Computer Crime Research Center

staff/mohamed.jpg

Phishing in Cyberspace: Issues and Solutions

Date: August 19, 2006
Source: Computer Crime Research Center
By: Mohamed CHAWKI

Abstract:

This paper analyses and addresses the growing threat of phishing in cyberspace. Digital transactions and communications have, over the past decade, been increasingly transpiring at an accelerated rate. This non-linear progression has generated a myriad of risks associated with the utilization of information and communication technologies in cyberspace communications, amongst the most important of which is the online phishing crime.
This paper aims to provide an overview of the risks related to this crime and seeks to offer some solutions based on the necessity of pursuing an international policy encompassing strategic, regulatory and technical approaches.

Keywords: Phishing - Cybercrime – Cyberspace - Identity theft

1. Introduction

Phishing [1] is the act of sending an email to a user falsely claiming to be an established legitimate business in an attempt to scam the user into surrendering private information that will be used for identity theft. [2] The email directs the user to visit a Web site where he or she is asked to update personal information, [3] such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has issued. [4] The Web site, however, is bogus and set up only to steal the user’s information. [5] Phishing combines the power of the internet with universal human nature to defraud millions of people out of billions of dollars. [6] Nearly every internet user has received a phishing email by now.

On such account, phishing is a serious crime that merits due consideration and adequate prevention and combating. Phishing may be committed in whole or in part by the use of information and communication technologies (ICTs), which dispenses with face – to – face physical contact and allows for distance counters. [7] Historically, fraud involved face-to-face communication since physical contact was primarily the norm. [8] Even when remote communication — i.e., snail mail—could be used to set up a fraudulent transaction, it was often still necessary for the parties to meet and consummate the crime with a physical transfer of the tangible property obtained by deceit. [9] Nevertheless, the proliferation of ICTs has exerted a profound impact upon the nature and form of the crime, and has altered the mechanisms of crime commission. [10] Nowadays, perpetrators can use fraudulent emails and fake websites to scam thousands of victims located around the globe, and may expend less effort in doing so than their predecessors. [11] This new form of automated or electronic crime distinguishes online virtual fraud from real-world fraud in at least two important respects: [12] (a) it is far more difficult for law enforcement officers to identify and apprehend online fraudsters; and (b) these offenders can commit crimes on a far broader scale than their real-world counterparts.

Studies indicate that the number of phishing incidents is increasing at an alarming rate. [13] A recent report by the Anti – Phishing Working Group (APWG) found that phishing attacks have increased. [14] In May 2006, alone, more than 20, 109 emails and 11, 976 phishing web sites, representing 137 hijacked brands were reported and tracked by the APWG. [15] In the United States, it was estimated that between May 2004 and May 2005, 1,2 million internet users were victims of phishing, totaling approx. $ 929 million USD. [16] In the United Kingdom, losses from phishing almost doubled to £ 23.2 m in 2005, from £ 12.2 m in 2004. [17]

Finally, online phishing does carry the seeds of a potential conflict between national legal systems due to the intrinsic transnational and cross-border implications of such crimes, and the relative variation and divergence of national and regional policies dealing with such crimes. Whilst national and international efforts are underway to establish harmonized and consistent national strategies and policies to combat cybercrime, global condemnation as well as adequate universal policies may not be achieved in the near future at least until all states recognize the importance of ICTs and the need for existence of an adequate regulatory framework. [18]

2. Phishing techniques
There are many techniques used by phishers in cyberspace. [19] Perhaps the most frequently ones are: [20]

2.1 Dragnet method
On January 26, 2004, the Federal Trade Commission filed the first lawsuit against a suspected phisher. [21] The defendant, a Californian teenager, allegedly created and used a webpage designed to look like the America Online website, so that he could steal credit card numbers.[22] In the same year, California federal prosecution, prosecuted a 21 years old defendant who used spoofed eBay emails and Web pages to acquire users’ names and passwords, then ran fraudulent auctions on eBay under the victim’s names. [23] This particular crime involved the use of the dragnet method. This method involves the use of spammed emails, bearing falsified corporate identification (e.g., trademarks, logos, and corporate names), that are addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site) to websites or pop-up windows with similarly falsified identification. [24]

Dragnet phishers don’t identify specific prospective victims in advance. [25] Instead, they rely on the false information they include in the e-mail to trigger an immediate response by victims – typically, clicking on links in the body of the email to take them to the websites or pop-up windows where are requested to enter bank or credit-card account data or other personal data. [26]

2.2 Rod – and – Reel method
In a 2004 Connecticut federal prosecution, a young husband and wife team worked together to access chat rooms, use a device to capture the screen names of chat room participants, and send e-mails that directed recipients to disclose their correct billing information, including current credit-card numbers. [27] Two years later, eight people were arrested by Japanese police on suspicion of phishing fraud by creating bogus Yahoo Japan Web sites, netting themselves 100 million yen ($870 thousand USD). [28] The principals in the scheme then used the credit – card numbers and other personal data to arrange for wire transfers of funds via Western Union, but had others pick up the funds from Western Union. In rod and reel method, phishers identify specific prospective victims in advance, and convey false information to them to prompt their disclosure of personal and financial data. [29]

2.3 Lobsterpot method
This technique relies solely on the use of spoofed websites. It consists in the creation of spoofed websites, similar to legitimate corporate ones, that a narrowly defined class of victims is likely to seek out. In lobsterpot phishing, the phishers identify a smaller class of prospective victims in advance, but do not rely on a call to action to redirect prospective victims to another site. It is enough that the victims mistake the spoofed website they discover on their won as a legitimate and trust worthy site. [30] In fact, spoof attacks occur at the Protocol layer level. When the spoofer’s goal is to either gain access to a secured site or to mask his or her true identity, he or she may hijack an unsuspecting victim’s address by falsifying the message’s routing information so that it appears to have come from the victim’s account instead of his or her own. [31] He or she may do so through the use of “sniffers.” Since information intended for a specific computer must pass through any number of other computers while in transit, the data essentially becomes fair game, and sniffers may be used to essentially capture the information en route to its destination. Sniffer software can be programmed to select data intended for any or every computer.[32]

2.4 Gillnet phishing
At West Point in 2004, teacher and National Security Agency expert Aaron Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. [33] The messages appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message; in response they received a notification that they’d been duped and warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware. [34] This technique relies far less on social engineering than the preceding techniques. In gillnet phishing, phishers introduce malicious code into emails and websites. They can, for example misuse browser functionality by injecting hostile content into another site’s pop – up window. [35] Merely by opening a particular email, or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code will change settings in user’s systems, so that users who want to visit legitimate banking websites will be redirected to a lookalike phishing site. In other cases, the malicious code will record user’s keystrokes and passwords when they visit legitimate banking sites, then transmit those data to phishers for later illegal access to users’ financial accounts. [36]


2.5 New phishing techniques
In fact, not all phishing attacks use a fake website. [37] In an incident in 2006 , messages that claimed to be from a bank asked the users to dial a phone number...


Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo