
Phishing and Its Effect Against Business Networks

Mohd Khairul Amin bin Mohd Zaki

Universiti Sains Malaysia

Abstract

Phishing, an increasingly common form of online theft, is the act of tricking computer users into handing over control of their online accounts using, typically, a combination of a forged email and website. Phishing is done by spamming out authentic-looking emails that claim to come from a well-known financial or e-commerce institution such as Citibank, PayPal, eBay or America Online. These emails contain different messages, but usually follow the same formula: the recipient is asked to click on a link contained within the message, taking them to what appears to be a legitimate website. In fact, the website is a clever forgery, often virtually indistinguishable from the real thing. Phishing methods and tricks are described and ways of protecting computers and networks from phishing attacks are discussed.

1. Introduction

Phishing represents one aspect of the increasingly complex and converging security threats facing businesses today. The methods used by spammers have become more sophisticated, and spam is now increasingly combined with malware and used as a tool for online fraud or theft, or to propagate malicious code. Phishing can therefore be considered a combined threat, part of a fast-changing and increasingly complex threat environment facing networks, which can encompass spam and various kinds of malware. Although consumers are the main targets of phishers, a phishing attack can damage the reputation and credibility of the affected business, putting brand equity at risk and leading to significant costs. Smaller businesses, meanwhile, may be more directly at risk of falling victim to email fraud, particularly where the corporate accounts are controlled by one or two people who may not have a great deal of technical knowledge. While this is less likely with larger organizations, it is clearly preferable for employees to be protected from fraud attempts arriving in their inboxes via the corporate network. It is therefore important that businesses use an integrated, robust solution to defend their email gateway from spam such as phishing attacks and the many other varieties of email-borne security threat.

Based on my searches of websites and other resources, there has been a surge in the number of reported phishing attacks. The Anti-Phishing Working Group tracked over 3,326 unique phishing sites in May 2005, with that number rising by an average of 28% per month since July 2004. According to a survey released by research group Gartner in June 2005, over 2.42 million US adults reported losing money in phishing attacks, amounting to nearly $929 million in the past year [4]. Another report in October 2004 by research group IDC cited phishing as one of the fastest growing non-violent crimes.

For a real case in Malaysia, I found that Public Bank is one of the internet banking services being targeted by phishers. From 24th March 2010 to 22nd April 2010, the period I searched through MyCERT, 55 phishing sites targeting clients of Public Bank were handled by MyCERT. They have also observed that the phishers are using Bahasa Malaysia for both phishing emails and domain names. The reason the phishers target Public Bank may be a lack of security in its internet banking and a lack of user knowledge about phishing.

The phishers targeting Public Bank users only used email as their tool to fool users into believing that the email was sent from Public Bank itself. The following picture shows the list of Public Bank phishing sites obtained from MyCERT.

Below is an example of phishing using an email:

2. Phishing techniques

There are many kinds of phishing technique that can be used to lure victims into giving their confidential information to the phisher.

Man-in-the-Middle Attack

Here, the attacker creates a fake website and draws users' attention to that website. Normally, the attacker tricks users by disguising their identity to make it appear that the message came from a trusted source. Once successful, users do not realize that, instead of going to the intended website, they actually go to the fraudster's website. The information keyed in during that session is captured, and the fraudsters can make their own transactions at the same time.

“Dragnet”

The dragnet method involves the use of spammed emails, bearing falsified corporate identification (e.g., trademarks, logos, and corporate names), that are addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site) and direct them to websites or pop-up windows with similarly falsified identification. Dragnet phishers do not identify specific prospective victims in advance. They rely only on the false information they include in the email to trigger an immediate response from victims, who click on links in the body of the email that take them to websites or pop-up windows where they are asked to enter bank or credit-card account data or other personal data.

“Rod-and-Reel”

In the rod-and-reel method, the phisher targets initial contacts with prospective victims. They then send emails that direct recipients to disclose specific confidential information defined in advance, with false information conveyed to trigger responses.

“Lobsterpot”

This technique relies on the use of spoofed websites. It consists of creating spoofed websites, similar to legitimate corporate ones, that a narrowly defined class of victims is likely to seek out. In lobsterpot phishing, the phishers identify a smaller class of prospective victims in advance, but do not rely on a call to action to redirect prospective victims to another site. It is enough that the victims mistake the spoofed website they discover for a legitimate and trustworthy site. In fact, spoof attacks occur at the protocol layer. When the spoofer's goal is either to gain access to a secured site or to mask his or her true identity, he or she may hijack an unsuspecting victim's address by falsifying the message's routing information so that it appears to have come from the victim's account instead of his or her own. He or she may do so through the use of “sniffers.” Since information intended for a specific computer must pass through any number of other computers while in transit, the data essentially becomes fair game, and sniffers may be used to capture the information en route to its destination. Sniffer software can be programmed to select data intended for any or every computer.

Gillnet

In gillnet phishing, phishers introduce malicious code into emails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site's pop-up window. Merely by opening a particular email, or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code will change settings in users' systems, so that users who want to visit legitimate banking websites are redirected to a phishing site. In other cases, the malicious code will record users' keystrokes and passwords when they visit legitimate banking sites, then transmit those data to phishers for later illegal access to users' financial accounts.
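As an added defender-side check (not part of the paper), the Python below scans hosts-file text for entries that pin a banking domain to a local or foreign address, which is one common form of the settings change described above; the watchlist and the sample hosts content are constructed for the example.

```python
import ipaddress

# Constructed watchlist: bank domains that should never appear in a hosts file.
# The two names are the ones the paper uses in its URL examples.
WATCHED_DOMAINS = ["citibank.com", "idbibank.com"]

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                # one address, one or more names
            yield fields[0], name.lower().rstrip(".")

def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hijacked_entries(hosts_text):
    """Return (address, hostname, kind) for each hosts entry naming a watched domain.
    kind separates a redirect to another machine from a local blackhole, which
    denies access rather than stealing credentials but is still not legitimate."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        kind = "blackhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        hits.append((ip, name, kind))
    return hits

# Constructed sample hosts file (not taken from a real system).
SAMPLE_HOSTS = """# localhost entries are normal
127.0.0.1   localhost
::1         localhost
203.0.113.7 www.citibank.com online.citibank.com   # injected by malware
0.0.0.0     ads.example.net
127.0.0.1   www.idbibank.com
"""
```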

3. List of real cases

Besides Malaysia, there have been many kinds of phishing attack around the world. Below are several of them:

a. Douglas Havard and Lee Elwood case: they netted over 6.5 million pounds during 2003-04 in the UK (Roberts (2005)). They reportedly received large groups of stolen credit card information and passwords from unnamed individuals in Russia, then used those to purchase goods online and resell them, pocketing the proceeds and passing a cut along to their counterparts in Russia through money exchanges. They also trafficked in stolen identity information and documents, including driver's licenses, passports and birth certificates.

b. Shelly S. Perry case: Perry operated an "Internet Business" with the website address "www.paylessfurniture.com" from her private residence in Memphis, Tennessee. Perry defrauded many individuals, located throughout the country, who were attempting to purchase furniture via the said Internet website, auction sites, and personal contact with her. More than 70 citizen victims sent her in excess of $110,000.00.

c. Citibank case: the financial losses of Russian businesses caused by “carders” reached $20’000’000. Carders, who specialize in counterfeiting plastic cards, use the Internet to obtain information on card holders and card numbers. Phishing messages are received by customers of Citibank. The Russian message reads: “Your personal account has accepted wire transfer in foreign currency more than $ 2’000. According to the agreement of CitibankR Online you have to confirm you data for successful accepting money to the account. To confirm this operation it is necessary to run program of account management and fallow proposed instruction. In case of un-confirmation wire transfer will be returned to sender” (SAYTARLY (2004)).

d. Bank of Ireland case: some customers of Bank of Ireland lost more than €110,000 to the scammers. One customer claims to have lost more than €49,000 and others reported losses between €5,000 and €16,900 (O’Brein (2006a)). The bank agreed to refund about €160,000.

How to avoid being phished

There are many methods to combat bank fraud in general and phishing in particular. Most financial institutions educate their customers on a regular basis about phishing websites. In addition to these educational emails from the institutions, the following measures can reduce phishing fraud; they include measures for customers and the induction of new technology.

Measures for customers

For customers it is essential that they never share their password (or other security-related information) under any circumstances. They should also never click on an email that purports to come from a bank advising them to update their antivirus software with a version that can be downloaded from the bank's website. Third, customers should pay attention to all activity on their bank's website by browsing the bank's notification system on a regular basis so that they can see the activity on their account. Fourth, whenever one wants to visit the bank's website, type the full URL or web address. This is secure and will avoid logging on to spoof sites such as http://www.citbank.com in place of http://www.citibank.com, and www.idbiibank.com in place of http://www.idbibank.com. Customers should not do internet banking in wireless internet environments or at an Internet café. They should continuously read their bank's postings for security updates, and should type the address directly into the browser address bar rather than following a link.
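As an added example (not from the paper), the Python below applies the lookalike-URL advice above automatically: it pulls every link out of an HTML email, compares the link's host with a list of legitimate bank domains by edit distance, flags a bank's name buried inside an unrelated domain, and reports when the visible link text names a different host than the link really targets. The domain list and the sample email are constructed.

```python
import re
from urllib.parse import urlparse
# Constructed list of legitimate bank domains (the two the paper uses as examples).
LEGIT_DOMAINS = ["citibank.com", "idbibank.com"]

def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """'legit', 'lookalike', 'brand-abuse' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legit"            # the real domain or one of its subdomains
    # Assumption: protected domains are two-label names, so the registered part is the last two labels.
    registered = ".".join(host.split(".")[-2:])
    for legit in LEGIT_DOMAINS:
        if 0 < levenshtein(registered, legit) <= 2:
            return "lookalike"        # e.g. citbank.com, idbiibank.com
        if legit.split(".")[0] in host:
            return "brand-abuse"      # e.g. citibank.account-verify.example
    return "unrelated"

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_RE = re.compile(r'^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$', re.I)

def audit_email_links(html):
    """Return (href, verdict, text_mismatch) for each link; text_mismatch is True
    when the visible text names a different host than the link really targets."""
    findings = []
    for href, text in HREF_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        shown = SHOWN_RE.match(text.strip())
        mismatch = bool(shown) and shown.group(1).lower() != host
        findings.append((href, classify_host(host), mismatch))
    return findings

# Constructed sample email (not from the paper) mixing genuine and bogus links.
SAMPLE_EMAIL = """<p>Dear customer, please confirm your account:</p>
<a href="http://www.citbank.com/login">http://www.citibank.com/login</a>
<a href="http://secure.idbibank.com/">IDBI Net Banking</a>
<a href="http://citibank.account-verify.example/">Click here</a>
<a href="http://www.idbiibank.com/">www.idbiibank.com</a>"""
```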

Induction of new technology

On the technology side, customers should use browsers such as Firefox 7, Opera and Internet Explorer 8 (all latest versions), which include phishing shields and have better anti-fraud features than others. Second, banks must implement anti-phishing programs such as the one implemented by HSBC in Hong Kong. Security firms such as Symantec and McAfee market anti-phishing software, and banks must install security software from Symantec Corp and McAfee Inc. Many more companies are either developing or marketing anti-phishing solutions. These solutions can safeguard banks and financial institutions against phishing.

Other approaches to avoid being phished

Customers should be cautious with emails and confidential data. Most banks have a security page on their website with information on carrying out safe transactions, along with the usual advice relating to confidential data. Customers should also avoid opening or replying to spam emails, as this may give the sender confirmation that they have reached a live address. Use common sense when reading emails: if something seems implausible or too good to be true, then it probably is.

If you receive an email you suspect is not genuine, forward it to the organization it fraudulently claims to have come from. Many companies have a dedicated email address for reporting such phishing attempts. Legislation against online criminals is having an effect: there have been arrests of suspected phishers in several countries, including the UK and Brazil, while in Australia an email scammer who stole millions of dollars in an email fraud was sentenced to five years in prison.

The threat of Trojans being used in phishing attacks raises the possibility of a backdoor being opened to allow attackers access to the affected computer or network. To prevent this, installing a personal firewall will provide some measure of protection. As we have seen, keeping operating systems up to date with the latest security patches is also important in countering some of the phishing tricks already described, such as disguising headers and URLs. However, firewalls and patches will not stop users entering their details onto a forged an organizations customer base. Message samples and additional information on the website owners are provided in the alerts to help customers quickly respond to the attack by shutting down the fraudulent website and communicating with their customers. This service most obviously benefits financial institutions and online retailers, but other organizations with an online presence should also subscribe to the service, especially those who conduct a significant portion of their customer transactions online. Phishing attacks are also broadening out to target other customer bases such as charity donors.

Conclusion

In conclusion, there are many ways that phishers can use to get our personal information. It is up to us to be alert and cautious about phishing scams. There are also many kinds of security measures that can prevent this kind of threat.

References

1. http://www.antiphishingscams.com/email-phishing.html
2. http://fraudwatchinternational.com/phishing-fraud/phishing-email-methods/
3. http://labs.m86security.com/2011/03/phishing-scam-in-an-html-attachment/
4. http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/
5. http://www.esecurityplanet.com/trends/article.php/3488216/DNSBased-Phishing-Attacks-on-The-Rise.htm
6. Phishing and the threat to corporate networks, Sophos Plc.
7. Journal of Internet Banking and Commerce, N. P. Singh
8. How to Make Online Banking Secure, Ahmad Nasir Mohd Zin