A Structured Analysis of Phishing

By Prasath Manimaran

ID: 20038303

Table of Contents

Chapter One – Introduction
1. Research Questions and Objectives

Chapter Two – Literature Review & Definition of Phishing
2.1. Literature Review
2.1.2. Definitions of Phishing
2.1.3. Outcomes of this Study
2.2. Research Details
2.2.1. Scope of the Research
2.2.2. Research Methodology
2.2.3. Inductive versus Deductive Study
2.2.4. Qualitative versus Quantitative

Chapter Three – Phishing in a Banking Context
3.1. Confidence in Internet Banking
3.1.1. Security Requirements
3.2. Threat Models
3.2.1. The Internet Threat Model
3.2.2. Thompson Threat Model
3.2.3. Viral Threat Model
3.3. The Phishing Threat Model
3.3.1. Identification of Internet Banking Components
3.3.2. Identification of Phishing Threats

Chapter 4 – Analysis of Current Phishing Techniques
4.1. Modus Operandi
4.2. Roles of Adversary in Phishing
4.3. Phishing Supply Chain
4.4. Phishing Techniques
4.4.1. Techniques to Improve the Lure
4.4.2. Techniques to Improve the Hook
4.4.3. Techniques to Improve the Catch
4.5. Popular Variants of Phishing
4.5.1. Dragnet Phishing
4.5.2. Real Time Man in the Middle Phishing
4.5.3. Malware Based Phishing
4.6. Examination of the Chapter
4.7. Key Issues of the Chapter

Chapter 5 – Analysis of Current Phishing Defenses
5.1. Front End Security Systems
5.1.1. End System Security Products
5.1.1.1. Malware Scanners
5.1.1.2. Personal Firewalls
5.1.1.3. Authentication Mechanisms
5.1.1.4. SSL / TLS Functionality
5.1.1.5. Two Factor Customer Authentication
5.2. Back End Security Solutions
5.2.1. Transaction Anomaly Detection
5.2.2. Log Free Analysis
5.2.3. Take Downs
5.2.4. Take Down versus Prosecution
5.3. Evaluation of Current Defensive Strategy
5.4. Completeness of Antiphishing Controls
5.5. Defensibility against Current Attacks
5.5.1. Dragnet Phishing
5.5.2. Real Time Man in the Middle Phishing Attacks
5.5.3. Malware Based Phishing
5.6. Antiphishing Responsibility & Liability
5.7. The CANTINA Algorithm
5.8. Key Issues of this Chapter

Chapter 6 – Future Attack Vectors
6.1. Attack Vectors Analysis
6.1.1. The Lure
6.1.1.1. Spear Phishing
6.1.1.2. Vishing
6.1.1.3. Exploiting Other Communication Channels
6.1.2. The Hook
6.1.2.1. Semantic Attack
6.1.2.2. Man in the Browser Attack
6.2. Problems with Two Factor Authentication
6.3. Vulnerability of Two Channel Scheme
6.4. Man in the Browser Attack
6.5. Browser Helper Object
6.6. Man in the Mail Client Attack
6.7. Key Issues in the Chapter

Chapter 7 – An Enhanced Defensive Strategy
7.1. Conceptual Defensive Solutions
7.2. Relevant Observations
7.3. Elaboration of Current Defensive Concepts
7.3.1. Trusted Computing Base
7.3.2. End to End Security
7.3.3. Digital Signatures
7.3.4. Non Negligible User Interface
7.3.5. Summary of Our Defensive Strategy
7.4. How this matches our Internet Banking Requirements
7.5. Security Requirements
7.6. Discussion
7.7. Implementation Considerations
7.8. Transaction versus Confirmation
7.9. In a Two Channel Context
7.10. Reflections
7.11. Smart Card Reader Analysis
7.13. Key Issues in the Chapter

Chapter 8 – Conclusion & Recommendations

Bibliography

Chapter 1

Research Question and Objectives of the Report

Starting from the first reported AOL account robberies through fake log-in sites, phishing initially did not cause major financial losses. However, as the internet developed and became the major medium for financial service offerings, it also became subject to more evolved forms of phishing attacks. The most harmful effect of these attacks is the large monetary loss which victims suffer. As per Gartner Research, the annual financial loss on account of phishing to the US alone has been estimated at USD 3 billion. In addition to monetary losses, there are the dangers of identity theft, loss of trust in the internet, disclosure of classified information, etc.

Phishing has grown in technological sophistication, making such attacks even more difficult to detect. With time, phishing will only become more sophisticated as it adopts advanced technologies. The current antiphishing mechanisms, which successfully detect only 95% of all phishing attempts, will prove inadequate in the face of future variants.

The main purpose of this report is to examine the methodology of phishing, explore future forms of phishing and the possible defenses that can be adopted against them.

The fundamental research questions can be summed up as follows:

How can an understanding of the fundamentals of phishing result in successfully predicting future phishing methods and defenses against them?

This fundamental question can be answered by the four research questions:

a) The Methodology of Phishing

b) The Evolution of Future Phishing Attacks

c) Can existing antiphishing mechanisms successfully counter evolved phishing attacks?

d) Future Antiphishing Requirements.

Chapter 2

Literature Review & Definition of Phishing

2.1. Literature Review

Social engineering describes a non-technical kind of intrusion that cons people into revealing confidential information and performing actions without thinking of the consequences (Tipton and Henry, 2006).

Social engineering is successful because it does not entail much risk and works by preying on human vulnerabilities. These tricks enable the social engineer to conduct activities without raising suspicion (Peltier, 2006). Social engineering techniques include phishing, malware, vishing, hackers and email spam.

2.1.2. Phishing - Defined

Phishing has been defined as:

“An attack in which victims are lured by official emails to a fraudulent website that appears to be that of a legitimate service provider”

“A form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users' confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organization in an automatic fashion.”

“A form of internet scam in which the attackers try to trick consumers into divulging sensitive personal information. The techniques usually involve fraudulent E mail and web sites that impersonate both legitimate E Mail and Web Sites.”

Some of the definitions take a very narrow view of phishing (like Definition 1). Others refer to phishing in a larger context (Definitions 2 & 3). However, phishing scams are evolving, and hence can no longer be referred to in a limited sense. For any definition to remain satisfactory it will need to take future developments into account. There is too much subjectivity to introduce a universally accepted definition. Hence the need for a stipulative definition: one with a more encompassing view of phishing that allows for future evolution of the term.

What are the quintessential elements of a phishing attack? First, let us consider the spoofing aspect. In the above definitions this is expressed using terms such as mimic, trick and official-looking. We define spoofing, from the point of view of phishing, as a form of deceit that tricks a party into believing that he is involved in a genuine transaction with another legitimate party, while in fact a pernicious entity influences the transaction.

Again, all definitions basically deal with leakage of confidential information. However, only a few definitions mention that this information is actually stolen with the intention to commit fraud. Phishers do not act on data that is mistakenly leaked; they steal the data with premeditation.

Phishing is a process involving sending out a lure, devising a hook and using the stolen data with criminal intent. None of the aforementioned definitions take this into account. Only one of the given definitions mentions that phishing targets digital communications. In my opinion, this is an essential ingredient of a phishing attack: attacks on offline, real-world transactions are not considered phishing.

Hence we define Phishing as

Phishing is a method by which an opponent commits theft of secret and personal data by conning a person into believing him / her to be involved in an electronic transaction with a genuine organization and at the same time manipulating the transaction in a pernicious manner.

We would like to clarify the relation between the terms phishing and identity theft. Phishing is a process that can be modified to perform identity theft. However, it may be noted that the majority of identity theft crimes are committed in an offline context (i.e. not related to the internet) and are hence not related to phishing.

Most phishing countermeasures rely on algorithms to function. CANTINA is the latest algorithm used in antiphishing software. It examines the data content of the website to check for potential fraudulence. This is in contrast to other algorithms which merely check surface features of a website such as the URL or domain name. The success of CANTINA can be gauged from the fact that it detects at least 94% of all phishing sites. However, even this algorithm is not foolproof against phishing attempts. Hence its study exposes at once the technological successes of extant antiphishing measures while revealing their weak underbelly.

In this section, we briefly survey existing anti-phishing solutions and list out related works.

The easiest is to stop phishing at the e-mail stage (Hohenberger & Rivest, 2005), since most current phishing attacks use spam to lure victims to a phishing website (Miller & Garfinkel, 2006). Another way is to use security toolbars: the toolbar blocks the user's activity after detecting a known phishing site (Sharif, 2006).

Another method is to create visual differences between phishing sites and spoofed genuine sites using Dynamic Security Skins (Dhamija & Tygar, 2005). This involves the creation of a photographic image which is used as a trusted path between the user and the browser window to prevent spoofing of the window and of the text entry fields. The remote server then creates a unique image for each user and each transaction. This image creates a “covering or skin” that automatically customizes the browser window and the interface elements of a remote web page. The browser can then by itself configure the image that it expects to receive from the server. To authenticate content from the server, the user has to verify that the images match.

In contrast to other proposals, this scheme is very user friendly in terms of difficulty, memory and time. For authentication, the user has to recognize only one image and remember one easy password, for any number of servers he may encounter. Moreover, it is very difficult for a phisher to impersonate or spoof a security indicator which is unique to the user. The method depends on the user's ability to verify images. Hence, insofar as this method depends on "human skill" to distinguish between fraudulent and genuine websites, its effectiveness is only satisfactory.

Another approach is two-factor authentication, through which a user not only knows a unique passcode but also presents a security token (FDIC, 2004). However Phishing can still happen at sites on which two factor authentications are not supported.

Providing certification is another method, e.g., Microsoft spams privacy (Microsoft, 2004; Microsoft Corp., 2005; Olsen, 2004; Perez, 2003; Whole Security Web Caller, 2005). Herzberg & Gbara (2004) proposed merging the standard certificate procedure with a visual verification of the exact certificate: a site-dependent logo indicating that the certificate was valid would be displayed in a trusted credentials area of the browser.

Current antiphishing approaches suffer from poor scalability and timeliness. Phishing sites are cheap and easy to build and their average lifetime is only a few days. Thus we conclude that, though there are many methods to counter phishing, they are not completely successful. Hence the need to develop an effective antiphishing system.

The past decade has witnessed the rise of a new generation of phishing attacks. In 2006, the first attempt at phishing through cross-site scripting was carried out. Man in the Middle attacks, spear phishing and vishing are just some of these new forms.

Phishing has important implications for security in banks, due to its ability to affect the perception of service quality. Customers who have lost their identity due to phishing lose confidence, and therefore the service providers need to find solutions for protecting the user (Litan, 2004; Schneier, 2004).

Therefore, security is an important internet banking concept, and one of internet banking's quality factors. This report will postulate a concept of antiphishing which can effectively counter advanced phishing techniques.

2.1.3. Outcomes of this Study

a) This study will propose a comprehensive definition of phishing after duly studying extant definitions.

b) A thorough analysis of current antiphishing defenses, particularly those which relate to banks will be made.

c) The ‘Threat Model’ case study will throw light on the inadequacy of the current banking system to counter phishing.

d) The modus operandi of phishing attacks will be described leading to an understanding of the boundaries of phishing.

e) Evaluation of current antiphishing measures will lead to an understanding of the shortcomings of the system today.

f) The possible evolution of phishing attacks will lead to insights on where phishing is heading to.

g) To counter the gaps in current antiphishing systems, a remedy will be proposed that might make these systems more effective.

2.2. Research Tools and Techniques

2.2.1. Scope of the Research

This research will mainly examine phishing as it applies to financial services offered by banks on the internet. This is because banks are the institutions most commonly targeted by phishers.

2.2.2. Research Methodology

As a first stage of the research, a framework to identify and analyze phishing attacks is constructed. This framework will be based on information from the literature and on current phishing attacks as empirical evidence. Subsequently, the framework will be reviewed by phishing experts from the various parties involved in fighting phishing. Furthermore, based on the literature, empirical evidence and expert opinions, an overview of the phishing phenomenon will be given. The framework and this context overview together form a guideline for an analysis of current countermeasures. As practical support for this theoretical risk analysis, a practical exploration of state-of-the-art phishing attacks and defenses will be done.

In order to arrive at a fundamental definition of phishing, a literature review was conducted in which the findings of several researchers and academics were examined to provide as fundamental a definition of phishing as can be arrived at. Once this definition was established, an examination of the various aspects of phishing was conducted. Empirical evidence from actual phishing attacks was analyzed to arrive at the manifestations of phishing as it currently exists. An analysis of why customers succumb so easily to phishing attacks will be derived through a focus group consisting of a mix of consumers. They will be subject to simulations of real-time situations, role plays, presentations and examination of real-time scenarios.

The methodology for the above will take the form of an online questionnaire given to a select audience who have all at some time been subject to phishing attacks. Considering the shift in communication preference facilitated by the advent of the internet, and the fact that an online survey can be completed at an individual's convenience, it was envisaged that this method would appeal to end users and positively affect the quantity of research data.

Furthermore this method was selected as respondents are more prone to give more honest answers to sensitive questions than an interview or paper based research due to the affordance of anonymity provided by online based surveys.

The online survey will contain 20 questions grouped into the following four sections: user demographics, usage of computer and online services, general security awareness and scenario study on phishing.

The user demographics section will gather demographic details about the respondents including gender, age, country of origin, current country of residence, educational background, area of study and area of experience. Additionally, this section will determine the percentage of respondents who had undergone training in computer security. The second section, “usage of computer and online services”, aims to establish that all the respondents indeed use ebanking and email services. Furthermore, the purpose was to gather details based on the duration the respondents had used ebanking services. The third section, “general security awareness”, will determine the knowledge and attitude of the respondents in relation to security practices and their ability to recognize security concerns. In addition the scenario study will include website certificates, which will ask the respondents if they have ever checked for the certificate of a website.

From this survey, I envisage gathering information about phishing from the victims' point of view: how they were targeted, whether they recognized the phishing mail, how they were defrauded and what lessons they learnt.

The future scenario of phishing will be explored from the point of view of the phishers themselves. For this a hypothesis of possible future attack strategies will be made. A risk analysis of whether current antiphishing measures can successfully combat these attempts will be examined. The possible state of the art defenses that can be developed will be identified by an examination of current technology available and a prediction as to how they can possibly evolve.

2.2.3. Inductive versus Deductive

This study will be primarily inductive in nature. This is because our arguments will be based on actual experiments and observations and not solely on theory. The research questions will be answered by moving from the specific to the general which is the essence of an inductive study. However inasmuch as we assume certain hypotheses to support our definitions of phishing, this study will also be deductive in nature.

2.2.4. Qualitative versus Quantitative

This study will be mostly qualitative in nature. This is because it will focus on direct in-depth interviews, questionnaires and reviews. It will use an inductive process to formulate theories. It examines the problems of phishing from the point of view of those subject to it and is text based.

Chapter 3

Phishing in a Banking Context

3.1. Confidence in Internet Banking Security

The safety of internet banking security has always been subject for debate.

One third of internet users who do not use internet banking consider security issues a barrier for using internet banking services. Customers who do use internet banking services judge the security of these services only barely satisfactory. Thus public reputation of internet banking is a major issue for most banks.

3.1.1. Security Requirements

The seven main issues that security controls in an electronic banking environment should deal with are:

➢ No Intrusion
➢ Authentication
➢ Freshness
➢ Non Repudiation
➢ Integrity
➢ Confidentiality
➢ Accountability

a. No Intrusion

An attacker cannot inject information in a legitimate internet banking session. If an attacker wants to impersonate a customer he has to do so at the beginning of a session.

b. Authenticity.

Authenticity in internet banking can be divided into two requirements:

- Server authentication. The banking application must prove its identity to the customer at the start of a session.

- Customer authentication. The customer must prove his identity to the banking systems at the start of a session.

c. Freshness.

All information exchanged during an internet banking session must be valid exclusively during that session. Consequently captured credential or transaction information cannot be replayed outside a session.

d. Non-repudiation.

The customer and the bank must be able to verify that the sender and receiver of information exchanged in an internet banking session are indeed the parties who claimed to have received or sent the information. This establishes a verifiable binding between this information and the identity of the sender or receiver.

e. Integrity

All information exchanged between bank and customer must arrive at the receiver's side as intended by the sender. Consequently, an attacker cannot modify information that is exchanged in an internet banking session.

f. Confidentiality

All information that is exchanged in an internet banking session must be exclusively available to the customer and the banking systems.

g. Accountability

The bank must be able to trace utilization of internet banking functionality to a unique customer.
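The No Intrusion, Freshness and Integrity requirements above are abstract; the following added example (not code from this report) makes them concrete with a challenge-response scheme between a customer's security calculator and the bank's back-end. A per-session random challenge gives freshness (a captured response cannot be replayed outside its session), and computing the MAC over the challenge together with the transaction text gives integrity (a transaction altered in transit no longer verifies). The key provisioning, the 8-hex-digit response format and the `Bank`/`compute_response` names are assumptions made for the demonstration.

```python
# Added illustration (not code from the report): a challenge-response scheme
# showing how the Freshness, Integrity and No Intrusion requirements can be
# enforced between a customer's security calculator and the bank back-end.
# The key provisioning, the 8-hex-digit response format and the Bank /
# calculator roles are assumptions made for this demonstration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def compute_response(key: bytes, challenge: bytes, transaction: str) -> str:
    """What the customer's security calculator computes: a MAC over the session
    challenge AND the transaction text, so the response proves possession of the
    key and is bound to exactly this payee/amount (integrity)."""
    msg = challenge + b"|" + transaction.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


@dataclass
class Bank:
    """Toy bank back-end: knows each customer's calculator key (assumed to be
    provisioned out of band) and remembers which challenges were already used."""
    keys: dict
    used_challenges: set = field(default_factory=set)

    def open_session(self) -> bytes:
        # A fresh random challenge per session: a response is only meaningful
        # inside the session it was computed for (freshness).
        return secrets.token_bytes(16)

    def authorize(self, customer_id: str, challenge: bytes,
                  transaction: str, response: str) -> bool:
        if challenge in self.used_challenges:
            return False                     # replay of a captured session
        key = self.keys.get(customer_id)
        if key is None:
            return False                     # unknown customer
        expected = compute_response(key, challenge, transaction)
        if not hmac.compare_digest(expected, response):
            return False                     # wrong key, or transaction altered in transit
        self.used_challenges.add(challenge)  # consume the challenge
        return True


def run_scenario() -> dict:
    """Exercise the three requirements with constructed sample data."""
    key = b"constructed-demo-key-not-a-real-secret"
    bank = Bank(keys={"customer-1": key})
    tx = "transfer 100.00 to account EX-123"   # constructed transaction text

    # 1. Genuine session: the customer computes the response for this challenge.
    c1 = bank.open_session()
    r1 = compute_response(key, c1, tx)
    genuine = bank.authorize("customer-1", c1, tx, r1)

    # 2. Freshness: the same challenge/response captured and presented again.
    replay = bank.authorize("customer-1", c1, tx, r1)

    # 3. Integrity / no intrusion: a new session in which the transaction text
    #    is changed after the customer computed the response.
    c2 = bank.open_session()
    r2 = compute_response(key, c2, tx)
    altered = tx.replace("100.00", "9000.00")
    tampered = bank.authorize("customer-1", c2, altered, r2)

    return {"genuine": genuine, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    print(run_scenario())   # expected: genuine True, replay False, tampered False
```

Note that a code computed over the challenge alone would satisfy freshness but not integrity: an attacker sitting in the channel could forward the genuine code with a modified transaction. Binding the transaction text into the MAC is what closes that gap, which is why the report's later chapters distinguish authenticating a session from confirming a transaction.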

3.2. Threat Modeling

A threat model is a description of the security aspects of a system; in this report the system to be examined is an internet banking application. A good threat model is one which only includes realistic attacks and which thereby indicates which types of attacks to prevent. A phishing threat model is essential in order to understand the vulnerabilities that bring forth phishing attacks.

3.2.1. The Internet Threat Model

The Internet Threat Model was described by Eric Rescorla. It assumes that "designers of Internet security protocols typically share a more or less common threat model. The actual end systems that the protocol is being executed on are secure". This assumption is supported by his statement that "users can expect that their own machines have not been compromised". He assumes that the attacker has more or less complete control of the communications channel between any two machines: "He can certainly inject packets into the network with arbitrary address information, both for the sender and the receiver, and can read any packet that is on the network and remove any packet he chooses".

It is questionable whether these assumptions are realistic with respect to phishing. Employees of Internet Service Providers or various government authorities have complete control over the means of communication. Furthermore, routers and switches suffer from numerous vulnerabilities that can be exploited by malicious hackers. The other assumption, on the security of end systems, can be considered incorrect given that home users' computers are the target of vast amounts of viruses, drive-by exploits and other online dangers. The emergence of botnets that control large numbers of computers shows that end systems cannot be considered secure.

3.2.2. Thompson threat model

This threat model is named after Ken Thompson, who showed that one cannot trust any software or bootstrap code that runs on the user's hardware. He demonstrated this by implementing a compiler that inserts a Trojan horse. The basis of this model is Thompson's observation that source code verification will not protect one from malicious code. Thompson's model has very impractical consequences when applied to phishing: implementing the total software stack from scratch for every security-demanding application is infeasible, and the cost of such a solution would outweigh the damage done by phishing attacks.

3.2.3. Viral threat model

The Viral threat model acknowledges that malware is able to penetrate a user's computer and gain control over it. Consequently, the malware is able to control other software that is running on the computer. However, the main difference from the Thompson threat model is that the Viral threat model assumes the presence of trusted software.

3.3. The phishing threat model

None of the previously described threat models can be applied perfectly to model phishing in an internet banking context. Therefore, we will derive our own phishing threat model in which the lessons learned from the previously analyzed threat models are merged.

3.3.1. Identification of Internet Banking Components

The components that play a role in an internet banking system are:

a. Processors – computing units that run processes (e.g. personal computers).

b. Communication Channels – media over which data can be exchanged between processors (e.g. the internet).

c. Actors – human beings who operate processors (e.g. customers).

Using these components we model an internet banking system below:

The customer (actor) operates a personal computer (processor) which communicates with the webserver of the bank (processor) over the internet (communication channel). The webserver communicates with the back-end systems of the bank (processor) over a Wide Area Network (communication channel).

Both the webserver and the back-end systems are operated by bank personnel (actor). For authentication purposes either a two-factor or a two-channel scheme may be used. In the case of a two-factor scheme a security calculator (processor) is used. In the case of a two-channel scheme the customer operates a mobile phone (processor) which communicates with the bank's back-end over the GSM network (communication channel).

3.3.2. Identification of phishing threats

We now analyze the threats that the components in our model might face. We use the STRIDE methodology for this. The general idea behind this methodology is that one can group threats into categories according to the STRIDE acronym:

➢ Spoofing
➢ Tampering
➢ Repudiation
➢ Information disclosure
➢ Denial of service
➢ Elevation of privilege

For our purposes we will consider only Spoofing, Tampering and Information Disclosure as relevant to processors, communication channels and actors. The following table maps each STRIDE threat to the security requirement it breaks:

|Threat |Breaks Security Requirement |
|Spoofing |Authenticity |
|Tampering |Integrity, No Intrusion |
|Repudiation |Non-Repudiation |
|Information Disclosure |Confidentiality |
|Denial of Service | |
|Elevation of Privilege | |

Accordingly, the following table summarizes the possible threats on the components in an internet banking application that may be relevant to phishing:

|Component |Spoofing |Tampering |Information Disclosure |
|Customer |- |X |X |
|Mobile Phone |- |X |X |
|PC |- |X |X |
|Security Calculator |- |X |X |
|GSM Network |X |X |X |
|Internet |X |X |X |

Chapter 4

Analysis of Current Phishing Techniques

1. Modus Operandi

All phishing variants share three core elements: the lure, the hook and the catch.

a. The lure

Step 1. Deliver payload

The attacker contacts his victims and delivers a payload via an email message or a telephone call.

Step 2. Direct to spoof

The payload delivered in Step 1 directs the victim to the hook. The payload appears to come from the targeted institution and uses a convincing story that lures the victim to a spoof of this institution.

b. The hook

Step 3. Prompt for confidential information

Once the victim has navigated to the hook he is presented with an interface that has the same look and feel as the targeted institution. The deceived party is then asked to enter confidential information. Popular information to request includes usernames, passwords, credit card numbers, social security numbers, etc.

Step 4. Leak confidential information

The victim enters confidential information since he feels comfortable with this familiar-looking environment.

Step 5. Collect stolen information

The stolen information is transferred to the attacker.

c. The catch

Step 6. Impersonate victim

Eventually the attacker contacts a genuine institution. Presenting the stolen information, he can impersonate the victim.

Step 7. Achieve pay-out

Since the attacker is able to impersonate the victim, the criminal can exploit all services the victim has access to.

Figure: Representation of a Phishing Attack (image not reproduced here)

4.2. Roles of an Adversary in a Phishing Attack

Disseminators are responsible for delivering the payload to the victims. Malicious hackers can evade filters and anti-virus tools that attempt to block the payload propagation.

Collectors are responsible for gathering the confidential information that is leaked by victims. Malicious web developers can create imperceptible forgeries of institutions' front-ends.

Cashers are responsible for the exploitation of stolen information. In order to do so, they contact legitimate institutions and impersonate a victim by presenting stolen information. Thereupon, an account or service the victim has access to is abused for the gain of the casher. Cashers use anonymity-enhancing techniques such as proxies. They are less technically oriented than disseminators or collectors.

Mules are low-level couriers in phishing. They transfer money received on their own account to another account controlled by the attacker for a small fee. They obfuscate the money flow, making it difficult for targeted institutions to trace the actual attackers and to reclaim the losses.

4.3. Why People Get Duped

This section examines why seemingly net-savvy people get duped so easily.

4.3.1. Methodology

The methodology used in the experiment is mainly deductive in nature, i.e. findings from the experiment conducted on different persons were analyzed and conclusions arrived at. A single focus group with the following characteristics was chosen for the experiment:

a) 22 people fairly familiar with internet usage were selected.

b) 45% were male and 55% were female.

c) Ages ranged from 18 to 56 years.

d) The participant mix was eclectic, ranging from students to professors and from technically savvy people to non-technical people.

e) 50% of them used Internet Explorer as their primary web browser, while the others used browsers such as Mozilla Firefox or Apple Safari.

f) Computer use among the participants ranged from 10 to 135 hours per week; 18 of them regularly used the internet for online banking and other financial services, and 20 of them regularly used it for online shopping.

The participants were subjected to several research tools to determine how proficient they were at detecting phishing sites. These tools included:

a) Simulations of real time situations

b) Role Plays

c) Presentation of Scenarios

d) Questionnaires

e) Open Ended Questions

The participants were presented with a series of websites, some of which were legitimate and others phishing sites, and were told to use them.

2. Findings:

a) Lack of knowledge

People do not know how applications, email and the Web work and cannot distinguish among them. They do not understand the syntax of domain names and hence cannot separate legitimate from fraudulent URLs.

b) Lack of knowledge of security indicators

The indicators of a secure website, and their placement within a site, are not familiar to users. They do not understand the verification processes that determine authenticity or the information contained in these verification messages. Sometimes the absence of security indicators also goes unnoticed.

c) Limited knowledge of phishing

Most people have not heard of the term "phishing" and have no awareness that websites can be compromised.

d) Erroneous security knowledge

Some users have misconceptions about which website features indicate security.

e) Little attention paid to URLs

Most users do not notice strange-looking URLs. Most do not consider them to be suspicious.

f) Deception through graphics

Users assume that if websites contain attractive images and animations, they are legitimate.

g) Visual deception

Users do not pay attention to subtly misspelt URLs or syntax. Images of legitimate hyperlinks can be directed to a phishing site.

4.4. Phishing techniques

- Spam filter evasion. Internet Service Providers, corporations and home users apply email filtering technology to prevent unsolicited email messages from arriving in users' inboxes. These filters successfully filter out more than 95% of all undesirable messages [36].

Phishers can get around these filters by embedding their message in a picture, which prevents filters from analyzing the text of the message. Another method includes text in the message that has the same color as the message's background. Consequently, a filter will take this text into account upon examination of the email and may be fooled by it. An average user will not spot this invisible text.

- Bot-nets. A bot-net is a network of PCs that are infected with Trojan horse software. The keeper of the network has control over all contaminated nodes without the knowledge of their legitimate users. A bot-net is an ideal platform to dispatch a large number of messages since it provides a distributed message propagation system.

- Drive-by installation. Malware can be installed using a technique called drive-by installation. In drive-by installations, compromised websites or online advertising spaces are used to publish malicious HTML code. When a customer browses such a site, malware is automatically installed on his computer.

- Email spoofing. The Extended Simple Mail Transfer Protocol is the standard for email transmission across the internet. This protocol has no facility for the authentication of senders. Consequently, the originator address of a message can easily be spoofed. Thus email spoofing is a common technique used by disseminators to make a message appear to come from a genuine institution.

- Personalization. By obtaining information about a victim such as full name, date of birth, type of job etc., the lure can be personalized. Using this information an attacker can make the lure look more reliable and authentic. Personal information is increasingly available on the World Wide Web since the birth of community websites such as LinkedIn, Facebook and MySpace.

- URL hiding. Here the HTML payload contains a hyperlink that appears to lead to a legitimate website, but when clicked the browser navigates to a site controlled by the attacker. A basic trick is to supply an anchor tag with a deceptive link description.

- Social engineering. Here a convincing reason is given to persuade a user to follow the path to the hook. For example, the victim is sent an email that describes a transaction initiated from his account that he did not make. The user clicks the link included in the message, which promises the possibility to cancel the transaction. Subsequently, he is taken to the hook where he is prompted to enter his credentials.

- Resembling URLs. Attackers host their spoofs at hostnames that resemble those of the targeted institution. For example, attackers may use a domain name such as postbank-secure.com to mimic a legitimate Postbank domain.

- Browser spoofing. Technologies such as client-side scripting (e.g. JavaScript), HTML and Cascading Style Sheets are powerful tools to mimic the user interface and behavior of a web browser. These technologies are capable of concealing or spoofing security indicators like the SSL padlock.

- Privacy-enhancing technologies allow for anonymous use of internet services. They serve the needs of honest internet users who, for example, are oppressed by a dictatorship. However, privacy-enhancing technologies can also support malicious activities. Cashers make use of technologies such as Tor [39] and anonymous proxies to cover their tracks when logging into WWW services using stolen credentials.

- Money laundering. A popular method of achieving a pay-out is to exploit credit card information to purchase valuable goods and sell these on the black market. Internet banking credentials are used to create a tangle of payments after which the money is transferred to a foreign account.
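As an added example (not code from the original essay), the following Python check illustrates the defensive side of the URL-hiding and resembling-URL techniques above: it parses the anchor tags of a constructed lure, compares the hostname named in the visible link text with the hostname in the href, and flags hostnames that merely contain the bank's brand name. The HTML body and the reference domain postbank.nl are assumptions made for the example; postbank-secure.com is the look-alike named in the text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure body: one honest link, one URL-hiding link (visible text
# names the bank, href goes to a bare IP) and one link to a look-alike domain.
SAMPLE_HTML = """
<p>Please verify your account:</p>
<a href="https://www.postbank.nl/login">https://www.postbank.nl/login</a>
<a href="http://198.51.100.7/pb/">https://www.postbank.nl/secure</a>
<a href="https://postbank-secure.com/login">Log in to Postbank</a>
"""

# Assumption for the example: the institution's own registrable domain(s) and brand.
LEGITIMATE_DOMAINS = {"postbank.nl"}
BRAND = "postbank"


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; sufficient for the .nl/.com cases in this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return the reasons a link looks deceptive (an empty list means it looks fine)."""
    reasons = []
    href_host = urlparse(href).hostname or ""
    if href_host and registrable_domain(href_host) in LEGITIMATE_DOMAINS:
        return reasons
    # URL hiding: the visible text is itself a URL or hostname that differs from the href.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(href_host):
        reasons.append("visible text names %s but href goes to %s" % (m.group(1), href_host))
    # Resembling URL: the brand appears inside a hostname that is not the bank's own.
    if BRAND in href_host and registrable_domain(href_host) not in LEGITIMATE_DOMAINS:
        reasons.append("look-alike hostname %s contains the brand name" % href_host)
    # Bare IP destinations are unusual for a bank and common for hooks.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
        reasons.append("href points at a bare IP address %s" % href_host)
    return reasons


def scan_html(html):
    """Return {href: [reasons]} for every link in the HTML that is flagged."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = {}
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_HTML).items():
        print(href, "->", "; ".join(reasons))
```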

4.5. Popular variants of phishing

4.5.1. Dragnet Phishing

Here the lure consists of mass-mailing to thousands of potential victims. Their email addresses are bought from criminals who run web spiders to harvest email addresses from the World Wide Web. Consequently, the receivers of the email might not have an account at the target institution. The mailing is done with the use of a botnet. The hook of dragnet phishing consists of an imitation of the website of a legitimate institution which closely resembles the look and feel of the authentic site. The spoof prompts the victim to enter confidential information, which is subsequently sent to the attacker.

4.5.2. Real-time man-in-the-middle phishing

In real-time man-in-the-middle phishing a spoofed website that mimics the attacked internet bank is employed. This spoof can communicate in real time with the genuine internet banking website. Thus, the spoof can present the true look and feel of the online internet banking application.

4.5.3. Malware-based phishing

Malware-based attacks do not use spoofed websites to steal confidential information; instead they use malicious pieces of software that are installed on the customer's end-systems (e.g. personal computers).

Chapter 5

Analysis of Current Phishing Defenses

All antiphishing defences can be categorized into front-end and back-end security solutions.

5.1. Front End Security Solutions involve customers directly. End-system security products and authentication mechanisms are most popular.

5.1.1. End-system security products enhance the software security of the personal computer. Installation, usage and maintenance are the responsibility of the customer. They include malware scanners and personal firewalls.

5.1.1.1. Malware Scanners endeavor to keep malicious software off end-systems. They create a secure environment in which the software required to make use of internet banking services (e.g. web browsers) can operate. Consequently, any information entered by the user can be submitted unimpaired by the software on the personal computer.

Malware scanners are extensively used: 91% of all internet users have a virus scanner installed [43]. Thus phishers have to evade these scanners. Unfortunately, malware scanners have major weaknesses.

The cause of these issues is the manner in which malware scanners detect maliciousness. The majority of virus scanners apply fingerprinting techniques in order to detect malware. This technique involves scanning the binary code for known malicious patterns. The major benefit of this technique is that it is accurate and hence only yields a small number of false positives.

However, this method also has deficiencies. As a consequence of this strategy virus scanners have slow response times against phishing attacks that incorporate malware.

First of all, a piece of malware has to be detected in the wild. Subsequently, a signature to detect the malware has to be developed. Then a batch of signatures has to be collected to release an update. Finally, an instance of the scanner will probably look for an update no more often than daily. Altogether, this detection process may take several days or even weeks.

Since the detection process for a new piece of malware takes several days to weeks, the malware developers have a substantial amount of time available to morph their malware and thus reset the detection process. Thus the anti-virus industry lags behind the attackers. Malware scanners are also not user-friendly. Installation, maintenance and correct interpretation of scan results from these products require computer skills that go beyond those of non-technical computer users.

Malware scanners are costly. Norton Antivirus 2008 costs over 50 euros for a one-year license. All in all, malware scanners are not a fully satisfactory means of protecting against phishing attacks.

5.1.1.2. Personal Firewalls work by monitoring network traffic. In phishing, captured information is transmitted over the internet to the phisher. Personal firewalls prevent or complicate this transmission. Popular firewall products are ZoneAlarm and Microsoft Windows Firewall.

78% of all internet users in Europe and the US claim to have a firewall product installed. This imposes serious restrictions on the capabilities of malware. Malware processes that transmit stolen credentials have a high probability of being blocked. This requires phishers to invent firewall-evading tricks, which enlarges their required investment.

Commercial firewall products cost about $50. Installation and maintenance efforts are similar to those of virus scanners. However, personal firewall products require extensive configuration abilities, which can confuse non-technical users.

5.1.2. Authentication mechanisms

Authentication mechanisms are grouped into server authentication mechanisms and customer authentication mechanisms.

The former are in place to prove the identity of the internet banking website to the customer. These are valuable in fighting the hook of a phishing attack. SSL/TLS (Secure Sockets Layer / Transport Layer Security) is by far the most popular mechanism for server authentication. Customer authentication mechanisms validate the identity of the customer when he performs internet banking operations.

5.1.2.1. SSL / TLS functionality

These protocols provide a secure connection between the customer's browser and the webserver of the internet banking service.

Confidentiality of the connection is ensured by using symmetric encryption for which a session key is negotiated. The integrity of the connection is established by a message integrity check that assures that information passing over the connection has not been altered in transit. SSL/TLS supports verification of the identities of both ends of the connection by cryptographic signatures. Certificates issued by a trusted third party such as VeriSign or GeoTrust are supported to ensure the validity of these signatures.

Accordingly, it is up to the user to verify the security indicators in the web browser in order to be assured that a SSL/TLS-secured connection to a legitimate banking website has indeed been set up. Verification of these security indicators comprises two steps: (1) verifying the validity of the URL and (2) checking the presence of the SSL padlock icon in the browser chrome.

5.1.2.1.1. The weaknesses of password authentication

Many internet banking services still rely on a trivial password protection. Here in order for customer Amy (A) to establish an internet banking session with the bank (B) she supplies her identity and her password P:

(1) A → B: A, P

However, this scheme is vulnerable to a phishing attack. A phisher Eva (E) could lure Amy to a spoofed website that mimics that of B and perform a Man-in-the-Middle attack. When Amy leaks her password to the spoof, Eva could replay Amy’s credentials and initiate an internet banking session by impersonating Amy:

(1) A → E: A, P
(2) E → B: A, P

Banks target this problem in two ways. The authenticity problem in the hook is counteracted by the deployment of SSL/TLS. The impersonation act in the catch is targeted by the deployment of a customer authentication scheme.

Almost all banks incorporate a two-factor authentication mechanism to authenticate their customers.

5.1.2.1.2. Weaknesses of SSL/TLS implementation

Unfortunately, these security indicators tend to malfunction, and users tend to ignore them. Well-constructed phishing websites fool 90% of the participants. The main cause is the ease of visual deception. Common web browser technologies such as DHTML and AJAX allow malicious web developers to create sophisticated spoofs.

Most of the participants in the survey conducted could not correctly explain the meaning of the web browser's SSL padlock & SSL certificates. Users did not understand which parts of the browser are controlled by the visited website and which are not.

They were fooled by a SSL padlock placed in the contents of a website. Customers lack knowledge of the domain name system, which complicates the verification of the URL of the internet banking service. Phishers actively exploit this by registering top-level domain names that mimic authenticity.

Many banks host websites at various domains (e.g. secure-bank.nl). An example is http://accountonline.com, which is a Citibank domain. This confuses customers, and phishers actively exploit this aspect.

Implementation issues limit the functionality of the SSL/TLS system. Security Space surveys show that the majority of SSL/TLS certificates are self-signed, expired, etc. In November 2007, 68% of all certificates encountered were invalid [50]. Consequently, the large number of invalid certificates encourages users to develop a habit of ignoring warning messages related to SSL certificates. This has conditioned users to click away error messages.

Many banks provide logos that promise verified security.

Examples of such logos are depicted below:

[pic]

These logos are easily mimicked, giving a false perception of security and increasing the confusion that surrounds valid security indicators.

5.1.2.2. Two-factor customer authentication

Authentication can be based upon any of the following factors:

➢ What you know. Authentication based on Passwords.

➢ What you have. Authentication based on the possession of a token.

➢ Who you are. Authentication based on Fingerprints.

➢ Where you are. Authentication based on IP address information.

An authentication scheme that is based on a combination of these factors is called multifactor authentication. In an internet banking context a combination of the two factors of What you know (PIN code) and What you have (banking card) is generally used.

In such a scheme all internet banking customers own a small and portable computing device called a security calculator such as VASCO. These calculators assist the authentication process and the integrity of important actions during an internet banking session.

The security operations of these calculators are based on a shared secret between the bank and the security calculator. Derivation of this shared secret is based upon the insertion of the smart card (in which the secret is stored) and the entry of the correct PIN code.

The security calculator is responsible for achieving two goals:

_ Establish a verifiable binding between the identity of the customer and the logon action at the beginning of an internet banking session.

_ Establish a verifiable binding between the identity of the customer and the initiation of a transaction.

Let us consider the logon procedure using the two-factor authentication scheme.

5.1.2.2.1. Session authentication in a two-factor context

Firstly, the customer enters the address of the internet banking service in his web browser. The web browser contacts the web server of the internet banking service and requests the login page, which is subsequently transferred to the web browser and displayed to the user. Next, the user inserts his check card into the security calculator and enters his Personal Identification Number (PIN) code. The security calculator now computes a one time password (OTP) which is displayed to the user.

After that, the user enters the OTP in the web browser, which transmits it to the bank's web server. The validity of the OTP is checked at the bank's site. In the case of a correct OTP the user is granted access to the internet banking application. The following figure graphically depicts this procedure in a message sequence chart.

[pic]

5.1.2.2.2. Transaction authentication in a two-factor context

Once granted access to the internet banking application the customer initiates a transaction by entering the details of the transaction in the browser. Subsequently, the web browser sends this information to the server at the bank which computes a challenge code using this information.

This challenge code is delivered to the web browser, which then displays it to the user. The user enters his PIN code and the challenge code into the security calculator, which computes a response code. The customer enters the response code in the web browser so it can be transferred to the bank's server. The response code is checked for correctness and, if the code is valid, a confirmation that the instructions for the transaction successfully arrived at the bank's computer systems is sent. This procedure is presented as a Message Sequence Chart:
[pic]
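The two-factor logon and transaction procedures just described, simulated in Python as an added example (not code from the essay or from any vendor's security calculator). The shared secret, PIN and transactions are constructed; an HMAC over a logon counter stands in for the calculator's OTP, and the bank's challenge is a hash of the transaction details it received.

```python
import hashlib
import hmac

# Constructed shared secret: in the essay's scheme it lives on the smart card and is
# unlocked inside the security calculator by the PIN (assumption for this example).
SHARED_SECRET = b"example-card-secret-0001"
PIN = "1234"


def _mac(*parts):
    """Keyed MAC over labelled fields; both calculator and bank can compute it."""
    return hmac.new(SHARED_SECRET, b"|".join(parts), hashlib.sha256).hexdigest()


def calculator_otp(pin, counter):
    """Session authentication: OTP for logon, bound to a per-logon event counter."""
    if pin != PIN:
        return None  # wrong PIN: the calculator produces nothing
    return _mac(b"logon", str(counter).encode())[:8]


def bank_challenge(transaction):
    """The bank derives the challenge code from the transaction details it received."""
    canonical = "%s:%s:%s" % (transaction["to"], transaction["amount"], transaction["ref"])
    return hashlib.sha256(canonical.encode()).hexdigest()[:8]


def calculator_response(pin, challenge):
    """Transaction authentication: response code computed from PIN and challenge."""
    if pin != PIN:
        return None
    return _mac(b"txn", challenge.encode())[:8]


class Bank:
    """Bank-side verifier holding the same shared secret and the expected logon counter."""

    def __init__(self):
        self.expected_counter = 0

    def verify_logon(self, otp):
        # Only the OTP for the next counter value is accepted, so a captured OTP
        # replayed by a phisher fails once the genuine logon has used it.
        expected = calculator_otp(PIN, self.expected_counter)
        if otp is not None and hmac.compare_digest(otp, expected):
            self.expected_counter += 1
            return True
        return False

    def verify_transaction(self, transaction, response):
        expected = calculator_response(PIN, bank_challenge(transaction))
        return response is not None and hmac.compare_digest(response, expected)


def demo():
    """Run the logon and transaction flows and return the verifier's decisions."""
    bank = Bank()
    otp = calculator_otp(PIN, 0)
    logon_ok = bank.verify_logon(otp)
    replay_ok = bank.verify_logon(otp)  # same OTP presented a second time
    txn_a = {"to": "NL01BANK0123456789", "amount": "25.00", "ref": "rent"}
    txn_b = {"to": "NL99MULE0000000001", "amount": "2500.00", "ref": "rent"}
    resp_a = calculator_response(PIN, bank_challenge(txn_a))
    return {
        "logon": logon_ok,
        "otp_replay": replay_ok,
        "txn_a": bank.verify_transaction(txn_a, resp_a),
        # A response captured for txn_a does not authorise a different transaction:
        "txn_b_with_resp_a": bank.verify_transaction(txn_b, resp_a),
    }


if __name__ == "__main__":
    print(demo())
```

Because the challenge is derived from the transaction as the bank received it, the response is bound to that transaction but gives the customer no way to confirm what the bank actually received; that gap is the what-you-see-is-what-you-sign point taken up in Chapter 7.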

5.1.2.2.3. Two-channel customer authentication

An alternative to two-factor authentication is a two-channel authentication scheme. Here a trusted non-internet channel is used to establish authentication requirements.

In the two-channel scheme of the bank the trusted channel is only used to establish a verifiable binding between the identity of the customer and the initiation of a transaction. For the establishment of a verifiable binding between the identity of the customer and the logon action at the beginning of an internet banking session a trivial password-based authentication scheme is used.

5.1.2.2.4. Session authentication in a two-channel context

As just discussed, the bank postulated above does not use a trusted channel for logging in: The logon procedure relies on a traditional username-password based authentication scheme over a SSL encrypted internet connection. The logon procedure is presented as a Message Sequence Chart

[pic]
5.1.2.2.5. Transaction authentication in a two-channel context

For initiating transactions via internet banking the bank employs an authentication system that incorporates Transaction Authentication Numbers (TAN) which serve as one-time passwords that are required to verify that the customer did actually initiate the transaction. These codes are issued to the customer using a trusted channel: either using postal service or delivered using SMS text messaging.

The Message Sequence Chart depicts the process of initiating a transaction and receiving the TAN code via SMS text messaging.

[pic]

An issue with TAN codes is the time span in which they are valid. TAN codes are valid for single use but remain valid for a long time when unused. In combination with the fact that TAN codes are only related to the serial number of a transaction, this renders them desirable objects for phishers. Once a phisher has captured valid credentials and the TAN code he is capable of perpetrating arbitrary transactions.

5.2. Back-End Security Solutions are anti-phishing mechanisms under the direct control of the bank. They include:

5.2.1. Transaction Anomaly Detection is used to detect potentially fraudulent transactions. These systems explicitly counter the ability of phishers to achieve a pay-out. They combine user profiling with business rules to detect suspicious account activity, which is reported to the bank's professionals so that corrective measures can be taken.

5.2.2. Log File Analysis

Log analysis systems apply sophisticated analysis on audit trails in order to detect phishing lures, hooks and catches. Phishers often spoof the From: address in email messages to mimic the legitimate domain of the targeted bank. Consequently, when the email inbox of the victim is full or non-existent the email will bounce to the email servers of the bank. By analyzing the number of bounced messages and their content a phishing email lure can be detected.

By mapping IP addresses to geographical locations a bank can detect logins from countries where phishing activities are concentrated.
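Both log-file checks described above, run over constructed sample lines as an added example (this is illustrative code, not a bank's system). The bounce log clusters non-delivery reports by recipient and subject to spot a mass mailing that spoofed the bank's domain; the login log is assumed to already carry a country resolved from the client IP, and the watch-list country code "XX" is a placeholder.

```python
import re
from collections import Counter

# Constructed sample: entries from the bank's mail server log, each recording a
# non-delivery report (bounce) returned to an address in the bank's own domain.
BOUNCE_LOG = """\
2008-03-01T09:00:12 bounce to=<noreply@examplebank.example> subject="Undeliverable: Urgent account verification"
2008-03-01T09:00:15 bounce to=<noreply@examplebank.example> subject="Undeliverable: Urgent account verification"
2008-03-01T09:01:02 bounce to=<noreply@examplebank.example> subject="Undeliverable: Urgent account verification"
2008-03-01T09:01:40 bounce to=<hr@examplebank.example> subject="Undeliverable: March newsletter"
2008-03-01T09:02:11 bounce to=<noreply@examplebank.example> subject="Undeliverable: Urgent account verification"
"""

# Constructed sample: internet banking login audit trail. The country field is assumed
# to have been filled in upstream by a geolocation lookup on the client IP.
LOGIN_LOG = """\
2008-03-01T10:05:01 login user=amy result=ok country=NL ip=192.0.2.10
2008-03-01T10:07:44 login user=amy result=ok country=XX ip=203.0.113.5
2008-03-01T10:09:03 login user=bob result=ok country=NL ip=192.0.2.77
2008-03-01T10:11:30 login user=carl result=fail country=XX ip=203.0.113.9
"""

BOUNCE_RE = re.compile(r'^(\S+) bounce to=<([^>]+)> subject="([^"]*)"$')
LOGIN_RE = re.compile(r'^(\S+) login user=(\S+) result=(\S+) country=(\S+) ip=(\S+)$')


def detect_bounce_lure(log_text, threshold=3):
    """Group bounces by (recipient, subject). A cluster at or above the threshold
    suggests a mass mailing that spoofed the bank's domain as sender.
    Returns {(recipient, subject): count} for the clusters that crossed it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BOUNCE_RE.match(line)
        if m:
            _, recipient, subject = m.groups()
            counts[(recipient, subject)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def flag_logins_by_country(log_text, watch_countries):
    """Return (user, country, ip) for successful logins whose geolocated country
    is on the bank's watch list; failed attempts are left to other controls."""
    flagged = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        _, user, result, country, ip = m.groups()
        if result == "ok" and country in watch_countries:
            flagged.append((user, country, ip))
    return flagged


if __name__ == "__main__":
    for (recipient, subject), n in detect_bounce_lure(BOUNCE_LOG).items():
        print("possible lure: %d bounces to %s with subject %r" % (n, recipient, subject))
    for user, country, ip in flag_logins_by_country(LOGIN_LOG, {"XX"}):
        print("review login: user=%s country=%s ip=%s" % (user, country, ip))
```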

5.3. Completeness of anti-phishing controls

The conclusion that one can draw from the above is that back-end systems cover the wide spectrum of the lure, hook and catch of a phishing attack. Log file analysis systems counter phishing lures and hooks, whereas transaction anomaly detection systems cover the catch of a phishing attack.

However, although the range of the back-end systems employed by a bank is wide, these systems are limited in their defensive strategy. They are merely detective and reactive controls or a combination of these.

Front-end controls also do not support a preventive strategy.

Thus we can conclude that the preventive anti-phishing strategy of banks largely depends on either security calculators or TAN codes, which are not foolproof.

[pic]

5.4. The CANTINA Algorithm

Most anti-phishing mechanisms use algorithms to function effectively. The most commonly used algorithm is CANTINA, and an analysis of this algorithm will provide an insight into the mechanics of anti-phishing software.

While other algorithms examine the surface of a web page to check if it is a phishing website, CANTINA checks the contents of the page to determine its legitimacy. It does so using the TF-IDF algorithm and the Robust Hyperlink concept.

5.4.1. TF-IDF Algorithm

This algorithm consists of two portions:

a) TF stands for Term Frequency. When the algorithm is run, TF calculates how many times a given word appears in that document and assigns a weight called a 'term'. The higher the term, the greater the frequency of occurrence of that word in the document.

b) IDF stands for Inverse Document Frequency. IDF is a measure of the frequency of occurrence of a word across a collection of documents.

A high term refers to a word that occurs frequently in a particular document but less frequently in other documents.

5.4.2. Robust Hyperlink

The concept of robust hyperlink was developed to overcome the problem of finding the correct URL on the web. It works as follows:

a) When locating a web page of choice, one first types the basic URL into the browser window. If the web page is not found, then:

b) Identify a few key words, also called "signature words", that are unique to the page one is searching for.

c) These words are identified using the TF-IDF algorithm. The algorithm examines each word in the document and yields the words with a high term. The five most frequently occurring words are chosen.

d) These signature words are then fed into a search engine.

e) This process yields those pages / documents which closely match the one with the URL one is looking for.

f) Further examination of the URLs of these pages / documents will result in the identification of the URL of choice.

Let us now examine how CANTINA uses both these concepts in anti-phishing:

a) When a web page loads on the screen, CANTINA uses the TF-IDF algorithm to generate the "term" of every word on that page.

b) The five words with the highest terms are fed into a search engine such as Google.

c) The search engine returns those web pages that contain those five words in greatest measure.

d) The domain name of the currently opened web page is compared with the domain names of the top 30 web pages returned in step c).

e) If the domain names match, then the website is legitimate. Otherwise it is a phishing site.

[pic]

The effectiveness of CANTINA is borne out by the fact that it detects 94 to 97% of phishing sites.
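The CANTINA procedure of steps a) to e), carried through in Python as an added example (not the CANTINA authors' code). A small constructed page index stands in for Google's index and a word-overlap ranking stands in for its search; the domains, page texts and stop-word list are assumptions, and the spoof page is deliberately absent from the index, as a freshly registered phishing site would be.

```python
import math
import re
from collections import Counter

# Constructed mini "web": domain -> page text. This plays the role of the search
# engine's index. A new phishing site is not in it, which is what CANTINA relies on.
INDEX = {
    "examplebank.example": "Welcome to Examplebank internet banking. Log in with your "
                           "Examplebank card and PIN to view accounts and make payments.",
    "news.example": "Local news, weather and sports headlines for today.",
    "shop.example": "Buy shoes, bags and accessories with free delivery on every order.",
    "recipes.example": "Easy dinner recipes with fresh ingredients and step by step instructions.",
}

# Small stop list so function words do not become signature words in such a tiny corpus.
STOPWORDS = {"a", "and", "by", "for", "in", "of", "on", "the", "to", "with", "your"}


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def tf_idf(page_text, corpus_texts):
    """Step a): the weight (the essay's 'term') of every word on the page, i.e. its
    frequency in the page times the inverse of how many corpus documents contain it."""
    words = tokenize(page_text)
    tf = Counter(words)
    doc_freq = Counter()
    for doc in corpus_texts:
        doc_freq.update(set(tokenize(doc)))
    n_docs = len(corpus_texts)
    return {w: (c / len(words)) * (math.log((1 + n_docs) / (1 + doc_freq[w])) + 1)
            for w, c in tf.items()}


def signature_words(page_text, corpus_texts, k=5):
    """Step b): the k words with the highest term, ties broken alphabetically."""
    weights = {w: v for w, v in tf_idf(page_text, corpus_texts).items() if w not in STOPWORDS}
    return [w for w, _ in sorted(weights.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


def mock_search(words, index, top_n=30):
    """Step c): stand-in for the search engine, ranking indexed pages by how many of
    the signature words they contain and returning the top_n domains."""
    scored = []
    for domain, text in index.items():
        hits = len(set(words) & set(tokenize(text)))
        if hits:
            scored.append((-hits, domain))
    return [domain for _, domain in sorted(scored)[:top_n]]


def cantina_verdict(page_domain, page_text, index):
    """Steps d) and e): legitimate if the page's own domain is among the top results."""
    sig = signature_words(page_text, list(index.values()))
    return "legitimate" if page_domain in mock_search(sig, index) else "phishing"


if __name__ == "__main__":
    bank_text = INDEX["examplebank.example"]
    print(signature_words(bank_text, list(INDEX.values())))
    print(cantina_verdict("examplebank.example", bank_text, INDEX))
    # A spoof that copies the bank's page text but lives on a look-alike domain:
    print(cantina_verdict("examplebank-secure.example", bank_text, INDEX))
```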

Chapter 6

Future Attack Vectors

6.1. Spear phishing attacks use lures to reach selected victims (as opposed to mass mailing).

A spear phishing lure is a lure in which sophisticated filtering mechanisms are employed to select and approach the victims of a phishing attack.

In order to find appropriate victims, phishers access private information on the World Wide Web. The popularity of social networking sites such as MySpace, Facebook, Hyves and LinkedIn allows published information to be easily gathered and exploited by attackers.

Typically, web spidering and form-filling tools are required to carry out a spear phishing lure. The web spider tool crawls the World Wide Web for personalized information. Once information that indicates a potential victim is found, the form-filling tool is used to contact the victims so the payload can be delivered.

6.2. Vishing is a pun in which the letter 'V' stands for Voice over IP (VoIP). Vishing usually refers to the use of Voice over IP technology in phishing attacks.

Vishing attacks are phishing attacks in which Voice over IP technology is used to approach the victim.

With many VoIP services it is possible to make calls to traditional landline telephony services. Vishing lures use this feature to exploit the public trust in traditional landline telephony services while maintaining the advantages of VoIP: Voice over IP calls are generally cheaper than traditional telephony services and they can be completely automated.

An attack scenario is to make calls to a mass of victims using an interactive voice response (IVR) system. Using social engineering texts this system can ask for credentials, TAN codes, PIN codes or other sensitive information which the system can record.

Chapter 7

An Enhanced Defensive Strategy

In this chapter we propose a defensive strategy that we believe to be able to withstand all current phishing attacks and the most important future phishing attacks on internet banking services.

a. Customers' end-systems are compromised

From our threat model section we conclude that tampering with customers' end-systems (e.g. personal computers and mobile telephones) poses a medium to high risk threat depending on the technology involved. Moreover, we have demonstrated that this threat is not sufficiently mitigated by software security mechanisms. Hence, our defensive solution should not rely on the security of these end-systems.

b. Resistance against improper usage

We conclude that customers fail to properly interpret security indicators either because of ignorance or indolence. Thus our solution should present a simple and convenient interface to the customer that cannot be disregarded.

c. What you see is what you sign

We also elaborated on phishing attacks that are likely to arise in the coming years. There we have demonstrated the likelihood of attacks that exploit the possibility to alter the presentation of data, such as Man-in-the-Browser attacks. This vulnerability is caused by the lack of a possibility for the customer to confirm that their data was received correctly. That is why our solution should allow customers to express their consciousness and the authenticity of their internet banking activity and to confirm the correctness of the information involved in this activity.

7.1. Trusted computing base

First of all, the observation that customers' end-systems are compromised implies that our security-critical components cannot run in the compromised environment of these end-systems. We solve this by introducing a trusted computing base (TCB), which is an entity consisting of hardware and software designed in such a way that exploitation of it is extremely unlikely.

This allows us to design a system in which the security of internet banking activity does not depend on the security of the customer's end-systems. Note that the TCB is critical for the security of our concept. Accordingly, when the TCB is broken our system will likely be broken too. The less complex the TCB is, the better it is for the verification of the security of the TCB. Moreover, we require that the TCB cannot be operated remotely (e.g. from the internet); operating it requires physical access.

7.2. End-to-end security

The TCB should enable end-to-end security. That means from the trust boundary of the banking systems as close as possible to the customer (i.e. without intervention of a non-trusted entity) and vice versa. It is not the customer's end-systems that should be regarded as a safe end-point for communications, as is the case in current internet banking contexts and which enables Man-in-the-Browser attacks. Hence, the TCB should be under direct physical control of the user, without intervention of a possibly compromised end-system and without dependence on the correct and genuine reproduction of data by these end-systems.

7.3. Digital signatures

In the observation of what you see is what you sign we have expressed the need for a mechanism that allows customers to express their consciousness and the authenticity of their internet banking activity and to confirm the correctness of the information involved in this activity. We can divide this issue into two aspects, namely authenticity and integrity:

_ Authenticity: Our concept should allow a customer to create a non-forgeable binding between his identity and the internet banking activity and the corresponding information involved, which can be verified by the banking systems [2].

_ Integrity: Our concept should allow the banking systems to verify that information involved in internet banking activity was received correctly and as intended by the customer.

We rely on cryptographic techniques that enable digital signatures in order to achieve these goals. These techniques must be implemented on the TCB as the security of our system heavily relies on these signatures. In order to create a binding between the identity of the customer and the generation of a digital signature, this action should require the entry of a PIN code by the customer. A counter can be generated by the TCB in order to guarantee freshness of the information.

7.4. Non-negligible user interface

Our observation of resistance against improper usage expressed the need for a mechanism that cannot be disregarded. We do so by making the digital signature action an obligatory step before crucial internet banking activity (e.g. initiating a transaction, logging in or changing one's correspondence address) can be completed. Creating a digital signature should be a conscious user action. The requirement to enter a PIN code before being able to generate a digital signature will likely support this awareness.

7.5. Summary of our defensive concept

Altogether, we summarize our defensive concept as follows:

We propose a signing application running in a trusted computing base only available under direct physical control of the customer that requires a customer to digitally sign every crucial internet banking activity and the relevant information involved in this activity.

The message sequence chart in the figure below depicts the operation of our concept on an abstract crucial internet banking activity (for example, a transaction).

[Figure: message sequence chart of the defensive concept applied to a crucial internet banking activity]

7.6. How this matches our internet banking requirements

Let us now discuss whether our defensive solutions establish the internet banking requirements and whether they are any better than the existing defensive strategy discussed earlier.

We recall the security requirements and briefly discuss the relevant aspects of our proposed solution.

7.7. Security requirements

_ No-intrusion

No-intrusion is established since only messages that have a correct digital signature of the customer are accepted by the bank.

_ Authenticity

The TCB can only be operated under direct physical control. Such access is out of the scope of our adversary. Only the customer knows the PIN code to access the application. Hence, this allows the bank to verify the identity of the customer who sent a signed message.

_ Freshness

A time stamp generator inside of the TCB guarantees the freshness of every message signed using the signing application.

_ Confidentiality

No additional measures in order to guarantee confidentiality of messages are taken in our proposed solution.

_ Integrity

Our signing application requires that the generation of a digital signature happens with full consciousness of the customer. Moreover, this is done solely trusting the TCB (without dependence on the correct and genuine reproduction of data by the customer's end-systems). Hence, this mechanism allows the banking systems to verify that information is received as was intended by the customer.

_ Non-repudiation

The TCB can only be operated under direct physical control and only the customer knows the PIN code to access the application. Our signing application requires that the generation of a digital signature happens with full consciousness of the customer and does not rely on non-trusted systems. Hence, a customer cannot plausibly deny internet banking activity that was signed for with his digital signature.

_ Accountability

The digital signature mechanism allows the bank to trace crucial internet banking activity back to a unique customer.

7.8. Implementation Considerations

In this section we will discuss alternatives for implementing our proposed signing application. We believe these alternatives to be the most feasible. First, we present a short-term solution based on the current defensive strategy, which only implements our concept by approximation. Although this implementation does not fully comply with our theoretical concepts, it is an effective manner to counter soon-to-be-expected attacks, such as the man-in-the-browser attack. Subsequently, we present two branches that could be implemented in the long term and that fulfill our concept wholly.

7.8.1. Transaction Information Confirmation

Our first alternative is a migration of the current defensive strategy which has been described earlier. The key point of this migration is to be able to counter sophisticated phishing attacks that are prevalent or to be expected in the near future. Real-time man-in-the-middle attacks and man-in-the-browser attacks are the main examples of such attacks. These attacks exploit the weaknesses that are present in current two-factor and two-channel authentication schemes. The central problem with these implementations is that they depend on the correct and genuine reproduction of data by the customer's end-systems. However, as pointed out in our threat model, it is not reasonable to trust these end-systems. Hence, we need to fit the aforementioned concept of end-to-end security into the current two-factor and two-channel authentication schemes. The key issue in this migration is transaction information confirmation: we require the customer to confirm the transaction information (i.e. the amount of the transaction and the account number of the beneficiary) using the trusted part of the authentication scheme and independent of the customer's end-system.

That means it is confirmed either via the security calculator or via the second channel. In this way, the integrity of the transaction information no longer depends on the correct and genuine reproduction of this information by the customer's end-systems. As a consequence, real-time man-in-the-middle attacks and man-in-the-browser attacks are rendered impossible. Let us discuss how we can achieve transaction information confirmation in both a two-channel context and a two-factor context by adapting the transaction initiation protocols of these contexts:

7.8.2. In a two-channel context

In a two-channel context we can establish transaction information confirmation by creating a binding between the TAN code and the transaction information. The solution for this is very trivial: always send the transaction information along with the TAN code over the trusted channel (e.g. the SMS text messaging channel). Consequently, a customer can notice that a man-in-the-middle or man-in-the-browser attack is attempted when the transaction information confirmation received via the trusted channel diverges from the transaction information that he entered at his end-system. If this is the case, the customer should not confirm the transaction by entering the TAN code but instead call the bank and notify them that an attack is going on.

The message sequence chart in the following figure depicts the two-channel authentication scheme with transaction information confirmation:

[Figure: message sequence chart of the two-channel authentication scheme with transaction information confirmation]

This scheme requires very few adjustments and could be rolled out on a very short term. Unfortunately, the major drawback of this scheme is that it requires a real-time trusted channel to deliver the transaction information confirmation. This means that this scheme is not applicable when TAN codes are transmitted in bulk mode via the postal service.

7.8.3. In a two-factor context

In a two-factor context we can establish transaction information confirmation by creating a binding between the challenge-response mechanism (in which the security calculator is involved) and the transaction information. We do so by letting the customer enter the transaction information in the security calculator (in addition to entering this information in the customer's end-system). The security calculator can then generate a digital signature of the transaction information which is sent along with the response. Consequently, the bank can notice an attempted man-in-the-middle or man-in-the-browser attack when the signature does not match the transaction information that was received.

The message sequence chart in the following figure depicts the two-factor authentication scheme with transaction information confirmation.

[Figure: message sequence chart of the two-factor authentication scheme with transaction information confirmation]
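The signing concept of 7.3 to 7.5 and the transaction information confirmation of the two-channel and two-factor contexts, as an added simulation that is not part of the original thesis. Assumptions of ours: an HMAC-SHA256 tag over a key shared between the customer's smart card and the bank stands in for the digital signature the text calls for, a counter kept by the security calculator provides freshness, and every key, PIN and account number is a constructed value.

```python
"""Added example, not from the original work: transaction information
confirmation simulated in a two-factor and a two-channel context. Ours:
HMAC-SHA256 with a key shared by smart card and bank stands in for the
digital signature; a device counter gives freshness; values are constructed."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    beneficiary: str   # account number of the beneficiary
    amount_cents: int  # amount in cents, avoids floating point rounding

def _to_be_signed(tx: Transaction, counter: int) -> bytes:
    # Canonical encoding of exactly the fields the customer confirms on the
    # device, plus the counter so a captured signature cannot be replayed.
    return f"{tx.beneficiary}|{tx.amount_cents}|{counter}".encode()

class SecurityCalculator:
    """The trusted computing base: holds the card key, demands the PIN,
    keeps a counter and signs only what was typed on its own keypad."""

    def __init__(self, card_key: bytes, pin: str) -> None:
        self._card_key = card_key
        self._pin = pin
        self._counter = 0

    def sign(self, tx: Transaction, pin_entered: str) -> tuple[int, str]:
        if not hmac.compare_digest(pin_entered, self._pin):
            raise PermissionError("wrong PIN: no signature generated")
        self._counter += 1  # freshness: strictly increasing per device
        tag = hmac.new(self._card_key, _to_be_signed(tx, self._counter),
                       hashlib.sha256).hexdigest()
        return self._counter, tag

class Bank:
    """Back end: checks the signature against the transaction data it
    actually received and enforces counter freshness per customer."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_counter: dict[str, int] = {}

    def enrol(self, customer: str, card_key: bytes) -> None:
        self._keys[customer] = card_key
        self._last_counter[customer] = 0

    def accept(self, customer: str, tx_received: Transaction,
               counter: int, tag: str) -> bool:
        key = self._keys.get(customer)
        if key is None or counter <= self._last_counter[customer]:
            return False  # unknown customer, or a replayed/stale counter
        expected = hmac.new(key, _to_be_signed(tx_received, counter),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # received data differs from what was signed
        self._last_counter[customer] = counter
        return True

def run_two_factor_scenarios() -> dict[str, bool]:
    """Constructed scenario: the customer confirms one transfer on the
    calculator; a man-in-the-browser rewrites the beneficiary in the form."""
    key = b"constructed-card-key-0001"
    bank = Bank()
    bank.enrol("customer-A", key)
    calculator = SecurityCalculator(key, pin="4321")
    intended = Transaction("NL00BANK0000000001", 12_500)
    counter, tag = calculator.sign(intended, "4321")
    # Malware submits a different beneficiary with the genuine signature.
    altered = Transaction("NL00MULE0000000099", 12_500)
    tampered = bank.accept("customer-A", altered, counter, tag)
    # The untouched message is accepted once ...
    honest = bank.accept("customer-A", intended, counter, tag)
    # ... and its replay is refused by the counter check.
    replay = bank.accept("customer-A", intended, counter, tag)
    # A freshly signed message is accepted again.
    counter2, tag2 = calculator.sign(intended, "4321")
    second = bank.accept("customer-A", intended, counter2, tag2)
    return {"tampered": tampered, "honest": honest,
            "replay": replay, "second": second}

def compose_tan_message(tx: Transaction, tan: str) -> str:
    """Two-channel variant: the bank sends the transaction data along with
    the TAN over the trusted channel (e.g. SMS)."""
    euros, cents = divmod(tx.amount_cents, 100)
    return f"TAN {tan} for transfer of EUR {euros}.{cents:02d} to {tx.beneficiary}"

def customer_should_enter_tan(message: str, tx_entered: Transaction) -> bool:
    """The customer's check: enter the TAN only when the data in the message
    equals what was typed into the end-system; otherwise call the bank."""
    tan = message.split()[1]
    return message == compose_tan_message(tx_entered, tan)
```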

7.9. Reflection

Transaction information confirmation helps us to achieve that the integrity of the transaction information no longer depends on the correct and genuine reproduction of this transaction information by the customers' end-systems. Consequently, it is a successful control to counter real-time man-in-the-middle attacks and man-in-the-browser attacks. For the customer, transaction information confirmation has a major benefit: he can do secure transactions without the need to implement tight software security restrictions and mechanisms on his end-systems. In return, the customer should verify the information sent to him via a trusted channel (in a two-channel context) or enter the transaction information twice (in a two-factor context). We believe that transaction information confirmation is a major improvement: we think the increased security and decreased effort to maintain secure end-systems outweigh the slightly increased effort to confirm the transaction information.

Moreover, we believe that transaction information confirmation is also favorable for the bank. It is a front-end control that is directly visible to the customer. As a consequence, we believe that it would not only improve security realization but also security perception by the customer. The latter is a great benefit with respect to the confidence in internet banking security.

Additionally, there is no need to shift the liability for internet banking security to the customer to maintain a secure end-system. Although transaction information confirmation is a quick fix to counter soon-to-be-expected attacks, it does not fully meet our conceptual solution. For example, in a two-channel context an SMS text message that contains the transaction information can be easily neglected. Furthermore, transaction information confirmation only focuses on transactions as crucial internet banking activity. Although it is probably the most important activity in internet banking, it is not the only activity that should be protected. For example, changing one's correspondence address or making modifications to the shortlist of contacts is also crucial internet banking activity. We now provide two implementation branches of our conceptual solution that banks could roll out on the longer term and that do not suffer from these deficiencies.

7.10. Connected smart card reader

One way to implement our conceptual solution is using a secure connected smart card reader. The smart card reader is connected to the customer's end-system via a standard interface, for example USB. The smart card reader also has a display, a numerical key-pad and a sign button. Since we ruled out physical access to such a device in our threat model, any requirements of tamper-proofness are out of the scope of our research.

Let us discuss the issues of this implementation:

_ Trusted computing base

In this implementation our TCB consists of the smart card reader and

_ End-to-end security

The smart card reader and the smart card are under direct control of the customer. The USB interface is only used to feed information to be signed to the smart card reader. In order to operate the signature application the user has to enter the PIN code that corresponds to his banking smart card.

_ Digital signatures

Either the smart card or the smart card reader must implement a digital signature algorithm. We prefer to do this on the smart card so the signature algorithm can be easily updated by issuing a new smart card to a customer. Key management for this scheme is trivial: it can be based on keys already existing on the smart card. In the case of a compromised key only a new smart card has to be issued to a single customer. Furthermore, this has the advantage that all smart card readers can be identical, which saves costs and enables roaming. Secure timestamps are calculated by the smart card reader.

_ Non-negligible user-interface

All crucial internet banking activity requires a digital signature over the information involved in this activity. Before this can be done the customer is required to insert his smart card into the reader, enter his PIN code and press the sign button. We stress that before pressing the sign button it is important for the customer to carefully verify the information displayed on the smart card reader.

We are aware that this implementation has some similarities with FINREAD, the Financial transactional IC card reader. However, FINREAD is a standard that is far more extensive than our proposal. For example, FINREAD allows a bank to remotely authenticate and update the software on the device. We believe that such functionality unnecessarily complicates the TCB, which does not support its security. Instead, we propose a simple smart card reader with security-critical software running on the smart card. We conclude this section by summarizing the considerations of this particular implementation:

_ Advantages

Key management can be done based on the smart card. A universal smart card reader allows for roaming. Software updates can be rolled out by issuing new smart cards. Because of current security calculators, customers are familiar with using a separate device for signing purposes.

_ Disadvantages

The smart card reader has to communicate with the customer's end-device, which might cause interoperability issues.

Chapter 8

Conclusions and Recommendations

Let us answer our research questions:

Q1: In what ways is it possible to structure the methodology of phishing techniques and defenses?

We devised a framework of seven steps that can be identified in a phishing hook. We also showed cohesion amongst these steps, by which we divided phishing attacks into the lure, the hook and the catch. This distinction follows the principle of separation of concerns, which allows attackers to specialize. As a result, a phishing supply chain exists which is supported by illicit online market places. Currently, we identified the three most prevalent phishing attacks to be dragnet phishing, real-time man-in-the-middle phishing and malware-based phishing.

In phishing defense we can distinguish between front-end and back-end controls. The former are directly visible to the customer while the latter are under direct control of the bank and mostly invisible to the customer. Prominent front-end controls are the authentication mechanisms. Here we can distinguish two-factor and two-channel authentication schemes. Moreover, front-end security relies on software security mechanisms that protect the security of the customer's end-systems. As back-end controls, transaction anomaly detection and takedowns are most popular. The defensive strategy should be based on a proper threat model.

Unfortunately, an applicable threat model was not publicly available. Therefore we applied modelling techniques developed by Microsoft to construct a threat model ourselves. One of the main results from this threat model is that we identified tampering with the customer's end-systems as a high-risk threat.

Q2: How will phishing attacks presumably evolve in the future?

We concluded that the evolution of phishing attacks will take place especially in the lure and hook of a phishing attack. We think that the developments of future attacks will be bipartite. On the one hand we will see the employment of new technology (broadening) and on the other hand we will see more sophisticated exploitation of current technologies (deepening). This is a direct result of the arms race between phishers and banks: when defense is raised, phishers seek new targets and techniques (broadening) and ways to enhance current attacks in order to circumvent the raised security (deepening).

In the lure we expect to see new methods for contacting victims (broadening). Vishing, the use of Voice over IP technology for phishing lures, is one example of such attacks. We showed that the required technology for vishing is publicly available at low cost. Moreover, we expect spear phishing (deepening) to develop. In spear phishing only a smaller number of interesting victims is selected in order to achieve a higher return on investment and in order to create more stealthy phishing attacks.

In the hook of phishing attacks we expect to see sophisticated semantic attacks. We expect the current malware-based phishing attacks to evolve into man-in-the-browser attacks (deepening), which are attacks that redirect transaction initiations using a malware-infected web browser. We also demonstrated the practical feasibility of such an attack. Man-in-the-browser attacks can be realized at low cost and with moderate skills. Moreover, we expect future phishing attacks to target other internet banking activity than just the transaction initiation activity (broadening). We have also documented an attack that successfully exploits the transaction request procedure.

Q3: To what extent will currently deployed anti-phishing mechanisms protect against future attacks?

A major pillar in phishing defense is the two-factor and two-channel authentication schemes employed by banks. These schemes successfully rendered dragnet phishing infeasible. However, this moved phishers to attack other internet banking activity than just the login procedure. Namely, both two-factor and two-channel authentication schemes lack a proper mechanism to protect the integrity of the data involved in internet banking activity. Hence, in order to ensure the integrity of the data transmitted to the bank, a secure path from the customer to the bank is required. This leads to a focus on software security mechanisms such as firewalls and virus scanners that protect the customer's end-systems and to a focus on SSL / TLS for the protection of the connection to the bank. Unfortunately, these defensive controls have serious deficiencies. As a consequence we see that the transaction initiation procedure is attacked by phishing attacks such as real-time man-in-the-middle phishing and man-in-the-browser attacks. In conclusion, the currently deployed defensive strategy fails to adequately target the sophisticated phishing attacks that we expect to arise in the near future.

Q4: Which defensive techniques are required to protect against the future prospects of phishing attacks?

We have seen that protecting the security of the customer's end-systems is infeasible because of the lack of proper controls and the nature of human behavior. As a consequence, we require a defensive solution that does not rely on the security of these end-systems. Moreover, because of this human behavior we require a solution that presents a simple and convenient interface to the customer and which cannot be disregarded. Finally, because of the trend to attack other internet banking activity that was observed in answering Q3, we should have a proper mechanism to protect all crucial internet banking activity and the data involved in this activity. Hence, we require a solution that allows customers to express their consciousness and the authenticity of their internet banking activity and to confirm the correctness of the information involved in this activity.

We also presented a solution: we propose a signing application running in a trusted computing base only available under direct physical control of the customer that requires a customer to digitally sign every crucial internet banking activity and the relevant information involved in this activity. In the long term, such a solution could be implemented as a secure smart-card reader or using a Type 1 hypervisor. In the short term such a solution will not be available. In the meanwhile we think it is wise to adapt current two-factor and two-channel authentication

Recommendations

Based on our conclusions we make the following three recommendations to internet banking services:

1. A defensive strategy should not rely on a trusted path from the customer to the bank. This leads to liability issues, it is out of control of the internet banking service and it is inherently insecure since software security mechanisms have serious deficiencies and security indicators of SSL / TLS are easily ignored.

2. Man-in-the-browser attacks are extremely feasible. A proper defensive control is required in order to avoid serious attacks, loss of customers' trust in internet banking security and a media smear campaign. We advise to adapt the current two-factor and two-channel authentication schemes to incorporate transaction information confirmation. For two-factor schemes this means that security calculators should require a digital signature over the transaction information (account number and amount). For two-channel schemes this means that when sending the TAN code to the customer over SMS text messaging, a confirmation of the transaction information should be sent along.

3. On the longer term we expect that other digital payment activity will also be the victim of attacks, as was demonstrated by the man-in-the-mail-client attacks. We advise internet banking services to seriously research these problems before attacks are carried out in the wild. A control that protects all crucial internet banking activity and the information involved in this activity is required. For example, look into the possibilities of connected smart card readers or emulation using a hypervisor.

Bibliography

[1] McMillan, R., Gartner: Consumers to Lose $2.8 Billion to Phishers in 2006, Network World, 2006

[2] Zhang, Yue, Hong, Jason: CANTINA: A Content-Based Approach to Detecting Phishing Web Sites, 2007

[3] Phishing Online, March 2006, Oxford University Press, Oxford English Dictionary Online.

[4] M. Jakobsson, Modeling and Preventing Phishing Attacks, Phishing Panel of Financial Cryptography, 2005

[5] R. Clayton, A Chat at the Old Phishin' Hole, Lecture Notes in Computer Science, Springer-Verlag, 2005

[6] G. Tally, R. Thomas & T. Van Vleck, Anti-Phishing: Best Practices for Institutions and Consumers, McAfee, March 2004

[7] A. Litan, The War on Phishing is Far from Over, Gartner Group Report, 2009

[8] M. Jakobsson, Phishing & Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, Wiley, 2007

[9] Salton, G. & M.J. McGill, Introduction to Modern Information Retrieval, New York, NY, McGraw-Hill, 1986.

[10] R. Dhamija, J.D. Tygar & M. Hearst, Why Phishing Works, In Proceedings of the ACM Conference on Human Factors in Computing Systems, April 2006.

[1] Anti-Phishing Working Group. Proposed Solutions to Address the Threat of Email Spoofing Scams, http://www.antiphishing.org, December 2003.

[2] Basel Committee on Banking Supervision. Risk Management Principles for Electronic Banking, July 2003.

[3] CA / Browser Forum. Guidelines for the issuance and management of extended validation certificates, Version 1.0, June 2007.

[4] Central European Committee for Standardization. FINREAD specifications, CWA 14174, http://www.cen.eu/cenorm/sectors/sectors/isss/cwa/finread.asp, 2004.

[5] Centraal Bureau voor de Statistiek. De Digitale Economie, 2006

[6] Consumentenbond. 'Internetbankieren is Veilig', Consumentengids, January 2008.

[9] Department of Defense, Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1985. In the glossary under entry Trusted Computing Base (TCB).
[10] Federal Financial Institutions Examination Council. Authentication in an Internet Banking Environment, http://www.ffiec.gov/pdf/authentication_guidance.pdf, 2005.

[11] Federal Financial Institutions Examination Council. IT Examination Handbook, http://www.ffiec.gov/ffiecinfobase/booklets/information_security/informationsecurity.pdf, July 2006.

[12] Federal Trade Commission's Division of Marketing Practices. Email Address Harvesting and the Effectiveness of Anti-Spam Filters, http://www.ftc.gov/opa/2005/11/spamharvest.pdf, November 2005.

[13] Gartner Inc. Gartner Says Number of Phishing E-Mails Sent to U.S. Adults Nearly Doubles in Just Two Years, Press Release, 9 November 2006.

[15] IBM Corporation. IBM Systems Virtualization, Version 2 Release 1, 2005.

[18] RSA Security Inc. Fighting Emerging Threats: How To Combat Man-In-The-Middle And Trojan Attacks, 2007.

[19] RSA Security Inc. Fighting The Enemy: Making Sense of the Growing Crimeware Threat, 2006.

[20] RSA Security Inc. Phishing Special Report: What We Can Expect For 2007, January 2007.

[21] SecuritySpace. Secure Server Survey, November 2007.

[22] World Wide Web consortium. Document Object Model (DOM) Level 1 Specification Version 1.0, http://www.w3.org, 1 October, 1998.

[23] C. Abad. The economy of phishing: A survey of the operations of the phishing market, Cloudmark, September 2005.

[24] B. Adida, S. Hohenberger and R. L. Rivest. Fighting Phishing Attacks: A Lightweight Trust Architecture for Detecting Spoofed Emails, 2005.

[25] B. Adida, S. Hohenberger and R. L. Rivest. Separable Identity-Based Ring Signatures: Theoretical Foundations For Fighting Phishing Attacks, presented at the DIMACS Workshop on Theft in E-Commerce, Piscataway, New Jersey, February 2005.

[26] A. Allan, J. Heiser, A. Litan, A. Newton and R. Wagner. State of the Art for Online Consumer Authentication, Gartner, May 2006.

[27] A. Alsaid and C. J. Mitchell. Preventing Phishing Attacks Using Trusted Computing Technology, in Proceedings of INC 2006, Sixth International Network Conference, Plymouth, UK, pp.221-228, July 2006.

[29] D. Bizeul. Russian Business Network Study, http://www.bizeul.org/files/RBN_study.pdf, November 2007.

[30] D. Barroso. Botnets - The Silent Threat, European Network and Information Security Agency (ENISA), November 2007.

[31] K. B. Bignell. Authentication in an Internet Banking Environment; Towards Developing a Strategy for Fraud Detection, International Conference on Internet Surveillance and Protection, 2006.

[32] M. Christodorescu and S. Jha. Testing Malware Detectors, Published in the Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'04), July 2004.

[33] R. Clayton. A Chat at the Old Phishin' Hole, lecture notes in computer science number 3570, pages 88, Springer-Verlag, 2005.

[34] R. Clayton. Who'd phish from the summit of Kilimanjaro?, ISBN 978-3-540-26656-3, pages 91-92, 2005.

[35] L. Cranor, S. Egelman, J. Hong and Y. Zhang. Phinding Phish: An Evaluation of Anti-Phishing Toolbars, CyLab Technical Report CMU-CyLab-06-018, November 2006.

[36] J. Dapeng. Personal Firewall Usability-A Survey, TKK T-110.5290 Seminar on Network Security, 2007.

[37] P. Dasgupta, K. Chatha, and S. K. S. Gupta. Personal Authenticators: Identity Assurance under the Viral Threat Model, draft, 2006.

[38] L. Delpha and M. Rashid. Smartphone Security Issues, Black Hat Briefings Europe, May 2004

[39] R. Dhamija, J. D. Tygar and M. Hearst. Why Phishing Works, in the Proceedings of the Conference on Human Factors in Computing Systems (CHI2006), April 2006.

[40] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346, April 2006.

[41] R. Dingledine, N. Mathewson and P. Syverson. Tor: The Second Generation Onion Router, in proceedings of the 13th USENIX Security Symposium, pp. 303-320, 2004.

[42] A. Emigh. Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures, Identity Theft Technology Council, http://www.antiphishing.org/Phishing-dhs-report.pdf, October 2005.

[43] I. Fette, N. Sadeh and A. Tomasic. Learning to Detect Phishing Emails, Carnegie Mellon Cyber Laboratory Technical Report CMU-CyLab-06-012, June 2006.

[44] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach and T. Berners-Lee. Hypertext Transfer Protocol Request for Comments 2616, June 1999.

[45] P. Finn and M. Jakobsson. Designing and Conducting Phishing Experiments, preprint, to appear in IEEE Technology and Society Magazine, Special Issue on Usability and Security, 2007.
[46] J. Franklin, V. Paxson, A. Perrig and S. Savage. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, in Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 375-388, 2007.

[47] G. R. Gordon, D. J. Rebovich, K. Choo and J. Gordon. Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement, Grant No. 2006-DD-BX-K086, October 2007.

[48] M. G. Gouda, A. X. Liu, L. M. Leung and M. A. Alam. SPP: An anti-phishing single password protocol, in Computer Networks: The International Journal of Computer and Telecommunications Networking Volume 51, Issue 13 (September 2007), Pages 3715-3726, March 2007.

[49] P. Guhring. Concepts against Man-in-the-Browser Attacks, Financial Cryptography, FC++ number 3, 2007.

[50] P. Gutmann. Phishing Tips and Techniques, presentation at the University of Cambridge Computer Laboratory, May 2007.

[51] A. Hallawell and A. Litan. Brand-Monitoring and Anti-phishing Services Intersect Several Security Markets, Gartner, September 2007.

[52] M. Howard and D. LeBlanc. Writing Secure Code, Microsoft Press, 2002.

[53] C. Jackson, D.R. Simon, D.S. Tan and Adam Barth. An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks, In Proceedings of Usable Security (USEC '07) Workshop, 2007.

[54] T. Jagatic, N. Johnson, M. Jakobsson and F. Menczer. Social Phishing, in Communications of the ACM Volume 50, Issue 10 (October 2007), Pages 94 - 100, December 2005.

[55] M. Jakobsson. Modeling and Preventing Phishing Attacks, in Phishing Panel of Financial Cryptography, 2005.

[56] M. Jakobsson. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, Wiley, ISBN: 978-0-471-78245-2, 2007.

[57] M. Jakobsson and J. Ratkiewicz. Designing Ethical Phishing Experiments: A study of (ROT13) rOnl query features, In Proceedings of the 15th International Conference on World Wide Web, 2006.

[58] M. Jakobsson and A. Young. Distributed Phishing Attacks, http://eprint.iacr.org/2005/091.pdf, 2005.

[59] L. James. Phishing Exposed, Syngress, ISBN: 978-1-597-49030-6, November 2005.

[60] J. Klensin. Simple Mail Transfer Protocol, RFC 2821, April 2001.

[61] B. Lampson, M. Abadi, M. Burrows and E. Wobber. Authentication in Distributed Systems: Theory and Practice, ACM Transactions on Computer Systems, on page 6, 1992.
[62] A. Litan. HSBC Bank Brasil Turns to Back-End Fraud Detection to Curb Cybercrime, Gartner, June 2006.

[63] A. Litan. Phishing Attacks Leapfrog Despite Attempts to Stop Them, Gartner, November 2006.

[64] S. Mauw and M. Oostdijk. Foundations of Attack Trees, presented at Eighth Annual International Conference on Information Security and Cryptology, 2006.

[65] M. C. McChesney. Banking in Cyberspace: an investment in itself, IEEE Spectrum, February 1997.
[66] A. McCullagh. Non-Repudiation in the Digital Environment, First Monday, volume 5, number 8, August 2000.

[67] J.D. Meier, A. Mackman, M. Dunner, S. Vasireddy, R. Escamilla and A. Murukan. Improving Web Application Security: Threats and Countermeasures Roadmap, Microsoft Corporation, June 2003.

[68] T. Moore and R. Clayton. An Empirical Analysis of the Current State of Phishing Attack and Defence, In Proceedings of the 2007 Workshop on The Economics of Information Security (WEIS2007), http://www.cl.cam.ac.uk/~rnc1/weis07-phishing.pdf, 2007.

[69] P. Mutton. PayPal Security Flaw allows Identity Theft, Netcraft, June 2006.

[70] G. Ollman. The Phishing Guide: Understanding & Preventing Phishing Attacks, NGSSoftware Insight Security Research, 2004.

[71] B. Parno, C. Kuo and A. Perrig. Phoolproof Phishing Prevention, CMU-CyLab-05-003, http://sparrow.ece.cmu.edu/~adrian/projects/phishing.pdf, March 2006.

[72] N. Provos. A Virtual Honeypot Framework, In Proceedings of the 13th USENIX Security Symposium, August 2004.

[73] N. Provos, P. Mavrommatis, M.A. Rajab and F. Monrose. All Your iFRAMEs Point to Us, Google Technical Report provos-2008a, 2008.

[74] N. Provos, D. McNamee, P. Mavrommatis, K. Wang and N. Modadugu. The Ghost In The Browser - Analysis of Web-based Malware, Google Inc., 2007.

[75] J. Quirke. Security in the GSM system, AusMobile, May 2004.

[77] E. Rescorla. SSL and TLS: Designing and Building Secure Systems, ISBN 978-0201615982, Addison-Wesley Professional, 2000.

[78] R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, Vol. 21, Nr. 2, pp. 120-126, 1978.

[79] P. Robichaux and D. L. Ganger. Gone Phishing: Evaluating Anti-Phishing Tools for Windows, 3Sharp LLC, http://www.3sharp.com/projects/antiphishing/gone-phishing.pdf, September 2006.
[80] B. Ross, C. Jackson, N. Miyake, D. Boneh and J. C. Mitchell. Stronger Password Authentication Using Browser Extensions, Proceedings of the 14th USENIX Security Symposium, 2005.

[81] S. E. Schechter, R. Dhamija, A. Ozment and I. Fischer. The Emperor's New Security Indicators - An evaluation of website authentication and the effect of role playing on usability studies, The 2007 IEEE Symposium on Security and Privacy, May 2007.

[82] B. Schneier. Attack trees: Modeling Security Threats, Dr. Dobb's journal, December 1999.

[83] B. Schneier. Semantic Attacks: The Third Wave of Network Attacks, Crypto-Gram Newsletter, 2000.

[84] F. Swiderski and W. Snyder. Threat Modeling, Microsoft Professional, ISBN 978-0735619913, July 2004.

[85] G. Tally, R. Thomas and T. van Vleck. Anti-Phishing: Best Practices for Institutions and Consumers, McAfee, March 2004.

[86] T. G. Tan. Phishing Redefined - Preventing Man-in-the-Middle Attacks for Web-based Transactions, Draft, March 2005.

[87] K. Thompson. Reactions on trusting trust, in Communications of the ACM archive Volume 27 , Issue 8, August 1984.

[88] J. Verdurmen. Firefox extension security, Bachelor Thesis, January 2008.

[89] L. Wang and P. Dasgupta. Kernel and Application Integrity Assurance: Ensuring Freedom from Rootkits and Malware in a Computer System, 21st International Conference on Advanced Information Networking and Applications Workshops, 2007, Volume 1, pages 583-589,

[90] Z. Ye, S. Smith and D. Anthony. Trusted Paths for Browsers, in Proceedings of the 11th USENIX Security Symposium, Pages: 263 - 279, 2002.

[91] A. Young and M. Yung. Malicious Cryptography: Exposing Cryptovirology, Section 8.2, ISBN 978-0764549755, February 2004.

Figure: How CANTINA classifies a page (flowchart, reconstructed as steps)

1. The web page opens in the browser.
2. CANTINA computes a TF-IDF score (term frequency weighted by inverse document frequency) for each word on the page.
3. The words with the highest TF-IDF scores, generally the top five, are submitted to a search engine.
4. The search returns the pages on which those words occur most prominently.
5. The domain name of the page being examined is compared with the domain names of the top 30 search results.
6. If the domain name appears among them, the site is treated as legitimate; otherwise it is flagged as a phishing site.

The check therefore depends on the legitimate site being indexed and on the suspect page carrying enough indexable text: a page whose content is rendered as an image, or a legitimate page too new to have been indexed, yields terms that do not lead back to the expected domain.
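The flowchart above in working form, as an added example that is not CANTINA's own code. CANTINA sends the top TF-IDF terms to Google and inspects the top 30 results; here a small constructed in-memory index of pages stands in for the search engine so the check runs offline. The page texts, URLs, the tokenizer and the ranking used by the stand-in search are assumptions made for illustration.

```python
"""Offline re-implementation of the CANTINA TF-IDF check (added example, not CANTINA's code)."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

TOP_TERMS = 5      # highest-scoring terms sent to the search engine (CANTINA's default)
TOP_RESULTS = 30   # search results whose domains are compared (CANTINA's default)

# Constructed corpus standing in for the search engine's index: URL -> page text (assumption).
INDEX = {
    "https://www.examplebank.test/login":
        "ExampleBank online banking login. Enter your ExampleBank customer id and passcode to access accounts.",
    "https://www.examplebank.test/help":
        "ExampleBank help centre: passcode reset, statements, accounts, branches.",
    "https://news.example.test/banking":
        "Banking news: ExampleBank reports strong quarter; online banking customers grow.",
    "https://shop.example.test/":
        "Buy shoes, shirts and jackets. Free shipping on orders over fifty dollars.",
    "https://recipes.example.test/":
        "Easy weeknight recipes: pasta, salad, soup and bread.",
}

WORD_RE = re.compile(r"[a-z]{3,}")  # assumed tokenizer: lowercase words of 3+ letters


def tokenize(text):
    return WORD_RE.findall(text.lower())


def domain_of(url):
    """Domain used for the comparison; a leading 'www.' is stripped as a simple approximation."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def document_frequencies(index):
    """Number of indexed pages each term occurs in (the IDF denominator)."""
    df = Counter()
    for text in index.values():
        df.update(set(tokenize(text)))
    return df


def tfidf_terms(page_text, df, n_docs, k=TOP_TERMS):
    """Return the k terms of page_text with the highest TF-IDF weight (ties broken alphabetically)."""
    tf = Counter(tokenize(page_text))
    total = sum(tf.values()) or 1
    scores = {}
    for term, count in tf.items():
        # +1 smoothing so a term absent from the index still gets a finite, high IDF
        idf = math.log((1 + n_docs) / (1 + df[term])) + 1
        scores[term] = (count / total) * idf
    return [t for t, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


def search(terms, index, limit=TOP_RESULTS):
    """Stand-in for the search engine: rank indexed pages by how many query terms they contain."""
    ranked = []
    for url, text in index.items():
        words = set(tokenize(text))
        hits = sum(1 for t in terms if t in words)
        if hits:
            ranked.append((hits, url))
    ranked.sort(key=lambda hu: (-hu[0], hu[1]))
    return [url for _, url in ranked[:limit]]


def cantina_verdict(page_url, page_text, index=INDEX):
    """Follow the flowchart: (is_legitimate, query_terms, result_domains)."""
    df = document_frequencies(index)
    terms = tfidf_terms(page_text, df, len(index))
    result_domains = [domain_of(u) for u in search(terms, index)]
    legitimate = domain_of(page_url) in result_domains
    return legitimate, terms, result_domains


if __name__ == "__main__":
    # The real login page is indexed under its own domain ...
    real_url = "https://www.examplebank.test/login"
    real_text = INDEX[real_url]
    # ... while a constructed clone serves the same text from an unrelated domain.
    clone_url = "http://examplebank-secure.verify.test/login.php"
    for url in (real_url, clone_url):
        verdict, terms, domains = cantina_verdict(url, real_text)
        print(url, "->", "legitimate" if verdict else "phishing", terms, domains)
```

The clone is caught not because its text differs (it is byte-for-byte the bank's page) but because the search for that text's distinctive terms leads back to the bank's domain, which the clone's URL does not match. The same mechanism explains the failure modes noted above: if the distinctive terms are not on the page as text, or the legitimate site is not in the index, the search results cannot contain the expected domain.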