PHISHING ATTACK TYPES & MITIGATION STRATEGIES
SARIM KHAWAJA
VERSION 1.1
27 OCTOBER 2013
1 INTRODUCTION
Phishing, otherwise known as carding or brand spoofing [1], is a malicious attempt to acquire personal information from a user. The personal information sought may include, but is not limited to, usernames, passwords and bank account/credit card details. Since the user is more likely to respond to someone known to them, the attacker may pose as the user’s bank, email provider, company IT administrator, or social networking website.
The term phishing may originate from the phrase ‘password harvesting fishing’ [2], or may be an adaptation of the term ‘phreak’/‘phone freak’ [3]. The word is analogous to ‘fishing’ as the attacker uses an email as bait to ‘catch’ usernames and passwords.
In the traditional model, an attacker sends an authentic-looking email to thousands of addresses. The PCs of the small percentage of users that act on the email by downloading the attachment are then infected with a Trojan or other malware.
Phishing is a serious threat to consumers as well as to organizations. The industry sectors most targeted by phishing attacks in the first quarter of 2013 were payment services (45.48%), financial (23.95%), retail/service (9.84%), ISP (8.52%), and gaming (5.66%), and the top country hosting phishing sites was the U.S. [4]. According to estimates, 5% of adults in the U.S. fall prey to phishing every year [5], with total damages of $3.2 billion in 2007 alone [6].
The brand and reputation of a business is damaged by its customers becoming targets of phishing scams. The experience can make users wary of fraud, making them less likely to do business online, which in turn means loss of revenue for the company.
New types and techniques of phishing attacks are continuously being developed and utilized. Businesses must be proactive in defending against such attacks.
2 PHISHING IN THE GULF REGION
According to Symantec, Saudi Arabia and the UAE are the most vulnerable to phishing attacks in the Gulf region [7]. In 2010, information security solution provider IT Matrix detected 1145 unique phishing attacks in the UAE, while the occurrence in Saudi Arabia was the highest of the region for 2007 and 2008 [8]. Following a phishing attack on Saudi Aramco in August 2012, more than 30000 computers were compromised [9]. Saudi Arabia also faces the highest risk of privacy exposure due to malicious Android app usage [10].
A conference paper examined the susceptibility of 200 undergraduate students in Saudi Arabia to phishing [11]. They were divided randomly into two groups, receiving either click-a-link emails (after which the user was sent to a login page) or reply-directly emails. A total of 14 students fell victim to the emails, 12 of whom had responded to the click-a-link email.
3 TYPES OF PHISHING
Since the first incident of phishing in 1996 [3], phishing has evolved and now has several different classifications.
3.1 SPEAR PHISH
This variation of phishing involves some reconnaissance, planning and information-gathering in advance of ‘casting the bait’, and is so called because it is more specific than spam phishing. The information may be publicly available from social networking sites, or may be obtained by methods of social engineering. This information is then used to craft a specific email, the content of which either appeals to the interests of the particular user or seems to be genuinely addressed to them, making them more likely to fall for the deception.
3.2 ROCK PHISH
Rock phishing involves purchasing several domains which are a random mixture of alphanumeric characters. All of these domains are used to make URLs with unique identifiers, and these URLs resolve to the single IP address of a compromised machine. When that machine is removed, the DNS is adjusted to point to another machine in the botnet. ‘Rock Phish’ was also the name of a phishing gang. On average, Rock Phish sites stay live for longer than typical ones [12].
3.3 FAST-FLUX
Fast-flux attacks are related to Rock Phish attacks in that they also generally use botnets of compromised machines, which act as proxy servers so as to hide the actual location of the attacker. There are, however, multiple simultaneous IP addresses in use, and these fluctuate after a regular interval of time [12].
3.4 TILDE PHISH
Tilde phishing uses a newer style of multiple URLs that appear to point to websites on several domains, when in reality they all send the user to the same phishing website. This method exploits the fact that some web servers are configured to allow file-path viewing on any virtual domain hosted on that server. The URLs contain a tilde (~), hence the name [13].
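The Rock Phish and tilde phish patterns described above (random alphanumeric domain labels, a unique identifier per URL, and a ‘~’ user directory in the path) can be turned into simple structural indicators for a URL filter. The following is an added example, not code from the paper; the sample URLs and the thresholds (label length 8, entropy 2.8 bits, identifier length 10) are constructed assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample URLs for illustration (not taken from the paper).
SAMPLE_URLS = [
    "http://x7k2q9p4.example-random.test/login/?id=a93f2c7e1b",  # rock-phish style
    "http://shared-host.test/~acct1042/secure/bank/login.html",   # tilde-phish style
    "https://www.example-bank.test/account/login",               # ordinary URL
]

def shannon_entropy(s: str) -> float:
    """Bits per character of a string; random alphanumeric labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def url_indicators(url: str) -> dict:
    """Structural indicators the paper associates with rock and tilde phish."""
    parts = urlparse(url)
    host = parts.hostname or ""
    leftmost = host.split(".")[0] if host else ""
    # Random-looking label: long, purely alphanumeric, mixes digits, high entropy.
    random_label = (
        len(leftmost) >= 8
        and re.fullmatch(r"[a-z0-9]+", leftmost) is not None
        and re.search(r"\d", leftmost) is not None
        and shannon_entropy(leftmost) > 2.8
    )
    # A '/~user' path segment: per-user directories on a shared virtual host.
    tilde_path = "/~" in parts.path
    # A long hex token after a delimiter: the per-victim unique identifier.
    unique_id = re.search(r"[?&=/][a-f0-9]{10,}(?:[&/]|$)", url.lower()) is not None
    return {"random_label": random_label, "tilde_path": tilde_path, "unique_id": unique_id}

def suspicious(url: str) -> bool:
    """True if any indicator fires; intended as one signal among several."""
    return any(url_indicators(url).values())
```

Entropy-based checks will also flag legitimate random-looking hostnames such as CDN or cloud-generated labels, so treat a hit as a reason to inspect, not a verdict.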
3.5 WATER-HOLING
This technique involves locating an online resource or website that is frequently visited by a target audience, compromising it, and exploiting vulnerabilities in visitors’ browsers to extract credentials and install malware.
3.6 PHARMING (DNS-BASED PHISHING)
This term refers to any sort of phishing attack that abuses the DNS lookup process for a particular domain name. This can be done by redirecting the user’s DNS queries to a malicious server, by compromising an existing, legitimate DNS server, or by changing the PC’s hosts file through malware.
3.7 WHALING
When top-level executives or high-value targets are the victims, phishing becomes whaling. This technique is homonymous with ‘whaling’, the hunting of whales, which are large fish.
4 TOOLS & TECHNIQUES
4.1 SPAM (CLASSIC PHISHING)
An official-looking email, professing to be from an organization such as a bank, payment or money transfer business, or a coworker, either requires the user to confirm their account or claims that the user has been selected for a prize. Some variations involve embedded links to fake webpages while others involve attachments containing Trojans and malware. On the fake webpages, the user may be required to enter details for their email or bank accounts, which are then transferred to the operator of the phishing scam. Almost all of these emails have an underlying sense of urgency, such as ‘this offer expires in 24 hours’ or ‘if you do not respond to this email within 24 hours, your account will be closed’. The addresses from which these emails originate are sometimes a slight variation of the original entity’s domain (abc@citybank.com vs. abc@citibank.com), known as fuzzy domains or look-alike domains [1]; however, they may also be a random selection of words and alphanumeric characters.
4.2 INSTANT MESSAGING AND SOCIAL
NETWORKING
The same underlying principle as the email/spam technique can be used with Instant Messaging or Social Networking accounts being used instead of email accounts.
4.3 SMS (SMISHING)
This method uses SMS to deliver the bait. Typically, the user receives a text message informing them that their account has been compromised or deactivated. They are then directed to a spoofed website or vishing line (see below) to recover the account, where they are asked for their credentials.
4.4 TABNABBING
An apparently normal page has a script embedded in it which detects when the tab has lost focus for some time. The favicon and title of the page, as well as the page content itself, are then replaced by a page similar to an organization’s official login page. The user may think that they forgot to close that page, and possibly enter their credentials into it, thereby compromising their account.
4.5 VISHING/PHONE PHISHING
Phone phishers often use VoIP to set up a number which potential victims can call. These numbers may be advertised by means of email or by hacking a genuine website, and some may even spoof their caller ID to appear to be from a reputable organization. When called, these lines require the user to input their account details.
4.6 PHLASHING (FLASH-BASED PHISHING
SITES)
Since it is relatively easy to detect phishing sites that are copies of genuine sites through automated software, a new form of phishing which involves using Flash-based sites emerged. Flash-based sites are not as easily recognized as HTML phishing sites by specialized software. This breed of attacks was first seen in 2006 [14].
4.7 TYPO SQUATTING
The basic principle of this technique is registering a domain name that a user may accidentally type instead of the original, and possibly not notice. The fake site on that domain usually looks very similar to the genuine one, and a busy or novice user may not notice their typo and continue using the fake site.
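The fuzzy or look-alike domains of section 4.1 (citybank.com vs. citibank.com) and the typo-squatted domains above can both be caught at a mail gateway by comparing a sender’s domain against a list of protected domains with an edit-distance check after folding visually confusable characters. This is an added example, not code from the paper; the protected-domain list, the confusable table and the distance threshold of 2 are constructed assumptions, and the registrable-domain helper is deliberately naive (it ignores the Public Suffix List).

```python
# Protected domains a gateway watches for: the paper's citibank.com example
# plus constructed placeholders.
PROTECTED_DOMAINS = ["citibank.com", "examplepay.test", "mailprovider.test"]

# Character sequences that read alike at a glance (assumed confusable table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(label: str) -> str:
    """Fold visually similar sequences so 'rn' and 'm', '1' and 'l' compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Last two labels, e.g. 'login.citybank.com' -> 'citybank.com' (naive, no PSL)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def lookalike_of(sender_domain: str, max_distance: int = 2):
    """Return the protected domain the sender's domain imitates, or None."""
    cand = registrable(sender_domain)
    cand_sld = normalize(cand.split(".")[0])
    for prot in PROTECTED_DOMAINS:
        if cand == prot:
            return None  # exact registrable match is the genuine domain
        prot_sld = normalize(prot.split(".")[0])
        # Same brand label on a different TLD, or within a couple of edits of it.
        if prot_sld == cand_sld or levenshtein(prot_sld, cand_sld) <= max_distance:
            return prot
        # Brand name embedded in a longer label, e.g. citibank-secure.test
        if prot_sld in cand_sld and len(cand_sld) - len(prot_sld) <= 12:
            return prot
    return None
```

Short brand labels produce false positives at distance 2, so in practice the threshold is scaled with label length and the result feeds a quarantine or warning rather than an outright block.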
4.8 URL MANIPULATION/MASQUERADING
A hyperlink has two parts: the text visible to the user and the underlying link, and the two need not be the same. Masqueraded URLs leverage this discrepancy to make the user believe that clicking a certain link will take them to the official login page, when in reality the link sends the user to the fake page.
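Mail filters check for exactly this discrepancy: when the visible anchor text itself looks like a URL or domain, its host should match the host of the real href. The following is an added example, not code from the paper; the HTML message body and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body: the first link's visible text names one site
# while its href points somewhere else; the second link is an ordinary one.
SAMPLE_HTML = """
<p>Please verify your account at
<a href="http://login.x7k2q9p4.test/verify">https://www.example-bank.test/login</a>
or visit <a href="https://www.example-bank.test/help">our help page</a>.</p>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s: str) -> str:
    """Lowercase hostname of a URL or bare domain, or '' if none."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def masqueraded_links(html: str):
    """Anchors whose visible text names a host different from the real target."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        # Only compare when the visible text itself looks like a URL or domain.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        actual = host_of(href or "")
        if shown and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings
```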
4.9 SESSION HIJACKING
This can be performed remotely through a man-in-the-middle attack (see below) or locally using malware. Once the user has logged in with their credentials, the malware ‘hijacks’ the session and performs malicious actions, which may include extracting credentials.
4.10 MAN-IN-THE-MIDDLE
An attacker places themselves between the user and a genuine website, most often using ARP spoofing. Any authentication requests are sent through the attacker and can therefore be compromised.
4.11 EVIL TWINS
Public places such as cafés and airports often have public Wi-Fi services. An attacker can set up their own Wi-Fi hotspot in the same area with the same SSID and authentication (if present). Credentials of any users that connect to that network and visit certain websites can be sniffed.
4.12 BROWSER SPOOFING VULNERABILITIES
As with any piece of software, browsers may also have vulnerabilities in their code, which can be exploited to obfuscate the address bar so the site looks SSL-authenticated, or to install malware on the victim’s PC. Although all the currently listed vulnerabilities already have security patches available [15], they can still be exploited on a machine that is not up to date on its patches.
4.13 BOTS/BOTNETS
Botnets can be leveraged for phishing as the processing power, bandwidth, and disk space of the computers on which they reside can extend the scope of the phishing attack.
5 MITIGATION TECHNIQUES
5.1 USER-DEPENDENT
5.1.1 TWO-FACTOR AUTHENTICATION
This is a mechanism that requires proof of two out of the following three properties: what you have, what you know, and what you are. So apart from your account name and password (know), you may be required to undergo a fingerprint or retinal scan (are), or possess (have) a smartcard or hardware token. Additionally, this hardware token may generate a regularly varying component. Certain banks have implemented a system whereby customers are given a number of Transaction Numbers (TANs) every month, to approve single transactions [15].
5.1.2 BROWSER PLUGINS
Certain anti-phishing browser plugins exist that use crowd-sourced and phishing blacklist databases to determine the authenticity of a website, and warn users of potentially fake sites, or block them altogether.
5.1.3 ANTIVIRUS SOFTWARE WITH SPAM FILTERING AND WEB PROTECTION
Antivirus software has become much more than just a program that scans your files. Most modern antivirus suites contain web, email and spam protection, and these can be critical in preventing the user from falling victim to phishing. However, these protection suites must be kept up to date or the PC is left vulnerable to the latest variations of the attack. Some of the techniques used by this type of software are content blacklisting, blocking email from relays known to send out spam, and Bayesian spam filtering [15].
5.1.4 END-USER AWARENESS AND EDUCATION
Organizations can take a proactive approach to fraud by educating their employees, end-users and consumers about potential signs of fraud. In the case of a specific phishing attack, alerts can be issued on official websites, in the news, and via email. The user can be educated to approach links in email with extreme caution, to ensure SSL is being used (via the address bar), and to scrutinize the domain name. Although all of these can be spoofed to avoid suspicion [16], this at least provides another layer of protection against most amateur phishing attacks.
5.2 USER-INDEPENDENT
5.2.1 LEXICAL ANALYSIS
Recognition of common word patterns and phrases in phishing messages is one of the earliest methods of spam and phishing detection.
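The Bayesian spam filtering mentioned in section 5.1.3 and the lexical analysis above are two views of the same classifier: word tokens are the lexical features, and a multinomial naive Bayes model learns which of them (‘account’, ‘verify’, ‘24 hours’) weigh towards phishing. This is an added example, not code from the paper; the eight training messages are constructed and far too few for real use, and the 0.5 decision threshold is an assumption.

```python
import math
import re
from collections import Counter

# Constructed training messages (not from the paper); label 1 = phishing, 0 = legitimate.
TRAINING = [
    ("Your account will be closed unless you verify your password within 24 hours", 1),
    ("Urgent: confirm your bank account details now or lose access", 1),
    ("You have been selected for a prize, click the link to claim it today", 1),
    ("Security alert: suspended account, login immediately to restore", 1),
    ("Lunch meeting moved to Thursday, bring the quarterly slides", 0),
    ("Attached are the minutes from Monday, let me know if anything is missing", 0),
    ("Reminder that the office closes early on Friday for maintenance", 0),
    ("Thanks for the review, I merged the pull request this morning", 0),
]

def tokenize(text: str):
    """Lowercase word tokens: the lexical features the paper refers to."""
    return re.findall(r"[a-z0-9]+", text.lower())

class NaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing, scored in log space."""
    def __init__(self):
        self.word_counts = {0: Counter(), 1: Counter()}
        self.doc_counts = {0: 0, 1: 0}
        self.vocab = set()

    def train(self, samples):
        for text, label in samples:
            toks = tokenize(text)
            self.word_counts[label].update(toks)
            self.doc_counts[label] += 1
            self.vocab.update(toks)

    def log_prob(self, toks, label):
        """log P(label) + sum of log P(token | label); unseen tokens are smoothed."""
        total = sum(self.word_counts[label].values())
        denom = total + len(self.vocab)
        lp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for t in toks:
            lp += math.log((self.word_counts[label][t] + 1) / denom)
        return lp

    def phishing_probability(self, text: str) -> float:
        toks = tokenize(text)
        lp1, lp0 = self.log_prob(toks, 1), self.log_prob(toks, 0)
        return 1.0 / (1.0 + math.exp(lp0 - lp1))  # sigmoid of the log-odds

MODEL = NaiveBayes()
MODEL.train(TRAINING)

def is_phishing(text: str, threshold: float = 0.5) -> bool:
    return MODEL.phishing_probability(text) >= threshold
```

Attackers pad messages with innocuous words to dilute such scores, which is why lexical analysis is combined with the sender-reputation and URL checks that follow rather than used alone.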
5.2.2 SENDER REPUTATION ANALYSIS
Some phishing senders have a certain pattern to their domain names, and these may be blacklisted on well-known sites:
spamhaus.org/sbl
ers.trendmicro.com
mxtoolbox.com/blacklists.aspx
Permutations of existing domains are also ideal candidates for phishing use.
5.2.3 ATTACHMENT SIGNATURE RECOGNITION
Most email providers make use of the services of security companies that provide online scanning of all incoming and outgoing attachments.
5.2.4 SECURE SOCKETS LAYER (SSL)
SSL is a protocol that secures browsing by encrypting transmission, while using certificates to ensure the identity of both sides. Sites secured with SSL are accessed over HTTPS instead of HTTP. While not completely foolproof on its own [17], this technology in combination with others can be one of the indications as to the authenticity of a website. When a website is detected by the browser to be SSL secured, a small padlock icon appears in the address bar.
5.2.5 WEBSITE TAKEDOWN
When a phishing website is detected, the DNS and hosting providers can be notified. After analyzing it themselves, they usually take down the website or remove the DNS records.
6 SUMMARY
Phishing is an ever-increasing and evolving threat to businesses. It takes advantage of human behaviors such as curiosity, trust or compassion.
As these attacks develop in complexity, the world is also taking positive steps in anti-phishing efforts. There are several organizations committed to fighting online fraud, such as the Internet Crime Complaint Center, the National Cyber-Forensics and Training Alliance, and the Anti-Phishing Working Group.
Although there isn’t an all-encompassing technology to stop phishing, a mixture of best practices, constant diligence, and correct application of the latest technologies can reduce the frequency of phishing attacks and the ensuing loss.
7 REFERENCES
[1] L. James, Phishing Exposed, Syngress Publishing, Inc., 2005.
[2] A. V. Mahajan, "Phishing and Man-in-the-Middle Attacks," University of Southern California.
[3] A. S. Martino and X. Perramon, "Phishing Secrets: History, Effects, and Countermeasures," International Journal of Network Security, vol. 11, no. 3, pp. 163–171, 2010.
[4] Anti-Phishing Working Group (APWG), "Phishing Activity Trends Report," 1st Quarter 2013.
[5] The Anti-Phishing Group at Indiana University, "Stopphishing.com - Protect the Public," 2006. [Online]. Available: indiana.edu/~phishing/?prot_public. [Accessed 20 October 2013].
[6] A. Bergholz, J. D. Beer, S. Glahn, M.-F. Moens, G. Paaß and S. Strobel, "New Filtering Approaches for Phishing Email," International Journal of Computer Trends and Technology (IJCTT), vol. 4, no. 6, June 2013.
[7] "Saudi Arabia, UAE rank high for phishing attacks: Symantec," Arab News, 30 November 2011. [Online]. Available: arabnews.com/node/399661. [Accessed 20 October 2013].
[8] G. Enzer, "UAE hit hard by increasing phishing," ITP.net, 26 April 2011. [Online]. Available: itp.net/584599-uae-hit-hard-by-increasing-phishing. [Accessed 20 October 2013].
[9] W. Mahdi, "Saudi Arabia Says Aramco Cyberattack Came From Foreign States," Bloomberg.com, 9 December 2012. [Online]. Available: bloomberg.com/news/2012-12-09/saudi-arabia-says-aramco-cyberattack-came-from-foreign-states.html. [Accessed 20 October 2013].
[10] K. Kanchi, "Fake applications, phishing sites hit smartphone users," The Hindu Business Line, 23 May 2013. [Online]. Available: thehindubusinessline.com/industry-and-economy/info-tech/fake-applications-phishing-sites-hit-smartphone-users/article4742336.ece. [Accessed 20 October 2013].
[11] I. Alseadoon, T. Chan, E. Foo and J. G. Nieto, "Who is more susceptible to phishing emails?: A Saudi Arabian study," in 23rd Australasian Conference on Information Systems, 2012.
[12] T. Moore and R. Clayton, "The Impact of Incentives on Notice and Take-down," in Managing Information Risk and the Economics of Security, Springer US, 2009, pp. 199–223.
[13] B. Gyawali, T. Solorio, M. Montes-y-Gómez, B. Wardman and G. Warner, "Evaluating a Semisupervised Approach to Phishing URL Identification in a Realistic Scenario," Department of Computer and Information Sciences, University of Alabama at Birmingham.
[14] R. Miller, "Phishing Attacks Continue to Grow in Sophistication," Netcraft, 15 January 2007. [Online]. Available: http://news.netcraft.com/archives/2007/01/15/phishing_attacks_continue_to_grow_in_sophistication.html. [Accessed 20 October 2013].
[15] J. Milletary, "Technical Trends in Phishing Attacks," US-CERT, 2005.
[16] A. Emigh, "Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures," ITTC Report on Online Identity Theft Technology and Countermeasures, 2005.
[17] R. Lininger and R. D. Vines, Phishing: Cutting the Identity Theft Line, Wiley Publishing, Inc., 2005.