Phishing and Its Effect Against Business Networks
Mohd Khairul Amin bin Mohd Zaki
Universiti Sains Malaysia
Abstract
Phishing, an increasingly common form of online theft, is the act of tricking computer
users into handing over control of their online accounts using, typically, a
combination of a forged email and website. Phishing is done by spamming out
authentic-looking emails that claim to come from a well-known financial or e-commerce institution such as Citibank, PayPal, eBay or America Online. These
emails contain different messages, but usually follow the same formula: the recipient
is asked to click on a link contained within the message, taking them to what appears
to be a legitimate website. In fact, the website is a clever forgery, often virtually
indistinguishable from the real thing. Phishing methods and tricks are described and
ways of protecting computers and networks from phishing attacks are discussed.
1. Introduction
Phishing represents one aspect of the increasingly complex and converging security
threats facing businesses today. The methods used by spammers have become
more sophisticated, and spam is now increasingly combined with malware and used
as a tool for online fraud or theft, or to propagate malicious code. So phishing can be
considered a combined threat, part of a fast-changing and increasingly complex
threat environment facing networks, which can encompass spam and various kinds
of malware. Although consumers are the main targets of phishers, a phishing attack
can damage the reputation and credibility of the affected business, putting brand
equity at risk and leading to significant costs. Smaller businesses, meanwhile, may
be more directly at risk of falling victim to email fraud, particularly where the
corporate accounts are controlled by one or two people who may not have a great
deal of technical knowledge. While this is less likely with larger organizations, it is
clearly preferable for employees to be protected from fraud attempts arriving in their
inboxes via the corporate network. It is therefore important that businesses use an
integrated, robust solution to defend their email gateway from spam such as phishing
attacks and the many other varieties of email-borne security threat.
Based on my searches of websites and other resources, there has been a surge in the number of reported phishing attacks. The Anti-Phishing Working Group tracked over 3,326 unique phishing sites in May 2005, with that number rising by an average of 28% per month since July 2004. According to a survey released by the research group Gartner in June 2005, over 2.42 million US adults reported losing money in phishing attacks, amounting to nearly $929 million in the past year [4]. Another report, in October 2004 by the research group IDC, cited phishing as one of the fastest growing non-violent crimes.
For a real case in Malaysia, I found that Public Bank is one of the internet banking services being targeted by phishers. From 24th March 2010 to 22nd April 2010, according to what I have searched through MyCERT, 55 phishing sites targeting clients of Public Bank were handled by MyCERT. They have also observed that the phishers are using Bahasa Malaysia for both phishing emails and domain names. The reason why the phishers target Public Bank may be a lack of security in its internet banking and the lack of user knowledge about phishing. The phishers targeting Public Bank users only used email as their tool to fool users into believing that the email was sent from Public Bank itself. The following picture shows the list of Public Bank phishing sites obtained from MyCERT.
Below is an example of how phishing is done using an email:
2. Phishing techniques
There are many kinds of phishing technique that can be used to lure victims into giving their confidential information to the attacker.
Man-in-the-Middle Attack
Here, the attacker creates a fake website and draws users' attention to it. Normally, the attacker tricks users by disguising their identity so that the message appears to come from a trusted source. Once this succeeds, users do not realize that, instead of reaching the intended website, they have actually gone to the fraudster's website. The information keyed in during that session is captured, and the fraudsters can make their own transactions at the same time.
“Dragnet”
The dragnet method involves spammed emails, bearing falsified corporate identification (e.g., trademarks, logos and corporate names), that are addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site) and direct them to websites or pop-up windows with similarly falsified identification. Dragnet phishers do not identify specific prospective victims in advance. They rely only on the false information in the email to trigger an immediate response: victims click on links in the body of the email and are taken to websites or pop-up windows where they are asked to enter bank or credit-card account data or other personal data.
“Rod-and-Reel”
In the rod-and-reel method, the phisher identifies initial contacts with prospective victims in advance. They then send emails that direct recipients to disclose specific confidential information, defined in advance, with false information conveyed to trigger the responses.
“Lobsterpot”
This technique relies on spoofed websites. It consists of creating spoofed websites, similar to legitimate corporate ones, that a narrowly defined class of victims is likely to seek out. In lobsterpot phishing, the phishers identify a smaller class of prospective victims in advance, but do not rely on a call to action to redirect prospective victims to another site. It is enough that the victims mistake the spoofed website they discover for a legitimate and trustworthy site. In fact, spoofing attacks occur at the protocol level. When the spoofer's goal is either to gain access to a secured site or to mask his or her true identity, he or she may hijack an unsuspecting victim's address by falsifying the message's routing information so that it appears to have come from the victim's account instead of his or her own. He or she may do so through the use of “sniffers”. Since information intended for a specific computer must pass through any number of other computers while in transit, the data essentially becomes fair game, and sniffers can be used to capture the information en route to its destination. Sniffer software can be programmed to select data intended for any or every computer.
Gillnet
In gillnet phishing, phishers introduce malicious code into emails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site's pop-up window. Merely by opening a particular email, or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code changes settings in the user's system so that users who want to visit legitimate banking websites are redirected to a phishing site. In other cases, the malicious code records the user's keystrokes and passwords when they visit legitimate banking sites, then transmits those data to phishers for later illegal access to the users' financial accounts.
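The dragnet and man-in-the-middle lures above, and the email-gateway defence the introduction calls for, both come down to one observable: a message that claims one identity while its links lead somewhere else. The following is an added example, not code from this paper, of a minimal gateway check in Python. The message, the "Examplebank" brand and both domains in it are constructed for the example; the two tells it flags are anchor text that names a different host from the link's actual href, and links that lead outside the domain the From: header claims.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the brand "Examplebank" and both domains are
# invented for this example.
SAMPLE_EMAIL = """\
From: Examplebank Security <alerts@examplebank.example>
To: customer@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your details within 24 hours:</p>
<a href="http://examplebank-login.example.net/verify">https://www.examplebank.example/login</a>
<p>Thank you, Examplebank</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude organisational domain: the last two labels of the hostname.
    A production gateway would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Domain of the address in the From: header (the identity the mail claims)."""
    return parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()


def inspect_message(raw):
    """Return a list of human-readable findings; an empty list means no tell."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    from_domain = sender_domain(msg)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # Tell 1: the anchor text looks like a URL but names another host.
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
        # Tell 2: the link leads away from the domain the sender claims.
        if registered_domain(href_host) != from_domain:
            findings.append(f"link host {href_host} is outside sender domain {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the constructed message, both tells fire; a genuine notification whose links stay under the sender's own domain produces no findings. The check is deliberately narrow: it says nothing about whether the sender address itself is forged, which is what SPF, DKIM and DMARC verification at the same gateway are for.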
3. List of real cases
Besides Malaysia, many kinds of phishing attack happen around the world. Below are several of them:
a. Douglas Havard and Lee Elwood case: they netted over 6.5 million pounds during 2003-04 in the UK (Roberts (2005)). They reportedly received large batches of stolen credit card information and passwords from unnamed individuals in Russia, then used those to purchase goods online and resell them, pocketing the proceeds and passing a cut along to their counterparts in Russia through money exchanges. They also trafficked in stolen identity information and documents, including driver's licenses, passports and birth certificates.
b. Shelly S. Perry case: Perry operated an “Internet business” with the website address “www.paylessfurniture.com” from her private residence in Memphis, Tennessee. Perry defrauded many individuals, located throughout the country, who were attempting to purchase furniture via the said website, auction sites and personal contact with her. More than 70 citizen victims sent her in excess of $110,000.00.
c. Citibank case: the financial losses of Russian businesses caused by “carders” reached $20,000,000. Carders, who specialize in counterfeiting plastic cards, use the Internet to obtain information on card holders and card numbers. Phishing messages were received by customers of Citibank. The Russian message reads: “Your personal account has accepted wire transfer in foreign currency more than $ 2’000. According to the agreement of CitibankR Online you have to confirm you data for successful accepting money to the account. To confirm this operation it is necessary to run program of account management and fallow proposed instruction. In case of un-confirmation wire transfer will be returned to sender” (Saytarly (2004)).
d. Bank of Ireland case: some customers of Bank of Ireland lost more than €110,000 to the scammers. One customer claims to have lost more than €49,000, and others reported losses of between €5,000 and €16,900 (O’Brein (2006a)). The bank agreed to refund about €160,000.
How to avoid being phished
There are many methods to combat bank fraud in general and phishing in particular. Most financial institutions educate their customers on a regular basis about phishing websites. In addition to these educational e-mails from the institutions, the following measures can reduce phishing fraud; they include measures for customers and the induction of new technology.
Measures for customers
For the customer it is essential that they never share their password (or other security-related information) under any circumstances. They should also never click on an e-mail that is purportedly from a bank advising them to update antivirus software that can be downloaded from the bank's website. Third, the customer should pay attention to all activity on their bank's website by checking the bank's notification system on a regular basis, so that they can see the activity on their account. Fourth, whenever one wants to visit the bank's website, type the full URL or web address. This is secure and avoids logging on to spoof sites such as http://www.citbank.com in place of http://www.citibank.com, or www.idbiibank.com in place of http://www.idbibank.com. The customer should not do internet banking in wireless internet environments or at an Internet café. The customer should continuously read their bank's postings for security updates, and rather than following a link, type the address directly into the browser address bar.
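The advice above to type the full address, with citbank.com versus citibank.com as its illustration, can be turned into a check that a mail filter or browser add-on would run on every link before the user sees it. What follows is an added example, not code from this paper: a small Python classifier that folds common character substitutions and then measures edit distance against a list of known-legitimate domains. The two legitimate domains are the ones the text names; the homoglyph table, the distance threshold and the brand-substring rule are assumptions chosen for the example.

```python
# Short list of legitimate banking domains, taken from the examples in the
# text above; a real deployment would load the bank's own domains.
LEGITIMATE_DOMAINS = ["citibank.com", "idbibank.com"]

# Characters attackers commonly substitute for visually similar ones. This
# table is an illustrative assumption, not an exhaustive one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(host):
    """Lower-case the host and fold common look-alike substitutions."""
    host = host.lower().strip(".")
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(host, legit=LEGITIMATE_DOMAINS, max_distance=2):
    """Return (verdict, closest_legitimate_domain), where verdict is
    'legitimate', 'lookalike' or 'unrelated'."""
    h = normalise(host)
    normalised_legit = {normalise(d): d for d in legit}
    # Exact match, or a genuine subdomain of a legitimate domain.
    for nd, d in normalised_legit.items():
        if h == nd or h.endswith("." + nd):
            return ("legitimate", d)
    # Drop a leading www. before measuring distance, so www.citbank.com is
    # compared with citibank.com rather than penalised for the prefix.
    core = h[4:] if h.startswith("www.") else h
    closest = min(normalised_legit, key=lambda nd: edit_distance(core, nd))
    if edit_distance(core, closest) <= max_distance:
        return ("lookalike", normalised_legit[closest])
    # Brand label buried inside an unrelated registration, for example
    # citibank.com.evil.example: far in edit distance, still a lookalike.
    for nd, d in normalised_legit.items():
        if nd.split(".")[0] in h:
            return ("lookalike", d)
    return ("unrelated", normalised_legit[closest])


if __name__ == "__main__":
    for candidate in ["www.citibank.com", "citbank.com", "www.idbiibank.com",
                      "c1tibank.com", "citibank.com.evil.example", "example.org"]:
        print(candidate, "->", classify(candidate))
```

The subdomain test runs before the distance test so that a bank's own secure.citibank.com is never flagged, while the brand-substring rule at the end catches the opposite trick of putting the real domain at the front of a long hostname registered elsewhere. A threshold of two edits is tight on purpose: raising it catches more typos but starts to flag unrelated short domains.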
Induction of new technology
On the technology side, the customer should use browsers such as Firefox 7, Opera and Internet Explorer 8 (all latest versions), which include phishing shields and have better anti-fraud features in comparison to others. Second, banks must implement anti-phishing programs such as the one implemented by HSBC in Hong Kong. Security firms such as Symantec and McAfee market anti-phishing software. Banks must install security software from Symantec Corp and McAfee Inc. Many more companies are either developing or marketing anti-phishing solutions. These solutions can safeguard banks and financial institutions against phishing.
Other approaches to avoid being phished
The customer should be cautious with emails and confidential data. Most banks have a security page on their website with information on carrying out safe transactions, along with the usual advice relating to confidential data. Customers should also avoid opening or replying to spam emails, as this may give the sender confirmation that they have reached a live address. Use common sense when reading emails: if something seems implausible or too good to be true, then it probably is.
If you receive an email you suspect is not genuine, forward it to the organization it fraudulently claims to have come from. Many companies have a dedicated email address for reporting such phishing attempts. Legislation against online criminals is having an effect: there have been arrests of suspected phishers in several countries, including the UK and Brazil, while in Australia an email scammer who stole millions of dollars in an email fraud was sentenced to five years in prison.
The threat of Trojans being used in phishing attacks raises the possibility of a backdoor being opened to allow attackers access to the affected computer or network. To prevent this, installing a personal firewall will provide some measure of protection. As we have seen, keeping operating systems up to date with the latest security patches is also important in countering some of the phishing tricks already described, such as disguising headers and URLs. However, firewalls and patches will not stop users entering their details onto a forged an organization's customer base. Message samples and additional information on the website owners are provided in the alerts to help customers quickly respond to the attack by shutting down the fraudulent website and communicating with their customers. This service most obviously benefits financial institutions and online retailers, but other organizations with an online presence should also subscribe to the service, especially those who conduct a significant portion of their customer transactions online. Phishing attacks are also broadening out to target other customer bases, such as charity donors.
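The Gillnet section described malware that changes settings so that a bank's legitimate hostname resolves to a phishing site, and the paragraph above notes that firewalls and patches do not catch everything. One concrete check an endpoint agent or helpdesk script can run is that the local hosts file carries no static entry for a banking domain, since the hosts file is consulted before DNS and is the simplest place for a Trojan to plant such a redirect. The following is an added example, not code from this paper: the hosts content is constructed, the address in it is from the 192.0.2.0/24 documentation range, and the monitored domain list (the paper's two bank domains plus an invented placeholder) is an assumption.

```python
import ipaddress

# Banking domains to watch: the two real ones are the paper's examples and
# publicbank.example is a constructed placeholder.
MONITORED = ("citibank.com", "idbibank.com", "publicbank.example")

# Constructed sample hosts file. 192.0.2.0/24 is the documentation range.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
192.0.2.45  www.citibank.com citibank.com   # injected entry
127.0.0.1   ads.tracker.example
not-an-ip   garbage-line
"""


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for each valid mapping,
    ignoring comments, blank lines and lines whose address does not parse."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def monitored_match(name, monitored=MONITORED):
    """Return the monitored domain that `name` equals or is a subdomain of."""
    for d in monitored:
        if name == d or name.endswith("." + d):
            return d
    return None


def find_pharming(text, monitored=MONITORED):
    """Return every hosts-file mapping that overrides DNS for a monitored
    banking domain. Any such static entry is suspect, whether it points at
    a remote host (redirection) or at loopback (blackholing the real site)."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        domain = monitored_match(name, monitored)
        if domain is None:
            continue
        findings.append({"line": lineno, "name": name, "ip": str(ip),
                         "domain": domain,
                         "remote": not (ip.is_loopback or ip.is_unspecified)})
    return findings


if __name__ == "__main__":
    for f in find_pharming(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} "
              f"({'redirected' if f['remote'] else 'blackholed'})")
```

To run it against a real machine, read /etc/hosts (or C:\Windows\System32\drivers\etc\hosts on Windows) and pass the contents to find_pharming. Because a legitimate hosts file has no reason to mention a bank at all, the rule can be strict: any hit is worth a ticket, and a hit pointing at a non-loopback address is the redirection the text describes.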
Conclusion
In conclusion, there are many ways that phishers can use to get our personal information. It is up to ourselves to be alert and cautious about this phishing scam. There are also many kinds of security measures that can prevent this kind of threat.
References
1. http://www.antiphishingscams.com/email-phishing.html
2. http://fraudwatchinternational.com/phishing-fraud/phishing-email-methods/
3. http://labs.m86security.com/2011/03/phishing-scam-in-an-html-attachment/
4. http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/
5. http://www.esecurityplanet.com/trends/article.php/3488216/DNSBased-Phishing-Attacks-on-The-Rise.htm
6. Phishing and the threat to corporate networks, Sophos Plc.
7. Journal of Internet Banking and Commerce, N. P. Singh
8. How to Make Online Banking Secure, Ahmad Nasir Mohd Zin