Cognitive Computation

, Volume 2, Issue 3, pp 242–253 | Cite as

Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

  • Maher Aburrous
  • M. A. Hossain
  • Keshav Dahal
  • Fadi Thabtah
Article

Abstract

Phishing is a form of electronic identity theft in which a combination of social engineering and Web site spoofing techniques is used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing Web site attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing Web site attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed.

Keywords

Phishing Web site e-Banking Social engineering Malicious attack Security awareness 

References

  1. 1.
    Alnajim A, Munro M. An evaluation of users’ tips effectiveness for phishing websites detection, 978-1-4244-2917-2/08, IEEE; 2008. p. 63–68.Google Scholar
  2. 2.
    APWG. Phishing activity trends report. 2005. http://antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf. Accessed 12 Apr 2007.
  3. 3.
    APWG. Phishing activity trends report. 2008. http://antiphishing.org/reports/apwg_report_sep2008_final.pdf. Accessed 9 March 2009.
  4. 4.
  5. 5.
    Brooks J. Anti-phishing best practices: keys to aggressively and effectively protecting your organization from phishing attacks, White Paper, Cyveillance; 2006.Google Scholar
  6. 6.
    Business Security Guidance. How to protect insiders from social engineering threats. 2006. www.microsoft.com/technet/security/default.mspx. Accessed 8 Apr 2006.
  7. 7.
    Chou N, Ledesma R, Teraguchi Y, Boneh D, Mitchell J. Client side defense against web-based identity theft. In: Proceeding of the 11th annual Network and Distributed System Security Symposium (NDSS ‘04); 2004.Google Scholar
  8. 8.
    Dhamija R, Tygar J. The battle against phishing: dynamic security skins. In: Proceedings of ACM Symposium on Usable Security and Privacy (SOUPS 2005); 2005. p. 77–88.Google Scholar
  9. 9.
    Dhamija R, Tygar J, Marti H. Why phishing works. In: CHI ‘06: Proceedings of the SIGCHI conference on human factors in computing systems. ACM Press, New York; 2006. p. 581–590.Google Scholar
  10. 10.
    FDIC. Putting an end to account-hijacking identity theft, FDIC, Technical Report [Online]. 2004. Available: http://www.fdic.gov/consumers/consumer/idtheftstudy/identitytheft.pdf. Accessed 18 Apr 2007.
  11. 11.
    FFIEC. E-Banking Introduction, Federal Financial Institutions Examination Council, Information Technology Examination Handbook (IT Handbook InfoBase). 2003. Available Online: http://www.ffiec.gov/ffiecinfobase/booklets/e_banking/ebanking_00_intro_def.html. Accessed 15 June 2007.
  12. 12.
    Fu A, Wenyin L, Deng X. Detecting phishing web pages with visual similarity assessment based on Earth Mover’s Distance (EMD). IEEE Trans Dependable Secur Comput. 2006;3(4):301–11.CrossRefGoogle Scholar
  13. 13.
    Gabber E, Gibbons P, Kristol D, Matias Y, Mayer A. Consistent, yet anonymous, web access with LPWA. Commun ACM. 1999;42(2):42–7.CrossRefGoogle Scholar
  14. 14.
    Gartner. 2007. (http://www.gartner.com/it/page.jsp?id=565125). Accessed 10 Sept 2007.
  15. 15.
    Gefen D. Reflections on the dimensions of trust and trustworthiness among online consumers. ACM SIGMIS Database. 2002;33(3):38–53.CrossRefGoogle Scholar
  16. 16.
    Herzberg A, Gbara A. Protecting naive web users, Draft of July 18; 2004.Google Scholar
  17. 17.
    Jagatic T, Johnson N, Jakobsson M, Menczer F. Social phishing, community. ACM. 2007;50(10):94–100.CrossRefGoogle Scholar
  18. 18.
    Jakobsson M. Modeling and preventing phishing attacks, School of Informatics Indiana University at Bloomington; 2005.Google Scholar
  19. 19.
