Home      Discussion      Topics      Dictionary      Almanac
Signup       Login
Phishing

Phishing

Discussion
Ask a question about 'Phishing'
Start a new discussion about 'Phishing'
Answer questions from other users
Full Discussion Forum
 
Encyclopedia
Phishing is a way of attempting to acquire information such as usernames, password
Password
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password should be kept secret from those not allowed access....

s, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail
E-mail
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...

 spoofing
E-mail spoofing
Email spoofing is email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails...

 or instant messaging
Instant messaging
Instant Messaging is a form of real-time direct text-based chatting communication in push mode between two or more people using personal computers or other devices, along with shared clients. The user's text is conveyed over a network, such as the Internet...

, and it often directs users to enter details at a fake website whose look and feel
Look and feel
In software design, look and feel is a term used in respect of a graphical user interface and comprises aspects of its design, including elements such as colors, shapes, layout, and typefaces , as well as the behavior of dynamic elements such as buttons, boxes, and menus...

 are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation
Legislation
Legislation is law which has been promulgated by a legislature or other governing body, or the process of making it...

, user training, public awareness, and technical security measures.

A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing, probably influenced by phreaking
Phreaking
Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. As telephone networks have become computerized, phreaking has become closely...

,

and alludes to "baits" used in hopes that the potential victim will "bite" by clicking a malicious link or opening a malicious attachment, in which case their financial information and passwords may then be stolen.

History and current status of phishing


A phishing technique was described in detail, in a paper and presentation delivered to the International HP
Hewlett-Packard
Hewlett-Packard Company or HP is an American multinational information technology corporation headquartered in Palo Alto, California, USA that provides products, technologies, softwares, solutions and services to consumers, small- and medium-sized businesses and large enterprises, including...

 Users Group, Interex. The first recorded mention of the term "phishing" is on the alt.online-service.america-online Usenet
Usenet
Usenet is a worldwide distributed Internet discussion system. It developed from the general purpose UUCP architecture of the same name.Duke University graduate students Tom Truscott and Jim Ellis conceived the idea in 1979 and it was established in 1980...

 newsgroup
Newsgroup
A usenet newsgroup is a repository usually within the Usenet system, for messages posted from many users in different locations. The term may be confusing to some, because it is usually a discussion group. Newsgroups are technically distinct from, but functionally similar to, discussion forums on...

 on January 2, 1996,
although the term may have appeared earlier in the print edition of the hacker magazine 2600
2600: The Hacker Quarterly
2600: The Hacker Quarterly is an American publication that specializes in publishing technical information on a variety of subjects including telephone switching systems, Internet protocols and services, as well as general news concerning the computer "underground" and left wing, and sometimes ,...

.

Early phishing on AOL


Phishing on AOL was closely associated with the warez
Warez
Warez refers primarily to copyrighted works distributed without fees or royalties, and may be traded, in general violation of copyright law. The term generally refers to unauthorized releases by organized groups, as opposed to file sharing between friends or large groups of people with similar...

 community that exchanged pirated software and the hacking scene that perpetrated credit card fraud and other online crimes. After AOL brought in measures in late 1995 to prevent using fake, algorithmically generated credit card numbers to open accounts, AOL crackers resorted to phishing for legitimate accounts and exploiting AOL.

A phisher might pose as an AOL staff member and send an instant message to a potential victim, asking him to reveal his password. In order to lure the victim into giving up sensitive information the message might include imperatives like "verify your account" or "confirm billing information". Once the victim had revealed the password, the attacker could access and use the victim's account for fraudulent purposes or spamming
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...

. Both phishing and warezing on AOL generally required custom-written programs, such as AOHell
AOHell
AOHell was a tool that greatly simplified 'cracking' online using AOL.-Origin:Released in 1994 by hackers known as "The Rizzer" & "Da Chronic", AOHell provided a number of utilities which ran on top of the America Online client software...

. Phishing became so prevalent on AOL that they added a line on all instant messages stating: "no one working at AOL will ask for your password or billing information", though even this didn't prevent some people from giving away their passwords and personal information if they read and believed the IM first. A user using both an AIM account and an AOL account from an ISP simultaneously could phish AOL members with relative impunity as internet AIM accounts could be used by non-AOL internet members and could not be actioned (i.e.- reported to AOL TOS department for disciplinary action.)

Eventually, AOL's policy enforcement with respect to phishing and warez became stricter and forced pirated software off AOL servers. AOL simultaneously developed a system to promptly deactivate accounts involved in phishing, often before the victims could respond. The shutting down of the warez scene on AOL caused most phishers to leave the service.

Transition from AOL to financial institutions


The capture of AOL account information may have led phishers to misuse credit card information, and to the realization that attacks against online payment systems were feasible. The first known direct attempt against a payment system affected E-gold
E-gold
e-gold is a digital gold currency operated by Gold & Silver Reserve Inc. under e-gold Ltd., and allowed the instant transfer of gold ownership between users until 2009 when transfers were suspended due to legal issues. e-gold Ltd...

 in June 2001, which was followed up by a "post-9/11 id check" shortly after the September 11 attacks on the World Trade Center
September 11, 2001 attacks
The September 11 attacks The September 11 attacks The September 11 attacks (also referred to as September 11, September 11th or 9/119/11 is pronounced "nine eleven". The slash is not part of the pronunciation...

