
Phishing and Its Effect Against Business Networks
Mohd Khairul Amin bin Mohd Zaki
Universiti Sains Malaysia

Abstract

Phishing, an increasingly common form of online theft, is the act of tricking computer users into handing over control of their online accounts, typically using a combination of a forged email and a forged website. Phishers spam out authentic-looking emails that claim to come from a well-known financial or e-commerce institution such as Citibank, PayPal, eBay or America Online. The messages vary, but usually follow the same formula: the recipient is asked to click on a link in the message, which takes them to what appears to be a legitimate website. In fact, the website is a forgery, often virtually indistinguishable from the real thing. This paper describes phishing methods and tricks and discusses ways of protecting computers and networks from phishing attacks.

1. Introduction

Phishing represents one aspect of the increasingly complex and converging security threats facing businesses today. The methods used by spammers have become more sophisticated, and spam is now increasingly combined with malware and used as a tool for online fraud or theft, or to propagate malicious code. Phishing can therefore be considered a combined threat, part of a fast-changing and increasingly complex threat environment facing networks, which can encompass spam and various kinds of malware. Although consumers are the main targets of phishers, a phishing attack can damage the reputation and credibility of the affected business, putting brand equity at risk and leading to significant costs. Smaller businesses, meanwhile, may be more directly at risk of falling victim to email fraud, particularly where the corporate accounts are controlled by one or two people who may not have a great deal of technical knowledge. While this is less likely in larger organizations, it is clearly preferable for employees to be protected from fraud attempts arriving in their inboxes via the corporate network. It is therefore important that businesses use an integrated, robust solution to defend their email gateway from spam, phishing attacks and the many other varieties of email-borne security threat.

Reports gathered from websites and other resources show a surge in the number of reported phishing attacks. The Anti-Phishing Working Group tracked over 3,326 unique phishing sites in May 2005, with that number rising by an average of 28% per month since July 2004. According to a survey released by the research group Gartner in June 2005, over 2.42 million US adults reported losing money in phishing attacks, amounting to nearly $929 million in the past year. Another report, in October 2004 by the research group IDC, cited phishing as one of the fastest-growing non-violent crimes.

For a real case in Malaysia, Public Bank is one of the internet banking services being targeted by phishers. From 24 March 2010 to 22 April 2010, according to MyCERT's records, 55 phishing sites targeting clients of Public Bank were handled by MyCERT. MyCERT also observed that the phishers used Bahasa Malaysia for both the phishing emails and the domain names. A possible reason the phishers target Public Bank is weak security in its internet banking combined with a lack of user awareness of phishing.

The phishers targeting Public Bank users used only email to fool users into believing that the message was sent by Public Bank itself. The following picture shows the list of Public Bank phishing sites obtained from MyCERT.

Below is an example of a phishing email:

2. Phishing techniques

There are many phishing techniques that can be used to lure victims into giving their confidential information to the attacker.

Man-in-the-Middle Attack

Here, the attacker creates a fake website and draws users to it, normally by disguising the attacker's identity so that the message appears to come from a trusted source. Once this succeeds, users do not realize that, instead of reaching the intended website, they are on the fraudster's site, which sits between them and the genuine site. Everything keyed in during that session is captured, and the fraudster can carry out transactions on the genuine site at the same time.

Dragnet

The dragnet method involves spammed emails bearing falsified corporate identification (e.g., trademarks, logos and corporate names), addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site) and pointing to websites or pop-up windows carrying similarly falsified identification. Dragnet phishers do not identify specific prospective victims in advance. They rely only on the false information in the email to trigger an immediate response from victims, who click on links in the body of the email and are taken to websites or pop-up windows where they are asked to enter bank or credit-card account data or other personal data.
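Two of the dragnet tricks described above can be checked mechanically at the mail gateway or in a client: the link whose visible text names the institution's host while its href points somewhere else, and a From: domain that differs from the envelope sender. The following is an added example, not code from the paper; the message, the hostnames (examplebank.com and friends) and the Return-Path: line, which here stands in for what the receiving MTA would record, are all constructed.

```python
"""Two checks for the tell-tale signs of a dragnet phishing mail: link text that
names one host while the href points at another, and a From: domain that does
not match the Return-Path: (envelope sender) domain.

Added illustration, not code from the paper; the message below is constructed
and the Return-Path: line stands in for what the receiving MTA would record."""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of spammed message the dragnet technique relies on.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-42.example.net>
From: Example Bank Security <security@examplebank.com>
To: customer@example.org
Subject: Urgent: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, please confirm your details within 24 hours:</p>
<p><a href="http://examplebank-secure.example.net/login">https://www.examplebank.com/login</a></p>
<p>Help: <a href="https://www.examplebank.com/help">our help centre</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL, or '' when none can be parsed."""
    return (urlparse(url).hostname or "").lower()


def displayed_host(text):
    """Host named by the visible link text, or '' if the text is not URL-like."""
    if "://" not in text and not text.startswith("www."):
        return ""
    return host_of(text if "://" in text else "http://" + text)


def mismatched_links(raw_email):
    """(shown host, real host) for each link whose text claims one host but
    whose href goes to another: the core trick of a dragnet mail."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    found = []
    for href, text in extract_links(body.get_content()):
        shown = displayed_host(text)
        if shown and shown != host_of(href):
            found.append((shown, host_of(href)))
    return found


def sender_domains(raw_email):
    """(From: domain, Return-Path: domain). A mismatch means the visible sender
    was forged on top of someone else's mail infrastructure."""
    msg = message_from_string(raw_email, policy=default)
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    return from_dom, rp_dom


def analyse(raw_email):
    from_dom, rp_dom = sender_domains(raw_email)
    return {
        "link_mismatches": mismatched_links(raw_email),
        "sender_mismatch": bool(rp_dom) and from_dom != rp_dom,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

Run as a script, the sample is flagged on both counts: the login link shows www.examplebank.com but leads to examplebank-secure.example.net, and the mail was sent from mailer-42.example.net while claiming to be from examplebank.com. Legitimate bulk mailers do sometimes use a third-party envelope domain, so in production the sender check belongs alongside SPF and DKIM results rather than standing alone.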

Rod-and-Reel

In the rod-and-reel method, the phisher identifies specific prospective victims in advance and makes initial contact with them. The phisher then sends emails that direct the recipients to disclose particular confidential information, defined in advance, again using false information to trigger the response.

Lobsterpot

This technique relies on spoofed websites. It consists of creating spoofed websites, similar to legitimate corporate ones, that a narrowly defined class of victims is likely to seek out. In lobsterpot phishing, the phishers identify a smaller class of prospective victims in advance, but do not rely on a call to action to redirect them to another site. It is enough that the victims mistake the spoofed website they discover for a legitimate and trustworthy site. Spoofing can also occur at the protocol level. When the spoofer's goal is to gain access to a secured site or to mask his or her true identity, he or she may hijack an unsuspecting victim's address by falsifying a message's routing information so that it appears to have come from the victim's account rather than the spoofer's own. This may be done with the help of sniffers. Since information intended for a specific computer passes through any number of other computers in transit, the data essentially becomes fair game, and sniffers can capture it en route to its destination. Sniffer software can be programmed to select data intended for any or every computer.

Gillnet

In gillnet phishing, the phishers introduce malicious code into emails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site's pop-up window. Merely by opening a particular email or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases the malicious code changes settings on the user's system, so that a user who wants to visit a legitimate banking website is redirected to a phishing site. In other cases the malicious code records the user's keystrokes and passwords when they visit legitimate banking sites, then transmits that data to the phishers for later illegal access to the user's financial accounts.
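One concrete form of the setting change described above is an edited hosts file: the resolver consults it before DNS, so a line pinning the bank's hostname to the attacker's address sends the browser to the phishing server while the address bar still shows the genuine name. The check below is an added example, not code from the paper; the protected hostnames and the tampered hosts-file contents are constructed, and the two hosts-file paths are the conventional locations on Unix-like systems and Windows.

```python
"""Check for the gillnet redirection trick: malicious code that edits the local
hosts file so that a bank's hostname resolves to a phishing server while the
browser still shows the genuine name.

Added illustration, not code from the paper; the protected hostnames and the
hosts-file contents below are constructed."""
import ipaddress

# Constructed: hostnames that should never appear in a hosts file at all.
PROTECTED_HOSTS = {"www.examplebank.com", "online.examplebank.com"}

# Constructed contents of a hosts file after a Trojan has edited it.
SAMPLE_HOSTS = """\
# Hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.corp.example
203.0.113.77    www.examplebank.com online.examplebank.com   # injected line
"""

# Conventional locations of the system hosts file (Unix-like systems, then Windows).
HOSTS_PATHS = ("/etc/hosts", r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; comments and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def suspicious_mappings(hosts_text, protected=PROTECTED_HOSTS):
    """Protected hostnames that the hosts file pins to an address. The resolver
    consults the hosts file before DNS, so such a line sends the browser to the
    attacker's server for the real bank name."""
    return [(name, ip) for ip, name in parse_hosts(hosts_text) if name in protected]


def check_system_hosts(protected=PROTECTED_HOSTS):
    """Run the check against the live hosts file, if one is readable."""
    for path in HOSTS_PATHS:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return suspicious_mappings(fh.read(), protected)
        except OSError:
            continue
    return []


if __name__ == "__main__":
    print("sample:", suspicious_mappings(SAMPLE_HOSTS))
    print("this machine:", check_system_hosts())
```

The check only covers the hosts-file variant; a Trojan that hooks the browser or poisons the DNS resolver the machine uses leaves the hosts file clean, so an endpoint agent would pair this with the patching and firewall measures discussed later in the paper.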

3. List of real cases

Besides Malaysia, many kinds of phishing attack happen around the world. Several of them are listed below:

a. Douglas Havard and Lee Elwood case: they netted over 6.5 million pounds during 2003-04 in the UK (Roberts, 2005). They reportedly received large batches of stolen credit card information and passwords from unnamed individuals in Russia, then used them to purchase goods online and resell them, pocketing the proceeds and passing a cut to their counterparts in Russia through money exchanges. They also trafficked in stolen identity information and documents, including driver's licenses, passports and birth certificates.

b. Shelly S. Perry case: Perry operated an "Internet business" with the website address "www.paylessfurniture.com" from her private residence in Memphis, Tennessee. Perry defrauded many individuals, located throughout the country, who were attempting to purchase furniture via that website, auction sites and personal contact with her. More than 70 victims sent her over $110,000.

c. Citibank case: the financial losses of Russian businesses caused by carders reached $20,000,000. Carders, who specialise in counterfeiting plastic cards, use the Internet to obtain information on card holders and card numbers. Phishing messages were received by customers of Citibank. The Russian message reads: "Your personal account has accepted a wire transfer in foreign currency of more than $2000. According to the agreement of Citibank Online you have to confirm your data for successful acceptance of money to the account. To confirm this operation it is necessary to run the account management program and follow the proposed instructions. In case of non-confirmation the wire transfer will be returned to the sender." (Saytarly, 2004).

d. Bank of Ireland case: some customers of Bank of Ireland lost more than 110,000 to the scammers. One customer claims to have lost more than 49,000, and others reported losses of between 5,000 and 16,900 (OBrein, 2006a). The bank agreed to refund about 160,000.

4. How to avoid being phished

There are many methods to combat bank fraud in general and phishing in particular. Most financial institutions educate their customers regularly about phishing websites. In addition to these educational emails from the institutions, the following measures can reduce phishing fraud: measures for customers and the introduction of new technology.

Measures for customers

Customers must never share their password or other security-related information under any circumstances. They should never act on an email purportedly from a bank advising them to download updated antivirus software from the bank's website. Third, customers should keep an eye on the activity on their accounts by checking the bank's notification system regularly. Fourth, whenever they want to visit the bank's website, they should type the full URL into the browser address bar rather than following a link; this avoids logging on to spoofed sites such as http://www.citbank.com in place of http://www.citibank.com, or www.idbiibank.com in place of http://www.idbibank.com. Customers should not do internet banking over wireless internet connections or at Internet cafés, and should regularly read their bank's postings about security updates.

Introduction of new technology

Customers should use browsers such as Firefox 7, Opera and Internet Explorer 8 (all in their latest versions at the time of writing), which include phishing filters and better anti-fraud features than older releases. Second, banks must implement anti-phishing programmes such as the one implemented by HSBC in Hong Kong. Security firms such as Symantec and McAfee market anti-phishing software, and banks should install such security software. Many more companies are developing or marketing anti-phishing solutions, and these solutions can help safeguard banks and financial institutions against phishing.

Other approaches to avoid being phished

Customers should be cautious with emails and confidential data. Most banks have a security page on their website with information on carrying out safe transactions, along with the usual advice relating to confidential data. Customers should also avoid opening or replying to spam emails, as this may give the sender confirmation that they have reached a live address. Use common sense when reading emails: if something seems implausible or too good to be true, it probably is.

If you receive an email you suspect is not genuine, forward it to the organization it fraudulently claims to have come from. Many companies have a dedicated email address for reporting such phishing attempts. Legislation against online criminals is having an effect: there have been arrests of suspected phishers in several countries, including the UK and Brazil, while in Australia an email scammer who stole millions of dollars in an email fraud was sentenced to five years in prison.

The threat of Trojans being used in phishing attacks raises the possibility of a backdoor being opened to allow attackers access to the affected computer or network. Installing a personal firewall provides some measure of protection against this. As we have seen, keeping operating systems up to date with the latest security patches is also important in countering some of the phishing tricks already described, such as disguised headers and URLs. However, firewalls and patches will not stop users entering their details onto a forged [...] an organization's customer base. Message samples and additional information on the website owners are provided in the alerts to help customers respond quickly to the attack by shutting down the fraudulent website and communicating with their own customers. This service most obviously benefits financial institutions and online retailers, but other organizations with an online presence should also subscribe to such a service, especially those that conduct a significant portion of their customer transactions online. Phishing attacks are also broadening out to target other customer bases, such as charity donors.

Conclusion

In conclusion, there are many ways a phisher can obtain our personal information. It is up to us to be alert and cautious about phishing scams, and there are many kinds of security measures that can prevent this kind of threat.

References

1. http://www.antiphishingscams.com/email-phishing.html
2. http://fraudwatchinternational.com/phishing-fraud/phishing-email-methods/
3. http://labs.m86security.com/2011/03/phishing-scam-in-an-html-attachment/
4. http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishingfrom-open-recursive-dns-servers/
5. http://www.esecurityplanet.com/trends/article.php/3488216/DNSBasedPhishing-Attacks-on-The-Rise.htm
6. Phishing and the threat to corporate networks, Sophos Plc.
7. N. P. Singh, Journal of Internet Banking and Commerce.
8. Ahmad Nasir Mohd Zin, How to Make Online Banking Secure.
