Phishing: An Analysis of the Problem as a Security Weakness

It is an unfortunate reality, but phishing is one of the greatest security weaknesses facing IT today. The concept behind phishing is relatively simple. Essentially, the definition of phishing is the use of social engineering and technical subterfuge to steal a customer's identity and account data (Facts, 2006). In layman's terms, phishing is, essentially, the use of impersonation of a more reliable website, such as PayPal, in order to steal a person's identity, credit card information, or other sensitive information. For businesses, this poses a huge security weakness, because even though phishing is usually easy enough to avoid, being able to trust name-brand websites is important for the business to be successful. This paper will examine the use of phishing as a business vulnerability, and what can be done to stop it.

First, it is necessary to examine how hackers can effectively use phishing to override a business's defenses. While spamming is another popular tactic used by internet criminals, it is, ultimately, not as big an issue in the grand scheme of things as phishing, simply because the monetary costs of phishing are much greater than that of spamming, which only takes up bandwidth (Jagatic, 2007). The basics of phishing are relatively simple. An article by Markus Jakobsson and Steven Myers (2007) explains that phishing is a multi-stage process. First, the hackers use what Jakobsson and Myers call “the lure.” This is where the hackers send out a mass number of email messages that appear to be from legitimate sources, such as a bank or cell phone service provider. The next step is called “the hook.” Here, the hackers must encourage the user to go to a specified website and enter sensitive and identifying information (such as passwords, bank account information, or answers to security questions). The final step, “the catch,” is where the hacker uses this information to actually hack a user’s account by using information gained in the previous two steps to impersonate them. Oftentimes, if a hacker has already reached step three, it is too late to do anything about it save for changing passwords and alerting the proper authorities. This three-step process can sometimes happen in mere minutes, giving the potential impulse-minded user little time to rethink their actions. For this reason, it is important to be proactive in identifying possible phishing attempts before they start. To do this, it is important to understand just how serious phishing is.

The reason why phishing is such a large security weakness to businesses is mainly because it can be done by almost anyone, from anywhere, and can occur at anytime, with potentially disastrous results (Jagatic, 2007). In addition, phishing has become much more organized in the relatively recent past, with phishers learning to target higher-value entities such as businesses, rather than individuals (James, 2005). The emails they have sent are also becoming increasingly more convincing in their believability, since they are learning to mimic not just the website name, but subtle nuances of the site, such as the font, language, or pictures. In fact, one estimate found that, in a single mass mailing of 100,000 emails, 10 percent of those were actually received by the user, and as many as one percent were able to actually collect the user's information (James, 2005). These are scary numbers, and help to prove that phishers are constantly working to find ways to overcome the defense of a business. Since most businesses operate on localized networks, it is very easy, and likely, for phishers to send these emails to everyone in the business, and if even one replies to the phisher with personal information, the consequences could be devastating for the company. Since much of a company's information is stored on this shared network, having the security of this network be compromised by phishing would mean that these hackers could have access to the company's information, which would, of course, be very bad.

In terms of legal ramifications of phishing, there are few. While phishing is, of course, considered fraud, it is oftentimes very difficult to catch phishers, since they utilize proxies, which hide the source of where they are sending their malicious emails and such from (James, 2005). This is exacerbated by the fact that phishing is extremely fast-paced activity, and can be performed almost instantaneously. Worse yet, in order for a phisher to actually be caught and punished to the full extent of the law, a potential victim must know in advance that they are about to be phished, and alert an entity such as the Federal Trade Commission of the potential security risk (James, 2005). There has been anti-phishing legislation put into place, namely, the Anti-Phishing Act of 2004, which states that the creation of fraudulent web sites and sending fraudulent email as, of course, fraud, and thus illegal (James, 2005). This is certainly helpful to avert phishing, but many times, it must be taken into the hands of the business itself. It is possible to combat phishing, and one way to do this is to become better educated about it, starting with the various different types of phishing.