. Both were viewed at the time as failures, but can now be seen as early experiments towards more fruitful attacks against mainstream banks. By 2004, phishing was recognized as a fully industrialized part of the economy of crime: specializations emerged on a global scale that provided components for cash, which were assembled into finished attacks.

Recent phishing attempts



Phishers are targeting the customers of banks and online payment services. E-mails, supposedly from the Internal Revenue Service
Internal Revenue Service
The Internal Revenue Service is the revenue service of the United States federal government. The agency is a bureau of the Department of the Treasury, and is under the immediate direction of the Commissioner of Internal Revenue...

, have been used to glean sensitive data from U.S. taxpayers. While the first such examples were sent indiscriminately in the expectation that some would be received by customers of a given bank or service, recent research has shown that phishers may in principle be able to determine which banks potential victims use, and target bogus e-mails accordingly. Targeted versions of phishing have been termed spear phishing. Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

Social networking sites
Social network service
A social networking service is an online service, platform, or site that focuses on building and reflecting of social networks or social relations among people, who, for example, share interests and/or activities. A social network service consists of a representation of each user , his/her social...

 are now a prime target of phishing, since the personal details in such sites can be used in identity theft
Identity theft
Identity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name...

; in late 2006 a computer worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...

 took over pages on MySpace
MySpace
Myspace is a social networking service owned by Specific Media LLC and pop star Justin Timberlake. Myspace launched in August 2003 and is headquartered in Beverly Hills, California. In August 2011, Myspace had 33.1 million unique U.S. visitors....

 and altered links to direct surfers to websites designed to steal login details. Experiments show a success rate of over 70% for phishing attacks on social networks.

The RapidShare
RapidShare
RapidShare is a one-click hosting service that offers both free and commercial services. Operating from Switzerland, it is financed by the subscriptions of paying users...

 file sharing site has been targeted by phishing to obtain a premium account, which removes speed caps on downloads, auto-removal of uploads, waits on downloads, and cooldown times between downloads.

Attackers who broke into TD Ameritrade
TD Ameritrade
TD Ameritrade is an American online broker with over 6 million U.S. customers, and many more internationally, that has grown rapidly through acquisition to become the 746th-largest US firm in 2008. TD Ameritrade Holding Corporation is the owner of TD Ameritrade Inc...

's database (containing all 6.3 million customers' social security number
Social Security number
In the United States, a Social Security number is a nine-digit number issued to U.S. citizens, permanent residents, and temporary residents under section 205 of the Social Security Act, codified as . The number is issued to an individual by the Social Security Administration, an independent...

s, account numbers and email addresses as well as their names, addresses, dates of birth, phone numbers and trading activity) also wanted the account usernames and passwords, so they launched a follow-up spear phishing attack.

Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network
Russian Business Network
The Russian Business Network is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale...

 based in St. Petersburg.

There are anti-phishing websites which publish exact messages that have been recently circulating the internet, such as FraudWatch International and Millersmiles. Such sites often provide specific details about the particular messages.

Link manipulation


Most methods of phishing use some form of technical deception designed to make a link
Uniform Resource Identifier
In computing, a uniform resource identifier is a string of characters used to identify a name or a resource on the Internet. Such identification enables interaction with representations of the resource over a network using specific protocols...

 in an e-mail (and the spoofed website
Website spoofing
Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers that the website has been created by a different person or organisation. Another meaning for spoof is fake websites. Normally, the spoof website will adopt the design of the target website and...

 it leads to) appear to belong to the spoofed organization. Misspelled URLs
Uniform Resource Identifier
In computing, a uniform resource identifier is a string of characters used to identify a name or a resource on the Internet. Such identification enables interaction with representations of the resource over a network using specific protocols...

 or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the tags) suggest a reliable destination, when the link actually goes to the phishers' site. The following example link,
Deception
Deception, beguilement, deceit, bluff, mystification, bad faith, and subterfuge are acts to propagate beliefs that are not true, or not the whole truth . Deception can involve dissimulation, propaganda, and sleight of hand. It can employ distraction, camouflage or concealment...

, appears to direct the user to an article entitled "Genuine"; clicking on it will in fact take the user to the article entitled "Deception". In the lower left hand corner of most browsers users can preview and verify where the link is going to take them. Hovering your cursor over the link for a couple of seconds may do a similar thing, but this can still be set by the phisher.

A further problem with URLs has been found in the handling of Internationalized domain name
Internationalized domain name
An internationalized domain name is an Internet domain name that contains at least one label that is displayed in software applications, in whole or in part, in a language-specific script or alphabet, such as Arabic, Chinese, Russian, Hindi or the Latin alphabet-based characters with diacritics,...

s (IDN) in web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...

s, that might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or homograph attack
IDN homograph attack
The internationalized domain name homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike,...

, phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain.
Even digital certificates do not solve this problem because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website.

Filter evasion


Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails.

Website forgery


Once a victim visits the phishing website the deception is not over. Some phishing scams use JavaScript
JavaScript
JavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....

 commands in order to alter the address bar
URL bar
An address bar is a feature in a web browser that either shows the current URL or accepts a typed URL that the user wishes to go to. Most address bars offer a list of suggestions while the address is being typed in. Auto-completion bases its search on the browser history...

. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.

An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting
Cross-site scripting
Cross-site scripting is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same...

) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

 appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal
PayPal
PayPal is an American-based global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders....

.

A Universal Man-in-the-middle
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...

 (MITM) Phishing Kit, discovered in 2007, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.

To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash
Adobe Flash
Adobe Flash is a multimedia platform used to add animation, video, and interactivity to web pages. Flash is frequently used for advertisements, games and flash animations for broadcast...

-based websites. These look much like the real website, but hide the text in a multimedia object.

Phone phishing


Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP
Voice over IP
Voice over Internet Protocol is a family of technologies, methodologies, communication protocols, and transmission techniques for the delivery of voice communications and multimedia sessions over Internet Protocol networks, such as the Internet...

 service) was dialed, prompts told users to enter their account numbers and PIN. Vishing
Vishing
Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP , to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and...

 (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

Other techniques

  • Another attack used successfully is to forward the client to a bank's legitimate website, then to place a popup window requesting credentials on top of the website in a way that it appears the bank is requesting this sensitive information.
  • One of the latest phishing techniques is tabnabbing
    Tabnabbing
    Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular Web sites by impersonating those sites and convincing the user that the site is genuine. The attack's name was coined in early 2010 by Aza Raskin, a security researcher...

    . It takes advantage of the multiple tabs that users use and silently redirects a user to the affected site.
  • Evil twins
    Evil twin (wireless networks)
    Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up by a hacker to eavesdrop on wireless communications among Internet surfers....

     is a phishing technique that is hard to detect. A phisher creates a fake wireless network that looks similar to a legitimate public network that may be found in public places such as airports, hotels or coffee shops. Whenever someone logs on to the bogus network, fraudsters try to capture their passwords and/or credit card information.

Damage caused by phishing


The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss.
It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...

 suffered losses caused by phishing, totaling approximately . United States businesses lose an estimated per year as their clients become victims.
In 2007, phishing attacks escalated. 3.6 million adults lost in the 12 months ending in August 2007.
Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at .
In the United Kingdom
United Kingdom
The United Kingdom of Great Britain and Northern IrelandIn the United Kingdom and Dependencies, other languages have been officially recognised as legitimate autochthonous languages under the European Charter for Regional or Minority Languages...

 losses from web banking fraud—mostly from phishing—almost doubled to in 2005, from in 2004, while 1 in 20 computer users claimed to have lost out to phishing in 2005.

The stance adopted by the UK banking body APACS
APACS
The UK Payments Administration Ltd is a United Kingdom trade organisation that brings together all payment systems organisations and gives banks, building societies and card issuers a forum where they can work together on non-competitive issues...

 is that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal." Similarly, when the first spate of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland
Bank of Ireland
The Bank of Ireland is a commercial bank operation in Ireland, which is one of the 'Big Four' in both parts of the island.Historically the premier banking organisation in Ireland, the Bank occupies a unique position in Irish banking history...

 initially refused to cover losses suffered by its customers (and it still insists that its policy is not to do so), although losses to the tune of
Euro
The euro is the official currency of the eurozone: 17 of the 27 member states of the European Union. It is also the currency used by the Institutions of the European Union. The eurozone consists of Austria, Belgium, Cyprus, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg,...

11,300 were made good.

Anti-phishing


There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. Most new internet browsers come with anti-phishing software
Anti-phishing software
Anti-phishing software consists of computer programs that attempt to identify phishing content contained in websites and e-mail. It is often integrated with web browsers and email clients as a toolbar that displays the real domain name for the website the viewer is visiting, in an attempt to...

.

Social responses


One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education
Education
Education in its broadest, general sense is the means through which the aims and habits of a group of people lives on from one generation to the next. Generally, it occurs through any experience that has a formative effect on the way one thinks, feels, or acts...

 can be effective, especially where training provides direct feedback. One newer phishing tactic, which uses phishing e-mails targeted at a specific company, known as spear phishing, has been harnessed to train individuals at various locations, including United States Military Academy
United States Military Academy
The United States Military Academy at West Point is a four-year coeducational federal service academy located at West Point, New York. The academy sits on scenic high ground overlooking the Hudson River, north of New York City...

 at West Point, NY. In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake e-mail from a non-existent Col. Robert Melville at West Point, were tricked into clicking on a link that would supposedly take them to a page where they would enter personal information. (The page informed them that they had been lured.)

People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the e-mail apparently originates to check that the e-mail is legitimate. Alternatively, the address that the individual knows is the company's genuine website can be typed into the address bar of the browser, rather than trusting any hyperlink
Hyperlink
In computing, a hyperlink is a reference to data that the reader can directly follow, or that is followed automatically. A hyperlink points to a whole document or to a specific element within a document. Hypertext is text with hyperlinks...

s in the suspected phishing message.

Nearly all legitimate e-mail messages from companies to their customers contain an item of information that is not readily available to phishers. Some companies, for example PayPal
PayPal
PayPal is an American-based global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders....

, always address their customers by their username in e-mails, so if an e-mail addresses the recipient in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. E-mails from banks and credit card companies often include partial account numbers.
However, recent research has shown that the public do not typically distinguish between the first few digits and the last few digits of an account number—a significant problem since the first few digits are often the same for all clients of a financial institution.
People can be trained to have their suspicion aroused if the message does not contain any specific personal information. Phishing attempts in early 2006, however, used personalized information, which makes it unsafe to assume that the presence of personal information alone guarantees that a message is legitimate. Furthermore, another recent study concluded in part that the presence of personal information does not significantly affect the success rate of phishing attacks, which suggests that most people do not pay attention to such details.

The Anti-Phishing Working Group
Anti-Phishing Working Group
The Anti-Phishing Working Group is an international consortium that brings together businesses affected by phishing attacks, security products and services companies, law enforcement agencies, government agencies, trade association, regional international treaty organizations and communications...

, an industry and law enforcement association, has suggested that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers. They predict that pharming
Pharming
Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving...

 and other uses of malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...

 will become more common tools for stealing information.

Everyone can help educate the public by encouraging safe practices, and by avoiding dangerous ones. Unfortunately, even well-known players are known to incite users to hazardous behaviour, e.g. by requesting their users to reveal their passwords for third party services, such as email.

Technical responses


Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures. The following are some of the main approaches to the problem.

Helping to identify legitimate websites


Most websites targeted for phishing are secure websites meaning that SSL
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

 with strong PKI cryptography is used for server authentication, where the website's URL is used as identifier. In theory it should be possible for the SSL authentication to be used to confirm the site to the user, and this was SSL v2's design requirement and the meta of secure browsing. But in practice, this is easy to trick.

The superficial flaw is that the browser's security user interface (UI) is insufficient to deal with today's strong threats. There are three parts to secure authentication using TLS and certificates: indicating that the connection is in authenticated mode, indicating which site the user is connected to, and indicating which authority says it is this site. All three are necessary for authentication, and need to be confirmed by/to the user.
Secure connection

The standard display for secure browsing from the mid-1990s to mid-2000s was the padlock. In 2005, Mozilla fielded a yellow address bar as a better indication of the secure connection. This innovation was later reversed due to the EV certificates, which replaced certain certificates providing a high level of organization identity verification with a green display, and other certificates with an extended blue favicon
Favicon
A favicon , also known as a shortcut icon, Web site icon, URL icon, or bookmark icon, is a file containing one small icons, most commonly 16×16 pixels, associated with a particular Web site or Web page...

 box to the left of the URL bar (in addition to the switch from "http" to "https" in the url itself).
Which site

The user is expected to confirm that the domain name in the browser's URL bar was in fact where they intended to go. URLs can be too complex to be easily parsed. Users often do not know or recognise the URL of the legitimate sites they intend to connect to, so that the authentication becomes meaningless. A condition for meaningful server authentication is to have a server identifier that is meaningful to the user; many ecommerce sites will change the domain names within their overall set of websites, adding to the opportunity for confusion. Simply displaying the domain name for the visited website as some anti-phishing toolbars do is not sufficient.

Some newer browsers, such as Internet Explorer 8
Internet Explorer 8
Windows Internet Explorer 8 is a web browser developed by Microsoft in the Internet Explorer browser series. The browser was released on March 19, 2009 for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Both 32-bit and 64-bit builds are available...

, display the entire URL in grey, with just the domain name itself in black, as a means of assisting users in identifying fraudulent URLs.

An alternate approach is the petname
Petname
Petname systems are naming systems that claim to possess all three naming properties - global, secure, and memorable . Software that uses such a system can satisfy all three requirements...

 extension for Firefox which lets users type in their own labels for websites, so they can later recognize when they have returned to the site. If the site is not recognised, then the software may either warn the user or block the site outright. This represents user-centric identity management of server identities. Some suggest that a graphical image selected by the user is better than a petname.

With the advent of EV certificates, browsers now typically display the organisation's name in green, which is much more visible and is hopefully more consistent with the user's expectations. Browser vendors have chosen to limit this prominent display only to EV certificates, leaving the user to fend for himself with all other certificates.
Who is the Authority

The browser needs to state who the authority is that makes the claim of who the user is connected to. At the simplest level, no authority is stated, and therefore the browser is the authority, as far as the user is concerned. The browser vendors take on this responsibility by controlling a root list of acceptable CAs. This is the current standard practice.

The problem with this is that not all certification authorities (CAs) employ equally good nor applicable checking, regardless of attempts by browser vendors to control the quality. Nor do all CAs subscribe to the same model and concept that certificates are only about authenticating ecommerce organisations. Certificate Manufacturing is the name given to low-value certificates that are delivered on a credit card and an email confirmation; both of these are easily perverted by fraudsters. Hence, a high-value site may be easily spoofed by a valid certificate provided by another CA. This could be because the CA is in another part of the world, and is unfamiliar with high-value ecommerce sites, or it could be that no care is taken at all. As the CA is only charged with protecting its own customers, and not the customers of other CAs, this flaw is inherent in the model.

The solution to this is that the browser should show, and the user should be familiar with, the name of the authority. This presents the CA as a brand, and allows the user to learn the handful of CAs that she is likely to come into contact within her country and her sector. The use of brand is also critical to providing the CA with an incentive to improve their checking, as the user will learn the brand and demand good checking for high-value sites.

This solution was first put into practice in early IE7 versions, when displaying EV certificates. In that display, the issuing CA is displayed. This was an isolated case, however. There is resistance to CAs being branded on the chrome, resulting in a fallback to the simplest level above: the browser is the user's authority.
Fundamental flaws in the security model of secure browsing

Experiments to improve the security UI have resulted in benefits, but have also exposed fundamental flaws in the security model. The underlying causes for the failure of the SSL authentication to be employed properly in secure browsing are many and intertwined.

Users tend not to check security information, even when it is explicitly displayed to them. For example, the vast majority of warnings for sites are for misconfigurations, not a MITM
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...

 (man in the middle attack). Users have learned to bypass the warnings and treat all warnings with the same disdain, resulting in Click-through syndrome. For example, Firefox 3 has a 4-click process for adding an exception, but it has been shown to be ignored by an experienced user in a real case of MITM.

Another underlying factor is the lack of support for virtual hosting. The specific causes are a lack of support for Server Name Indication
Server Name Indication
Server Name Indication is a feature that extends the SSL and TLS protocols. To properly secure the communication between a client and a server, the client requests a digital certificate from the server; once the server sends the certificate, the client examines it, uses it to encrypt the...

 in TLS webservers, and the expense and inconvenience of acquiring certificates. The result is that the use of authentication is too rare to be anything but a special case. This has caused a general lack of knowledge and resources in authentication within TLS, which in turn has meant that the attempts by browser vendors to upgrade their security UIs have been slow and lackluster.

The security model for secure browser includes many participants: user, browser vendor, developers, CA, auditor, webserver vendor, ecommerce site, regulators (e.g., FDIC), and security standards committees. There is a lack of communication between different groups that are committed to the security model. E.g., although the understanding of authentication is strong at the protocol level of the IETF committees, this message does not reach the UI groups. Webserver vendors do not prioritize the Server Name Indication
Server Name Indication
Server Name Indication is a feature that extends the SSL and TLS protocols. To properly secure the communication between a client and a server, the client requests a digital certificate from the server; once the server sends the certificate, the client examines it, uses it to encrypt the...

 (TLS/SNI) fix, not seeing it as a security fix but instead a new feature. In practice, all participants look to the others as the source of the failures leading to phishing, hence the local fixes are not prioritized.

Matters improved slightly with the CAB Forum, as that group includes browser vendors, auditors and CAs. But the group did not start out in an open fashion, and the result suffered from commercial interests of the first players, as well as a lack of parity between the participants. Even today, CAB forum is not open, and does not include representation from small CAs, end-users, ecommerce owners, etc.

Vendors commit to standards, which results in an outsourcing effect when it comes to security. Although there have been many and good experiments in improving the security UI, these have not been adopted because they are not standard, or clash with the standards. Threat models can re-invent themselves in around a month; Security standards take around 10 years to adjust.

Control mechanisms employed by the browser vendors over the CAs have not been substantially updated; the threat model has. The control and quality process over CAs is insufficiently tuned to the protection of users and the addressing of actual and current threats. Audit processes are in great need of updating. The recent EV Guidelines documented the current model in greater detail, and established a good benchmark, but did not push for any substantial changes to be made.

Browsers alerting users to fraudulent websites


Another popular approach to fighting phishing
is to maintain a list of known phishing sites
and to check websites against the list.
Microsoft's IE7 browser
Internet Explorer
Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year...

,
Mozilla Firefox
Mozilla Firefox
Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...

 2.0, Safari
Safari (web browser)
Safari is a web browser developed by Apple Inc. and included with the Mac OS X and iOS operating systems. First released as a public beta on January 7, 2003 on the company's Mac OS X operating system, it became Apple's default browser beginning with Mac OS X v10.3 "Panther". Safari is also the...

 3.2, and Opera
Opera (web browser)
Opera is a web browser and Internet suite developed by Opera Software with over 200 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail messages, managing contacts, chatting on IRC, downloading files via BitTorrent,...


all contain this type of anti-phishing measure. Firefox 2 used Google
Google
Google Inc. is an American multinational public corporation invested in Internet search, cloud computing, and advertising technologies. Google hosts and develops a number of Internet-based services and products, and generates profit primarily from advertising through its AdWords program...

 anti-phishing software.
Opera 9.1 uses live blacklists
Blacklist (computing)
In computing, a blacklist or block list is a basic access control mechanism that allows everyone access, except for the members of the black list . The opposite is a whitelist, which means allow nobody, except members of the white list...

 from
PhishTank
PhishTank
PhishTank is an anti-phishing site.PhishTank was launched in October 2006 by entrepreneur David Ulevitch as an offshoot of OpenDNS. The company offers a community-based phish verification system where users submit suspected phishes and other users "vote" if it is a phish or not.PhishTank is used...

 and GeoTrust
GeoTrust
GeoTrust is a large digital certificate provider.GeoTrust was a restarted company in 2001 that acquired the security business of Equifax. The Equifax business was the basis of its fast growth. The founders of the restarted company were CEO Neal Creighton, CTO Chris Bailey and Principal Engineer...

