2018 First International Conference on Secure Cyber Computing and Communication (ICSCCC)

Analysis and Prevention of Phishing Attacks in Cyber Space

Alekh Kumar Mishra
Department of Computer Application
NIT Jamshedpur
Jamshedpur, India
alekha.ca@nitjsr.ac.in

Asis Kumar Tripathy
School of Information Technology and Engineering
VIT University, Vellore
Vellore, India
asistripathy@gmail.com

Satyabrata Swain
School of Information Technology and Engineering
VIT University, Vellore
Vellore, India
satya.swain10@gmail.com

Abstract: Nowadays the internet has become a very unsafe space to deal with. Hackers are constantly trying to gain the user's personal information and detailed credentials. Many websites on the internet are safe, but this safety cannot be assured for all websites. These rule breakers avoid abiding by rules, and try to employ methods like trickery and hacking to gain illegal access to private information. To be able to overcome this problem, we need to first understand the intricacies of how the virus is designed. This paper mainly deals with the analysis of phishing attacks in the cyberspace and any malicious content that is associated with the web and is carried out within the browser. Files that are downloaded with a virus and involve third party applications from the PC cannot be checked for the virus. For instance, if a word file is downloaded to the PC, it uses apps outside the web in the VM, and hence cannot be controlled by the VM.

Keywords: Browser Extension; Container; Phishing; Plugin; Sandbox; Virtual Machines

I. INTRODUCTION

Phishing is a form of online identity theft. Various social engineering schemes use fake emails to lead a user to fraudulent websites that are made to trick users into giving up valuable data such as account names, ATM PIN numbers, and passwords. This technique is known as the deceptive phishing attack and is discussed further below. In a recent survey by Gartner, nearly four million U.S. adults lost a total of around three billion dollars directly due to phishing. Phishing does not always result only in explicit money losses. The implicit losses caused by phishing are also at a peak: these include customer service costs, as customers lose trust, and account exchanging costs, and they result in higher expenses due to the decline in usage of online services in the face of widespread fear about the security of online financial transactions. This in turn causes a significant loss in money, resources and time.

In this paper we analyze various types of phishing attacks in cyberspace and provide suitable countermeasures for them. We also propose a virtual container based web browser, which isolates the websites that users visit in order to safeguard the internal computer system. We have analyzed the phishing trends of the last two years, and we provide countermeasures based on that analysis.

II. ANALYSIS OF EXISTING WORK

Phishing begins with a fraudulent email or other communication that is specifically made to trap a victim. The message is made to look appealing, as if it came from an official or trusted sender. If the targeted person believes that it is original, he or she will be in a mindset to provide confidential information such as bank account numbers, ATM PINs etc. Sometimes phishing is also done for the purpose of destroying a person's cyberspace, by downloading malicious files onto the victim's computer.

A. Deceptive Phishing

Deceptive phishing is one of the most commonly executed phishing attacks. Here, the phisher aims to get private and confidential information from the victims; the attacker then uses the information obtained to get more money or to run a bigger scam. The most common examples of deceptive phishing are fake emails from a bank claiming that your debit card has expired, or a computer-generated invoice call stating that, as part of the user updating policy, they need the account number.

Countermeasures of Deceptive Phishing:

• Blacklisting Approaches: This is the most popular anti-phishing technique in commercial use nowadays. Microsoft, for example, has integrated an anti-phishing solution from Internet Explorer 7 onwards, where the browser queries the site that the user wants to visit with Microsoft's server at the backend, and the user is notified whether it is safe to visit or not. Google, on the other hand, has the Google Safe Browsing concept, which is analogous to Microsoft's workflow. The main disadvantage of the blacklisting approach is that "non-blacklisted" phishing websites are not recognized.

• Information flow based approaches: PwdHash is a very famous solution in the anti-phishing literature. It creates passwords belonging to a particular domain (for example, your www.gmail.com password will not be effective on www.geemail.com, as it will be different in that case); it is also discussed later. AntiPhish, on the other hand, tracks where confidential information is submitted and analyzes the pattern behind it; if it detects that the information is being submitted to some fake website, it generates a warning and hence the information is safe.
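The two information flow ideas above, as an added Python sketch that is not code from the paper, PwdHash or AntiPhish. Assumptions: HMAC-SHA256 stands in for PwdHash's own construction, the site domain is taken as the last two host labels, and the password and salt are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Last two host labels, lower-cased.

    Assumption: enough for the sample hosts here; production code needs the
    Public Suffix List to handle names such as example.co.uk.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in {url!r}")
    return ".".join(host.split(".")[-2:])


def domain_password(typed: str, url: str, length: int = 16) -> str:
    """Password actually sent to `url`, derived from the one the user typed.

    HMAC-SHA256 keyed with the typed password over the site domain is a
    stand-in chosen for this sketch, not PwdHash's published construction.
    """
    mac = hmac.new(typed.encode(), site_domain(url).encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).decode()[:length]


class SubmissionTracker:
    """AntiPhish-style watcher: remembers which domain each secret belongs to."""

    def __init__(self, salt: bytes = b"constructed-demo-salt") -> None:
        self._salt = salt
        self._owner: dict[bytes, str] = {}  # digest of secret -> owning domain

    def _digest(self, secret: str) -> bytes:
        # Store a slow salted digest, never the secret itself.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 50_000)

    def remember(self, secret: str, url: str) -> None:
        self._owner[self._digest(secret)] = site_domain(url)

    def check(self, secret: str, url: str) -> str:
        """'allow', or a warning when a remembered secret is sent elsewhere."""
        owner = self._owner.get(self._digest(secret))
        target = site_domain(url)
        if owner is None or owner == target:
            return "allow"
        return f"warn: secret saved for {owner} is being sent to {target}"


def demo() -> dict:
    typed = "correct horse battery"          # constructed sample password
    real = "https://www.gmail.com/login"     # hosts taken from the text above
    fake = "https://www.geemail.com/login"
    tracker = SubmissionTracker()
    tracker.remember(typed, real)
    return {
        "sent_to_real": domain_password(typed, real),
        "sent_to_fake": domain_password(typed, fake),
        "check_real": tracker.check(typed, real),
        "check_fake": tracker.check(typed, fake),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The value captured by the fake site differs from the one the real site expects, and the tracker raises its warning before the secret leaves the browser.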

978-1-5386-6373-8/18/$31.00 ©2018 IEEE


B. Spear Phishing

Spear phishing, as the name suggests, mainly points to a specific person rather than a wide group. Here attackers mostly "study" the person on social media, such as the way he/she customizes their communications, and hence while attacking they'll appear to be more authentic. Spear phishing is usually the first step in a targeted attack.

Countermeasures for spear phishing:

• User Education: Spear phishing targets an individual user, and as such user education for security awareness of phishing attacks is mandatory. Spear phishing can be really fatal for a company because it is used as a base intrusion while destroying a company's security systems.

C. Whaling

Whaling is the type of phishing where the attacker performs phishing on a higher executive of a company, like the Director of Operations, as he/she might have some of the valuable inner data, which is of considerable importance to the company. As such, whaling is of particular importance for the company.

Countermeasures against whaling:

Implementing multi-layer security systems:
It has to be accepted that only providing user education to the employees is not going to help in a company, as people doing whaling phishing are far more sophisticated in performing these types of attacks, and they'll intrude using spear phishing on an employee at his/her most vulnerable time, whether that is a personal situation or a long day at the office. It is therefore advised to have a multilayer security system in the office.

Updating Cyber security Policies:
As technology evolves day by day, so do the techniques used by cybercriminals; as such, the company's security policies should be updated in a timely manner.

D. Pharming

Like phishing, pharming sends users to a hoax website that appears to be original and genuine. Contrary to the general phishing techniques, here the user doesn't even have to click a link to be taken to a bogus site. The website's DNS server can be infected directly, so the user doesn't even have to click a link in order to reach malicious sites.

E. Countermeasures against pharming:

Mostly, the countermeasures that are used in "Deceptive Phishing" are also used for pharming, except for things such as taking a holistic approach towards DNS servers and sophisticated security training for senior IT engineers.

Figure 1: Block Diagram

For the analysis in our work we referred to the trends reported in the summary of the Phishing Activity Trends Report (3rd Quarter - 2017) by the Anti-Phishing Working Group (APWG) [1]. The monthly report analyses the phishing attacks reported to the APWG through the website at [1]. The total number of unique phishing reports submitted to APWG in the 3rd Quarter was 296,208. There was a consistent amount of decline in the phishing sites. Phishers are typically using the HTTPS protocol to fool people, as people assume that any site which has a secure HTTPS certificate (green) is safe to share information with. People who usually make online payments continued to be the most affected group. Phishing was found in more than 200 different top-level domains. Phishers use the simple technique of having an HTTPS-protected phishing site that mimics a secure terminal (as supposed by the user); however, the mere presence of HTTPS does not indicate that the site is safe from phishing, and many internet users do not know this. That a phisher has just bought a domain name and secured it with an HTTPS certificate doesn't mean that it is the official site; the site may be used to mimic one, and hence the user's PC gets compromised.

TABLE 1: ANALYSIS FOR THE THIRD QUARTER FOR PHISHING.

Content                                  July      August    September
No. of unique phishing sites detected    60,232    73,393    57,317
No. of unique phishing emails received   99,024    99,172    98,012
No. of brands targeted                   277       313       325
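The point above that an HTTPS certificate says nothing about whose site it is can be turned into a check on the host name alone. The following Python sketch is an added example, not code from the paper; the list of known sites, the two-label domain rule and the distance threshold are assumptions, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed list of genuine sites the user logs in to.
KNOWN_SITES = ("facebook.com", "gmail.com")

# Constructed sample URLs; geemail.com is the look-alike named in the text.
SAMPLES = (
    "https://www.gmail.com/",
    "https://www.geemail.com/",
    "http://www.geemail.com/",
    "https://gmail.com.account-verify.example/login",
    "https://faceb00k.example/",
    "https://example.org/",
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def assess(url: str, max_distance: int = 2) -> str:
    """Verdict based on the host name; the scheme never improves it."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "no registrable domain"
    # Assumption: two-label registrable domain (no Public Suffix List here).
    domain, name, subdomains = ".".join(labels[-2:]), labels[-2], labels[:-2]
    if domain in KNOWN_SITES:
        return "known site" if parts.scheme == "https" else "known site, no TLS"
    for real in KNOWN_SITES:
        brand = real.split(".")[0]
        if brand in subdomains:
            return f"brand '{brand}' appears under unrelated domain {domain}"
        if 0 < edit_distance(name, brand) <= max_distance:
            return f"lookalike of {real}"
    return "no match"


def assess_samples() -> dict:
    return {url: assess(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in assess_samples().items():
        print(f"{verdict:55} {url}")
```

The http and https variants of the same look-alike host get the same verdict, which is the behaviour the padlock alone cannot provide.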

Figure 2: Emergence of new malicious domains.

Figure 3: Pie chart depicting that users are easily deceived when the phishers use COM as the site domain. At 53%, COM is the domain with the highest number of users getting affected.

TABLE 2: TOTAL NUMBER OF INCIDENTS REPORTED AT FACEBOOK. THE TABLE INDICATES THAT MOST OF THE PHISHING ATTACKS IN THE RECENT HISTORY OCCURRED IN THE UNITED STATES. IT IS ALSO REMARKABLE TO SEE THAT THERE IS A HUGE DROP FROM THE US TO IRELAND.

Country of hosting      July     Aug      Sept     Total
United States           1,392    1,686    1,082    4,160
Ireland                 375      208      165      748
Brazil                  148      239      175      562
France                  19       60       87       166
Germany                 21       68       57       146
Canada                  44       68       33       145
Switzerland             0        77       8        85
Netherlands             12       34       22       68
United Kingdom          11       21       30       62
Czech Republic          19       25       13       57
Other (35 Countries)    59       121      52       232
Total                   2,100    2,607    1,724    6,431

In recent times, users are provided with many methods to protect them from the various levels of phishing attacks. There are quite a few attempts to reduce spam mails from reaching the end users [2] [3], while other techniques reduce fraudulent websites [4], and some check the genuineness of web pages that a user visits [5]. All these methods have some pros and inevitable cons. The main reason for the existence of phishing attacks even today is that mails can be spoofed easily to confuse users into wrongly believing their source. We can classify phishing mails as spam content, thus avoiding their use by the user, but even if spam filters have become quite efficient today, they are not able to tell every phishing mail apart from regular mails. One anti-spam and anti-phishing technique is to authenticate and verify the sender, preventing attackers from using fake or hijacked e-mail addresses. Microsoft is implementing the "Sender ID Framework" technique [2], whereas Yahoo is using its own method called "DomainKeys" [3]. As of now, Microsoft and other industry leaders are trying to standardise a technique called DomainKeys Identified Mail (DKIM), which is an evolved form of DomainKeys [3] [6]. Another approach is to maintain a database of malicious content and cross-verify the mail against the database, similar to using signatures in anti-virus programs. Whenever the user tries to open a web site that is present in the database, warnings come up and advise the user to avoid the website. Microsoft is using this approach along with some heuristics in the anti-phishing filter for their web browser [4].

TABLE 3: TABULAR DATA REPRESENTATION OF FIGURE 2.

Count of unique phishing URLs    Month 1    Month 2    Month 3
Quarter 1, 2016                  86,557     79,259     123,555
Quarter 2, 2016                  158,988    148,295    158,782
Quarter 3, 2016                  155,102    104,349    104,973
Quarter 4, 2016                  89,232     118,928    69,533
Quarter 1, 2017                  42,899     50,567     51,265
Quarter 2, 2017                  50,328     45,327     20,720
Quarter 3, 2017                  60,232     73,393     57,317

To reduce the number of phishing attacks, VeriSign is now crawling millions of websites to identify those that look identical to one of the agent's sites while having different domain information. Once a website is marked as a phishing site, legal procedure is applied to shut the site down. The main problem with crawling and blacklisting web sites is that the anti-phishing companies and the attackers will be in constant struggle with each other, where attackers create fake and malicious websites only to get them shut down, and the cycle repeats. Hence users are always under the threat of a phishing attack, and the attack is always imminent. Also, the efficiency of blacklisting methods depends on the quality of the lists and on how frequently they are maintained. Repeated checking should also be done.

Two browser-based client-side solutions are proposed by Stanford University for the detection and avoidance of phishing attacks [5] [7]. They are implemented as browser plugins.

PwdHash [7] is a plug-in, supported on Internet Explorer, that converts the user's passwords into domain-specific passwords, so that the generated passwords can be reused safely on multiple web sites. Because the generated passwords are domain specific, any password phished by a malicious website cannot be used anywhere else, such as a bank's website for a transaction. But it only works for passwords and cannot protect users' private information such as credit card information or social security numbers. SpoofGuard [5] is another such plugin, which offers a symptom-based solution that searches for traits in websites such as similar domain names and masked links.

TABLE 4: BRANDS THAT WERE AFFECTED BY PHISHING IN PAST TWO YEARS.

Phishing Campaigns' targeted brands    Month 1    Month 2    Month 3
Quarter 1, 2016                        431        406        418
Quarter 2, 2016                        411        425        418
Quarter 3, 2016                        358        340        361
Quarter 4, 2016                        357        332        264
Quarter 1, 2017                        424        423        444
Quarter 2, 2017                        460        457        452
Quarter 3, 2017                        277        313        325

III. CONTAINER BASED SOLUTION

Instance of an entire computer operating system within it, so if you were to open it on your computer, it would be like having a PC within a PC.
This technology is routinely used by software developers to test how their software works on different platforms, so for example, they might be working on a Windows PC, but the virtual machine would have a Mac OS X computer running within it at the same time.
Most people use their old laptops or desktop setups as an alternative for the old operating system, so that they can use the old software and games again.
And if you were to release a virus in the virtual machine or do something to crash the operating system, that's just fine; when you shut the virtual machine down, it's erased completely. When you are using a VM on your computer it acts as a layer on the existing files and computing resources, so that whatever you do in the virtual environment stays in the environment. So when you start your VM again, you have the option to keep the same instance or start a new one, so it's like you've got a brand-new computer.
We can use this technology to create web browsers capable of launching themselves in a virtual environment which is isolated from the rest of the operating system and the other applications running on it. All the content that runs in the browser will be running under the container sandbox. All the browser processes are executed inside the virtual environment.

IV. RESULT ANALYSIS

The main features of the browser are provided by the Manager App Container. It incorporates several other sub-containers within it to divide the backend processes. They are:

• Internet App Container: Gets the source codebase of a website from a domain and renders it.

• Intranet App Container: Gets the source codebase of websites from the Intranet. These sites can be control interface dashboards for various devices on the network like Wi-Fi routers, printers or any IoT devices. By separating it from the Internet, they are protected from attackers.

• Extensions App Container: Renders the in-built extensions of the browser (if any).

• Flash App Container: Renders the Flash-based applications by isolating them from the main content processes and running them separately, thus avoiding the exploitation of many of Adobe Flash's bugs.

• Service User Interface App Container: Renders browser pages, such as settings, about:flags, and the home page.

Figure 4: Different sub container of manager app container of web browser.

The Internet App Container is a major part of this browser. It renders the web pages provided by the domains that the user surfs. Because of the complexity of web page sources and the codebase being huge, web attacks can be easily executed. A malicious web site generally presents itself in such a believable way that the user gets confused about its authenticity. The website then tries to exploit any bugs in the browser to take control of its content process.
If by any chance some attacker gains control of the Internet App Container, they will need to find some exploits to execute their attacks. Even if they are successful in their exploit, they would need to actually find a way to get access to the system outside the virtual environment, which is not permitted in any way by the browser.

Cutting the web browser off from the rest of your PC:
The virtual environment won't need to emulate a full operating system but only a small set of features in order to run the browser. Most importantly, this means that users can browse the internet safely without access to any hardware devices like hard drives or printers. This way, the kernel is safe and secure from foreign attacks, thus safeguarding the most crucial part of the computer's OS.
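The sub-container split listed under RESULT ANALYSIS can be pictured as a routing decision made by the Manager App Container. The following Python sketch is an added example, not the authors' implementation; the container names come from the list above, while the routing rules, the `extension` scheme and the `may_load` policy are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Container names are the paper's; the routing rules are this sketch's assumptions.
INTERNET, INTRANET = "Internet", "Intranet"
EXTENSIONS, FLASH, SERVICE_UI = "Extensions", "Flash", "Service UI"
FLASH_TYPE = "application/x-shockwave-flash"


def is_intranet_host(host: str) -> bool:
    """Private, loopback and link-local addresses plus single-label names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat "printer" or "nas.local" as intranet names.
        return "." not in host or host.endswith(".local")
    return ip.is_private or ip.is_loopback or ip.is_link_local


def pick_container(url: str, content_type: str = "text/html") -> str:
    """Choose the sub-container that should render `url`."""
    parts = urlsplit(url)
    if parts.scheme == "about":              # settings, about:flags, home page
        return SERVICE_UI
    if parts.scheme == "extension":          # hypothetical scheme for built-ins
        return EXTENSIONS
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"refusing to render {url!r}")
    if content_type == FLASH_TYPE:
        return FLASH
    return INTRANET if is_intranet_host(parts.hostname) else INTERNET


def may_load(page_url: str, resource_url: str,
             resource_type: str = "text/html") -> bool:
    """Manager-side rule: Internet pages never reach inward.

    A page rendered in the Internet container may not request anything that
    belongs to the Intranet or Service UI containers, so a public site
    cannot drive a router dashboard or a browser settings page.
    """
    source = pick_container(page_url)
    target = pick_container(resource_url, resource_type)
    return not (source == INTERNET and target in (INTRANET, SERVICE_UI))


if __name__ == "__main__":
    # Constructed sample requests.
    print(pick_container("https://www.example.com/"))
    print(pick_container("http://192.168.1.1/admin"))
    print(pick_container("about:flags"))
    print(may_load("https://news.example.com/", "http://192.168.1.1/reboot"))
```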

Thus, using this browser, if a user ever receives a malicious email with a suspicious link, it will open in the container browser's virtual environment, and if some attacker tries to harm it, a simple restart can erase all the damage done.
In the same way, the browser would be ineffective if the user accidentally clicks on a malicious ad on some website, or one of his favorite websites gets compromised and starts redirecting the user to some attacker's site which downloads and executes malware such as ransomware.

V. CONCLUSION AND FUTURE ENHANCEMENT

Phishing is a major issue throughout the world and causes problems like identity theft. To date, phishing attacks have been the cause of billions of dollars in losses to companies and markets all over the world. Sometimes the phisher only wants to gain information which is worth many dollars, to sell it on the secondary market, hence the resources that were used by the company are all wasted. Therefore, phishing attacks are still a very common problem in cyberspace. In this paper we researched and presented a detailed analysis of some of the common phishing trends and the countermeasures that have been developed against them. We summarized the reported phishing attacks of the past two years and analyzed their trends. We have also proposed a virtual environment based container web browser solution.
If someone receives an email with a file attachment of unknown origin or format, like a Word document, Excel spreadsheet or PDF file, and the user launches it, it may still harm the computer. This is because that file will be opened using some other software like MS Word or Adobe Reader and will run outside the scope of the virtual machine. One possible solution to this is to implement some common file readers for pdf, doc, jpg etc. within the browser itself, so that those files can be opened within the virtual environment.

REFERENCES

[1] Anti-Phishing Working Group, "Phishing Activity Trends Report, 3rd Quarter," Aug. 2009. [Online]. Available: http://www.antiphishing.org.
[2] Microsoft, "Sender ID Framework Overview," Microsoft, 2005. [Online]. Available: http://www.microsoft.com.
[3] Yahoo, "Yahoo! Anti-Spam Resource Center," 2006. [Online]. Available: http://antispam.yahoo.com.
[4] Microsoft, "Anti-Phishing Technologies," Microsoft, 2005. [Online]. Available: http://www.microsoft.com.
[5] N. Chou, R. Ledesma, Y. Teraguchi, J. C. Mitchell and others, "Client-Side Defense Against Web-Based Identity Theft," in NDSS, 2004.
[6] Mutual Internet Practices Association, "DomainKeys Identified Mail (DKIM)," [Online]. Available: https://dkim.org/.
[7] B. Ross, C. Jackson, N. Miyake, D. Boneh and J. C. Mitchell, "Stronger Password Authentication Using Browser Extensions," SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium, Volume 14, May 2005.
[8] DEBIAN, "Deploy: Debian Project unable to deploy Sender ID," 2006. [Online]. Available: http://www.debian.org.
[9] B. Wardman, T. Stallings, G. Warner and A. Skjellum, "High-performance content-based phishing attack detection," in eCrime Researchers Summit (eCrime), Nov. 2011.
[10] T. N. Jagatic, N. A. Johnson, M. Jakobsson and F. Menczer, "Social phishing," Communications of the ACM, vol. 50, pp. 94-100, Oct. 2007.
[11] H. Huang, J. Tan and L. Liu, "Countermeasure techniques for deceptive phishing attack," in New Trends in Information and Service Science, 2009. NISS'09. International Conference on, pp. 636-641, June 2009.
[12] L. Wenyin, G. Huang, L. Xiaoyue, Z. Min and X. Deng, "Detection of phishing webpages based on visual similarity," in Special interest tracks and posters of the 14th international conference on World Wide Web, pp. 1060-1061, May 2005.
[13] S. Sheng, B. Wardman, G. Warner, L. F. Cranor, J. Hong and C. Zhang, "An empirical analysis of phishing blacklists," CHI '08 Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1065-1074, April 2009.
[14] B. Parno, C. Kuo and A. Perrig, "Phoolproof phishing prevention," in International Conference on Financial Cryptography and Data Security, vol. 4107, 2006.
[15] B. Parmar, "Protecting against spear-phishing," Computer Fraud & Security, vol. 2012, pp. 8-11, January 2012.
[16] M. Mishra and A. Jain, "Anti-Phishing Techniques: A Review," International Journal of Engineering Research and Application (IJERA), vol. 2, pp. 230-355, January 2012.
[17] E. Medvet, E. Kirda and C. Kruegel, "Visual-similarity-based phishing detection," in Proceedings of the 4th international conference on Security and privacy in communication networks, Sept. 2008.
[18] P. Kumaraguru, S. Sheng, A. Acquisti, L. F. Cranor and J. Hong, "Lessons from a real world evaluation of anti-phishing training," in eCrime Researchers Summit, pp. 1-12, Oct. 2008.
[19] E. Kirda and C. Kruegel, "Protecting users against phishing attacks," 29th Annual International Computer Software and Applications Conference (COMPSAC'05), vol. 49, pp. 517-524, Jul. 2005.
[20] H. Huang, S. Zhong and J. Tan, "Browser-side countermeasures for deceptive phishing attack," Fifth International Conference on Information Assurance and Security on, vol. 1, pp. 352-355, Aug. 2009.
[21] J. Hong, "The state of phishing attacks," Communications of the ACM, vol. 55, pp. 74-81, Jan. 2012.
[22] T. Halevi, J. Lewis and N. Memon, "Phishing, personality traits and Facebook," arXiv preprint arXiv:1301.7643, Jan. 2013.
[23] S. Gupta and P. Kumaraguru, "Emerging phishing trends and effectiveness of the anti-phishing landing page," in Electronic Crime Research (eCrime), 2014 APWG Symposium on, pp. 36-47, Nov. 2014.
[24] S. Garera, N. Provos, M. Chew and A. D. Rubin, "A framework for detection and measurement of phishing attacks," in Proceedings of the ACM workshop on Recurring malcode, pp. 1-8, Nov. 2007.
[25] I. Fette, N. Sadeh and A. Tomasic, "Learning to detect phishing emails," in Proceedings of the 16th international conference on World Wide Web, pp. 649-656, May 2007.
[26] R. Dhamija, J. D. Tygar and M. Hearst, "Why phishing works," in Proceedings of the SIGCHI conference on Human Factors in computing systems, pp. 581-590, April 2006.
[27] R. Dhamija and J. D. Tygar, "The battle against phishing: Dynamic security skins," in Proceedings of the 2005 symposium on Usable privacy and security, pp. 77-88, July 2005.
[28] J. Abawajy, "User preference of cyber security awareness delivery methods," Behaviour and Information Technology, vol. 33, no. 3, pp. 237-248, March 2014.
