Courses/Computer Science/CPSC 203/CPSC 203 2007Fall L04/CPSC 203 2007Fall L04 TermProjects/Phishing for Trouble

Group Name


Group Members

Charlotte Jones

Jocelyne Ung

Josh Campbell

Kiel Donahue

Sanni Onnela

Initial Project Statement
Are internet providers doing enough to protect their users from phishing? Phishing manifests through emails, through pop-up advertisements and also on websites. This project will explore how phishing defeats security systems, why people are vulnerable to it and, furthermore, what we can do as internet users to inform and protect ourselves more so in the future. We will focus mainly on phishing occurring through email, rather than via websites and pop-ups.

Argument
In this project we will argue alongside the position that phishing is harmful and detrimental to society. We feel that internet providers are doing all they can to protect society from the intelligence of phishing hackers. It is the responsibility of users to educate and inform themselves about the issue. There are many available applications, software programs and resources to protect and inform ourselves; however, society is vulnerable because we are inexpert on the subject.

What is Phishing?
The word ‘phishing’ refers to the act of luring Internet users to a counterfeit website or sending authentic-appearing emails to users with the aim of obtaining passwords, personal and/or financial information. The word is derived from the idea that fishermen use bait to lure fish in, which is parallel to internet phishing in the sense that hackers and online criminals 'phish' for personal information by using replicated bait to lure them in unsuspectingly. Phishing is directed at generally everyone; however, those who are uneducated are the ones who get hit hardest with the consequences.

Phishers send out mass emails hoping that someone is going to be unaware, firstly, that the email is not from a legitimate source, and secondly, that Internet users should never give out personal information unless it is to a well-known and credible site. Here lies the problem: phishers pose as people from just those websites, such as amazon.com, ebay.com and your local bank, so it is hard to tell what is kosher and what is not.

Phishing can occur in many forms: ‘link manipulation’ forces people to illegitimate websites when they think they're on the right path; ‘website forgery’ takes the design of a legitimate website and modifies it to suit the phisher's purpose; and phishing via the telephone, in which phishers call and ask you to verify credit card or personal information over the phone. The goal of the phisher is, no matter the method, to get credit card information and personal information, to obtain access to bank accounts, and, to the best of their abilities, use the stolen information to spend as much money as they can or steal your identity first in order to do so.

The History and Development
Phishing has become one of the most popular forms of crime of the 21st century. Starting in the mid-1990s, phishing has been detrimental to millions of users on the Internet, such as online shoppers and email account clients. In 1997, the word 'phishing' finally became worldwide when it first appeared in the media.

The first attempt at mass phishing occurred in 1996 when hackers posing as AOL Staff sent messages over the Internet to real AOL customers telling them to submit their account passwords to them. As a result, the hackers gained access to many AOL member accounts as well as previous client billing information.

In years following the 1996 incident, phishing crimes grew to become more than just emails sent to unsuspecting users. Phishing websites, or websites that replicate official websites, have become more and more popular on the Internet scene. These websites trick unsuspicious shoppers into confirming their past credit information, credit card numbers and passwords to shopping accounts.

Several variations on the 1996 scam also include opening up fake pharmacies, banks and loan firm websites in order to acquire information. Moreover, with the development of new technologies and gained computer intelligence, other forms of phishing began to appear in the 21st century such as fake banner advertising and phishing from a middle-man perspective.

From the aforementioned middle-man perspective, phishers can place themselves between an online shopper/customer and a legitimate website. From there, the phisher can act for the shopper or for the website, tracing all the information passing between the two and using this information to their advantage.

The Five Steps
Phishers usually go about the process of fooling internet users through several steps:

1. Planning Stage – First, the hacker has to decide upon which business to pose as, and also how to obtain email addresses for the customers that they will send the email to – keeping in mind that they have to make sure those customers are real customers of the legitimate business. Phishers are known to use the same address collection technique as spammers and use a similar mass-emailing procedure.

2. Preparation Stage – After the business and its customers have been chosen, the hacker now has to steal logos and corporate-looking headings to post in the email. Sometimes, a fake website is also used; in the email, there may be a link to follow to “confirm information” – this leads the internet user to the phony website created by the hacker.

3. Attacking Stage – At this stage, the imitation website is fully operational and the logos and headings have been stolen or created and put together in an official-looking email. This is where the phisher physically sends the mass emails out to the customers of the reputable business, posing as the business itself or someone from it.

4. Reaping Stage – The hackers take down the personal, financial or other information that the customers have “confirmed” or “verified for the business records” through the email or via the counterfeit website created and linked through the email.

5. Consequences Stage – This is where the identity theft, fraud and crimes occur. The hackers take the sensitive information they obtained through the reaping stage and use that information to make illegal purchases and commit identity theft and/or fraud.

How Hackers Make It "Authentic"
The method that hackers use to create the authentic-looking websites is fairly straightforward, though time-consuming. A study report by Harvard and Berkeley in 2006 concluded that "Successful phishers must not only present a high credibility web presence to their victims; they must create a presence that is so impressive that it causes the victim to fail to recognize security measures installed in web browsers".

The key to fooling internet users is appearing one hundred ten per cent legitimate. Corporate colours need to be used and followed through, and logos need to be accurate and placed correctly in emails. Websites need to work smoothly and be easy to access and read, and the URL to the website from the email needs to look genuine. The text in the email needs to be concise and professional, and is usually “authorized” and closed by a high-positioned person within the company. The crucial part of the creation and execution of phishing is in the details.

Logos can be duplicated in, copied into and modified through programs such as Photoshop, which are all purchasable through general retail. Fairly simple to catch on to, Photoshop makes it easy for phishers to cut and paste logos and modify them to fit the layout of their email. Faced with a seemingly-secure website, many internet users, who are generally uninformed about the subject, don’t think twice about giving up their information and the like because the emails and linked websites seem so real. Because the phisher has planned the attack and has sent out a mass email to the clients of a familiar company, it doesn’t always seem suspicious. This way, internet users are susceptible to attacks and, in turn, to becoming victims of identity theft and fraud.

Protecting Yourself from Phishers
The task of creating programs that will completely protect you against phishing is one that will be going on for as long as phishing is used. The various forms of phishing make this task an even harder one. Some software programs and applications will protect you against certain aspects, such as giving passwords out to illegitimate sites, and some will even block pop-ups that are suspicious. Even more effort is required to block threatening emails from reaching your inbox, let alone to keep uneducated Internet users from being susceptible to them. Some programs run in the background of many computers without the user’s knowledge – this is, however, a good thing. They are constantly working in the user’s defense. For example, Internet Explorer 7.0 has a built-in phishing filter that scans every website before it is even displayed on your screen. They call it, originally, the ‘Phishing Filter’.

How Does a Phishing Filter Protect Me?
There are three ways that the Phishing Filter helps to protect you from phishing scams.

1. Phishing filters compare every website an Internet user visits against a list of reported phishing sites. This list is stored on the user’s computer.

2. They have the ability to analyze the characteristics of the website in order to see if it is similar to any known and common phishing websites.

3. Finally, with a user’s consent, phishing filters send certain website addresses to Microsoft, for example, to be further checked against a frequently updated list of reported phishing websites.

If a website is one that is on Microsoft’s or another’s list of phishing websites, a warning screen will activate and users can then choose to trust the website themselves or not; in the latter case, they wouldn’t proceed.
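The three checks above, sketched as an added example (not code from Internet Explorer, Firefox or this project). The blocklist entry, the brand table and the remote_lookup callback are constructed assumptions, and the heuristics are a small illustrative subset of what a real filter analyzes.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not real indicators).
LOCAL_BLOCKLIST = {"login.bank-example.invalid"}
PROTECTED_BRANDS = {"amazon": "amazon.com", "ebay": "ebay.com"}


def heuristic_flags(url):
    """Check 2: characteristics shared by common phishing addresses."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")        # bare IP instead of a name
    except ValueError:
        pass
    if parts.username is not None:
        flags.append("userinfo-in-url")        # text before '@' is not the host
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")         # possible look-alike characters
    for brand, real in PROTECTED_BRANDS.items():
        if brand in host and host != real and not host.endswith("." + real):
            flags.append("brand-outside-" + real)
    return flags


def check_url(url, consent=False, remote_lookup=None):
    """Return (verdict, reasons); verdict is 'block', 'warn' or 'allow'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LOCAL_BLOCKLIST:                    # check 1: list on the computer
        return "block", ["local-list"]
    flags = heuristic_flags(url)                   # check 2: site characteristics
    if consent and remote_lookup is not None:      # check 3: only with consent
        if remote_lookup(url):                     # hypothetical online service
            return "block", flags + ["remote-list"]
    return ("warn" if flags else "allow"), flags
```

A 'warn' verdict corresponds to the warning screen described above, where the user decides whether to trust the site; without consent the address is never passed to the online lookup.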

Free Programs for Protection
The following are some of the most common free programs that can help users protect themselves against phishing attacks.

If you use Firefox as an Internet browser: The program that Firefox uses to protect its users from phishing scams is very similar to that used in Internet Explorer 7.0. This program works by checking the sites that users browse against a list of known phishing sites. This list is automatically updated and regularly downloaded. Since phishing attacks can occur very quickly, Firefox also has an option to check the sites that users browse to against an online service for more up-to-date protection.

If you use Windows Live Hotmail: One security feature of Windows Live Hotmail is that users can report any emails that look like phishing emails, or that are even simply suspicious. By doing this, users can send any future emails from the suspicious sender straight to ‘Junk Mail’. Another feature offered by Hotmail is to mark addresses as ‘safe’ or ‘unsafe’. If a user marks a sender as ‘safe’, anything that the address sends will be placed safely in the user’s email. If a sender is marked as ‘unsafe’, anything that the address sends will either not come through at all, or is sent to a specified folder such as Junk Mail. Even then, any links or pictures will be locked and a user won’t have the ability to access them unless the address is changed to ‘safe’.

Victims
Phishing emails can look very real and it is often hard to tell them from legitimate ones with an inexperienced eye. Professional phishing emails might, for example, appear to be from a user’s actual bank and look exactly like a real email from them. The links in the email will resemble real ones, but they will actually take users to a different Internet page. If users proceed to the next step, their information is stolen in one way or another.

Internet users should be informed that banks never ask for personal information over email, and therefore users should be careful before giving out any information. Phishing emails often threaten that your account will be closed unless you take immediate action, so many Internet users don’t think twice about giving information about themselves up.

A high percentage of phishing scams could be avoided by being informed about scams and reading suspicious emails carefully. As many as seventy-five per cent of scams could be avoided by simply checking the address of the site. It is possible for phishers to alter the URL that is displayed in the address bar, and it is here that most Internet users are caught.

Even the most obvious phishing emails manage to trick some people. An example of an obviously fake email could have spelling errors, have misshapen formatting, or even have a made-up company name. But, when a user ‘wins a contest’, many don’t pay attention to the company name and that is why the latter method works. The success of such scams is based on the volume. Emails are sent to millions of people and even though some Internet users ignore them, there are still many inexperienced people who fall for them.

Conclusion
Phishing is dangerous to society and needs to be constantly monitored in order to keep track of the changes it makes to get to your confidential information. This monitoring can be done by care from the user, and also from software programs and applications that do it for them.

The rate at which phishing has been continuously expanding is increasing almost indefinitely; phisher intelligence is always developing with the help of advancing technology and computer intelligence. From simple emails, to replicated websites and pop-ups, phishers are finding out new and innovative methods to con naïve internet users out of their money and more importantly, their identities.

Similarly, the aforementioned software programs and applications can use the advancing technology and computer intelligence to become smarter and block more and superior phishing methods. Phishing filters and blockers will similarly try and keep up with the hackers.

As it stands, phishing doesn’t look like it’s slowing down any time soon. Since phishing’s debut in the 1990s, ways of getting at Internet users’ personal information via the Internet have been constantly changing and being manipulated. Nevertheless, the main problem is that Internet users are uneducated – uneducated about phishing itself, and also about how they can go about protecting themselves from it. So we, as Internet users ourselves, can help stop phishers from succeeding.

References (Information Review)
http://hotmail.com

http://dictionary.reference.com/browse/phishing

http://www.netlingo.com/lookup.cfm?term=phishing

http://www.netlingo.com/lookup.cfm?term=spoof+Web+site

http://www.sans.org/top20/#h2

http://money.howstuffworks.com/phishing.htm

http://www.mozilla.com/en-US/firefox/phishing-protection/

http://www.microsoft.com/presspass/press/2005/nov05/11-17EnhancesPhishingProtectionPR.mspx

http://www.occ.treas.gov/consumer/phishing.htm

http://www.redteam-pentesting.de/advisories/rt-sa-2005-014.txt

http://www.microsoft.com/protect/products/yourself/office2007.mspx

http://www.antiphishing.org/

http://www.hoax-slayer.com/phisher-scams.html

http://72.14.253.104/search?q=cache:slP1mp2y87AJ:www.nextgenss.com/papers/NISR-WP-Phishing.pdf+phishing+information&hl=en&ct=clnk&cd=6&gl=ca

http://72.14.253.104/search?q=cache:b-zN54PK1EIJ:people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf+how+phishing+works&hl=en&ct=clnk&cd=3&gl=ca

http://www.securityfocus.com/brief/176

http://www.digitalstrategy.govt.nz/templates/Page____60.aspx

http://www.the-cma.org/?WCE=C=47%7CK=225551

http://www.microsoft.com/protect/yourself/phishing/identify.mspx

http://www.wiredsafety.org/safety/email_safety/phishing/index.html

http://www.oreillynet.com/pub/a/network/2005/10/25/what-is-phishing.html

http://www.millersmiles.co.uk/faq.php

http://www.computerworld.com/securitytopics/security/story/0,10801,89096,00.html

http://tech.yahoo.com/blogs/hughes/4337

http://inhome.rediff.com/money/2004/dec/20spec.htm

http://images.businessweek.com/ss/05/05/hacker_phishing/index_01.htm

http://technology.inc.com/security/articles/200609/phishing.html

http://www.emailtrackerpro.com/support/phishing.html

http://www.johntp.com/2006/01/12/what-is-phishing/

http://www.cyberoam.com/phishing.html

http://www.caribvoice.org/Consumer's%20Corner/pishing.html

http://www.windowsitpro.com/Article/ArticleID/44060/44060.html

http://hhi.corecom.com/phishing.htm

http://research.microsoft.com/research/pubs/view.aspx?id=1647&type=Publication

http://www.occ.treas.gov/consumer/PhishBrochFINAL-SCREEN.pdf

http://sparrow.ece.cmu.edu/~parno/phishing/

http://www.reflexion.net/control/phishing.php

http://antivirus.about.com/od/emailscams/ss/phishing.htm

http://www.wordspy.com/words/phishing.asp

http://www.lse.ac.uk/itservices/help/phishing.htm

http://www.boutell.com/newfaq/definitions/phishing.html

http://us.trendmicro.com/us/threats/home-user/common-threats/phishing/

http://www-128.ibm.com/developerworks/web/library/wa-cranky60.html?ca=drs-

http://www.badphisher.com/myspace-phishing

http://www.phishinginfo.org/

http://www.nextgenss.com/papers/NISR-WP-Phishing.pdf

http://ezinearticles.com/?Secret-Tips-To-Prevent-Phishing-Attack&id=708699

http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm

http://www.rsa.com/glossary/default.asp?id=1037

http://www.sec.gov/investor/pubs/phishing.htm

http://www.technicalinfo.net/papers/Phishing.html

http://www.aba.com/Consumer+Connection/033104PHISH.htm

http://www.pcworld.com/article/id,138150-pg,1/article.html

http://www.internetidentity.com/html/newsrelease-20060418.html

http://www.cbc.ca/technology/story/2007/04/13/tech-facebookphishing-20070413.html

http://www.darkreading.com/document.asp?doc_id=136035