,
as well as live whitelists from GeoTrust
GeoTrust
GeoTrust is a large digital certificate provider.GeoTrust was a restarted company in 2001 that acquired the security business of Equifax. The Equifax business was the basis of its fast growth. The founders of the restarted company were CEO Neal Creighton, CTO Chris Bailey and Principal Engineer...

.
Some implementations of this approach
send the visited URLs to a central service to be checked,
which has raised concerns about privacy. According to a report by Mozilla in late 2006, Firefox 2 was found to be more effective than Internet Explorer 7 at detecting fraudulent sites in a study by an independent software testing company.

An approach introduced in mid-2006 involves switching to a special DNS service that filters out known phishing domains: this will work with any browser, and is similar in principle to using a hosts file
Hosts file
The hosts file is a computer file used in an operating system to map hostnames to IP addresses. The hosts file is a plain-text file and is conventionally named hosts.-Purpose:...

 to block web adverts.

To mitigate the problem of phishing sites impersonating a victim site by embedding its images (such as logos), several site owners have altered the images to send a message to the visitor that a site may be fraudulent. The image may be moved to a new filename and the original permanently replaced, or a server can detect that the image was not requested as part of normal browsing, and instead send a warning image.

Augmenting password logins


The Bank of America
Bank of America
Bank of America Corporation, an American multinational banking and financial services corporation, is the second largest bank holding company in the United States by assets, and the fourth largest bank in the U.S. by market capitalization. The bank is headquartered in Charlotte, North Carolina...

's website is one of several
that ask users to select a personal image,
and display this user-selected image
with any forms that request a password.
Users of the bank's online services are instructed to enter a password
only when they see the image they selected.
However, a recent study suggests few users refrain
from entering their password when images are
absent. In addition, this feature (like other forms of two-factor authentication
Two-factor authentication
Two-factor authentication is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is a part of the broader family of multi-factor authentication, which is a defense in depth approach to security...

) is susceptible to other attacks, such as those suffered by Scandinavian bank Nordea
Nordea
Nordea Bank AB is a Stockholm-based financial services group operating in Northern Europe. The bank is the result of the successive mergers and acquisitions of the Swedish, Finnish, Danish and Norwegian banks of Nordbanken, Merita Bank, Unibank and Kreditkassen that took place between 1997 and 2000...

 in late 2005, and Citibank
Citibank
Citibank, a major international bank, is the consumer banking arm of financial services giant Citigroup. Citibank was founded in 1812 as the City Bank of New York, later First National City Bank of New York...

 in 2006.

A similar system, in which an automatically generated "Identity Cue" consisting of a colored word within a colored box is displayed to each website user, is in use at other financial institutions.

Security skins are a related technique
that involves overlaying a user-selected image
onto the login form as a visual cue that the form is legitimate.
Unlike the website-based image schemes, however,
the image itself is shared only between the user and the browser,
and not between the user and the website. The scheme also relies on a mutual authentication
Mutual authentication
Mutual authentication or two-way authentication refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the...

 protocol, which makes it less vulnerable to attacks that affect user-only authentication schemes.

Still another technique relies on a dynamic grid of images that is different for each login attempt. The user must identify the pictures that fit their pre-chosen categories (such as dogs, cars and flowers). Only after they have correctly identified the pictures that fit their categories are they allowed to enter their alphanumeric password to complete the login. Unlike the static images used on the Bank of America website, a dynamic image-based authentication method creates a one-time passcode for the login, requires active participation from the user, and is very difficult for a phishing website to correctly replicate because it would need to display a different grid of randomly generated images that includes the user's secret categories.

Eliminating phishing mail


Specialized spam filters can reduce the number of phishing e-mails that reach their addressees' inboxes. These approaches rely on machine learning
Machine learning
Machine learning, a branch of artificial intelligence, is a scientific discipline concerned with the design and development of algorithms that allow computers to evolve behaviors based on empirical data, such as from sensor data or databases...

 and natural language processing
Natural language processing
Natural language processing is a field of computer science and linguistics concerned with the interactions between computers and human languages; it began as a branch of artificial intelligence....

 approaches to classify phishing e-mails.

Monitoring and takedown


Several companies offer banks and other organizations likely to suffer from phishing scams round-the-clock services to monitor, analyze and assist in shutting down phishing websites. Individuals can contribute by reporting phishing to both volunteer and industry groups, such as PhishTank
PhishTank
PhishTank is an anti-phishing site.PhishTank was launched in October 2006 by entrepreneur David Ulevitch as an offshoot of OpenDNS. The company offers a community-based phish verification system where users submit suspected phishes and other users "vote" if it is a phish or not.PhishTank is used...

. Individuals can also contribute by reporting phone phishing attempts to Phone Phishing, Federal Trade Commission.

Legal responses


On January 26, 2004, the U.S. Federal Trade Commission
Federal Trade Commission
The Federal Trade Commission is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act...

 filed the first lawsuit against a suspected phisher. The defendant, a California
California
California is a state located on the West Coast of the United States. It is by far the most populous U.S. state, and the third-largest by land area...

n teenager, allegedly created a webpage designed to look like the America Online website, and used it to steal credit card information. Other countries have followed this lead by tracing and arresting phishers. A phishing kingpin, Valdir Paulo de Almeida, was arrested in Brazil
Brazil
Brazil , officially the Federative Republic of Brazil , is the largest country in South America. It is the world's fifth largest country, both by geographical area and by population with over 192 million people...

 for leading one of the largest phishing crime rings, which in two years stole between and . UK authorities jailed two men in June 2005 for their role in a phishing scam, in a case connected to the U.S. Secret Service
United States Secret Service
The United States Secret Service is a United States federal law enforcement agency that is part of the United States Department of Homeland Security. The sworn members are divided among the Special Agents and the Uniformed Division. Until March 1, 2003, the Service was part of the United States...

 Operation Firewall, which targeted notorious "carder" websites. In 2006 eight people were arrested by Japanese police on suspicion of phishing fraud by creating bogus Yahoo Japan Web sites, netting themselves . The arrests continued in 2006 with the FBI
Federal Bureau of Investigation
The Federal Bureau of Investigation is an agency of the United States Department of Justice that serves as both a federal criminal investigative body and an internal intelligence agency . The FBI has investigative jurisdiction over violations of more than 200 categories of federal crime...

 Operation Cardkeeper detaining a gang of sixteen in the U.S. and Europe.

In the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...

, Senator
United States Senate
The United States Senate is the upper house of the bicameral legislature of the United States, and together with the United States House of Representatives comprises the United States Congress. The composition and powers of the Senate are established in Article One of the U.S. Constitution. Each...

 Patrick Leahy
Patrick Leahy
Patrick Joseph Leahy is the senior United States Senator from Vermont and member of the Democratic Party. He is the first and only elected Democratic United States Senator in Vermont's history. He is the chairman of the Senate Judiciary Committee. Leahy is the second most senior U.S. Senator,...

 introduced the Anti-Phishing Act of 2005
Anti-Phishing Act of 2005
The Anti-Phishing Act of 2005 was a United States bill to combat phishing and pharming...

 in Congress
United States Congress
The United States Congress is the bicameral legislature of the federal government of the United States, consisting of the Senate and the House of Representatives. The Congress meets in the United States Capitol in Washington, D.C....

 on March 1, 2005. This bill
Bill (proposed law)
A bill is a proposed law under consideration by a legislature. A bill does not become law until it is passed by the legislature and, in most cases, approved by the executive. Once a bill has been enacted into law, it is called an act or a statute....

, if it had been enacted into law, would have subjected criminals who created fake web sites and sent bogus e-mails in order to defraud consumers to fines of up to and prison terms of up to five years.
The UK strengthened its legal arsenal against phishing with the Fraud Act 2006
Fraud Act 2006
The Fraud Act 2006 is an Act of the Parliament of the United Kingdom. It affects England and Wales and Northern Ireland. It was given Royal Assent on 8 November 2006, and came into effect on 15 January 2007.-Purpose:...

, which introduces a general offence of fraud that can carry up to a ten year prison sentence, and prohibits the development or possession of phishing kits with intent to commit fraud.

Companies have also joined the effort to crack down on phishing. On March 31, 2005, Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...

 filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington
United States District Court for the Western District of Washington
The United States District Court for the Western District of Washington is the Federal district court whose jurisdiction comprises the following counties of the state of Washington: Clallam, Clark, Cowlitz, Grays Harbor, Island, Jefferson, King, Kitsap, Lewis, Mason, Pacific, Pierce, San Juan,...

. The lawsuits accuse "John Doe
John Doe
The name "John Doe" is used as a placeholder name in a legal action, case or discussion for a male party, whose true identity is unknown or must be withheld for legal reasons. The name is also used to refer to a male corpse or hospital patient whose identity is unknown...

