Features & Detection Of Phishing Attacks

Introduction

Phishing is a type of computer attack in which the attacker manipulates the victim into entering user credentials via electronic communication channels; the attacker then exploits this information.

Phishing attack

Colin Walker has defined phishing as: “We define a phishing page as any web page that, without permission, alleges to act on behalf of a third party with the intention of confusing viewers into performing an action with which the viewer would only trust a true agent of the third party”. Criminals who want to obtain user data create unauthorized replicas of legitimate websites and e-mails, usually those of a financial corporation that handles the financial data of its clients.

The e-mails and websites are created using the logos and trademarks of the actual website. The flexibility of HTML documents makes it very easy to copy images or even an entire document, and criminals abuse this fact. The phisher then sends these spoofed e-mails to as many users as possible in order to lure them into some scheme and retrieve user credentials from them. When users see these e-mails bearing the logos and trademarks of the actual organization, they click the links in the mail and are redirected to the spoofed website, which appears to be the actual website.

History

Phishing attacks were first carried out by a group of hackers and pirates via America Online (AOL) [2]. These attackers called themselves “the Warez community”. In early 1990 they created an algorithm to generate random credit card numbers, which they used in attempts to create phony AOL accounts. When they hit a match to a real credit card number, they were able to create an account and spam the AOL community. AOL was able to stop the random credit card generators by 1995, till the time. The Warez group then found other ways, specifically pretending to be AOL employees and messaging people via AOL messenger for their information. This problem grew so quickly that on January 2, 1996, the word “phishing” was first posted in a Usenet group dedicated to AOL. AOL further included warnings on all its emails and messages to alert users to the potential phishing risk.

Phishing Attack Statistics

Phishing continues to grow rapidly, taking firm root in the field of identity theft and thereby causing a large number of frauds and scams on a daily basis. There were nearly 33,000 phishing attacks globally per month in 2012, accounting for a total loss of $687 million. In June 2004, Royal Bank of Canada notified customers that fraudulent e-mails pretending to originate from the Royal Bank were being sent out to customers, asking them to verify their account numbers and Personal Identification Numbers (PINs) through a link.

The fraudulent e-mails stated that if the receiver did not click the link and enter his details, his account would be blocked. These e-mails were sent within a week of a computer malfunction that had blocked the update of customer accounts. Financial service organizations are the most likely targets of attackers for phishing. The United States continued to be the top country hosting phishing websites during the third quarter of 2012. This is due to the fact that the United States hosts a large percentage of websites and domain names overall.

Blacklist/Whitelist based detection

This method of detection is most widely used in browsers such as Google Chrome and Mozilla Firefox for safe browsing. Depending on the method of implementation, either the user maintains the whitelist and blacklist of URLs or the browser updates the lists automatically. The blacklist contains the websites that the browser has found to be malicious. Classifiers such as Naive Bayesian, SVM etc. are used to maintain the whitelist of websites that are safe for user browsing. Although easy to implement, this approach suffers from a high false negative ratio due to the short lifetime of phishing web pages. Its main drawback is that it is not effective on web pages that were previously undetected, so the lists need to be maintained frequently to keep good accuracy.

URL based detection

The URL based approach analyzes the URL features of a given web page, and based on these features a decision is made whether the website is phishing or not. URL features such as length, path, hostname and number of tokens present differ between a legitimate and a phishing website, and this approach exploits that property. Lexical analysis is performed on the URL in order to extract URL features. To maintain and update the feature list of URL properties, a classifier is employed that can distinguish between the features of an actual website and a malicious website and thereby make an appropriate decision for the suspicious web page's URL.
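The lexical analysis step can be sketched as follows. This is an added example, not code from the original essay: it extracts the features named above (length, path, hostname, number of tokens) and, going slightly beyond the text, also records the longest token and whether the host is a bare IP address. The delimiter set and both sample URLs are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: these delimiters separate lexical tokens in path and query.
TOKEN_SPLIT = re.compile(r"[./?=&_\-]+")

# Constructed sample URLs (reserved .test names and a documentation IP range).
LEGIT_URL = "https://www.example-bank.test/login"
SUSPECT_URL = ("http://203.0.113.7/example-bank.test/secure/login/"
               "update.php?id=123&session=abcdef")


def url_features(url: str) -> dict:
    """Return the lexical features of one URL as a flat dict for a classifier."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only fills hostname when a scheme is present
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        host_is_ip = True  # a raw IP instead of a registered name
    except ValueError:
        host_is_ip = False
    host_tokens = [t for t in host.split(".") if t]
    path_tokens = [t for t in TOKEN_SPLIT.split(parts.path + "?" + parts.query) if t]
    return {
        "url_length": len(url),
        "host_length": len(host),
        "path_length": len(parts.path),
        "host_tokens": len(host_tokens),
        "path_tokens": len(path_tokens),
        "longest_token": max((len(t) for t in host_tokens + path_tokens), default=0),
        "host_is_ip": host_is_ip,
    }


if __name__ == "__main__":
    for u in (LEGIT_URL, SUSPECT_URL):
        print(u, url_features(u))
```

The resulting dicts are the rows a classifier would be trained on; the brand name appearing in the path of the second URL rather than in its hostname shows up as a higher path token count and an IP-literal host.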

Content based detection

In content based detection, the visual similarity between a malicious page and the target page is the key feature used to detect phishing attacks. The visual features considered can be text and styles, images and the overall appearance of the web pages. The study proposes an algorithm that detects phishing pages on the basis of the contents of the web page, using term frequency - inverse document frequency (TF-IDF). This approach is not resilient to evasion, as the attacker can change the contents and still make the website feel like the original one to the user.

To deal with this, some approaches to phishing detection capture an image of the page, convert it into text using optical character recognition (OCR), use the Google PageRank algorithm to find the top ranked domains from search engines and compare them with the current page. Another study considers the textual clues from the DOM tree of the website to detect any anomalies in the DOM objects. A file similarity is calculated between the targeted file and the suspicious web page so as to find potential phishing web pages effectively.
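The TF-IDF comparison and its evasion weakness can be seen in a small added example, which is not the cited study's algorithm or code from the original essay. It weights terms with a smoothed TF-IDF, matches a suspicious page against reference texts by cosine similarity, and shows that a reworded page scores low; the brand texts, the tokenization rule and all names are constructed assumptions.

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z]{3,}")  # assumption: words of 3+ letters are the terms

# Constructed reference texts for three made-up brands (not real page content).
REFERENCES = {
    "example-bank.test": "Welcome to Example Bank online banking. Sign in with your "
                         "customer number and password to view accounts, transfers "
                         "and statements.",
    "example-mail.test": "Example Mail inbox. Sign in to read messages, manage "
                         "contacts and calendar invitations.",
    "example-shop.test": "Example Shop. Browse products, add items to your basket "
                         "and track orders and deliveries.",
}
# Constructed suspicious pages: a near copy, and one with the wording changed.
CLONE = ("Example Bank online banking: sign in with your customer number and "
         "password to verify accounts and statements.")
EVASIVE = "Dear client, confirm your details below to keep your profile active."


def tfidf_vectors(texts):
    """One {term: tf * idf} dict per text, idf = ln((1 + N) / (1 + df)) + 1."""
    counts = [Counter(WORD.findall(t.lower())) for t in texts]
    df = Counter(term for c in counts for term in c)
    n = len(texts)
    return [{t: (k / sum(c.values())) * (math.log((1 + n) / (1 + df[t])) + 1)
             for t, k in c.items()} for c in counts]


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = (math.sqrt(sum(w * w for w in a.values()))
            * math.sqrt(sum(w * w for w in b.values())))
    return dot / norm if norm else 0.0


def best_match(page_text, references=REFERENCES):
    """Return (reference name, cosine similarity) for the closest reference."""
    names = list(references)
    vectors = tfidf_vectors([references[n] for n in names] + [page_text])
    scores = {n: cosine(vectors[-1], v) for n, v in zip(names, vectors)}
    top = max(scores, key=scores.get)
    return top, scores[top]


if __name__ == "__main__":
    print(best_match(CLONE))    # high similarity to the bank text
    print(best_match(EVASIVE))  # low similarity to every reference
```

A page that closely matches a brand's text while being served from a different domain is the case worth flagging; the reworded page falls under any reasonable threshold, which is the gap the OCR and DOM based approaches try to close.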

Phishing detection based on other features

Other features, such as the domain owner, differ between an actual website and a fake website. As phishing web pages are hosted on less reputable domains and are usually taken down more frequently, this property can be used to decide whether a given web page is phishing or not. A WHOIS lookup is conducted to reveal the registrar of the given web page and the registrar of the legitimate web page. This is found using search engine analysis tools. The two domain owners are then compared: if the registrars for the suspicious and the legitimate website do not match, the page is declared a phishing website.
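The registrar comparison can be sketched as below. This is an added example, not code from the original essay: it parses WHOIS text that has already been retrieved, normalizes the registrar name and applies the match rule described above. The WHOIS records are constructed samples, and the "unknown" outcome for records without a registrar line is an assumption added so that missing data is not silently treated as a match or a mismatch.

```python
import re

# Matches "Registrar: <name>" (or the older "Sponsoring Registrar:") but not
# related fields such as "Registrar URL:" or "Registrar IANA ID:".
REGISTRAR_LINE = re.compile(
    r"^\s*(?:Sponsoring\s+)?Registrar\s*:\s*(.+?)\s*$", re.I | re.M)
# Assumption: these legal suffixes are noise when comparing registrar names.
SUFFIXES = re.compile(r"\b(inc|llc|ltd|gmbh|corp|co)\b\.?", re.I)

# Constructed WHOIS records (made-up registrars and reserved .test domains).
LEGIT_WHOIS = """Domain Name: EXAMPLE-BANK.TEST
Registrar URL: http://registrar.example
Registrar: Example Registrar, Inc.
"""
SAME_REGISTRAR_WHOIS = "domain: example-bank-login.test\nregistrar:   EXAMPLE REGISTRAR INC\n"
OTHER_REGISTRAR_WHOIS = "Domain Name: EXAMPLE-BANK-SECURE.TEST\nRegistrar: Other Names LLC\n"
NO_REGISTRAR_WHOIS = "Domain Name: EXAMPLE-BANK-VERIFY.TEST\nRegistrar URL: http://x.example\n"


def registrar_of(whois_text):
    """Return the normalized registrar name, or None if the record has none."""
    match = REGISTRAR_LINE.search(whois_text)
    if not match:
        return None
    name = SUFFIXES.sub("", match.group(1).lower())
    return re.sub(r"[^a-z0-9]+", " ", name).strip() or None


def registrar_check(suspect_whois, legit_whois):
    """Apply the rule from the text: differing registrars mark the page as phishing."""
    suspect, legit = registrar_of(suspect_whois), registrar_of(legit_whois)
    if suspect is None or legit is None:
        return "unknown"  # no registrar line: the rule cannot be applied
    return "match" if suspect == legit else "mismatch"


if __name__ == "__main__":
    for record in (SAME_REGISTRAR_WHOIS, OTHER_REGISTRAR_WHOIS, NO_REGISTRAR_WHOIS):
        print(registrar_check(record, LEGIT_WHOIS))
```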

11 February 2020