
LIVING WITH TECHNOLOGY

G. LARCOM AND A.J. ELBIRT

Gone Phishing

In an effort to increase customer satisfaction and compete in a global marketplace, more and more financial institutions and businesses alike are increasing online services. Banks offer online account access, credit card companies offer online bill payment methods, and brokerage account transactions can be executed online from the home personal computer. To companies like Amazon, a brick-and-mortar business is a thing of the past. Books and DVDs can be ordered online through an Amazon account and paid for using credit card information provided by the user. The important common thread among these services is the exchange of personal information over the Internet.

G. Larcom is a graduate student in the Department of Electrical and Computer Engineering at the University of Massachusetts, Lowell, Lowell, MA; e-mail: guy.larcom@gmail.com. A.J. Elbirt is an Assistant Professor in the Department of Computer Science at the University of Massachusetts Lowell, Lowell, MA, and the Associate Director of the Center for Network and Information Security. E-mail: Adam_Elbirt@uml.edu or aelbirt@cs.uml.edu.


IEEE TECHNOLOGY AND SOCIETY MAGAZINE

FALL 2006


The growth of the Internet has allowed users to manage their personal finances and expenditures from the comfort of their own home with a personal computer. Account balances can be checked, bills paid, and holiday shopping completed simply by entering account information and clicking a button. E-commerce and online personal banking have made life easier for the average user, but they have also made life easier for thieves. Phishing is the act of convincing users to provide personal identification information such as credit card numbers, social security numbers, and bank account information for explicit illegal use. Phishing techniques and schemes will be analyzed in terms of their effectiveness on the average user as well as their social and economic impacts. Recent countermeasures on both the corporate and U.S. federal government fronts will also be discussed in this article.

Phishing: Attacks & Strategy

The increase in online services offered to consumers has naturally led to an increase in the exchange of personal information to access such services. This information is becoming ever more valuable because of the significant amount of money that could be stolen if someone's personal information got into the hands of a criminal. Phishing entails stealing someone's confidential information online for the explicit purpose of committing fraud. Phishing trends are on the rise: according to a study by Gartner, 57 million U.S. Internet users have identified the receipt of e-mail linked to phishing scams, and about 2 million of them are estimated to have been tricked into giving away sensitive information [1]. Not only are phishing exploits on the rise, but phishing scams are becoming progressively more technologically advanced.

Phishing techniques range in complexity from deceptive attacks to various forms of malware (malicious software) attacks. Deception attacks use social engineering to trick users into providing confidential information. The most common deceptive attacks come in the form of email: a phisher sends deceptive email, in bulk, with a 'call to action' that demands the recipient click on a link [3]. In most scenarios the link leads to a fraudulent web site that prompts the user to enter their personal information. If the user enters and submits their personal information, the attack has been successful. The phisher takes the stolen information and uses it to commit acts of fraud, or sells the information to other criminals.

Phishing is the act of convincing users to provide personal identification information, such as social security numbers or bank information, for explicit illegal use.

In a deceptive email attack, a phisher takes advantage of the ability to send bulk email. If the phisher sends out a large number of messages, a small success rate may be enough to make the attack monetarily worthwhile [2]. With today's technology it is easy to carry out a deception-based attack, increasing a phisher's success rate. When a user follows a link in a deceptive email it can be very difficult to detect that they are visiting a fraudulent web site. For the average user, a simple check of the institution's URL in the browser address bar is enough proof that they are visiting a legitimate site. What the user does not realize is that they may be verifying a spoofed address bar. A phisher can write a web browser script to open a new browser window with no address bar at all [4]. The phisher then uses simple HTML form elements, stylesheets, and JavaScript to create very real, functional imitations of the browser's address bar [4]. In an even less complicated scheme than a spoofed address bar, a phisher registers a cousin domain name for a fraudulent web site. A cousin domain name looks exactly like the domain name of a legitimate institution but with a slight modification. For example, a phisher could register www.eastern-bank.com to impersonate www.easternbank.com. These are just a few examples of the many tricks that phishers employ to deceive users.

More advanced technical attacks move away from social engineering tactics and into the realm of malicious software [3]. Malware attacks comprise the installation and execution of malicious software on a victim's personal computer. In a hybrid approach, a phisher will use social engineering tactics to lure a user into opening or downloading a file that contains a malicious software installation. Security vulnerabilities are also exploited to install malicious software on an unsuspecting user's computer. In either attack the malware installation masquerades as an application plug-in or as a device driver [3]. Keyloggers are malicious software designed to record user input events and activities. Executing as a device driver, a keylogger monitors keyboard and mouse input. In conjunction with a malicious browser plug-in, it is possible for a keylogger to monitor the user's location and only transmit credentials for particular sites [3]. The credentials are transmitted to phishing servers and used to commit fraud. Malicious web browser plug-ins have even evolved into processes that can take complete control of a user's session. A malware attack known as session hijacking involves monitoring a user's online activities through a web browser plug-in. In a typical scenario an unsuspecting user simply browses to their bank homepage and logs in, at which point the malicious software 'hijacks' the session to perform malicious actions once the user has legitimately established his or her credentials [3]. The targeted institution suspects no illegitimate behavior and executes the requested transactions.
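As an added example that is not part of the original article, the following Python check flags the cousin-domain trick described above (a hyphen or lookalike character inserted into a legitimate name, or a one-character edit) by comparing a link's hostname against an allowlist of an institution's real domains. The allowlist entries and the URLs it is tried on are constructed values, and it only covers the tricks the article names, not every lookalike technique.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the institution's real apex domains (hypothetical values).
LEGIT_APEX = {"easternbank.com", "amazon.com"}

# Digits a cousin domain may substitute for the letters they resemble.
LOOKALIKES = str.maketrans("013", "ole")


def is_legitimate(host: str) -> bool:
    """True for an allowlisted apex domain or any host beneath it."""
    return any(host == apex or host.endswith("." + apex) for apex in LEGIT_APEX)


def registrable_label(host: str) -> str:
    """Second-level label of a hostname: 'www.eastern-bank.com' -> 'eastern-bank'."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def canonical(label: str) -> str:
    """Undo the cheap cousin tricks: separators, digit lookalikes, doubled letters."""
    label = re.sub(r"[-_]", "", label).translate(LOOKALIKES)
    return re.sub(r"(.)\1+", r"\1", label)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one insertion, deletion or substitution away is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'legitimate', 'cousin of <apex>' or 'unrelated' for the hostname in a link."""
    host = urlparse(url).hostname or ""
    if is_legitimate(host):
        return "legitimate"
    label = registrable_label(host)
    for apex in sorted(LEGIT_APEX):
        target = registrable_label(apex)
        if canonical(label) == canonical(target) or edit_distance(label, target) <= 1:
            return f"cousin of {apex}"
    return "unrelated"
```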

The fight against phishing starts with education and prevention.


Anti-Phishing: Users & Institutions
Phishing is not the only technology experiencing a growth period. Security companies are working together in an effort to advance technologies to combat phishing attacks. The Anti-Fraud Alliance (AFA) is a consortium of cutting-edge security companies, namely Symantec, Corillian, NameProtect, PassMark, and Internet Identity, utilizing each other's emerging technologies to combat phishing [5]. The goal of the AFA is to deliver an integrated anti-fraud solution to financial institutions, e-commerce companies, Internet Service Providers, and other likely targets of online fraud schemes [5].

The stakeholders in the anti-phishing effort include both the users of online services and the institutions that provide such services. Combating phishing starts with educating the stakeholders and continues with utilization of available technology. The fight against phishing starts with education and prevention. Users of online services need to learn what phishing is, the tactics employed by phishers, and how they can protect themselves against attacks. Awareness of phishing attacks and knowing what to look for in an email is a step toward a fraud-free online experience. Users must understand the importance of running security software as well as staying up to date with security patches, virus and spyware definition files, and operating system service packs.

The phishing knowledge base must extend beyond users and include institutions that provide online services [5]. Companies targeted by phishing must be educated on phishing attacks and stay up to date with this evolving technology. Investing in the latest anti-phishing software packages and consulting agencies will prevent attacks and save time and money in the long run. Servers are the front door to an online service, and log files document the activities of all its visitors. Log files need to be analyzed for any fingerprints left by a phisher or any abnormal behavior [5]. Awareness of cousin domains and the potential for fraud will help a company protect itself and its customers [3].

Education and prevention are only the first steps in the fight against phishing. A retaliatory approach is a counterattack on phishers. The retaliation consists of sending a phishing server as much traffic as it can handle and diluting its database with largely false information [6]. This form of retaliation is known as poisoning. In a retaliation scheme similar to a denial of service attack, an anti-phishing company will send a phishing server so much information that the server is unable to accept incoming packets from targeted consumers [6]. In the United States, a denial of service attack against a legitimate Web site is a federal crime that can carry a penalty of up to 10 years in prison. Companies that provide poisoning services claim they do not condone denial of service attacks; rather, their goal is to send dummy information to phishing sites. The dummy information is then used by financial institutions to monitor for fraudulent activity [9].

Companies cannot rely on retaliatory attacks alone to protect themselves from phishers; rather, time and money should be focused on innovations in security measures and authentication. Companies need to stay one step ahead of the constant evolution of phishing attacks. Advancements in authentication, such as Two-Way Authentication, can protect consumers from phishing attacks. Two-Way Authentication, developed by PassMark Security, adds an additional security feature for verifying a legitimate institution [5]. When a user registers with an online service they securely receive a unique image. This image is presented to the user in subsequent web site transactions. If a user enters their personal identification number at a web site and is presented with the correct secret image, they know they are dealing with the legitimate institution and can continue to enter their password. The secret image can also be utilized in emails to allow the user to verify the message is legitimate.

However, authentication technology and counterattacks are not the complete solution to phishing prevention [5]. Institutions also need to take a stronger stance against fraudulent transactions. Currently, the incentive lies not in cracking down on fraudulent transactions, but in issuing new credit cards, offering cash advances, and completing purchase transactions. The more transactions a credit card company can complete, the more money it makes. Conversely, fighting fraud costs a company money and is viewed as simply not worth it. It is cheaper for an institution to pay back losses from fraudulent transactions than it is to redesign its infrastructure. To force institutions like credit card companies to confront fraud, the government needs to start enacting consumer rights legislation [7].
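As an added illustration, not code from the article or from PassMark, the following Python sketch walks through the Two-Way Authentication exchange described above: the user sends only an identifier, compares the image the site returns with the one remembered from registration, and releases the password only if the image matches. The Institution and CousinSite classes, the user name and the password are constructed for the example, and a random token stands in for the picture itself.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


class Institution:
    """The legitimate site: holds each user's secret image and a salted password hash."""

    def __init__(self):
        self.users = {}  # user id -> (image token, salt, password digest)

    def register(self, user_id: str, password: str) -> str:
        """Enrol a user and hand back the unique image (a random token stands in for it)."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        image = "img-" + secrets.token_hex(8)
        self.users[user_id] = (image, salt, digest)
        return image

    def image_for(self, user_id: str) -> str:
        """Step 1 response: show the registered image for this identifier, no password yet."""
        return self.users[user_id][0]

    def login(self, user_id: str, password: str) -> str:
        """Step 2: check the password only after the user has recognised the image."""
        _, salt, digest = self.users[user_id]
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return "authenticated" if hmac.compare_digest(check, digest) else "bad password"


class CousinSite:
    """An impostor at a lookalike domain: it never saw the registration, so it can only guess."""

    def image_for(self, user_id: str) -> str:
        return "img-generic-bank-logo"

    def login(self, user_id: str, password: str) -> str:
        return "credentials captured"  # outcome only if the user skips the image check


def client_login(site, remembered: dict, user_id: str, password: str) -> str:
    """Browser side: send the identifier, compare the image shown with the remembered
    one, and release the password only on a match."""
    shown = site.image_for(user_id)
    if not hmac.compare_digest(shown.encode(), remembered[user_id].encode()):
        return "refused: unrecognised image, password withheld"
    return site.login(user_id, password)
```

The check only helps while the impostor cannot obtain the image; a site that relays the identifier to the real institution in real time would still present the right one, which is one reason the article treats authentication as necessary but not sufficient.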

Legislation Needed
The growth of the Internet and web services has made life easier for many people. Some people enjoy trading stocks online, some people like purchasing music from their favorite artist at Amazon, and some people like trying to commit fraud.

Anti-Phishing and the U.S. Government


In February of 2005, U.S. Senator Patrick Leahy introduced the Anti-Phishing Act of 2005. The Act addresses the threat of phishing attacks to the public's trust in the Internet and the financial loss from fraud. If the public does not trust the Internet, not only will there be financial loss due to fraudulent activity now, but there will also be a loss of e-commerce business in the future. To combat phishing attacks, the Act introduces two new federal crimes. The first would criminalize the act of creating a phishing website regardless of whether anyone was a victim of fraud by visiting the site. The second would similarly criminalize the act of sending a phishing email regardless of whether or not any fraud was committed. Together the laws aim to make it a federal crime to lure victims to a phishing site to steal their identity [8]. The intentions of the Anti-Phishing Act are a start in the right direction but are not strong enough to make a significant difference in preventing fraud. Instead of concentrating all its efforts on cracking down on phishers, the U.S. government needs to move toward legislation that forces institutions to prevent fraudulent transactions from occurring. Credit card companies pay all but the first $50 of a fraudulent transaction, and most of this cost is pushed onto merchants. If the government made financial institutions liable for fraudulent transactions and required balance sheets to state the financial cost of fraud, consumers would see major advancements in authentication services, because advanced authentication services will prevent accounts from being opened under a false identity. As a result, financial institutions will have fewer transactions to monitor for fraud and consumers will be better protected. Simple measures such as daily account withdrawal limits and a holding period for purchases in excess of specified monetary values would also prevent fraudulent transactions [7]. The problem is that solutions reducing the number of transactions an institution makes are not popular economics.

The U.S. Anti-Phishing Act of 2005 is a baby step in the right direction.
Phishing attacks are on the rise and becoming increasingly complex. On the home front, consumers can protect themselves through education, awareness, and up-to-date security software. Consumers are not the only party that needs to be up to speed on phishing education. Institutions need to be aware of the tell-tale signs and fingerprints left behind by a phishing scam. They too need to employ the latest authentication and security software. But for every new software version or band-aid that gets installed, the phishing community pulls a new lure out of the tackle box. The real solution lies in federal legislation. Senator Patrick Leahy's Anti-Phishing Act of 2005 is not going to stop phishing attacks. The Act has made the U.S. government aware of what phishing is. The Anti-Phishing Act is a baby step in the right direction. The federal government must move toward forcing institutions to prevent fraud from ever happening, rather than cracking down on phishing emails and websites, so that the cause of the problem is eliminated instead of its symptoms being treated.

References
[1] E. Kirda and C. Kruegel, "Protecting users against phishing attacks with AntiPhish," in Proc. 29th Ann. Int. Computer Software and Applications Conf. (COMPSAC 2005), Edinburgh, Scotland, July 26-28, 2005, vol. 1, pp. 517-524.
[2] B. Schneier, "A real remedy for phishers," Wired News, Oct. 6, 2005; http://www.schneier.com/essay-090.html.
[3] A. Emigh, "Online identity theft: Phishing technology, chokepoints and countermeasures," ITTC Report on Online Identity Theft Technology and Countermeasures, Oct. 2005; http://www.antiphishing.org/Phishing-dhs-report.pdf.
[4] E. Levy, "Interface illusions," IEEE Security & Privacy, vol. 2, no. 6, pp. 66-69, Nov.-Dec. 2004.
[5] "Anti-Fraud Alliance," Dec. 3, 2005; http://www.securitypronews.com/news/securitynews/spn-45-20041117TheAntiFraudAlliance.html.
[6] D. Geer, "Security technologies go phishing," Computer, vol. 38, no. 6, pp. 18-21, June 2005.
[7] B. Schneier, "Mitigating identity theft," Schneier on Security: A weblog covering security and security technology, Dec. 12, 2005; http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html.
[8] Sen. P. Leahy, "Introduction of the Anti-Phishing Act of 2005," press release, Feb. 28, 2005; http://leahy.senate.gov/press/200503/030105.html.
[9] B. Krebs, "New industry helping banks fight back," washingtonpost.com, Jan. 4, 2006; http://washingtonpost.com/wp-dyn/articles/A63672005Mar4.html.