" defendants of obtaining passwords and confidential information. March 2005 also saw a partnership between Microsoft and the Australian government
Government of Australia
The Commonwealth of Australia is a federal constitutional monarchy under a parliamentary democracy. The Commonwealth of Australia was formed in 1901 as a result of an agreement among six self-governing British colonies, which became the six states...

 teaching law enforcement officials how to combat various cyber crimes, including phishing. Microsoft announced a planned further 100 lawsuits outside the U.S. in March 2006, followed by the commencement, as of November 2006, of 129 lawsuits mixing criminal and civil actions. AOL
AOL
AOL Inc. is an American global Internet services and media company. AOL is headquartered at 770 Broadway in New York. Founded in 1983 as Control Video Corporation, it has franchised its services to companies in several nations around the world or set up international versions of its services...

 reinforced its efforts against phishing in early 2006 with three lawsuits seeking a total of under the 2005 amendments to the Virginia Computer Crimes Act, and Earthlink
EarthLink
EarthLink , is an Internet service provider headquartered in Atlanta, Georgia, USA. It claims 1.94 million subscribers.- Business :EarthLink provides a variety of Internet connection types, including dial-up, DSL, satellite, and cable. Both dial-up and high speed Internet access are available...

 has joined in by helping to identify six men subsequently charged with phishing fraud in Connecticut
Connecticut
Connecticut is a state in the New England region of the northeastern United States. It is bordered by Rhode Island to the east, Massachusetts to the north, and the state of New York to the west and the south .Connecticut is named for the Connecticut River, the major U.S. river that approximately...

.

In January 2007, Jeffrey Brett Goodin of California became the first defendant convicted by a jury under the provisions of the CAN-SPAM Act of 2003
CAN-SPAM Act of 2003
The CAN-SPAM Act of 2003 , signed into law by President George W. Bush on December 16, 2003, establishes the United States' first national standards for the sending of commercial e-mail and requires the Federal Trade Commission to enforce its provisions...

. He was found guilty of sending thousands of e-mails to America Online users, while posing as AOL's billing department, which prompted customers to submit personal and credit card information. Facing a possible 101 years in prison for the CAN-SPAM violation and ten other counts including wire fraud
Wire fraud
Mail and wire fraud is a federal crime in the United States. Together, 18 U.S.C. §§ 1341, 1343, and 1346 reach any fraudulent scheme or artifice to intentionally deprive another of property or honest services with a nexus to mail or wire communication....

, the unauthorized use of credit cards, and the misuse of AOL's trademark, he was sentenced to serve 70 months. Goodin had been in custody since failing to appear for an earlier court hearing and began serving his prison term immediately.

See also


  • Advanced Persistent Threat
    Advanced Persistent Threat
    Advanced persistent threat usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies...

  • Anti-phishing software
    Anti-phishing software
    Anti-phishing software consists of computer programs that attempt to identify phishing content contained in websites and e-mail. It is often integrated with web browsers and email clients as a toolbar that displays the real domain name for the website the viewer is visiting, in an attempt to...

  • Anti-Phishing Working Group
    Anti-Phishing Working Group
    The Anti-Phishing Working Group is an international consortium that brings together businesses affected by phishing attacks, security products and services companies, law enforcement agencies, government agencies, trade association, regional international treaty organizations and communications...

  • Brandjacking
    Brandjacking
    Brandjacking is an activity whereby someone acquires or otherwise assumes the online identity of another entity for the purposes of acquiring that person's or business's brand equity. The term combines the notions of 'branding' and 'hijacking', and has been used since at least 2007 when it appeared...

  • Certificate authority
    Certificate authority
    In cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...

  • Confidence trick
    Confidence trick
    A confidence trick is an attempt to defraud a person or group by gaining their confidence. A confidence artist is an individual working alone or in concert with others who exploits characteristics of the human psyche such as dishonesty and honesty, vanity, compassion, credulity, irresponsibility,...

  • E-mail spoofing
    E-mail spoofing
    Email spoofing is email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails...

  • FBI
  • Hacker (computer security)
    Hacker (computer security)
    In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...

  • In-session phishing
    In-session phishing
    In-session phishing is a form of phishing attack which relies on one web browsing session being able to detect the presence of another session on the same web browser, and to then launch a pop-up window that pretends to have been opened from the targeted session...

  • Internet fraud
    Internet fraud
    Internet fraud refers to the use of Internet services to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme....

  • Penetration test
    Penetration test
    A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders...

  • Pharming
    Pharming
    Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving...

  • PhishTank
    PhishTank
    PhishTank is an anti-phishing site.PhishTank was launched in October 2006 by entrepreneur David Ulevitch as an offshoot of OpenDNS. The company offers a community-based phish verification system where users submit suspected phishes and other users "vote" if it is a phish or not.PhishTank is used...

  • SiteKey
    SiteKey
    SiteKey is a web-based security system that provides one type of mutual authentication between end-users and websites. Its primary purpose is to deter phishing....

  • SMiShing
    SMiShing
    In computing, Smishing is a form of criminal activity using social engineering techniques similar to phishing. The name is derived from "SMs phISHING". SMS is the technology used for text messages on cell phones....

  • Social engineering
  • Spy-phishing
    Spy-phishing
    Spy-phishing is a term coined by Jeffrey Aboud of Trend Micro at the Virus Bulletin 2006 conference in Montreal.Defined as "crimeware" , spy-phishing capitalizes on the trend of "blended threats", it borrows techniques from both phishing and spyware...

  • Vishing
    Vishing
    Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP , to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and...

  • White collar crime
  • Wire fraud
    Wire fraud
    Mail and wire fraud is a federal crime in the United States. Together, 18 U.S.C. §§ 1341, 1343, and 1346 reach any fraudulent scheme or artifice to intentionally deprive another of property or honest services with a nexus to mail or wire communication....


External links