Embed Size (px)
Citation preview
A TAXONOMY OF PHISHING
By
Name___________________________
Introduction
Literature Review
The age of Information Technology was first launched in the US in 1968 when the ARPANET (Advanced
Research Projects Agency) network was first developed to exchange information amongst defence
laboratories. It was the ARPANET that first spawned Usenet, the precursor of email in 1979 (Martin et al.,
2007). The Usenet was used as bulletin board and to share and exchange knowledge amongst various
colleges.
The development of personal computers in the ninety seventies gave a big boost to the Usenet which
morphed into email while chat facility was introduced in 1988 (Saunders 2003). The introduction of the
World Wide Web in the 1990’s by Tim Berners and Robert Caillau and the development of browsers and
websites spawned a huge boom in use of the web. Domain registration saw an increase in personalized
websites on the internet. The web registered a phenomenal growth of 341634% by 1995 (Perkins 2010).
Search Engines were released and a large number of browsers developed. Today the internet has become an
integral part of daily lives both personal and professional. Its primary applications include the World Wide
Web, Email, Data / File Transfers and Chat (Rolf 2007). These applications are offered to millions of
computers globally interconnected through a large network.
The key to its popularity lies in its ability to change the way people communicate, do business,
work, socialize, access services and information. The internet continues to grow in terms of size,
processing power and functionalities making it the most rapidly expanding technological innovation
in the history of mankind (Zhang 2007).
A measure of the growth of the internet can be borne by the fact that the APARNET in 1968
connected just 1000 systems (Tally 2004). By 1987 there were 30000 users on the internet. In 1995
this figure rose to 16 million persons comprising 0.4% of the world’s population. The turn of the
century, i.e. 2000 saw an incredible 479 million persons, almost 8%, of the worlds population
hooked to the internet and that figure rose to a phenomenal 2110 million in June 2011 comprising
30.4 % of the world’s population (Salton et al., 2005).
When the internet was first conceived it was in a user friendly neutral environment (Davies 2003). This
meant it was transparent and fostered the development of a variety of applications. It did not incorporate
security measures since the possibility of any form of attack was not considered at that time (Conta et al.
1998). However since its inception, the internet has been a conduit through which various attacks are
perpetrated on users particularly those who use financial services. From the AOL account robberies in the
1990’s, identity theft and large scale fraud of institutions such as banks and their customers have become
more common (Bradner 2006). The annual financial loss in the US alone on account of these attacks is
estimated to be USD 3 billion (Davies 2003).
The loss is not limited to money alone. Classified information, personal / identity data are also vulnerable to
being leaked through unauthorized access. These attacks result in network breakdown, fraud, robbery of
identity and sabotage of industries. The attendant damages include loss of trust, erosion of brand value,
costly lawsuits and reduced usage of online systems and service offerings.
These attacks are called hacking and the perpetrators are called “hackers” or “crackers” due to their ability
hack into system by cracking their security codes.
There are different variants of these attacks with varied levels of technological sophistication. However one
common feature is that they are perpetrated through electronic media, i.e. they are primarily technical in
nature. There are several mechanisms developed by organizations to counter these attacks. These
countermeasures include antiphishing and antivirus mechanisms, intruder detectors, firewalls etc. These
measures have attained a fair degree of success in combating technical attacks.
The increasing success of complex antihacking technological infrastructure has led hackers to now employ
less technical means to conduct their attacks. This is done by attacking the human elements in the target
environment which when combined with technology have resulted in a new variety of called social
engineering.
Social Engineering has been variously defined as hereunder:
Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human
interaction and often involves tricking other people to break normal security procedures.
The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security either personal or professional.
Social engineering is a collection of techniques used to manipulate people into performing actions or
divulging confidential information.
From the above definitions social engineering can be summarized as the method of attacking computers
through data gleaned from social interactions.
This data includes passwords, PIN Numbers, access codes to an organizations infrastructure and the
targets include telecommunication companies, banks and other financial institutions, military
installations, government agencies, industries and hospitals. Hackers use this data to penetrate security
measures installed by the target institutions.
While security features are functionally dependent on technology, their success is a measure of the trust
they generate in the authenticity of protection provided. Thus hackers target the weakest chink in
organizations armour, i.e. its people. Social Engineers are technically proficient persons who also possess
very good social skills. They work on certain attributes of the process by which human beings make
decisions called “cognitive biases”. Also called “bugs in the human hardware”, they all rest on the
fundamental human predispositions to “trust”, “to be helpful”, “to be liked”. This tendency to trust is then
exploited in different methods to generate attack vectors. Hackers gain “trust” by manipulating people
into connecting to various emotions such as avarice, sympathy or fear and then divulging sensitive
information. A socially engineered attack successfully perpetrated nullifies large investments in security
infrastructure.
There are many variants by which people are manipulated. However confusion still exists amongst the as
to what exactly is a socially engineered attack leading to varied descriptions. This results in an inability to
devise adequate security measures. A virus can be described as a worm and vice versa by two different
organizations. However the security measures for a virus is different than that of a worm. Hence systems
cannot be protected adequately unless they are identified and classified in a scientific manner.
Hence the need for a Taxonomy of Social Engineering. Taxonomy is derived from the Greek words
“taxis” or “arrangement” and “nomia” or “practice”. Thus Taxonomy may be defined as the art and
science of classification.
The purpose of taxonomy of social engineering is to provide a consistent method to classify attacks. It
provides a structured method to identify attacks. It incorporates previous information to categorize attacks
so that similarities can be made out and suitable computer / network antihacking measures devised. This
enables an organization to successfully combat new variations attacks. It is simultaneously all
encompassing and specific taking into account all aspects of hacking to identify a specific attack vector.
A good taxonomy comprises some essential features. These include”:
Acceptability – A taxonomy must be accepted by the community at large
Comprehensibility – Its language and concepts should be easily understood
Complete – It should exhaustively consider all aspects of all possible attacks and thus provide
categorization
Clarity – Terms must be clearly defined.
Determinants – The process of categorization must be described in an unambigous manner
Mutually Exclusive – There should be no overlap while categorization. Any one attack must be
categorized into one category
Repeatability – Categorizations should be able to be repeated
Terminology – The terms used for describing should be contemporary and relevant. This prevents
confusion
Utility – A taxonomy should be able to be used by industry to recognize and prevent attacks.
While the goal of a good taxonomy is to incorporate all of the above, it may not be necessary to include
all of them in any particular taxonomy.
Existing Taxonomies
The Protection Analysis (PA) Taxonomy of Bisbey and Hollingworth and the Reasearh in Secured
Operating Systems (RISOS ) of Abbot devised a taxonomy based on vulnerabilities. They categorized
faults in security systems and devised similar classification methods. They suffer from ambiguity in
definitions thus violating the mutually exclusivity principle that makes for a good taxonomy. The primary
utility of these two taxononmies is the foundation provided to develop more advanced variants.
Bishops Vulnerability Taxonomy
Bishop conducted an evaluation of the PA and RISOS taxonomies and used the base of susceptibilities to construct his own vulnerability taxonomy. His main contribution was to create a classification according to six axes including the nature, time, gains, effect, number & source of the attack. This method replaced the hitherto flat method of classification. He postulated the requirements of a good taxonomy.
Howard’s taxonomy
This taxonomy is based on processes used to perpetrate attacks. It classifies attacks according to five processes involved in an attack. These include the hackers, implements used, access, effects and motivation. This primary contribution of this taxonomy is its all encompassing approach including all aspects of an attack. However it is not mutually exclusive. Eg. the hackers category can contain overlap, i.e. the terrorist can also be spy.
Lough’s VERDICT Taxonomy
This taxonomy is the Validation Exposure Randomness Deallocation Improper Conditions Taxonomy (VERDICT). It focuses on 4 characteristics of a hacking attempt. These include Improper Validation – lack of authentication mechanisms results in unauthorized access to systemsImproper Exposure – A system that is exposed to attack and not adequately protectedImproper Randomness – attacks can occur at random Improper Deallocation – Confidential data is available for copying due to faulty deletion.
The VERDICT Taxonomy while being all encompassing in concept does not allow for identification to specific cases.
In fact while the above taxonomies fulfill most of the conditions that make for good taxonomies, they are too general in nature. Hence the need for a taxonomy that is practical and specific that will adequately fulfill the “usefulness” criteria of a good taxonomy. This will fulfill the end goal of this dissertation which is to provide a pragmatic approach for organizations to detect a socially engineered attack and prevent it during the daily course of events.
There are three stages of a social engineering attack. These are the:
1) Preparatory Stage2) The Implementation or Attack Stage3) Post Attack Stage
The Taxonomy proposed in this report will focus on the Implementation or Attack Stage as this is specific to Social Engineering. Any attack, even non socially engineered ones will require a preparatory and post attack stage.
For an attack to be classified as being socially engineered it must follow the Social Engineering Cycle which consists of four distinct stages including:
1) Research
During this stage, the hacker conducts a background search on the organization and its people to find out those persons who potentially hold classified data and who are vulnerable to attack.
2) Development of TrustAll humans are predisposed to “trust”. The hacker exploits this tendency by a series of social interactions / communications that result in gaining the victims trust . This is done by persuasive techniques that either connect the victim’s ability to reason or to human emotions such as avarice, sympathy and fear. Persuasion through reasoning is called the central route while persuasion through emotion is called the peripheral route. The aim of gaining the victims trust is to get them to then respond
3) Exploitation of TrustThe victim is then coaxed to divulge sensitive, classified information to the supposedly trustworthy entity, i.e. the hacker. This information typically includes passwords, user id’s, PIN numbers and access codes.
4) Utilization of Trust
The hacker then utilizes this data to access services available to the genuine user. These can be both financial and non financial in nature. The former includes actual siphoning of funds, purchase of expensive goods etc, while the latter includes unauthorized access to an organization’s infrastructure such as a data bank. All Social Engineering attacks can be divided into two broad categories
1) Human based social engineering (Man to Man) 2) Technology based social engineering (Man to Man via Media)
The two other methods of obtaining classified information includes open source research or shoulder surfing and covert searches or dumpster diving. However these two methods do not rely on any form of social interactions which is a primary requirement for an attack to be classified as being socially engineered.
While the human based approach involves face to face interactions that exploit a human beings possible ignorance and natural inclination to trust, the technology based approach exploits the users through communications through contemporary media. D
This brings us to the Fundamental Research Question of this Dissertation:
How does a Taxonomy of Phishing aid in identifying pishing attacks and hence the development of
effective anti phishing mechanisms?
Aim of the Dissertation
This dissertation aims to construct the taxonomy of phishing attacks based on the social engineering
techniques use for perpetration. This study will provide an insight into the nature of these attacks
thereby aiding in the development of detective and preventive mechanisms.
Objectives
To construct a Taxonomy of Phishing based on the use of Social Engineering Techniques
To identify the current taxonomies present and discuss their advantages and disadvantages
To experimentally demonstrate the effectiveness of Social Engineering Techniques
To educate, alert and sensitize the public as to the dangers of phishing and the insidious
methods used for perpetration
To use the insights gained from the above study to devise suitable antiphishing mechanisms
Research Flow
Chapter 1 – Introduction
This chapter will introduce the reader to the phenomenon of phishing. The research question, aims
and objectives of the dissertation will be discussed here.
Chapter 2 – Literature Review
This chapter is a compendium of extant literature on various Taxonomies of Phishing. Their
advantages and disadvantages will be highlighted after which Phishing Attacks will be classified
based on their method of perpetration. The different techniques will be elaborated upon.
Chapter 3 – Methodology
This chapter is an expose on the quantitative and qualitative techniques that will be used to conduct
the experiment that will demonstrate the effectiveness of social engineering techniques used to
perpetrate phishing attacks.
Chapter 4- Findings
This chapter is an elaboration of the experiment and its findings
Chapter 5 – Analysis and Discussion
The findings will be analyzed using the Descriptive Statistics tool. The deductions arrived at will be
discussed to show how successful social engineering techniques are in deceiving the larger public.
Chapter 6 – Conclusion, Limitations, Future Scope
This chapter summarizes the entire dissertation. Those aspects of phishing not yet discussed leaving
them open for future study will be highlighted
Methodology
This chapter critically evaluates those methodologies that will achieve our research objectives.
Research Approaches
All research methodologies can be classified as Inductive and Deductive, Quantitative and
Qualitative (Florencio & Hurley 2007). Deductive methodologies apply a general postulate or
hypothesis to specific individual cases while Inductive methodologies start with individual cases and
arrive at a hypothesis or postulate. Deductive methodologies move from the general to the specific
while Inductive methodologies move from the specific to the general (Gutmann 2007)
An inductive approach starts with experiments and observation under scientific conditions resulting
in the collection of primary data. This data is then subject to empirical analysis and a general
theories or hypotheses arrived at. This method is numbers based and is hence quantitative in nature
(Litan 2009).
The deductive approach employs descriptive, theoretical data for its analysis and is hence qualitative
in nature.
Research Strategies
The method of approach in this dissertation is both inductive & deductive in nature.
The deductive approach to be used in this dissertation will first entail detailed study of literature
available. This includes study of books, various research articles and reputed journals. The purpose of
the study is to identify the various taxonomies used to classify phishing attacks and highlight their
advantages and disadvantages. The author will propose a method of classification based on social
engineering techniques used to perpetrate these attacks. A detailed explanation of the methodology of
each attack will be given. Insofar as this method is theoretical and descriptive it is qualitative in
nature.
The inductive approach to be used in this dissertation involves perpetration of a simulated attack on
facebook accounts of a select audience. The findings of each attack in terms of ease of deception, the
effectiveness of the social engineering techniques used etc will be analyzed and discussed.
Insofar as this method is going to be experimental in nature and will use numbers and analysis to
arrive at conclusions it is inductive or quantitative in nature.
The research tools used will include the following:
Creation of a simulated phishing environment using PERL & Web scripting on a Facebook
Page. Spoofed Email Addresses will be used to send typical phishing messages to an identified
target audience. This message will be socially engineered and will contain a link that will
direct users to a webpage with the same look and feel of a facebook login page. The page will
prompt them to enter their login id’s and passwords. The success rate of these attempts will
then be measured.
The data from the above experiment will be collected and analyzed using The Descriptive
Univariate Statistics Analysis Tool in Excel.
PERL Scripting and Facebook
PERL is multipurpose, feature rich programming languages capable of being run on over 100
platforms and interfaced with several third party modules (Jackson & Simon 2007). It web
development capabilities will be used to create a phisher site with the same look and feel of a
facebook login page. It was chosen since it is easily available on the net, can be configured to most
platforms and can be used for programming by anybody with basic Web Scripting Knowledge.
Facebook Accounts were chosen since real phishers frequently hack into social networking sites
such as Linked in, My Space and Orkut as also Facebook to steal personal information which can
then be maliciously used (Fette & Sadeh 2006). Facebook being one of the most popular social
networking sites is frequently subject to phishing attacks. Hence it was chosen as part of this
experiment.
Population Sample
Sampling involves choosing a select representative group relevant to the research at hand from
amongst the general population (Allan & Heiser, 2006) and administering the experiment to them.
According to Bellovin (1995) budget and time constraints have to be considered when selecting a
sampling method. Sampling method is hence divided into two different categories. Probability
sampling is conducted with a determined number of persons while non-probability sampling is sent
to an indeterminate number of persons (Bignell 2006).
To identify the sample population for this experiment, probability sampling method will be used.
This method consists of identifying from amongst the larger population those individuals whose
responses would most suit our research purposes (Dasgupta & Chatha 2006). Probability sampling
also allows for quick collection of data since the sample audience is limited (Dierks & Rescorla
2006). The sample audience will be chosen from amongst friends, associates and their references.
This method will be chosen since it is obviously not possible to contact everyone in the research
population. Only a select 30 persons identified on account of their willingness to participate in this
experiment will be chosen. The strategy that will be used will not be disclosed to the participants to
prevent any pre – emption or increased alertness that will result in biased responses.
Permission to participate in the experiment will be sought through an email sent from the authors
ID. Only after receiving their confirmation will the spoofed email be sent to them.
Descriptive Statistical Analysis Tool
Univariate analysis or Frequency Count is the simplest form of Quantitative Statistical Analysis.
It summarizes individual variables in a given data set. (Franklin 2007). The responses from the
target audience will be fed into a summary excel sheet and then subject to this analysis. Given
that the responses are limited in terms of whether the respondents actually logged in or not, it
was thought fit to use the univariate method of analysis.
