present in Google Chrome and have the same
    benefits as mentioned:

    1) Check for server certificate revocation
    2) Use SSL 3.0, Use TLS 1.0
    3) Allow all sites to run JavaScript
    4) Do not allow any sites to show pop-ups
    5) Enable phishing and malware protection (precisely for phishing)

    Steps to disable phishing and malware protection:

    1) Click the Chrome menu on the browser toolbar.
    2) Select Settings.
    3) Click Show advanced settings and find the "Privacy" section.
    4) Deselect the "Enable phishing and malware protection" checkbox.

    Here are the messages users may see when phishing and malware detection is
    enabled:

    Message                          What it means
    The Website Ahead Contains       This message appears if Google Chrome detects that the
    Malware!                         site you're trying to visit may have malware.
    Danger: Malware Ahead!           This message appears if Google Chrome detects that the
                                     web page you're trying to visit may have malware.
    Reported Phishing Website        This message appears if Google Chrome detects that the
    Ahead!                           site you're trying to visit is suspected of being a
                                     phishing site.

    Table 2 Messages seen after malware detection in Chrome

    Figure 13 Phishing detection in Google Chrome

    2.7.2 Mozilla Firefox

    Firefox contains built-in Phishing and Malware Protection to help keep users safe
    online. These features warn the user when a page they visit has been reported as a
    Web Forgery of a legitimate site (sometimes called a phishing page) or as an Attack
    Site designed to harm the user's computer (otherwise known as malware) (Firefox, 2013).

    Mozilla Firefox's phishing feature provides two modes of operation, local and third
    party mode. In local mode, it uses the inbuilt Phishing and Malware Protection that
    warns users when a visited page has been reported as a web forgery of a legitimate
    site or as an attack site designed to harm users' computers. These lists are
    automatically downloaded and updated every 30 minutes or so when the Phishing and
    Malware Protection features are enabled.

    There are two times when Firefox communicates with Mozilla's partners that manage
    the lists while using Phishing and Malware Protection. The first is during regular
    updates to the lists of reported phishing and malware sites; no information about
    the user or the sites visited is communicated during list updates. The second is
    when a reported phishing or malware site is encountered: before blocking the site,
    Firefox requests a double check to ensure that the reported site has not been
    removed from the lists since the last update. If a visited URL matches a URL in the
    list of known phishing sites, the browser blocks the website and displays a warning
    message to the user (Mozilla iSEC Partner, 2006).

    In this way the local mode provides the user with protection from phishing websites
    and is able to ensure the integrity of the user's browsing experience as well as the
    privacy of their browsing activity. The third party mode uses an online third party
    service (the default third party service used by the browser is Google) and allows
    the user to have an immediate check of a URL in real time. Users can test whether
    Phishing Protection is active by trying to visit the Firefox phishing test site
    (Firefox, 2013).

    Like Google Chrome, Mozilla Firefox also has many options for phishing prevention.

    1) Block pop-up windows (can be accessed by going to Main Menu => Options =>
    Content)
    2) Enable JavaScript
    3) Protocols (Use SSL 3.0, Use TLS 1.0)
    4) When a server requests my personal certificate (Select one automatically,
    Ask me every time): Setting "Ask me every time" can be safer against phishing.
    5) Warn me when sites try to install add-ons, Block reported attack sites, and
    Block reported web forgeries are three options made for phishing prevention.

    Figure 14 Anti phishing setting in Mozilla Firefox

    2.7.3 Internet Explorer

    Internet Explorer has a built-in anti-phishing feature using a phishing filter. The
    phishing filter in Internet Explorer, also called the SmartScreen filter, helps
    detect phishing websites.

    The phishing filter uses three methods to help protect users from phishing scams.
    First, it compares the addresses of websites the user visits against a list of sites
    reported to Microsoft as legitimate; this list is stored on the user's computer.
    Second, it helps analyze the sites the user visits to see if they have the
    characteristics common to a phishing website. Third, with the user's consent, the
    phishing filter sends some website addresses to Microsoft to be further checked
    against a frequently updated list of reported phishing websites.

    If the site the user is visiting is on the list of reported phishing websites,
    Internet Explorer will display a warning webpage and a notification on the address
    bar. From the warning webpage, the user can continue or close the page. If the
    website contains characteristics common to a phishing site but isn't on the list,
    Internet Explorer will only notify the user in the address bar that it might
    possibly be a phishing website.

    When users install and run Internet Explorer for the first time, it will prompt the
    user to enable the phishing filter. However, if users choose not to turn it on, they
    can enable the phishing filter as follows:

    Similar to the above two browsers, MS IE too contains options for phishing
    prevention:

    1) Trusted sites and restricted sites: These two options make it possible to list
    trusted and restricted websites respectively. Any website suspected to be phishing
    can be made a restricted website.
    2) Turn on pop-up blocker: Has a feature to list the websites on which pop-ups
    can be allowed.
    3) Active scripting: This is to enable and disable JavaScript.

    The options primarily for phishing, or that are part of the phishing prevention
    system of IE, are below:

    1) Report unsafe website: This option can be used to determine whether a website
    is unsafe or not. It sends a request to the Microsoft server, which checks its list
    to verify whether the website is phishing or legitimate.
    2) Check this website and Turn on SmartScreen filter:

    Figure 15 Enabling SmartScreen filter (IE 8)

    Figure 16 Phishing detection in IE 8 after using SmartScreen filter

    2.7.4 Opera

    With Opera, every webpage a user requests is subjected to phishing and malware
    filters. The security status of the page is displayed in a security badge in the
    address field. If a website is found on lists of known, suspicious sites, a warning
    page may be displayed before the page is shown. Users decide whether to visit the
    questionable website, to return safely to the browser home page, or to read
    additional information about the status of the page. If users open a phishing or
    malware page, it will be marked with a red warning badge (Opera, 2013).

    Opera offers more selectable options in particular sections of its preferences.
    These are explained below:

    1) Pop-ups: Users can handle pop-ups according to their own preference, as below.
    a) Open all pop-ups
    b) Open pop-ups in background
    c) Block unwanted pop-ups
    d) Block all pop-ups
    2) The "Enable JavaScript" check box also has a JavaScript options button, which
    pops up the JavaScript options below:
    a) Allow resizing of windows
    b) Allow moving of windows
    c) Allow raising of windows
    d) Allow lowering of windows
    e) Allow changing of status field
    f) Allow scripts to detect context menu events
    g) Allow scripts to hide address bar
    h) Open console for error
    i) User JavaScript folder path text box
    3) Enable plug-ins has an inner check box to enable plug-ins only on demand.
    4) Manage site preferences: This option allows users to add, edit and delete the
    websites to be allowed. The added websites can be customized for pop-ups, cookies,
    content, JavaScript, etc. This is like maintaining a white list from the user's
    side.

    5) Blocked content: This option allows users to add, edit and delete the websites
    to be blocked.

    The options primarily for the phishing prevention system are as follows:

    6) Enable "Fraud and Malware Protection"
    7) Manage Certificates: It provides options to import, export, view and delete
    personal certificates (client certificates) and authority certificates (from
    authorities like VeriSign, Go Daddy, Entrust, etc.). These certificates can be kept
    in the intermediate, approved and rejected groups.
    8) Security Protocols: The options for enabling security protocols, like Enable
    SSL3, Enable TLS1, etc.
    9) Trusted Websites: There is provision to add, delete and edit the trusted
    websites.

    Figure 17 Phishing detection in Opera browser.

    2.7.5 Safari

    Safari employs sandboxing techniques to isolate Web content and applications from
    other information on the system, and also includes malicious code blocking
    capabilities. As with the other browsers, Safari also relies on current reports
    about malicious and fraudulent websites to warn and protect its users. If a website
    contains malicious code intended to capture personal data or tamper with the user's
    computer, sandboxing provides a built-in blocker that restricts the code from doing
    harm (Tittel, 2011).

    Users' personal data is safer on Safari. That's because Safari protects users from
    cross-site scripting, phishing, and malware attacks that try to obtain users'
    personal data. So if users visit a site that might contain phishing or malware
    content, Safari alerts users and won't open the page. Safari also makes it easy to
    see when the user's connection to a website is encrypted (Safari, 2013).

    When users first launch Safari 3.2, it connects to safebrowsing.clients.google.com
    and requests information on the two main blacklists that Google maintains: a list of
    known phishing sites, and a list of known malware sites. Google returns the list of
    hashed URLs to the computer in chunks, starting with the freshest information first
    and gradually filling in older information. Once users find that folder, they will
    see two files within it: "cache.db" and "SafeBrowsing.db". The former is indeed
    Safari's cache. The latter file contains the blacklists from Google's Safe Browsing
    initiative; the user will notice that the file was most likely created right about
    the time they first launched Safari 3.2, and if the browser is open, the file should
    have been modified within the past 30 minutes (Macworld.com, 2008).
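    The list-based flow described for Firefox's local mode (section 2.7.2) and for Safari's Safe Browsing data above, as an added, simplified model that is not Mozilla's, Apple's or Google's code: the browser keeps a locally cached list of hashed URLs refreshed every 30 minutes, consults it for every URL without any network request, and on a hit re-confirms with the list server before blocking so that a site delisted since the last update is not blocked. The SHA-256 hashing, the canonicalisation rules, the fake clock and the placeholder URLs are assumptions.

```python
import hashlib
import time
from urllib.parse import urlsplit, urlunsplit

UPDATE_INTERVAL = 30 * 60  # seconds: the lists refresh "every 30 minutes or so"


def canonicalize(url):
    """Normalise a URL before hashing so trivial variants of a listed URL still
    match (assumed rules: lowercase scheme and host, default path '/', no fragment)."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), (p.hostname or "").lower(),
                       p.path or "/", p.query, ""))


def url_hash(url):
    """Only hashes are stored and exchanged, never the plain URLs."""
    return hashlib.sha256(canonicalize(url).encode()).hexdigest()


class ListServer:
    """Stand-in for the list provider (Mozilla's partners / Google): it holds
    the authoritative set of hashed phishing URLs and counts confirmations."""

    def __init__(self, bad_urls):
        self.hashes = {url_hash(u) for u in bad_urls}
        self.confirm_calls = 0

    def download(self):            # periodic list update; no user data involved
        return set(self.hashes)

    def confirm(self, h):          # the "double check" before a block
        self.confirm_calls += 1
        return h in self.hashes

    def delist(self, url):         # a cleaned-up or wrongly listed site is removed
        self.hashes.discard(url_hash(url))


class LocalChecker:
    """Browser side: a local copy of the list, refreshed on a timer, consulted
    for every URL; the server is contacted only to confirm a local hit."""

    def __init__(self, server, now=time.time):
        self.server, self.now = server, now
        self.local, self.last_update = set(), float("-inf")
        self.maybe_refresh()

    def maybe_refresh(self):
        if self.now() - self.last_update >= UPDATE_INTERVAL:
            self.local = self.server.download()
            self.last_update = self.now()

    def check(self, url):
        """Return (verdict, server_contacted). A URL absent from the local list is
        allowed with no network request (the privacy property noted above); a
        local hit is re-confirmed so a URL delisted since the update is not blocked."""
        self.maybe_refresh()
        h = url_hash(url)
        if h not in self.local:
            return ("allow", False)
        return ("block" if self.server.confirm(h) else "allow", True)


if __name__ == "__main__":
    clock = [1000.0]  # fake clock so the 30-minute refresh can be driven by hand
    srv = ListServer(["http://LOGIN-verify.example.net/update.php#top"])
    browser = LocalChecker(srv, now=lambda: clock[0])
    print(browser.check("http://login-verify.example.net/update.php"))  # ('block', True)
    print(browser.check("https://www.example.com/"))                    # ('allow', False)
    srv.delist("http://login-verify.example.net/update.php")
    print(browser.check("http://login-verify.example.net/update.php"))  # ('allow', True)
    clock[0] += UPDATE_INTERVAL                                          # next refresh drops it
    print(browser.check("http://login-verify.example.net/update.php"))  # ('allow', False)
```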

    Safari contains the following options for phishing prevention.

    1) Enable plug-ins: Check box for enabling plug-ins.
    2) Enable Java: This is for enabling Java.
    3) Enable JavaScript
    4) Block pop-up windows

    The options primarily for phishing, or that are part of the phishing prevention
    system of Safari, are as follows:

    1) Warn when visiting a fraudulent website (uses the Google Safe Browsing
    service).
    2) Ask before sending a non-secure form to a secure website.

    By default the anti-phishing system is on in Safari. It can be checked by going to
    Setting => Preference => Security.

    Figure 18 Checking enable or disable of anti-phishing in Safari browsers

    Figure 19 Phishing detection in Safari

    2.7.6 Summary of technology used by anti phishing systems in browsers

    Browsers            Detection Technology Used                    Remarks
    Google Chrome       Blacklist and heuristic on web crawl data    Safe Browsing API
    Internet Explorer   White list, blacklist and heuristic          SmartScreen filters
    Mozilla Firefox     Local mode: blacklist;                       Safe Browsing API
                        third party mode: Google
    Safari              Blacklist: Google; heuristic                 Safe Browsing API;
                                                                     third party cookie blocking
    Opera               Blacklist: PhishTank                         PhishTank; Netcraft

    Table 3 Technologies used by anti phishing system in browsers.

    2.8 Problems in Browsers' Inbuilt Phishing Prevention Systems

    The technical and non-technical issues are mentioned below:

    1) Warnings and pop-up messages are another problem, which can be irritating to the
    user. A further difficulty is that of warning the user (or taking other action when
    phishing is detected or suspected). Halting the browser connection (i.e. refusing to
    connect to the site) is usually unacceptable unless it is absolutely certain that the
    site is phishing (Dhamija, Tygar, & Hearst, 2006; Wu, Miller, & Garfinkel, 2006;
    Li & Helenius, 2007; Egelman, Cranor, & Hong, 2008).

    2) The above mentioned browsers use blacklist approaches in their default
    anti-phishing systems. The problems of the blacklist approach are false positives,
    false negatives, and list updates. Anti-phishing systems have to struggle to keep
    both the false positive and the false negative error rates low. False positives erode
    trust in the system and cause inconvenience and possible loss to websites that are
    erroneously classified as phishing. Similarly, false negatives can make the effort
    to protect against phishing futile. Furthermore, halting the browser connection to a
    website before it is confirmed to be phishing is unacceptable. Moreover, the
    blacklist approach attempts to inform clients of phishing sites either by pushing an
    updated list to the client or by having the client check with a server to request
    information on the URL it is visiting (Florencio & Herley, 2006; Cranor, Wardman,
    Warner, & Zhang, 2009). Both of these approaches are inconvenient because they
    cause definite latency and server overload respectively.

    3) There are many rules or heuristics that can appear promising when run on training
    data. They can even perform well enough to protect a small fraction of the overall
    population. However, their effectiveness is inversely related to their scale of
    deployment: the more people use them, the less effective they are (Islam &
    Abawajy, 2013).

    4) There is a white-list approach that is maintained by the user. This is used to
    reduce the traffic to the server and can only be used in conjunction with sites that
    have high security standards and do not host personal pages (Dhamija, Tygar, &
    Hearst, 2006; Odaro & Sanders, 2010).

    5) Secure Sockets Layer (SSL) is a protocol commonly used in validating the
    identity of a website and enabling the transmission of private information over the
    Internet. It makes use of cryptographic keys to encrypt the data being transmitted
    and to provide a signature used in identification. Browser SSL certificates are
    electronic documents that enable encryption on secure websites, and also contain
    information about the certificate holder. The use of these certificates (and the
    related well-known SSL lock icon) has traditionally been one way of providing
    identity information to the user, but studies have shown that many users have
    difficulty interpreting certificates or may not even be aware that they exist. There
    are many other options in the browser which users rarely use due to a lack of, or
    very little, knowledge about them.

    Finally, the biggest problem is getting users to alter their behavior. A study even
    showed that users tend to either ignore or fail to act on security warnings. This is
    the highest threat to several anti-phishing solutions (Odaro & Sanders, 2010).

    Figure 20 SSL lock icon in Gmail.

    2.9 Organizations Working against Phishing

    There are many organizations working against phishing. These organizations are
    resources for studying and tackling phishing. Some of the main organizations are as
    follows:

    2.9.1 APWG (Anti-Phishing Working Group)

    The APWG is a worldwide coalition unifying the global response to cybercrime across
    industry, government and law-enforcement sectors. APWG's membership of more than
    2000 institutions worldwide is as global as its outlook, with its directors,
    managers and research fellows advising: national governments; global governance
    bodies like ICANN; hemispheric and global trade groups; and multilateral treaty
    organizations such as the European Commission, the Council of Europe's Convention on
    Cybercrime, the United Nations Office on Drugs and Crime, the Organization for
    Security and Cooperation in Europe and the Organization of American States (APWG,
    2013).

    The websites of the APWG's public-service enterprises include its public website;
    the website of its public awareness program, the "STOP. THINK. CONNECT." messaging
    convention; and the APWG's research website. These serve as resources about the
    problem of phishing and electronic frauds perpetrated against personal computers and
    their users, and resources for countering these threats (APWG, 2013).

    The APWG collects, analyzes, and exchanges lists of verified credential collection
    sites, like those used in phishing (APWG, 2013).

    2.9.2 PhishTank

    PhishTank is an anti-phishing website. PhishTank was launched in October 2006 by
    entrepreneur David Ulevitch as an offshoot of OpenDNS. The company offers a
    community-based phish verification system where users submit suspected phishes and
    other users "vote" on whether it is a phish or not. PhishTank is used by Opera, WOT
    (Web of Trust), Yahoo! Mail, McAfee, APWG, CMU, Mozilla, Kaspersky, Firetrust,
    Officer Blue, FINRA, Message Level, SURBL <http://www.surbl.org/>, Site Truth, Avira,
    CSIRT and by PhishTank SiteChecker (Wikipedia, 2013).

    PhishTank data is provided gratis for download or for access via an API call, but
    only under an extremely limited, restrictive license. PhishTank SiteChecker is a tool
    available for the Mozilla Firefox browser to check the user's site against phishing.

    2.10 Phishing prevention as a social aspect

    The social aspects that are vital for phishing prevention mentioned in the American
    Bankers Association report are:

    1) Public Education on Phishing: Since phishing is a form of identity theft that
    differs substantially from other, physically based identity theft techniques, it is
    the responsibility of the government and the private sector towards the public to
    update them about the latest phishing techniques and methods to recognize them.

    2) Authentication: No doubt education about phishing is helpful in the fight against
    ph