Phishing in the United States
by Ilhan Turkmen
Phishing is a security attack that seeks to trick people into revealing sensitive information about themselves and their internet accounts. This paper addresses the definition of phishing, its threats to society and companies, and the types of phishing attacks.
You might receive an e-mail from your bank informing you that your account has been deactivated due to suspicious activity. The message asks you to click a web link and log in to your bank account. Following the instructions, you are directed to a website that looks like the “Online Update” page of your bank. On this page, you are asked for your personal information, such as your name, password, account number, social security number, and PIN. It all seems like a legitimate operation: the web address of the page looks convincing, and the format of the site is the same as you remember. Nevertheless, the e-mail is a fraud, and a cyber-criminal now has your bank information. You have become a victim of a growing crime named phishing.
The internet has become a useful part of our day-to-day life, as we do almost all of our social and financial activities online. Today people depend heavily on the internet and on online activities such as online shopping, online banking, online booking, online recharge and many more (Solanki & Vaishnav, 2016, p. 2044). Phishing is a significant type of internet crime: the phisher creates a replica of an original website and illegally tries to get the victim’s personal information, such as user name, password, credit card number, and SSN (Zhang-Kennedy, Fares, Chiasson, & Biddle, 2015, p. 1).
What is phishing?
Phishing is the illegal attempt to acquire confidential information such as credit card details, usernames and passwords, and social security numbers, generally for malicious purposes (Solanki & Vaishnav, 2016, p. 2044). According to the Anti-Phishing Working Group report, “Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials” (Anti-Phishing Working Group, 2016, p. 2). Phishing affects the Internet in general by undermining consumers’ trust in secured online transactions, which in turn leads to reduced activity online. Because the fraudulent e-mails and websites look incredibly similar to official e-mails and sites, these scams call into question any electronic communication received from an online business (Lynch, 2005, p. 266). Consumers start to doubt the veracity of any unsolicited e-mail they receive, which could force organizations to return to more expensive offline methods to communicate with their customers (Brian Krebs, 2004a).
Brian Krebs published an example of a phishing incident in the Washington Post. William Jackson, who lives in Katy, Texas, received an e-mail from what appeared to be PayPal payment offices. The e-mail warned him that his account would be suspended until he updated it with financial information, and it provided a link to the website where he could do so. He entered his credit card numbers, account numbers, SSN and other information. Jackson could have lost a great deal of money as a result of the phishing website he had mistakenly entered (Brian Krebs, 2004b).
The Threats from Phishing
The most prevalent threat from phishing is identity theft. Phishing depends more on the user than on the attacker, since the user may not be able to tell whether the website they have visited is fake or original. This is the point where attackers gain the advantage and acquire confidential information such as social security numbers, usernames, credit card details, passwords, and account details (Solanki & Vaishnav, 2016, p. 2044). According to the Javelin report, 12.7 million victims in the U.S.A. were exposed to identity theft in 2014. Put differently, 5.2% of the U.S. population were fraud victims (Javelin Strategy & Research, p. 14). The number of fraud victims fell in 2014 compared with 2013, when it was 13.1 million.
Phishing is a business, and there are gangs of phishers organized all over the world, but primarily in Eastern Europe, Asia, Africa and the Middle East, using sophisticated and elaborate schemes to steal personal information (Anti-Phishing Working Group, 2016, p. 7). For example, cyber-criminals use malicious software (malware) to obtain someone’s personal information. PandaLabs found 18 million new malware samples in the second quarter of 2016 (April-June), an average of more than 200,000 a day. Trojans, the most pervasive type of malware, made up 71.53% of the samples. Viruses accounted for 12.36%, followed by worms with 10.05% (Anti-Phishing Working Group, 2016, p. 8).
Phishing is also used substantially by organized crime groups. A huge amount of money is at risk because of cyber-criminals. Even if they steal the bank account information of only a small percentage of the people who get duped, this is enough for them to get millions of dollars (Lynch, 2005, p. 270). In the United States, total fraud losses declined to $16 billion in 2014, a decrease of 11% from 2013 ($18 billion) (Javelin Strategy & Research, p. 7). According to the Department of Justice report, in 2014 about 8.6 million victims experienced the fraudulent use of their credit cards, a slight increase from 7.7 million victims in 2012 (Harrell, 2015, p. 2).
Companies lose many customers because of phishing, which damages their image. Also, some companies offer complete compensation to customers whose accounts are abused (IBM Ponemon Institute, 2016, pp. 2–3). The average loss to a company from a data breach was $4 million in 2016. Hackers and cyber-criminal insiders caused the most data breaches: 48% of all breaches were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $170 (IBM Ponemon Institute, 2016, p. 3). Additionally, the number of brands targeted by phishers in the second quarter remained consistent, ranging from 411 to 425 different brands each month (Anti-Phishing Working Group, 2016, p. 6). In the United States, the Retail/Service sector remained the most targeted industry sector during the second quarter of 2016, suffering 43% of attacks (Anti-Phishing Working Group, 2016, p. 7).
Many companies have stopped communicating with their customers via e-mail and have started using alternative channels, such as letters and mobile phone messages. For instance, US Bank in the United States automatically alerts customers via mobile phone, letter and e-mail when personal information changes on their system.
A typical phishing attack is launched using spam e-mail messages. Cyber-criminals usually send them to thousands or even millions of e-mail addresses. The e-mails are forged with a “From” or “Reply-To” address that makes them appear to come from a reputable or trusted source, such as a bank or credit card company. The messages are often sent in HTML (Hyper-Text Markup Language) format, and phishers use real companies’ logos and URLs that are obfuscated through various methods. When customers access the spoofed company’s website, they may not notice whether the website is real or not (Garera, Provos, Chew, & Rubin, 2007, p. 2).
The second attack method is “spear phishing”. Spear-phishing is increasingly being used to penetrate systems as the preliminary stage of an Advanced Persistent Threat (APT) attack, to create a point of entry into the organization. Employees are targeted with emails containing information personal to them. The unsuspecting employee opens an attachment within the email, or downloads a linked file, which executes and silently installs an APT on a network node within the enterprise (Parmar, 2012, p. 3).
With recent findings that 91% of APT attacks begin with spear-phishing emails and that, increasingly, cyber-criminals are targeting mobile devices using personal data gleaned from social networks, organisations need to work hard to make their employees aware of the threat, reports Tracey Caldwell (Caldwell, 2013, p. 1).
Table 1: Commonly Used URL Obfuscation Techniques

| Technique | Example URL |
|---|---|
| Obfuscating the Host with an IP address | http://220.127.116.11/~test3/.signin.ebay.com/ebayisapidllsignin.html |
| Obfuscating the Host with another Domain | http://21photo.cn/https://cgi3.ca.ebay.com/eBayISAPI.dllSignIn.php |
| Obfuscating with large host names | http://www.volksbank.de.custsupportref1007.dllconf.info/r1/vm/ |
| Domain unknown or misspelled | http://www.wamuweb.com/IdentityManagement/ |
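
The four URL patterns in Table 1 can be checked mechanically by comparing where a brand name appears in a URL with the domain the brand really uses. The sketch below is an added example, not code from the paper or its sources; the `BRANDS` list, the `MAX_LABELS` threshold, the category names and the fifth sample URL are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: brands to protect and the domains they really use (constructed list).
BRANDS = {"ebay": "ebay.com", "volksbank": "volksbank.de", "wamu": "wamu.com"}
MAX_LABELS = 4  # assumption: more dot-separated labels than this is a "large" host name

def is_ip_host(host):
    """True when the host part is a literal IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(url):
    """Return the Table 1 obfuscation types the URL matches (empty set if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rest = (parts.path + "?" + parts.query).lower()
    ip = is_ip_host(host)
    findings = {"ip-address-host"} if ip else set()
    for brand, real in BRANDS.items():
        if host == real or host.endswith("." + real):
            continue  # the brand's own domain: nothing to flag for this brand
        if brand in host:
            # Brand name sits inside a host name that the brand does not own.
            if host.count(".") + 1 > MAX_LABELS:
                findings.add("large-host-name")
            else:
                findings.add("unknown-or-misspelled-domain")
        elif brand in rest and not ip:
            # Brand name appears only after the host, under someone else's domain.
            findings.add("another-domain")
    return findings

# The four sample URLs from Table 1, plus one constructed legitimate URL.
SAMPLES = [
    "http://220.127.116.11/~test3/.signin.ebay.com/ebayisapidllsignin.html",
    "http://21photo.cn/https://cgi3.ca.ebay.com/eBayISAPI.dllSignIn.php",
    "http://www.volksbank.de.custsupportref1007.dllconf.info/r1/vm/",
    "http://www.wamuweb.com/IdentityManagement/",
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",  # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sorted(classify(sample)) or ["no match"], sample)
```

A substring match on brand names is a coarse heuristic: it is useful for triaging links in reported e-mails, but it will also flag unrelated hosts that happen to contain a brand string.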
The third phishing attack is “vishing”. Utilizing the convenience of Voice over Internet Protocol (VoIP) combined with electronic mail phishing techniques, “vishing” has the potential to be a highly successful threat vector (Griffin & Rackley, 2008, pp. 1–2). Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential information for the purpose of financial reward. The term “vishing” is derived from a combination of “voice” and “phishing” (Yeboah-Boateng & Amanor, 2014, p. 300). Vishing capitalizes on a person’s confidence in the telephone service, as the target is usually not aware of the scammer’s ability to use techniques such as caller ID spoofing and advanced automated systems to commit this kind of scam (Griffin & Rackley, 2008, pp. 33–34).
The last phishing attack is “SMiShing”, a form of phishing that uses short messaging services (SMS) or text messages on mobile phones and smartphones. SMiShing derives its name from the text messaging technology SMS (Short Message Service). There are two main processes in SMiShing scams. The first involves receiving a text message that purports to have originated from a known and trusted source, such as your bank or your system administrator. The second involves receiving an urgent text message about your identity being stolen or your account number being frozen, which then directs you to a website or a phone number for verification of the account information (Yeboah-Boateng & Amanor, 2014, p. 299).
Many experts contend that phishing is less of a technology problem and more of a user problem: the responsibility ultimately lies with users being aware of where they are browsing, what information they are giving over the internet, and to whom they are giving it. Others are more concerned that the sophisticated techniques used by phishers are becoming more difficult to detect, even for experienced computer users; casual or less-technical users are much less likely to be able to discern a legitimate e-mail, web address, or website from a fake one.
Anti-Phishing Working Group. (2016). Phishing Attack Trends Report 2016. Retrieved from http://www.antiphishing.org/resources/apwg-reports/
Brian Krebs. (2004a). Companies Forced to Fight Phishing. Retrieved from http://www.washingtonpost.com/wp-co/hotcontent/index.html?section=technology/techpolicy/cybercrime
Brian Krebs. (2004b). Phishing Feeds Internet Black Markets. Retrieved October 13, 2016, from http://www.washingtonpost.com/wp-co/hotcontent/index.html?section=technology/techpolicy/cybercrime
Caldwell, T. (2013). Spear-phishing: how to spot and mitigate the menace. Computer Fraud & Security, 2013(1), 11–16. https://doi.org/10.1016/S1361-3723(13)70007-1
Garera, S., Provos, N., Chew, M., & Rubin, A. D. (2007). A Framework for Detection and Measurement of Phishing Attacks. In Proceedings of the 2007 ACM Workshop on Recurring Malcode (pp. 1–8). New York, NY, USA: ACM. https://doi.org/10.1145/1314389.1314391
Griffin, S. E., & Rackley, C. C. (2008). Vishing. In Proceedings of the 5th Annual Conference on Information Security Curriculum Development (pp. 33–35). New York, NY, USA: ACM. https://doi.org/10.1145/1456625.1456635
Harrell, E. (2015). Victims of Identity Theft, 2014. US Department of Justice Bureau of Justice Statistics Bulletin, September. Retrieved from http://www.a51.nl/sites/default/files/pdf/vit14.pdf
IBM Ponemon Institute. (2016). IBM 2016 Cost of Data Breach Study – United States. Retrieved from http://www-03.ibm.com/security/data-breach/
Javelin Strategy & Research. (n.d.). Research (2014).
Kunz, M., & Wilson, P. (2004). Computer crime and computer fraud. Report Submitted to the Montgomery County Criminal Justice Coordinating Commission. Retrieved from http://www.academia.edu/download/35230311/computer_crime_study.pdf
Lynch, J. (2005). Identity theft in cyberspace: Crime control methods and their effectiveness in combating phishing attacks. Berkeley Technology Law Journal, 259–300.
Parmar, B. (2012). Protecting against spear-phishing. Computer Fraud & Security, 2012(1), 8–11. https://doi.org/10.1016/S1361-3723(12)70007-6
Solanki, J., & Vaishnav, R. G. (2016). Website Phishing Detection using Heuristic Based Approach. Retrieved from https://www.irjet.net/archives/V3/i5/IRJET-V3I5420.pdf
Yeboah-Boateng, E. O., & Amanor, P. M. (2014). Phishing, SMiShing & Vishing: An Assessment of Threats against Mobile Devices. Journal of Emerging Trends in Computing and Information Sciences, 5(4), 297–307.
Zhang-Kennedy, L., Fares, E., Chiasson, S., & Biddle, R. (2015). Geo-Phisher: The Design of a Global Phishing Trend Visualization Tool. In Symposium on Usable Privacy and Security (SOUPS). Retrieved from http://cups.cs.cmu.edu/soups/2015/posters/soups2015_posters-final20.pdf