ABSTRACT
The outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is very important for companies to come up with new ways to solve phishing problems, because phishing can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
INTRODUCTION
Phishing is the practice where criminals send out unsolicited commercial e-mails masquerading as valid authorities, using logos and other formatting to resemble authentic e-mails sent by the company that they are attempting to impersonate.
Once users receive such emails, the phishers attempt to lure them to web sites where personal information such as credit card numbers and social security numbers is required, in an attempt to break into the users' accounts. The so-called "phishers" try to steal usernames and passwords for identity and banking theft.
Companies such as PayPal, eBay, Amazon and most of the banks have been the biggest targets for phishing attacks.
LITERATURE REVIEW
The first phishing attempt occurred in January 1996. A hacker who was attempting to steal accounts from unsuspecting AOL members coined the term "phishing".
Comparison to Spam
The purpose of a phishing message is to acquire sensitive information about a user. In order to do so, the message needs to deceive the intended recipient into believing it is from a legitimate organization. As a form of deception, a phishing message contains no useful information for the intended recipient and thus falls under the category of spam. Although phishing is categorized as spam, it also differs from spam. Amongst other things, spam tries to sell a product or service, while a phishing message needs to look like it is from a legitimate organization. Due to the similarity between phishing and legitimate messages, techniques that are applied to spam messages cannot be applied naively to phishing messages. For example, text-based classification can perform reasonably well in identifying spam, but as a phishing message is forged to look like a message from a legitimate organization, text-based classification applied naively to a phishing message will have a high miss rate.
Anatomy of a phishing message
A raw phishing message can be split into two components: the content and the headers. These are commonly accepted as being the major components of a message.
Content
The content is the part of the message that the user sees, and it is used by phishing message producers to deceive users. It can be subdivided into two parts.
The cover is the content which is made to look like a message from the legitimate organization and usually informs the user of a problem with their account. Early phishing messages could be identified based only on their cover, due to imperfect grammar or spelling mistakes (which are uncommon in legitimate messages). Over time, the covers used in phishing messages have become more sophisticated, to the point where they even warn users about protecting their password and avoiding fraud. An example of this can be seen in the figure below, where the phishing message tells the victim to "Protect Your Account Info" by making sure "you never provide your password to fraudulent websites".
The sting is the part of the content that directs the victim to take remedial action. It usually takes the form of a clickable URL that directs the victim to a fake website to log into their account or enter other personal details. We call this the sting as this is the part of the content that inflicts pain, by means of financial loss or other undesirable action, after the victim enters their details on the website. Typically the sting is hidden by using HTML to display a legitimate-looking address instead of the address of the fake website. An example of this is shown in the figure above, where the address of the fake website is httpwwwnutristorecomaurhtm and the corresponding displayed text is a legitimate-looking httpswww2paypalcomcgi-bincmd= login.
Headers
The headers are the part of the message which is primarily used by the mail servers and the mail client to determine where the message is going and how to unpack it. Most users never see these headers, but for determining whether a message is phishing or not this part of the message can be quite useful. Headers can be subdivided into three parts, based on the entities which add them to the message.
Mail clients typically add headers such as "To", "From", "Subject" and some client-specific headers. Examples of mail client headers are X-MSMail-Priority, X-Mailer and X-MimeOLE, and they can be seen in the figure above. Phishing messages may try to fake a particular header and in doing so give away that the message is fake. For example, if the X-Mailer header indicates that an HTML message was composed using MS Outlook, but the message contains only HTML (without a plaintext part), this is an indication that the message is fake, as MS Outlook cannot send HTML-only messages.
Mail relays add headers along the path of the message. These are usually "Received" headers, which can be used to determine the originating IP of the message and the path it took.
Spam filters or virus scanners usually add headers to the message to indicate the results of the tests run over it. These headers can then be used by the receiving client to determine (based on a user-set threshold) what to do with the message.
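The content and header checks described in this anatomy section, written out as an added example (this is not code from the paper or from any tool it mentions). Using only Python's standard library it parses a constructed sample message, walks the Received chain from oldest relay to newest to recover the originating IP, applies the X-Mailer/HTML-only heuristic from the headers section, and flags sting links whose visible text is a URL on a different host than the real target. Every hostname, address and header value in the sample is constructed for illustration, and the way indicators are counted is an assumption.

```python
"""Added example (not the paper's code): triage a raw message along the
anatomy described above, i.e. the content (cover and sting) and the headers
(mail client, relays, filters).  The sample message, hostnames and IP
addresses below are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: HTML-only body, an X-Mailer claiming MS Outlook, and a
# link whose visible text is a bank URL while the real target is elsewhere.
SAMPLE_RAW = """\
Received: from mx.example-bank.test (mx.example-bank.test [192.0.2.10]) by inbound.example.test; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.test ([198.51.100.7]) by mx.example-bank.test; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [203.0.113.5] by relay.example.test; Mon, 1 Jan 2024 10:00:01 +0000
From: "Example Bank" <security@example-bank.test>
To: victim@example.test
Subject: Protect Your Account Info
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please <a href="http://www.attacker-site.test/login.htm">
https://www.example-bank.test/cgi-bin/webscr?cmd=_login</a> to verify.</p>
</body></html>
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg: EmailMessage) -> list:
    """IPs from the Received headers, oldest hop first.  Each relay prepends
    its header, so header order is newest first and has to be reversed."""
    hops = []
    for header in msg.get_all("Received", []):
        found = IPV4.search(str(header))
        if found:
            hops.append(found.group(1))
    return list(reversed(hops))


def html_only_outlook(msg: EmailMessage) -> bool:
    """The paper's heuristic: Outlook sends HTML together with a plaintext
    part, so an Outlook X-Mailer on an HTML-only message is inconsistent."""
    mailer = msg.get("X-Mailer", "")
    return ("outlook" in mailer.lower() and not msg.is_multipart()
            and msg.get_content_type() == "text/html")


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def link_mismatches(html: str) -> list:
    """Stings hidden in HTML: anchors whose displayed text looks like a URL
    but whose real target is on a different host."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(text, href) for text, href in collector.anchors
            if re.match(r"(https?://|www\.)", text, re.I)
            and _host(text) != _host(href)]


def triage(raw: str) -> dict:
    """Run all checks over one raw message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    path = received_chain(msg)
    findings = {
        "relay_path": path,
        "origin_ip": path[0] if path else None,
        "x_mailer_inconsistent": html_only_outlook(msg),
        "link_mismatches": link_mismatches(body),
    }
    # Assumption: one point per inconsistency; a real filter would weight them.
    findings["indicators"] = (int(findings["x_mailer_inconsistent"])
                              + len(findings["link_mismatches"]))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The origin IP is only as trustworthy as the lowest Received header a relay you control added; a sender can forge earlier "Received" lines, which is why the chain is read from the top (your own servers) downward and the hand-off point, not the bottom line, is what you rely on.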
WHY PHISHING ATTACKS WORK
Lack of Knowledge
Lack of computer system knowledge. Many users lack the underlying knowledge of how operating systems, applications, email and the web work, and how to distinguish among them. Phishing sites exploit this lack of knowledge in several ways. For example, some users do not understand the meaning or the syntax of domain names and cannot distinguish legitimate from fraudulent URLs (e.g., they may think www.ebay-members-security.com belongs to www.ebay.com). Another attack strategy forges the email header; many users do not have the skills to distinguish forged from legitimate headers.
Lack of knowledge of security and security indicators. Many users do not understand security indicators. For example, many users do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL. Even if they understand the meaning of that icon, users can be fooled by its placement within the body of a web page (this confusion is not helped by the fact that competing browsers use different icons and place them in different parts of their display). More generally, users may not be aware that padlock icons appear in the browser "chrome" (the interface constructed by the browser around a web page, e.g. toolbars, windows, address bar, status bar) only under specific conditions (i.e. when SSL is used), while icons in the content of the web page can be placed there arbitrarily by designers (or by phishers) to induce trust. Attackers can also exploit users' lack of understanding of the verification process for SSL certificates. Most users do not know how to check SSL certificates in the browser or understand the information presented in a certificate. In one spoofing strategy, a rogue site displays a certificate authority's (CA) trust seal that links to a CA web page. This web page provides an English-language description and verification of the legitimate site's certificate. Only the most informed and diligent users would know to check that the URL of the originating site and the legitimate site described by the CA match.
Lack of knowledge of web fraud. Some users don't know that spoofing websites is possible. Without awareness that phishing is possible, some users simply do not question website legitimacy.
Erroneous security knowledge. Some users have misconceptions about which website features indicate security. For example, participants assumed that if websites contained professional-looking images, animations and ads, the sites were legitimate (influenced by the well-known trust indicators discussed below). Similarly, dedicated login pages from banks were less trusted than those originating from a homepage; several participants mentioned a lack of images and links as a reason for their distrust.
Visual Deception
Phishers use visual deception tricks to mimic legitimate text, images and windows.
Visually deceptive text. Users may be fooled by the syntax of a domain name in "typejacking" attacks, which substitute letters that may go unnoticed (e.g. www.paypai.com uses a lowercase "i", which looks similar to the letter "l", and www.paypa1.com substitutes the number "1" for the letter "l"). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names.
Images masking underlying text. One common technique used by phishers is to use an image of a legitimate hyperlink. The image itself serves as a hyperlink to a different, rogue site.
Images mimicking windows. Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless he tries to move or resize the image.
(For user convenience, some legitimate organizations allow users to log in from non-SSL pages. Although the user data may be transmitted securely, there is no visual cue in the browser to indicate whether SSL is used for form submissions. To "remedy" this, designers resort to placing a padlock icon in the page content, a tactic that phishers also exploit.)
Windows masking underlying windows. A common phishing technique is to place an illegitimate browser window on top of, or next to, a legitimate window. If they have the same look and feel, users may mistakenly believe that both windows are from the same source, regardless of variations in address or security indicators. In the worst case, a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).
Deceptive look and feel. If images and logos are copied perfectly, sometimes the only cues available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue to the user might be the type and quantity of requested personal information.
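The domain-syntax confusion described under "Lack of computer system knowledge" (www.ebay-members-security.com is not www.ebay.com) and the "Visually deceptive text" tricks above (paypai.com, paypa1.com, non-ASCII characters) can all be caught by the same inspection, shown here as an added example rather than code from the paper. It goes slightly beyond the text by also catching a brand name embedded as a subdomain of an unrelated registrable domain. The brand table, the confusable-character map and the two-label registrable-domain rule are simplifying assumptions; a production check would consult the public suffix list and a full Unicode confusables table.

```python
"""Added example (not the paper's code): inspect a URL for the domain-name
look-alike tricks described above.  The brand table, the confusable map and
the two-label registrable-domain rule are simplifying assumptions."""
import unicodedata
from urllib.parse import urlsplit

# Assumption: brands we protect, keyed by their genuine registrable domain.
LEGITIMATE_DOMAINS = {"ebay.com": "eBay", "paypal.com": "PayPal"}

# Assumption: ASCII characters that a reader easily mistakes for one another.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption; real code would use the
    public suffix list so that e.g. co.uk is handled)."""
    return ".".join(host.split(".")[-2:])


def normalize(text: str) -> str:
    """Fold case, Unicode compatibility forms and ASCII look-alikes so that
    paypai.com and paypa1.com both collapse to paypal.com."""
    folded = unicodedata.normalize("NFKC", text).lower()
    return folded.translate(CONFUSABLES).replace("rn", "m")


def inspect_url(url: str) -> dict:
    """Classify the host of a URL against the protected brands."""
    host = (urlsplit(url).hostname or "").lower()
    registrable = registrable_domain(host)
    result = {
        "host": host,
        "registrable_domain": registrable,
        "non_ascii": any(ord(ch) > 127 for ch in host),
        "lookalike_of": None,
        "reason": None,
        "verdict": None,
    }
    # 1. The registrable domain itself is a protected brand: nothing to flag.
    if registrable in LEGITIMATE_DOMAINS:
        result.update(reason="exact", verdict="legitimate")
        return result
    # 2. Non-ASCII characters in a host name: the Unicode trick from the text.
    if result["non_ascii"]:
        result.update(reason="non_ascii",
                      verdict="suspicious: non-ASCII characters in host name")
        return result
    # 3. Same name once look-alike characters are folded (paypai, paypa1).
    for genuine, brand in LEGITIMATE_DOMAINS.items():
        if normalize(registrable) == normalize(genuine):
            result.update(lookalike_of=brand, reason="confusable",
                          verdict=f"suspicious: confusable look-alike of {genuine}")
            return result
    # 4. Brand name embedded in a host whose registrable domain is unrelated
    #    (ebay-members-security.com, or paypal.com.attacker.test).
    for genuine, brand in LEGITIMATE_DOMAINS.items():
        if genuine.split(".")[0] in host:
            result.update(lookalike_of=brand, reason="embedded_brand",
                          verdict=f"suspicious: {brand} name embedded in "
                                  f"unrelated domain {registrable}")
            return result
    result.update(reason="unknown", verdict="unknown domain")
    return result


if __name__ == "__main__":
    # Constructed inputs covering each case discussed in the text.
    for sample in ["http://www.ebay.com/signin",
                   "http://www.ebay-members-security.com/",
                   "http://www.paypai.com/",
                   "http://www.paypa1.com/",
                   "http://www.p\u0430ypal.com/",        # Cyrillic a
                   "http://www.paypal.com.attacker.test/"]:
        print(sample, "->", inspect_url(sample)["verdict"])
```

The order of the checks matters: an exact match on the registrable domain must win before the brand-substring rule, otherwise www.ebay.com itself would be flagged, and the non-ASCII test runs before confusable folding because NFKC does not map Cyrillic or Greek look-alikes onto Latin letters.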
WHAT SHOULD BE DONE TO FIGHT PHISHING (ANTI-PHISHING)
Phishing needs to be addressed in a managed way within the network and its components, such as servers, PCs, operating systems, browsers and other applications that run over a connection.
Considering the danger of both false negatives, where firewall packet inspection fails to identify a phishing site, and false positives, where firewall packet inspection wrongly rejects valid sites, it is important to minimize both risks. Microsoft's anti-phishing response team analyzes sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, sites that are concerned can be reconsidered and later removed from the list.
Another way of solving this problem is a technical one: a biometric check. Biometrics refers to technologies that analyze an individual's physical and behavioral characteristics to automate identification or verification of the user.
To avoid the risk of being hooked by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially from banks.
• Do not use the links provided in e-mails; following them can install malware on your computer. Instead, contact the company over the phone to solve any problems.
• Do not give your credit card numbers or account information unless you are using a secure Web site or the telephone. If you are using a Web site, check the beginning of the web address in your browser's address bar. A secure site should show up as "https" instead of just "http".
• Verify the real address of a web site. Cut and paste the following text into your browser's address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/")
• Ensure that your browser and OS software are up to date and that the latest security patches are applied.
Possible ways of bypassing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as key strokes, the attacker can also create such hooks using JavaScript embedded in the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically this is done by modifying the URL of an existing or hidden image to point at a web site that the attacker controls (e.g. if "a" has been pressed, an image URL may be set to http://attacker.com/key=a). Another possibility for the attacker is to set a simple timer and capture "snapshots" of the information in the forms. In this way an important part of the information could be captured without the user ever hitting a submit button.
The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately this solution is not feasible because, as mentioned before, a large number of Web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique, we ensure that the attacker is not able to create hooks and timers or intercept browser events such as key presses while the user is typing information into a text field. At the same time, we ensure that the legitimate JavaScript functionality on a page (such as input validation routines) is preserved. By the time the focus leaves the text element and JavaScript is reactivated, AntiPhish has already determined whether the information that was typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side effect of our approach is that legitimate event-based JavaScript functionality, such as input validation based on key presses, will not function. The use of key press events for input validation, however, is uncommon. Most web sites perform client-side input validation once, before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e. plug-in). Mozilla browser extensions are written using the Mozilla XML User Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information.
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic:
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own self-signed certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process.
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is the science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted over network communication paths. Although the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals, most algorithms can be broken and the information revealed if the attacker has enough time, desire and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy. There are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as the user name, and information about the organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as the public key and the other as the private key. The certification authority (generally on your campus) creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for the user and then signing it to make it official.
The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital certificate.
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.
Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner
Public Key Certificate
The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; organizations called relying parties who use the certificates as indicators of authentication; and clients who request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority that is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates. These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates. These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.
• Client certificates. These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates. These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions.
• CREN-signed campus certificates for institutions. These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.
• CREN Web server certificates. These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates. CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates and approves individuals, and CREN issues the certificates.
With these three levels of service, including the free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because hackers need to be kept out of companies' databases. Today's education is not enough, since phishers are getting better each day and coming up with newer tricks to catch innocent customers.
The real problem of phishing is that the login systems are very weak, and thus they need to be tighter when it comes to user authentication. Companies could increase their cryptographic protection by using more IPSec VPNs and digital certificates. With IPSec VPNs, customers as well as the merchant will need to obtain digital certificates from a certificate authority. Recently, while doing this research, we came across an article from PayPal where they are convincing email providers to block messages that lack digital signatures.
The reason for this is that PayPal is known as one of the most highly spoofed brands that fraudsters use today. This is a very good idea and a good way to keep hackers out of PayPal's databases. As a matter of fact, not only PayPal but every company that conducts business online should come up with a similar strategy. Using strategies like this will help customers gain confidence in doing business and dealing with money issues. In addition, well-known companies should increase user awareness through education and training, and work with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because phishing can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
resemble authentic e-mails sent by the company that they are attempting to
impersonate
Once the users receive such emails the phishers attempt to lure them to web
sites where personal information such as credit card number and social security
numbers are required in an attempt to hack into the usersrsquo accounts The so-
called ldquophishersrdquo try to steal usernames and passwords for identity and banking
theft
Companies such as PayPal eBay Amazon and most of the banks have been the
biggest target for phishing attacks
LITERATURE REVIEW
The first phishing attempt occurred in January 1996 A hacker who was
attempting to steal accounts from unexpected AOL Members coined the term
phishing
Comparison to Spam
The purpose of a phishing message is to acquire sensitive information about a
user In order to do so the message needs to deceive the intended recipient into
believing it is from a legitimate organization As a form of deception a phishing
message contains no useful information for the intended recipient and thus falls
under the category of spam Although phishing is categorized as spam it also
differs from spam Amongst other things spam tries to sell a product or service
while a phishing message needs to look like it is from a legitimate organization
Due to the similarity between phishing and legitimate messages techniques that
are applied to spam messages cannot be applied naively to phishing messages
For example text-based classification can perform reasonably well in identifying
spam but as a phishing message is forged to look like a message from a legitimate
organization text-based classification applied naively to a phishing message will
have a high miss rate
Anatomy of a phishing message
A raw phishing message can be split into two components: the content and the headers. These are commonly accepted as being the major components of a message.
Content
The content is the part of the message that the user sees, and it is used by phishing message producers to deceive users. It can be subdivided into two parts.
The cover is the content which is made to look like a message from the legitimate organization and usually informs the user of a problem with their account. Early phishing messages could be identified based only on their cover, due to imperfect grammar or spelling mistakes (which are uncommon in legitimate messages). Over time, the covers used in phishing messages have become more sophisticated, to the point where they even warn the users about protecting their password and avoiding fraud. An example of this can be seen in the figure below, where the phishing message tells the victim to "Protect Your Account Info" by making sure "you never provide your password to fraudulent websites".
The sting is the part of the content that directs the victim to take remedial actions. It usually takes the form of a clickable URL that directs the victim to a fake website to log into their account or enter other personal details. We call this the sting, as this is the part of the content that inflicts pain, by means of financial loss or other undesirable action, after the victim enters their details on the website. Typically the sting is hidden by using HTML to display a legitimate-looking address instead of the address of the fake website. An example of this is shown in the figure above, where the address of the fake website is http://www.nutristore.com/aur.htm and the corresponding displayed text is a legitimate-looking https://www2.paypal.com/cgi-bin/cmd=_login.
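To make the sting concrete, here is an added example, not code from the original report, that scans an HTML body for anchors whose visible text is a URL on one host while the href points to another host; the sample message, including its nutristore/paypal pair, is constructed for the demonstration.

```python
"""Flag "sting" links in an HTML e-mail body: anchors whose visible text looks
like a URL for one host while the href actually points somewhere else.
Added example, not code from the original report; the sample message below is
constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A URL as a reader would recognise it inside anchor text.
URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished (href, text) pairs
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def find_stings(html):
    """Return (displayed_url, real_url) pairs where the anchor text is itself a
    URL whose host differs from the host the link really targets."""
    parser = AnchorCollector()
    parser.feed(html)
    stings = []
    for href, text in parser.links:
        shown = URL_RE.search(text)
        if shown is None:
            continue          # plain-text link label: nothing to compare against
        if host_of(shown.group(0)) != host_of(href):
            stings.append((shown.group(0), href))
    return stings


# Constructed sample modelled on the cover and sting described in the report.
SAMPLE_MESSAGE = """
<p>Protect Your Account Info: make sure you never provide your password
to fraudulent websites.</p>
<p>Please log in here:
<a href="http://www.nutristore.com/aur.htm">https://www2.paypal.com/cgi-bin/cmd=_login</a>
</p>
<p>Questions? See <a href="https://www.paypal.com/help">our help pages</a>.</p>
"""

if __name__ == "__main__":
    for shown, real in find_stings(SAMPLE_MESSAGE):
        print(f"displayed {shown} but points to {real}")
```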
Headers
The headers are the part of the message which is primarily used by the mail servers and the mail client to determine where the message is going and how to unpack the message. Most users do not see these headers, but in terms of determining whether a message is phishing or not, this part of the message can be quite useful. Headers can be subdivided into three parts, based on the entities which add them to the message.
Mail clients typically add headers such as "To", "From", "Subject" and some client-specific headers. Examples of mail client headers are X-MSMail-Priority, X-Mailer and X-MimeOLE, and they can be seen in the figure above. Phishing messages may try to fake a particular header and, in doing so, give away that the message is fake. For example, if the X-Mailer header indicates that an HTML message has been composed using MS Outlook but the message only contains HTML (without plaintext), this is an indication that the message is fake, as MS Outlook cannot send HTML-only messages.
Mail relays will add headers along the path of the message. These are usually "Received" headers, which can be used to determine the originating IP of the message and the path taken by the message.
Spam filters or virus scanners will usually add headers to the message to indicate the results of the tests run over the message. These headers can then be used by the receiving client to determine (based on a user-set threshold) what to do with the message.
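An added example, not from the original report, that applies the three header checks above to a constructed raw message (all hosts and addresses are placeholders): the X-Mailer versus HTML-only-body test, the Received chain in delivery order, and any scanner verdict headers.

```python
"""Inspect the headers of a raw message for the three kinds of clue the report
describes: client-added headers that contradict the body, Received headers
that record the relay path, and verdicts added by spam filters or scanners.
Added example, not code from the original report; the raw message is
constructed for illustration (hosts and addresses are placeholders)."""
import email
from email import policy

# Constructed message: an Outlook X-Mailer on a body that is HTML only.
RAW_MESSAGE = b"""Received: from mail.example-bank.invalid (mail.example-bank.invalid [192.0.2.10])
\tby mx.recipient.invalid with ESMTP id abc123; Mon, 1 Jan 2007 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example-bank.invalid with SMTP; Mon, 1 Jan 2007 09:59:00 +0000
From: "Example Bank" <security@example-bank.invalid>
To: victim@recipient.invalid
Subject: Protect Your Account Info
X-Mailer: Microsoft Office Outlook 11
X-MSMail-Priority: High
X-Spam-Status: Yes, score=7.2
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><p>Please verify your account.</p></body></html>
"""


def content_types(msg):
    """Content types of every leaf part, in document order."""
    return [part.get_content_type() for part in msg.walk() if not part.is_multipart()]


def claims_outlook_but_html_only(msg):
    """The report's X-Mailer check: it states MS Outlook cannot send HTML-only
    messages, so an Outlook X-Mailer on a body with no text/plain part points
    to a forged client header."""
    mailer = str(msg.get("X-Mailer") or "").lower()
    return "outlook" in mailer and content_types(msg) == ["text/html"]


def received_chain(msg):
    """Relay path from the Received headers, first hop first. Each relay
    prepends its header, so the last one in the message is the oldest."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        hops.append(" ".join(str(value).split()))   # collapse folded whitespace
    return hops


def scanner_verdicts(msg):
    """Headers added by spam filters or virus scanners (X-Spam-*, X-Virus-*)."""
    return {name: str(value) for name, value in msg.items()
            if name.lower().startswith(("x-spam-", "x-virus-"))}


def analyse(raw):
    """Run all three checks over a raw RFC 822 message and report the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "forged_client_header": claims_outlook_but_html_only(msg),
        "received_chain": received_chain(msg),
        "scanner_verdicts": scanner_verdicts(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(key, "->", value)
```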
WHY PHISHING ATTACKS WORK
Lack of Knowledge
Lack of computer system knowledge. Many users lack the underlying knowledge of how operating systems, applications, email and the web work, and how to distinguish among these. Phishing sites exploit this lack of knowledge in several ways. For example, some users do not understand the meaning or the syntax of domain names and cannot distinguish legitimate versus fraudulent URLs (e.g. they may think www.ebay-members-security.com belongs to www.ebay.com). Another attack strategy forges the email header; many users do not have the skills to distinguish forged from legitimate headers.
Lack of knowledge of security and security indicators. Many users do not understand security indicators. For example, many users do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL. Even if they understand the meaning of that icon, users can be fooled by its placement within the body of a web page (this confusion is not aided by the fact that competing browsers use different icons and place them in different parts of their display). More generally, users may not be aware that padlock icons appear in the browser "chrome" (the interface constructed by the browser around a web page, e.g. toolbars, windows, address bar, status bar) only under specific conditions (i.e. when SSL is used), while icons in the content of the web page can be placed there arbitrarily by designers (or by phishers) to induce trust. Attackers can also exploit users' lack of understanding of the verification process for SSL certificates. Most users do not know how to check SSL certificates in the browser or understand the information presented in a certificate. In one spoofing strategy, a rogue site displays a certificate authority's (CA) trust seal that links to a CA webpage. This webpage provides an English-language description and verification of the legitimate site's certificate. Only the most informed and diligent users would know to check that the URL of the originating site and the legitimate site described by the CA match.
Lack of knowledge of web fraud. Some users don't know that spoofing websites is possible. Without awareness that phishing is possible, some users simply do not question website legitimacy.
Erroneous security knowledge. Some users have misconceptions about which website features indicate security. For example, participants assumed that if websites contained professional-looking images, animations and ads, the sites were legitimate (influenced by the well-known trust indicators discussed below). Similarly, dedicated login pages from banks were less trusted than those originating from a homepage; several participants mentioned a lack of images and links as a reason for their distrust.
Visual Deception
Phishers use visual deception tricks to mimic legitimate text, images and windows.
Visually deceptive text. Users may be fooled by the syntax of a domain name in "type jacking" attacks, which substitute letters that may go unnoticed (e.g. www.paypai.com uses a lowercase "i", which looks similar to the letter "l", and www.paypa1.com substitutes the number "1" for the letter "l"). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names.
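Both the www.ebay-members-security.com confusion described under lack of computer system knowledge and the paypai.com/paypa1.com substitutions above come down to comparing the host a user is about to trust with the brand's real domain. This added example (not the report's code) does that comparison; it assumes, as a simplification, that the registrable domain is the last two labels of the host, which holds for .com but not for every TLD, and all the test URLs are constructed.

```python
"""Classify the host of a URL against a brand's real domain, catching the two
confusions the report describes: extra or hyphenated labels that merely
contain the brand, and letter substitutions ("type jacking").
Added example, not code from the original report. Assumption: the registrable
domain is the last two labels of the host (true for .com, not for every TLD)."""
import unicodedata
from urllib.parse import urlparse

# Glyphs a reader is likely to merge when the address is shown in a small font.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})


def registrable_domain(host):
    """Last two labels of a host name, e.g. 'www.ebay.com' -> 'ebay.com'
    (simplifying assumption: two-label registrable domains)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(label):
    """Fold a label to the shape a reader perceives: NFKC-normalise
    accented or full-width letters, then collapse confusable glyphs."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return folded.replace("rn", "m").translate(CONFUSABLE)


def classify(url, brand_domain):
    """Return 'match', 'unrelated' or one of the deception labels:
    'non-ascii', 'lookalike', 'brand-in-hyphenated-label', 'brand-in-subdomain'."""
    host = (urlparse(url).hostname or "").rstrip(".")
    if not host:
        return "no-host"
    if any(ord(ch) > 127 for ch in host):
        return "non-ascii"        # homograph risk; needs IDNA-aware handling
    brand = brand_domain.lower()
    brand_label = brand.split(".")[0]
    domain = registrable_domain(host)
    if domain == brand:
        return "match"
    head = domain.split(".")[0]
    if skeleton(head) == skeleton(brand_label):
        return "lookalike"        # paypai.com, paypa1.com
    if brand_label in head.split("-"):
        return "brand-in-hyphenated-label"   # ebay-members-security.com
    if brand_label in host.split(".")[:-2]:
        return "brand-in-subdomain"          # ebay.com.example.net
    return "unrelated"


if __name__ == "__main__":
    for candidate in ("https://www.paypal.com/cgi-bin/webscr", "http://www.paypai.com/login",
                      "http://www.paypa1.com/login", "http://www.ebay-members-security.com/"):
        brand = "ebay.com" if "ebay" in candidate else "paypal.com"
        print(candidate, "->", classify(candidate, brand))
```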
Images masking underlying text. One common technique used by phishers is to use an image of a legitimate hyperlink. The image itself serves as a hyperlink to a different, rogue site.
Images mimicking windows. Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless he tries to move or resize the image.
(For user convenience, some legitimate organizations allow users to log in from non-SSL pages. Although the user data may be transmitted securely, there is no visual cue in the browser to indicate if SSL is used for form submissions. To "remedy" this, designers resort to placing a padlock icon in the page content, a tactic that phishers also exploit.)
Windows masking underlying windows. A common phishing technique is to place an illegitimate browser window on top of, or next to, a legitimate window. If they have the same look and feel, users may mistakenly believe that both windows are from the same source, regardless of variations in address or security indicators. In the worst case, a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).
Deceptive look and feel. If images and logos are copied perfectly, sometimes the only cues that are available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue to the user might be the type and quantity of requested personal information.
WHAT SHOULD BE DONE TO FIGHT PHISHING (ANTI-PHISHING)
Phishing needs to be addressed in a managerial way within the network and its components, such as servers, PCs, operating systems, browsers and other applications that run off a connection.
Considering the danger of both false negatives, where firewall packet inspection fails to identify a phishing site, and false positives, where firewall packet inspection wrongly rejects valid sites, it is important to minimize these risks. Microsoft's anti-phishing response team analyzes sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, sites that are concerned can be reconsidered and later removed from the list.
Another way of solving this problem is technical: a biometric check. Biometrics refers to technologies that analyze an individual's physical and behavioral characteristics to automate identification or verification of the user.
To avoid the risk of being hooked by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially from banks.
• Do not use the links that are provided in e-mails; this can lead to malicious software being installed on your computer. Instead, contact the company over the phone to solve any problems.
• Do not give your credit card numbers or account information unless you are using a secure Web site or the telephone. If you are using a Web site, check the beginning of the web address in your browser's address bar. A secure site should show up as "https" instead of just "http".
• Verify the real address of a web site. Cut and paste the following text into your browser's address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/")
• Ensure that your browser and OS software are up to date and that the latest security patches are applied.
Possible ways of bypassing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as key strokes, the attacker can also create such hooks using JavaScript embedded in the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically this is done by modifying the URL of an existing or hidden image to a web site that the attacker controls (e.g. if "a" has been pressed, an image URL may be set to http://attacker.com/key/a).
Another possibility for the attacker could be to set a simple timer and to capture "snapshots" of the information in the forms. In this way, an important part of the information could be captured without the user ever hitting a submit button. The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately, this solution is not feasible because, as mentioned before, a large number of Web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique, we ensure that the attacker is not able to create hooks or timers and intercept browser events such as key presses while the user is typing information into a text field. At the same time, we ensure that the legitimate JavaScript functionality on a page (such as input validation routines) is preserved. By the time the focus is lost from the text element and JavaScript is reactivated, AntiPhish has already determined whether the information that was typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side effect of our approach is that legitimate event-based JavaScript functionality, such as input validation based on key presses, will not function. The use of key press events for input validation, however, is uncommon. Most web sites perform client-side input validation once, before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e. plug-in). Mozilla browser extensions are written using the Mozilla XML User Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information.
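As an added model, not the AntiPhish extension's own code, the following simulates the focus/blur policy and the sensitive-value check described above: JavaScript is switched off while a text element has focus, and on blur the typed value is compared with values the user saved for trusted sites. It stands in for the DES-encrypted store with an HMAC-SHA-256 digest, and all domains and secrets are constructed.

```python
"""Model of the AntiPhish check the report describes: while a text field has
focus the page's JavaScript is off, and when focus leaves the field the typed
value is compared with the sensitive values stored for trusted sites. A match
on an untrusted site cancels the operation.
Added example, not the AntiPhish extension's code. The report's DES-encrypted
store is replaced by a keyed digest; domains and secrets are constructed."""
import hashlib
import hmac
import secrets


class AntiPhishModel:
    """State for one browser: the watch list plus the JavaScript switch that
    follows text-field focus."""

    def __init__(self, key=None):
        # Local secret for the digest; a real extension would persist it so
        # stored digests stay comparable across sessions.
        self._key = key or secrets.token_bytes(32)
        self._store = {}          # digest(value) -> set of trusted domains
        self.js_enabled = True    # whether page JavaScript may run right now
        self._pending = None      # (domain, field) while a text element has focus
        self.log = []             # reasons for cancelled operations

    def _digest(self, value):
        # Keyed digest instead of DES: typed text can be checked against the
        # watch list without the list holding the secrets in readable form.
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def remember(self, domain, value):
        """User registers a sensitive value as belonging to a trusted domain."""
        self._store.setdefault(self._digest(value), set()).add(domain.lower())

    def focus(self, domain, field):
        """Focus enters a text element: switch JavaScript off so page scripts
        cannot hook key presses or snapshot the form while the user types."""
        self.js_enabled = False
        self._pending = (domain.lower(), field)

    def blur(self, typed_value):
        """Focus leaves the element: switch JavaScript back on, then decide
        whether the typed value is a watched secret on the wrong site."""
        if self._pending is None:
            return "allow"
        domain, field = self._pending
        self._pending = None
        self.js_enabled = True
        trusted_for = self._store.get(self._digest(typed_value))
        if trusted_for is None or domain in trusted_for:
            return "allow"
        self.log.append(f"field '{field}' on {domain} holds a value saved for "
                        + ", ".join(sorted(trusted_for)))
        return "cancel"


def run_scenario():
    """Constructed walk-through: a password saved for bank.example is typed
    again on a look-alike domain. Returns the decisions for checking."""
    ap = AntiPhishModel(key=b"constructed-fixed-key-for-the-demo")
    ap.remember("bank.example", "hunter2")               # constructed secret
    ap.focus("bank.example", "password")
    on_trusted = ap.blur("hunter2")                       # same site: allowed
    ap.focus("bank-security-check.example", "password")
    js_while_typing = ap.js_enabled                       # False while focused
    on_untrusted = ap.blur("hunter2")                     # other site: cancelled
    ap.focus("bank-security-check.example", "search")
    unrelated = ap.blur("opening hours")                  # not a watched value
    return {"trusted": on_trusted, "js_while_typing": js_while_typing,
            "untrusted": on_untrusted, "unrelated": unrelated,
            "js_after": ap.js_enabled, "log": ap.log}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```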
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic:
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own, self-signed, certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process.
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is a science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths. Although the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals, most algorithms can be broken and the information can be revealed if the attacker has enough time, desire and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy. There are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as the user name, and information about the organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as a public key and the other as a private key. The certification authority, generally on your campus, creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for the user and then signing it to make it official.
The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle, there are three different interests associated with a digital certificate.
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.
Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner
Public Key Certificate
The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers, as service providers, will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; organizations called relying parties, who use the certificates as indicators of authentication; and clients, who request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority, which is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates. These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates. These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.
• Client certificates. These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates. These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions.
• CREN-signed campus certificates for institutions. These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.
• CREN Web server certificates. These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates. CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals and CREN issues the certificates.
With these three levels of service, including the free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because hackers need to be kept out of companies' databases. Today's education is not enough, since phishers are getting better each day and coming up with newer tricks to catch innocent customers.
The real problem of phishing is that the login systems are very weak, and thus they need to be tighter when it comes to user authentication. Companies could increase their cryptographic protection by using more IPSec VPNs and digital certificates. With IPSec VPNs, customers as well as the merchant will need to obtain digital certificates from a certificate authority. Recently, while doing this research, we came across an article from PayPal where they are convincing email providers to block messages that lack digital signatures.
The reason for this is that PayPal is known as one of the most highly spoofed brands that fraudsters use today. This is a very good idea and a good way to keep hackers out of PayPal databases. As a matter of fact, not only PayPal but every company that conducts business should come up with a similar strategy. Using strategies similar to this will help customers gain confidence in doing business and dealing with money issues. In addition, well-known companies should increase user awareness by education, training and working with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because they can become a major loss to well-known companies. They can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase the awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
under the category of spam Although phishing is categorized as spam it also
differs from spam Amongst other things spam tries to sell a product or service
while a phishing message needs to look like it is from a legitimate organization
Due to the similarity between phishing and legitimate messages techniques that
are applied to spam messages cannot be applied naively to phishing messages
For example text-based classification can perform reasonably well in identifying
spam but as a phishing message is forged to look like a message from a legitimate
organization text-based classification applied naively to a phishing message will
have a high miss rate
Anatomy of a phishing message
A raw phishing message can be split into two components the content and the
headers These components are commonly accepted as being the major
components of a message
Content
The content is the part of the message that the user sees and is used by phishing
message producers to deceive users It can be subdivided into two parts
The cover is the content which is made to look like a message from the
legitimate organization and usually informs the user of a problem with
their account Early phishing messages could be identified based only on
their cover due to imperfect grammar or spelling mistakes (which are
uncommon in legitimate messages) Over time the covers used in phishing
messages have become more sophisticated to the point where they even
warn the users about protecting their password and avoiding fraud An
example of this can be seen in Figure below where the phishing message
tells the victim to ldquoProtect Your Account Infordquo by making sure ldquoyou never
provide your password to fraudulent websitesrdquo
The sting is the part of the content that directs the victim to take
remedial actions It usually takes the form of a clickable URL that directs the
victim to a fake website to log into their account or enter other personal
details We call this the sting as this is the part of the content that inflicts
pain by means of financial loss or other undesirable action after the victim
enters their details on the website Typically the sting is hidden by using
HTML to display a legitimate looking address instead of the address of the
fake website An example of this is shown in above Figure where the
address of the fake website is httpwwwnutristorecomaurhtm and
the corresponding displayed text is a legitimate looking
httpswww2paypalcomcgi-bincmd= login
Headers
The headers are the part of the message which is primarily used by the mail
servers and the mail client to determine where the message is going and how to
unpack the message Most users do not see these headers but in terms of
determining if a message is phishing or not this part of the message can be quite
useful Headers can be subdivided into three parts based on the entities which
add them to the message
Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo
and some client specific headers Examples of mail client headers are X-
MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above
figure Phishing messages may try to fake a particular header and in doing
so give away that the message is fake For example if the X-Mailer header
indicates that a HTML message has been composed using MS Outlook but
the message only contains HTML (without plaintext) this is an indication
that the message is fake as MS Outlook cannot send HTML only messages
Mail relays will add headers along the path of the message These are
usually ldquoReceivedrdquo headers which can be used to determine the
originating IP of the message and the path taken by the message
Spam-filters or virus-scanners will usually add headers to the message to
indicate results of the tests run over the message These headers can then
be used by the receiving client to determine (based on a user-set
threshold) what to do with the message
WHY PHISHING ATTACK
Lack of Knowledge
Lack of computer system knowledge Many users lack the
underlying knowledge of how operating systems applications email and
the web work and how to distinguish among these Phishing sites exploit
this lack of knowledge in several ways For example some users do not
understand the meaning or the syntax of domain names and cannot
distinguish legitimate versus fraudulent URLs (eg they may think
wwwebay-members-securitycom belongs to wwwebaycom) Another
attack strategy forges the email header many users do not have the skills
to distinguish forged from legitimate headers
Lack of knowledge of security and security indicators Many
users do not understand security indicators For example many users do
not know that a closed padlock icon in the browser indicates that the page
they are viewing was delivered securely by SSL Even if they understand the
meaning of that icon users can be fooled by its placement within the body
of a web page (this confusion is not aided by the fact that competing
browsers use different icons and place them in different parts of their
display) More generally users may not be aware that padlock icons appear
in the browser ldquochromerdquo (the interface constructed by the browser around
a web page eg toolbars windows address bar status bar) only under
specific conditions (ie when SSL is used) while icons in the content of the
web page can be placed there arbitrarily by designers (or by phishers) to
induce trust Attackers can also exploit usersrsquo lack of understanding of the
verification process for SSL certificates Most users do not know how to
check SSL certificates in the browser or understand the information
presented in a certificate In one spoofing strategy a rogue site displays a
certificate authoritys (CA) trust seal that links to a CA webpage This
webpage provides an English language description and verification of the
legitimate sitersquos certificate Only the most informed and diligent users
would know to check that the URL of the originating site and the legitimate
site described by the CA match
Lack of knowledge of web fraud Some users donrsquot know that
spoofing websites is possible Without awareness phishing is possible
some users simply do not question website legitimacy
Erroneous security knowledge Some users have misconceptions
about which website features indicate security For example participants
assumed that if websites contained professional-looking images
animations and ads they assumed the sites were legitimate (influenced by
well-known trust indicators discussed below) Similarly dedicated login
pages from banks were less trusted than those originating from a
homepage several participants mentioned a lack of images and links as a
reason for their distrust
Visual Deception
Phishers use visual deception tricks to mimic legitimate text, images and windows.
Visually deceptive text. Users may be fooled by the syntax of a domain name in "typejacking" attacks, which substitute letters that may go unnoticed (e.g. www.paypai.com uses a lowercase "i", which looks similar to the letter "l", and www.paypa1.com substitutes the number "1" for the letter "l"). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names.
Images masking underlying text. One common technique used by phishers is to use an image of a legitimate hyperlink. The image itself serves as a hyperlink to a different, rogue site.
Images mimicking windows. Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless he tries to move or resize the image.
For user convenience, some legitimate organizations allow users to log in from non-SSL pages. Although the user data may be transmitted securely, there is no visual cue in the browser to indicate whether SSL is used for form submissions. To "remedy" this, designers resort to placing a padlock icon in the page content, a tactic that phishers also exploit.
Windows masking underlying windows. A common phishing technique is to place an illegitimate browser window on top of, or next to, a legitimate window. If they have the same look and feel, users may mistakenly believe that both windows are from the same source, regardless of variations in address or security indicators. In the worst case, a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).
Deceptive look and feel. If images and logos are copied perfectly, sometimes the only cues available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue to the user might be the type and quantity of personal information requested.
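As an added example (not from the report), a defender-side check for the look-alike domains described under "Visually deceptive text": it reduces a hostname to a visual skeleton (confusable and Cyrillic characters mapped to the Latin letters they imitate, zero-width characters removed), compares the registrable domain against a watch list of protected brands, and also flags domains that merely embed a brand name. The brand list, confusable table and hostnames are constructed; taking the last two labels as the registrable domain is a simplification standing in for the Public Suffix List.

```javascript
// Added example, not code from the report. Watch list and confusable table are
// constructed for this demo.
const PROTECTED_BRANDS = ["paypal.com", "ebay.com"];

// Code points that render close enough to a Latin letter to pass unnoticed in
// an address bar, each mapped to the ASCII letter it imitates.
const CONFUSABLES = new Map([
  ["1", "l"], ["i", "l"], ["|", "l"], ["!", "l"], ["\u0456", "l"], // one, i, bar, Cyrillic i
  ["0", "o"], ["\u043e", "o"],                                     // zero, Cyrillic o
  ["\u0430", "a"], ["\u0435", "e"], ["\u0440", "p"], ["\u0441", "c"], // Cyrillic a, e, er, es
  ["\u0455", "s"], ["\u0443", "y"], ["\u0445", "x"],               // Cyrillic dze, u, ha
]);

// Zero-width and other non-printing code points that can hide inside a label.
const NON_PRINTING = /[\u00AD\u200B-\u200D\u2060\uFEFF]/g;

// Reduce a hostname to its visual skeleton: lowercase, Unicode-normalised,
// non-printing characters dropped, confusables canonicalised, and two-letter
// pairs that read as one letter ("rn" as "m", "vv" as "w") collapsed.
function skeleton(hostname) {
  const base = hostname.normalize("NFKC").toLowerCase().replace(NON_PRINTING, "");
  const mapped = Array.from(base, (ch) => CONFUSABLES.get(ch) ?? ch).join("");
  return mapped.replace(/rn/g, "m").replace(/vv/g, "w");
}

// Registrable domain taken as the last two labels. This is a simplification of
// the demo; production code consults the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Levenshtein distance, to catch one-character insertions or omissions
// (paypa.com, paypall.com) that the confusable map alone does not cover.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Classify a hostname against the watch list.
function classifyHostname(hostname) {
  const domain = registrableDomain(hostname.normalize("NFKC"));
  if (PROTECTED_BRANDS.includes(domain)) return { verdict: "legitimate", brand: domain };

  const domainSkeleton = skeleton(domain);
  for (const brand of PROTECTED_BRANDS) {
    // Same visual skeleton, or one edit away, but not the brand's own domain:
    // paypai.com, paypa1.com, Cyrillic letters, hidden zero-width characters.
    const brandSkeleton = skeleton(brand);
    if (domainSkeleton === brandSkeleton || editDistance(domainSkeleton, brandSkeleton) <= 1) {
      return { verdict: "lookalike", brand };
    }
  }
  // Brand name used as a label or hyphenated token in a domain the brand does
  // not own: ebay-members-security.com, paypal.com.attacker.example.
  const tokens = skeleton(hostname).split(/[.-]/);
  for (const brand of PROTECTED_BRANDS) {
    if (tokens.includes(brand.split(".")[0])) return { verdict: "brand-embedded", brand };
  }
  return { verdict: "unrelated", brand: null };
}
```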
WHAT SHOULD BE DONE TO FIGHT PHISHING (ANTI-PHISHING)
Phishing needs to be addressed in a managerial way across the network and its components, such as servers, PCs, operating systems, browsers and other applications that run over a connection.
Considering the danger of both false negatives, where firewall packet inspection fails to identify a phishing site, and false positives, where firewall packet inspection wrongly rejects valid sites, it is important to minimize both risks. Microsoft's anti-phishing response team analyzes sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, sites whose owners raise a concern can be reconsidered and later removed from the list.
Another way of solving this problem is technical: a biometric check. Biometrics refers to technologies that analyze an individual's physical and behavioral characteristics to automate identification or verification of the user.
To avoid the risk of being caught by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially ones claiming to be from banks.
• Do not use the links provided in e-mails; this can lead to malicious software being installed on your computer. Instead, contact the company over the phone to solve any problems.
• Do not give out your credit card numbers or account information unless you are using a secure Web site or the telephone. If you are using a Web site, check the beginning of the web address in your browser's address bar: a secure site should show up as "https" instead of just "http".
• Verify the real address of a web site. Cut and paste the following text into your browser's address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/");
• Ensure that your browser and OS software are up to date and that the latest security patches are applied.
Possible ways of bypassing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as keystrokes, the attacker can also create such hooks using JavaScript embedded in the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically, this is done by modifying the URL of an existing or hidden image to point to a web site that the attacker controls (e.g. if "a" has been pressed, an image URL may be set to http://attacker.com/key=a). Another possibility for the attacker would be to set a simple timer and to capture "snapshots" of the information in the forms. In this way an important part of the information could be captured without the user ever hitting a submit button.
The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately, this solution is not feasible because, as mentioned before, a large number of Web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique, we ensure that the attacker is not able to create hooks or timers, or intercept browser events such as key presses, while the user is typing information into a text field. At the same time, we ensure that the legitimate JavaScript functionality on a page (such as input validation routines) is preserved. By the time the focus is lost from the text element and JavaScript is reactivated, AntiPhish has already determined whether the information that was typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side effect of our approach is that legitimate event-based JavaScript functionality, such as input validation based on key presses, will not function. The use of key press events for input validation, however, is uncommon; most web sites perform client-side input validation once before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e. plug-in). Mozilla browser extensions are written using the Mozilla XML User Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information.
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic, the following security terms and definitions are provided.
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own self-signed certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process.
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is the science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths.
Although the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals, most algorithms can be broken and the information can be revealed if the attacker has enough time, desire and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy: there are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as the user's name, and information about the organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as a public key and the other as a private key. The certification authority (generally on your campus) creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for the user and then signing it to make it official.
The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle, there are three different interests associated with a digital certificate:
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner
Public Key Certificate
The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers, as service providers, will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; organizations called relying parties, who use the certificates as indicators of authentication; and clients, who request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority, which is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates: These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates: These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.
• Client certificates: These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates: These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
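An added example (not from the report or from CREN) of what the verifying party's checks look like in code: Issuer equal to Subject flags a self-signed certificate, the issuer must be a trusted root, the validity period must cover the current time, and the Subject or subjectAltName must cover the server's DNS name, with wildcard names matching exactly one leftmost label. The certificate records and the trusted root are constructed objects carrying the principal X.509 fields listed above; the signature check is stood in for by a key-identifier match.

```javascript
// Added example of a verifying party's checks; constructed records, not real certificates.
// A browser ships a list of trusted CA certificates and verifies the signature
// with the CA's key; here that check is stood in for by matching a key identifier.
const TRUSTED_ROOTS = [
  { subject: "CN=Demo Root CA, O=Demo", keyId: "demo-root-key-2004" },
];

// Does a certificate name cover this hostname? Exact match, or a wildcard that
// stands for exactly one leftmost label (*.shop.example covers www.shop.example,
// not shop.example and not a.b.shop.example). A wildcard must leave at least
// two labels after it, so "*.com" never matches.
function matchesHostname(pattern, hostname) {
  const p = pattern.toLowerCase().replace(/\.$/, "");
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (!p.startsWith("*.")) return p === h;
  const pLabels = p.split(".");
  const hLabels = h.split(".");
  if (pLabels.length < 3 || hLabels.length !== pLabels.length) return false;
  return hLabels[0].length > 0 && hLabels.slice(1).join(".") === pLabels.slice(1).join(".");
}

// The verifying party's decision for one server certificate. `now` is a
// millisecond timestamp; every failed check becomes a warning.
function evaluateCertificate(cert, hostname, now, roots = TRUSTED_ROOTS) {
  const warnings = [];
  if (cert.issuer === cert.subject) {
    warnings.push("self-signed: Issuer equals Subject");
  } else if (!roots.some((r) => r.subject === cert.issuer && r.keyId === cert.signedByKeyId)) {
    warnings.push("issuer is not a trusted certificate authority");
  }
  if (now < cert.notBefore) warnings.push("certificate not yet valid");
  if (now > cert.notAfter) warnings.push("certificate expired");
  const names = [cert.subjectCommonName, ...(cert.subjectAltNames || [])];
  if (!names.some((n) => matchesHostname(n, hostname))) {
    warnings.push(`none of [${names.join(", ")}] covers ${hostname}`);
  }
  return { accept: warnings.length === 0, warnings };
}

// Constructed server certificate with the principal X.509 v3 fields.
const SERVER_CERT = {
  version: 3,
  serialNumber: "0x1a2b",
  signatureAlgorithm: "sha256WithRSAEncryption",
  issuer: "CN=Demo Root CA, O=Demo",
  signedByKeyId: "demo-root-key-2004",
  notBefore: Date.UTC(2006, 0, 1),
  notAfter: Date.UTC(2007, 0, 1),
  subject: "CN=www.shop.example, O=Demo Shop",
  subjectCommonName: "www.shop.example",
  subjectAltNames: ["www.shop.example", "*.shop.example"],
  publicKey: "<constructed placeholder for the RSA public key>",
};

// The same record re-signed by the site itself: Issuer now equals Subject.
const SELF_SIGNED_CERT = { ...SERVER_CERT, issuer: SERVER_CERT.subject, signedByKeyId: "shop-own-key" };

const NOW = Date.UTC(2006, 5, 15);
```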
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions:
• CREN-signed campus certificates for institutions: These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.
• CREN Web server certificates: These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates: CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals and CREN issues the certificates.
With these three levels of service (including the free test certificates) CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because hackers need to be kept out of companies' databases. Today's education is not enough, since phishers are getting better each day and coming up with newer tricks to catch innocent customers.
The real problem of phishing is that login systems are very weak, and they need to be tightened when it comes to user authentication. Companies could increase the protection of their cryptographic systems by using more IPsec VPNs and digital certificates. With IPsec VPNs, customers as well as the merchant will need to obtain digital certificates from a certificate authority. Recently, while doing this research, we came across an article from PayPal in which they are convincing e-mail providers to block messages that lack digital signatures.
The reason for this is that PayPal is known as one of the most highly spoofed brands that fraudsters use today. This is a very good idea and a good way to keep hackers out of PayPal's databases. As a matter of fact, not only PayPal but every company that conducts business online should come up with a similar strategy. Using strategies like this will help customers gain confidence in doing business and dealing with money matters online. In addition, well-known companies should increase user awareness through education and training, and work with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are increasing dramatically every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because phishing can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
REFERENCES
[1] Cannon, J. C. Privacy. Pearson Education, 2005.
[2] Hilley, Sarah. "Internet war: picking on the finance sector - survey." Computer Fraud & Security, October 2006.
[3] Bellovin, Steven. "Spamming, Phishing, Authentication, and Privacy." Inside Risks, December 2004, Vol. 47, No. 12, p. 144.
[4] Mulrean, Jennifer. "Phishing scams: How to avoid getting hooked." DollarWise.
[5] Hunter, Philip. "Microsoft declares war on phishers." Computer Fraud & Security, May 2006, pp. 15-16.
[6] Google, http://www.google.com
[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.
[8] Anti-Phishing Working Group. Phishing Archive, http://anti-phishing.org/phishing_archive.htm
[9] Ba, S. and P. Pavlou. "Evidence of the Effect of Trust-Building Technology in Electronic Markets: Price Premiums and Buyer Behavior."
A raw phishing message can be split into two components: the content and the headers. These components are commonly accepted as being the major components of a message.
Content
The content is the part of the message that the user sees, and it is used by phishing message producers to deceive users. It can be subdivided into two parts.
The cover is the content which is made to look like a message from the legitimate organization and usually informs the user of a problem with their account. Early phishing messages could be identified based only on their cover, due to imperfect grammar or spelling mistakes (which are uncommon in legitimate messages). Over time, the covers used in phishing messages have become more sophisticated, to the point where they even warn the users about protecting their password and avoiding fraud. An example of this can be seen in the figure below, where the phishing message tells the victim to "Protect Your Account Info" by making sure "you never provide your password to fraudulent websites".
The sting is the part of the content that directs the victim to take remedial actions. It usually takes the form of a clickable URL that directs the victim to a fake website to log into their account or enter other personal details. We call this the sting as this is the part of the content that inflicts pain, by means of financial loss or other undesirable action, after the victim enters their details on the website. Typically the sting is hidden by using HTML to display a legitimate-looking address instead of the address of the fake website. An example of this is shown in the figure above, where the address of the fake website is http://www.nutristore.com.au/r.htm and the corresponding displayed text is a legitimate-looking https://www2.paypal.com/cgi-bin/cmd=_login.
Headers
The headers are the part of the message which is primarily used by the mail servers and the mail client to determine where the message is going and how to unpack the message. Most users do not see these headers, but in terms of determining whether a message is phishing or not, this part of the message can be quite useful. Headers can be subdivided into three parts, based on the entities which add them to the message.
Mail clients typically add headers such as "To", "From", "Subject" and some client-specific headers. Examples of mail client headers are X-MSMail-Priority, X-Mailer and X-MimeOLE, and they can be seen in the figure above. Phishing messages may try to fake a particular header and in doing so give away that the message is fake. For example, if the X-Mailer header indicates that an HTML message has been composed using MS Outlook but the message only contains HTML (without plaintext), this is an indication that the message is fake, as MS Outlook cannot send HTML-only messages.
Mail relays will add headers along the path of the message. These are usually "Received" headers, which can be used to determine the originating IP of the message and the path taken by the message.
Spam filters or virus scanners will usually add headers to the message to indicate the results of the tests run over the message. These headers can then be used by the receiving client to determine (based on a user-set threshold) what to do with the message.
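Putting the content and header observations above into a check, as an added example that is not part of the original text: a small parser that unfolds the headers of a raw message, walks the Received chain back to the originating IP, applies the X-Mailer/HTML-only heuristic, and flags anchors whose displayed URL names a different host than the href. The message below is constructed (documentation IP ranges and .example hosts); the PayPal display text follows the sting example described above.

```javascript
// Added example, not from the original text. The message is constructed:
// documentation IP ranges (RFC 5737) and .example hosts throughout.
const SAMPLE_MESSAGE = [
  'Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])',
  '\tby mail.recipient.example with ESMTP id 123ABC;',
  '\tMon, 14 Nov 2005 10:02:11 +0000',
  'Received: from smtp.relay.example (unknown [198.51.100.23])',
  '\tby mx.recipient.example with SMTP;',
  '\tMon, 14 Nov 2005 10:02:09 +0000',
  'Received: from user-pc (adsl-203-0-113-77.isp.example [203.0.113.77])',
  '\tby smtp.relay.example with SMTP id 9f3;',
  '\tMon, 14 Nov 2005 10:02:05 +0000',
  'From: "PayPal" <service@paypal.com>',
  'To: victim@recipient.example',
  'Subject: Protect Your Account Info',
  'X-Mailer: Microsoft Outlook Express 6.00.2900.2180',
  'X-MSMail-Priority: Normal',
  'MIME-Version: 1.0',
  'Content-Type: text/html; charset="iso-8859-1"',
  '',
  '<html><body><p>Please make sure you never provide your password to fraudulent websites.</p>',
  '<p>Log in here: <a href="http://attacker.example/r.htm">https://www2.paypal.com/cgi-bin/cmd=_login</a></p>',
  '</body></html>',
].join('\r\n');

// Split a raw message into an ordered header list and the body. Folded header
// lines (continuations starting with whitespace) are joined back together.
function parseMessage(raw) {
  const text = raw.replace(/\r\n/g, '\n');
  const sep = text.indexOf('\n\n');
  const headerText = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? '' : text.slice(sep + 2);
  const headers = headerText.replace(/\n[ \t]+/g, ' ').split('\n').filter(Boolean).map((line) => {
    const idx = line.indexOf(':');
    return { name: line.slice(0, idx).trim().toLowerCase(), value: line.slice(idx + 1).trim() };
  });
  return { headers, body };
}

function header(headers, name) {
  const h = headers.find((x) => x.name === name.toLowerCase());
  return h ? h.value : null;
}

// Each relay prepends its own Received header, so the last one in the list is
// the earliest hop and carries the originating IP (in square brackets).
function receivedPath(headers) {
  const hops = headers
    .filter((h) => h.name === 'received')
    .map((h) => (/\[(\d{1,3}(?:\.\d{1,3}){3})\]/.exec(h.value) || [])[1] || null);
  return { hops, originIp: hops.length ? hops[hops.length - 1] : null };
}

// Heuristic from the text: an X-Mailer claiming Outlook on a message whose
// top-level Content-Type is bare text/html (no multipart/alternative).
function mailerMismatch(headers) {
  const mailer = header(headers, 'x-mailer') || '';
  const ctype = (header(headers, 'content-type') || '').toLowerCase();
  return /outlook/i.test(mailer) && ctype.startsWith('text/html');
}

function hostOf(s) {
  try {
    return new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : 'http://' + s).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// The hidden sting: anchors whose visible text looks like a URL but whose href
// points at a different host.
function deceptiveLinks(body) {
  const re = /<a\b[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const found = [];
  for (const m of body.matchAll(re)) {
    const href = m[1];
    const text = m[2].replace(/<[^>]*>/g, '').trim();
    if (!/^(https?:\/\/|www\.)/i.test(text)) continue;
    const shownHost = hostOf(text);
    const actualHost = hostOf(href);
    if (shownHost && actualHost && shownHost !== actualHost) {
      found.push({ displayed: text, actual: href, shownHost, actualHost });
    }
  }
  return found;
}

function analyzeMessage(raw) {
  const { headers, body } = parseMessage(raw);
  const { hops, originIp } = receivedPath(headers);
  const links = deceptiveLinks(body);
  const mismatch = mailerMismatch(headers);
  return { hops, originIp, mailerMismatch: mismatch, deceptiveLinks: links, indicators: links.length + (mismatch ? 1 : 0) };
}
```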
WHY PHISHING ATTACK
Lack of Knowledge
Lack of computer system knowledge Many users lack the
underlying knowledge of how operating systems applications email and
the web work and how to distinguish among these Phishing sites exploit
this lack of knowledge in several ways For example some users do not
understand the meaning or the syntax of domain names and cannot
distinguish legitimate versus fraudulent URLs (eg they may think
wwwebay-members-securitycom belongs to wwwebaycom) Another
attack strategy forges the email header many users do not have the skills
to distinguish forged from legitimate headers
Lack of knowledge of security and security indicators Many
users do not understand security indicators For example many users do
not know that a closed padlock icon in the browser indicates that the page
they are viewing was delivered securely by SSL Even if they understand the
meaning of that icon users can be fooled by its placement within the body
of a web page (this confusion is not aided by the fact that competing
browsers use different icons and place them in different parts of their
display) More generally users may not be aware that padlock icons appear
in the browser ldquochromerdquo (the interface constructed by the browser around
a web page eg toolbars windows address bar status bar) only under
specific conditions (ie when SSL is used) while icons in the content of the
web page can be placed there arbitrarily by designers (or by phishers) to
induce trust Attackers can also exploit usersrsquo lack of understanding of the
verification process for SSL certificates Most users do not know how to
check SSL certificates in the browser or understand the information
presented in a certificate In one spoofing strategy a rogue site displays a
certificate authoritys (CA) trust seal that links to a CA webpage This
webpage provides an English language description and verification of the
legitimate sitersquos certificate Only the most informed and diligent users
would know to check that the URL of the originating site and the legitimate
site described by the CA match
Lack of knowledge of web fraud Some users donrsquot know that
spoofing websites is possible Without awareness phishing is possible
some users simply do not question website legitimacy
Erroneous security knowledge Some users have misconceptions
about which website features indicate security For example participants
assumed that if websites contained professional-looking images
animations and ads they assumed the sites were legitimate (influenced by
well-known trust indicators discussed below) Similarly dedicated login
pages from banks were less trusted than those originating from a
homepage several participants mentioned a lack of images and links as a
reason for their distrust
Visual Deception
Phishers use visual deception tricks to mimic legitimate text images and
windows
Visually deceptive text Users may be fooled by the syntax of a
domain name in ldquotype jackingrdquo attacks which substitute letters that may
go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks
similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo
for the letter ldquolrdquo) Phishers have also taken advantage of non-printing
characters and non-ASCII Unicode characters in domain names
Images masking underlying text One common technique used by
phishers is to use an image of a legitimate hyperlink The image itself
serves as a hyperlink to a different rogue site
Images mimicking windows Phishers use images in the content of a
web page that mimic browser windows or For user convenience some
legitimate organizations allow users to login from non-SSL pages Although
the user data may be transmitted securely there is no visual cue in the
browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this
designers resort to placing a padlock icon in the page content a tactic that
phishers also exploit or dialog windows Because the image looks exactly
like a real window a user can be fooled unless he tries to move or resize
the image
Windows masking underlying windows A common phishing
technique is to place an illegitimate browser window on top of or next to
a legitimate window If they have the same look and feel users may
mistakenly believe that both windows are from the same source
regardless of variations in address or security indicators In the worst case
a user may not even notice that a second window exists (browsers that
allow borderless pop-up windows aggravate the problem)
Deceptive look and feel If images and logos are copied perfectly
sometimes the only cues that are available to the user are the tone of the
language misspellings or other signs of unprofessional design If the
phishing site closely mimics the target site the only cue to the user might
be the type and quantity of requested personal information
WHAT SHOULD BE DONE TO FIGHT
PHISHING(ANTI-PHISHING)
Phishing needs to be followed in a managerial way within the network and its
components such as servers PCs operating systems browsers and other
applications that run off a connection
As considering the danger of both false negative where firewall packet
inspection fails to identify a phishing site and false positive where firewall packet
inspection wrongly rejects the valid sites it is important to minimize these risks
Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they
are fraud e-mails before adding them to the blacklist Even then sites that are
concerned can be reconsidered and later removed from the list
Another way of solving this problem can be in a technical way by using a
biometric check up Biometrics refers to technologies that analyze an individualrsquos
physical and behavioral characteristics to automate identification or verification
of the user
To avoid the risk of being locked in by phishers here are few tips
bull Be extremely suspicious of any e-mails with urgent
requests for personal information
bull Do not fill out any forms in e-mail messages especially
from banks
bull Do not use the links that are provided in the e-mails this
can cause installing any malicious malware on your
computer Instead contact the company over the phone
to solve any problems
bull Do not give your credit card numbers or account
information unless you are using a secure Web site or
the telephone If you are using a Web site check the
beginning of the web address in your browsersrsquo address
bar A secure site should up as ldquohttpsrdquo instead of just
http
Verify the real address of a web site Cut and paste the
following text into your browser address bar
javascriptalert(The actual URL of this site has been verified
as + location protocol + + location hostname +)
Ensure that your browser and OS software is up-to-date and
that latest security patches are applied
Possible ways of by-passing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can
easily mitigate phishing attacks. This is because the attacker can only steal the
sensitive information in the page after the user performs a submit. Before this
can happen, however, AntiPhish detects that sensitive information has been typed
into a form and cancels the operation. Stopping a phishing attack in an HTML
page that has JavaScript, on the other hand, is not that easy, and special care
has to be taken. JavaScript is a powerful language that is widely used in web
pages for providing functionality such as submitting forms, opening windows,
intercepting events and performing input validity checks. At the same time,
however, JavaScript gives the attacker a wide range of possibilities for
bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates
hooks for intercepting user-generated events such as key strokes, the attacker
can also create such hooks using JavaScript embedded into the HTML page. Instead
of waiting for the user to press a submit button to send the information, the
attacker could intercept the keys that are pressed and send the information
character by character to a server of her choice. Typically, this is done by
modifying the URL of an existing or hidden image to a web site that the attacker
controls (e.g. if "a" has been pressed, an image URL may be set to
http://attacker.com/key=a). Another possibility for the attacker could be to set
a simple timer and to capture "snapshots" of the information in the forms. In
this way, an important part of the information could be captured without the
user ever hitting a submit button. The easiest solution to the JavaScript
problem is to deactivate JavaScript on a page that contains forms.
Unfortunately, this solution is not feasible because, as mentioned before, a
large number of Web sites use JavaScript for validation and submission purposes.
The solution we use in AntiPhish is to deactivate JavaScript every time the
focus is on an HTML text element and to reactivate it whenever the focus is
lost. Using this technique, we ensure that the attacker is not able to create
hooks and timers or intercept browser events such as key presses while the user
is typing information into a text field. At the same time, we ensure that the
legitimate JavaScript functionality on a page (e.g. input validation routines)
is preserved. By the time the focus is lost from the text element and
JavaScript is reactivated, AntiPhish has already determined whether the
information that was typed into the text element is sensitive. If the web site
is untrusted, the operation can be canceled. One side-effect of our approach is
that legitimate event-based JavaScript functionality such as input validation
based on key presses will not function. The use of key press events for input
validation, however, is uncommon. Most web sites perform client-side input
validation once before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e.
plug-in). Mozilla browser extensions are written using the Mozilla XML User
Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish
has a small footprint and consists of about 900 lines of JavaScript code and 200
lines of XUL user interface code. We used Paul Tero's JavaScript DES
implementation for safely storing the sensitive information.
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic, the security terms used are defined first.
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the
browser encounters a certificate that has not been signed by a trusted
certificate authority, it issues a warning to the user. Some organizations
create and sign their own self-signed certificates. If a browser encounters a
self-signed certificate, it issues a warning and allows the user to decide
whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a
particular identity. A list of trusted CAs is stored in the browser. A certificate
may be issued to a fraudulent website by a CA without a rigorous verification
process.
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to
indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure
communications over the Internet. SSL/TLS authenticates a server by
verifying that the server holds a certificate that has been digitally signed by
a trusted certificate authority. SSL/TLS also allows the client and server to
agree on an encryption algorithm for securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is a science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths. Although the ultimate goal of cryptography, and of the mechanisms that make it up, is to hide information from unauthorized individuals, most algorithms can be broken and the information can be revealed if the attacker has enough time, desire and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy. There are many ways that digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as user name, and information about the organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as a public key and the other as a private key. The certification authority, generally on your campus, creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for the user and then signing it to make it official.
The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle, there are three different interests associated with a digital certificate:
The Requesting Party: The party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: The party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): Parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate   Requesting Party                          Issuing Party                       Verifying Party
Identity              The person concerned                      The appropriate government agency   Anyone undertaking an identity check
Accreditation         A qualified member of a profession        The professional body               A user of the services offered by the member
Authorization         A customer wishing to access a resource   The resource owner                  The resource owner
Public Key Certificate
The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; organizations called relying parties, who use the certificates as indicators of authentication; and clients, who request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority, which is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates: These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates: These certificates are also called campus certificates. These certificates are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.
• Client certificates: These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates: These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions:
• CREN-signed campus certificates for institutions: These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.
• CREN Web server certificates: These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates: CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals, and CREN issues the certificates.
With these three levels of service, including the free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business because
hackers must be kept out of companies' databases. Today's education is not
enough, since phishers are getting better each day and coming up with newer
trends to catch innocent customers.
The real problem of phishing is that the login systems are very weak, and thus
they need to be tighter when it comes to user authentication. The companies
could increase their cryptographic system protection by using more IPSec VPNs
and digital certificates. To use IPSec VPNs, customers, as well as the merchant,
will need to obtain digital certificates from a certificate authority. Recently,
while doing this research, we came across an article from PayPal where they are
convincing email providers to block messages that lack digital signatures.
The reason for this is that PayPal is known as one of the most highly spoofed
brands that fraudsters use today. This is a very good idea and a good way to
keep hackers out of PayPal databases. As a matter of fact, not only PayPal but
every company that conducts business should come up with a similar strategy.
Using strategies similar to this will help customers gain confidence in doing
business and dealing with money issues. In addition, well-known companies
should increase user awareness through education and training, and by working
with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because it can become a major loss to well-known companies. Also, it can cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No type of technology can stop phishing attacks, but there are many ways to keep phishers from accomplishing their goals. Consumer education can increase the awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
REFERENCES
[1] Cannon, J.C. Privacy. Pearson Education, 2005.
[2] Hilley, Sarah. "Internet war: picking on the finance sector - survey." Computer Fraud & Security, October 2006.
[3] Bellovin, Steven. "Spamming, Phishing, Authentication and Privacy." Inside Risks, December 2004, Vol. 47, No. 12, 144.
[4] Mulrean, Jennifer. "Phishing scams: How to avoid getting hooked." DollarWise.
[5] Hunter, Philip. "Microsoft declares war on phishers." Computer Fraud & Security, May 2006, 15-16.
[6] Google, http://www.google.com
[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.
[8] Anti-Phishing Working Group. Phishing Archive, http://anti-phishing.org/phishing_archive.htm
[9] Ba, S. & P. Pavlou. "Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior."
The cover is the content which is made to look like a message from the
legitimate organization and usually informs the user of a problem with
their account Early phishing messages could be identified based only on
their cover due to imperfect grammar or spelling mistakes (which are
uncommon in legitimate messages) Over time the covers used in phishing
messages have become more sophisticated to the point where they even
warn the users about protecting their password and avoiding fraud An
example of this can be seen in Figure below where the phishing message
tells the victim to ldquoProtect Your Account Infordquo by making sure ldquoyou never
provide your password to fraudulent websitesrdquo
The sting is the part of the content that directs the victim to take
remedial actions It usually takes the form of a clickable URL that directs the
victim to a fake website to log into their account or enter other personal
details We call this the sting as this is the part of the content that inflicts
pain by means of financial loss or other undesirable action after the victim
enters their details on the website Typically the sting is hidden by using
HTML to display a legitimate looking address instead of the address of the
fake website An example of this is shown in above Figure where the
address of the fake website is httpwwwnutristorecomaurhtm and
the corresponding displayed text is a legitimate looking
httpswww2paypalcomcgi-bincmd= login
Headers
The headers are the part of the message which is primarily used by the mail
servers and the mail client to determine where the message is going and how to
unpack the message Most users do not see these headers but in terms of
determining if a message is phishing or not this part of the message can be quite
useful Headers can be subdivided into three parts based on the entities which
add them to the message
Mail clients typically add headers such as ldquoTordquo ldquoFromrdquo ldquoSubjectrdquo
and some client specific headers Examples of mail client headers are X-
MSMail-Priority X-Mailer and X-MimeOLE and they can be seen in above
figure Phishing messages may try to fake a particular header and in doing
so give away that the message is fake For example if the X-Mailer header
indicates that a HTML message has been composed using MS Outlook but
the message only contains HTML (without plaintext) this is an indication
that the message is fake as MS Outlook cannot send HTML only messages
Mail relays will add headers along the path of the message These are
usually ldquoReceivedrdquo headers which can be used to determine the
originating IP of the message and the path taken by the message
Spam-filters or virus-scanners will usually add headers to the message to
indicate results of the tests run over the message These headers can then
be used by the receiving client to determine (based on a user-set
threshold) what to do with the message
WHY PHISHING ATTACK
Lack of Knowledge
Lack of computer system knowledge Many users lack the
underlying knowledge of how operating systems applications email and
the web work and how to distinguish among these Phishing sites exploit
this lack of knowledge in several ways For example some users do not
understand the meaning or the syntax of domain names and cannot
distinguish legitimate versus fraudulent URLs (eg they may think
wwwebay-members-securitycom belongs to wwwebaycom) Another
attack strategy forges the email header many users do not have the skills
to distinguish forged from legitimate headers
Lack of knowledge of security and security indicators Many
users do not understand security indicators For example many users do
not know that a closed padlock icon in the browser indicates that the page
they are viewing was delivered securely by SSL Even if they understand the
meaning of that icon users can be fooled by its placement within the body
of a web page (this confusion is not aided by the fact that competing
browsers use different icons and place them in different parts of their
display) More generally users may not be aware that padlock icons appear
in the browser ldquochromerdquo (the interface constructed by the browser around
a web page eg toolbars windows address bar status bar) only under
specific conditions (ie when SSL is used) while icons in the content of the
web page can be placed there arbitrarily by designers (or by phishers) to
induce trust Attackers can also exploit usersrsquo lack of understanding of the
verification process for SSL certificates Most users do not know how to
check SSL certificates in the browser or understand the information
presented in a certificate In one spoofing strategy a rogue site displays a
certificate authoritys (CA) trust seal that links to a CA webpage This
webpage provides an English language description and verification of the
legitimate sitersquos certificate Only the most informed and diligent users
would know to check that the URL of the originating site and the legitimate
site described by the CA match
Lack of knowledge of web fraud Some users donrsquot know that
spoofing websites is possible Without awareness phishing is possible
some users simply do not question website legitimacy
Erroneous security knowledge Some users have misconceptions
about which website features indicate security For example participants
assumed that if websites contained professional-looking images
animations and ads they assumed the sites were legitimate (influenced by
well-known trust indicators discussed below) Similarly dedicated login
pages from banks were less trusted than those originating from a
homepage several participants mentioned a lack of images and links as a
reason for their distrust
Visual Deception
Phishers use visual deception tricks to mimic legitimate text images and
windows
Visually deceptive text Users may be fooled by the syntax of a
domain name in ldquotype jackingrdquo attacks which substitute letters that may
go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks
similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo
for the letter ldquolrdquo) Phishers have also taken advantage of non-printing
characters and non-ASCII Unicode characters in domain names
Images masking underlying text One common technique used by
phishers is to use an image of a legitimate hyperlink The image itself
serves as a hyperlink to a different rogue site
Images mimicking windows Phishers use images in the content of a
web page that mimic browser windows or For user convenience some
legitimate organizations allow users to login from non-SSL pages Although
the user data may be transmitted securely there is no visual cue in the
browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this
designers resort to placing a padlock icon in the page content a tactic that
phishers also exploit or dialog windows Because the image looks exactly
like a real window a user can be fooled unless he tries to move or resize
the image
Windows masking underlying windows A common phishing
technique is to place an illegitimate browser window on top of or next to
a legitimate window If they have the same look and feel users may
mistakenly believe that both windows are from the same source
regardless of variations in address or security indicators In the worst case
a user may not even notice that a second window exists (browsers that
allow borderless pop-up windows aggravate the problem)
Deceptive look and feel If images and logos are copied perfectly
sometimes the only cues that are available to the user are the tone of the
language misspellings or other signs of unprofessional design If the
phishing site closely mimics the target site the only cue to the user might
be the type and quantity of requested personal information
WHAT SHOULD BE DONE TO FIGHT
PHISHING(ANTI-PHISHING)
Phishing needs to be followed in a managerial way within the network and its
components such as servers PCs operating systems browsers and other
applications that run off a connection
As considering the danger of both false negative where firewall packet
inspection fails to identify a phishing site and false positive where firewall packet
inspection wrongly rejects the valid sites it is important to minimize these risks
Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they
are fraud e-mails before adding them to the blacklist Even then sites that are
concerned can be reconsidered and later removed from the list
Another way of solving this problem can be in a technical way by using a
biometric check up Biometrics refers to technologies that analyze an individualrsquos
physical and behavioral characteristics to automate identification or verification
of the user
To avoid the risk of being locked in by phishers here are few tips
bull Be extremely suspicious of any e-mails with urgent
requests for personal information
bull Do not fill out any forms in e-mail messages especially
from banks
bull Do not use the links that are provided in the e-mails this
can cause installing any malicious malware on your
computer Instead contact the company over the phone
to solve any problems
bull Do not give your credit card numbers or account
information unless you are using a secure Web site or
the telephone If you are using a Web site check the
beginning of the web address in your browsersrsquo address
bar A secure site should up as ldquohttpsrdquo instead of just
http
Verify the real address of a web site Cut and paste the
following text into your browser address bar
javascriptalert(The actual URL of this site has been verified
as + location protocol + + location hostname +)
Ensure that your browser and OS software is up-to-date and
that latest security patches are applied
Possible ways of by-passing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML AntiPhish can
easily mitigate phishing attacks This is because the attacker can only steal the
sensitive information in the page after the user performs a submit Before this can
happen however AntiPhish detects that sensitive information has been typed
into a form and cancels the operation Stopping a phishing attack in an HTML
page that has JavaScript on the other hand is not that easy and special care has
to be taken JavaScript is a powerful language that is widely used in webpage for
providing functionality such as submitting forms opening windows intercepting
events and performing input validity checks At the same time however
JavaScript gives the attacker a wide range of possibilities for by-passing a
monitoring application such as AntiPhish Just as AntiPhish creates hooks for
intercepting user generated events such as key strokes the attacker can also
create such hooks using JavaScript embedded into the HTML page Instead of
waiting for the user to press a submit button to send the information the attacker
could intercept the keys that are pressed and send the information character by
character to a server of her choice Typically this is done by modifying the URL of
an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas
been pressed an image URL may be set to httpattackercomkeya)
Another possibility for the attacker could be to set a simple timer and to capture
ldquosnapshotsrdquo of the information in the forms In this way an important part of the
information could be captured without the user ever hitting a submit button The
easiest solution to the JavaScript problem is to deactivate JavaScript on a page
that contains forms Unfortunately this solution is not feasible because as
mentioned before a large number of Web sites use JavaScript for validation and
submission purposes The solution we use in AntiPhish is to deactivate
JavaScript every time the focus is on an HTML text element and to reactivate it
whenever the focus is lost Using this technique we ensure that the attacker is
not able to create hooks timers and intercept browser events such as key presses
while the user is typing information into a text field At the same time we ensure
that the legitimate JavaScript functionality on a page (eg such as input validation
routines) are preserved By the time the focus is lost from the text element and
Java script is reactivated AntiPhish has already determined if the information that
was typed into the text element is sensitive If the web site is un trusted the
operation can be canceled One side-effect of our approach is that legitimate
event-based Java script functionality such as input validation based on key presses
will not function The use of key press events for input validation however is
uncommon Most web sites perform client-side input validation once before a
form is submitted
Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie
plug-in)Mozilla browser extensions are written using the Mozilla XML User-
Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish
has a small footprint and consists of about 900 lines of JavaScript code and 200
lines of XUL user interface code We used Paul Terorsquos JavaScript DES
implementation for safely storing the sensitive information
ANALYSIS OF A PHISHING DATABASE
The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)
Uses a digital signature to bind together a public key with an identity If the
browser encounters a certificate that has not been signed by a trusted
certificate authority it issues a warning to the user Some organizations
create and sign their own self signed
Certificates If a browser encounters a self-signed certificate it issues a
warning and allows the user to decide whether to accept the certificate
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a
particular identity A list of trusted CAs is stored in the browser A certificate
may be issued to a fraudulent website by a CA without a rigorous verification
process
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to
indicate that HTTP is sent over SSLTLS
Secure Sockets Layer (SSL) and Transport Layer Security
(TLS)
Cryptographic protocols used to provide authentication and secure
communications over the Internet SSLTLS authenticates a server by
verifying that the server holds a certificate that has been digitally signed by
a trusted certificate authority SSLTLS also allows the client and server to
agree on an encryption algorithm for securing communications
CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker
Digital Certificates
Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user
Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official
The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital certificate:
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate | Requesting Party                        | Issuing Party                    | Verifying Party
Identity            | The person concerned                    | The appropriate government agency | Anyone undertaking an identity check
Accreditation       | A qualified member of a profession      | The professional body            | A user of the services offered by the member
Authorization       | A customer wishing to access a resource | The resource owner               | The resource owner
Public Key Certificate
The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers, as service providers, will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs), which issue, manage and revoke digital certificates; organizations called relying parties, which use the certificates as indicators of authentication; and clients, which request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority, which is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates. These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates. These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their “authority” to issue client certificates for faculty, staff and students.
• Client certificates. These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates. These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions:
• CREN-signed campus certificates for institutions. These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.
• CREN Web server certificates. These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates. CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals and CREN issues the certificates.
With these three levels of service, including the free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because hackers need to be kept out of companies' databases. Today's education is not enough, since phishers are getting better each day and coming up with newer tricks to catch innocent customers.
The real problem of phishing is that login systems are very weak, and thus they need to be tighter when it comes to user authentication. Companies could increase their cryptographic protection by using more IPSec VPNs and digital certificates. With IPSec VPNs, customers will need to obtain digital certificates from a certificate authority, as will the merchant. Recently, while doing this research, we came across an article from PayPal in which they are convincing email providers to block messages that lack digital signatures. The reason for this is that PayPal is known as one of the most highly spoofed brands that fraudsters use today. This is a very good idea and a good way to keep hackers out of PayPal's databases. As a matter of fact, not only PayPal but every company that conducts business online should come up with a similar strategy. Using strategies similar to this will help customers gain confidence in doing business and dealing with money issues online. In addition, well-known companies should increase user awareness through education and training, and work with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because it can become a major loss to well-known companies. Also, it can cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to keep phishers from accomplishing their goals. Consumer education can increase the awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
The sting is the part of the content that directs the victim to take remedial actions. It usually takes the form of a clickable URL that directs the victim to a fake website to log into their account or enter other personal details. We call this the sting as this is the part of the content that inflicts pain, by means of financial loss or other undesirable action, after the victim enters their details on the website. Typically the sting is hidden by using HTML to display a legitimate-looking address instead of the address of the fake website. An example of this is shown in the figure above, where the address of the fake website is http://www.nutristore.com/aur.htm and the corresponding displayed text is a legitimate-looking https://www2.paypal.com/cgi-bin/cmd=_login.
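The following is an added example (not code from the original paper) that detects the sting described above: it collects every anchor in a message body and flags those whose visible text is itself a URL but whose host differs from the host of the real href. The HTML sample and the fake hostname in it are constructed placeholders.

```python
"""Detect 'sting' links: visible text shows one address, the href points to another."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not from the paper): the visible text shows a
# PayPal-looking URL, while the href sends the victim to an unrelated host.
SAMPLE_HTML = """
<p>Please confirm your account:</p>
<a href="http://www.example-fake-site.test/aur.htm">https://www2.paypal.com/cgi-bin/cmd=_login</a>
<p>Or visit <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p><a href="https://www.paypal.com/">click here</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, None when outside one
        self._text = []      # text chunks seen inside the open <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of an http(s) URL, or None if the text is not such a URL."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def find_stings(html):
    """Return (href, displayed_text) pairs where the displayed text is a URL whose
    host differs from the host the link actually goes to."""
    collector = LinkCollector()
    collector.feed(html)
    stings = []
    for href, text in collector.links:
        shown_host = host_of(text)
        if shown_host is None:
            continue  # plain words such as "click here" make no claim about the address
        if host_of(href) != shown_host:
            stings.append((href, text))
    return stings


if __name__ == "__main__":
    for href, shown in find_stings(SAMPLE_HTML):
        print(f"sting: displays {shown!r} but goes to {href!r}")
```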
Headers
The headers are the part of the message which is primarily used by the mail servers and the mail client to determine where the message is going and how to unpack the message. Most users do not see these headers, but in terms of determining whether a message is phishing or not, this part of the message can be quite useful. Headers can be subdivided into three parts based on the entities which add them to the message:
Mail clients typically add headers such as “To”, “From”, “Subject” and some client-specific headers. Examples of mail client headers are X-MSMail-Priority, X-Mailer and X-MimeOLE, and they can be seen in the figure above. Phishing messages may try to fake a particular header and in doing so give away that the message is fake. For example, if the X-Mailer header indicates that an HTML message has been composed using MS Outlook but the message only contains HTML (without plaintext), this is an indication that the message is fake, as MS Outlook cannot send HTML-only messages.
Mail relays will add headers along the path of the message. These are usually “Received” headers, which can be used to determine the originating IP of the message and the path taken by the message.
Spam filters or virus scanners will usually add headers to the message to indicate the results of the tests run over the message. These headers can then be used by the receiving client to determine (based on a user-set threshold) what to do with the message.
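The following is an added example (not code from the original paper) that applies the three header checks above to one message: it walks the Received chain to recover the path and originating IP, tests the X-Mailer-versus-body inconsistency, and applies a user-set threshold to a filter-added score header. The raw message, its hosts and addresses are constructed, and the X-Spam-Score header name is an assumption.

```python
"""Inspect mail headers for client, relay and filter signals of a phishing message."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample (not from the paper): claims to come from Outlook but carries only
# an HTML part, and the relay path bottoms out at an address unrelated to the sender.
SAMPLE_MESSAGE = """\
Received: from mx.example-receiver.test (mx.example-receiver.test [192.0.2.10])
\tby inbox.example-receiver.test with ESMTP id 1; Mon, 1 Jan 2007 10:00:00 +0000
Received: from relay.example-isp.test ([198.51.100.7])
\tby mx.example-receiver.test with ESMTP id 2; Mon, 1 Jan 2007 09:59:58 +0000
Received: from unknown (HELO mail.paypal.com) ([203.0.113.42])
\tby relay.example-isp.test with SMTP; Mon, 1 Jan 2007 09:59:55 +0000
From: "PayPal" <service@paypal.com>
To: victim@example-receiver.test
Subject: Urgent: verify your account
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-Spam-Score: 7.4
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>Please <a href="http://www.example-fake-site.test/aur.htm">log in</a>.</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_path(msg: Message):
    """Source addresses from the Received chain, earliest hop first.

    Each receiving server prepends its own Received header, so the last header in the
    message is the first hop; its address is the best available estimate of the origin."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(value)
        hops.append(match.group(1) if match else None)
    return hops


def originating_ip(msg: Message):
    path = received_path(msg)
    return path[0] if path else None


def outlook_html_only(msg: Message) -> bool:
    """The inconsistency described in the text: X-Mailer claims Outlook, yet the
    message carries HTML with no plain-text alternative."""
    claims_outlook = "outlook" in (msg.get("X-Mailer") or "").lower()
    types = {part.get_content_type() for part in msg.walk()}
    return claims_outlook and "text/html" in types and "text/plain" not in types


def over_filter_threshold(msg: Message, threshold: float = 5.0) -> bool:
    """Apply a user-set threshold to a score header added by a spam filter
    (header name X-Spam-Score is assumed here)."""
    raw = msg.get("X-Spam-Score")
    try:
        return raw is not None and float(raw) >= threshold
    except ValueError:
        return False


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    return {
        "hops": received_path(msg),
        "originating_ip": originating_ip(msg),
        "outlook_html_only": outlook_html_only(msg),
        "over_filter_threshold": over_filter_threshold(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```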
WHY PHISHING ATTACKS WORK
Lack of Knowledge
Lack of computer system knowledge. Many users lack the underlying knowledge of how operating systems, applications, email and the web work, and how to distinguish among these. Phishing sites exploit this lack of knowledge in several ways. For example, some users do not understand the meaning or the syntax of domain names and cannot distinguish legitimate from fraudulent URLs (e.g. they may think www.ebay-members-security.com belongs to www.ebay.com). Another attack strategy forges the email header; many users do not have the skills to distinguish forged from legitimate headers.
Lack of knowledge of security and security indicators. Many users do not understand security indicators. For example, many users do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL. Even if they understand the meaning of that icon, users can be fooled by its placement within the body of a web page (this confusion is not aided by the fact that competing browsers use different icons and place them in different parts of their display). More generally, users may not be aware that padlock icons appear in the browser “chrome” (the interface constructed by the browser around a web page, e.g. toolbars, windows, address bar, status bar) only under specific conditions (i.e. when SSL is used), while icons in the content of the web page can be placed there arbitrarily by designers (or by phishers) to induce trust. Attackers can also exploit users' lack of understanding of the verification process for SSL certificates. Most users do not know how to check SSL certificates in the browser or understand the information presented in a certificate. In one spoofing strategy, a rogue site displays a certificate authority's (CA) trust seal that links to a CA webpage. This webpage provides an English-language description and verification of the legitimate site's certificate. Only the most informed and diligent users would know to check that the URL of the originating site and the legitimate site described by the CA match.
Lack of knowledge of web fraud. Some users don't know that spoofing websites is possible. Without awareness that phishing is possible, some users simply do not question website legitimacy.
Erroneous security knowledge. Some users have misconceptions about which website features indicate security. For example, participants assumed that if websites contained professional-looking images, animations and ads, the sites were legitimate (influenced by well-known trust indicators discussed below). Similarly, dedicated login pages from banks were less trusted than those originating from a homepage; several participants mentioned a lack of images and links as a reason for their distrust.
Visual Deception
Phishers use visual deception tricks to mimic legitimate text, images and windows.
Visually deceptive text. Users may be fooled by the syntax of a domain name in “typejacking” attacks, which substitute letters that may go unnoticed (e.g. www.paypai.com uses a lowercase “i”, which looks similar to the letter “l”, and www.paypa1.com substitutes the number “1” for the letter “l”). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names.
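The following is an added example (not code from the original paper) covering both the domain-syntax confusion under Lack of Knowledge (www.ebay-members-security.com) and the typejacking and non-ASCII substitutions just described. It folds confusable characters before comparing a host's registrable label against a brand, and flags brand names buried in an unrelated registrable domain or hosts with non-ASCII or non-printing characters. The brand table is constructed, and the "last two labels" rule for the registrable domain is a simplification (a real check would use the Public Suffix List).

```python
"""Flag URLs whose host resembles a known brand without being one of its domains."""
import unicodedata
from urllib.parse import urlparse

# Constructed table of brands and the domains they legitimately use (an assumption).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

# Characters that read like another letter at a glance: the "i" and "1" for "l" cases
# from the text, plus a few common ones.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def fold(label: str) -> str:
    """Collapse confusables so 'paypai' and 'paypa1' compare equal to 'paypal'."""
    return label.lower().translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (no Public Suffix List here)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def charset_findings(host: str) -> list:
    """Non-ASCII (IDN) or non-printing characters in a hostname."""
    for ch in host:
        if ord(ch) > 127:
            try:
                puny = host.encode("idna").decode("ascii")
            except UnicodeError:
                puny = "(not encodable)"
            return [f"non-ASCII character {ch!r} in host (punycode {puny})"]
        if unicodedata.category(ch) in ("Cc", "Cf"):
            return [f"non-printing character U+{ord(ch):04X} in host"]
    return []


def classify(url: str) -> list:
    """Return the reasons a URL's host looks deceptive; an empty list means no finding."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["no host in URL"]
    reasons = charset_findings(host)
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    for brand, legit_domains in BRAND_DOMAINS.items():
        if reg in legit_domains:
            return reasons  # genuinely the brand's domain; keep only charset findings
        if brand in host:
            # Brand name present, but the part that actually decides ownership differs.
            reasons.append(f"contains '{brand}' but registrable domain is {reg}")
        elif fold(reg_label) == fold(brand):
            reasons.append(f"'{reg_label}' is a look-alike of '{brand}'")
    return reasons


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/", "http://www.ebay-members-security.com/",
                   "http://www.paypai.com/", "http://www.paypa1.com/"):
        print(sample, "->", classify(sample) or "ok")
```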
Images masking underlying text. One common technique used by phishers is to use an image of a legitimate hyperlink. The image itself serves as a hyperlink to a different, rogue site.
Images mimicking windows. Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless he tries to move or resize the image.
(For user convenience, some legitimate organizations allow users to log in from non-SSL pages. Although the user data may be transmitted securely, there is no visual cue in the browser to indicate whether SSL is used for form submissions. To “remedy” this, designers resort to placing a padlock icon in the page content, a tactic that phishers also exploit.)
Windows masking underlying windows. A common phishing technique is to place an illegitimate browser window on top of, or next to, a legitimate window. If they have the same look and feel, users may mistakenly believe that both windows are from the same source, regardless of variations in address or security indicators. In the worst case, a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).
Deceptive look and feel. If images and logos are copied perfectly, sometimes the only cues that are available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue to the user might be the type and quantity of requested personal information.
WHAT SHOULD BE DONE TO FIGHT PHISHING (ANTI-PHISHING)
Phishing needs to be addressed in a managed way within the network and its components, such as servers, PCs, operating systems, browsers and other applications that run over a connection.
Considering the danger of both false negatives, where firewall packet inspection fails to identify a phishing site, and false positives, where firewall packet inspection wrongly rejects valid sites, it is important to minimize these risks. Microsoft's anti-phishing response team analyzes sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, sites that are concerned can be reconsidered and later removed from the list.
Another way of solving this problem is a technical one: using a biometric check. Biometrics refers to technologies that analyze an individual's physical and behavioral characteristics to automate identification or verification of the user.
To reduce the risk of being caught by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially from banks.
• Do not use the links that are provided in e-mails; this can result in malware being installed on your computer. Instead, contact the company over the phone to solve any problems.
• Do not give your credit card numbers or account information unless you are using a secure Web site or the telephone. If you are using a Web site, check the beginning of the web address in your browser's address bar. A secure site should show up as “https” instead of just “http”.
• Verify the real address of a web site. Cut and paste the following text into your browser's address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/");
• Ensure that your browser and OS software are up-to-date and that the latest security patches are applied.
Possible ways of bypassing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as key strokes, the attacker can also create such hooks using JavaScript embedded into the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically this is done by modifying the URL of an existing or hidden image to a web site that the attacker controls (e.g. if “a” has been pressed, an image URL may be set to http://attacker.com/key=a).
Another possibility for the attacker could be to set a simple timer and to capture “snapshots” of the information in the forms. In this way an important part of the information could be captured without the user ever hitting a submit button. The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately, this solution is not feasible because, as mentioned before, a large number of Web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique we ensure that the attacker is not able to create hooks or timers and intercept browser events such as key presses while the user is typing information into a text field. At the same time, we ensure that the legitimate JavaScript functionality on a page (e.g. input validation routines) is preserved. By the time the focus is lost from the text element and JavaScript is reactivated, AntiPhish has already determined whether the information that was typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side effect of our approach is that legitimate event-based JavaScript functionality, such as input validation based on key presses, will not function. The use of key press events for input validation, however, is uncommon. Most web sites perform client-side input validation once, before a form is submitted.
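The following is an added example (not the AntiPhish extension's own code) that models the decision described above: sensitive values are remembered together with the site they belong to, scripting is switched off while a text element has focus, and when focus is lost the typed value is checked before scripting is reactivated, cancelling the operation if a watched value is entered on an untrusted site. Keyed hashes (HMAC) stand in for the paper's DES-encrypted store; the domains, values and secret are constructed.

```python
"""Model of AntiPhish's focus/blur gating and its domain-bound sensitive-value check."""
import hashlib
import hmac


class AntiPhishMonitor:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._watch = {}            # tag of a sensitive value -> domains allowed to receive it
        self.script_enabled = True  # stands for JavaScript being active on the page

    def _tag(self, value: str) -> str:
        # Only a keyed hash is kept, never the cleartext (assumption: HMAC in place of DES).
        return hmac.new(self._secret, value.encode(), hashlib.sha256).hexdigest()

    def register(self, domain: str, value: str) -> None:
        """The user marks `value` as sensitive and belonging to `domain`."""
        self._watch.setdefault(self._tag(value), set()).add(domain.lower())

    def focus(self) -> None:
        """A text element gains focus: scripting is deactivated, so no page script can
        install key-press hooks or timers while the user types."""
        self.script_enabled = False

    def blur(self, domain: str, typed: str) -> str:
        """The text element loses focus: decide before scripting is reactivated.
        Returns 'ALLOW', or 'CANCEL' when a watched value was entered on an untrusted site."""
        decision = "ALLOW"
        allowed = self._watch.get(self._tag(typed))
        if allowed is not None and domain.lower() not in allowed:
            decision = "CANCEL"
        self.script_enabled = True  # legitimate validation/submission scripts run again
        return decision


def simulate_entry(monitor: AntiPhishMonitor, domain: str, typed: str):
    """One focus/type/blur cycle; returns (decision, script state while typing)."""
    monitor.focus()
    script_while_typing = monitor.script_enabled
    decision = monitor.blur(domain, typed)
    return decision, script_while_typing


if __name__ == "__main__":
    m = AntiPhishMonitor(b"constructed-secret")
    m.register("www.paypal.com", "constructed-password")
    print(simulate_entry(m, "www.paypal.com", "constructed-password"))   # ('ALLOW', False)
    print(simulate_entry(m, "www.paypa1.com", "constructed-password"))   # ('CANCEL', False)
```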
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e. plug-in). Mozilla browser extensions are written using the Mozilla XML User-Interface language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information.
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a “Phishing Archive” describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic, the security terms used are defined below.
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own self-signed certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process.
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.
address of the fake website is httpwwwnutristorecomaurhtm, and the corresponding displayed text is a legitimate-looking httpswww2paypalcomcgi-bincmd= login.
Headers
The headers are the part of the message that is primarily used by the mail servers and the mail client to determine where the message is going and how to unpack it. Most users never see these headers, but for deciding whether a message is phishing or not this part of the message can be quite useful. Headers can be subdivided into three groups based on the entities that add them to the message:
• Mail clients typically add headers such as "To", "From" and "Subject", plus some client-specific headers. Examples of mail client headers are X-MSMail-Priority, X-Mailer and X-MimeOLE; they can be seen in the figure above. Phishing messages may try to fake a particular header and, in doing so, give away that the message is fake. For example, if the X-Mailer header indicates that an HTML message was composed with MS Outlook but the message contains only HTML (without a plaintext part), this is an indication that the message is fake, because MS Outlook cannot send HTML-only messages.
• Mail relays add headers along the path of the message. These are usually "Received" headers, which can be used to determine the originating IP address of the message and the path it took.
• Spam filters or virus scanners usually add headers to the message to indicate the results of the tests run over it. These headers can then be used by the receiving client to determine (based on a user-set threshold) what to do with the message.
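The three header groups above, and the two checks the text draws from them (the Received chain giving the originating IP, and the Outlook-but-HTML-only mismatch), as an added Python example that is not part of the original report. The message it parses is constructed for the demonstration; the hostnames, addresses and spam score in it are made up, and the header-name sets are an assumption about which client, relay and filter headers to expect.

```python
import re
from email import message_from_string, policy

# Constructed sample message (not a real capture). It carries the three kinds
# of header the text describes: client headers (From/To/Subject, X-Mailer...),
# relay headers (Received) and a spam-filter header (X-Spam-Score).
SAMPLE_RAW = """\
Received: from mx.example-bank.test (mx.example-bank.test [192.0.2.10])
    by inbound.mailhost.test with ESMTP id 4f3a; Mon, 12 Jun 2006 09:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mx.example-bank.test with SMTP; Mon, 12 Jun 2006 09:14:55 +0000
From: "Example Bank" <security@example-bank.test>
To: customer@example.test
Subject: Urgent: verify your account
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MSMail-Priority: High
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Spam-Score: 7.4
Content-Type: text/html; charset="us-ascii"

<html><body>Click <a href="http://198.51.100.7/login">here</a></body></html>
"""

# Assumed grouping of header names by the entity that adds them.
CLIENT_HEADERS = {"from", "to", "subject", "date", "x-mailer",
                  "x-msmail-priority", "x-mimeole", "x-priority"}
RELAY_HEADERS = {"received", "return-path"}
FILTER_HEADERS = {"x-spam-score", "x-spam-status", "x-spam-flag", "x-virus-scanned"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse(raw):
    """Parse a raw RFC 5322 message; policy.default unfolds folded headers."""
    return message_from_string(raw, policy=policy.default)


def classify_headers(msg):
    """Group header names by the entity that added them."""
    groups = {"client": [], "relay": [], "filter": [], "other": []}
    for name in msg.keys():
        key = name.lower()
        if key in RELAY_HEADERS:
            groups["relay"].append(name)
        elif key in FILTER_HEADERS:
            groups["filter"].append(name)
        elif key in CLIENT_HEADERS:
            groups["client"].append(name)
        else:
            groups["other"].append(name)
    return groups


def relay_path(msg):
    """IPs of the 'from' hosts in the Received headers, ordered origin -> us.

    Each relay prepends its own Received header, so the last one is the
    origin. Only the lines added by relays you operate are trustworthy; the
    sender can forge the earlier ones, which is why they deserve a look.
    """
    hops = []
    for received in msg.get_all("Received", []):
        match = IPV4.search(str(received))
        if match:
            hops.append(match.group(1))
    return list(reversed(hops))


def outlook_html_only(msg):
    """The mismatch from the text: X-Mailer claims MS Outlook, yet the message
    has an HTML part and no text/plain alternative."""
    mailer = (msg.get("X-Mailer") or "").lower()
    has_html = msg.get_body(preferencelist=("html",)) is not None
    has_plain = msg.get_body(preferencelist=("plain",)) is not None
    return "outlook" in mailer and has_html and not has_plain


def over_spam_threshold(msg, threshold=5.0):
    """Apply a user-set threshold to the score a filter stamped into the headers."""
    score = msg.get("X-Spam-Score")
    if score is None:
        return None  # no filter header, so no verdict
    try:
        return float(str(score)) >= threshold
    except ValueError:
        return None


def analyze(raw):
    """Run all checks over one raw message and return the findings."""
    msg = parse(raw)
    path = relay_path(msg)
    return {
        "headers": classify_headers(msg),
        "originating_ip": path[0] if path else None,
        "relay_path": path,
        "outlook_html_only": outlook_html_only(msg),
        "over_spam_threshold": over_spam_threshold(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The Outlook check is only a heuristic: it relies on a header the sender wrote, so it can flag a message but never clear one. The relay path is read from the bottom up because the origin's own Received line, if present at all, is the one the sender controls.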
WHY PHISHING ATTACKS WORK
Lack of Knowledge
Lack of computer system knowledge. Many users lack the underlying knowledge of how operating systems, applications, email and the web work, and how to distinguish among these. Phishing sites exploit this lack of knowledge in several ways. For example, some users do not understand the meaning or the syntax of domain names and cannot distinguish legitimate from fraudulent URLs (e.g., they may think www.ebay-members-security.com belongs to www.ebay.com). Another attack strategy forges the email header; many users do not have the skills to distinguish forged from legitimate headers.
Lack of knowledge of security and security indicators. Many users do not understand security indicators. For example, many users do not know that a closed padlock icon in the browser indicates that the page they are viewing was delivered securely by SSL. Even if they understand the meaning of that icon, users can be fooled by its placement within the body of a web page (this confusion is not helped by the fact that competing browsers use different icons and place them in different parts of their display). More generally, users may not be aware that padlock icons appear in the browser "chrome" (the interface constructed by the browser around a web page, e.g., toolbars, windows, address bar, status bar) only under specific conditions (i.e., when SSL is used), while icons in the content of the web page can be placed there arbitrarily by designers (or by phishers) to induce trust. Attackers can also exploit users' lack of understanding of the verification process for SSL certificates. Most users do not know how to check SSL certificates in the browser or understand the information presented in a certificate. In one spoofing strategy, a rogue site displays a certificate authority's (CA) trust seal that links to a CA web page. This web page provides an English-language description and verification of the legitimate site's certificate. Only the most informed and diligent users would know to check that the URL of the originating site and the legitimate site described by the CA match.
Lack of knowledge of web fraud. Some users don't know that spoofing websites is possible. Without awareness that phishing is possible, some users simply do not question website legitimacy.
Erroneous security knowledge. Some users have misconceptions about which website features indicate security. For example, participants assumed that if websites contained professional-looking images, animations and ads, the sites were legitimate (influenced by the well-known trust indicators discussed below). Similarly, dedicated login pages from banks were less trusted than those originating from a homepage; several participants mentioned a lack of images and links as a reason for their distrust.
Visual Deception
Phishers use visual deception tricks to mimic legitimate text, images and windows.
Visually deceptive text. Users may be fooled by the syntax of a domain name in "typejacking" attacks, which substitute letters that may go unnoticed (e.g., www.paypai.com uses a lowercase "i", which looks similar to the letter "l", and www.paypa1.com substitutes the number "1" for the letter "l"). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names.
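The URL checks a client could make on the user's behalf, covering both the domain-syntax confusion under "Lack of computer system knowledge" (www.ebay-members-security.com versus www.ebay.com) and the typejacking and non-ASCII tricks just described, as an added Python example that is not part of the original report. The allow-list of trusted domains, the confusable-character map and the sample URLs are assumptions made for the demonstration; the registrable-domain helper assumes a two-label TLD such as .com.

```python
from urllib.parse import urlsplit

# Assumed allow-list: the brands this user actually has accounts with.
TRUSTED_DOMAINS = {"ebay.com", "paypal.com"}

# Substitutions that look alike in many fonts (the text's examples: lowercase
# "i" or the digit "1" standing in for "l"). Folding both the trusted name and
# the candidate through this map makes lookalikes collide.
CONFUSABLES = {"i": "l", "1": "l", "0": "o", "5": "s", "3": "e", "7": "t", "8": "b"}


def registrable_domain(host):
    """Last two labels of the host. Assumes a two-label TLD such as .com; a
    production check would consult the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold_confusables(name):
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def classify_url(url):
    """Return a verdict ('trusted', 'suspicious', 'unknown' or 'invalid') with
    the reasons, judged only on the things the text says users misread:
    hostname syntax, lookalike letters and non-ASCII characters."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if not host:
        return {"host": host, "verdict": "invalid", "findings": ["no hostname"]}

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return {"host": host, "verdict": "trusted", "findings": []}

    if "@" in parts.netloc:
        findings.append("user-info before '@' hides the real host")
    if host.replace(".", "").isdigit():
        findings.append("host is a bare IP address")
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII characters in hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label in hostname")

    folded = fold_confusables(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if folded == fold_confusables(trusted):
            findings.append(f"lookalike of {trusted}")
        elif brand in host:
            findings.append(f"contains brand '{brand}' but is not {trusted}")

    verdict = "suspicious" if findings else "unknown"
    return {"host": host, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs; only the first is the real brand domain.
    for sample in ("http://www.ebay.com/signin",
                   "http://www.ebay-members-security.com/",
                   "http://www.paypai.com/",
                   "http://www.paypa1.com/",
                   "http://www.paypal.com@198.51.100.7/",
                   "https://www.xn--pypal-4ve.com/"):
        print(sample, "->", classify_url(sample))
```

The decision is made on the registrable domain, not on whether a brand name appears anywhere in the URL, which is exactly the distinction the text says users fail to draw. Anything that is not on the allow-list and not flagged is reported as unknown rather than safe.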
Images masking underlying text. One common technique used by phishers is to use an image of a legitimate hyperlink. The image itself serves as a hyperlink to a different, rogue site.
Images mimicking windows. Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless he tries to move or resize the image.
For user convenience, some legitimate organizations allow users to log in from non-SSL pages. Although the user data may be transmitted securely, there is no visual cue in the browser to indicate whether SSL is used for form submissions. To "remedy" this, designers resort to placing a padlock icon in the page content, a tactic that phishers also exploit.
Windows masking underlying windows. A common phishing technique is to place an illegitimate browser window on top of, or next to, a legitimate window. If they have the same look and feel, users may mistakenly believe that both windows are from the same source, regardless of variations in address or security indicators. In the worst case, a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).
Deceptive look and feel. If images and logos are copied perfectly, sometimes the only cues available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue to the user might be the type and quantity of personal information requested.
WHAT SHOULD BE DONE TO FIGHT PHISHING (ANTI-PHISHING)
Phishing needs to be addressed in a managerial way within the network and its components, such as servers, PCs, operating systems, browsers and other applications that run over a connection.
Considering the danger of both false negatives, where firewall packet inspection fails to identify a phishing site, and false positives, where firewall packet inspection wrongly rejects valid sites, it is important to minimize both risks. Microsoft's anti-phishing response team analyzes sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, sites that are concerned can be reconsidered and later removed from the list.
Another way of solving this problem is technical: a biometric check. Biometrics refers to technologies that analyze an individual's physical and behavioral characteristics to automate identification or verification of the user.
To avoid the risk of being caught by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially from banks.
• Do not use the links provided in e-mails; this can lead to malware being installed on your computer. Instead, contact the company over the phone to solve any problems.
• Do not give your credit card numbers or account information unless you are using a secure Web site or the telephone. If you are using a Web site, check the beginning of the web address in your browser's address bar: a secure site should show up as "https" instead of just "http".
• Verify the real address of a web site. Cut and paste the following text into your browser's address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/")
Current browsers strip the "javascript:" prefix from text pasted into the address bar, so it has to be typed back in (or the line saved as a bookmarklet). The hostname the dialog shows is what must match the organization you expect, not the text of the link you clicked.
• Ensure that your browser and OS software are up to date and that the latest security patches are applied.
Possible ways of bypassing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as keystrokes, the attacker can also create such hooks using JavaScript embedded in the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically, this is done by modifying the URL of an existing or hidden image to point to a web site that the attacker controls (e.g., if "a" has been pressed, an image URL may be set to http://attacker.com/key/a). Another possibility for the attacker would be to set a simple timer and to capture "snapshots" of the information in the forms. In this way, an important part of the information could be captured without the user ever hitting a submit button.
The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately, this solution is not feasible because, as mentioned before, a large number of Web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique, we ensure that the attacker is not able to create hooks or timers, or intercept browser events such as key presses, while the user is typing information into a text field. At the same time, we ensure that the legitimate JavaScript functionality on a page (e.g., input validation routines) is preserved. By the time the focus leaves the text element and JavaScript is reactivated, AntiPhish has already determined whether the information typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side effect of our approach is that legitimate event-based JavaScript functionality, such as input validation based on key presses, will not function. The use of key-press events for input validation, however, is uncommon; most web sites perform client-side input validation once, before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e., plug-in). Mozilla browser extensions are written using the Mozilla XML User Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information.
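The defensive rule from the two passages above (scripts off while a text field has focus, sensitivity check at blur time before they come back, cancel when a watched value shows up on a site other than the one it belongs to), modelled in Python as an added example. This is not AntiPhish's own XUL/JavaScript code: the browser events are simulated as method calls, the DES store is replaced by a keyed HMAC so that the secret itself is never kept, and the domain names and the watched value are constructed for the demonstration.

```python
import hashlib
import hmac
import os


class SensitiveInfoStore:
    """What the watcher keeps per trusted site: the values the user chose to
    protect there. The AntiPhish prototype stored them DES-encrypted; this
    example (a substitution, not the project's code) stores only a keyed
    HMAC-SHA256 tag per value, which is enough to recognize the value again."""

    def __init__(self, key=None):
        self._key = key or os.urandom(32)
        self._owners = {}  # tag -> domain the value was registered for

    def _tag(self, value):
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def remember(self, domain, value):
        """The user asked for `value`, typed into `domain`, to be watched."""
        self._owners[self._tag(value)] = domain.lower()

    def owner_of(self, value):
        """Domain that `value` was registered for, or None if unknown."""
        return self._owners.get(self._tag(value))


class FormWatcher:
    """The focus/blur rule as a small state machine. `js_enabled` stands for
    the page's scripting being switched on or off by the extension."""

    def __init__(self, store):
        self.store = store
        self.js_enabled = True
        self.log = []

    def on_focus(self, domain):
        # While typing, no page script can hook keystrokes or take timed snapshots.
        self.js_enabled = False
        self.log.append(f"focus on {domain}: JavaScript off")

    def on_blur(self, domain, typed):
        """Decide before re-enabling JavaScript. Returns 'cancel' or 'allow'."""
        owner = self.store.owner_of(typed)
        if owner is not None and owner != domain.lower():
            verdict = "cancel"  # a watched value typed into a site it does not belong to
            self.log.append(f"blur on {domain}: value belongs to {owner}, cancelled")
        else:
            verdict = "allow"
            self.log.append(f"blur on {domain}: allowed")
        self.js_enabled = True  # legitimate validation and submit code works again
        return verdict


def demo():
    """Constructed scenario: a password registered for bank.test is typed
    into a lookalike site; the watcher cancels at blur time."""
    store = SensitiveInfoStore()
    store.remember("bank.test", "correct horse battery staple")
    watcher = FormWatcher(store)
    watcher.on_focus("bank-login.test")
    return watcher.on_blur("bank-login.test", "correct horse battery staple")


if __name__ == "__main__":
    print(demo())
```

The check compares whole values, so a password typed one character at a time is only recognized once the field loses focus, which is exactly why scripting has to be off until then. The example compares domain strings exactly; a deployment would first reduce both sides to the registrable domain so that www.bank.test and bank.test count as the same site.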
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic, the security terms used are defined next.
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own "self-signed" certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process.
HTTPS
Web browsers use HTTPS rather than HTTP as the prefix of a URL to indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is the science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths.
Although the ultimate goal of cryptography, and of the mechanisms that make it up, is to hide information from unauthorized individuals, most algorithms can be broken and the information revealed if the attacker has enough time, desire and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards, and this is a useful analogy. There are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as the user's name, and information about the organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as the public key and the other as the private key. The certification authority, generally on your campus, creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for a user and then signing it to make it official.
The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle, there are three different interests associated with a digital certificate.
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner

Public Key Certificate
The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers, as service providers, will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; organizations called relying parties, who use the certificates as indicators of authentication; and clients, who request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority that is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates. These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates. These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.
• Client certificates. These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates. These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions:
• CREN-signed campus certificates for institutions. These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.
• CREN Web server certificates. These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates. CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals and CREN issues the certificates.
With these three levels of service, including the free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because hackers need to be kept out of companies' databases. Today's education is not enough, since phishers are getting better each day and coming up with newer tricks to catch innocent customers.
The real problem of phishing is that login systems are very weak, and thus they need to be tightened when it comes to user authentication. Companies could increase their cryptographic protection by using more IPSec VPNs and digital certificates. With IPSec VPNs, customers, as well as the merchant, will need to obtain digital certificates from a certificate authority. Recently, while doing this research, we came across an article from PayPal in which they are convincing email providers to block messages that lack digital signatures. The reason for this is that PayPal is known as one of the most highly spoofed brands that fraudsters use today. This is a very good idea and a good way to keep hackers out of PayPal's databases. As a matter of fact, not only PayPal but every company that conducts business should come up with a similar strategy. Using strategies like this will help customers gain confidence in doing business and dealing with money online. In addition, well-known companies should increase user awareness through education and training, and work with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because phishing can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
REFERENCES
[1] Cannon, J. C. Privacy. Pearson Education, 2005.
[2] Hilley, Sarah. "Internet war picking on the finance sector: survey." Computer Fraud & Security, October 2006.
[3] Bellovin, Steven. "Spamming, Phishing, Authentication, and Privacy." Inside Risks, December 2004, Vol. 47, No. 12, p. 144.
[4] Mulrean, Jennifer. "Phishing scams: How to avoid getting hooked." DollarWise.
[5] Hunter, Philip. "Microsoft declares war on phishers." Computer Fraud & Security, May 2006, pp. 15-16.
[6] Google, http://www.google.com
[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.
[8] Anti-Phishing Working Group. Phishing Archive, http://anti-phishing.org/phishing_archive.htm
[9] Ba, S. and P. Pavlov. "Evidence of the Effect of Trust-Building Technology in Electronic Markets: Price Premiums and Buyer Behavior."
Spam-filters or virus-scanners will usually add headers to the message to
indicate results of the tests run over the message These headers can then
be used by the receiving client to determine (based on a user-set
threshold) what to do with the message
WHY PHISHING ATTACK
Lack of Knowledge
Lack of computer system knowledge Many users lack the
underlying knowledge of how operating systems applications email and
the web work and how to distinguish among these Phishing sites exploit
this lack of knowledge in several ways For example some users do not
understand the meaning or the syntax of domain names and cannot
distinguish legitimate versus fraudulent URLs (eg they may think
wwwebay-members-securitycom belongs to wwwebaycom) Another
attack strategy forges the email header many users do not have the skills
to distinguish forged from legitimate headers
Lack of knowledge of security and security indicators Many
users do not understand security indicators For example many users do
not know that a closed padlock icon in the browser indicates that the page
they are viewing was delivered securely by SSL Even if they understand the
meaning of that icon users can be fooled by its placement within the body
of a web page (this confusion is not aided by the fact that competing
browsers use different icons and place them in different parts of their
display) More generally users may not be aware that padlock icons appear
in the browser ldquochromerdquo (the interface constructed by the browser around
a web page eg toolbars windows address bar status bar) only under
specific conditions (ie when SSL is used) while icons in the content of the
web page can be placed there arbitrarily by designers (or by phishers) to
induce trust Attackers can also exploit usersrsquo lack of understanding of the
verification process for SSL certificates Most users do not know how to
check SSL certificates in the browser or understand the information
presented in a certificate In one spoofing strategy a rogue site displays a
certificate authoritys (CA) trust seal that links to a CA webpage This
webpage provides an English language description and verification of the
legitimate sitersquos certificate Only the most informed and diligent users
would know to check that the URL of the originating site and the legitimate
site described by the CA match
Lack of knowledge of web fraud Some users donrsquot know that
spoofing websites is possible Without awareness phishing is possible
some users simply do not question website legitimacy
Erroneous security knowledge Some users have misconceptions
about which website features indicate security For example participants
assumed that if websites contained professional-looking images
animations and ads they assumed the sites were legitimate (influenced by
well-known trust indicators discussed below) Similarly dedicated login
pages from banks were less trusted than those originating from a
homepage several participants mentioned a lack of images and links as a
reason for their distrust
Visual Deception
Phishers use visual deception tricks to mimic legitimate text images and
windows
Visually deceptive text Users may be fooled by the syntax of a
domain name in ldquotype jackingrdquo attacks which substitute letters that may
go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks
similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo
for the letter ldquolrdquo) Phishers have also taken advantage of non-printing
characters and non-ASCII Unicode characters in domain names
Images masking underlying text One common technique used by
phishers is to use an image of a legitimate hyperlink The image itself
serves as a hyperlink to a different rogue site
Images mimicking windows Phishers use images in the content of a
web page that mimic browser windows or For user convenience some
legitimate organizations allow users to login from non-SSL pages Although
the user data may be transmitted securely there is no visual cue in the
browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this
designers resort to placing a padlock icon in the page content a tactic that
phishers also exploit or dialog windows Because the image looks exactly
like a real window a user can be fooled unless he tries to move or resize
the image
Windows masking underlying windows A common phishing
technique is to place an illegitimate browser window on top of or next to
a legitimate window If they have the same look and feel users may
mistakenly believe that both windows are from the same source
regardless of variations in address or security indicators In the worst case
a user may not even notice that a second window exists (browsers that
allow borderless pop-up windows aggravate the problem)
Deceptive look and feel If images and logos are copied perfectly
sometimes the only cues that are available to the user are the tone of the
language misspellings or other signs of unprofessional design If the
phishing site closely mimics the target site the only cue to the user might
be the type and quantity of requested personal information
WHAT SHOULD BE DONE TO FIGHT PHISHING (ANTI-PHISHING)
Phishing needs to be managed across the network and its components, such as servers, PCs, operating systems, browsers and other applications that run over a connection.

Considering the danger of both false negatives, where firewall packet inspection fails to identify a phishing site, and false positives, where firewall packet inspection wrongly rejects valid sites, it is important to minimize these risks. Microsoft's anti-phishing response team analyzes sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, sites that are affected can be reconsidered and later removed from the list.

Another way of solving this problem is technical: a biometric check. Biometrics refers to technologies that analyze an individual's physical and behavioral characteristics to automate identification or verification of the user.
To avoid the risk of being taken in by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially from banks.
• Do not use the links that are provided in the e-mails; this can result in malware being installed on your computer. Instead, contact the company over the phone to solve any problems.
• Do not give your credit card numbers or account information unless you are using a secure Web site or the telephone. If you are using a Web site, check the beginning of the web address in your browser's address bar. A secure site should show up as "https" instead of just "http".
• Verify the real address of a web site. Cut and paste the following text into your browser address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/");
• Ensure that your browser and OS software is up to date and that the latest security patches are applied.
Possible ways of bypassing AntiPhish with JavaScript

As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as keystrokes, the attacker can also create such hooks using JavaScript embedded into the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically this is done by modifying the URL of an existing or hidden image to a web site that the attacker controls (e.g., if "a" has been pressed, an image URL may be set to http://attacker.com/key=a).

Another possibility for the attacker could be to set a simple timer and to capture "snapshots" of the information in the forms. In this way, an important part of the information could be captured without the user ever hitting a submit button.

The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately, this solution is not feasible because, as mentioned before, a large number of Web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique, we ensure that the attacker is not able to create hooks and timers or intercept browser events such as key presses while the user is typing information into a text field. At the same time, we ensure that the legitimate JavaScript functionality on a page (e.g., input validation routines) is preserved. By the time the focus is lost from the text element and JavaScript is reactivated, AntiPhish has already determined whether the information that was typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side effect of our approach is that legitimate event-based JavaScript functionality, such as input validation based on key presses, will not function. The use of key press events for input validation, however, is uncommon. Most web sites perform client-side input validation once, before a form is submitted.
Implementation details

We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e., plug-in). Mozilla browser extensions are written using the Mozilla XML User Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information.
ANALYSIS OF A PHISHING DATABASE

The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic:

Security Terms and Definitions

Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own self-signed certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.

Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process.

HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to indicate that HTTP is sent over SSL/TLS.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.
Cryptography

Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is a science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths. Although the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals, most algorithms can be broken and the information can be revealed if the attacker has enough time, desire and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates

Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy: there are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as user name, and information about the organization that issued the certificate or card to the user.

To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as a public key and the other as a private key. The certification authority (generally on your campus) creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for the user and then signing it to make it official.

The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of certificate holder
• Public key information

The Parties to a Digital Certificate

In principle there are three different interests associated with a digital certificate:
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner
Public Key Certificate

The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.

Certificate Authorities

Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; organizations called relying parties who use the certificates as indicators of authentication; and clients who request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority that is available for higher education institutions.

Types of Certificates

There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates. These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates. These certificates are also called campus certificates. These certificates are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.
• Client certificates. These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates. These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
The CREN Digital Certificate Services

CREN currently offers an expanded set of certificate authority services to higher education institutions:
• CREN-signed campus certificates for institutions. These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and for more than 500-1000 client certificates.
• CREN Web server certificates. These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates. CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals, and CREN issues the certificates.

With these three levels of service, including the free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION

It is very important to reduce the risk of phishing in today's business, because hackers need to be kept out of companies' databases. Today's education is not enough, since phishers are getting better each day and coming up with newer trends to catch innocent customers.

The real problem of phishing is that login systems are very weak, and thus they need to be tighter when it comes to user authentication. Companies could increase their cryptographic protection by using more IPSec VPNs and digital certificates. With IPSec VPNs, customers will need to obtain digital certificates from a certificate authority, as will the merchant. Recently, while doing this research, we came across an article from PayPal where they are convincing email providers to block messages that lack digital signatures. The reason for this is that PayPal is known as one of the most highly spoofed brands that fraudsters use today. This is a very good idea and a good way to keep hackers out of PayPal databases. As a matter of fact, not only PayPal but every company that conducts business should come up with a similar strategy. Using strategies similar to this will help customers gain confidence in doing business and dealing with money issues. In addition, well-known companies should increase user awareness by education and training, and by working with the FBI to track down phishers.
CONCLUSION

In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because it can become a major loss to well-known companies. Also, it can cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single type of technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides different steps to authenticate users.
they are viewing was delivered securely by SSL Even if they understand the
meaning of that icon users can be fooled by its placement within the body
of a web page (this confusion is not aided by the fact that competing
browsers use different icons and place them in different parts of their
display) More generally users may not be aware that padlock icons appear
in the browser ldquochromerdquo (the interface constructed by the browser around
a web page eg toolbars windows address bar status bar) only under
specific conditions (ie when SSL is used) while icons in the content of the
web page can be placed there arbitrarily by designers (or by phishers) to
induce trust Attackers can also exploit usersrsquo lack of understanding of the
verification process for SSL certificates Most users do not know how to
check SSL certificates in the browser or understand the information
presented in a certificate In one spoofing strategy a rogue site displays a
certificate authoritys (CA) trust seal that links to a CA webpage This
webpage provides an English language description and verification of the
legitimate sitersquos certificate Only the most informed and diligent users
would know to check that the URL of the originating site and the legitimate
site described by the CA match
Lack of knowledge of web fraud Some users donrsquot know that
spoofing websites is possible Without awareness phishing is possible
some users simply do not question website legitimacy
Erroneous security knowledge Some users have misconceptions
about which website features indicate security For example participants
assumed that if websites contained professional-looking images
animations and ads they assumed the sites were legitimate (influenced by
well-known trust indicators discussed below) Similarly dedicated login
pages from banks were less trusted than those originating from a
homepage several participants mentioned a lack of images and links as a
reason for their distrust
Visual Deception
Phishers use visual deception tricks to mimic legitimate text images and
windows
Visually deceptive text Users may be fooled by the syntax of a
domain name in ldquotype jackingrdquo attacks which substitute letters that may
go unnoticed (eg wwwpaypaicom uses a lowercase ldquoirdquo which looks
similar to the letter ldquolrdquo and wwwpaypa1com substitutes the number ldquo1rdquo
for the letter ldquolrdquo) Phishers have also taken advantage of non-printing
characters and non-ASCII Unicode characters in domain names
Images masking underlying text One common technique used by
phishers is to use an image of a legitimate hyperlink The image itself
serves as a hyperlink to a different rogue site
Images mimicking windows Phishers use images in the content of a
web page that mimic browser windows or For user convenience some
legitimate organizations allow users to login from non-SSL pages Although
the user data may be transmitted securely there is no visual cue in the
browser to indicate if SSL is used for form submissions To ldquoremedyrdquo this
designers resort to placing a padlock icon in the page content a tactic that
phishers also exploit or dialog windows Because the image looks exactly
like a real window a user can be fooled unless he tries to move or resize
the image
Windows masking underlying windows A common phishing
technique is to place an illegitimate browser window on top of or next to
a legitimate window If they have the same look and feel users may
mistakenly believe that both windows are from the same source
regardless of variations in address or security indicators In the worst case
a user may not even notice that a second window exists (browsers that
allow borderless pop-up windows aggravate the problem)
Deceptive look and feel If images and logos are copied perfectly
sometimes the only cues that are available to the user are the tone of the
language misspellings or other signs of unprofessional design If the
phishing site closely mimics the target site the only cue to the user might
be the type and quantity of requested personal information
WHAT SHOULD BE DONE TO FIGHT
PHISHING(ANTI-PHISHING)
Phishing needs to be followed in a managerial way within the network and its
components such as servers PCs operating systems browsers and other
applications that run off a connection
As considering the danger of both false negative where firewall packet
inspection fails to identify a phishing site and false positive where firewall packet
inspection wrongly rejects the valid sites it is important to minimize these risks
Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they
are fraud e-mails before adding them to the blacklist Even then sites that are
concerned can be reconsidered and later removed from the list
Another way of solving this problem can be in a technical way by using a
biometric check up Biometrics refers to technologies that analyze an individualrsquos
physical and behavioral characteristics to automate identification or verification
of the user
To avoid the risk of being locked in by phishers here are few tips
bull Be extremely suspicious of any e-mails with urgent
requests for personal information
bull Do not fill out any forms in e-mail messages especially
from banks
bull Do not use the links that are provided in the e-mails this
can cause installing any malicious malware on your
computer Instead contact the company over the phone
to solve any problems
bull Do not give your credit card numbers or account
information unless you are using a secure Web site or
the telephone If you are using a Web site check the
beginning of the web address in your browsersrsquo address
bar A secure site should up as ldquohttpsrdquo instead of just
http
Verify the real address of a web site Cut and paste the
following text into your browser address bar
javascriptalert(The actual URL of this site has been verified
as + location protocol + + location hostname +)
Ensure that your browser and OS software is up-to-date and
that latest security patches are applied
Possible ways of by-passing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML AntiPhish can
easily mitigate phishing attacks This is because the attacker can only steal the
sensitive information in the page after the user performs a submit Before this can
happen however AntiPhish detects that sensitive information has been typed
into a form and cancels the operation Stopping a phishing attack in an HTML
page that has JavaScript on the other hand is not that easy and special care has
to be taken JavaScript is a powerful language that is widely used in webpage for
providing functionality such as submitting forms opening windows intercepting
events and performing input validity checks At the same time however
JavaScript gives the attacker a wide range of possibilities for by-passing a
monitoring application such as AntiPhish Just as AntiPhish creates hooks for
intercepting user generated events such as key strokes the attacker can also
create such hooks using JavaScript embedded into the HTML page Instead of
waiting for the user to press a submit button to send the information the attacker
could intercept the keys that are pressed and send the information character by
character to a server of her choice Typically this is done by modifying the URL of
an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas
been pressed an image URL may be set to httpattackercomkeya)
Another possibility for the attacker could be to set a simple timer and to capture
ldquosnapshotsrdquo of the information in the forms In this way an important part of the
information could be captured without the user ever hitting a submit button The
easiest solution to the JavaScript problem is to deactivate JavaScript on a page
that contains forms Unfortunately this solution is not feasible because as
mentioned before a large number of Web sites use JavaScript for validation and
submission purposes The solution we use in AntiPhish is to deactivate
JavaScript every time the focus is on an HTML text element and to reactivate it
whenever the focus is lost Using this technique we ensure that the attacker is
not able to create hooks timers and intercept browser events such as key presses
while the user is typing information into a text field At the same time we ensure
that the legitimate JavaScript functionality on a page (eg such as input validation
routines) are preserved By the time the focus is lost from the text element and
Java script is reactivated AntiPhish has already determined if the information that
was typed into the text element is sensitive If the web site is un trusted the
operation can be canceled One side-effect of our approach is that legitimate
event-based Java script functionality such as input validation based on key presses
will not function The use of key press events for input validation however is
uncommon Most web sites perform client-side input validation once before a
form is submitted
Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie
plug-in)Mozilla browser extensions are written using the Mozilla XML User-
Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish
has a small footprint and consists of about 900 lines of JavaScript code and 200
lines of XUL user interface code We used Paul Terorsquos JavaScript DES
implementation for safely storing the sensitive information
ANALYSIS OF A PHISHING DATABASE
The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)
Uses a digital signature to bind together a public key with an identity If the
browser encounters a certificate that has not been signed by a trusted
certificate authority it issues a warning to the user Some organizations
create and sign their own self signed
Certificates If a browser encounters a self-signed certificate it issues a
warning and allows the user to decide whether to accept the certificate
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a
particular identity A list of trusted CAs is stored in the browser A certificate
may be issued to a fraudulent website by a CA without a rigorous verification
process
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to
indicate that HTTP is sent over SSLTLS
Secure Sockets Layer (SSL) and Transport Layer Security
(TLS)
Cryptographic protocols used to provide authentication and secure
communications over the Internet SSLTLS authenticates a server by
verifying that the server holds a certificate that has been digitally signed by
a trusted certificate authority SSLTLS also allows the client and server to
agree on an encryption algorithm for securing communications
CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker
Digital Certificates
Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user
Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official
The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication
The contents of a digital certificate are prescribed by the X.509 standard, developed by the ITU-T (published jointly with ISO/IEC) and adopted by ANSI and the Internet Engineering Task Force (IETF), whose PKIX profile governs the certificates used on the Internet. The latest version is X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: the distinguished name of the certificate authority
• Validity period (not-before and not-after dates)
• Unique identification of the certificate holder (the Subject)
• Public key information (the algorithm and the public key itself)
• Extensions (v3 only), such as key usage and subject alternative names
• The issuer's digital signature over all of the above
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital certificate:
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate   Requesting Party                          Issuing Party                       Verifying Party
Identity              The person concerned                      The appropriate government agency   Anyone undertaking an identity check
Accreditation         A qualified member of a profession        The professional body               A user of the services offered by the member
Authorization         A customer wishing to access a resource   The resource owner                  The resource owner
Public Key Certificate
The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates public-private key pairs: two keys related to one another through a mathematical algorithm such that what one key signs, only the other can verify, and the private key cannot feasibly be derived from the public one. The key pairs can reside on one's computer or on hardware devices such as smart cards or removable media such as floppy disks. Individuals or organizations must ensure the security of their private keys; the public keys that correspond to them, however, can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers acting as service providers will want to authenticate the digital certificate of a faculty member or student in real time. This is done by verifying the issuer's digital signature on the certificate using the issuer's public key from the repository, and then challenging the holder to prove possession of the private key that matches the certified public key.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; organizations called relying parties, who use the certificates as indicators of authentication; and clients, who request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority that is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates: These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, the name in the Issuer field is the same as the name in the Subject field, so the certificate proves nothing by itself: a browser trusts it only because it was shipped in, or explicitly added to, the browser's trust store.
• Institutional authority certificates: These certificates are also called campus certificates. They are signed by a third party, verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.
• Client certificates: These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates: These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server, and a browser must check that this name matches the host it actually connected to; a valid certificate for a different name is exactly what a phishing site presents.
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions:
• CREN-signed campus certificates for institutions: These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.
• CREN Web server certificates: These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates: CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates and approves individuals, and CREN issues the certificates.
With these three levels of service, including the free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because attackers must be kept out of companies' databases. Today's user education is not enough, since phishers are getting better each day and coming up with newer tricks to catch unsuspecting customers.
The real problem behind phishing is that login systems are very weak, and they need to be tightened when it comes to user authentication: a password that a user can type into any page can be phished from any page. Companies could strengthen their cryptographic protection by using IPsec VPNs and digital certificates. With IPsec VPNs, the customer as well as the merchant will need to obtain digital certificates from a certificate authority, so that each side authenticates the other rather than the customer alone proving who they are. Recently, while doing this research, we came across an article from PayPal in which they are persuading e-mail providers to block messages that lack digital signatures.
The reason for this is that PayPal is known as one of the most heavily spoofed brands that fraudsters use today. This is a very good idea and a good way to keep forged PayPal mail out of customers' inboxes. In fact, not only PayPal but every company that conducts business online should come up with a similar strategy. Using strategies like this will help customers gain confidence in doing business and dealing with money matters online. In addition, well-known companies should increase user awareness through education and training, and work with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are increasing dramatically every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to address phishing, because it can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides additional steps to authenticate users.
REFERENCES
[1] Cannon, J. C. Privacy. Pearson Education, 2005.
[2] Hilley, Sarah. "Internet war: picking on the finance sector - survey." Computer Fraud & Security, October 2006.
[3] Bellovin, Steven M. "Spamming, Phishing, Authenticating, and Privacy." Inside Risks, Communications of the ACM, December 2004, Vol. 47, No. 12, p. 144.
[4] Mulrean, Jennifer. "Phishing scams: How to avoid getting hooked." DollarWise.
[5] Hunter, Philip. "Microsoft declares war on phishers." Computer Fraud & Security, May 2006, pp. 15-16.
[6] Google, http://www.google.com
[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.
[8] Anti-Phishing Working Group. Phishing Archive, http://anti-phishing.org/phishing_archive.htm
[9] Ba, S. and P. Pavlou. "Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior."
well-known trust indicators discussed below). Similarly, dedicated login pages from banks were less trusted than those originating from a homepage; several participants mentioned a lack of images and links as a reason for their distrust.
Visual Deception
Phishers use visual deception tricks to mimic legitimate text, images and windows.
Visually deceptive text: Users may be fooled by the syntax of a domain name in "typejacking" attacks, which substitute letters that may go unnoticed (e.g. www.paypai.com uses a lowercase "i", which looks similar to the letter "l", and www.paypa1.com substitutes the number "1" for the letter "l"). Phishers have also taken advantage of non-printing characters and non-ASCII Unicode characters in domain names, which can render identically to their Latin look-alikes.
Images masking underlying text: One common technique used by phishers is to use an image of a legitimate hyperlink. The image itself serves as a hyperlink to a different, rogue site.
Images mimicking windows: Phishers use images in the content of a web page that mimic browser windows or dialog windows. Because the image looks exactly like a real window, a user can be fooled unless he tries to move or resize the image.
Padlock icons in page content: For user convenience, some legitimate organizations allow users to log in from non-SSL pages. Although the user data may be transmitted securely, there is no visual cue in the browser to indicate whether SSL is used for form submissions. To "remedy" this, designers resort to placing a padlock icon in the page content, a tactic that phishers also exploit: anything inside the page area is under the page author's control and says nothing about the connection.
Windows masking underlying windows: A common phishing technique is to place an illegitimate browser window on top of or next to a legitimate window. If they have the same look and feel, users may mistakenly believe that both windows are from the same source, regardless of variations in address or security indicators. In the worst case, a user may not even notice that a second window exists (browsers that allow borderless pop-up windows aggravate the problem).
Deceptive look and feel: If images and logos are copied perfectly, sometimes the only cues that are available to the user are the tone of the language, misspellings or other signs of unprofessional design. If the phishing site closely mimics the target site, the only cue to the user might be the type and quantity of requested personal information.
WHAT SHOULD BE DONE TO FIGHT PHISHING (ANTI-PHISHING)
Phishing needs to be addressed in a managed way across the network and its components, such as servers, PCs, operating systems, browsers and other applications that run over a connection.
Considering the danger of both false negatives, where filtering fails to identify a phishing site, and false positives, where filtering wrongly blocks valid sites, it is important to minimize both kinds of error. Microsoft's anti-phishing response team analyzes reported sites carefully to confirm they are fraudulent before adding them to the blacklist. Even then, site owners who are concerned can ask for a listing to be reconsidered and later removed from the list.
Another way of addressing the problem is technical: a biometric check. Biometrics refers to technologies that analyze an individual's physical and behavioral characteristics to automate identification or verification of the user.
To avoid the risk of being hooked by phishers, here are a few tips:
• Be extremely suspicious of any e-mails with urgent requests for personal information.
• Do not fill out any forms in e-mail messages, especially ones that appear to come from banks.
• Do not use the links that are provided in e-mails; following them can lead to malware being installed on your computer. Instead, contact the company over the phone, using a number from your statement or card rather than one in the e-mail, to solve any problems.
• Do not give out your credit card numbers or account information unless you are using a secure Web site or the telephone. If you are using a Web site, check the beginning of the web address in your browser's address bar: a secure site shows up as "https" instead of just "http". Note that "https" only tells you the connection is encrypted to whatever host is named in the address bar; a phishing site can have a certificate of its own, so the hostname still has to be read.
• Verify the real address of a web site. Cut and paste the following text into your browser's address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/");
This displays the protocol and hostname the browser is actually using for the top-level page, which exposes windows-on-windows tricks and address bars faked with images. (Current browsers strip the "javascript:" prefix from pasted text, and some do not run such URLs from the address bar at all; saving the snippet as a bookmarklet is the reliable way to use it.)
• Ensure that your browser and OS software are up to date and that the latest security patches are applied.
Possible ways of by-passing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can easily mitigate phishing attacks. This is because the attacker can only steal the sensitive information in the page after the user performs a submit. Before this can happen, however, AntiPhish detects that sensitive information has been typed into a form and cancels the operation. Stopping a phishing attack in an HTML page that has JavaScript, on the other hand, is not that easy, and special care has to be taken. JavaScript is a powerful language that is widely used in web pages for providing functionality such as submitting forms, opening windows, intercepting events and performing input validity checks. At the same time, however, JavaScript gives the attacker a wide range of possibilities for by-passing a monitoring application such as AntiPhish. Just as AntiPhish creates hooks for intercepting user-generated events such as key strokes, the attacker can also create such hooks using JavaScript embedded in the HTML page. Instead of waiting for the user to press a submit button to send the information, the attacker could intercept the keys that are pressed and send the information character by character to a server of her choice. Typically this is done by modifying the URL of an existing or hidden image to point at a web site that the attacker controls (e.g. if "a" has been pressed, an image URL may be set to http://attacker.com/key=a); the browser fetches the image and thereby delivers the keystroke, with no form submission for a monitor to intercept.
Another possibility for the attacker is to set a simple timer and to capture "snapshots" of the information in the forms. In this way an important part of the information could be captured without the user ever hitting a submit button. The easiest solution to the JavaScript problem is to deactivate JavaScript on a page that contains forms. Unfortunately this solution is not feasible because, as mentioned before, a large number of Web sites use JavaScript for validation and submission purposes. The solution we use in AntiPhish is to deactivate JavaScript every time the focus is on an HTML text element and to reactivate it whenever the focus is lost. Using this technique we ensure that the attacker is not able to create hooks or timers, or to intercept browser events such as key presses, while the user is typing information into a text field. At the same time we ensure that the legitimate JavaScript functionality on a page (such as input validation routines) is preserved. By the time the focus is lost from the text element and JavaScript is reactivated, AntiPhish has already determined whether the information that was typed into the text element is sensitive. If the web site is untrusted, the operation can be canceled. One side-effect of our approach is that legitimate event-based JavaScript functionality, such as input validation based on key presses, will not function. The use of key press events for input validation, however, is uncommon. Most web sites perform client-side input validation once, before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e. a plug-in). Mozilla browser extensions are written using the Mozilla XML User Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information. (DES is a 56-bit cipher and would not be an acceptable choice for such a store today; the design point is that the stored secrets are never kept in the clear.)
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic, the security terms used are defined first.
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own self-signed certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA without a rigorous verification process; a valid certificate therefore shows control of a domain name, not that the domain's owner is honest.
HTTPS
Web browsers use "https" rather than "http" as the prefix of the URL to indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority, that the name in the certificate matches the host being visited, and that the server possesses the corresponding private key. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is the science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths. Although the ultimate goal of cryptography, and of the mechanisms that make it up, is to hide information from unauthorized individuals, most algorithms can be broken and the information revealed if the attacker has enough time, desire and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user
Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official
The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication
The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party
The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person
concernedThe appropriategovernment agency
Anyone undertaking anidentity check
Accreditation A qualified memberof a profession
The professionalbody
A user of the servicesoffered by the member
Authorization A customer wishing to access a resource
The resource owner The resource owner
Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository
Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions
Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-
signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server
The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates
With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs
RECOMMENDATION
It is very important to reduce the risk of phishing in todayrsquos business because
hackers need to stay out of companiesrsquo databases Todayrsquos education is not
enough since phishes are getting better each day and coming with newer trends
to catch innocent customers
The real problem of phishing is because the login systems are very weak and thus
they need to be tighter when it comes to userrsquos authentication The companies
could increase their cryptographic system protection by using more IPSec VPNs
and digital certificates The use of IPSec VPNs customers will need to establish
digital certificates from a certificate authority as well as the merchant Recently
while doing this research we came through an article from PayPal where they are
convincing email providers to block messages that lack digital signatures
The reason for this is that PayPal is known as one of the most highly spoofed
brands that fraudsterrsquos uses today This is a very good idea and a good way to
keep hackers out of PayPal databases As a matter of fact not only PayPal but also
every company that conducts business should come up with a similar strategy like
this Using strategies similar to this will help customers to gain confidence in
doing business and dealing with money issues In addition well-known companies
should increase user awareness by education training and working with FBI to
track down phishers
CONCLUSION
In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users
REFERENCES
[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December
2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom
[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior
Windows masking underlying windows A common phishing
technique is to place an illegitimate browser window on top of or next to
a legitimate window If they have the same look and feel users may
mistakenly believe that both windows are from the same source
regardless of variations in address or security indicators In the worst case
a user may not even notice that a second window exists (browsers that
allow borderless pop-up windows aggravate the problem)
Deceptive look and feel If images and logos are copied perfectly
sometimes the only cues that are available to the user are the tone of the
language misspellings or other signs of unprofessional design If the
phishing site closely mimics the target site the only cue to the user might
be the type and quantity of requested personal information
WHAT SHOULD BE DONE TO FIGHT
PHISHING(ANTI-PHISHING)
Phishing needs to be followed in a managerial way within the network and its
components such as servers PCs operating systems browsers and other
applications that run off a connection
As considering the danger of both false negative where firewall packet
inspection fails to identify a phishing site and false positive where firewall packet
inspection wrongly rejects the valid sites it is important to minimize these risks
Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they
are fraud e-mails before adding them to the blacklist Even then sites that are
concerned can be reconsidered and later removed from the list
Another way of solving this problem can be in a technical way by using a
biometric check up Biometrics refers to technologies that analyze an individualrsquos
physical and behavioral characteristics to automate identification or verification
of the user
To avoid the risk of being locked in by phishers here are few tips
bull Be extremely suspicious of any e-mails with urgent
requests for personal information
bull Do not fill out any forms in e-mail messages especially
from banks
bull Do not use the links that are provided in the e-mails this
can cause installing any malicious malware on your
computer Instead contact the company over the phone
to solve any problems
bull Do not give your credit card numbers or account
information unless you are using a secure Web site or
the telephone If you are using a Web site check the
beginning of the web address in your browsersrsquo address
bar A secure site should up as ldquohttpsrdquo instead of just
http
Verify the real address of a web site Cut and paste the
following text into your browser address bar
javascriptalert(The actual URL of this site has been verified
as + location protocol + + location hostname +)
Ensure that your browser and OS software is up-to-date and
that latest security patches are applied
Possible ways of by-passing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can
easily mitigate phishing attacks. This is because the attacker can only steal the
sensitive information in the page after the user performs a submit. Before this can
happen, however, AntiPhish detects that sensitive information has been typed
into a form and cancels the operation. Stopping a phishing attack in an HTML
page that contains JavaScript, on the other hand, is not that easy, and special care
has to be taken. JavaScript is a powerful language that is widely used in web pages
for providing functionality such as submitting forms, opening windows, intercepting
events and performing input validity checks. At the same time, however,
JavaScript gives the attacker a wide range of possibilities for by-passing a
monitoring application such as AntiPhish. Just as AntiPhish creates hooks for
intercepting user-generated events such as key strokes, the attacker can also
create such hooks using JavaScript embedded in the HTML page. Instead of
waiting for the user to press a submit button to send the information, the attacker
could intercept the keys that are pressed and send the information character by
character to a server of her choice. Typically this is done by modifying the URL of
an existing or hidden image to point at a web site that the attacker controls (e.g. if
"a" has been pressed, an image URL may be set to http://attacker.com/key?a).
Another possibility for the attacker is to set a simple timer and to capture
"snapshots" of the information in the forms. In this way an important part of the
information could be captured without the user ever hitting a submit button. The
easiest solution to the JavaScript problem is to deactivate JavaScript on a page
that contains forms. Unfortunately, this solution is not feasible because, as
mentioned before, a large number of web sites use JavaScript for validation and
submission purposes. The solution used in AntiPhish is to deactivate
JavaScript every time the focus is on an HTML text element and to reactivate it
whenever the focus is lost. Using this technique, the attacker is not able to create
hooks or timers, or to intercept browser events such as key presses, while the user
is typing information into a text field. At the same time, the legitimate JavaScript
functionality on a page (such as input validation routines) is preserved. By the
time the focus leaves the text element and JavaScript is reactivated, AntiPhish
has already determined whether the information that was typed into the text
element is sensitive. If the web site is untrusted, the operation can be canceled.
One side-effect of this approach is that legitimate event-based JavaScript
functionality, such as input validation based on key presses, will not function.
The use of key press events for input validation, however, is uncommon; most
web sites perform client-side input validation once, before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e.
plug-in). Mozilla browser extensions are written using the Mozilla XML User
Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish
has a small footprint and consists of about 900 lines of JavaScript code and 200
lines of XUL user interface code. We used Paul Tero's JavaScript DES
implementation for safely storing the sensitive information. (DES has a 56-bit key
and is no longer considered adequate for protecting stored secrets; a current
implementation would keep keyed hashes of the values or encrypt them with AES.)
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic, the security terms used are defined first.
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the
browser encounters a certificate that has not been signed by a trusted
certificate authority, it issues a warning to the user. Some organizations
create and sign their own self-signed certificates. If a browser encounters a
self-signed certificate, it issues a warning and allows the user to decide
whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a
particular identity. A list of trusted CAs is stored in the browser. A certificate
may be issued to a fraudulent website by a CA without a rigorous verification
process.
HTTPS
Web browsers use HTTPS rather than HTTP as the prefix of a URL to
indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure
communications over the Internet. SSL/TLS authenticates a server by
verifying that the server holds a certificate that has been digitally signed by
a trusted certificate authority. SSL/TLS also allows the client and server to
agree on an encryption algorithm for securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is the science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths. Although the ultimate goal of cryptography, and of the mechanisms that make it up, is to hide information from unauthorized individuals, most algorithms can be broken and the information revealed if the attacker has enough time, desire and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy: there are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as the user's name, and information about the organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as the public key and the other as the private key. The certification authority (generally on your campus) creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for the user and then signing it to make it official.
The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the ITU-T (and published jointly with ISO/IEC as ISO/IEC 9594-8) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital certificate:
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate | Requesting Party                        | Issuing Party                     | Verifying Party
Identity            | The person concerned                    | The appropriate government agency | Anyone undertaking an identity check
Accreditation       | A qualified member of a profession      | The professional body             | A user of the services offered by the member
Authorization       | A customer wishing to access a resource | The resource owner                | The resource owner

Public Key Infrastructure
The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates public-private key pairs. The two keys of a pair are mathematically related so that a signature made with the private key can be verified with the public key, while the private key cannot feasibly be derived from the public key. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers, as service providers, will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs), which issue, manage and revoke digital certificates; organizations called relying parties, which use the certificates as indicators of authentication; and clients, which request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority, which is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates: these certificates create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates: these certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.
• Client certificates: these are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.
• Web server certificates: these certificates are used to secure communications to and from web servers, for example when you buy something on the web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server (in current practice the server's names are listed in the Subject Alternative Name extension, which browsers check instead of the Subject).
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions:
• CREN-signed campus certificates for institutions: these CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more web server certificates and more than 500-1000 client certificates.
• CREN web server certificates: these certificates are for campuses to use for securing web servers supporting a range of campus web applications.
• Client certificates: CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates and approves individuals, and CREN issues the certificates.
With these three levels of service (including the free test certificates), CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because
hackers need to be kept out of companies' databases. Today's education alone is
not enough, since phishers are getting better each day and coming up with newer
tricks to catch unsuspecting customers.
The real problem behind phishing is that login systems are very weak: a stolen
password is all an attacker needs. They therefore need to be tightened when it
comes to user authentication. Companies could strengthen their cryptographic
protection by making more use of IPSec VPNs and digital certificates. With IPSec
VPNs, customers as well as the merchant would need to obtain digital certificates
from a certificate authority. Recently, while doing this research, we came across
an article from PayPal in which they are convincing e-mail providers to block
messages claiming to come from PayPal that lack a valid digital signature.
The reason for this is that PayPal is known as one of the most highly spoofed
brands that fraudsters use today. This is a very good idea and a good way to keep
phishing mail out of customers' inboxes and hackers out of PayPal accounts. As a
matter of fact, not only PayPal but every company that conducts business online
should come up with a similar strategy. Using strategies like this will help
customers gain confidence in doing business and dealing with money online. In
addition, well-known companies should increase user awareness through education
and training, and work with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are increasing dramatically every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve the phishing problem, because it can become a major loss for well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and of other online vulnerabilities. Lastly, biometrics should become one of the major tools and play an important role in combating phishing, because it provides additional steps to authenticate users.
REFERENCES
[1] Cannon, J. C. Privacy. Pearson Education, 2005.
[2] Hilley, Sarah. "Internet war picking on the finance sector - survey." Computer Fraud & Security, October 2006.
[3] Bellovin, Steven. "Spamming, Phishing, Authentication and Privacy." Inside Risks, Communications of the ACM, December 2004, Vol. 47, No. 12, p. 144.
[4] Mulrean, Jennifer. "Phishing scams: How to avoid getting hooked." DollarWise.
[5] Hunter, Philip. "Microsoft declares war on phishers." Computer Fraud & Security, May 2006, pp. 15-16.
[6] Google, http://www.google.com
[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.
[8] Anti-Phishing Working Group. Phishing Archive, http://anti-phishing.org/phishing_archive.htm
[9] Ba, S. and P. Pavlou. "Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior."
Microsoftrsquos Anti-phishing response team analyzes sites carefully to confirm they
are fraud e-mails before adding them to the blacklist Even then sites that are
concerned can be reconsidered and later removed from the list
Another way of solving this problem can be in a technical way by using a
biometric check up Biometrics refers to technologies that analyze an individualrsquos
physical and behavioral characteristics to automate identification or verification
of the user
To avoid the risk of being locked in by phishers here are few tips
bull Be extremely suspicious of any e-mails with urgent
requests for personal information
bull Do not fill out any forms in e-mail messages especially
from banks
bull Do not use the links that are provided in the e-mails this
can cause installing any malicious malware on your
computer Instead contact the company over the phone
to solve any problems
bull Do not give your credit card numbers or account
information unless you are using a secure Web site or
the telephone If you are using a Web site check the
beginning of the web address in your browsersrsquo address
bar A secure site should up as ldquohttpsrdquo instead of just
http
Verify the real address of a web site Cut and paste the
following text into your browser address bar
javascriptalert(The actual URL of this site has been verified
as + location protocol + + location hostname +)
Ensure that your browser and OS software is up-to-date and
that latest security patches are applied
Possible ways of by-passing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML AntiPhish can
easily mitigate phishing attacks This is because the attacker can only steal the
sensitive information in the page after the user performs a submit Before this can
happen however AntiPhish detects that sensitive information has been typed
into a form and cancels the operation Stopping a phishing attack in an HTML
page that has JavaScript on the other hand is not that easy and special care has
to be taken JavaScript is a powerful language that is widely used in webpage for
providing functionality such as submitting forms opening windows intercepting
events and performing input validity checks At the same time however
JavaScript gives the attacker a wide range of possibilities for by-passing a
monitoring application such as AntiPhish Just as AntiPhish creates hooks for
intercepting user generated events such as key strokes the attacker can also
create such hooks using JavaScript embedded into the HTML page Instead of
waiting for the user to press a submit button to send the information the attacker
could intercept the keys that are pressed and send the information character by
character to a server of her choice Typically this is done by modifying the URL of
an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas
been pressed an image URL may be set to httpattackercomkeya)
Another possibility for the attacker could be to set a simple timer and to capture
ldquosnapshotsrdquo of the information in the forms In this way an important part of the
information could be captured without the user ever hitting a submit button The
easiest solution to the JavaScript problem is to deactivate JavaScript on a page
that contains forms Unfortunately this solution is not feasible because as
mentioned before a large number of Web sites use JavaScript for validation and
submission purposes The solution we use in AntiPhish is to deactivate
JavaScript every time the focus is on an HTML text element and to reactivate it
whenever the focus is lost Using this technique we ensure that the attacker is
not able to create hooks timers and intercept browser events such as key presses
while the user is typing information into a text field At the same time we ensure
that the legitimate JavaScript functionality on a page (eg such as input validation
routines) are preserved By the time the focus is lost from the text element and
Java script is reactivated AntiPhish has already determined if the information that
was typed into the text element is sensitive If the web site is un trusted the
operation can be canceled One side-effect of our approach is that legitimate
event-based Java script functionality such as input validation based on key presses
will not function The use of key press events for input validation however is
uncommon Most web sites perform client-side input validation once before a
form is submitted
Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie
plug-in)Mozilla browser extensions are written using the Mozilla XML User-
Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish
has a small footprint and consists of about 900 lines of JavaScript code and 200
lines of XUL user interface code We used Paul Terorsquos JavaScript DES
implementation for safely storing the sensitive information
ANALYSIS OF A PHISHING DATABASE
The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)
Uses a digital signature to bind together a public key with an identity If the
browser encounters a certificate that has not been signed by a trusted
certificate authority it issues a warning to the user Some organizations
create and sign their own self signed
Certificates If a browser encounters a self-signed certificate it issues a
warning and allows the user to decide whether to accept the certificate
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a
particular identity A list of trusted CAs is stored in the browser A certificate
may be issued to a fraudulent website by a CA without a rigorous verification
process
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to
indicate that HTTP is sent over SSLTLS
Secure Sockets Layer (SSL) and Transport Layer Security
(TLS)
Cryptographic protocols used to provide authentication and secure
communications over the Internet SSLTLS authenticates a server by
verifying that the server holds a certificate that has been digitally signed by
a trusted certificate authority SSLTLS also allows the client and server to
agree on an encryption algorithm for securing communications
CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker
Digital Certificates
Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user
Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official
The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication
The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party
The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person
concernedThe appropriategovernment agency
Anyone undertaking anidentity check
Accreditation A qualified memberof a profession
The professionalbody
A user of the servicesoffered by the member
Authorization A customer wishing to access a resource
The resource owner The resource owner
Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository
Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions
Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-
signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server
The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates
With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs
RECOMMENDATION
It is very important to reduce the risk of phishing in todayrsquos business because
hackers need to stay out of companiesrsquo databases Todayrsquos education is not
enough since phishes are getting better each day and coming with newer trends
bar. A secure site should show up as "https" instead of just "http".
Verify the real address of a web site. Cut and paste the following text into
your browser address bar:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/")
(Two caveats: a phishing page can redefine window.alert to display whatever
message it likes, and current browsers strip the "javascript:" prefix from text
pasted into the address bar, so this check is no longer reliable.)
Ensure that your browser and OS software is up-to-date and that the latest
security patches are applied.
Possible ways of bypassing AntiPhish with JavaScript
As long as the web page that the user is viewing is pure HTML, AntiPhish can
easily mitigate phishing attacks. This is because the attacker can only steal the
sensitive information in the page after the user performs a submit. Before this
can happen, however, AntiPhish detects that sensitive information has been typed
into a form and cancels the operation. Stopping a phishing attack in an HTML
page that has JavaScript, on the other hand, is not that easy, and special care
has to be taken. JavaScript is a powerful language that is widely used in web
pages for providing functionality such as submitting forms, opening windows,
intercepting events and performing input validity checks. At the same time,
however, JavaScript gives the attacker a wide range of possibilities for
bypassing a monitoring application such as AntiPhish. Just as AntiPhish creates
hooks for intercepting user-generated events such as key strokes, the attacker
can also create such hooks using JavaScript embedded into the HTML page. Instead
of waiting for the user to press a submit button to send the information, the
attacker could intercept the keys that are pressed and send the information
character by character to a server of her choice. Typically this is done by
modifying the URL of an existing or hidden image to a web site that the attacker
controls (e.g. if "a" has been pressed, an image URL may be set to
http://attacker.com/key=a).
Another possibility for the attacker could be to set a simple timer and to
capture "snapshots" of the information in the forms. In this way an important
part of the information could be captured without the user ever hitting a
submit button. The easiest solution to the JavaScript problem is to deactivate
JavaScript on a page that contains forms. Unfortunately this solution is not
feasible because, as mentioned before, a large number of web sites use
JavaScript for validation and submission purposes. The solution we use in
AntiPhish is to deactivate JavaScript every time the focus is on an HTML text
element and to reactivate it whenever the focus is lost. Using this technique we
ensure that the attacker is not able to create hooks, set timers or intercept
browser events such as key presses while the user is typing information into a
text field. At the same time we ensure that the legitimate JavaScript
functionality on a page (such as input validation routines) is preserved. By
the time the focus is lost from the text element and JavaScript is reactivated,
AntiPhish has already determined whether the information that was typed into
the text element is sensitive. If the web site is untrusted, the operation can
be canceled. One side effect of our approach is that legitimate event-based
JavaScript functionality, such as input validation based on key presses, will
not function. The use of key press events for input validation, however, is
uncommon. Most web sites perform client-side input validation once before a
form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e.
plug-in). Mozilla browser extensions are written using the Mozilla XML User
Interface Language (XUL) and JavaScript. The Mozilla implementation of AntiPhish
has a small footprint and consists of about 900 lines of JavaScript code and 200
lines of XUL user interface code. We used Paul Tero's JavaScript DES
implementation for safely storing the sensitive information. (DES, with its
56-bit key, is no longer considered adequate for protecting stored credentials;
a current implementation would use AES.)
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception and lack of attention. To aid readers who are unfamiliar with the topic, security terms and definitions follow.
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the
browser encounters a certificate that has not been signed by a trusted
certificate authority, it issues a warning to the user. Some organizations
create and sign their own self-signed certificates. If a browser encounters a
self-signed certificate, it issues a warning and allows the user to decide
whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a
particular identity. A list of trusted CAs is stored in the browser. A certificate
may be issued to a fraudulent website by a CA without a rigorous verification
process.
HTTPS
Web browsers use "https" rather than "http" as the URL scheme to indicate that
HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure
communications over the Internet. SSL/TLS authenticates a server by verifying
that the server holds a certificate that has been digitally signed by a trusted
certificate authority and that it possesses the matching private key. SSL/TLS
also allows the client and server to agree on an encryption algorithm for
securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only
those it is intended for can read and process. It is the science of protecting
information by encoding it into an unreadable format. Cryptography is an
effective way of protecting sensitive information as it is stored on media or
transmitted through network communication paths.
Although the ultimate goal of cryptography and the mechanisms that make it up
is to hide information from unauthorized individuals, most algorithms can be
broken and the information revealed if the attacker has enough time, desire and
resources. So a more realistic goal of cryptography is to make obtaining the
information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or
PKI. Digital certificates have been described as virtual ID cards. This is a
useful analogy: there are many ways in which digital certificates and ID cards
really are the same. Both ID cards and client digital certificates contain
information about the user, such as the user's name, and information about the
organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated.
One of these keys is referred to as the public key and the other as the private
key. The certification authority (generally on your campus) creates a digital
certificate by combining information about the user and the issuing organization
with the public key and digitally signing the whole thing. This is very much like
an organization's ID office filling out an ID card for the user and then signing
it to make it official.
The process defines how a certificate authority establishes that a person or
institution is who they say they are. Certification may require recipients to
appear in person and to present pictures, birth certificates or social security
numbers. Certificates that are issued after rigorous authentication will be more
trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard,
developed by the ITU-T together with ISO/IEC and adopted by the American
National Standards Institute (ANSI) and the Internet Engineering Task Force
(IETF). The current version is X.509 v3. The principal elements of a digital
certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate (a certificate authority), with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital
certificate.
The Requesting Party: the party who needs the certificate and will offer it for
use by others; they will generally provide some or all of the information it
contains.
The Issuing Party: the party that digitally signs the certificate after creating
the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the
certificate and then rely on its contents for some purpose.
Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner
Public Key Infrastructure
The combination of standards, protocols and software that support digital
certificates is called a public key infrastructure, or PKI. The software that
supports this infrastructure generates public-private key pairs. The two keys
of a pair are related to one another through a mathematical algorithm, so that
what one key signs or encrypts only the other can verify or decrypt. The key
pairs can reside on one's computer or on hardware devices such as smart cards
or floppy disks. Individuals or organizations must ensure the security of their
private keys. However, the public keys that correspond to their private keys
can be posted on web sites or sent across the network. Issuers of digital
certificates often maintain online repositories of public keys. These
repositories make it possible to authenticate owners of digital certificates in
real time. For example, publishers as service providers will want to
authenticate the digital certificate of a faculty member or student in real
time. This is possible by verifying the digital signature using the public key
in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public
key infrastructure (PKI). A PKI includes organizations called certification
authorities (CAs) that issue, manage and revoke digital certificates;
organizations called relying parties who use the certificates as indicators of
authentication; and clients who request, manage and use certificates. A CA
might create a separate registration authority (RA) to handle the task of
identifying individuals who apply for certificates. Examples of certification
authorities include VeriSign, a well-known commercial provider, and the CREN
Certificate Authority that is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and
this can be confusing. It helps to differentiate between at least four types of
certificates. You can see samples of some of these different types of
certificates in your browser.
• Root or authority certificates: These are certificates that create the base
(or root) of a certification authority hierarchy such as Thawte or CREN. These
certificates are not signed by another CA; they are self-signed by the CA that
created them. When a certificate is self-signed, it means that the name in the
Issuer field is the same as the name in the Subject field.
• Institutional authority certificates: These certificates are also called
campus certificates. They are signed by a third party verifying the
authenticity of a campus certification authority. Campuses then use their
"authority" to issue client certificates for faculty, staff and students.
• Client certificates: These are also known as end-entity certificates,
identity certificates or personal certificates. The Issuer is typically the
campus CA.
• Web server certificates: These certificates are used to secure communications
to and from web servers, for example when you buy something on the web. They
are called server-side certificates. The Subject name in a server certificate
is the DNS name of the server.
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to
higher education institutions:
• CREN-signed campus certificates for institutions: These CREN-signed
certificates are for institutions issuing certificates for their campus
community, in the range of 10 or more web server certificates and more than
500-1000 client certificates.
• CREN web server certificates: These certificates are for campuses to use for
securing web servers supporting a range of campus web applications.
• Client certificates: CREN has an internal CRENNET service equivalent to a
campus certificate-issuing application. A registration contact at a campus
validates and approves individuals, and CREN issues the certificates.
With these three levels of service, including the free test certificates, CREN
can help campuses get started using digital certificates at a level matching
their particular campus needs.
RECOMMENDATION
It is very important to reduce the risk of phishing in today's business, because
hackers must be kept out of companies' databases. Today's education is not
enough, since phishers are getting better each day and coming up with newer
tricks to catch innocent customers.
The real problem behind phishing is that the login systems are very weak, and
thus they need to be tighter when it comes to user authentication. Companies
could strengthen their cryptographic protection by using more IPSec VPNs and
digital certificates. With IPSec VPNs, customers as well as the merchant would
need to obtain digital certificates from a certificate authority. Recently,
while doing this research, we came across an article from PayPal in which they
are convincing email providers to block messages that lack digital signatures.
The reason for this is that PayPal is known as one of the most highly spoofed
brands that fraudsters use today. This is a very good idea and a good way to
keep spoofed PayPal mail out of customers' inboxes. As a matter of fact, not
only PayPal but every company that conducts business online should come up with
a similar strategy. Strategies like this will help customers to gain confidence
in doing business and dealing with money online. In addition, well-known
companies should increase user awareness through education and training, and
should work with the FBI to track down phishers.
CONCLUSION
In short, the outcomes of phishing attacks are dramatically increasing every day. Attacks on financial services companies have been doubling each year compared to previous years. It is of crucial importance for companies to come up with new ways to solve phishing problems, because it can become a major loss to well-known companies. It can also cause consumers to lose confidence in doing business online, which can affect many companies with an online presence. No single technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and other online vulnerabilities. Lastly, biometrics should become one of the major aspects and play an important role in combating phishing, because it provides additional factors to authenticate users.
REFERENCES
[1] Cannon, J. C. Privacy. Pearson Education, 2005.
[2] Hilley, Sarah. "Internet war picking on the finance sector - survey." Computer Fraud & Security, October 2006.
[3] Bellovin, Steven. "Spamming, Phishing, Authentication, and Privacy." Inside Risks, Communications of the ACM, December 2004, Vol. 47, No. 12, p. 144.
[4] Mulrean, Jennifer. "Phishing scams: How to avoid getting hooked." DollarWise.
[5] Hunter, Philip. "Microsoft declares war on phishers." Computer Fraud & Security, May 2006, pp. 15-16.
[6] Google. http://www.google.com
[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.
[8] Anti-Phishing Working Group. Phishing Archive. http://anti-phishing.org/phishing_archive.htm
[9] Ba, S. & P. Pavlou. "Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior."
create such hooks using JavaScript embedded into the HTML page Instead of
waiting for the user to press a submit button to send the information the attacker
could intercept the keys that are pressed and send the information character by
character to a server of her choice Typically this is done by modifying the URL of
an existing or hidden image to a web site that the attacker controls (eg if ldquoa ldquohas
been pressed an image URL may be set to httpattackercomkeya)
Another possibility for the attacker could be to set a simple timer and to capture
ldquosnapshotsrdquo of the information in the forms In this way an important part of the
information could be captured without the user ever hitting a submit button The
easiest solution to the JavaScript problem is to deactivate JavaScript on a page
that contains forms Unfortunately this solution is not feasible because as
mentioned before a large number of Web sites use JavaScript for validation and
submission purposes The solution we use in AntiPhish is to deactivate
JavaScript every time the focus is on an HTML text element and to reactivate it
whenever the focus is lost Using this technique we ensure that the attacker is
not able to create hooks timers and intercept browser events such as key presses
while the user is typing information into a text field At the same time we ensure
that the legitimate JavaScript functionality on a page (eg such as input validation
routines) are preserved By the time the focus is lost from the text element and
Java script is reactivated AntiPhish has already determined if the information that
was typed into the text element is sensitive If the web site is un trusted the
operation can be canceled One side-effect of our approach is that legitimate
event-based Java script functionality such as input validation based on key presses
will not function The use of key press events for input validation however is
uncommon Most web sites perform client-side input validation once before a
form is submitted
Implementation detailsWe implemented the prototype of AntiPhish as a Mozilla browser extension (ie
plug-in)Mozilla browser extensions are written using the Mozilla XML User-
Interface language (XUL) and JavaScript The Mozilla implementation of AntiPhish
has a small footprint and consists of about 900 lines of JavaScript code and 200
lines of XUL user interface code We used Paul Terorsquos JavaScript DES
implementation for safely storing the sensitive information
ANALYSIS OF A PHISHING DATABASE
The Anti Phishing Working Group maintains a ldquoPhishing Archiverdquo describing phishing attacks dating back to September 2003 We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies Below we list the strategies organized along three dimensions lack of knowledge visual deception and lack of attention To aid readers who are unfamiliar with the topic Security Terms and DefinitionsCertificate (digital certificate public key certificate)
Uses a digital signature to bind together a public key with an identity If the
browser encounters a certificate that has not been signed by a trusted
certificate authority it issues a warning to the user Some organizations
create and sign their own self signed
Certificates If a browser encounters a self-signed certificate it issues a
warning and allows the user to decide whether to accept the certificate
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a
particular identity A list of trusted CAs is stored in the browser A certificate
may be issued to a fraudulent website by a CA without a rigorous verification
process
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to
indicate that HTTP is sent over SSLTLS
Secure Sockets Layer (SSL) and Transport Layer Security
(TLS)
Cryptographic protocols used to provide authentication and secure
communications over the Internet SSLTLS authenticates a server by
verifying that the server holds a certificate that has been digitally signed by
a trusted certificate authority SSLTLS also allows the client and server to
agree on an encryption algorithm for securing communications
CryptographyCryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process It is a science of protecting information by encoding it into an unreadable format Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication pathsAlthough the ultimate goal of cryptography and the mechanisms that make it up is to hide information from unauthorized individuals most algorithms can be broken and the information can be revealed if the attacker has enough time desire and resources So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker
Digital Certificates
Digital Certificates are part of a technology called Public Key Infrastructure orPKI Digital certificates have been described as virtual ID cards This is a useful analogy There are many ways that digital certificates and ID cards really are thesame Both ID cards and client digital certificates contain information about usersuch as user name and information about the organization that issued thecertificate or card to user
Creating digital certificates a unique cryptographic key pair is generated One of these keys is referred to as a public key and the other as a private key The certification authoritymdashgenerally on your campusmdashcreates a digital certificate by combining information about user and the issuing organization with the public key and digitally signing the whole thing This is very much like an organizationrsquos ID office filling out an ID card for user and then signing it to make it official
The process defines how a certificate authority establishes that a person or institution is who they say they are Certification may require recipients to appear in person and to present pictures birth certificates or social security numbers Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication
The contents of a digital certificate are prescribed by the X509 standard developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF) The latest version is now X509 v3 The principal elements of a digital certificate are as followsbull Version number of the certificate formatbull Serial number of the certificatebull Signature algorithm identifierbull Issuer of digital certificate a certificate authority with URLbull Validity periodbull Unique identification of certificate holderbull Public key informationThe Parties to a Digital CertificateIn principle there are three different interests associated with a digital certificateThe Requesting Party The party who needs the certificate and will offer it for use by others they will generally provide some or all of the information it containsThe Issuing Party
The party that digitally signs the certificate after creating the information in the certificate or checking its correctnessThe Verifying Party (or Parties) Parties that validate the signature on the certificate and then rely on its contents for some purposeType of Certificate Requesting Party Issuing Party Verifying PartyIdentity The person
concernedThe appropriategovernment agency
Anyone undertaking anidentity check
Accreditation A qualified memberof a profession
The professionalbody
A user of the servicesoffered by the member
Authorization A customer wishing to access a resource
The resource owner The resource owner
Public key CertificateThe combination of standards protocols and software that support digital certificates is called a public key infrastructure or PKI The software that supports this infrastructure generates sets of public-private key pairs Public-private key pairs are codes that are related to one another through a complex mathematical algorithm The key pairs can reside on onersquos computer or on hardware devices such as smart cards or floppy disks Individuals or organizations must ensure the security of their private keys However the public keys that correspond to their private keys can be posted on Web sites or sent across the network Issuers of digital certificates often maintain online repositories of public keys These repositories make it possible to authenticate owners of digital certificates in real timeFor example publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time This is possible by verifying the digital signature using the public key in the repository
Certificate AuthoritiesDigital certificates are one part of a set of components that make up a public keyinfrastructure (PKI) A PKI includes organizations called certification authorities (CAs) that issue manage and revoke digital certificates organizations called relying parties who use the certificates as indicators of authentication and clientswho request manage and use certificates A CA might create a separate registration authority (RA) to handle the task of identifying individuals who applyfor certificates Examples of certification authorities include VeriSign a wellknowncommercial provider and the CREN Certificate Authority that isavailable for higher education institutions
Types of CertificatesThere are different types of certificates each with different functions and this canbe confusing It helps to differentiate between at least four types of certificatesYou can see samples of some of these different types of certificates in your browserbull Root or authority certificatesThese are certificates that create the base (or root) of a certification authority hierarchy such as Thawte or CREN These certificates are not signed by another CAmdashthey are self signed by the CA that created them When a certificate is self-
signed it means that the name in the Issuer field is the same as the name in the Subject Fieldbull Institutional authority certificates These certificates are also called campus certificates These certificates are signed by a third party verifying the authenticity of a campus certification authority Campuses then use their ldquoauthorityrdquo to issue client certificates for faculty staff and studentsbull Client certificatesThese are also known as end-entity certificates identity certificates or personal certificates The Issuer is typically the campus CAbull Web server certificates These certificates are used to secure communications to and from Web servers for example when you buy something on the Web They are called server-side certificates The Subject name in a server certificate is the DNS name of the server
The CREN Digital Certificate ServicesCREN currently offers an expanded set of certificate authority services to higher education institutionsbull CREN-signed campus certificates for institutionsThese CREN-signed certificates are for institutions issuing certificates for their campus communitymdashin the range of 10 or more Web server certificates and formore than 500-1000 client certificatesbull CREN Web server certificates These certificates are for campuses to use for securing Web servers supporting a range of campus Web applicationsbull Client certificatesCREN has an internal CRENNET service equivalent to a campus certificate-issuing application A registration contact at a campus validatesapproves individuals and CREN issues the certificates
With these three levels of service mdash including the free test certificates mdash CRENcan help campuses get started using digital certificates at a level matching theirparticular campus needs
RECOMMENDATION
It is very important to reduce the risk of phishing in todayrsquos business because
hackers need to stay out of companiesrsquo databases Todayrsquos education is not
enough since phishes are getting better each day and coming with newer trends
to catch innocent customers
The real problem of phishing is because the login systems are very weak and thus
they need to be tighter when it comes to userrsquos authentication The companies
could increase their cryptographic system protection by using more IPSec VPNs
and digital certificates The use of IPSec VPNs customers will need to establish
digital certificates from a certificate authority as well as the merchant Recently
while doing this research we came through an article from PayPal where they are
convincing email providers to block messages that lack digital signatures
The reason for this is that PayPal is known as one of the most highly spoofed
brands that fraudsterrsquos uses today This is a very good idea and a good way to
keep hackers out of PayPal databases As a matter of fact not only PayPal but also
every company that conducts business should come up with a similar strategy like
this Using strategies similar to this will help customers to gain confidence in
doing business and dealing with money issues In addition well-known companies
should increase user awareness by education training and working with FBI to
track down phishers
CONCLUSION
In short the outcomes of phishing attacks are dramatically increasing every day Attacks on financial services companies have been doubling each year compared to previous years It is of crucial importance for companies to come up with new ways to solve phishing problems because it can become a major loss to well-known companies Also it can cause consumers to lose confidence in doing business online which can affect many companies with an online presence Not any type of technologyCan stop phishing attacks but there are many ways to enable Phishes from accomplishing their goals Consumer education can increase the awareness of the phishing threat and other online vulnerabilities Lastly biometrics should become one of the major aspects and play an important role to combat phishing because it provides different steps to authenticate users
REFERENCES
[1] Cannon, J.C. Privacy. Pearson Education, 2005.
[2] Hilley, Sarah. "Internet war picking on the finance sector - survey." Computer Fraud & Security, October 2006.
[3] Bellovin, Steven. "Spamming, Phishing, Authentication, and Privacy." Inside Risks, December 2004, Vol. 47, No. 12, p. 144.
[4] Mulrean, Jennifer. "Phishing scams: How to avoid getting hooked." DollarWise.
[5] Hunter, Philip. "Microsoft declares war on phishers." Computer Fraud & Security, May 2006, pp. 15-16.
[6] Google, http://www.google.com
[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.
[8] Anti-Phishing Working Group. Phishing Archive, http://anti-phishing.org/phishing_archive.htm
[9] Ba, S. & P. Pavlov. "Evidence of the Effect of Trust-Building Technology in Electronic Markets: Price Premiums and Buyer Behavior."
uncommon. Most web sites perform client-side input validation once before a form is submitted.
Implementation details
We implemented the prototype of AntiPhish as a Mozilla browser extension (i.e., plug-in). Mozilla browser extensions are written using the Mozilla XML User-Interface language (XUL) and JavaScript. The Mozilla implementation of AntiPhish has a small footprint and consists of about 900 lines of JavaScript code and 200 lines of XUL user interface code. We used Paul Tero's JavaScript DES implementation for safely storing the sensitive information.
ANALYSIS OF A PHISHING DATABASE
The Anti-Phishing Working Group maintains a "Phishing Archive" describing phishing attacks dating back to September 2003. We performed a cognitive walkthrough on the approximately 200 sample attacks within this archive. (A cognitive walkthrough evaluates the steps required to perform a task and attempts to uncover mismatches between how users think about a task and how the user interface designer thinks about the task.) Our goal was to gather information about which strategies are used by attackers and to formulate hypotheses about how lay users would respond to these strategies. Below we list the strategies, organized along three dimensions: lack of knowledge, visual deception, and lack of attention. To aid readers who are unfamiliar with the topic, the security terms used here are defined below.
Security Terms and Definitions
Certificate (digital certificate, public key certificate)
Uses a digital signature to bind together a public key with an identity. If the browser encounters a certificate that has not been signed by a trusted certificate authority, it issues a warning to the user. Some organizations create and sign their own self-signed certificates. If a browser encounters a self-signed certificate, it issues a warning and allows the user to decide whether to accept the certificate.
Certificate Authority (CA)
An entity that issues certificates and attests that a public key belongs to a particular identity. A list of trusted CAs is stored in the browser. A certificate may be issued to a fraudulent website by a CA that does not apply a rigorous verification process.
HTTPS
Web browsers use HTTPS rather than HTTP as a prefix to the URL to indicate that HTTP is sent over SSL/TLS.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Cryptographic protocols used to provide authentication and secure communications over the Internet. SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority. SSL/TLS also allows the client and server to agree on an encryption algorithm for securing communications.
Cryptography
Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is the science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information while it is stored on media or transmitted over network communication paths. Although the ultimate goal of cryptography, and of the mechanisms that make it up, is to hide information from unauthorized individuals, most algorithms can be broken and the information revealed if the attacker has enough time, desire, and resources. So a more realistic goal of cryptography is to make obtaining the information too work-intensive to be worth it to the attacker.
Digital Certificates
Digital certificates are part of a technology called Public Key Infrastructure, or PKI. Digital certificates have been described as virtual ID cards. This is a useful analogy: there are many ways in which digital certificates and ID cards really are the same. Both ID cards and client digital certificates contain information about the user, such as the user's name, and information about the organization that issued the certificate or card to the user.
To create a digital certificate, a unique cryptographic key pair is generated. One of these keys is referred to as the public key and the other as the private key. The certification authority (generally on your campus) creates a digital certificate by combining information about the user and the issuing organization with the public key and digitally signing the whole thing. This is very much like an organization's ID office filling out an ID card for the user and then signing it to make it official.
The process defines how a certificate authority establishes that a person or institution is who they say they are. Certification may require recipients to appear in person and to present pictures, birth certificates, or social security numbers. Certificates that are issued after rigorous authentication will be more trustworthy than certificates requiring little or no authentication.
The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI) and the Internet Engineering Task Force (IETF). The latest version is now X.509 v3. The principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate
• Signature algorithm identifier
• Issuer of the digital certificate: a certificate authority, with URL
• Validity period
• Unique identification of the certificate holder
• Public key information
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital certificate.
The Requesting Party: the party who needs the certificate and will offer it for use by others; they will generally provide some or all of the information it contains.
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.
The Verifying Party (or Parties): parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner
Public Key Certificate
The combination of standards, protocols, and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. Public-private key pairs are codes that are related to one another through a complex mathematical algorithm. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network. Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers as service providers will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository.
Certificate Authorities
Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage, and revoke digital certificates; organizations called relying parties, who use the certificates as indicators of authentication; and clients, who request, manage, and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority, which is available for higher education institutions.
Types of Certificates
There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.
• Root or authority certificates: These are certificates that create the base (or root) of a certification authority hierarchy, such as Thawte or CREN. These certificates are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, it means that the name in the Issuer field is the same as the name in the Subject field.
• Institutional authority certificates: These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff, and students.
• Client certificates: These are also known as end-entity certificates, identity certificates, or personal certificates. The Issuer is typically the campus CA.
• Web server certificates: These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server.
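As an added example (not from this paper or from the CREN or AntiPhish material it draws on), the Go program below uses only the standard library to issue the certificate types just listed: a self-signed root (Issuer equals Subject), a campus CA signed by the root, and a Web server certificate whose Subject is the server's DNS name. It then plays the verifying party, accepting the genuine chain and rejecting both a name mismatch and a certificate with the same DNS name issued by an untrusted root; all CA names and host names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certPair is one certificate plus the private key matching its public key.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent, or a self-signed one
// (Issuer equals Subject) when parent is nil; dnsNames names a Web server.
func issue(cn string, isCA bool, dnsNames []string, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // must be positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour), // validity period
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA, // root and institutional CAs may sign others
		DNSNames:              dnsNames,
	}
	signerCert, signerKey := tmpl, key // self-signed: the CA signs its own certificate
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, key.Public(), signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// isSelfSigned applies the test from the text (Issuer equals Subject) and also
// checks the signature under the certificate's own key, since names can be copied.
func isSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() && c.CheckSignatureFrom(c) == nil
}

// verify plays the verifying party (the browser): the chain must end at the
// trusted root and the certificate's DNS name must match the host the user typed.
func verify(server, intermediate, root *certPair, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	if intermediate != nil {
		inter.AddCert(intermediate.cert)
	}
	_, err := server.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

// PKI is the constructed hierarchy: trusted root, campus CA, a server certificate
// issued by the campus CA, and an untrusted root whose server certificate claims
// the same DNS name (the fraudulent-site case mentioned in the definitions above).
type PKI struct {
	Root, Campus, Server, RogueRoot, RogueServer *certPair
}

// BuildPKI issues the whole hierarchy; all names are constructed for this example.
func BuildPKI() (*PKI, error) {
	const host = "login.example.edu"
	var p PKI
	var err error
	next := func(cn string, isCA bool, names []string, parent *certPair) (c *certPair) {
		if err == nil {
			c, err = issue(cn, isCA, names, parent)
		}
		return c
	}
	p.Root = next("Example Root CA", true, nil, nil)
	p.Campus = next("Example Campus CA", true, nil, p.Root)
	p.Server = next(host, false, []string{host}, p.Campus)
	p.RogueRoot = next("Rogue CA", true, nil, nil)
	p.RogueServer = next(host, false, []string{host}, p.RogueRoot)
	return &p, err
}
```

With p from BuildPKI, isSelfSigned(p.Root.cert) is true while the campus and server certificates are not; verify returns nil only for the genuine chain with the right host, and an error for a wrong host, for a chain missing the campus CA, or for the rogue server.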
The CREN Digital Certificate Services
CREN currently offers an expanded set of certificate authority services to higher education institutions:
• CREN-signed campus certificates for institutions: These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.
• CREN Web server certificates: These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.
• Client certificates: CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates/approves individuals, and CREN issues the certificates.
With these three levels of service (including the free test certificates), CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
REFERENCES
[1] Cannon JC Privacy Pearson Education 2005[2] Hilley Sarah ldquoInternet war picking on the finance Sector-surveyrdquo Computer Fraud amp Security October 2006[3] Bellowin Steven ldquoSpamming Phishing Authentication and Privacyrdquo Inside Risks December
2004 Vol47 No12 144[4] Mulrean Jennifer ldquoPhishing scams How to avoid Getting hookedrdquo DollarWise[5] Hunter Philip ldquoMicrosoft declares war on phishersrdquo Computer Fraud amp Security May 2006 (15-16)[6] Google httpwwwgooglecom
[7] Anti-Phishing Working Group Phishing Activity Trends Report November 2005 [8] Anti-Phishing Working Group Phishing Archivehttpanti-phishingorgphishing_archivehtm[9] Ba S amp P Pavlov Evidence of the Effect of TrustBuilding Technology in Electronic Markets PricePremiums and Buyer Behavior
The Issuing Party: the party that digitally signs the certificate after creating the information in the certificate or checking its correctness.

The Verifying Party (or Parties): the parties that validate the signature on the certificate and then rely on its contents for some purpose.

Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner
Public Key Certificate

The combination of standards, protocols and software that support digital certificates is called a public key infrastructure, or PKI. The software that supports this infrastructure generates sets of public-private key pairs. The two keys in a pair are mathematically related: a signature made with the private key can be checked with the matching public key, while the private key cannot feasibly be derived from the public one. The key pairs can reside on one's computer or on hardware devices such as smart cards or floppy disks. Individuals or organizations must ensure the security of their private keys. However, the public keys that correspond to their private keys can be posted on Web sites or sent across the network.

Issuers of digital certificates often maintain online repositories of public keys. These repositories make it possible to authenticate owners of digital certificates in real time. For example, publishers, as service providers, will want to authenticate the digital certificate of a faculty member or student in real time. This is possible by verifying the digital signature using the public key in the repository. A valid signature shows that the signer holds the private key matching the certificate; whether the certificate itself is still valid (not expired and not revoked by its issuer) is a separate check.
Certificate Authorities

Digital certificates are one part of a set of components that make up a public key infrastructure (PKI). A PKI includes organizations called certification authorities (CAs) that issue, manage and revoke digital certificates; organizations called relying parties, who use the certificates as indicators of authentication; and clients, who request, manage and use certificates. A CA might create a separate registration authority (RA) to handle the task of identifying individuals who apply for certificates. Examples of certification authorities include VeriSign, a well-known commercial provider, and the CREN Certificate Authority that is available for higher education institutions.
Types of Certificates

There are different types of certificates, each with different functions, and this can be confusing. It helps to differentiate between at least four types of certificates. You can see samples of some of these different types of certificates in your browser.

• Root or authority certificates. These certificates form the base (or root) of a certification authority hierarchy, such as Thawte or CREN. They are not signed by another CA; they are self-signed by the CA that created them. When a certificate is self-signed, the name in the Issuer field is the same as the name in the Subject field. Anyone can produce a self-signed certificate, so a root is only worth trusting if the verifier obtained it through a trusted channel (shipped with the browser, or installed by the campus) rather than from the site being checked.

• Institutional authority certificates. These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus certification authority. Campuses then use their "authority" to issue client certificates for faculty, staff and students.

• Client certificates. These are also known as end-entity certificates, identity certificates or personal certificates. The Issuer is typically the campus CA.

• Web server certificates. These certificates are used to secure communications to and from Web servers, for example when you buy something on the Web. They are called server-side certificates. The Subject name in a server certificate is the DNS name of the server; the browser compares that name with the host it connected to, so a valid certificate proves that the site is the one named in the certificate, not that a look-alike name belongs to the brand it imitates.
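To make the relationships above concrete, here is an added example, written for this edit with Go's standard library and not taken from the original paper or from CREN. It serves both the PKI description above (signing with a private key, verifying with the matching public key) and this section's four certificate types: it builds a self-signed root, a campus CA signed by the root, and a Web server certificate signed by the campus CA, then performs the checks a relying party performs: a root is self-signed (Issuer equals Subject and its signature verifies under its own key), and a server certificate must chain to a trusted root and carry the DNS name of the host being contacted. The names "Example Root CA", "Example Campus CA" and www.example.edu are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed three-level chain: self-signed root CA, campus CA
// signed by the root, Web server certificate signed by the campus CA. All names are hypothetical.
type Hierarchy struct {
	Root, Campus, Server          *x509.Certificate
	RootKey, CampusKey, ServerKey *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a minimal certificate body; CAs also get the CertSign usage.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
}

// issue signs tmpl with signerKey. A nil parent means the certificate is
// self-signed: the template is its own parent, so Issuer equals Subject.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildHierarchy constructs root -> campus CA -> server certificate.
func BuildHierarchy() *Hierarchy {
	h := &Hierarchy{RootKey: newKey(), CampusKey: newKey(), ServerKey: newKey()}
	h.Root = issue(template(1, "Example Root CA", true), nil, &h.RootKey.PublicKey, h.RootKey)
	h.Campus = issue(template(2, "Example Campus CA", true), h.Root, &h.CampusKey.PublicKey, h.RootKey)
	server := template(3, "www.example.edu", false)
	server.DNSNames = []string{"www.example.edu"} // the name a browser checks against the host
	server.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	h.Server = issue(server, h.Campus, &h.ServerKey.PublicKey, h.CampusKey)
	return h
}

// IsSelfSigned applies the root test from the text: Issuer equals Subject and
// the signature verifies under the certificate's own public key.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() && c.CheckSignatureFrom(c) == nil
}

// VerifyServer is the relying party's check: chain the server certificate
// through the campus CA to the trusted root and match the DNS name.
func VerifyServer(h *Hierarchy, dnsName string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inter.AddCert(h.Campus)
	_, err := h.Server.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		DNSName:       dnsName,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	h := BuildHierarchy()
	fmt.Println("root self-signed:", IsSelfSigned(h.Root), "| server self-signed:", IsSelfSigned(h.Server))
	fmt.Println("www.example.edu:", VerifyServer(h, "www.example.edu"))
	fmt.Println("phish.example.net:", VerifyServer(h, "phish.example.net"))
}
```

The last call shows the limit of what a server certificate proves: the chain to the root is sound, yet verification fails because the name in the certificate is not the host being contacted. The reverse also holds, which matters for phishing: a certificate correctly issued for a look-alike domain passes every check in VerifyServer, because nothing in the chain says whose brand the name resembles.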
The CREN Digital Certificate Services

CREN currently offers an expanded set of certificate authority services to higher education institutions:

• CREN-signed campus certificates for institutions. These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 10 or more Web server certificates and more than 500-1000 client certificates.

• CREN Web server certificates. These certificates are for campuses to use for securing Web servers supporting a range of campus Web applications.

• Client certificates. CREN has an internal CRENNET service equivalent to a campus certificate-issuing application. A registration contact at a campus validates and approves individuals, and CREN issues the certificates.

With these three levels of service, including the free test certificates, CREN can help campuses get started using digital certificates at a level matching their particular campus needs.
RECOMMENDATION
Reducing the risk of phishing matters to today's businesses because attackers must be kept out of companies' databases. Education on its own is not enough, since phishers improve every day and keep adopting new tricks to catch unsuspecting customers.

The underlying problem is that login systems are weak: they rest on a password that a phishing page can capture and replay, so user authentication needs to be tightened. Companies could strengthen their cryptographic protection with IPsec VPNs and digital certificates; with IPsec VPNs, both the customer and the merchant would need certificates issued by a certificate authority. While doing this research we came across an article reporting that PayPal is urging email providers to block messages that claim to come from it but lack digital signatures. The reason is that PayPal is one of the most heavily spoofed brands used by fraudsters today. This is a very good idea and a good way to keep phishers from impersonating PayPal to its customers. Not only PayPal but every company that conducts business online should adopt a similar strategy; doing so helps customers gain confidence in doing business and handling money online. In addition, well-known companies should raise user awareness through education and training, and work with the FBI to track down phishers.
CONCLUSION
In short, the damage from phishing attacks is increasing dramatically every day, and attacks on financial services companies have been doubling year over year. It is of crucial importance for companies to come up with new ways to solve phishing problems, because phishing can cause major losses for well-known companies and can cause consumers to lose confidence in doing business online, which affects every company with an online presence. No single technology can stop phishing attacks, but there are many ways to prevent phishers from accomplishing their goals. Consumer education can increase awareness of the phishing threat and of other online vulnerabilities. Lastly, biometrics should become a major part of the defence against phishing, because it adds an authentication step that does not depend on a password the user can be tricked into revealing.
REFERENCES
[1] Cannon, J. C. Privacy. Pearson Education, 2005.
[2] Hilley, Sarah. "Internet war: picking on the finance sector - survey." Computer Fraud & Security, October 2006.
[3] Bellovin, Steven. "Spamming, Phishing, Authentication, and Privacy." Inside Risks, December 2004, Vol. 47, No. 12, p. 144.
[4] Mulrean, Jennifer. "Phishing scams: How to avoid getting hooked." DollarWise.
[5] Hunter, Philip. "Microsoft declares war on phishers." Computer Fraud & Security, May 2006, pp. 15-16.
[6] Google. http://www.google.com
[7] Anti-Phishing Working Group. Phishing Activity Trends Report, November 2005.
[8] Anti-Phishing Working Group. Phishing Archive. http://anti-phishing.org/phishing_archive.htm
[9] Ba, S. and Pavlou, P. "Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior."