Phishing is a deceptive way of extracting sensitive information from individuals and from corporate organizations. It is a fraudulent means of obtaining vital information such as credit card numbers, login passwords and other confidential data through disguise: fraudsters pose as trusted institutions, professionals or even security staff to get the information they want from their victims. Phishing is usually carried out through hoax emails or instant messages sent directly to users to lure them into entering their personal information on fake websites that look like the real ones.
A Little More on What is Phishing
Phishing in any of its forms is a cybercrime, and both legislative and technological measures have been devised to combat it. Attackers cloak their identities, send malicious links, and forge sender addresses and web pages to reach their target audience. Access to users' accounts results in identity theft, financial loss and loss of data integrity. These cybercriminals do not only use emails or text messages; they also use voice phishing (vishing), SMS phishing (smishing) and several other techniques.
The first legal action against phishing was a lawsuit filed against a Californian teenager in 2004. The lawsuit was filed because the teenager imitated a website belonging to America Online. Through counterfeit emails and messages, the teenager extracted sensitive information such as passwords and credit card details from users.
Phishing messages share a number of attributes; the most common features are:
- They are attractive: phishers use appealing and captivating statements to lure victims into their traps, such as prize claims, extremely low prices or lottery winnings.
- Imitations that look genuine: this feature is found in almost all forms of phishing.
- A sense of urgency: the message compels victims to act fast, leaving no room for second thoughts.
- Hyperlinks that redirect users to cloned websites.
- Professional-looking distribution and content of the emails and text messages.
Spear phishing, whale phishing, evil twin phishing, clone phishing, filter evasion and website forgery are forms of phishing that have been discussed earlier. Other types of phishing not expressly discussed are SMS phishing (smishing), voice phishing (vishing) and pharming.
As the name implies, SMS phishing uses text messages sent to users' devices to deceive unsuspecting victims. Voice phishing uses telephony, whether VoIP (voice over IP) or POTS (plain old telephone service), to defraud victims. Pharming relies on DNS cache poisoning, so that a correctly typed domain name resolves to the attacker's server rather than the legitimate one.
Although the origin of the term "phishing" is vague, the concept can be traced to the 1990s and the experience of America Online. "Phishing" is a homophone of "fishing": just as bait is used to lure fish to the net, phishers deploy similar lures against people.
A large number of people have fallen victim to phishing; many have been lured into exposing sensitive information such as passwords and card PINs without suspecting any foul play. Phishing is a type of social engineering technique used for fraudulent purposes: the fraudsters pose as legitimate parties and, having gained the victim's trust, trick them into releasing security information.
The worldwide cost of phishing has been estimated at around 5 billion US dollars. In response, several measures, including sensitization, public awareness campaigns, and technical and legislative countermeasures, have been put in place to tackle this crime.
There are different types of phishing, and spear phishing is one of the most prominent. This type of phishing is target-focused: it is directed at specific individuals or companies. Attackers who use spear phishing gather information on the individual or company before selecting them as a target. Once relevant information has been gathered on potential victims, they also weigh the chance of success before launching the attack.
Fancy Bear, also tracked as Threat Group-4127, targeted email accounts linked to Hillary Clinton's 2016 presidential campaign using spear phishing. Findings also reveal that more than 1,800 Google accounts were attacked using this method.
Another popular type of phishing is clone phishing, an attack that focuses on creating cloned emails from legitimate emails that have previously been delivered. By crafting counterfeit emails that look like real ones from the original senders, attackers gain the trust of unsuspecting victims and obtain their passwords and other essential information. Once that trust is established with the recipients, phishing becomes much easier. Clone phishing therefore entails forgery: producing a copy of a previously delivered email in such a way that it is difficult for recipients to tell the clone from the original.
Whaling in the ordinary sense means going after big targets. As a term for a class of spear phishing attacks, whaling means phishing targeted at high-profile individuals or senior employees of corporate organizations. This type of phishing is specific and goal-oriented; its targets are senior executives or reputable individuals. A whaling attack can take the form of a customer complaint, a subpoena or a purported executive statement in order to reach its target.
Since phishing attackers use technical means to trick their victims, the role of technical deception in phishing cannot be overemphasized. Attackers use link manipulation, cloned emails and other tricks to get information from victims. A popular example of this technical strategy is the intentional misspelling of URLs, or the use of subdomains that make an attacker-controlled domain look like a real one (for example, placing the real brand's domain name as a subdomain in front of a domain the attacker owns).
Another trick is link text that literally shows a genuine destination while the underlying link points elsewhere. Through this general manipulation of links and web addresses, attackers can catch their prey. Phishers also register web addresses that resemble legitimate ones but, when clicked, direct users to malicious destinations.
Anti-phishing filters are designed to block counterfeit text and addresses: they scan messages for the words, phrases and link patterns commonly used in phishing emails. Because these filters scan text, phishers have drifted towards using images in place of text, which text-based filters have great difficulty detecting. In reaction to this, anti-phishing filters now extract the text hidden in images using OCR (optical character recognition).
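The link-manipulation and image-only tricks described above can be checked mechanically. The following is an added example, not code from the original page: a standard-library-only checker that parses an HTML email body and flags anchor text naming one host while the href points at another, a protected brand's domain appearing as a subdomain of some other domain, registrable domains within a couple of edits of a protected brand (typosquats), and bodies that carry almost no text but an image. The protected-domain list, the sample messages and the thresholds are constructed for illustration; a production checker would use the Public Suffix List rather than the crude "last two labels" domain rule used here.

```python
"""Flag link-manipulation and image-only tricks in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands an attacker would want to impersonate (constructed list for the example).
PROTECTED_DOMAINS = ("paypal.com", "bankofexample.com")

# Something that looks like a host name inside visible link text, e.g. "https://www.paypal.com/verify".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for the sample; use the Public Suffix List in practice."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, counts images and visible characters."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_chars = [], 0, 0
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._buf = attrs.get("href", ""), []
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def analyze_email(html: str) -> list:
    """Return a list of human-readable findings; an empty list means no tell was found."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable_domain(host)
        # 1. The visible text names a different site than the real destination.
        shown = HOST_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != dom:
            findings.append(f"link text names {shown.group(1)} but the link goes to {host}")
        for brand in PROTECTED_DOMAINS:
            if dom == brand:
                continue  # genuinely on the brand's own domain
            # 2. Brand domain used as a subdomain of an attacker-owned domain.
            if f".{brand}." in f".{host}.":
                findings.append(f"{brand} used as a subdomain of {dom}")
            # 3. Registrable domain is a near-miss of the brand (typosquat).
            elif edit_distance(dom, brand) <= 2:
                findings.append(f"{dom} looks like a typosquat of {brand}")
    # 4. Almost no text but an image: the pattern used to evade text-based filters.
    if parser.images and parser.text_chars < 40:
        findings.append("body has almost no text but contains an image (filter-evasion pattern)")
    return findings


# Constructed sample messages, not real phishing mail.
SAMPLE_EMAIL = """<html><body>
<p>Your account has been limited. Verify within 24 hours:</p>
<a href="http://paypal.com.example-login.net/verify">https://www.paypal.com/verify</a>
<p>or use our <a href="https://paypa1.com/secure">secure portal</a>.</p>
</body></html>"""
IMAGE_ONLY_EMAIL = '<html><body><img src="cid:offer.png"></body></html>'

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_EMAIL), ("image-only", IMAGE_ONLY_EMAIL)):
        print(name, analyze_email(body))
```

Running the script prints three findings for the first message (mismatched link text, brand used as a subdomain, and a typosquat) and one for the image-only message; a link whose text and href both point at the brand's own domain produces none.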
Phishers also study legitimate websites for weaknesses they can turn into convincing fakes, as in the case of the cross-site scripting flaw in PayPal's site exploited in 2006. Website forgery, especially through cross-site scripting on the genuine site, poses a serious problem, as users readily fall prey to these pages and expose their security information.
Another technique attackers use to reach their targets is covert redirect: a link that genuinely points at a legitimate site but silently forwards the user to the attacker's site. It relies on security flaws in the legitimate site's own domain; open redirect and XSS vulnerabilities in the website can both be used. Attackers also use malicious browser extensions to redirect users to phishing sites.
Ordinary phishing can often be spotted because the malicious page's URL differs from the legitimate site's address. Covert redirect removes that tell, since the link the victim sees really does belong to the trusted domain, and the attacker uses it to extract information from unsuspecting users of the site.
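The open-redirect flaw that covert redirect depends on is easiest to see as code. What follows is an added example, not code from the page or from any real site: a post-login redirect handler for a fictional bank.example site that takes a `next` query parameter. The naive version forwards whatever it is given, so a link such as `https://bank.example/login?next=https://attacker.example/phish` shows the bank's own domain yet lands on the attacker's page. The hardened version resolves the parameter against the site's origin and accepts it only if the result stays on the site, which also defeats the usual bypasses (protocol-relative `//host`, backslashes, `user@host` credentials, and look-alike hosts such as `bank.example.attacker.example`). The site origin and the sample links are assumptions made for the example.

```python
"""Open redirect (the flaw behind covert redirect) beside a hardened version (added example)."""
from urllib.parse import parse_qs, urljoin, urlparse

SITE_ORIGIN = "https://bank.example"  # fictional site used for the example


def naive_redirect_target(next_param: str) -> str:
    """Vulnerable: trusts the ?next= value outright, so any host can be the destination."""
    return next_param


def safe_redirect_target(next_param: str, fallback: str = "/") -> str:
    """Accept the ?next= value only if it resolves to a URL on our own origin.

    Resolving against the origin turns relative paths into full URLs and exposes
    tricks such as "//attacker.example" or "/\\attacker.example", which browsers
    would treat as a new host. Anything whose scheme or host differs from ours
    is replaced by the fallback path.
    """
    if not next_param:
        return fallback
    # Browsers treat backslashes as slashes when parsing URLs; normalise first so
    # "/\attacker.example" is seen as the protocol-relative URL it really is.
    candidate = next_param.replace("\\", "/")
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    target, site = urlparse(resolved), urlparse(SITE_ORIGIN)
    if target.scheme != site.scheme or target.netloc.lower() != site.netloc.lower():
        return fallback
    return resolved


def redirect_after_login(login_url: str, safe: bool = True) -> str:
    """Where the handler would send the browser after sign-in for a given login link."""
    next_param = parse_qs(urlparse(login_url).query).get("next", [""])[0]
    return safe_redirect_target(next_param) if safe else naive_redirect_target(next_param)


# Constructed links an attacker might send; every one shows the bank's real domain.
ATTACK_LINKS = (
    "https://bank.example/login?next=https://attacker.example/phish",
    "https://bank.example/login?next=//attacker.example/phish",
    "https://bank.example/login?next=https://bank.example.attacker.example/",
    "https://bank.example/login?next=https://bank.example@attacker.example/",
    "https://bank.example/login?next=/\\attacker.example",
)

if __name__ == "__main__":
    for link in ATTACK_LINKS + ("https://bank.example/login?next=/dashboard",):
        print(f"{link}\n  naive -> {redirect_after_login(link, safe=False)}\n  safe  -> {redirect_after_login(link)}")
```

The key design choice is an allow decision (same scheme and host after resolution) rather than a deny list of bad prefixes; deny lists are what the bypass variants above are built to slip past. If an application must redirect to other domains, it should map a short token to a fixed list of approved URLs rather than accept a URL from the request.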
Aside from the common techniques listed above, there are other, less prominent techniques. One example is opening a popup window that requests the customer's credentials on top of the bank's legitimate website, so that the request appears to come from the bank itself.
Tabnabbing, in which phishers take advantage of the multiple tabs a user has open in a browser window by quietly changing the content of an unattended tab, is another technique. Creating a fake wireless network that mimics a genuine one is yet another; this is called the evil twin technique, and such fake networks are typically set up in public places.
References for Phishing
Academic Research on Phishing
• Why phishing works, Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April). In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 581-590). ACM. Before phishing can be tackled at its roots, designers need to know why it works. This paper presents an analysis of phishing attacks that shows how attackers' strategies work on their victims. The empirical study tested the ability of 22 participants to distinguish legitimate websites from fraudulent ones across 20 different sites. It found that many participants are fooled by visual deception and ignore the cues that indicate whether a website is legitimate: 23% of participants did not look at browser-based cues such as the address bar, status bar and security indicators, which led to incorrect choices 40% of the time. The paper thus documents the strategies phishers rely on to defraud people.
• Social phishing, Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2007). Communications of the ACM, 50(10), 94-100. This paper discusses social phishing and why it is such an effective strategy for luring victims. Social phishing exploits information harvested from social networks so that a message appears to come from a friend or acquaintance, leading recipients to believe the sender has their interests in mind. In the authors' experiment, such messages tricked far more recipients into revealing credentials than messages from an unknown sender.
• Do security toolbars actually prevent phishing attacks?, Wu, M., Miller, R. C., & Garfinkel, S. L. (2006, April). In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 601-610). ACM. This paper examines the role security toolbars play in safeguarding users from phishing attacks through a user study of three popular security toolbars. The study finds that the toolbars were ineffective at preventing phishing attacks and that browser security indicators in general did little to help users detect them. Even when a toolbar did detect foul play and alerted the user, many users failed to look at the warning, and some dismissed it, which suggests that many users do not understand how phishing attacks work.
• The state of phishing attacks, Hong, J. (2012). Communications of the ACM, 55(1), 74-81. This paper surveys the state of phishing attacks, the strategies used and their effect on individuals and corporate organizations. It looks at the systems and countermeasures in use and at how phishers take advantage of them. A good understanding of the state of phishing is crucial to developing effective measures to mitigate it.
• Decision strategies and susceptibility to phishing, Downs, J. S., Holbrook, M. B., & Cranor, L. F. (2006, July). In Proceedings of the Second Symposium on Usable Privacy and Security (pp. 79-90). ACM. It is no longer news that phishers devise clever strategies to attack people; this paper studies the decision strategies of users and why they are susceptible to those strategies. Interviews with 20 non-expert computer users reveal that users' decisions are linked to their awareness and their ability to identify suspicious emails: when people are aware of a particular risk, they are more likely to manage it well. The study also examines the strategies people use to identify and evade phishing attacks.
• An empirical analysis of phishing blacklists, Sheng, S., Wardman, B., Warner, G., Cranor, L., Hong, J., & Zhang, C. (2009, July). In Sixth Conference on Email and Anti-Spam (CEAS). This paper presents an empirical study of phishing blacklists and how well they protect users from phish. The analysis tested eight major anti-phishing toolbars against 191 fresh phish. It finds that at hour zero most blacklists caught less than 20% of the phish, which shows how ineffective blacklists are at protecting users during the first hours of a campaign, when most victims are hit. The paper discusses why anti-phishing tools need improvement and how they can become more effective.
• A framework for detection and measurement of phishing attacks, Garera, S., Provos, N., Chew, M., & Rubin, A. D. (2007, November). In Proceedings of the 2007 ACM Workshop on Recurring Malcode (pp. 1-8). ACM. If phishing is to be combated effectively, a sound detection framework is needed. This paper presents a framework that detects phishing using features of the URL itself (its structure, the obfuscation techniques it uses and reputation data about the host) with a statistical classifier, without needing to fetch the page, and then uses the classifier to measure the volume of phishing attacks over time.
• Phishing for user security awareness, Dodge Jr, R. C., Carver, C., & Ferguson, A. J. (2007). Computers & Security, 26(1), 73-80. Combating phishing requires a level of security awareness and education among users, but education is only effective if users take it in. This study measures the effect of security awareness training by sending unannounced test phishing emails to users (cadets at the United States Military Academy) and recording how they respond, so that susceptibility can be tracked over time and training adjusted accordingly.
• Large-scale automatic classification of phishing pages, Whittaker, C., Ryner, B., & Nazif, M. (2010, February). In NDSS (Vol. 10, p. 2010). This paper discusses how phishing sites are detected using automatic classification of pages. Internet users lose a fortune every year to counterfeit websites designed by phishers. The paper examines a scalable machine-learning classifier that separates phishing pages from legitimate ones by analysing both the URL and the content of a page, and evaluates how accurately the classifier does so.
• Anomaly based web phishing page detection, Pan, Y., & Ding, X. (2006, December). In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC) (pp. 381-392). IEEE. Many anti-phishing schemes have been designed to wage war against phishing, but despite their number, phishing has not been fully mitigated; as new anti-phishing schemes are devised, attackers devise newer strategies. This paper presents an approach that examines anomalies in a web page's structure and in the identity it claims. The approach is independent of any particular form of phishing and proves somewhat more effective than other anti-phishing methods.
• Detection of phishing webpages based on visual similarity, Wenyin, L., Huang, G., Xiaoyue, L., Min, Z., & Deng, X. (2005, May). In Special Interest Tracks and Posters of the 14th International Conference on World Wide Web (pp. 1060-1061). ACM. Phishing web pages are designed to resemble legitimate ones, but they can still be told apart. This paper proposes visual similarity as a strategy for detecting phishing web pages: with it, owners of legitimate pages can track down counterfeit pages that resemble the original. Experiments show that the visual-similarity approach can detect phishing web pages effectively.
• Phishing email detection based on structural properties, Chandrasekaran, M., Narayanan, K., & Upadhyaya, S. (2006, June). In NYS Cyber Security Conference (Vol. 3). This paper examines how phishing emails can be detected from their structural properties. Phishing emails are often constructed to look like genuine ones, so many people find it difficult to distinguish them. The study discusses techniques that individuals or organizations can use to detect phishing emails on the basis of those structural properties.