Phishing is a new word derived from ‘fishing’. It refers to the act in which an attacker lures users to visit a fake Web site by sending them fake e-mails (or instant messages), and stealthily obtains the victim’s personal information, such as user name, password, national security ID, etc. This information can then be used for targeted advertisements or even identity theft attacks (e.g., transferring money from the victim’s bank account).
In general, phishing attacks are performed with the following four steps:
- Phishers set up a counterfeit Web site which looks exactly like the legitimate Web site: setting up the web server, applying for a DNS server name, creating web pages similar to those of the target Web site, etc.
- Send a large number of spoofed e-mails to target users in the name of those legitimate companies and organizations, trying to convince potential victims to visit the counterfeit Web sites.
- Receivers receive the e-mail, open it, click the spoofed hyperlink in the e-mail, and input the required information.
- Phishers steal the personal information and perform their fraud, such as transferring money from the victims’ accounts.
Although attackers have methods to phish users, users also have several (technical or non-technical) ways to prevent it:
- Educate users to understand how phishing attacks work and to be alert when phishing-like e-mails are received;
- Use legal methods to punish phishing attackers;
- Use technical methods to stop phishing attackers. In this paper, we only focus on the third one. Technically, if we can cut off one or several of the steps needed by a phishing attack, we successfully prevent that attack.
In what follows, we briefly review these approaches.
Detect and block the phishing Web sites in time:
- If we can detect phishing Web sites in time, we can block the sites and prevent phishing attacks.
Enhance the security of the web sites:
- Business Web sites such as those of banks can adopt new methods to guarantee the security of users’ personal information. One method to enhance this security is to use hardware devices. For example, Barclays bank provides a hand-held card reader to its users. Before shopping online, users need to insert their credit card into the card reader and input their personal identification number (PIN); the card reader then produces a one-time security password, and users can perform transactions only after the right password is input.
- Another method is to use biometric characteristics (e.g. voice, fingerprint, iris, etc.) for user authentication. For example, PayPal had tried to replace single password verification with voice recognition to enhance the security of its Web site.
Block the phishing e-mails by various spam filters:
- Phishers generally use e-mails as ‘bait’ to lure potential victims. SMTP (Simple Mail Transfer Protocol) is the protocol used to deliver e-mails on the Internet. Information related to the sender, such as the name and e-mail address of the sender, the route of the message, etc., can be counterfeited in SMTP. Thus, attackers can send out large amounts of spoofed e-mails which seem to come from legitimate organizations. Therefore, if anti-spam systems can determine whether an e-mail was really sent by the announced sender (Am I Whom I Say I Am?), phishing attacks will be decreased dramatically.
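As an added example (not part of the original post), the "Am I Whom I Say I Am?" check above can be implemented as a DMARC-style alignment test: the domain in the visible From: header must match a domain that actually passed SPF or DKIM. It assumes the receiving mail server has already recorded its own SPF and DKIM verdicts in an Authentication-Results header; both messages and all domains are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Two constructed messages (not real mail). In the first, the visible From:
# claims a bank, but the receiving server's own SPF/DKIM evaluation (recorded
# in Authentication-Results) passed only for an unrelated sending domain.
SPOOFED_MESSAGE = """\
Return-Path: <bulk@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=pass header.d=mailer.example.net
From: "Example Bank" <security@example-bank.com>
To: victim@example.org
Subject: Please confirm your account details

Confirm your details at the link below.
"""

LEGIT_MESSAGE = """\
Return-Path: <alerts@example-bank.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

def org_domain(name):
    """Simplified organizational domain: the last two labels (production code would consult the Public Suffix List)."""
    return ".".join(name.lower().strip(".").split("@")[-1].split(".")[-2:])

def parse_auth_results(value):
    """Extract (verdict, domain) for the spf and dkim results in an Authentication-Results header."""
    found = {}
    for method, key in (("spf", r"smtp\.mailfrom"), ("dkim", r"header\.d")):
        m = re.search(method + r"=(\w+)[^;]*?" + key + r"=([^\s;]+)", value)
        if m:
            found[method] = (m.group(1).lower(), m.group(2))
    return found

def sender_is_who_it_claims(raw):
    """Alignment check: the From: domain must equal a domain that passed SPF or DKIM."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = org_domain(parseaddr(str(msg["From"]))[1])
    results = parse_auth_results(str(msg.get("Authentication-Results", "")))
    passed = {org_domain(d) for verdict, d in results.values() if verdict == "pass"}
    return {"from_domain": from_domain, "authenticated_domains": sorted(passed), "aligned": from_domain in passed}

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, sender_is_who_it_claims(raw))
```

A message with no Authentication-Results header, or with only failing verdicts, ends up with an empty set of authenticated domains and is reported as not aligned.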
Install online anti-phishing software in user’s computers:
- Despite all the above efforts, it is still possible for users to visit spoofed Web sites. As a last line of defense, users can install anti-phishing tools on their computers. The anti-phishing tools in use today can be divided into two categories: blacklist- or whitelist-based, and rule-based.