Abstract:

Phishing is the new 21st-century crime. The global media runs stories on an almost daily basis covering the latest organisation to have its customers targeted and how many victims succumbed to the attack. While Phishers develop ever more sophisticated attack vectors, businesses flounder to protect their customers' personal data and look to external experts for improving email security. Customers too have become wary of "official" email, and organisations struggle to instil confidence in their communications. While various governments and industry groups battle to prevent spam, organisations can in the meantime take a proactive approach to combating the phishing threat. By understanding the tools and techniques used by professional criminals, and analysing flaws in their own perimeter security or applications, organisations can prevent many of the most popular and successful phishing attack vectors.

This paper covers the technologies and security flaws Phishers exploit to conduct their attacks, and provides detailed vendor-neutral advice on what organisations can do to prevent future attacks. Security professionals and customers can use this comprehensive analysis to arm themselves against the next phishing scam to reach their in-tray.

Introduction:

Tricking others into giving out passwords or other sensitive information has a long tradition in the attacker community. Traditionally this activity has been performed through the process of social engineering. In the 1990s, with the increasing growth in interconnected systems and the popularity of the Internet, attackers started to automate this process and attack the mass consumer market. The first systematic research to cover such activity was published in 1998 by Gordon and Chess (Sarah Gordon, David M. Chess: Where There's Smoke, There's Mirrors: The Truth about Trojan Horses on the Internet, presented at the Virus Bulletin Conference in Munich, Germany, October 1998). Gordon and Chess were researching malware on AOL, but they were faced with phishing attempts instead of the expected Trojan horse attacks. The term phishing ("password harvesting fishing") describes the fraudulent acquisition, through deception, of sensitive personal information such as passwords and credit card details by masquerading as someone trustworthy with a real need for such information.

Phishing examples:
[Figure: Recent phishing attempts. A chart showing the increase in phishing reports from October 2004 to June 2005.]

More recent phishing attempts have targeted the customers of banks and online payment services. E-mails supposedly from the Internal Revenue Service have also been used to glean sensitive data from U.S. taxpayers. While the first such examples were sent indiscriminately in the hope of finding a customer of a given bank or service, recent research has shown that phishers may in principle be able to establish what bank a potential victim has a relationship with, and then send an appropriate spoofed email to this victim. Targeted versions of phishing have been termed spear phishing. Social networking sites are also a target of phishing, since the personal details in such sites can be used in identity theft. Experiments show a success rate of over 70% for phishing attacks on social networks. In late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details.

[Figure: PayPal phishing example. An example of a phishing email targeted at PayPal users.]

In the example PayPal phish, spelling mistakes in the email and the presence of an IP address in the link (visible in the tooltip under the yellow box) are both clues that this is a phishing attempt. Another giveaway is the lack of a personal greeting, although the presence of personal details is not a guarantee of legitimacy.

The Phishing Threat:
Social Engineering Factors

Phishing attacks rely upon a mix of technical deceit and social engineering practices. In the majority of cases the Phisher must persuade the victim to intentionally perform a series of actions that will provide access to confidential information. Communication channels such as email, web pages, IRC and instant messaging services are popular. In all cases the Phisher must impersonate a trusted source (e.g. the helpdesk of their bank, an automated support response from their favourite online retailer, etc.) for the victim to believe.

To date, the most successful Phishing attacks have been initiated by email – where the Phisher impersonates the sending authority (e.g. spoofing the source email address and embedding appropriate corporate logos). For example, the victim receives an email supposedly from firstname.lastname@example.org (the address is spoofed) with the subject line 'security update', requesting them to follow the URL www.mybank-validate.info (a domain name that belongs to the attacker – not the bank) and provide their banking PIN number.

A) Email and Spam

Phishing attacks initiated by email are the most common. Using the techniques and tools used by spammers, Phishers can deliver specially crafted emails to millions of legitimate "live" email addresses within a few hours (or minutes using distributed Trojan networks). In many cases, the lists of addresses used to deliver the phishing emails are purchased from the same sources as conventional spam.

Utilising well-known flaws in the common mail server communication protocol (SMTP), Phishers are able to create emails with fake "Mail From:" headers and impersonate any organisation they choose. In some cases, they may also set the "RCPT To:" field to an email address of their choice (one which they can pick up email from), whereby any customer replies to the phishing email will be sent to them. The growing press coverage of phishing attacks has meant that most customers are very wary of sending confidential information (such as passwords and PIN information) by email – however it is still successful in many cases.

Techniques used within Phishing emails:
• Official-looking and official-sounding emails
• Copies of legitimate corporate emails with minor URL changes
• HTML-based email used to obfuscate target URL information
• Standard virus/worm attachments to emails
• A plethora of anti-spam-detection inclusions
• Crafting of "personalised" or unique email messages
• Fake postings to popular message boards and mailing lists
• Use of fake "Mail From:" addresses and open mail relays for disguising the source of the email

B) Web-based Delivery

An increasingly popular method of conducting phishing attacks is through malicious web-site content. This content may be included within a web-site operated by the Phisher, or a third-party site hosting some embedded content.

Web-based delivery techniques include:
• The inclusion of HTML-disguised links (such as the one presented in the Westpac email example) within popular web-sites and message boards.
• The use of third-party supplied, or fake, banner advertising graphics to lure customers to the Phisher's web-site.
• The use of web-bugs (hidden items within the page, such as a zero-sized graphic) to track a potential customer in preparation for a phishing attack.
• The use of pop-up or frameless windows to disguise the true source of the Phisher's message.
• Embedding malicious content within the viewable web-page that exploits a known vulnerability within the customer's web browser software and installs software of the Phisher's choice (e.g. key-loggers, screen-grabbers, back-doors and other Trojan horse programs).
• Abuse of trust relationships within the customer's web-browser configuration to make use of site-authorised scriptable components or data storage areas.
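The link-based clues raised in the PayPal example and in the two lists above (a raw IP address as the link target, HTML link text that shows one destination while the href points to another, and a domain that carries the brand name but is not the brand's own domain, as with www.mybank-validate.info) can be checked mechanically on the receiving side. The following is an added example written for this page, not code from the paper or from any vendor it names; it uses only the Python standard library, and the sample email body and the LEGITIMATE_DOMAINS table are constructed for illustration.

```python
"""Flag link-based phishing clues in an HTML email body.

Added example (not code from the paper): standard library only.  The
sample email and LEGITIMATE_DOMAINS are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the fictional "mybank" and PayPal legitimately use.
# In practice this comes from the organisation's own asset inventory.
LEGITIMATE_DOMAINS = {"mybank.com", "paypal.com"}

# Something that looks like a URL or bare domain inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """'Last two labels' approximation of the registrable domain.
    Adequate for .com/.info/.org; production code would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_is_ip(host):
    """True when the link target is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def brand_lookalike(host):
    """Return the legitimate domain whose brand label appears inside a
    *different* registrable domain (e.g. mybank-validate.info vs mybank.com)."""
    reg = registrable_domain(host)
    for legit in LEGITIMATE_DOMAINS:
        brand = legit.split(".")[0]
        if reg != legit and brand in reg:
            return legit
    return None


def analyse_links(html_body):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host_is_ip(host):
            findings.append((href, "link target is a raw IP address"))
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, f"link text shows {shown.group(1)} but target host is {host}"))
        legit = brand_lookalike(host)
        if legit:
            findings.append((href, f"host {host} imitates {legit} but is a different domain"))
    return findings


# Constructed sample resembling the PayPal and "mybank" examples discussed above.
SAMPLE_HTML = """
<html><body>
<p>Dear valued customer, your acount will be suspened unless you verfy it.</p>
<p><a href="http://203.0.113.45/paypal/login">https://www.paypal.com/</a></p>
<p><a href="http://www.mybank-validate.info/update">Security update</a></p>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_HTML):
        print(f"{href}: {reason}")
```

The first anchor produces two findings (IP-address target, and link text naming paypal.com while the target is the IP), the second a look-alike-domain finding, and the genuine PayPal link none. The spelling mistakes the page also mentions are left to a dictionary-based check, which the standard library does not provide.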
c) Fake Banner Advertising

Banner advertising is a very simple method Phishers may use to redirect an organisation's customer to a fake web-site and capture confidential information. Using copied banner

d) Trojaned Hosts

While the delivery medium for the phishing attack may be varied, the delivery source is increasingly home PCs that have been previously compromised. As part of this compromise, a Trojan horse program has been installed which allows Phishers (along with spammers, warez pirates, DDoS bots, etc.) to use the PC as a message propagator. Consequently, tracking back a Phishing attack to the individual initiating criminal is extremely difficult.

It is important to note that the installation of Trojan horse software is on the increase, despite the efforts of large anti-virus companies. Many malicious or criminal groups have developed highly successful techniques for tricking home users into installing the software, and now operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon) capable of being used as Phishing email propagators or even hosting fraudulent web-sites.

That is not to say that Phishers are not capable of using Trojan horse software against a customer specifically to observe their confidential information. In fact, to harvest the confidential information of several thousand customers simultaneously, Phishers must be selective about the information they wish to record or be faced with information overload.

Defence Mechanisms

a) Countering the Threat

As already shown in Section 2, the Phisher has a large number of methods at their disposal – consequently there is no single solution capable of combating all these different attack vectors. However, it is possible to prevent current and future Phishing attacks by utilising a mix of information security technologies and techniques. For best protection, these security technologies and techniques must be deployed at three logical layers:
1. The Client-side – this includes the user's PC.
2. The Server-side – this includes the business's Internet-visible systems and custom applications.
3. Enterprise Level – distributed technologies and third-party management services.

This section details the different defence mechanisms available at each logical layer.

B) Client-side

The client-side should be seen as representing the forefront of anti-phishing security. Given the distributed nature of home computing and the widely varying state of customer skill levels and awareness, client-side security is generally much poorer than a managed corporate workstation deployment. However, many solutions exist for use within both the home and corporate environments.

At the client-side, protection against Phishing can be afforded by:
• Desktop protection technologies
• Utilisation of appropriate, less sophisticated communication settings
• User application-level monitoring solutions
• Locking-down browser capabilities
• Digital signing and validation of email
• General security awareness

Desktop Protection Agents
with information overload. Most users of desktop systems are familiar
with locally installed protection software,
in the form of a common anti-virus solution.
Ideally, desktop systems should be
configured to use multiple desktop
protection agents (even if this functionality
duplicates any corporate perimeter
protection services), and be capable of Enterprise level
performing the following services: Businesses and ISP’s may take enterprise-
• Local Anti-Virus protection level steps to secure against Phishing
• Personal Firewall scams –
• Personal IDS Thereby protecting both their customers and
• Personal Anti-Spam internal users. These enterprise security
• Spy ware Detection solutions work in combination with client-
Many desktop protection software providers side and server-side security mechanisms,
(e.g. Symantec, McAfee, Microsoft, etc.) offering considerable defence-in-depth
now provide solutions that are capable of against phishing and a multitude of other
fulfilling one or more of these functions. current threats.
Specific to Key steps to anti-phishing enterprise-level
Phishing attack vectors, these solutions (or security includes:
a combination of) should provide the • Automatic validation of sending email
following server addresses,
functionality: • Digital signing of email services,
• The ability to detect and block “on the fly” • Monitoring of corporate domains and
attempts to install malicious software (such notification of “similar” registrations,
as Trojan horses, key-loggers, screen- • Perimeter or gateway protection agents,
grabbers and creating backdoors) through • Third-party managed services.
email attachments, file downloads, dynamic
HTML and scripted content. a) Mail Server Authentication
Multiple methods have been proposed to
Browser Capabilities authenticating sending mail servers. In
The common web browser may be used as essence,
a defense against phishing attacks – if it is the senders mail server is validated (e.g.
Configured securely. Similar to the problems reverse resolution of Domain information to
with email applications, web browsers also a specific IP address or range) by the
offer extended functionality that may be receiving mail server. If the senders IP
abused (often to a higher degree than email address is not an
clients). For most users, their web browser Authorized address for the email domain,
is probably the most technically the email is dropped by the receiving mail
sophisticated application they use. server.
The most popular web browsers offer such a Alternatively, through the use of Secure
fantastic array of functionality – catering to SMTP, email transport could be conducted
all users in all environments – that they over an encrypted SSL/TLS link. When the
• Disable all window pop-up functionality sender mail server connects to the recipient
• Disable Java runtime support mail server, certificates are exchanged
• Disable ActiveX support before an encrypted link is established.
• Disable all multimedia and auto-play/auto- Validation of the certificate
execute extensions can be used to uniquely identify a trusted
• Prevent the storage of non-secure cookies sender. Missing, invalid or revoked
• Ensure that any downloads cannot be certificates will prevent a secure connection
automatically run from the browser, and from occurring and not allow delivery of
must Instead be downloaded into a directory emails.
for anti-virus inspect If desired, an additional check with the DNS
server can be used to ensure that only
authorized mail servers may send email
over the secure SMTP connection.
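The sender validation described in this section is the receiving server's answer to the fake "Mail From:" headers raised under A) Email and Spam: the connecting address is compared against what the claimed domain has published as its authorised senders, and the address's reverse name is confirmed to resolve back to it. The following is an added example, not code from the paper or from any product; it imitates an SPF-style published list of `ip4:` terms plus a forward-confirmed reverse-DNS check, with the DNS answers held in constructed in-memory tables (TXT_RECORDS, PTR_RECORDS, A_RECORDS) so that it runs offline. The domain mybank.com, the host names and all addresses are made up, the addresses drawn from documentation ranges.

```python
"""Receiving-side authorisation of a sending mail server.

Added example (not code from the paper).  DNS answers are constructed
in-memory tables standing in for real TXT/PTR/A lookups; the record
format for authorised senders imitates SPF's 'ip4:' terms.
"""
import ipaddress

# Constructed DNS data for a fictional bank.
TXT_RECORDS = {
    "mybank.com": "v=spf1 ip4:198.51.100.0/28 ip4:192.0.2.25 -all",
}
PTR_RECORDS = {
    "198.51.100.7": "mx1.mybank.com",
    "203.0.113.9": "dsl-pool-9.example-isp.net",  # a home broadband host
}
A_RECORDS = {
    "mx1.mybank.com": "198.51.100.7",
    "dsl-pool-9.example-isp.net": "203.0.113.9",
}


def authorised_networks(domain):
    """Parse the ip4: terms of the domain's published policy into networks."""
    record = TXT_RECORDS.get(domain, "")
    nets = []
    for term in record.split():
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets


def ip_authorised(domain, client_ip):
    """True when client_ip falls inside one of the domain's published ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in authorised_networks(domain))


def reverse_matches(client_ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to client_ip."""
    name = PTR_RECORDS.get(client_ip)
    return name is not None and A_RECORDS.get(name) == client_ip


def envelope_domain(mail_from):
    """Domain part of the SMTP MAIL FROM address, e.g. '<x@mybank.com>'."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower()


def decide(mail_from, client_ip):
    """Return ('accept', reason) or ('drop', reason) for one SMTP session.

    Policy choice for this example: a domain that publishes no authorised
    senders is dropped rather than passed through unchecked."""
    domain = envelope_domain(mail_from)
    if not authorised_networks(domain):
        return ("drop", f"{domain} publishes no authorised senders")
    if not ip_authorised(domain, client_ip):
        return ("drop", f"{client_ip} is not an authorised sender for {domain}")
    if not reverse_matches(client_ip):
        return ("drop", f"reverse DNS for {client_ip} does not confirm the host")
    return ("accept", f"{client_ip} is an authorised, forward-confirmed sender for {domain}")


if __name__ == "__main__":
    # A genuine bank relay, a compromised home PC spoofing the bank, and
    # an authorised address whose reverse record is missing.
    for mail_from, ip in [("<alerts@mybank.com>", "198.51.100.7"),
                          ("<alerts@mybank.com>", "203.0.113.9"),
                          ("<alerts@mybank.com>", "192.0.2.25")]:
        print(mail_from, ip, "->", decide(mail_from, ip))
```

The three sample sessions correspond to the cases in the text: the bank's own relay is accepted, a Trojaned home PC claiming to be the bank is dropped because its address is not in the published range, and an address that is in range but lacks a confirming reverse record is dropped as well.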
b) Digitally Signed Email

Extending the processes for digitally signed email, enterprises can configure their receiving email servers to automatically validate digitally signed emails before they reach the recipient. This process may prove to be more efficient for an organisation, and automatic steps can be taken to alert recipients of invalid or unsigned emails.

In addition, the enterprise email server can be configured to always sign outbound email. By doing so, a single "corporate" digital certificate can be used and customers who receive these signed emails can be confident that their received message is legitimate.

c) Gateway Services

The enterprise network perimeter is an ideal place for adding gateway protection services that can monitor and control both inbound and outbound communications. These services can be used to identify malicious Phishing content, whether it be located within email or other communication channels.

Typical enterprise-level gateway services include:
• Gateway Anti-Virus Scanning – used to detect viruses, malicious scripting code and binary attachments that contain Trojan horse software.
• Gateway Anti-Spam Filtering – rule-based inspection of email content for key phrases (such as Viagra) and bad words, typically used to identify common spam, but also capable of stopping many forms of phishing attack that are designed to look like
• Gateway Content Filtering – inspection of many types of communication methods (e.g. email, IM, AOL, HTTP, FTP) for bad content or requests. Simple protection against users visiting known bad or dangerous websites.
• Proxy Services – management and concentration of Internet protocols and types of egress communications. Protection against inbound attacks through use of network address translation. Good protection against common information leakage of internal network configurations.

Advantages of gateway services:
• It is far easier, and faster, for a large institution to update a relatively small number of gateway scanners than it is to ensure that all desktop scanners are up to date. Automated desktop virus scan updates help, but are still somewhat slower than gateway updates.
• Gateway content filtering is very effective at blocking access to known phishing sites or content, without waiting for an ISP to remove the offending phishing site.
• Malicious code can be blocked from entering the network.

Limitations of gateway services:
• Traffic Limitations – some forms of network traffic cannot be scanned.
• Firewall Changes – some gateway implementations may require manual configuration of firewalls and other gateway devices to implement blocking.
• Roaming User Protection – roaming users such as mobile salesmen are not protected by the gateway services.
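The three email-facing gateway services listed above (anti-virus pre-screening of attachments, rule-based anti-spam key-phrase inspection, and content filtering of links against a list of known phishing sites) combine naturally into a single inspection pass over each inbound message, with the definite indicators (a blocked attachment type, a link to a listed site) deciding before the softer key-phrase score. The following is an added example, not the paper's or any product's code; it uses the Python standard library's email package, and the policy tables, the blocklist and the three sample messages are constructed for illustration.

```python
"""Gateway-style inspection of an inbound email.

Added example (not code from the paper).  Policy tables, the
known-phishing-site list and the sample messages are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed gateway policy; real deployments feed these from vendor updates.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js"}
KNOWN_PHISHING_HOSTS = {"www.mybank-validate.info"}
KEY_PHRASES = {"verify your account": 3, "suspended": 2, "viagra": 5}
QUARANTINE_SCORE = 4

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _text_parts(msg):
    """Yield the decoded text of every text/* MIME part."""
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def message_hosts(msg):
    """Lower-cased host names of all URLs found in the message text."""
    hosts = set()
    for text in _text_parts(msg):
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def blocked_attachments(msg):
    """File names of attachments whose type the gateway refuses outright."""
    return [part.get_filename() for part in msg.walk()
            if part.get_filename()
            and part.get_filename().lower().endswith(tuple(BLOCKED_EXTENSIONS))]


def spam_score(msg):
    """Weighted key-phrase score over subject and body text."""
    text = ((msg["Subject"] or "") + " " + " ".join(_text_parts(msg))).lower()
    return sum(weight for phrase, weight in KEY_PHRASES.items() if phrase in text)


def inspect(raw_message):
    """Return (action, reasons); action is 'block', 'quarantine' or 'deliver'."""
    msg = message_from_string(raw_message)
    reasons = []
    att = blocked_attachments(msg)
    if att:
        reasons.append(f"blocked attachment type: {', '.join(att)}")
    bad_hosts = message_hosts(msg) & KNOWN_PHISHING_HOSTS
    if bad_hosts:
        reasons.append(f"link to known phishing site: {', '.join(sorted(bad_hosts))}")
    if reasons:
        return ("block", reasons)
    score = spam_score(msg)
    if score >= QUARANTINE_SCORE:
        return ("quarantine", [f"spam/phishing key-phrase score {score}"])
    return ("deliver", [])


# Constructed samples: a lure with a listed link and a disguised executable,
# a text-only lure with no link, and a legitimate statement notice.
SAMPLE_MESSAGE = """\
From: security@mybank.com
To: customer@example.org
Subject: security update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset="utf-8"

Please verify your account at http://www.mybank-validate.info/update
or your access will be suspended.
--bnd
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--bnd--
"""

LURE_MESSAGE = """\
From: helpdesk@mybank.com
To: customer@example.org
Subject: Account notice
Content-Type: text/plain; charset="utf-8"

Your account has been suspended. Please verify your account by replying
with your online banking PIN.
"""

CLEAN_MESSAGE = """\
From: newsletter@mybank.com
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Log in at https://www.mybank.com/ to view your statement.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, LURE_MESSAGE, CLEAN_MESSAGE):
        print(inspect(raw))
```

The first message is blocked on two hard indicators, the second (no link, no attachment) only reaches the key-phrase stage and is quarantined with a score of 5, and the genuine notice is delivered. Keeping the hard indicators ahead of the score is what lets the gateway act on a known phishing site immediately, without waiting for an ISP to take the site down.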
Conclusion:

By understanding the tools and technologies Phishers have in their arsenal, businesses and their customers can take a proactive stance in defending against future attacks. Organisations have within their grasp numerous techniques and processes that may be used to protect the trust and integrity of their customers' personal data. The points raised within this paper, and the solutions proposed, represent key steps in securing online services from fraudulent phishing attacks – and also go a long way in protecting against many other popular hacking or criminal attack vectors.

By applying a multi-tiered approach to their security model (client-side, server-side and enterprise) organisations can easily manage their protection technologies against today's and tomorrow's threats – without relying upon proposed improvements in communication security that are unlikely to be adopted globally for many years to come.
References:

Tan, Koon. Phishing and Spamming via IM.
Ollmann, Gunter. The Phishing Guide: Understanding and Preventing Phishing.