One of the most common types of phishing is called clone phishing. This is where a phisher creates a cloned email address by gathering information such as recipient addresses from a previously delivered legitimate email, and then resends this email with malware and the like programmed into it. Clone phishing is also the type of phishing that involves spoofing so that an email appears to come from a genuine source (Saleem, 2012). This type of phishing is probably the largest security weakness to businesses because it can multiply and become progressively worse as more and more employees fall for it, since it banks on an employee's trust of other employees in order to succeed. Another commonly-seen type of phishing is known as spear phishing. This security weakness is where thousands of emails are sent out to random people, or people within an organization, such as a business (Saleem, 2012). One of the most well-known examples of spear phishing is in 2008, when several CEOs were sent a fake subpoena along with a virus that would initiate when viewed (Saleem, 2012). This example is not an isolated incident, either. There have been these types of spear phishing attacks on other large entities such as the Australian Prime Minister's office, the Canadian government, and the Oak Ridge National Laboratory (Saleem, 2012). The third and final type of phishing is called phone phishing, and, as its name implies, operates mainly over the phone. This type of phishing requires the user to dial a phone number of a bank (usually), which the phisher can then, eventually, use to imitate said bank and extract a user's information and thus, steal their bank account information (Saleem, 2012). This type of phishing is a serious security weakness for businesses because many are not aware that phishing exists even over the phone, and that a phisher does not even require email phishing in order to be effective.

Although education on the various types of phishing is helpful to keeping a business safe from phishing, it is necessary to understand some of the best techniques that the layman can use to prevent this security weakness from devastating a business. An article by Neil Chou, Robert Ledesma, Yuka Teraguchi, and John C. Mitchell (2004) explains a few common solutions that can help the average consumer identify phishing attempts. The most obvious line of defense is simple observation. Examining the URL of a webpage can expose phishing attempts easily, as explained in the article. “An @ in a URL causes the string to the left to be disregarded, with the string on the right treated as the actual URL for retrieving the page. (p.4)” This means that it is possible to identify phishing attempts simply by looking for an @ symbol in the URL bar. If it does, it may be necessary to take other preventative measures to determine if a URL is a phishing attempt. This step, according to Chou et al. involves using a program called Spoof Guard, which is a plug-in that can scan pictures in potential phishing emails to determine if those same pictures have been reported in other phishing attempts. The last resort for a victim of phishing is to quickly notify all credit and banking agencies of the phishing attempt in order to minimize the financial damage done. Even if it is too late to save finances and such, many banks and credit cards have some form of insurance for things like phishing or identity theft that will soften the financial blow it can cause. With these tools and knowledge, at least preventing phishing is a little easier, although, of course, there is no substitute for common sense.

One of the most popular methods for attempting to block phishing is by simply blacklisting the site that the offending phishing is originating from. This tends to be ineffective, however, as studies show that most phishing websites are only active for less than two hours, and it takes the average user far less than those two hours to click on the link sent by a phisher, and by then, of course, it is too late (Sheng, et al, 2009). There are other measures that can be taken to proactively block phishing attempts, such as utilizing an email gateway filter to block the offending emails and web pages from entering into the company's servers to begin with, but these measures are usually very easy to circumvent, and should not be relied upon as a permanent solution to this security weakness. The best solution is to be proactive in looking for phishing attempts. There are other, more effective ways to combat it, such as by going after the real source of the problem.

One of the most famous examples of phishing, that also serves as a way for businesses to learn how not to deal with their security weaknesses, is Microsoft v. John Doe. Microsoft began filing these cases after numerous complaints about phishing, spamming, and other cyber security issues. It would be a waste of time to only bring one or two of these phishers to trial, so Microsoft brought many of them to court in bulk, in the form of John Does. The defendant was named John Doe because he was a internet phisher, and, as such, his true name was unknown. Microsoft actually filed numerous John Doe cases: about 63, in fact (Kornblum, 2005). While previous John Doe cases had been filed in the past, Microsoft v. John Doe represented one of the first major companies to take strong legal action against phishers. This helped to show that phishing and similar internet crimes were not going to be taken lightly and would be, if possible, punished to the full extent of the law. In order to gather data about the John Doe, so that they may be identified and punished, Microsoft gathers data on the owner of a website thought to be a hive for spam, phishing, and other cybercrime. Then, Microsoft issues subpoenas to entities who might hold information about the website owner (the John Doe) such as internet service providers, financial institutions, and payment processors such as PayPal (Kornblum, 2005). Then, Microsoft attempts to attain the suspected phisher's IP address (which will help to triangulate the physical location of the phisher) from their internet service provider (Kornblum, 2005). Finally, Microsoft will follow the proverbial money trail left by a John Doe in an attempt to acquire even more evidence against them. The process is mildly successful, with about 32 of the 62 John Doe suits filed actually leading to an identification and eventual charging of the phisher (Kornblum, 2005). However, these court cases are important more for what they represent than for what actually happened in the case. That is, that it is possible, with enough diligence, manpower, and cooperation, to actually track down these supposedly anonymous phishers and bring them to justice. It is also possible for businesses to examine this cyber-security weakness and how they operate through these court cases, which helps to improve overall security by being able to plan and adapt to these phishers before they have a chance to wreak havoc on the company. Even now, measures are being taken, especially by larger companies, to bring as many of these phishers to justice as possible, with varying amounts of success, but it at least shows that big business will continue to take the issue seriously and continue to combat phishing.

