Computer Crime Research Center


Phishing in Cyberspace: Issues and Solutions

Date: August 19, 2006
Source: Computer Crime Research Center
By: Mohamed CHAWKI

... In any phishing case, the Directive will insure that the communication data between criminals and victims, i.e phishing emails, spoofed web sites, etc are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law. [70]

The Directive is applied to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. [71] It shall not be applied to the content of electronic communications; including information consulted using an electronic communications network. [72] The data retained is provided only to the competent national authorities in specific cases and in accordance with national law. Data is retained for periods of not less than six months and not more than two years from the date of communication. [73] Member States have to take necessary measures to insure that any intentional access to, or transfer of; data is punishable by penalties, including administrative or criminal penalties that are effective, proportionate and dissuasive. Each Member State will designate a public authority to be responsible for monitoring the application within its territory of the provisions adopted regarding the security of sorted data. Following entry into force of the directive, Member States will have as a general rule 18 months in which to comply with its provisions.[74]

At the same time, European countries have confronted the dangers of cyberspace by devoting significant resources towards formulating a legal framework that addresses the technical and operational challenges of cybercrime. [76] The Convention on Cybercrime is considered “one of the most important legal instruments elaborated within the Council of Europe”. [77] It was approved by the Committee of Ministers of the Council of Europe (COE), and on November 23, 2001, the Convention was signed by twenty-six member states of the COE along with four non-member states — Canada, Japan, South Africa, and the United States, and entered into force on July 7, 2004, [78] and is actually ratified by 15 member States of the Council of Europe. [79] This Convention is the first international treaty to allow police in one country to request that their counterparts abroad collect an individual’s computer data, have the individual arrested and extradited to serve a prison sentence abroad. [80] It aims principally at (1) harmonising the domestic criminal substantive law elements of offences and connected provisions in the area of cyber-crime; (2) providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form; (3) setting up a fast and effective regime of international co-operation. [81] The Convention defines substantive criminal laws to be legislatively adopted by all signatory states. It covers crimes in four main categories: (a) “offences against the confidentiality, integrity and availability of computer data and systems;” [82] (b) computer-related offences; [83] (c) content-related offences (for example, child pornography) ; [84] and (d) “offences related to infringements of copyright and related rights ”. [85] Phishing attacks may be prohibited by either the first or the second group of offences.

The Convention provides that signatory countries must adopt measures to establish jurisdiction over any offences committed in their respective territories or by their nationals. [86] Moreover, it empowers legal authorities and police in one country to collect evidence of cybercrimes for police in another country, and establishes a 24/7 network [87] operating around the clock, seven days per week, to provide immediate assistance with ongoing investigations. This will help in collecting evidences and sharing information related to phishing in any member country.

Article 2 of the Convention prohibits the illegal access to a computer system. [88] “Access” comprises the entering of the whole or any part of a computer system (hardware, components, stored data of the system installed, directories, traffic and content-related data). [89] “Access” also includes the entering of another computer system, where it is connected via public telecommunication networks, or to a computer system on the same network, such as a LAN (local area network) or Intranet within an organisation. The method of communication does not matter. [90] This article may be applied to the act of accessing to bank accounts by the phishers after obtaining their confidential information. The act must also be committed ‘without right’.

The application of specific technical tools may result in an access under Article 2, such as the access of a web page, directly or through hypertext links, including deep-links or the application of “cookies” or “bots” to locate and retrieve information on behalf of communication. The application of such tools per se is not ‘without right’. The maintenance of a public web site implies consent by the web site-owner that it can be accessed by any other web-user. This article may be applied to some phishing scams that use JavaScript commands in order to alter the address bar. [91] This is done either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL. [92]

Article 3 of the Convention aims to protect the right of privacy of data communication. The offence represents the same violation of the privacy of communications as traditional tapping and recording of oral telephone conversations between persons. The offence established under Article 3 applies this principle to all forms of electronic data transfer, whether by telephone, fax, e-mail or file transfer. [93] As we have mentioned before, not all phishing attacks require a fake website and that confidential data may be intercepted by a voice over IP provider. [94] This article may be applied in this case.

The communication in the form of transmission of computer data can take place (a) inside a single computer system, (b) between two computer systems belonging to the same person, (c) two computers communicating with one another, or (d) a computer and a person. [95] Nonetheless, Parties may require as an additional element that the communication be transmitted between computer systems remotely connected.

Article 19 of this Convention aims at modernising and harmonising domestic laws on search and seizure of stored computer data for the purposes of obtaining evidence with respect to specific criminal investigations or proceedings. [96] Any domestic criminal procedural law includes powers for search and seizure of tangible objects. However, in a number of jurisdictions stored computer data per se will not be considered as a tangible object and therefore cannot be secured on behalf of criminal investigations and proceedings in a parallel manner as tangible objects, other than by securing the data medium upon which it is stored. [97] The aim of this article is to establish an equivalent power relating to stored data which is contained either within a computer system or part of it (such as a connected data storage device), or on an independent data storage medium. In phishing cases, this article may be applied for the search and seizure of digital evidence. It also helps in criminal investigations and proceedings as mentioned above.

4. Online phishing proposed solutions: Technical approaches
Information and communication technologies are a double-edged sword that, despite being used to commit online phishing could act as risk minimizing or mitigating factors to enhance privacy and secure the confidentiality and secrecy of personal identifying information.

4.1 Message source analysis
In order to prevent online phishing, the first step that law enforcement officers can do is to get the correct identity information of the phisher’s message source and then decide if the source is trustworthy or not. [98] From the system’s point of view, every computer on the Internet is identified by its IP address. It does not have semantic meanings until humans assign some meanings to it. [99]

Blacklist indicates whether a computer with an IP address is good or bad. A bad computer means that it was known to be used by phishers to send fraudulent emails on the Internet. [100] The blacklist publisher assigns the “goodness” (the machines’ IP addresses are not in the list) and the “badness” (the machines’ IP addresses are in the list) to all Internet machines. The problem of the blacklist is that it is hard to keep the list up-to-date since it is easy to register new IP addresses in the Internet. [101] After a phishers gets a new IP address, he can broadcast solicit emails and wait for victims. Without constant updates, the blacklist gives human users a wrong sense of security to newly-setup phishing sources.

4.2 Intrusion detection systems: Honeypots
A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of computer systems. [102] Generally honeypots consist of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information or a resource that would be of value to phishing attacks. [103] A honeypot is considered a surveillance and early-warning tool. [104] While often a computer system,...

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo