Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies
Phishing is a form of electronic identity theft in which social engineering and Web site spoofing are combined to trick a user into revealing confidential information of economic value. Because social engineering exploits the human factor, no single technical control can eliminate it, which is why empirical experiments are essential for studying and analysing the techniques and strategies behind deceptive phishing Web site attacks. In this paper, three phishing experiment case studies were conducted to shed light on social engineering attacks, including phone phishing and phishing Web site attacks, with the aims of designing effective countermeasures and assessing how effective security awareness training about phishing threats is. The results and users' reactions to the experiments show the importance of phishing awareness training for all users and of redoubling efforts to develop phishing prevention techniques. The results also suggest that the traditional standard phishing indicators are not always effective for detecting phishing Web sites, and that alternative, intelligent phishing detection approaches are needed.
Keywords: Phishing; Web site; e-Banking; Social engineering; Malicious attack; Security awareness
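The abstract's closing claim, that standard phishing indicators are not always effective, can be seen with a small rule-based checker. The following Python is an added example, not code or data from the paper: the indicators it scores (IP-address host, "@" in the authority part, URL length, subdomain depth, a non-HTTPS scheme, a hyphenated host, credential-related keywords) are common ones from the phishing-detection literature, while the thresholds, the flagging rule and the sample URLs are constructed assumptions. The sample set includes a typosquatted phishing URL that trips no indicator and a legitimate banking URL that trips several, which is the failure mode the abstract points at.

```python
"""Rule-based phishing URL indicators and how they misfire (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Assumed thresholds; the paper does not state which values it used.
LONG_URL = 75            # characters
MAX_SUBDOMAIN_DEPTH = 3  # host labels beyond "registered-domain.tld"
KEYWORDS = ("login", "secure", "verify", "update", "account")


def _host_is_ip(host: str) -> bool:
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def indicators(url: str) -> dict:
    """Evaluate common URL-level indicators; True means 'looks suspicious'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".") if host else []
    return {
        "ip_host": _host_is_ip(host),
        # userinfo before '@' lets "bank.example@203.0.113.7" read as the bank
        "at_sign": "@" in parts.netloc,
        "long_url": len(url) > LONG_URL,
        "deep_subdomain": len(labels) - 2 >= MAX_SUBDOMAIN_DEPTH,
        "no_https": parts.scheme.lower() != "https",
        "hyphen_in_host": "-" in host,
        "keyword": any(k in url.lower() for k in KEYWORDS),
    }


def score(url: str) -> int:
    """Number of indicators that fired."""
    return sum(indicators(url).values())


def is_flagged(url: str, threshold: int = 3) -> bool:
    """Assumed decision rule: flag when at least `threshold` indicators fire."""
    return score(url) >= threshold


# Constructed sample set (url, is_phishing); hypothetical domains, not paper data.
SAMPLES = [
    ("http://203.0.113.7/ebank/login.php", True),                     # IP host
    ("https://www.example-bank.com@203.0.113.7/verify", True),        # '@' trick
    ("https://examp1ebank.com/", True),                               # typosquat, 0 hits
    ("https://www.example-bank.com/", False),                         # legitimate
    ("https://online.retail.secure.example-bank.com/auth/login"
     "?return=%2Faccounts%2Fsummary&session=0123456789abcdef0123456789abcdef",
     False),                                                          # legitimate, many hits
]


def evaluate(samples=SAMPLES, threshold: int = 3) -> dict:
    """Confusion counts of the indicator rule over a labelled sample set."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for url, phishing in samples:
        flagged = is_flagged(url, threshold)
        key = ("t" if flagged == phishing else "f") + ("p" if flagged else "n")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for url, phishing in SAMPLES:
        fired = [k for k, v in indicators(url).items() if v]
        print(f"{'PHISH' if phishing else 'LEGIT'} score={score(url)} {url}\n    {fired}")
    print(evaluate())
```

With the assumed threshold of three, the two classic phishing URLs are caught, the typosquatted one scores zero (a false negative), and the long, deeply nested legitimate banking URL scores four (a false positive); lowering the threshold to catch the typosquat only increases the false positives, which is the gap that intelligent, feature-weighting detectors are meant to close.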