Customer Involvement in Phishing Defence
Jordan Schroeder, CEH
June 21, 2011
Abstract
Phishing is a major source of e-commerce insecurity, and human behaviour is a larger factor in preventing security breaches than technology is. Phishing can defeat highly secure technologies by using unsophisticated technology with highly sophisticated psychological techniques. From the e-commerce vendor or service provider’s perspective, the solution is to employ the latest secure technology in conjunction with educating and training their customers and users on how to protect themselves.
Introduction
Phishing is the greatest threat that online banking currently faces. One hundred years ago, outlaws would break into bank vaults to steal cash, but in the Web 2.0 era, ‘Information Highwaymen’ break into individual customer accounts as they go about their day-to-day business. Just as bankers of old would install better safes, current bankers seek to solve this threat to their customers’ accounts and to their own reputation by implementing new technology. This approach is important and necessary, but the banking industry needs to be aware that it is only a foundational step that alone will not provide the security they seek.

Attacks are carried out using technology, but phishing is completed by the victims themselves. Unlike hacking attacks that can steal without the need for an authorized party to be actively involved, what makes phishing so effective is that the victim is the crucial element used to bypass security. In other words, traditional attacks require overwhelming force, but phishing is a con game. Sufficiently advanced technology can block traditional brute-force attacks, but stopping phishing effectively requires that the potential victims play an active role in the defensive process, which requires two elements: education and behavioural modification. This paper will look at how an e-commerce organization can instil knowledge and skills in its customers in order to protect both parties.
Phishing as an Attractive Criminal Enterprise
There are a number of statistics that show how attractive phishing is to criminal organizations:
• The number of phishing emails an average individual receives has increased from one or two a week to more than 70 every day(1)
• More than 420,000 scam emails are sent every hour in the United Kingdom(2)
• 55 percent of phishing scams are fake bank emails(2)
• A quarter of British citizens admitted to falling for phishing emails, losing on average £285(2)
• Online banking fraud has surged by 132% during the last year(2)
• Phishing web sites created by automated tool kits doubled, with an increase of 123% from May 2010 to August 2010(2)
• One criminal automatic phishing kit was downloaded over 200,000 times, according to its creator(3)
In the words of Tracy Kitten of Bank Info Security, “clearly, cybercriminals see value in phishing”(1).
What makes phishing an attractive criminal medium? Phishing is easy, free, bypasses firewalls, bypasses spam filters, bypasses anti-phishing filters, and can result in very lucrative payouts(4–9). No matter how sophisticated the technological defences are, phishing takes advantage of the access that an authorized person has, either by getting the user to disclose their username and password or by piggybacking on a connection to a secure website. Once an attacker has this access, funds are often transferred to bank accounts in countries that have poor banking fraud laws(10), which further limits the risk of the act. To make things worse, phishing techniques are evolving quickly(1,2,10,11). Phishing is so effective that it is used for a variety of purposes and is the primary method used by hackers to gain access to secure networks, instead of using the traditional sophisticated hacking of firewalls and servers(12). This means that devising a defence against this devastating, continuous, and persistent threat is an imperative.

There are two basic approaches to phishing: dragnet and spear phishing. Dragnet phishing sends emails to great numbers of people, hoping to get a few to fall for the trap(11,12). Spear phishing seeks to gain the confidence of a few potential victims, or even just one(1). By focusing on a select few potential victims, the attacker can craft emails in such a way as to increase their legitimate appearance to the recipient, and thereby increase the chances that the attack will succeed. With the amount of information available online from corporate websites and social networks, it is a simple thing to craft a personal-sounding email(12–14). No matter the intended target, phishing has proven to be simple and easy to execute, and shockingly effective for its purpose.
Technological Defence
The response to phishing threats has been to develop increasingly sophisticated technology, but the widespread approach, so far, has only been to address the individual symptoms of an attack. Effective phishing websites have URLs that are close in appearance to legitimate bank URLs and are kept online for as long as possible, while supporting multiple phishing campaigns. The defensive response is to maintain lists of these malicious URLs and block access to them. Phishers respond by generating disposable websites that can be replaced as soon as the existing site is blocked or taken down by the authorities. As a result of this approach, phishers have discovered that a website does not need to exist for a long period of time, because 90% of people who respond to a phishing email do so within ten hours of receiving the email(15). Defenders develop algorithms to inspect URLs to determine whether they were designed to mimic legitimate URLs, but this approach does not work if the URL is not intended to mimic a legitimate one, and it is even less effective if a legitimate web server has been hacked and used to host the phishing site(14).
One of the easier ways to defend against phishing is to look at the content of emails and block those that use common phishing phrases, but attackers circumvent this approach by using sparsely worded emails with the phishing message in a file as an attachment(7). The standard response to this approach is to block all or certain attachment types, but as long as attachments of any type are allowed, which is true for most organizations, the threat remains. Along the same line of thinking, spam filters analyze the metadata of an email to determine the likelihood that the email is or is not spam, based on common spam characteristics. This approach is effective in blocking the dragnet method of phishing, but not if the email comes from a previously approved source that has been hacked, or if the email is targeted, as is the case in spear phishing(8).
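The two content checks described above, a look-alike-URL test and a blocked-phrase test, are easy to write and just as easy to evade, and the evasion cases are the point of the paper. The following added example (not code from the original paper) implements both checks over three constructed messages: one with a look-alike domain and urgent wording, one sparsely worded lure with the message in an attachment, and one genuine alert. The bank domain `examplebank.com`, the phrase list, and the sample messages are all assumptions made for the example; the attachment-only lure deliberately comes back unflagged, which is the gap the text describes.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Domains the (hypothetical) bank really uses. Constructed for this example.
LEGITIMATE_DOMAINS = {"examplebank.com", "secure.examplebank.com"}

# Phrases a content filter might block. A sparsely worded email that puts the
# lure in an attachment never triggers this list, which is the evasion the
# paper describes.
URGENCY_PHRASES = (
    "verify your account",
    "account will be suspended",
    "within 24 hours",
    "confirm your identity",
    "act now",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host name. A real deployment would consult the
    public suffix list; this shortcut is enough for the constructed samples."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike(host):
    """Return (closest legitimate domain, edit distance) for a host name."""
    legit = {registrable_domain(d) for d in LEGITIMATE_DOMAINS}
    dom = registrable_domain(host)
    best = min(legit, key=lambda d: levenshtein(dom, d))
    return best, levenshtein(dom, best)


def triage(raw_message):
    """Apply the phrase check and the look-alike check to one RFC 822 message.

    Returns the findings, the attachment names seen, and a 'suspicious' flag
    that only the two checks can set, so the attachment-only lure and a domain
    that does not imitate the bank both stay unflagged.
    """
    msg = message_from_string(raw_message)
    findings, attachments, body = [], [], ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename())  # noted, not inspected
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", errors="replace")

    lowered = body.lower()
    findings += [f"urgency phrase: {p!r}" for p in URGENCY_PHRASES if p in lowered]

    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        best, distance = lookalike(host)
        # distance 0 is the bank's own domain; a large distance is a domain that
        # makes no attempt to imitate the bank, which this check cannot flag.
        if 0 < distance <= 2:
            findings.append(f"look-alike domain {host} (resembles {best})")

    return {"findings": findings, "attachments": attachments, "suspicious": bool(findings)}


# Constructed sample messages (not real phishing mail).
LOOKALIKE_LURE = """From: alerts@examp1ebank.com
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/plain

Your account will be suspended within 24 hours unless you verify your account:
http://secure.examp1ebank.com/login
"""

ATTACHMENT_LURE = """From: notices@examplebank.com
To: customer@example.org
Subject: Statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

See attached.
--B1
Content-Type: text/html; name="notice.html"
Content-Disposition: attachment; filename="notice.html"

<html><body>placeholder</body></html>
--B1--
"""

GENUINE_ALERT = """From: alerts@examplebank.com
To: customer@example.org
Subject: Monthly statement available
Content-Type: text/plain

Your statement is ready at http://secure.examplebank.com/alerts
"""

if __name__ == "__main__":
    for name, sample in [("look-alike", LOOKALIKE_LURE), ("attachment", ATTACHMENT_LURE), ("genuine", GENUINE_ALERT)]:
        print(name, triage(sample))
```

Running the block prints one result per sample; the attachment-only lure produces no findings at all, which is why the paper's next line of defence is attachment blocking rather than better phrase lists.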
Kaspersky Lab, a leader in digital security products, applied for a patent in June 2011 for a new defensive approach. Kaspersky Lab seeks to create a tunnel of trusted identity between the bank’s physical web servers and the customer’s physical computer, where both ends are verified to be the legitimate entity(16). This will have an effect on phishing methods that rely on illegitimate URLs and look-alike websites, but it will only work if the customer uses this verified tunnel to engage in banking activities. Many banking customers (52% in one survey) engage in personal banking activities at work and in other public areas, which circumvents such dedicated tunnels(1).
Another defensive approach is to use ‘two-factor’ authentication, which is gaining in popularity. This approach requires that a user have two forms of authentication, one of which is physical, before being allowed to access the bank’s website. This is a very powerful approach to preventing attackers’ access to accounts, because although the attacker may acquire the login credentials, they will not be able to log in without the second physical authentication device. In response to this method, phishers have developed malware, like Zeus and SpyEye, that prevents a user from logging off of the bank’s website and passes the customer’s web session to the attacker, who then transfers funds from the customer’s accounts(17). Except for the unusual activity, there is no technological defence that a bank can develop to prevent this type of attack(10).
Human Behaviour
Phishing is popular with attackers because it is easy to perform, effective, and the technological methods needed to achieve success are simple. But these benefits hinge on the effectiveness of tricking people into doing something they might not otherwise do. To accomplish that, phishers become manipulators of human behaviour.
One of the common ways to get a user to act is to instil a sense of urgency. When the Epsilon data breach occurred in April 2011, phishers took advantage of the worldwide flood of news of the breach and sent emails to potential victims (at email addresses that they had stolen), telling them that as a result of the breach, bank customers were at risk of having their bank accounts broken into. The emails included a fake link to a login page where the customers could supply their current credentials. The urgent tone of the email, combined with the pre-existing urgency of the news in general, proved to be effective(8). This type of manufactured urgency is further compounded by a natural urgency that web users feel when they read email. A multi-university study conducted in early 2011 found that active Internet users were especially susceptible to phishing because they do not take the time to evaluate every communication that they receive(18). This natural sense of urgency contributes to the statistic that half of the respondents to phishing emails visit the illegitimate website within an hour of the emails being sent(15).
Besides urgency, notification of changes in company benefits(11), fear, trust, desire, greed, and curiosity(4) can all be used to successfully manipulate users. One study found that the imposition of responsibility that appears to come from a higher authority is the biggest human driver, being 28% more effective than greed, which was thought to be the most successful manipulation technique(19). The authoritative approach is particularly effective in industries that are highly regulated or in companies that normally operate with a strict authoritative hierarchy(14).
Strangely, those who hold authority are the easiest group of people to phish, even though they should be immune to impositions of responsibility. Company executives can feel that security policies should not apply to them and are quick to complain when they feel that security policies are too restrictive. IT department personnel tend to make allowances for such requests by executives(20). In the same way, CIOs tend to be early adopters of new technology and will bring a new device into the office before it has been properly tested for security. This opens up unknown security holes that attackers can exploit by breaking into the device with a phishing email that contains code designed to take over certain devices. When the CIO uses the new device to read the email, attachment, or link, the device becomes compromised and can be used to send emails from the CIO’s account or as a staging point for breaking into the secure network(20). This vulnerability shows the importance of having a security policy and of following it, no matter who the member of the organization is, as well as showing how otherwise effective technology can be effortlessly subverted by the very people it is supposed to protect.
Effective Remedies
Since technology is not effective in and of itself, the solution to protecting an organization or enterprise is, in the words of the security consultant Jason Street, to “patch the human problem”(20). The focus on people being the solution to phishing is growing in the IT Security and Banking industries(13,14,21). There are two methods to employ: providing information to empower customers, and instigating a change in customers’ behaviour.
The first step to ‘patching the human problem’ is to provide the basic information necessary to identify the hallmarks of a phishing email. Banks and other e-commerce vendors can set up regular newsletters, informational websites, and social networking venues to communicate security tips and warnings(22). Even simple Twitter messages such as “Remember: we will never send you an email with a link to log on to your account” can be effective in raising the general awareness of the average user, which in mid-2011 is very low(22). As phishing techniques continue to evolve, a bank or vendor that already has a following of customers who listen to its tips will be able to inform those customers of the changing threat landscape more quickly. Another important consideration is to provide a standard and consistent channel of communication for recent security events and alerts of active threats. If consumers have a trusted source of information apart from emails, they can start to depend on it to verify suspicious-looking communications(23).
The second step in devising a more complete solution to phishing is to engage in active education designed to change the behaviour of the recipient. Knowing the theory behind phishing will only go so far unless the user has a chance to put that knowledge into practice in an instructive environment. This involves the bank or vendor actively trying to phish its own customers. If customers fall for the bait, they are directed to a safe landing page that outlines the error they made and how they could avoid falling for a similar trap in the future. This process continues while gradually increasing the complexity of the phishing types. Phishing one’s own customers and employees has been shown to be a very successful approach, with one vendor seeing a reduction of 50–70% in users falling for the bait(13). PhishMe, a phishing training provider, shows that 58% of participants fall for the first phishing email in their program, but that number drops to around 5% by the fourth round of training emails. These numbers from PhishMe are significant, and this type of training is gaining the attention of government departments like the US Department of Energy(19).
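A training programme of the kind described above (simulated lures, a safe landing page, rounds of gradually increasing complexity) is only as good as the measurements behind it: the fall-for rate per round, the users who keep falling for the bait and need more than a landing page, and a rule for when to move on to harder lures. The following added example, which is not code from the paper or from any training vendor, computes those three things over a constructed four-round event log for ten users. The event schema, the user names, and the escalation threshold of 10% are assumptions made for the example; the paper itself only says complexity increases gradually.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationEvent:
    round_no: int   # training round, 1-based; later rounds use more convincing lures
    user: str
    clicked: bool   # True if the user followed the simulated lure to the landing page


# Constructed results for a four-round programme with ten users (not real data).
ROUND_CLICKS = {
    1: {"u1", "u2", "u3", "u4", "u5", "u6"},
    2: {"u1", "u2", "u7"},
    3: {"u1", "u8"},
    4: {"u1"},
}
USERS = [f"u{i}" for i in range(1, 11)]
EVENTS = [SimulationEvent(r, u, u in ROUND_CLICKS[r]) for r in ROUND_CLICKS for u in USERS]


def fall_rate_by_round(events):
    """Fraction of recipients who fell for the lure, keyed by round number."""
    sent, clicked = defaultdict(set), defaultdict(set)
    for e in events:
        sent[e.round_no].add(e.user)
        if e.clicked:
            clicked[e.round_no].add(e.user)
    return {r: len(clicked[r]) / len(sent[r]) for r in sorted(sent)}


def overall_reduction(events):
    """Relative drop in the fall-for rate from the first round to the latest one,
    the figure a vendor reports as 'a 50-70% reduction'."""
    rates = fall_rate_by_round(events)
    first, last = rates[min(rates)], rates[max(rates)]
    return 0.0 if first == 0 else (first - last) / first


def repeat_clickers(events, min_rounds=2):
    """Users who fell for the lure in at least min_rounds rounds. The landing
    page alone is not working for them, so they should get direct coaching."""
    rounds_clicked = defaultdict(set)
    for e in events:
        if e.clicked:
            rounds_clicked[e.user].add(e.round_no)
    return sorted(u for u, rs in rounds_clicked.items() if len(rs) >= min_rounds)


def ready_to_escalate(events, threshold=0.10):
    """Assumed policy (not stated in the paper): move to a harder lure type only
    once the latest round's fall-for rate is at or below the threshold."""
    rates = fall_rate_by_round(events)
    return rates[max(rates)] <= threshold


if __name__ == "__main__":
    print("fall rate by round:", fall_rate_by_round(EVENTS))
    print("overall reduction: %.0f%%" % (100 * overall_reduction(EVENTS)))
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("ready for harder lures:", ready_to_escalate(EVENTS))
```

Feeding the functions only the first three rounds shows the escalation rule holding the programme at the current difficulty until the rate falls, which is the ongoing-training point the next paragraph makes.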
To maintain the effectiveness of ‘ethical phishing’, training needs to be ongoing. Having the presence of mind to weigh the impact of random emails requires the constant vigilance of the user. That level of awareness needs to be supported by constant information and training opportunities, and that cannot be accomplished with a once-a-year program(19). Just as security technology and personnel are required to stay current, so must the recipients of phishing emails.
Conclusion
Phishing is easy to perform, simple in design, highly effective, and disastrously profitable. By focusing on tricking a person into taking action on behalf of an attacker, no complex technology is required to bypass the layers of defence erected to protect users. Phishing only works when a user takes action as a result of receiving a malicious email. Technology can be put in place to limit the number of phishing emails and to potentially limit the success of certain types of attacks, but ultimately, it is the user that is the crucial agent in the attack.

Setting up alternative and consistent channels of communication for security news, tips, and alerts can be an effective way to arm customers with relevant information without relying on emails. Testing their knowledge and instilling the skills to identify and avoid phishing emails is currently the most effective method of protecting users, but this solution requires that testing and training be ongoing in order to maintain effectiveness.

With a combination of up-to-date technology and continuous training and support, a phisher’s success can be reduced by a significant amount; indeed, without the implementation of these elements of protection, phishing will continue to be a substantial threat to all banks, e-commerce vendors, and service providers.
Appendix
This paper uses the very latest material available at the time of writing, pulling together the most recent news, reports, analyses, and responses from the IT Security community, as well as the most recent techniques discovered and advertised to be in use by criminal organizations. All available peer-reviewed research and academic studies were too old to be of use for this paper. As one banking IT Security expert said, “The cybercriminal of 2011 has long ago bypassed and surpassed the techniques of 2005”(10).
References
[1] Kitten, Tracy. (18 Jan 2011). “‘Spear-Phishing,’ Risky Behavior and Poor Protections To Blame”. Bank Info Security. http://blogs.bankinfosecurity.com/posts.php?postID=855 (Accessed 21 June 2011)
[2] Skinner, Carrie-ann. (16 Jun 2010). “3.7 billion phishing emails were sent in the last 12 months”. Network World. http://www.networkworld.com/news/2010/061610-37-billion-phishing-emails-were.html (Accessed 21 June 2011)
[3] Brewster, Tom. (23 Jul 2010). “Hackers give birth to phish that never dies”. IT Pro. http://www.itpro.co.uk/625453/hackers-give-birth-to-phish-that-never-dies (Accessed 21 June 2011)
[4] Vasudevan, N.; Thanuja, B. M. (15 Aug 2010). “Cyber goons phish beyond financial transactions”. Financial Chronicle. http://www.mydigitalfc.com/knowledge/cyber-goons-phish-beyond-financial-transactions-420 (Accessed 21 June 2011)
[5] Jackson, Jeromie. (17 Dec 2010). “Top 5 Social Engineering and Penetration Testing Tools”. Credit Union Information Security Practitioner. http://itknowledgeexchange.techtarget.com/security-assessment/top-5-social-engineering-penetration-testing-tools/ (Accessed 21 June 2011)
[6] Goodchild, Joan. (11 Jan 2010). “Social Engineering: The Basics”. CSO. http://www.csoonline.com/article/514063/social-engineering-the-basics (Accessed 21 June 2011)
[7] Kitten, Tracy. (22 Mar 2011). “Low-Tech Scam Uses Attachments to Fool Spam Filters”. Bank Info Security. http://www.bankinfosecurity.com/articles.php?art_id=3455 (Accessed 21 June 2011)
[8] Rashid, Fahmida Y. (7 Apr 2011). “Chase Bank Phish Emails May Be First Post-Epsilon Scam”. eWeek. http://www.eweek.com/c/a/Security/Chase-Bank-Phish-Emails-May-Be-First-PostEpsilon-Scam-851226/ (Accessed 21 June 2011)
[9] Zetter, Kim. (7 Jun 2011). “Bank Not Responsible for Letting Hackers Steal $300K From Customer”. Wired. http://www.wired.com/threatlevel/2011/06/bank-ach-theft/ (Accessed 21 June 2011)
[10] Krebs, Brian. (8 Jun 2011). “Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security”. KrebsOnSecurity.com. http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/ (Accessed 21 June 2011)
[11] Vijayan, Jaikumar. (20 Apr 2011). “Phishing emerges as major corporate security threat”. Network World. http://www.networkworld.com/news/2011/042011-phishing-emerges-as-major-corporate.html (Accessed 21 June 2011)
[12] Vijayan, Jaikumar. (9 May 2011). “Phishing Becomes More Sophisticated”. Network World. http://www.networkworld.com/news/2011/050911-phishing-becomes-more.html (Accessed 21 June 2011)
[13] Musthaler, Linda. (12 May 2011). “Don’t open that email! How to reduce the threat of phishing”. Network World. http://www.networkworld.com/newsletters/techexec/2011/051311bestpractices.html (Accessed 21 June 2011)
[14] Helms, Karla Jo. (23 May 2011). “Cybercrime Statistics Expose Five Industries Most Susceptible to Phishing Attacks”. PR Newswire. http://www.prnewswire.com/news-releases/cybercrime-statistics-expose-five-industries-most-susceptible-to-phishing-attacks-122436438.html (Accessed 21 June 2011)
[15] Leyden, John. (3 Dec 2010). “Half of phish marks respond to scams within one ‘golden hour’”. The Register. http://www.theregister.co.uk/2010/12/03/phishing_response_survey/ (Accessed 21 June 2011)
[16] Press Release. (3 Jun 2011). “Kaspersky Lab has been granted a patent for new anti-phishing technology”. Kaspersky Lab. http://newsroom.kaspersky.eu/en/texts/detail/article/kaspersky-lab-has-been-granted-a-patent-for-new-anti-phishing-technology (Accessed 21 June 2011)
[17] Neale, Gavin. (9 Dec 2010). “Which Bank would you like with that Phish?”. M86 Security Labs. http://labs.m86security.com/2010/12/which-bank-would-you-like-with-that-phish/ (Accessed 21 June 2011)
[18] Greene, Tim. (7 Apr 2011). “Phishing scams dupe the most active online users”. Network World. http://www.networkworld.com/news/2011/040711-phishing-research.html (Accessed 21 June 2011)
[19] Jackson, William. (8 Jun 2011). “To defeat phishing, Energy learns to phish”. Government Computer News. http://gcn.com/articles/2011/06/13/doe-phishing-test.aspx (Accessed 21 June 2011)
[20] Goodchild, Joan. (14 Jul 2010). “Why executives are the easiest social engineering targets”. Network World. http://www.networkworld.com/news/2010/071410-why-executives-are-the-easiest.html (Accessed 21 June 2011)
[21] Cohen, Reuven. (15 Jan 2010). “GoogleHack Proves People are Easier to Hack then Networks”. Cloud Computing Journal. http://cloudcomputing.sys-con.com/node/1248613/ (Accessed 21 June 2011)
[22] Field, Tom. (3 Jun 2011). “Fraud Prevention: The Examiner’s View”. Bank Info Security. http://www.bankinfosecurity.com/podcasts.php?podcastID=1151&rf=2011-06-03-eb (Accessed 21 June 2011)
[23] Unknown. (26 May 2011). “How banks use Twitter to combat fraud”. Net Security. http://www.net-security.org/secworld.php?id=11078 (Accessed 21 June 2011)
[24] Gates, Chris. (16 Dec 2010). “Conducting a Phishing Campaign in Metasploit Pro”. Attack Research. http://carnal0wnage.attackresearch.com/2010/12/conducting-phishing-campaign-in.html (Accessed 21 June 2011)
[25] Kennedy, David. (13 Sep 2010). “Social Engineer Toolkit (SET)”. Social-Engineer.org. http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)#Tabnabbing_Attack_Method (Accessed 21 June 2011)
[26] Piscitello, Dave. (3 Jun 2011). “APWG Web Vulnerabilities Survey: June 2011”. Anti-Phishing Working Group. http://www.antiphishing.org/reports/apwg_web_vulberabilities_survey_june_2011.pdf (Accessed 21 June 2011)

A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...IJNSA Journal
 
An Introduction to E-Mail Security and Fraud
An Introduction to E-Mail Security and FraudAn Introduction to E-Mail Security and Fraud
An Introduction to E-Mail Security and FraudDR.P.S.JAGADEESH KUMAR
 
Cybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & ImportanceCybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & Importancemanoharparakh
 
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...IRJET Journal
 
Phishing detection in ims using domain ontology and cba an innovative rule ...
Phishing detection in ims using domain ontology and cba   an innovative rule ...Phishing detection in ims using domain ontology and cba   an innovative rule ...
Phishing detection in ims using domain ontology and cba an innovative rule ...ijistjournal
 
PHISHING DETECTION IN IMS USING DOMAIN ONTOLOGY AND CBA – AN INNOVATIVE RULE ...
PHISHING DETECTION IN IMS USING DOMAIN ONTOLOGY AND CBA – AN INNOVATIVE RULE ...PHISHING DETECTION IN IMS USING DOMAIN ONTOLOGY AND CBA – AN INNOVATIVE RULE ...
PHISHING DETECTION IN IMS USING DOMAIN ONTOLOGY AND CBA – AN INNOVATIVE RULE ...ijistjournal
 
Detecting phishing websites using associative classification (2)
Detecting phishing websites using associative classification (2)Detecting phishing websites using associative classification (2)
Detecting phishing websites using associative classification (2)Alexander Decker
 
Edu 03 assingment
Edu 03 assingmentEdu 03 assingment
Edu 03 assingmentAswani34
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresIRJET Journal
 
CYBERSECURITY STRATEGIES FOR SAFEGUARDING CUSTOMER’S DATA AND PREVENTING FINA...
CYBERSECURITY STRATEGIES FOR SAFEGUARDING CUSTOMER’S DATA AND PREVENTING FINA...CYBERSECURITY STRATEGIES FOR SAFEGUARDING CUSTOMER’S DATA AND PREVENTING FINA...
CYBERSECURITY STRATEGIES FOR SAFEGUARDING CUSTOMER’S DATA AND PREVENTING FINA...ijsc
 
Cybersecurity Strategies for Safeguarding Customer’s Data and Preventing Fina...
Cybersecurity Strategies for Safeguarding Customer’s Data and Preventing Fina...Cybersecurity Strategies for Safeguarding Customer’s Data and Preventing Fina...
Cybersecurity Strategies for Safeguarding Customer’s Data and Preventing Fina...ijsc
 
E Mail Phishing Prevention and Detection
E Mail Phishing Prevention and DetectionE Mail Phishing Prevention and Detection
E Mail Phishing Prevention and Detectionijtsrd
 
A Survey On Cyber Crime Information Security
A Survey On  Cyber Crime   Information SecurityA Survey On  Cyber Crime   Information Security
A Survey On Cyber Crime Information SecurityMichele Thomas
 
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSESE-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSESIJNSA Journal
 
MULTI-LEVEL PARSING BASED APPROACH AGAINST PHISHING ATTACKS WITH THE HELP OF ...
MULTI-LEVEL PARSING BASED APPROACH AGAINST PHISHING ATTACKS WITH THE HELP OF ...MULTI-LEVEL PARSING BASED APPROACH AGAINST PHISHING ATTACKS WITH THE HELP OF ...
MULTI-LEVEL PARSING BASED APPROACH AGAINST PHISHING ATTACKS WITH THE HELP OF ...IJNSA Journal
 
Cybercrime - An essential guide from Thawte
Cybercrime - An essential guide from ThawteCybercrime - An essential guide from Thawte
Cybercrime - An essential guide from ThawteRapidSSLOnline.com
 
Cyber security.docx
Cyber security.docxCyber security.docx
Cyber security.docxsaivarun91
 

Similar to Customer Involvement in Phishing Defence (20)

IRJET- A Survey on Automatic Phishing Email Detection using Natural Langu...
IRJET-  	  A Survey on Automatic Phishing Email Detection using Natural Langu...IRJET-  	  A Survey on Automatic Phishing Email Detection using Natural Langu...
IRJET- A Survey on Automatic Phishing Email Detection using Natural Langu...
 
CERT STRATEGY TO DEAL WITH PHISHING ATTACKS
CERT STRATEGY TO DEAL WITH PHISHING ATTACKSCERT STRATEGY TO DEAL WITH PHISHING ATTACKS
CERT STRATEGY TO DEAL WITH PHISHING ATTACKS
 
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
 
An Introduction to E-Mail Security and Fraud
An Introduction to E-Mail Security and FraudAn Introduction to E-Mail Security and Fraud
An Introduction to E-Mail Security and Fraud
 
Cybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & ImportanceCybersecurity in BFSI - Top Threats & Importance
Cybersecurity in BFSI - Top Threats & Importance
 
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
 
Phishing detection in ims using domain ontology and cba an innovative rule ...
Phishing detection in ims using domain ontology and cba   an innovative rule ...Phishing detection in ims using domain ontology and cba   an innovative rule ...
Phishing detection in ims using domain ontology and cba an innovative rule ...
 
PHISHING DETECTION IN IMS USING DOMAIN ONTOLOGY AND CBA – AN INNOVATIVE RULE ...
PHISHING DETECTION IN IMS USING DOMAIN ONTOLOGY AND CBA – AN INNOVATIVE RULE ...PHISHING DETECTION IN IMS USING DOMAIN ONTOLOGY AND CBA – AN INNOVATIVE RULE ...
PHISHING DETECTION IN IMS USING DOMAIN ONTOLOGY AND CBA – AN INNOVATIVE RULE ...
 
Detecting phishing websites using associative classification (2)
Detecting phishing websites using associative classification (2)Detecting phishing websites using associative classification (2)
Detecting phishing websites using associative classification (2)
 
Edu 03 assingment
Edu 03 assingmentEdu 03 assingment
Edu 03 assingment
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
CYBERSECURITY STRATEGIES FOR SAFEGUARDING CUSTOMER’S DATA AND PREVENTING FINA...
CYBERSECURITY STRATEGIES FOR SAFEGUARDING CUSTOMER’S DATA AND PREVENTING FINA...CYBERSECURITY STRATEGIES FOR SAFEGUARDING CUSTOMER’S DATA AND PREVENTING FINA...
CYBERSECURITY STRATEGIES FOR SAFEGUARDING CUSTOMER’S DATA AND PREVENTING FINA...
 
Cybersecurity Strategies for Safeguarding Customer’s Data and Preventing Fina...
Cybersecurity Strategies for Safeguarding Customer’s Data and Preventing Fina...Cybersecurity Strategies for Safeguarding Customer’s Data and Preventing Fina...
Cybersecurity Strategies for Safeguarding Customer’s Data and Preventing Fina...
 
E Mail Phishing Prevention and Detection
E Mail Phishing Prevention and DetectionE Mail Phishing Prevention and Detection
E Mail Phishing Prevention and Detection
 
A Survey On Cyber Crime Information Security
A Survey On  Cyber Crime   Information SecurityA Survey On  Cyber Crime   Information Security
A Survey On Cyber Crime Information Security
 
V01 i010413
V01 i010413V01 i010413
V01 i010413
 
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSESE-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
E-COMMERCE SYSTEMS SECURITY FOR SMALL BUSINESSES
 
MULTI-LEVEL PARSING BASED APPROACH AGAINST PHISHING ATTACKS WITH THE HELP OF ...
MULTI-LEVEL PARSING BASED APPROACH AGAINST PHISHING ATTACKS WITH THE HELP OF ...MULTI-LEVEL PARSING BASED APPROACH AGAINST PHISHING ATTACKS WITH THE HELP OF ...
MULTI-LEVEL PARSING BASED APPROACH AGAINST PHISHING ATTACKS WITH THE HELP OF ...
 
Cybercrime - An essential guide from Thawte
Cybercrime - An essential guide from ThawteCybercrime - An essential guide from Thawte
Cybercrime - An essential guide from Thawte
 
Cyber security.docx
Cyber security.docxCyber security.docx
Cyber security.docx
 

Customer Involvement in Phishing Defence

Customer Involvement in Phishing Defence
Jordan Schroeder, CEH
June 21, 2011

Abstract

Phishing is a major source of e-commerce insecurity, and human behaviour is a larger factor in preventing security breaches than technology is. Phishing can defeat highly secure technologies by using unsophisticated technology with highly sophisticated psychological techniques. From the e-commerce vendor or service provider's perspective, the solution is to employ the latest secure technology in conjunction with educating and training their customers and users on how to protect themselves.

Introduction

Phishing is the greatest threat that online banking currently faces. One hundred years ago, outlaws would break into bank vaults to steal cash, but in the Web 2.0 era, 'Information Highwaymen' break into individual customer accounts as they go about their day-to-day business. Just as bankers of old would install better safes, current bankers seek to solve this threat to their customers' accounts and to their own reputation by implementing new technology. This approach is important and necessary, but the banking industry needs to be aware that it is only a foundational step that alone will not provide the security they seek.

Attacks are carried out using technology, but phishing is completed by the victims themselves. Unlike hacking attacks that can steal without the need for an authorized party to be actively involved, what makes phishing so effective is that the victim is the crucial element used to bypass security. In other words, traditional attacks require overwhelming force, but phishing is a con game. Sufficiently advanced technology can block traditional brute-force attacks, but to stop phishing effectively requires that the potential victims play an active role in the defensive process, which requires two elements: education and behavioural modification. This paper will look at how an e-commerce organization can instil knowledge and skills in its customers in order to protect both parties.

Phishing as an Attractive Criminal Enterprise

There are a number of statistics that show how attractive phishing is to criminal organizations:

• The number of phishing emails an average individual receives has increased from one or two a week to more than 70 every day (1)
• More than 420,000 scam emails are sent every hour in the United Kingdom (2)
• 55 percent of phishing scams are fake bank emails (2)
• A quarter of British citizens admitted to falling for phishing emails, losing on average £285 (2)
• Online banking fraud has surged by 132% during the last year (2)
• Phishing web sites created by automated tool kits doubled with an increase of 123% from May 2010 to August 2010 (2)
• One criminal automatic phishing kit was downloaded over 200,000 times, according to its creator (3)

In the words of Tracy Kitten of Bank Info Security, "clearly, cybercriminals see value in phishing" (1).

What makes phishing an attractive criminal medium? Phishing is easy, free, bypasses firewalls, bypasses spam filters, bypasses anti-phishing filters, and can result in very lucrative payouts (4–9). No matter how sophisticated the technological defences are, phishing takes advantage of the access that an authorized person has, either by getting the user to disclose their username and password or by piggybacking on a connection to a secure website. Once an attacker has this access, funds are often transferred to bank accounts in countries that have poor banking fraud laws (10), which further limits the risk of the act. To make things worse, phishing techniques are evolving quickly (1,2,10,11). Phishing is so effective that it is used for a variety of purposes and is the primary method used by hackers to gain access to secure networks, instead of the traditional sophisticated hacking of firewalls and servers (12). This means that devising a defence against this devastating, continuous, and persistent threat is an imperative.

There are two basic approaches to phishing: dragnet and spear phishing. Dragnet phishing sends emails to great numbers of people, hoping to get a few to fall for the trap (11,12). Spear phishing seeks to gain the confidence of a few potential victims, or even just one (1). By focusing on a select few potential victims, the attacker can craft emails in such a way as to increase their legitimate appearance to the recipient, and thereby increase the chances that the attack will succeed. With the amount of information available online from corporate websites and social networks, it is a simple thing to craft a personal-sounding email (12–14). No matter the intended target, phishing has proven to be simple and easy to execute, and shockingly effective for its purpose.

Technological Defence

The response to phishing threats has been to develop increasingly sophisticated technology, but the widespread approach, so far, has only been to address the individual symptoms of an attack. Effective phishing websites have URLs that are close in appearance to legitimate bank URLs and are kept online for as long as possible, while supporting multiple phishing campaigns. The defensive response is to maintain lists of these malicious URLs and block access to them. Phishers respond by generating disposable websites that can be replaced as soon as the existing site is blocked or taken down by the authorities. As a result of this approach, phishers have discovered that a website does not need to exist for a long period of time, because 90% of people who respond to a phishing email do so within ten hours of receiving the email (15). Defenders develop algorithms to inspect URLs and determine whether they were designed to mimic legitimate URLs, but this approach does not work if the URL is not intended to mimic a legitimate one, and it is even less effective if a legitimate web server has been hacked and used to host the phishing site (14).

One of the easier ways to defend against phishing is to look at the content of emails and block those that use common phishing phrases, but attackers circumvent this approach by using sparsely worded emails with the phishing message in a file as an attachment (7). The standard response to this approach is to block all or certain attachment types, but as long as attachments of any type are allowed, which is true for most organizations, the threat remains. Along the same line of thinking, spam filters analyze the metadata of an email to determine the likelihood that the email is or is not spam, based on common spam characteristics. This approach is effective in blocking the dragnet method of phishing, but not if the email comes from a previously approved source that has been hacked, or if the email is targeted, as is the case in spear phishing (8).

Kaspersky Lab, a leader in digital security products, applied for a patent in June 2011 for a new defensive approach. Kaspersky Lab seeks to create a tunnel of trusted identity between the bank's physical web servers and the customer's physical computer, where both ends are verified to be the legitimate entity (16). This will have an effect on phishing methods that rely on illegitimate URLs and look-alike websites, but it will only work if the customer uses this verified tunnel to engage in banking activities. Many banking customers (52% in one survey) engage in personal banking activities at work and other public areas, which circumvents such dedicated tunnels (1).

Another defensive approach is to use 'two-factor' authentication, which is gaining in popularity. This approach requires that a user have two forms of authentication, one of which is physical, before being allowed to access the bank's website. This is a very powerful approach to preventing attackers' access to accounts, because although the attacker may acquire the login credentials, they will not be able to log in without the second physical authentication device. In response to this method, phishers have developed malware, like Zeus and SpyEye, that prevents a user from logging off of the bank's website and passes the customer's web session to the attacker, who then transfers funds from the customer's accounts (17). Except for the unusual activity, there is no technological defence that a bank can develop to prevent this type of attack (10).

Human Behaviour

Phishing is popular with attackers because it is easy to perform, effective, and the technological methods to achieve success are simple. But these benefits hinge on the effectiveness of tricking people into doing something they might not otherwise do. To accomplish that, phishers become manipulators of human behaviour.

One of the common ways to get a user to act is to instil a sense of urgency. When the Epsilon data breach occurred in April 2011, phishers took advantage of the worldwide flood of news of the breach and sent emails to potential victims (emails that they had stolen), telling them that, as a result of the breach, bank customers were at risk of having their bank accounts broken into. The emails included a fake link to a login page where the customers could supply their current credentials. The urgent tone of the email, combined with the pre-existing urgency of the news in general, proved to be effective (8). This type of manufactured urgency is further compounded by a natural urgency that web users feel when they read email. A multi-university study conducted in early 2011 found that active Internet users were especially susceptible to phishing because they do not take the time to evaluate every communication that they receive (18). This natural sense of urgency contributes to the statistic that half of the respondents to phishing emails visit the illegitimate website within an hour of the emails being sent (15).
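The email-side defences described under Technological Defence (a blocklist of known phishing hosts, look-alike URL inspection, and filtering on the urgency and authority phrases discussed just above), as an added toy implementation that is not the paper's own code, run over constructed samples that mirror the paper's three cases: a dragnet lure, a sparsely worded message with the lure in an attachment, and a phishing page hosted on a hacked legitimate server. All domains, hosts, phrases, messages and thresholds are constructed assumptions for illustration.

```python
"""
Toy layered phishing triage: URL blocklist, look-alike URL inspection and a
phrase-based content filter, run over constructed sample emails to show which
layer catches what and which cases slip through. Added example, not from the
paper; every domain, message and threshold here is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

LEGIT_DOMAIN = "examplebank.com"        # constructed: the bank's real domain
BRAND = "examplebank"
BLOCKLIST = {"examplebank-verify.net"}  # constructed: a previously seen phishing host

# Manipulation levers the paper lists (urgency, authority, fear), as crude
# keyword patterns standing in for a real content classifier.
PHISHING_PHRASES = [
    r"\bverify your account\b", r"\bwithin 24 hours\b", r"\bsuspended\b",
    r"\bdata breach\b", r"\bimmediately\b", r"\bsecurity department\b",
    r"\bconfirm your (?:details|credentials)\b",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag typo/homoglyph squats like examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (a public-suffix list would be used in practice)."""
    return ".".join(host.split(".")[-2:])


def url_verdict(url: str) -> str:
    """Classify one URL as 'legit', 'blocklisted', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legit"
    if host in BLOCKLIST or registrable(host) in BLOCKLIST:
        return "blocklisted"
    if BRAND in host:                      # brand name hidden inside a foreign host
        return "lookalike"
    if edit_distance(registrable(host), LEGIT_DOMAIN) <= 2:
        return "lookalike"                 # near-miss spelling of the real domain
    return "unknown"                       # e.g. a compromised legitimate site


@dataclass
class Email:
    subject: str
    body: str
    attachments: tuple = ()


def triage(mail: Email) -> dict:
    """Run the URL layer and the content layer over one email; report which fired."""
    text = f"{mail.subject}\n{mail.body}"
    urls = URL_RE.findall(text)
    bad_urls = [u for u in urls if url_verdict(u) in ("blocklisted", "lookalike")]
    phrases = [p for p in PHISHING_PHRASES if re.search(p, text, re.IGNORECASE)]
    url_layer, content_layer = bool(bad_urls), len(phrases) >= 2
    return {"url_layer": url_layer, "content_layer": content_layer,
            "flagged": url_layer or content_layer,
            "attachments": list(mail.attachments)}


# Constructed samples mirroring the three cases the paper discusses.
SAMPLES = {
    # Dragnet lure: look-alike host plus an urgent, authoritative tone.
    "dragnet": Email(
        "Security department: action required",
        "Following the data breach, verify your account within 24 hours at "
        "https://examplebank-secure.example/login or it will be suspended."),
    # Sparsely worded message with the lure in an attachment: neither layer
    # sees a URL or a phishing phrase, as the paper notes.
    "attachment": Email("Statement", "Statement attached.", ("statement.html",)),
    # Phishing page on a hacked legitimate third-party server: the host neither
    # resembles the bank nor appears on the blocklist.
    "hacked_host": Email(
        "Your statement is ready",
        "Please confirm your details at https://alumni.some-college.example/uploads/login.html"),
}


def run_samples() -> dict:
    """Return {sample name: flagged?} for every constructed sample."""
    return {name: triage(mail)["flagged"] for name, mail in SAMPLES.items()}


if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        print(f"{name:12s} -> {triage(mail)}")
```

Only the dragnet sample is flagged; the attachment and hacked-host samples pass both layers, which is the gap the paper argues customer education must close.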
Besides urgency, notification of changes in company benefits (11), fear, trust, desire, greed, and curiosity (4) can all be used to successfully manipulate users. One study found that the imposition of responsibility that appears to come from a higher authority is the biggest human driver, being 28% more effective than greed, which was thought to be the most successful manipulation technique (19). The authoritative approach is particularly effective in industries that are highly regulated or in companies that normally operate with a strict authoritative hierarchy (14).

Strangely, those who hold authority are the easiest group of people to phish, even though they should be immune to impositions of responsibility. Company executives can feel that security policies should not apply to them and are quick to complain when they feel that security policies are too restrictive. IT department personnel tend to make allowances for such requests by executives (20). In the same way, CIOs tend to be early adopters of new technology and will bring a new device into the office before it has been properly tested for security. This opens up unknown security holes that attackers can exploit by breaking into the device with a phishing email that contains code designed to take over certain devices. When the CIO uses his new device to read the email, attachment, or link, the device becomes compromised and can be used to send emails using the CIO's account or as a staging point for breaking into the secure network (20). This vulnerability shows the importance of having a security policy and the importance of following it, no matter who the member of the organization is, as well as showing how otherwise effective technology can be effortlessly subverted by the very people it is supposed to protect.

Effective Remedies

Since technology is not effective in and of itself, the solution to protecting an organization or enterprise is, in the words of the security consultant Jason Street, to "patch the human problem" (20). The focus on people being the solution to phishing is growing in the IT Security and Banking industries (13,14,21). There are two methods to employ: providing information to empower customers, and instigating a change in customers' behaviour.
The first step to 'patching the human problem' is to provide the basic information necessary to identify the hallmarks of a phishing email. Banks and other e-commerce vendors can set up regular newsletters, informational websites, and social networking venues to communicate security tips and warnings (22). Even simple Twitter messages of "Remember: we will never send you an email with a link to log on to your account" can be effective in raising the general awareness of the average user, which in mid-2011 is very low (22). As phishing techniques continue to evolve, a bank or vendor who already has a following of customers who listen to their tips will be able to inform those customers more quickly of the changing threat landscape. Another important consideration is to provide a standard and consistent channel of communication for recent security events and alerts of active threats. If consumers have a trusted source of information apart from emails, they can start to depend on it to verify suspicious-looking communications (23).

The second step in devising a more complete solution to phishing is to engage in active education designed to change the behaviour of the recipient. Knowing the theory behind phishing will only go so far unless the user has a chance to put that knowledge into practice in an instructive environment. This involves the bank or vendor actively trying to phish its own customers. If customers fall for the bait, they are directed to a safe landing page that outlines the error they made and how they could avoid falling for a similar trap in the future. This process continues while gradually increasing the complexity of the phishing types. Phishing one's own customers and employees has been shown to be a very successful approach, with one vendor seeing a reduction in users falling for the bait by 50-70% (13). PhishMe, a phishing training provider, shows that 58% of participants fall for the first phishing email in their program, but that number drops to around 5% by the fourth round of training emails. These numbers from PhishMe are significant, and this type of training is gaining the attention of government departments like the US Department of Energy (19).

To maintain the effectiveness of 'ethical phishing', training needs to be ongoing. Having the presence of mind to weigh the impact of random emails requires the constant vigilance of the user. That level of awareness needs to be supported by constant information and training opportunities, and that cannot be accomplished with a once-a-year program (19). Just as security technology and personnel are required to stay current, so must the recipients of phishing emails.

Conclusion

Phishing is easy to perform, simple in design, highly effective, and disastrously profitable. By focusing on tricking a person into taking action on behalf of an attacker, no complex technology is required to bypass the layers of defence erected to protect users. Phishing only works when a user takes action as a result of receiving a malicious email. Technology can be put in place to limit the number of phishing emails and to potentially limit the success of certain types of attacks, but ultimately, it is the user that is the crucial agent in the attack.

Setting up alternative and consistent channels of communication for security news, tips, and alerts can be an effective way to arm customers with relevant information without relying on emails. Testing their knowledge and instilling the skills to identify and avoid phishing emails is currently the most effective method of protecting users, but this solution requires that testing and training be ongoing in order to maintain effectiveness.

With a combination of up-to-date technology and continuous training and support, a phisher's success can be reduced significantly; indeed, without the implementation of these elements of protection, phishing will continue to be a substantial threat to all banks, e-commerce vendors, and service providers.
Appendix

This paper uses the very latest material available at the time of writing, pulling together the most recent news, reports, analyses, and responses from the IT Security community, as well as the most recent techniques discovered and advertised to be in use by criminal organizations. All available peer-reviewed research and academic studies were too old to be of use for this paper. As one banking IT Security expert said, "The cybercriminal of 2011 has long ago bypassed and surpassed the techniques of 2005" (10).

References

[1] Kitten, Tracy. (18 Jan 2011). "'Spear-Phishing,' Risky Behavior and Poor Protections To Blame". Bank Info Security. http://blogs.bankinfosecurity.com/posts.php?postID=855 (Accessed 21 June 2011)
[2] Skinner, Carrie-ann. (16 Jun 2010). "3.7 billion phishing emails were sent in the last 12 months". Network World. http://www.networkworld.com/news/2010/061610-37-billion-phishing-emails-were.html (Accessed 21 June 2011)
[3] Brewster, Tom. (23 Jul 2010). "Hackers give birth to phish that never dies". IT Pro. http://www.itpro.co.uk/625453/hackers-give-birth-to-phish-that-never-dies (Accessed 21 June 2011)
[4] Vasudevan, N. Thanuja, B M. (15 Aug 2010). "Cyber goons phish beyond financial transactions". Financial Chronicle. http://www.mydigitalfc.com/knowledge/cyber-goons-phish-beyond-financial-transactions-420 (Accessed 21 June 2011)
[5] Jackson, Jeromie. (17 Dec 2010). "Top 5 Social Engineering and Penetration Testing Tools". Credit Union Information Security Practitioner. http://itknowledgeexchange.techtarget.com/security-assessment/top-5-social-engineering-penetration-testing-tools/ (Accessed 21 June 2011)
[6] Goodchild, Joan. (11 Jan 2010). "Social Engineering: The Basics". CSO. http://www.csoonline.com/article/514063/social-engineering-the-basics (Accessed 21 June 2011)
[7] Kitten, Tracy. (22 Mar 2011). "Low-Tech Scam Uses Attachments to Fool Spam Filters". Bank Info Security. http://www.bankinfosecurity.com/articles.php?art_id=3455 (Accessed 21 June 2011)
[8] Rashid, Fahmida Y. (7 Apr 2011). "Chase Bank Phish Emails May Be First Post-Epsilon Scam". eWeek. http://www.eweek.com/c/a/Security/Chase-Bank-Phish-Emails-May-Be-First-PostEpsilon-Scam-851226/ (Accessed 21 June 2011)
[9] Zetter, Kim. (7 Jun 2011). "Bank Not Responsible for Letting Hackers Steal $300K From Customer". Wired. http://www.wired.com/threatlevel/2011/06/bank-ach-theft/ (Accessed 21 June 2011)
[10] Krebs, Brian. (8 Jun 2011). "Court: Passwords + Secret Questions = 'Reasonable' eBanking Security". KrebsOnSecurity.com. http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security/ (Accessed 21 June 2011)
[11] Vijayan, Jaikumar. (20 Apr 2011). "Phishing emerges as major corporate security threat". Network World. http://www.networkworld.com/news/2011/042011-phishing-emerges-as-major-corporate.html (Accessed 21 June 2011)
[12] Vijayan, Jaikumar. (9 May 2011). "Phishing Becomes More Sophisticated". Network World. http://www.networkworld.com/news/2011/050911-phishing-becomes-more.html (Accessed 21 June 2011)
[13] Musthaler, Linda. (12 May 2011). "Don't open that email! How to reduce the threat of phishing". Network World. http://www.networkworld.com/newsletters/techexec/2011/051311bestpractices.html (Accessed 21 June 2011)
[14] Helms, Karla Jo. (23 May 2011). "Cybercrime Statistics Expose Five Industries Most Susceptible to Phishing Attacks". PR Newswire. http://www.prnewswire.com/news-releases/cybercrime-statistics-expose-five-industries-most-susceptible-to-phishing-attacks-122436438.html (Accessed 21 June 2011)
[15] Leyden, John. (3 Dec 2010). "Half of phish marks respond to scams within one 'golden hour'". The Register. http://www.theregister.co.uk/2010/12/03/phishing_response_survey/ (Accessed 21 June 2011)
[16] Press Release. (3 Jun 2011). "Kaspersky Lab has been granted a patent for new anti-phishing technology". Kaspersky Lab. http://newsroom.kaspersky.eu/en/texts/detail/article/kaspersky-lab-has-been-granted-a-patent-for-new-anti-phishing-technology (Accessed 21 June 2011)
[17] Neale, Gavin. (9 Dec 2010). "Which Bank would you like with that Phish?". M86 Security Labs. http://labs.m86security.com/2010/12/which-bank-would-you-like-with-that-phish/ (Accessed 21 June 2011)
[18] Greene, Tim. (7 Apr 2011). "Phishing scams dupe the most active online users". Network World. http://www.networkworld.com/news/2011/040711-phishing-research.html (Accessed 21 June 2011)
[19] Jackson, William. (8 Jun 2011). "To defeat phishing, Energy learns to phish". Government Computer News. http://gcn.com/articles/2011/06/13/doe-phishing-test.aspx (Accessed 21 June 2011)
[20] Goodchild, Joan. (14 Jul 2010). "Why executives are the easiest social engineering targets". Network World. http://www.networkworld.com/news/2010/071410-why-executives-are-the-easiest.html (Accessed 21 June 2011)
[21] Cohen, Reuven. (15 Jan 2010). "GoogleHack Proves People are Easier to Hack then Networks". Cloud Computing Journal. http://cloudcomputing.sys-con.com/node/1248613/ (Accessed 21 June 2011)
[22] Field, Tom. (3 Jun 2011). "Fraud Prevention: The Examiner's View". Bank Info Security. http://www.bankinfosecurity.com/podcasts.php?podcastID=1151&rf=2011-06-03-eb (Accessed 21 June 2011)
[23] Unknown. (26 May 2011). "How banks use Twitter to combat fraud". Net Security. http://www.net-security.org/secworld.php?id=11078 (Accessed 21 June 2011)
[24] Gates, Chris. (16 Dec 2010). "Conducting a Phishing Campaign in Metasploit Pro". Attack Research. http://carnal0wnage.attackresearch.com/2010/12/conducting-phishing-campaign-in.html (Accessed 21 June 2011)
[25] Kennedy, David. (13 Sep 2010). "Social-Engineer Toolkit (SET)". Social-Engineer.org. http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)#Tabnabbing_Attack_Method (Accessed 21 June 2011)
[26] Piscitello, Dave. (3 Jun 2011). "APWG Web Vulnerabilities Survey: June 2011". Anti-Phishing Working Group. http://www.antiphishing.org/reports/apwg_web_vulberabilities_survey_june_2011.pdf (Accessed 21 June 2011)