System Requirements
Hardware Requirements:
• PROCESSOR : PENTIUM IV 2.6 GHz
• RAM :512 MB RAM
• MONITOR :15” COLOR
• HARD DISK :20 GB
• KEYBOARD :STANDARD 102 KEYS
• NETWORK : ACCESS TO INTERNET
Software Requirements:
• FRONT END : Facebook Connectivity
• OPERATING SYSTEM : Window’s XP
• BACK END : Ms Excel
PERL Scripting
HTML Scripting
Research Ethics
Ethical considerations must be involved in every stage of the research process to ensure
transparency, reliability, confidentiality and to present original data and not a plagiarized version.
All the ethical guidelines issues by Sheffield Hallam University will be implemented throughout the
research. Compliances with regard to the university’s IT policy will be maintained at all times. Only
those who confirm their participation in the experiment will form the target audience of 30.
Risk Assessment and Limitations
The main limitations of this research are that Quantitative research methods are highly subjective.
(Fielding et al., 1999). Risks incurred and mitigations mechanisms put in place to counter these will
be discussed.
Approximate Time-line
August 11 September 11 October 11 November 11 December 11
Early Mid End Early Mid End Early Mid End Early Mid End Early Mid End
Collection of books, journals and other literature
Writing of Introduction, Research Question, Aims & Objectives, and Questionnaire. First Submission
Obtain feedback, incorporate them and submit revised proposal
Identify target audience, obtain their permission, send them Spoofed Mails
Collect Data and analyze
Finish the Dissertation and submit
Phase 1
Phase 2
Phase 3
Phase 4
Phase 5
Phase 6
References
ABAD, C. (2005). The Economy of Phishing: A survey of the operations of the phishing market.
New York. Cloudmark.
ADIDA, B, HOHENBERGER and RIVEST, R.L. (2005). Fighting Phishing Attacks: A
Lightweight Trust Architecture for Detecting Spoofed Emails. New York. ACM Press.
ALLAN, A. and HESIER, J. (2006). State of the Art for Online Consumer Authentication. New
York. Gartner.
ALSAID, A and MITCHELL, C.J. (2006). Preventing Phishing Attacks using Trusted
Computing Technology. Plymouth. ACM Press.
ANTI PHISHING WORKING GROUP. (2003). Proposed Solutions to Address the Threat of
Email Spoofing Scams. Available: http://www.antiphishing.org. Last Accessed: 19 September
2011.
BARROSO, D. (2007). Botnets – The Silent Threat, European Network and Information
Security Agency (ENISA).
BELLOVIN, S.M. (1995). Using the Domain Name System for System Break-ins. Proceedings
of Fifth Usenix UNIX Security Symposium. New York.
BIGNELL, K.D. (2006). Authentication in an Internet Banking Environment: Towards
Developing a Strategy for Fraud Detection. International Conference on Internet Surveillance
and Protection. Plymouth.
CHRISTODORESCU, M. and JHA, S. (2004). Testing Malware Detectors. New York. ISSTA.
CLAYTON, R. (2005). Who’d phish from the summit of Kilimanjaro? ISBN 9783-540-26656-3.
CLAYTON, R. (2005). A Chat at the Old Phishin’ Hole. Lecture Notes in Computer Science,
Stockholm.Springer-Verlag.
CLOSE, Tyler. (2004). Trust Management for Humans. Waterken Technical Report.
CRANOR, L. and ENGELMAN, S. (2006). Phinding Phish: An Evaluation of Anti Phishing
Toolbars.CyLab Technical Report. New York.
DAPENG, J. (2007). Personal Firewall Usability – A Survey. New York. McGraw & Hill.
DASGUPTA, P and CHATHA, K. (2006). Personal Authenticators: Identity Assurance under
the Viral Threat Model. New York. ACM Press.
DELPHA, L. and RASHID, M. (2004). Smartphone Security Issues. Europe.
Black Hat Briefings.
DEPARTMENT OF DEFENCE, (1985). Trusted Computer System Evaluation Criteria. Dod
5200.28-STD. In the Glossary under entry Trusted Computing Base (TCB). New York.
DHAMIJA, R. TYGAR, J.D. & HEARST, M. (2006). Why Phishing Works, New York.
McGraw-Hill.
DIERKS, T. and RESCORLA, E. (2006). The Transport Layer Security. New York. RFC.
DYNES, S, BRECHBUL, H. and JOHNSON, M.E. (2009) Information Security in the Extended
Enterprise: Some Initial Results from a field study of an Industrial Farm. Harvard University.
Available: http:// infosecon.net/workshop/pdf/51.pdf. Last Accessed: 18 June 2011.
EGELMAN, S. and CRANOR, F. (2008). You’ve been warned: An empirical study of the
effectiveness of web browser phishing warnings. ACM Press. New York.
EMIGH, A. (2011). Online Identity Theft: Phishing Technology, Chokepoints and
Countermeasures, Identity Theft Technology Council, Available:
http://www.antiphishing.org/phishing-dhs-report.pdf. Last Accessed: 19 June 2011
FETTE, I. and SADEH, N. (2006). Learning to Detect Phishing Emails. New York. Carnegie
Mellon Cyber Laboratory Technical Report.
FLORENCIO, D and HERLEY, C. (2007). A large scale study of web password habits. New
York. ACM Press.
FRANKLIN, J. (2007). An Inquiry into the Nature and Causes of the Wealth of Internet
Miscreants. New York. ACM Press.
FIELDING, R. GETTYS, J & MOGUL, J. (1999). Hypertext Transfer Protocol Request for
Comments. ACM Press.
GUHRING, P. (2007). Concepts against Man in the Browser Attacks, Financial Cryptography.
New York. ACM Press.
GUTMANN, P. (2007). Phishing Tips & Techniques. Cambridge.
HALLAWELL, A and LITAN, A. (2007). Brand Monitoring and Anti Phishing Services
Intersect Several Security Markets. Gartner Publications.
JACKSON, C. and SIMON, D.R. (2007). An Evaluation of Extended Validation and Picture in-
Picture Phishing Attacks. New York. USEC.
JAKOBSSON, M. (2007). Phishing and Countermeasures: Understanding the Increasing
Problem of Electronic Identity Theft. Wiley. ISBN: 978-0-471-78245-2.
JAKOBSSON, M. (2005). Modeling and Preventing Phishing Attacks. Phishing Panel of
Financial Cryptography. New York.
JAKOBSSON, M. & RATKIEWICZ, J. (2006). Designing Ethical Phishing Experiments: A
study of ROT13 query features, International Conference on World Wide Web.
JAMES, L. (2005). Phishing Exposed. Syngress. ISBN: 978-1-597-49030-6.
KAMINSKY, D. (2004). Black Ops of DNS. Black Hat Briefings.
LITAN, A. (2009). The War on Phishing is Far from Over. New York. Gartner Group Report.
MCMILLAN, R & GARTNER (2006). Consumers to Lose $ 2.8 Billion to Phishers in 2006.
New York. Network World.
MOORE, T. and CLAYTON, R. (2009). Evil Searching: Compromise and Recompromise of
Internet Hosts for Phishing. Barbados.
MORRIS, R.T. (1985). A Weakness in the 4.2 BSD UNIX TCP / IP software. Computing
Science Technical Report. AT & T Bell Laboratories.
MUTTON, P. (2006). PayPal Security Flaw Allows Identity Theft. New York. Netcraft.
OLLMAN, G. (2004). The Phishing Guide: Understanding & Preventing Phishing Attacks.
NGS Software Insight Security Research. New York.
PARNO, B. and KUO, C. (2006) Phoolproof Phishing Prevention. Available:
http://sparrow.eco.cmu.edu/-adrian/projects/;phishign.pdf. Last Accessed 15 July 2011
PHILIPPSOHN, S. (2001). Trends in Cybercrime – An Overview of Current Financial Crimes
on the Internet. Computers & Security Publications. New York.
ROWE, R. and Gallaher, M.P. (2009). Private Sector Cyber Security Investment: An Empirical
Analysis. Cambridge. Available: http://weis2006.econinfosec.org/docs/18.pdf. Last Accessed:
10 June 2009.
SALTON, G. MCGILL, M.J. (1986). Introduction to Modern Information Retrieval. New York.
McGraw-Hill.
TALLY, G. THOMAS, R. and VAN VLECK, T. (2004). Anti-Phishing: Best Practices for
Institutions and Consumers, New York. McAfee.
ZHANG, Yue & Jason. (2007). A context Based Approach to Detecting Phishing Web Sites.
New York. McGraw-Hill.
