
ABSTRACT

The outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is very important for companies to come up with new ways to solve phishing problems, because phishing can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.

INTRODUCTION
Phishing is the practice where criminals send out unsolicited commercial e-mails, masquerading as valid authorities by using logos and other formatting to resemble authentic e-mails sent by the company that they are attempting to impersonate.

Once the users receive such e-mails, the phishers attempt to lure them to web sites where personal information such as credit card numbers and social security numbers is requested, in an attempt to hack into the users’ accounts. The so-called “phishers” try to steal usernames and passwords for identity and banking theft.

Companies such as PayPal, eBay, Amazon, and most of the banks have been the biggest targets for phishing attacks.

LITERATURE REVIEW

The first phishing attempt occurred in January 1996. A hacker who was attempting to steal accounts from unsuspecting AOL members coined the term “phishing”.

Comparison to Spam
The purpose of a phishing message is to acquire sensitive
information about a user. In order to do so, the message needs to
deceive the intended recipient into believing it is from a
legitimate organization. As a form of deception, a phishing
message contains no useful information for the intended recipient
and thus falls under the category of spam. Although phishing is
categorized as spam, it also differs from spam. Amongst other
things, spam tries to sell a product or service, while a phishing
message needs to look like it is from a legitimate organization.
Due to the similarity between phishing and legitimate messages,
techniques that are applied to spam messages cannot be applied
naively to phishing messages. For example, text-based
classification can perform reasonably well in identifying spam, but
as a phishing message is forged to look like a message from a
legitimate organization, text-based classification applied naively
to a phishing message will have a high miss rate.
Anatomy of a phishing message

A raw phishing message can be split into two components: the content and the headers. These components are commonly accepted as being the major components of a message.

Content:
The content is the part of the message that the user sees and is
used by phishing message producers to deceive users. It can be
subdivided into two parts.

• The cover is the content which is made to look like a message from the legitimate organization, and usually informs the user of a problem with their account. Early phishing messages could be identified based only on their cover, due to imperfect grammar or spelling mistakes (which are uncommon in legitimate messages). Over time, the covers used in phishing messages have become more sophisticated, to the point where they even warn the users about protecting their password and avoiding fraud. An example of this can be seen in the figure below, where the phishing message tells the victim to “Protect Your Account Info” by making sure “you never provide your password to fraudulent websites”.
• The sting is the part of the content that directs the victim to take remedial actions. It usually takes the form of a clickable URL that directs the victim to a fake website to log into their account or enter other personal details. We call this the sting, as this is the part of the content that inflicts pain, by means of financial loss or other undesirable action after the victim enters their details on the website. Typically the sting is hidden by using HTML to display a legitimate-looking address instead of the address of the fake website. An example of this is shown in the figure above, where the address of the fake website is http://www.nutristore.com.au/r.htm and the corresponding displayed text is a legitimate-looking https://www2.paypal.com/cgi-bin/?cmd= login.

Headers
The headers are the part of the message which is primarily used
by the mail servers and the mail client to determine where the
message is going and how to unpack the message. Most users do
not see these headers, but in terms of determining if a message is
phishing or not, this part of the message can be quite useful.
Headers can be subdivided into three parts based on the entities
which add them to the message:

• Mail clients typically add headers such as “To:”, “From:”, “Subject:” and some client-specific headers. Examples of mail client headers are X-MSMail-Priority, X-Mailer, and X-MimeOLE, and they can be seen in the figure above. Phishing messages may try to fake a particular header and, in doing so, give away that the message is fake. For example, if the X-Mailer header indicates that an HTML message has been composed using MS Outlook but the message only contains HTML (without plaintext), this is an indication that the message is fake, as MS Outlook cannot send HTML-only messages.

• Mail relays will add headers along the path of the message. These are usually “Received” headers, which can be used to determine the originating IP of the message and the path taken by the message.

• Spam filters or virus scanners will usually add headers to the message to indicate the results of the tests run over the message. These headers can then be used by the receiving client to determine (based on a user-set threshold) what to do with the message.
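An added example, not from the paper, that applies the three header checks above to a constructed message: it walks the Received chain down to the originating IP, reads the spam-filter score, and flags the X-Mailer/HTML-only contradiction. The sample message, its hostnames and its addresses are all constructed.

```python
"""Header checks for a raw e-mail, following the page's three header groups."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample (not a real phishing e-mail). The X-Mailer header claims
# Outlook Express, yet the body is HTML-only; the page names that as a forgery sign.
SAMPLE_RAW = b"""Received: from mx.example-bank.test (mx.example-bank.test [198.51.100.7])
\tby mail.recipient.test with ESMTP id abc123; Mon, 01 Jan 2007 10:00:00 +0000
Received: from unknown (HELO smtp.example-bank.test) ([203.0.113.45])
\tby mx.example-bank.test with SMTP; Mon, 01 Jan 2007 09:59:58 +0000
From: "Example Bank" <security@example-bank.test>
To: victim@recipient.test
Subject: Protect Your Account Info
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-Spam-Score: 7.3
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

<html><body>Please <a href="http://203.0.113.45/r.htm">log in</a>.</body></html>
"""


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg: EmailMessage) -> List[str]:
    """IPs from the Received headers, top (nearest to us) to bottom (origin).
    Mail relays add these; only the ones added by relays we trust are reliable,
    since a sender can pre-insert fake Received lines below them."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(msg: EmailMessage) -> Optional[str]:
    """The bottom-most Received header is the earliest hop, i.e. the claimed origin."""
    chain = received_chain(msg)
    return chain[-1] if chain else None


def has_plaintext_part(msg: EmailMessage) -> bool:
    if msg.is_multipart():
        return any(p.get_content_type() == "text/plain" for p in msg.walk())
    return msg.get_content_type() == "text/plain"


def outlook_html_only(msg: EmailMessage) -> bool:
    """Outlook cannot send HTML-only mail, so 'X-Mailer: ...Outlook' together with
    no text/plain part contradicts itself: a sign the client header was forged."""
    mailer = msg.get("X-Mailer", "")
    return "outlook" in mailer.lower() and not has_plaintext_part(msg)


def spam_score(msg: EmailMessage) -> Optional[float]:
    """Header added by a spam filter along the path, if any."""
    value = msg.get("X-Spam-Score")
    return float(value) if value else None


def analyze(raw: bytes) -> Dict[str, object]:
    msg = parse(raw)
    return {
        "origin_ip": originating_ip(msg),
        "relay_chain": received_chain(msg),
        "forged_client_header": outlook_html_only(msg),
        "spam_score": spam_score(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```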

WHY PHISHING ATTACKS SUCCEED

Lack of Knowledge

• Lack of computer system knowledge: Many users lack the underlying knowledge of how operating systems, applications, e-mail and the web work, and how to distinguish among these. Phishing sites exploit this lack of knowledge in several ways. For example, some users do not understand the meaning or the syntax of domain names and cannot distinguish legitimate from fraudulent URLs (e.g., they may think www.ebay-members-security.com belongs to www.ebay.com). Another attack strategy forges the e-mail header; many users do not have the skills to distinguish forged from legitimate headers.

• Lack of knowledge of security and security indicators: Many users do not understand security indicators. For example, many users do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL. Even if they understand the meaning of that icon, users can be fooled by its placement within the body of a web page (this confusion is not helped by the fact that competing browsers use different icons and place them in different parts of their display). More generally, users may not be aware that padlock icons appear in the browser “chrome” (the interface constructed by the browser around a web page, e.g., toolbars, windows, address bar, status bar) only under specific conditions (i.e., when SSL is used), while icons in the content of the web page can be placed there arbitrarily by designers (or by phishers) to induce trust. Attackers can also exploit users’ lack of understanding of the verification process for SSL certificates. Most users do not know how to check SSL certificates in the browser or understand the information presented in a certificate. In one spoofing strategy, a rogue site displays a certificate authority's (CA) trust seal that links to a CA web page. This web page provides an English-language description and verification of the legitimate site’s certificate. Only the most informed and diligent users would know to check that the URL of the originating site and the legitimate site described by the CA match.

• Lack of knowledge of web fraud: Some users don’t know that spoofing websites is possible. Without awareness that phishing is possible, some users simply do not question website legitimacy.

• Erroneous security knowledge: Some users have misconceptions about which website features indicate security. For example, participants assumed that if websites contained professional-looking images, animations, and ads, the sites were legitimate (influenced by well-known trust indicators, discussed below). Similarly, dedicated login pages from banks were less trusted than those originating from a homepage; several participants mentioned a lack of images and links as a reason for their distrust.

Visual Deception

Phishers use visual deception tricks to mimic legitimate text, images and windows.
• Visually deceptive text: Users may be fooled by the syntax of a domain name in “type jacking” attacks, which substitute letters that may go unnoticed (e.g. www.paypai.com uses a lowercase “i” which looks similar to the letter “l”, and www.paypa1.com substitutes the number “1” for the letter “l”). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names.
• Images masking underlying text: One common technique used by phishers is to use an image of a legitimate hyperlink. The image itself serves as a hyperlink to a different, rogue site.
• Images mimicking windows: Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless he tries to move or resize the image.
• Windows masking underlying windows: A common phishing technique is to place an illegitimate browser window on top of, or next to, a legitimate window. If they have the same look and feel, users may mistakenly believe that both windows are from the same source, regardless of variations in address or security indicators. In the worst case, a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).
• Deceptive look and feel: If images and logos are copied perfectly, sometimes the only cues that are available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue to the user might be the type and quantity of requested personal information.

For user convenience, some legitimate organizations allow users to log in from non-SSL pages. Although the user data may be transmitted securely, there is no visual cue in the browser to indicate if SSL is used for form submissions. To “remedy” this, designers resort to placing a padlock icon in the page content, a tactic that phishers also exploit.
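An added example, not part of the paper, that checks hostnames for the type-jacking and brand-misplacement patterns described above (www.paypai.com, www.paypa1.com, www.ebay-members-security.com) and flags non-ASCII or punycode labels. The brand watch list and the confusable-character table are assumptions and deliberately small; the registrable-domain logic assumes a one-label public suffix such as .com.

```python
"""Flag look-alike hostnames of the kinds the page describes."""
import unicodedata
from typing import Dict, List

BRANDS = ("paypal", "ebay", "amazon")   # constructed watch list (assumption)

# Characters phishers substitute for look-alike letters: digits, a bar, and a
# few Cyrillic letters that render like Latin ones. Partial table, for illustration.
CONFUSABLES: Dict[str, str] = {
    "1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def skeleton(label: str) -> str:
    """Collapse confusable characters so 'paypa1' and 'paypai' both become 'paypal'."""
    label = unicodedata.normalize("NFKC", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character slips the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'ebay-members-security' for www.ebay-members-security.com.
    Simplification (assumption): a single-label public suffix; no public-suffix-list lookup."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def assess(host: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    labels = host.lower().split(".")
    if any(lab.startswith("xn--") or not lab.isascii() for lab in labels):
        findings.append("non-ASCII or IDN (punycode) label in hostname")
    sld = registrable_label(host)
    skel = skeleton(sld)
    for brand in BRANDS:
        if sld == brand:
            continue                      # the genuine registrable domain
        if skel == brand:
            findings.append(f"type-jacking of {brand}: confusable characters in '{sld}'")
        elif levenshtein(skel, brand) == 1:
            findings.append(f"look-alike of {brand}: one edit away from '{sld}'")
        elif brand in host.lower():
            # Brand name used as a subdomain or inside a longer label, as in
            # www.ebay-members-security.com, which is not under ebay.com at all.
            findings.append(f"brand '{brand}' appears outside the registrable domain ('{sld}')")
    return findings


if __name__ == "__main__":
    for h in ("www.paypal.com", "www.paypai.com", "www.paypa1.com",
              "www.ebay-members-security.com", "www.p\u0430ypal.com"):
        print(h, "->", assess(h) or ["no findings"])
```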

WHAT SHOULD BE DONE TO FIGHT PHISHING? (ANTI-PHISHING)

Phishing needs to be managed across the network and its components, such as servers, PCs, operating systems, browsers and other applications that run over a connection.

Considering the danger of both false negatives, where firewall packet inspection fails to identify a phishing site, and false positives, where firewall packet inspection wrongly rejects valid sites, it is important to minimize both risks.

Microsoft’s anti-phishing response team analyzes sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, sites that are concerned can be reconsidered and later removed from the list.

Another way of solving this problem is a technical one: a biometric check. Biometrics refers to technologies that analyze an individual’s physical and behavioral characteristics to automate identification or verification of the user.
To avoid the risk of being caught by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially ones that appear to come from banks.
• Do not use the links that are provided in e-mails; this can cause malicious software to be installed on your computer. Instead, contact the company over the phone to solve any problems.
• Do not give your credit card numbers or account information unless you are using a secure web site or the telephone. If you are using a web site, check the beginning of the web address in your browser’s address bar. A secure site should show up as https:// instead of just http://.
• Verify the real address of a web site. Cut and paste the following text into your browser address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/");
• Ensure that your browser and OS software are up to date and that the latest security patches are applied.

Possible ways of bypassing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as key strokes, the attacker can also create such hooks using JavaScript embedded in the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically, this is done by modifying the URL of an existing or hidden image to a web site that the attacker controls (e.g., if “a” has been pressed, an image URL may be set to http://attacker.com/key?a). Another possibility for the attacker could be to set a simple timer and to capture “snapshots” of the information in the forms. In this way, an important part of the information could be captured without the user ever hitting a submit button. The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately, this solution is not feasible because, as mentioned before, a large number of web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique, we ensure that the attacker is not able to create hooks or timers, or intercept browser events such as key presses, while the user is typing information into a text field. At the same time, we ensure that the legitimate JavaScript functionality on a page (e.g., input validation routines) is preserved. By the time the focus is lost from the text element and JavaScript is reactivated, AntiPhish has already determined if the information that was typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side effect of our approach is that legitimate event-based JavaScript functionality such as input validation based on key presses will not function. The use of key press events for input validation, however, is uncommon. Most web sites perform client-side input validation once before a form is submitted.
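An added illustration, not AntiPhish's own code, of the focus/blur logic described above, modelled in Python rather than as a Mozilla extension. The class and method names are assumptions, and keyed SHA-256 digests stand in for the DES-encrypted storage AntiPhish used; the sample domain and password are constructed.

```python
"""Model of the AntiPhish focus/blur check described in the text."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional


class AntiPhishModel:
    """JavaScript is switched off while a text field has focus and back on when
    focus is lost; each keystroke is compared against stored sensitive values,
    and a match typed on a domain other than the one the value belongs to
    cancels the operation before any submit can happen."""

    def __init__(self, key: Optional[bytes] = None):
        # AntiPhish stored its watch list DES-encrypted; a keyed SHA-256 digest
        # is used here instead (assumption), so only digests are kept.
        self.key = key or secrets.token_bytes(32)
        self.watch: Dict[str, str] = {}                  # digest(value) -> trusted domain
        self.js_enabled = True                           # may page scripts run right now?
        self.page_hooks: List[Callable[[str], None]] = []  # keystroke hooks page scripts installed
        self.events: List[str] = []

    def _digest(self, value: str) -> str:
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()

    def remember(self, domain: str, value: str) -> None:
        """Register a sensitive value together with the one domain it belongs to."""
        self.watch[self._digest(value)] = domain.lower()

    def page_script_add_hook(self, hook: Callable[[str], None]) -> bool:
        """A page script asks to observe keystrokes. While a text field has
        focus JavaScript is off, so the request is refused."""
        if not self.js_enabled:
            self.events.append("hook refused: JavaScript disabled during text entry")
            return False
        self.page_hooks.append(hook)
        return True

    def _fire_hooks(self, ch: str) -> None:
        # Hooks only run while JavaScript is on, which is never the case during
        # typing. This also silences legitimate key-press validators, the side
        # effect the text notes.
        if self.js_enabled:
            for hook in self.page_hooks:
                hook(ch)

    def type_into_text_field(self, domain: str, text: str,
                             page_script: Optional[Callable[["AntiPhishModel"], None]] = None) -> str:
        """Simulate focus -> keystrokes -> blur on a text field of `domain`.
        Returns 'allow' or 'cancel'."""
        self.js_enabled = False                          # focus gained: JavaScript off
        if page_script is not None:
            page_script(self)                            # whatever the page tries now is refused
        buffer = ""
        for ch in text:
            buffer += ch
            self._fire_hooks(ch)
            owner = self.watch.get(self._digest(buffer))
            if owner is not None and owner != domain.lower():
                self.events.append(f"cancel: value belonging to {owner} typed on {domain}")
                self.js_enabled = True                   # focus lost on cancel
                return "cancel"
        self.js_enabled = True                           # focus lost: JavaScript back on
        return "allow"


if __name__ == "__main__":
    model = AntiPhishModel()
    model.remember("www.paypal.com", "hunter2")          # constructed sample credential
    print(model.type_into_text_field("www.paypal.com", "hunter2"))   # allow
    print(model.type_into_text_field("www.paypai.com", "hunter2"))   # cancel
    print(model.events)
```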
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e., plug-in). Mozilla browser extensions are written using the Mozilla XML User-Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero’s JavaScript DES implementation for safely storing the sensitive information.

ANALYSIS OF A PHISHING DATABASE

The Anti-Phishing Working Group maintains a “Phishing Archive” describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception, and lack of attention. To aid readers who are unfamiliar with the topic, the following security terms and definitions are provided.

Security Terms and Definitions
Certificate (digital certificate, public key certificate):
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own self-signed certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA):
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process.
HTTPS:
Web browsers use "HTTPS", rather than "HTTP", as a prefix to the URL to indicate that HTTP is sent over SSL/TLS.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS):
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.


Cryptography
Cryptography is a method of storing and transmitting data in a
form that only those it is intended for can read and process. It is a
science of protecting information by encoding it into an
unreadable format. Cryptography is an effective way of protecting
sensitive information as it is stored on media or transmitted
through network communication paths.
Although the ultimate goal of cryptography, and the mechanisms
that make it up, is to hide information from unauthorized
individuals, most algorithms can be broken and the information
can be revealed if the attacker has enough time, desire, and
resources. So a more realistic goal of cryptography is to make
obtaining the information too work-intensive to be worth it to the
attacker.

Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy: there are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as the user's name, and information about the organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as the public key and the other as the private key. The certification authority—generally on your campus—creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization’s ID office filling out an ID card for the user and then signing it to make it official.
The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates, or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital certificate:
The Requesting Party
The party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party
The party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties)
Parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner

Public Key Certificates

The combination of standards, protocols, and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one’s computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time.
For example, publishers, as service providers, will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage, and revoke digital certificates; organizations called relying parties who use the certificates as indicators of authentication; and clients who request, manage, and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority that is available for higher education institutions.

Types of Certificates
There are different types of certificates, each with different functions and this can
be confusing. It helps to differentiate between at least four types of certificates.
You can see samples of some of these different types of certificates in your
browser.
• Root or authority certificates
These are certificates that create the base (or root) of a certification authority
hierarchy, such as Thawte or CREN. These certificates are not signed by another
CA—they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates
These certificates are also called campus certificates. These certificates are signed
by a third party verifying the authenticity of a campus certification authority.
Campuses then use their “authority” to issue client certificates for faculty, staff,
and students.
• Client certificates
These are also known as end-entity certificates, identity certificates, or personal
certificates. The Issuer is typically the campus CA.
• Web server certificates
These certificates are used to secure communications to and from Web servers, for
example when you buy something on the Web. They are called server-side
certificates. The Subject name in a server certificate is the DNS name of the server.

The CREN Digital Certificate Services

CREN currently offers an expanded set of certificate authority services to higher education institutions.
• CREN-signed campus certificates for institutions
These CREN-signed certificates are for institutions issuing certificates for their campus community—in the range of 10 or more Web server certificates and for more than 500-1000 client certificates.
• CREN Web server certificates
These certificates are for campuses to use for securing Web servers, supporting a range of campus Web applications.
• Client certificates
CREN has an internal CREN.NET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals and CREN issues the certificates.

With these three levels of service — including the free test certificates — CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today’s business, because hackers need to be kept out of companies’ databases. Today’s education is not enough, since phishers are getting better each day and coming up with newer tricks to catch innocent customers.
The real problem of phishing is that login systems are very weak, and thus they need to be tighter when it comes to user authentication. Companies could increase their cryptographic protection by using more IPSec VPNs and digital certificates. With IPSec VPNs, customers will need to obtain digital certificates from a certificate authority, as will the merchant. Recently, while doing this research, we came across an article from PayPal in which they are convincing e-mail providers to block messages that lack digital signatures.
The reason for this is that PayPal is known as one of the most highly spoofed brands that fraudsters use today. This is a very good idea and a good way to keep hackers out of PayPal databases. In fact, not only PayPal but every company that conducts business online should come up with a similar strategy. Using strategies like this will help customers gain confidence in doing business and dealing with money issues online. In addition, well-known companies should increase user awareness through education and training, and work with the FBI to track down phishers.

CONCLUSION
In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because phishing can become a major loss to well-known companies.
It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals.
Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