Since then, there have been many advances made to help stem the flow of this cyber-weakness. One of the more practical measures are certain applications that help to validate websites and the information contained in them. One of these applications, called TrustBar, attaches a bar at the top of the browser window and scans all incoming data to determine whether or not the source is genuine (Herzberg and Gbara, 2004). Trustbar scans the logo of a particular email or website and determines if it exactly matches the database file of said picture that is on file. It also checks the credentials of the site, which act as a sort of digital fingerprint, to determine if a site or email is genuine (Herzberg and Gbara, 2004). This acts as a final layer of defense against phishing, in case common sense and identifying other telltale factors of phishing fail. It is also helpful because it is easily able to be dispersed to all members of a business or other organization, meaning that it is possible for all users in the company to be mostly protected against phishing. In order for it to be effective, however, it must be universally installed on all machines within a company. This means purchasing many copies of it or a similar piece of anti-phishing software and installing it on every computer in the company, which could prove to be an arduous, and expensive, task, but one that will defend against this security weakness. However, there is a downside to these toolbars, and that is, quite simply, the human element. The toolbars can warn users of imminent phishing threats, but cannot actually do anything about it, in most cases. In short, they rely on the user to notice the toolbar and make the correct decision in regards to blocking the offending website, which, of course, does not have a 100% success rate, and will eventually lead to security breaches.

Lastly, one of the easiest to identify factors of phishing attempts leads to the final line of defense against them: by identifying them on the simplest criteria, that is, the structure of the phishing email itself. To this end, the user must examine, or use special software to examine, some of the intricacies in potentially suspicious emails and web pages. For example, a user who receives a potentially harmful email from PayPal requesting their banking information may run what is called a HTML scan which can be done by the user itself easily (Chandrasekaran, 2006). This is a surefire way to determine the authenticity of a source, as reputable companies like PayPal will not have the oftentimes stilted structure that many of these phishing emails and websites possess. By the same token, if a user observes a website that they determine is not genuine, they may attempt to cease using that website and, assuming they successfully averted the phishing attempt, disable some of the culprits that are leading to phishing, such as ActiveX controls and similar browser helper objects so they may avoid it in the future (Chandrasekaran, 2006)..

While phishing is, of course, a serious security weakness for businesses, it is not one that is insurmountable. In fact, with the right combination of software and common sense, as well as a small amount of technical knowhow, it is very possible to have a flawless success rate in dealing with these phishing attempts. The key is to be vigilant against them, and to continue to do research on the latest methods phishers are using to gather personal information, and use this information to continue to evolve the business's defenses alongside theirs. Using these measures, this cyber-security weakness may be patched with relative ease. Phishing is a serious security concern and allowing phishing to continue to run rampant among businesses represents a key security threat that must not only be stopped, but proactively protected against to protect the business as much as possible.

References

Chandrasekaran, M., Narayanan, K., & Upadhyaya, S. (2006) Phishing email detection based on structural properties. In NYS Cyber Security Conference (pp. 1-7).

Chou, N., Ledesma, R., Teraguchi, Y., & Mitchell, J. C. (2004,). Client-Side Defense Against Web-Based Identity Theft. In NDSS. 3-5

Facts, P. (2006). Phishing mongers and posers. Communications of the ACM, 49(4), 21.

Herzberg, A., & Gbara, A. (2004). Trustbar: Protecting (even naive) web users from spoofing and phishing attacks. Computer Science Department Bar Ilan University, 6.

Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2007). Social phishing. Communications of the ACM, 50(10), 94-100.

Jakobsson, M., & Myers, S. (Eds.). (2006). Phishing and countermeasures: understanding the increasing problem of electronic identity theft. Wiley.com

James, L. (2005). Phishing exposed. Syngress. 3-12

Kornblum, A. E. (2005) Searching For John Doe: Finding Spammers and Phishers. In CEAS.

Sheng, S., Wardman, B., Warner, G., Cranor, L., Hong, J., & Zhang, C. (2009) An empirical analysis of phishing blacklists. In Sixth Conference on Email and Anti-Spam (CEAS).

Shi, J., Saleem, S. (2012) Phishing. 2-4