PHISHING ATTACK TYPES & MITIGATION STRATEGIES

SARIM KHAWAJA
VERSION 1.1
27 OCTOBER 2013

1 INTRODUCTION

Phishing, otherwise known as carding or brand spoofing [1], is a malicious attempt to acquire personal information from a user. The personal information sought may include, but is not limited to, usernames, passwords and bank account/credit card details. Since the user is more likely to respond to someone known to them, the attacker may pose as the user's bank, email provider, company IT administrator, or social networking website.

The term phishing may originate from the phrase "password harvesting fishing" [2], or may be an adaptation of the term phreak/phone freak [3]. The word is analogous to fishing, as the attacker uses an email as bait to catch usernames and passwords.

In the traditional model, an attacker sends an authentic-looking email to thousands of addresses. The PCs of the small percentage of users that act on the email by downloading the attachment are then infected with a Trojan or other malware.

Phishing is a serious threat to consumers as well as to organizations. Industry sectors most targeted for phishing attacks in the first quarter of 2013 were payment services (45.48%), financial (23.95%), retail/service (9.84%), ISP (8.52%), and gaming (5.66%), and the top country hosting phishing sites was the U.S. [4]. According to estimates, 5% of adults in the U.S. fall prey to phishing every year [5], with total damages of $3.2 billion in 2007 alone [6].

The brand and reputation of a business is damaged by its customers becoming targets of phishing scams. The experience can make users wary of fraud, making them less likely to do business online, which in turn means loss of revenue for the company.

New types and techniques of phishing attacks are continuously being developed and utilized. Businesses must be proactive in defending against such attacks.

2 PHISHING IN THE GULF REGION

According to Symantec, Saudi Arabia and the UAE are the most vulnerable to phishing attacks in the Gulf region [7]. In 2010, Information Security Solution Provider IT Matrix detected 1145 unique phishing attacks in the UAE, while the occurrence in Saudi Arabia was the highest of the region for 2007 and 2008 [8]. Following a phishing attack on Saudi Aramco in August 2012, more than 30000 computers were compromised [9]. Saudi Arabia also faces the highest risk of privacy exposure due to malicious Android app usage [10].

A conference paper examined the susceptibility of 200 undergraduate students in Saudi Arabia to phishing [11]. They were divided randomly into two groups: click-a-link emails (after which the user was sent to a login page) and reply-directly emails. A total of 14 students fell victim to the emails, 12 of whom had responded to the click-a-link email.

3 TYPES OF PHISHING

Since the first incident of phishing in 1996 [3], phishing has evolved and now has several different classifications.

3.1 SPEAR PHISH

This variation of phishing involves some reconnaissance, planning and information gathering in advance of casting the bait, and is so called because it is more specific than spam phishing. The information may be publicly available from social networking sites, or may be obtained by methods of social engineering. This information is then used to
craft a specific email, the content of which either appeals to the interests of the particular user or seems to be genuinely addressed to them, making them more likely to fall for the deception.

3.2 ROCK PHISH

Rock-phishing involves purchasing several domains which are a random mixture of alphanumeric characters. All of these domains are used to make URLs with unique identifiers, and these URLs resolve to the single IP address of a compromised machine. When that machine is removed, the DNS is adjusted to point to another machine in the botnet. Rock Phish was also the name of a phishing gang. On average, Rock Phish sites stay live for longer than typical ones [12].

3.3 FAST-FLUX

Fast-flux types are related to Rock Phish attacks in that they also generally use botnets of compromised machines, which act as proxy servers so as to hide the actual location of the attacker. There are, however, multiple simultaneous IP addresses in use, and these fluctuate after a regular interval of time [12].

3.4 TILDE PHISH

Tilde Phish use a new style of multiple URLs that point to websites on several domains, when in reality they send the user to one and the same phishing website. This method uses the fact that some web servers are configured to allow file path viewing on any virtual domain hosted on that server. The URLs contain a tilde (~), hence the name [13].

3.5 WATER-HOLING

This technique involves locating an online resource or website that is frequently visited by a target audience, compromising it, and exploiting vulnerabilities in visitors' browsers to extract credentials and install malware.

3.6 PHARMING (DNS-BASED PHISHING)

This term refers to any sort of phishing attack that abuses the DNS lookup process for a particular domain name. This can be done either by redirecting the user's DNS to a malicious server, by hacking an existing, legitimate DNS server, or by changing the PC's hosts file through malware.

3.7 WHALING

When top-level executives or high-value targets are the victims, phishing becomes whaling. This technique is homonymous with whaling, the hunting of whales, which are large fish.

4 TOOLS & TECHNIQUES

4.1 SPAM (CLASSIC PHISHING)

An official-looking email, professing to be from an organization such as a bank, payment or money transfer business, or a coworker, either requires the user to confirm their account, or claims that the user has been selected for a prize. Some variations involve embedded links to fake webpages, while others involve attachments containing Trojans and malware. On the fake webpages, the user may be required to enter details for their email or bank accounts, which are then transferred to the proponent of the phishing scam. Almost all of these emails have an underlying sense of urgency, such as "this offer expires in 24 hours" or "if you do not respond to this email within 24 hours, your account will be closed". The addresses from which these emails originate are sometimes a slight variation of the original entity's domain ([email protected] vs. [email protected]), known as fuzzy domains
or look-alike domains [1]; however, they may also be a random selection of words and alphanumeric characters.

4.2 INSTANT MESSAGING AND SOCIAL NETWORKING

The same underlying principle as the email/spam technique can be used with Instant Messaging or Social Networking accounts being used instead of email accounts.

4.3 SMS (SMISHING)

This method uses SMS to deliver the bait. Typically, the user receives a text message informing them that their account has been compromised or deactivated. They are then directed to a spoofed website or vishing line (see below) to recover the account, where they are asked for their credentials.

4.4 TABNABBING

An apparently normal page has a script embedded in it which detects when the tab has lost focus for some time. The favicon and title of the page, as well as the page itself, are then replaced by a page similar to an organization's official login page. The user may think that they forgot to close that page, and possibly enter their credentials into it, thereby compromising their account.

4.5 VISHING/PHONE PHISHING

Phone phishers often use VoIP to set up a number which potential victims can call. These numbers may be advertised by means of email or by hacking a genuine website, and some may even spoof their caller ID to appear to be from a reputable organization. When called, these lines require the user to input their account details.

4.6 PHLASHING (FLASH-BASED PHISHING SITES)

Since it is relatively easy to detect phishing sites that are copies of genuine sites through automated software, a new form of phishing emerged which involves using Flash-based sites. Flash-based sites are not as easily recognized as HTML phishing sites by specialized software. This breed of attacks was first seen in 2006 [14].

4.7 TYPO SQUATTING

The basic principle of this technique is registering a domain name that a user may accidentally type instead of the original, and possibly not notice. The fake site on that domain usually looks very similar to the genuine one, and a busy or novice user may not notice their typo and continue using the fake site.

4.8 URL MANIPULATION/MASQUERADING

A hyperlink has two parts: the text visible to the user, and the underlying link, and the two need not be the same. Masqueraded URLs leverage this discrepancy to make the user believe that clicking a certain link will take them to the official login page, when in reality the link sends the user to the fake page.

4.9 SESSION HIJACKING

This can be performed remotely through a man-in-the-middle attack (see below) or locally using malware. Once the user has logged in with their credentials, the malware hijacks the session and performs malicious actions, which may include extracting credentials.

4.10 MAN-IN-THE-MIDDLE

An attacker places himself between the user and a genuine website, most often using ARP spoofing. Any authentication requests are
sent through the attacker and can therefore be compromised.

4.11 EVIL TWINS

Public places such as cafés and airports often have public Wi-Fi services. An attacker can easily set up their own Wi-Fi hotspot in this area with the same SSID and authentication (if present). Credentials of any users that connect to the network and visit certain websites can be sniffed.

4.12 BROWSER SPOOFING VULNERABILITIES

As with any piece of software, browsers may also have vulnerabilities in their code, which can be exploited to obfuscate the address bar so that the site looks SSL authenticated, or to install malware on the victim's PC. Although all the currently listed vulnerabilities already have security patches available [15], they can still be exploited on a machine that is not up to date on its patches.

4.13 BOTS/BOTNETS

Botnets can be leveraged for phishing, as the processing power, bandwidth, and disk space of the computers on which they reside can extend the scope of the phishing attack.

5 MITIGATION TECHNIQUES

5.1 USER-DEPENDENT

5.1.1 TWO-FACTOR AUTHENTICATION

This is a mechanism that requires proof of two out of the following three properties: what you have, what you know, and what you are. So apart from your account name and password (know), you may be required to undergo a fingerprint or retinal scan (are), or possess (have) a smartcard or hardware token. Additionally, this hardware token may generate a regularly varying component. Certain banks have implemented a system whereby customers are given a number of Transaction Numbers (TANs) every month, to approve single transactions [15].

5.1.2 BROWSER PLUGINS

Certain anti-phishing browser plugins exist that use crowd-sourced and phishing blacklist databases to determine the authenticity of a website, and warn users of potentially fake sites, or block them altogether.

5.1.3 ANTIVIRUS SOFTWARE WITH SPAM-FILTERING AND WEB PROTECTION

Antivirus software has become much more than just a program that scans your files. Most modern-day antivirus software contains web, email and spam protection, and these can be critical in preventing the user from falling victim to phishing. However, these protection suites must be kept up to date or the PC is left vulnerable to the latest variations of the attack. Some of the techniques used by this type of software are content blacklisting, blocking email from relays known to send out spam, and Bayesian spam filtering [15].

5.1.4 END-USER AWARENESS AND EDUCATION

Organizations can take a proactive approach to fraud by educating their employees, end-users and consumers about potential signs of fraud. In case of a specific phishing attack, alerts can be issued on official websites, in the news, and via email. The user can be educated to approach links in email with extreme caution, to ensure SSL is being used (via the address bar), and to scrutinize the domain name. Although all of these can be spoofed to avoid suspicion [16], this at least provides another layer of protection against most amateur phishing attacks.
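The discrepancy described in 4.8, between what a hyperlink shows and where it actually goes, can be checked mechanically by a mail gateway before the message reaches the user. The following Python example is added here and is not part of the paper. The HTML message, the domain names (bank-example.com, bank-exarnple.net, the documentation address 203.0.113.10) and the two-label "registrable domain" heuristic are constructed assumptions for illustration, not a public suffix list. It goes one step beyond the paper's description in also flagging a link whose real host is preceded by user-info (text before an '@'), since a browser discards that prefix while a reader may take it for the destination.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or host name (assumption: this
# crude pattern is enough to illustrate the check; it is not a full URL grammar).
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?$", re.I)

# Constructed sample message: one honest link, two masqueraded ones, one plain one.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://login.bank-example.com/">sign in</a> to confirm your account.</p>
<p>Or visit <a href="http://203.0.113.10/login">https://www.bank-example.com/secure</a> now.</p>
<p>Or <a href="https://www.bank-example.com@bank-exarnple.net/">www.bank-example.com</a></p>
<p>Unsubscribe: <a href="https://www.bank-example.com/unsub">www.bank-example.com/unsub</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: the last two labels (assumption; no public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_masqueraded_links(html):
    """Return (visible_text, real_host, reasons) for every anchor that misrepresents its target."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        parts = urlsplit(href)
        real_host = (parts.hostname or "").lower()
        if not real_host:
            continue  # relative links carry no host to compare against
        reasons = []
        if parts.username:
            # everything before '@' is user-info, not the host, so a trusted-looking
            # prefix in the URL says nothing about where the link really goes
            reasons.append("user-info '%s' precedes the real host" % parts.username)
        shown = HOST_IN_TEXT.match(text)
        if shown and registrable(shown.group(1)) != registrable(real_host):
            reasons.append("text shows %s but the link resolves to %s" % (shown.group(1), real_host))
        if reasons:
            findings.append((text, real_host, reasons))
    return findings


if __name__ == "__main__":
    for text, host, reasons in find_masqueraded_links(SAMPLE_EMAIL):
        print("%-40s -> %-20s %s" % (text, host, "; ".join(reasons)))
```

Links whose visible text is ordinary prose ("sign in") are deliberately not flagged by the host comparison: the paper's point is the mismatch between a displayed address and the real one, and a gateway that rewrote every prose link would produce nothing but noise. Those links are better handled by the blacklist lookups of 5.1.2 and 5.2.2.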
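Section 5.1.1 mentions a hardware token that generates a regularly varying component and banks that hand out single-use TANs. The following Python example is added here and is not from the paper; it shows both mechanisms using only the standard library: an HOTP/TOTP implementation following RFC 4226 and RFC 6238, a verifier that tolerates one time step of clock drift and compares every candidate in constant time, and a small single-use TAN sheet. The secret "12345678901234567890" is the published RFC 6238 test key, used so the codes can be checked against the RFC's vectors; the TanSheet class and its API are this example's own invention, not a description of any bank's system.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Accept the current step and +/- window neighbours to absorb clock drift.

    Every candidate is compared, and compared in constant time, so the verifier's
    timing does not reveal which step (if any) matched.
    """
    now = time.time() if for_time is None else for_time
    counter = int(now) // step
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate.encode(), str(code).encode()):
            matched = True
    return matched


class TanSheet:
    """A batch of single-use transaction numbers (hypothetical helper for illustration)."""

    def __init__(self, count=10, digits=6):
        self._unused = set()
        while len(self._unused) < count:
            # CSPRNG-backed; the loop tops up if a duplicate is drawn
            self._unused.add(str(secrets.randbelow(10 ** digits)).zfill(digits))

    def issued(self):
        return sorted(self._unused)

    def redeem(self, tan):
        """Approve one transaction; a TAN already used (or never issued) is rejected."""
        if tan in self._unused:
            self._unused.remove(tan)
            return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test secret, not a real credential
    print("TOTP at T=59:", totp(key, for_time=59, digits=8))   # RFC vector: 94287082
    print("TOTP now:    ", totp(key))
    sheet = TanSheet(count=3)
    first = sheet.issued()[0]
    print("TAN", first, "first use:", sheet.redeem(first), "second use:", sheet.redeem(first))
```

A replay of a TOTP code within the same step, or of a TAN, is the failure mode a server has to handle itself: record the last accepted counter per user and refuse anything at or below it, exactly as `TanSheet.redeem` refuses a number it has already crossed off.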
5.2 USER-INDEPENDENT

5.2.1 LEXICAL ANALYSIS

Recognition of common word patterns and phrases in phishing messages is one of the earliest methods of spam and phishing detection.

5.2.2 SENDER REPUTATION ANALYSIS

Some phishing senders have a certain pattern to their domain names, and these may be blacklisted on well-known sites:

spamhaus.org/sbl
ers.trendmicro.com
mxtoolbox.com/blacklists.aspx

Permutations of existing domains are also ideal candidates for phishing use.

5.2.3 ATTACHMENT SIGNATURE RECOGNITION

Most email providers avail themselves of the services of security companies that provide online scanning of all incoming and outgoing attachments.

5.2.4 SECURE SOCKETS LAYER (SSL)

SSL is a protocol that secures browsing by encrypting transmission, while using certificates to ensure the identity of both sides. SSL uses HTTPS instead of HTTP. While not completely foolproof on its own [17], this technology in combination with others can be one of the indications as to the authenticity of a website. When a website is detected to be SSL secured by a browser, a small padlock icon appears in the address bar.

5.2.5 WEBSITE TAKEDOWN

When a phishing website is detected, the DNS and hosting provider can be notified. After analyzing it themselves, they usually take down the website or remove the DNS records.

6 SUMMARY

Phishing is an ever-increasing and evolving threat to businesses. It takes advantage of human behaviors such as curiosity, trust or compassion.

As these attacks develop in complexity, the world is also taking positive steps in anti-phishing efforts. There are several organizations committed to fighting online fraud, such as the Internet Crime Complaint Center, the National Cyber-Forensics and Training Alliance, and the Anti-Phishing Working Group.

Although there isn't an all-encompassing technology to stop phishing, a mixture of best practices, constant diligence, and correct application of the latest technologies can reduce the frequency of phishing attacks and the ensuing loss.
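The lexical analysis of 5.2.1 and the Bayesian spam filtering named in 5.1.3 are the two oldest content-based defences, and they combine naturally: one matches known urgency phrases, the other learns word statistics. The Python example below is added here and is not from the paper. It trains a multinomial naive Bayes classifier with add-one smoothing on a constructed eight-message corpus (far too small for production, but enough to show the mechanics), matches the urgency phrases the paper quotes in 4.1, and folds both signals into one verdict. The corpus, the cue list and the verdict rule are assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed training corpus (assumption): a few phishing and a few legitimate messages.
PHISH_TRAINING = [
    "urgent your account will be closed verify your account within 24 hours",
    "click here to confirm your password your account has been suspended",
    "you have been selected for a prize claim now by logging in",
    "security alert unusual login confirm your bank account details immediately",
]
HAM_TRAINING = [
    "meeting moved to 3pm tomorrow please bring the quarterly report",
    "lunch on friday the team is going to the new place downtown",
    "attached are the slides from this morning thanks for the feedback",
    "can you review the pull request when you have a moment",
]

# Lexical cues: the urgency phrases quoted in 4.1 plus a few common variants (assumed list).
URGENCY_CUES = [
    "within 24 hours", "account will be closed", "verify your account",
    "confirm your", "click here", "selected for a prize", "has been suspended",
]


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes over word counts, with add-one (Laplace) smoothing."""

    def __init__(self):
        self.word_counts = {"phish": Counter(), "ham": Counter()}
        self.doc_counts = {"phish": 0, "ham": 0}
        self.vocab = set()

    def train(self, label, text):
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_likelihood(self, label, tokens):
        total = sum(self.word_counts[label].values())
        vocab_size = len(self.vocab)
        logp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))  # class prior
        for tok in tokens:
            # add-one smoothing: a word never seen in this class must not zero the product
            logp += math.log((self.word_counts[label][tok] + 1) / (total + vocab_size))
        return logp

    def p_phish(self, text):
        """Posterior probability that the message is phishing (log-space, underflow-safe)."""
        tokens = tokenize(text)
        lp = self._log_likelihood("phish", tokens)
        lh = self._log_likelihood("ham", tokens)
        shift = max(lp, lh)
        return math.exp(lp - shift) / (math.exp(lp - shift) + math.exp(lh - shift))


def lexical_cues(text):
    lowered = text.lower()
    return [cue for cue in URGENCY_CUES if cue in lowered]


def build_filter():
    nb = NaiveBayesFilter()
    for msg in PHISH_TRAINING:
        nb.train("phish", msg)
    for msg in HAM_TRAINING:
        nb.train("ham", msg)
    return nb


def analyze(nb, text):
    """Combine the statistical score with the lexical cue count into a single verdict."""
    p = nb.p_phish(text)
    cues = lexical_cues(text)
    verdict = "phish" if p >= 0.5 or len(cues) >= 2 else "ham"
    return {"p_phish": round(p, 4), "cues": cues, "verdict": verdict}


if __name__ == "__main__":
    nb = build_filter()
    for sample in (
        "Your account has been suspended. Verify your account within 24 hours or your account will be closed.",
        "Thanks for the slides, can you send the report?",
    ):
        print(analyze(nb, sample))
```

The two signals fail in different ways, which is why both are kept: the phrase list is easy for a sender to evade by rewording, while the word statistics degrade gracefully but need retraining as vocabulary drifts. Scoring in log space matters even at this size, since a forty-word message already multiplies forty probabilities far below 1.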
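Sections 4.1 (fuzzy or look-alike domains), 4.7 (typo squatting) and 5.2.2 (permutations of existing domains, blacklist lookups) all come down to the same defensive question: does this sender's domain stand in a suspicious relation to a domain we protect? The Python example below is added here and is not from the paper. It classifies a sender domain against a protected list using three checks (homoglyph folding, edit distance, and a brand name embedded under an unrelated registrable domain) and also builds the reversed-octet query name used to consult a DNS blocklist such as the Spamhaus SBL zone the paper lists. The protected domain, the sender names, the homoglyph table and the two-label "registrable domain" heuristic are constructed assumptions; no network lookup is performed.

```python
# Glyph pairs that look alike in common fonts (assumed list; extend for your own brands).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

# Constructed protected list: the domains whose look-alikes we want to catch.
PROTECTED_DOMAINS = ["bank-example.com"]


def fold_homoglyphs(text):
    """Map visually confusable sequences to their plain counterparts."""
    folded = text.lower()
    for glyph, plain in HOMOGLYPHS:
        folded = folded.replace(glyph, plain)
    return folded


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) with the classic two-row DP."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def registrable(host):
    """Crude registrable-domain guess: the last two labels (assumption; real tools use the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender_domain(sender_domain, protected=PROTECTED_DOMAINS, max_edits=2):
    """Return (verdict, matched protected domain, reason) for one sender domain."""
    host = sender_domain.lower().strip(".")
    reg = registrable(host)
    for legit in protected:
        legit_reg = registrable(legit)
        brand = legit_reg.split(".")[0]
        if reg == legit_reg:
            return ("trusted", legit, "registrable domain matches")
        if fold_homoglyphs(reg) == fold_homoglyphs(legit_reg):
            return ("lookalike", legit, "homoglyph substitution of %s" % legit_reg)
        edits = levenshtein(reg, legit_reg)
        if edits <= max_edits:
            return ("lookalike", legit, "edit distance %d from %s" % (edits, legit_reg))
        if brand in host:
            # e.g. bank-example.com.login-verify.net: the brand is only a subdomain label
            return ("lookalike", legit, "brand '%s' embedded in unrelated domain %s" % (brand, reg))
    return ("unknown", None, "no relation to a protected domain")


def dnsbl_query_name(ip, zone):
    """Query name for an IPv4 address in a DNS blocklist zone: reversed octets under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    for sender in ("alerts.bank-example.com", "bank-exarnple.com", "bank-exmple.com",
                   "bank-example.co", "bank-example.com.login-verify.net", "mail.example.org"):
        print("%-36s %s" % (sender, classify_sender_domain(sender)))
    print(dnsbl_query_name("203.0.113.10", "sbl.spamhaus.org"))  # name a resolver would be asked for
```

The brand-containment check is the one to tune: a short brand name will match innocent domains, so in practice it is applied only to brands of a few characters or more, or paired with a reputation score. The TLD swap ("bank-example.co") is caught by the edit-distance rule, which is why the comparison is made on the whole registrable domain rather than on the first label alone.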
7 REFERENCES

[1] L. James, Phishing Exposed, Syngress Publishing, Inc., 2005.

[2] A. V. Mahajan, "Phishing and Man-in-the-Middle Attacks," University of Southern California.

[3] A. S. Martino and X. Perramon, "Phishing Secrets: History, Effects, and Countermeasures," International Journal of Network Security, vol. 11, no. 3, pp. 163-171, 2010.

[4] Anti-Phishing Working Group (APWG), "Phishing Activity Trends Report," 1st Quarter 2013.

[5] The Anti-Phishing Group at Indiana University, "Stopphishing.com - Protect the Public," 2006. [Online]. Available: indiana.edu/~phishing/?prot_public. [Accessed 20 October 2013].

[6] A. Bergholz, J. D. Beer, S. Glahn, M.-F. Moens, G. Paaß and S. Strobel, "New Filtering Approaches for Phishing Email," International Journal of Computer Trends and Technology (IJCTT), vol. 4, no. 6, June 2013.

[7] "Saudi Arabia, UAE rank high for phishing attacks: Symantec," Arab News, 30 November 2011. [Online]. Available: arabnews.com/node/399661. [Accessed 20 October 2013].

[8] G. Enzer, "UAE hit hard by increasing phishing," ITP.net, 26 April 2011. [Online]. Available: itp.net/584599-uae-hit-hard-by-increasing-phishing. [Accessed 20 October 2013].

[9] W. Mahdi, "Saudi Arabia Says Aramco Cyberattack Came From Foreign States," Bloomberg.com, 9 December 2012. [Online]. Available: bloomberg.com/news/2012-12-09/saudi-arabia-says-aramco-cyberattack-came-from-foreign-states.html. [Accessed 20 October 2013].

[10] K. Kanchi, "Fake applications, phishing sites hit smartphone users," The Hindu Business Line, 23 May 2013. [Online]. Available: thehindubusinessline.com/industry-and-economy/info-tech/fake-applications-phishing-sites-hit-smartphone-users/article4742336.ece. [Accessed 20 October 2013].

[11] I. Alseadoon, T. Chan, E. Foo and J. G. Nieto, "Who is more susceptible to phishing emails?: A Saudi Arabian study," in 23rd Australasian Conference on Information Systems, 2012.

[12] T. Moore and R. Clayton, "The Impact of Incentives on Notice and Take-down," in Managing Information Risk and the Economics of Security, Springer US, 2009, pp. 199-223.

[13] B. Gyawali, T. Solorio, M. Montes-y-Gómez, B. Wardman and G. Warner, "Evaluating a Semisupervised Approach to Phishing URL Identification in a Realistic Scenario," Department of Computer and Information Sciences, University of Alabama at Birmingham.

[14] R. Miller, "Phishing Attacks Continue to Grow in Sophistication," Netcraft, 15 January 2007. [Online]. Available: http://news.netcraft.com/archives/2007/01/15/phishing_attacks_continue_to_grow_in_sophistication.html. [Accessed 20 October 2013].

[15] J. Milletary, "Technical Trends in Phishing Attacks," US-CERT, 2005.

[16] A. Emigh, "Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures," ITTC Report on Online Identity Theft Technology and Countermeasures, 2005.

[17] R. Lininger and R. D. Vines, Phishing: Cutting the Identity Theft Line, Wiley Publishing, Inc., 2005.

[18] G. Enzer, "UAE hit hard by increasing phishing," ITP.net, 26 April 2011. [Online]. Available: itp.net/584599-uae-hit-hard-by-increasing-phishing. [Accessed 20 October 2013].