    Jakobsson M, Tsow A, Shah A, Blevis E, Lim Y. What instills trust? A qualitative study of phishing. Bloomington: Indiana University; 2007. p. 356–61.Google Scholar
  20. 20.
    James L. Phishing exposed, Tech Target Article sponsored by: Sunbelt software. 2006. searchexchange.com.
  21. 21.
    Kinjo H, Snodgrass JG. Is there a picture superiority effect in perceptual implicit tasks? Eur J Cogn. 2000;12(2):145–64.CrossRefGoogle Scholar
  22. 22.
    Kirda E, Kruegel C. Filching attack of on-line status. J Netw Secur Technol Appl. 2005;6(4):17–20.Google Scholar
  23. 23.
    Kirda E, Kruegel C Protecting users against phishing attacks with antiphishing. In: Proceedings of the 29th annual international Computer Software and Applications Conference (COMPSAC); 2005b. p. 517–524.Google Scholar
  24. 24.
    Liu W, Guanglin H, Liu X, Xiaotie D, Zhang M. Phishing webpage detection. In: Proceedings of the 2005 eight international conference on Document Analysis and Recognition (ICDAR’05), IEEE; 2005. p. 560–564.Google Scholar
  25. 25.
    Microsoft Corporation. Microsoft phishing filter: a new approach to building trust in E-Commerce Content, White Paper; 2008.Google Scholar
  26. 26.
    Ollmann G. The phishing guide, understanding and preventing phishing attacks (online available). 2004. http://www.nextgenss.com/papers/NISR-WP-Phishing.pdf.
  27. 27.
    PassMark. Two-factor two-way authentication, PassMark Security. 2005. http://www.passmarksecurity.com.
  28. 28.
    Pettersson J, Fischer-Hübner S, Danielsson N, Nilsson J, Bergmann M, Clauss S, Kriegelstein T, Krasemann H. Making prime usable. In: Proceedings of SOUPS’05. ACM Press, Pittsburgh; 2005. p. 53–64.Google Scholar
  29. 29.
    Phishtank. 2008 http://www.phishtank.com/phish_archive.php. Accessed 14 Nov 2008.
  30. 30.
    Rhodes JS. Human memory limitations and web site usability. 1998. Moving WebWord from http://www.webword.com/moving/memory.html. Accessed 28 May 2008.
  31. 31.
    Ross B, Jackson C, Miyake N, Boneh D, Mitchell J. Stronger password authentication using browser extensions. In: Proceedings of the 14th Usenix Security Symposium; 2005.Google Scholar
  32. 32.
    Sharif T. Phishing filter in IE7. 2005. http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx. Accessed 6 Apr 2007.
  33. 33.
    Stenberg G. Conceptual and perceptual factors in the picture superiority effect. Eur J Cogn. 2006;18(6):813–47.CrossRefGoogle Scholar
  34. 34.
    Stepp M. Phishhook: a tool to detect and prevent phishing attacks. In: DIMACS workshop on theft in E-Commerce: content, identity, and service; 2005.Google Scholar
  35. 35.
    Suh B, Han I. Effect of trust on customer acceptance of Internet banking. Electron Commer Res Appl. 2002;1(3):247–63.CrossRefGoogle Scholar
  36. 36.
    Watson D, Holz T, Mueller S. Know your enemy: phishing, behind the scenes of phishing attacks, The Honeynet Project & Research Alliance; 2005.Google Scholar
  37. 37.
    Wu M, Miller R, Little G. Web wallet: preventing phishing attacks by revealing user intentions. MIT Computer Science and Artificial Intelligence Lab; 2006.Google Scholar
  38. 38.
    Ye Z, Smith S. Trusted paths for browsers. ACM Trans Inform Syst Secur. 2005;8(2):153–86.CrossRefGoogle Scholar
  39. 39.
    Zin A, Yunos Z. How to make online banking secure, article published in The Star InTech; 2005.Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Maher Aburrous
    • 1
  • M. A. Hossain
    • 1
  • Keshav Dahal
    • 1
  • Fadi Thabtah
    • 2
  1. 1.Department of ComputingUniversity of BradfordBradfordEngland, UK
  2. 2.MIS DepartmentPhiladelphia UniversityAmmanJordan

Personalised recommendations