Computer Crime Research Center


Phishing in Cyberspace: Issues and Solutions

Date: August 19, 2006
Source: Computer Crime Research Center
By: Mohamed CHAWKI

... surveillance and early-warning tool. [104] While often a computer system, a honeypot can take other forms, such as data records, unused IP address space or files. Honeypots should have no production value and hence should see no legitimate traffic or activity; whatever they capture can therefore be assumed to be malicious or unauthorized. [105] One practical application is the spam honeypot: by masquerading as the kind of system spammers abuse to send spam, it can categorize the material it traps with 100% accuracy, because all of it is illicit. Such a honeypot needs no spam-recognition capability and no filter to separate ordinary email from spam, since ordinary email never reaches a honeypot. [106]
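The spam-trap idea above, as an added example that is not part of the original article: a minimal fake SMTP "open relay" that accepts every sender, recipient and message and records what it receives. Because the trap has no legitimate users, the code carries no spam-recognition logic at all; every capture is labelled spam by construction. The banner, the peer address and the client transcript are constructed for illustration, and the asyncio listener at the bottom is one way to put the same state machine on the network.

```python
import asyncio
from dataclasses import dataclass, field

@dataclass
class Capture:
    peer: str
    helo: str = ""
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    data: str = ""
    label: str = "spam"  # every capture is spam by construction: no filter needed

class SmtpTrap:
    """Scripted responder posing as an open relay (the banner is made up).
    feed() returns the reply for one client line, or None inside DATA."""

    def __init__(self, peer="unknown", banner="mail.example.net ESMTP Postfix"):
        self.peer, self.banner, self.captures = peer, banner, []
        self._in_data, self._buf = False, []
        self._cur = Capture(peer=peer)
        self.greeting = f"220 {banner}"

    def feed(self, line):
        line = line.rstrip("\r\n")
        if self._in_data:
            if line == ".":
                self._in_data = False
                self._cur.data = "\n".join(self._buf)
                self.captures.append(self._cur)
                self._cur, self._buf = Capture(peer=self.peer, helo=self._cur.helo), []
                return "250 2.0.0 Ok: queued"
            # RFC 5321 dot-stuffing: a leading ".." stands for a single "."
            self._buf.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self._cur.helo = arg
            return f"250 {self.banner.split()[0]}"
        if verb == "MAIL":
            self._cur.mail_from = arg.partition(":")[2].strip()
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            # A real relay refuses foreign recipients; the trap accepts every one,
            # because that open-relay behaviour is exactly what spammers probe for.
            self._cur.rcpt_to.append(arg.partition(":")[2].strip())
            return "250 2.1.5 Ok"
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"

def run_session(lines, peer="203.0.113.9"):
    """Drive one trap with a whole client transcript; return (replies, captures)."""
    trap = SmtpTrap(peer=peer)
    replies = [trap.greeting]
    for ln in lines:
        reply = trap.feed(ln)
        if reply is not None:
            replies.append(reply)
    return replies, trap.captures

# Constructed transcript of what a bulk mailer sends once it finds the trap.
SAMPLE_SESSION = [
    "EHLO bulkmailer.invalid",
    "MAIL FROM:<promo@bulkmailer.invalid>",
    "RCPT TO:<trap1@example.net>",
    "RCPT TO:<trap2@example.net>",
    "DATA",
    "Subject: Cheap pills",
    "",
    "..leading dot is unstuffed",
    "buy now",
    ".",
    "QUIT",
]

async def _handle(reader, writer):
    # Network front end for the same state machine; one trap per connection.
    trap = SmtpTrap(peer=writer.get_extra_info("peername")[0])
    writer.write((trap.greeting + "\r\n").encode())
    while raw := await reader.readline():
        reply = trap.feed(raw.decode(errors="replace"))
        if reply is not None:
            writer.write((reply + "\r\n").encode())
            await writer.drain()
            if reply.startswith("221"):
                break
    writer.close()
    print(*trap.captures, sep="\n")

async def _serve(port=2525):
    server = await asyncio.start_server(_handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(_serve())
```

Running the module listens on port 2525 and prints each captured message as a Capture record; `run_session(SAMPLE_SESSION)` exercises the same logic offline. Note that the trap only records mail: it never forwards it, so it cannot be turned into a working relay by whoever finds it.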

4.3 Sharing information
- The Anti-Phishing Working Group (APWG) is a global pan-industrial and law-enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types. [107] The APWG has over 2,300 members from over 1,500 companies and agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign; financial-industry members include the ING Group, VISA, Mastercard and the American Bankers Association.

- Another body is the Internet Crime Prevention and Control Institute (ICPCI). [108] This is a private, membership-based organization whose goals are to take action against internet crimes, to educate a variety of groups about internet crime issues, to research future threats and trends in internet crime, and to provide information and contact resources for victims of internet crime. [109]

4.4 Using anti-phishing toolbars
A toolbar is effectively a giant neighbourhood watch scheme that defends every internet user against phishing. Toolbars trap suspicious URLs containing characters that serve no purpose other than to deceive. [110] They also enforce the display of browser navigational controls in all windows, defending against pop-up windows that attempt to hide those controls. [111] Finally, some toolbars display a site's hosting location, including country, which helps the user evaluate fraudulent URLs (the real citibank.com or barclays.co.uk sites, for example, are unlikely to be hosted in the former Soviet Union). [112]
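The URL checks a toolbar applies, as an added example that is not part of the original article or of any particular toolbar product: it flags an "@" in the authority (the text before it is userinfo, so the browser connects to the host after it), a raw IP address as host, non-ASCII or punycode labels that can be homographs of a real name, a protected brand name used as a subdomain or path of an unrelated domain, and unusual subdomain depth, and it reports the hosting country. The brand list, the registrable-domain splitter and the country table are assumptions made up for the example; a real toolbar would use a full public-suffix list and a GeoIP database for the resolved address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brand domains the toolbar protects (a real toolbar
# would ship a much larger list, or query a reputation service).
BRAND_DOMAINS = ("citibank.com", "barclays.co.uk", "paypal.com")
# Constructed stand-in for a GeoIP lookup keyed by the host's resolved IP.
HOST_COUNTRY = {"203.0.113.10": "RU", "198.51.100.7": "US"}
# Two-level public suffixes handled by the toy registrable-domain splitter.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host):
    """Toy eTLD+1: last two labels, or three for ccTLD forms like co.uk."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in SECOND_LEVEL:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def check_url(url, resolved_ip=None):
    """Return {"host", "domain", "country", "findings"} for one URL.
    An empty findings list means no deceptive construct was spotted."""
    parts = urlsplit(url)
    findings = []
    if "@" in parts.netloc:
        # http://citibank.com@evil.example/ : everything before '@' is userinfo,
        # so the browser connects to the host after it, not the one displayed.
        findings.append("userinfo before '@' hides the real host")
    host = parts.hostname or ""  # already lower-cased, userinfo and port removed
    if not host:
        return {"host": "", "domain": "", "country": None, "findings": ["no host"]}
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in host (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host")
    domain = registrable_domain(host)
    if domain not in BRAND_DOMAINS:
        # A brand name in a subdomain or path of some other domain is the
        # classic lure: https://barclays.co.uk.secure-login.example/auth
        for brand in BRAND_DOMAINS:
            name = brand.split(".")[0]
            if name in host or name in parts.path.lower():
                findings.append(f"'{name}' used on unrelated domain {domain}")
                break
    if host.count(".") >= 4:
        findings.append("excessive subdomain depth")
    country = HOST_COUNTRY.get(resolved_ip) if resolved_ip else None
    return {"host": host, "domain": domain, "country": country, "findings": findings}


if __name__ == "__main__":
    for u in ("https://www.citibank.com/signin",
              "http://citibank.com@203.0.113.10/login",
              "https://barclays.co.uk.secure-login.example/auth"):
        print(u, check_url(u, "203.0.113.10"))
```

The hosting country is reported rather than scored because it is evidence, not proof: the user (or a policy layer) decides whether a bank's login page served from an unexpected country is plausible. Note also that the brand check is deliberately not applied when the registrable domain is the brand's own, so `www.citibank.com` is clean while `citibank.com.example` is not.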

4.5 Using identity scoring systems: Fair Isaac
Fair Isaac Corporation was founded in 1956 by engineer Bill Fair and mathematician Earl Isaac, and provides decision-management systems and consulting services. [114] It developed the FICO score, a measure of credit risk that is the most widely used credit score in the world; FICO scores are available through all of the major consumer reporting agencies in Canada and the United States.

4.6 Consumer education
- Moving on to consumer education, we suggest that internet users take the following steps:
(a) Choose safer software.
(b) Avoid using peer-to-peer programs.
(c) Back up their data.
(d) Choose strong passwords.
(e) Don't share their personal information online.
(f) Don't believe everything they read.
(g) Check their bank statements.
(h) Install a firewall.
(i) Install patches.
(j) Pull the plug.
(k) Turn off services they don't need.
(l) Close unused accounts.

- If you have been phished, be sure to do the following:
(a) Close your accounts.
(b) Change your passwords.
(c) Get a credit report.
(d) Contact the Federal Trade Commission.
(e) File a police report.

Conclusion

Online phishing is a persistent international evil that transcends national boundaries and makes this form of organized crime a global concern. It takes several forms, including stealing credit card numbers, compiling email lists, providing mail-sending machines and hosting fraudulent web sites. Taking over someone's identity, however, is a major criminal activity and a blatant evil that must be tackled effectively at every level. Among the major factors that facilitate online phishing are economic, educational and social conditions. At the same time, the globalisation of technology and the revolutionary advance of ICTs have changed criminal activity, online phishing in particular. Trojans, botnets, keyloggers and templates are among the tools criminals use to commit their crimes and promote their services. By and large, it is submitted that online phishing should be subject to a global principle of public policy aimed at combating and preventing this form of organized crime: raising global awareness and literacy rates, promoting economic development, improving social conditions in the least developed source and transit countries, coordinating legislative efforts at national, regional and global levels, and establishing a high-level global network of cooperation between national, regional and international enforcement agencies and police forces.

Moreover, Dr. TULIANI suggests that the most obvious way to combat online phishing is to stop it arising in the first place. [115] That requires the widespread deployment of a trustworthy and foolproof PC interface, something beyond the current technology horizon. Finally, the adoption of SMS-based security measures must be carefully managed, particularly the procedures for registering and maintaining records of users' mobile phone numbers. [116]

References

1 The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they "fish" for users' financial information and password data. The most common ploy is to copy the Web page code from a major site — such as AOL — and use that code to set up a replica page that appears to be part of the company's site. (This is why phishing is also called brand spoofing.) A fake e-mail is sent out with a link to this page, which solicits the user's credit card data or password. When the form is submitted, it sends the data to the scammer while leaving the user on the company's site so they don't suspect a thing. Hackers have an endearing tendency to change the letter "f" to "ph," and phishing is but one example. Available at:
(visited 27/07/2006).
2 See, What is phishing : A word definition from the Webopedia, available at:
(visited 27/07/2006). The term "identity" is commonly used arbitrarily and imprecisely in popular media and literature, and the terms "identity theft" and "identity crime" are frequently used interchangeably. Occasional misuses are not surprising because, in the contemporary context, the traditional meaning underlying those concepts has become increasingly bound up with information and information technology (IT). The Oxford English Dictionary defines "identity" as "the set of behavioral or personal characteristics by which an individual is recognized". The traditional use of the word "identity" spoke to one's name, familial membership and occupation. The contemporary meaning of "identity" has, however, assumed a candidly IT connotation that extends the traditional meaning to include such things as one's consumer and credit histories, financial accounts and Social Security number. It is this contemporary usage of "identity" that is at issue when it comes to conceptualizing identity theft. See J. COLLINS, Preventing Identity Theft in Your Business: How to Protect Your Business, Customers and Employees (John Wiley and Sons), [2005], p. 7.
3 According to the American Heritage Dictionary of the English Language, information is “knowledge of specific events or situations that has been gathered or received by communication, intelligence, or news”.
4 Ibid.
5 Ibid.
6 See R. LININGER and R. DEAN, Phishing, cutting identity theft line (Wiley, Canada), [2005], p. 1.
7 See New Phishing Techniques: Safe Like Money in the Bank. Available at:
(visited 07/08/2006).
8 See S. BRENNER, Cybercrime Metrics: Old Wine, New Bottles (Virginia, Virginia Journal of Law and Technology), [2004], p. 6.
9 Ibid.
10 See M. CHAWKI and M. Abdel WAHAB, Identity Theft in Cyberspace: Issues and Solutions (LexElectronica), [Spring 2006].
11 Ibid.
12 Ibid.
13 See (visited 07/08/2006).
14 Ibid.
15 Ibid.
16 See Damage caused by phishing, available at http://en.wikipedia.org/wiki/Phishing#_note-18 (visited 07/08/2006).
17 Ibid.
18 See M. CHAWKI and M. Abdel WAHAB, op. cit.
19 In fact, the term cyberspace literally means ‘navigable space’ and is derived from the Greek word kyber (to navigate). In William Gibson’s 1984 novel, the original source of the term, cyberspace refers to, a navigable, digital space of networked computers accessible from computer consoles, a visual, colourful, electronic, Cartesian datascape known as ‘The Matrix’ where companies and individuals interact with, and trade in, information. Since the publication of this novel, the term cyberspace has been re-appropriated, adapted and used in a variety of ways, by many different constituencies, all of which refer in some way to emerging computer- mediated communication and...



Copyright © 2001-2013 Computer Crime Research Center