
Computer Crime (Phishing): Hacking to Money

CHAPTER 1 Computer Crime (Phishing): Hacking To Money

1. Introduction

There seems to be little question that several sweeping changes in the overall state of IT practice, coupled with equally broad changes in the habits of the criminal world, are making significant, hard-hitting attacks easier and more lucrative for their perpetrators (Richardson, 2013). Computer crime is any use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy (Merriam-Webster). Cybercrime, especially through the Internet, has grown in importance as the computer has become central to commerce, entertainment, and government. It is a broad category: it covers criminal acts committed against a user's computer as well as acts in which the computer is the principal tool. When people talk about computer crime they usually mean that a computer was the medium, object, subject or instrument of the crime. Earlier changes in technology also gave individuals opportunities to commit new crimes, or made traditional crimes easier to commit, but the threats they posed to society remained acceptable and could generally be managed by local or state law enforcement. A further distinction can be made for crimes in which the computer's role is purely incidental; these include traditional crimes such as fraud, piracy, forgery, extortion, theft and pornography. Moreover, the worldwide reach of the Internet allows a cybercriminal to harm thousands, if not millions, of victims who need not be located in the same geographic area. With the proliferation of the personal computer and the worldwide interconnection of such computers through the Internet, modern computer crime therefore presents greater risks to society, and unique challenges to law enforcement, than in the past.

Fundamentals of Research

PUPQC 1

Perhaps the most prominent form of computer crime is identity theft, in which criminals use the Internet to steal personal information from other users. Two of the most common ways this is done are phishing and pharming. Both methods lure users to fake websites that appear legitimate, where they are asked to enter personal information: login information such as usernames and passwords, phone numbers, addresses, credit card numbers, bank account numbers, and other data criminals can use to "steal" another person's identity. So what is phishing? The name is a play on fishing: the attacker casts bait and waits for a bite. More precisely, phishing is a scam by which an e-mail user is duped into revealing personal or confidential information that the scammer can then use illicitly. As stated above, it is a computer crime in which the criminal tricks the victim into entering personal information, including login credentials, which the phisher can then use to take over the victim's identity.

1.1. Rationale for this Research

In the current era there are many computer users, because computers make our tasks easier and save time. A computer and an Internet connection are essential elements of our generation, and they are used heavily for entertainment, for example social media sites such as Facebook, Twitter, Multiply and Tumblr. Alongside these users are many computer criminals looking for victims. This study aims to learn more about computer crime, about how computer criminals use computers to victimize innocent people, and about the other crimes computer criminals commit.

1.2. Statement of the Problem

Phishing and identity theft are among the fastest-growing crimes in the world. Cyber criminals usurp the identity of their victims for the purpose of theft, fraud or other malicious activities.

1. What is phishing?
2. What categories of phishing do phishers use?
3. What methods do phishers use to find their victims?
4. How do phishers attack their victims?

1.3. Objectives

This research aims to learn more about phishing and identity theft, so that we are aware of the possibilities should we become victims. Cyber criminals target everyone with access to the Internet; almost two thirds of Internet users have been victims of some sort of computer crime. Nevertheless, most attacks are opportunistic: criminals go after vulnerable targets to achieve their goals.
a. To know more about phishing
b. To know more about the techniques used by cyber criminals and the countermeasures against them
c. To know the safety measures that help avoid becoming a victim of computer crime

1.4. Methods

The researcher uses the descriptive method: a research method that gathers data in order to describe and interpret the subject of study from the point of view of its objectives. The method focuses on the details that are significant to what is being described. Data collection under this method is simple, because the work lies in analyzing the details to be described.

1.5 Structure of the research
Writing up a research study or dissertation can be difficult, so creating a structure or plan is a good starting point. It helps to visualize the finished study and to recognize the process to follow. This research paper provides background in the introduction, and the method and results sections are more detailed and specific. It closes with conclusions and recommendations. The paper is also open to comments and suggestions so that it can be improved.

CHAPTER II

Review of related literature and studies

This chapter provides an introduction to phishing attack techniques and reviews related human factors studies and techniques to counter phishing attacks. It also presents the related literature reviewed by the researcher. The sources used to acquire facts came from the Internet: articles, electronic books, news articles and other electronic publications. These articles and e-books helped the researcher develop a deeper insight into the study.

Overview

The research literature reviewed in this chapter can be classified into the following categories:
a. Understanding of attacks in general and of phishing in particular;
b. Investigation of human factors in security; and
c. Techniques to prevent and detect phishing attacks.

Phishing Attacks

Phishing is a special type of social engineering attack. Ollmann (2005) describes the anatomy of phishing attacks and surveys phishing attack prevention techniques. He describes phishing threats from the following three aspects:

a. Social engineering factors;
b. How phishing messages are delivered to victims via email, web, IRC, instant messenger, and Trojan horses; and
c. Techniques used in phishing attacks such as man-in-the-middle attacks, URL obfuscation, cross-site scripting, preset session attacks, etc.
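As an added example (not code from the paper or from Ollmann's report), the following Python script flags several of the URL obfuscation tricks listed under (c): a username before '@' that hides the real host, raw or decimal-encoded IP addresses, percent-encoded or non-ASCII characters in the host name, and brand names appearing in, or closely misspelled as, domains the brand does not own (the www.mybankvalidate.info pattern discussed in Chapter III). The brand list, the legitimate domains and the sample URLs are assumptions constructed for the illustration; a production check would consult the public-suffix list instead of taking the last two labels as the registered domain.

```python
"""Flag common URL obfuscation tricks used in phishing links.
Added illustration for this chapter, not code from the paper or from Ollmann's report.
The brand list, legitimate domains and sample URLs below are constructed."""
import ipaddress
from urllib.parse import urlsplit, unquote

# Assumption: brand labels we want to protect, and the domains that really belong to them.
PROTECTED_BRANDS = ["mybank", "paypal"]
LEGIT_DOMAINS = {"mybank.com", "paypal.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude approximation of the registered domain: the last two labels.
    A real check should consult the public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_url(url):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()

    # 1. http://mybank.com@evil.example/ - everything before '@' is userinfo, not the host.
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host %r" % host)

    # 2. Raw IP instead of a domain name (dotted or decimal form).
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address, not a domain name")
        return findings
    except ValueError:
        pass
    if host.isdigit():
        findings.append("host is a decimal-encoded IP address")
        return findings

    # 3. Encoding tricks in the host name.
    if "%" in host:
        findings.append("percent-encoded characters in host name")
        host = unquote(host)
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("non-ASCII or punycode (IDN) characters in host name")

    # 4. Brand name inside a domain the brand does not own, or a close misspelling of it.
    reg = registrable_domain(host)
    if reg not in LEGIT_DOMAINS:
        second_level = reg.split(".")[0]
        for brand in PROTECTED_BRANDS:
            if any(brand in label for label in host.split(".")):
                findings.append("brand %r appears inside unrelated domain %r" % (brand, reg))
                break
            if second_level != brand and edit_distance(second_level, brand) <= 2:
                findings.append("domain %r is a lookalike of brand %r" % (reg, brand))
                break
    return findings


def is_suspicious(url):
    return bool(analyze_url(url))


if __name__ == "__main__":
    # Constructed samples: one legitimate link and several obfuscated ones.
    for sample in [
        "https://www.mybank.com/statement",
        "http://mybank.com@203.0.113.5/login",
        "https://www.mybankvalidate.info/verify",
        "http://3232235777/",
        "http://www.rnybank.com/",
        "http://www.%6dybank.com/",
    ]:
        print(sample, "->", analyze_url(sample) or "ok")
```

The check deliberately stops after an IP-address finding, since the brand heuristics make no sense for a numeric host; the lookalike threshold of two edits is tuned for short brand labels and would need raising for longer ones.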

In his report he also provides detailed advice on how to use existing technologies to counter phishing threats from both client and server sides as well as on what organizations can do to prevent them. He identifies the following countermeasures that can be applied on the client side:

a. Desktop protection technologies;
b. Utilization of appropriate, less sophisticated communication settings;
c. User application-level monitoring solutions;
d. Locking down browser capabilities;
e. Digital signing and validation of email; and
f. Keeping naming systems simple and understandable.

Finally, he also suggests that businesses and ISPs should use technologies to protect against phishing attacks at the enterprise level. The following enterprise solutions are suggested:

a. automatic validation of sending email server addresses;
b. digital signing of email services;
c. monitoring of corporate domains and notification of similar registrations;
d. perimeter or gateway protection agents; and
e. third-party managed services.
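Item (c), watching for registrations of similar-looking domains, is usually automated by generating the permutations a squatter would register and comparing them against feeds of new registrations. The Python script below is an added illustration of that idea (not code from the paper or from Ollmann's report); the seed domain, the homoglyph table, the affix list and the "newly registered domains" feed are constructed assumptions.

```python
"""Generate the lookalike domains a brand-monitoring job should watch for and
match them against a feed of new registrations.
Added illustration, not code from the paper. All data below is constructed."""

# Assumption: characters that look alike in common fonts (a small subset).
HOMOGLYPHS = {"m": ["rn"], "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "b": ["d"], "a": ["e"]}
# Assumption: TLDs worth watching and affixes phishers commonly bolt onto a brand.
TLDS = ["com", "net", "org", "info"]
AFFIXES = ["secure", "login", "validate", "support", "update"]


def label_variants(label):
    """Return the set of single-edit and affixed variants of one domain label."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])          # omission:      mybnk
        variants.add(label[:i] + label[i] + label[i:])   # repetition:    mybbank
        for glyph in HOMOGLYPHS.get(label[i], []):       # homoglyph:     rnybank
            variants.add(label[:i] + glyph + label[i + 1:])
        if i + 1 < len(label):                           # transposition: mybnak
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for affix in AFFIXES:                                # affix: mybank-validate, mybanklogin
        variants.update({label + "-" + affix, affix + "-" + label, label + affix, affix + label})
    variants.add(label)                                  # same label under another TLD
    return variants


def typosquat_candidates(domain):
    """All watched domains for 'label.tld', excluding the brand's own domain."""
    label, _tld = domain.rsplit(".", 1)
    return {"%s.%s" % (v, t) for v in label_variants(label) for t in TLDS} - {domain}


def flag_new_registrations(domain, feed):
    """Entries of a new-registration feed that collide with the watch list."""
    watch = typosquat_candidates(domain)
    return sorted(d.lower() for d in feed if d.lower() in watch)


# Constructed stand-in for a daily list of newly registered domains.
NEW_REGISTRATIONS = ["example.org", "rnybank.com", "mybankvalidate.info", "mybank.net", "otherbank.com"]

if __name__ == "__main__":
    print(len(typosquat_candidates("mybank.com")), "domains on the watch list")
    print("new registrations to notify on:", flag_new_registrations("mybank.com", NEW_REGISTRATIONS))
```

In practice the watch list is regenerated whenever the brand's own domains change, and a hit only raises a notification; confirming that a registration is hostile still needs a look at what the domain serves.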

With countermeasures on both the client and the server side, phishing attacks can be defended against at multiple levels, giving users better protection.

D. Watson (2005) carried out a study observing real phishing attacks in the wild using a honeynet. The study focuses on how attackers build, use and maintain their infrastructure on hacked systems. The report is based on data collected by the German Honeynet Project and the UK Honeynet Project. It does not cover all possible phishing methods or techniques, focusing instead on the following three techniques that were observed:

a. phishing through compromised web servers;
b. phishing through port redirection; and
c. phishing using botnets.

They also briefly describe how the observed attackers transfer the money they have stolen from victims' bank accounts. Their work provides some insight into how phishing attacks are implemented in reality.

The phishing attacks described so far all need to engage users actively via a communication channel. In-session phishing, a more recently reported type of attack, operates in a more passive mode and yet is still very effective. It exploits users' habit of opening multiple web pages at the same time. It can succeed if the user is logged into one of the websites the phisher wishes to impersonate and has also opened a page from a compromised website. On the compromised website the attacker plants malicious code that identifies which website the victim is currently logged on to; the code then presents a dialogue box asking the user to retype their username and password because the session has expired, to complete a customer satisfaction survey, to participate in a promotion, and so on. Since the user recently logged on to the targeted website, they are unlikely to suspect that this pop-up is fraudulent and are likely to provide the requested details.

Identifying which website a user is currently logged on to can be the harder part. Grossman et al. (2006) describe a method to detect the authentication state by loading images that are only accessible to logged-in users. Other methods achieve the same by exploiting vulnerabilities within web browsers, but those methods are not general.

Phishing attacks achieve their goals when users have been deceived into carrying out certain actions. It is certainly against users' interests to satisfy attackers' goals, yet they still decide to do so. If human behavior can be understood as a purposeful attempt to achieve well-being, why would phishing victims make such decisions?

Bounded rationality is the decision-making theory proposed by Simon (2006). Simon suggested that decision-makers arrive at their decisions by rationally applying the information and resources that are easily available to them, with the consequence that satisfactory rather than optimal decisions result.

Bounded rationality theory is of great value for understanding why users make certain decisions during their interactions with phishing attacks. It recognizes that in practice rational decisions are often impossible and that users' rationality is limited by the information available to them; in a phishing attack, the user's rationality may be strongly limited by the information presented at the user interface. It also recognizes that the time available to decision makers and their own cognitive ability are limiting factors, and in Simon's theory the cost of gathering and processing information also greatly influences the rationality of a decision. It would be interesting to apply the principles of bounded rationality to understand victims' decision making during interactions with phishing attacks.

Dhamija, Fischer, Ozment and Schechter (2007) evaluated website authentication measures designed to protect users from phishing attacks. 67 bank customers were asked to conduct common online banking tasks. Each time they logged in, they were presented with increasingly alarming clues that their connection was insecure. First, the HTTPS indicators were removed; second, the participant's site-authentication image (the customer-selected image that many websites now expect their users to verify before entering their passwords) was removed; finally, the bank's password-entry page was replaced with a warning page. After each clue, the researchers checked whether participants entered their passwords or withheld them. The researchers also investigated how a study's design affects participant behavior: they asked some participants to play specially created user roles and others to use their own accounts and passwords. Their major findings are:

a. users will enter their passwords even when HTTPS indicators are absent;
b. users will enter their passwords even if site-authentication images are absent;
c. site-authentication images may cause users to disregard other important security indicators; and
d. role-playing participants behaved significantly less securely than those using their own passwords.

Again, because of the experimental conditions, the ineffectiveness of the security indicators may be overestimated. F. Cranor, S. Egelman and J. Hong (2008) examined the effectiveness of web browsers' phishing warnings and whether, how and why they fail users. In their study they used a spear phishing attack to expose users to browser warnings. 97% of the sixty participants fell for at least one of the phishing messages sent to them; 79% of participants paid attention to an active warning, whereas only one participant noticed a passive warning. The authors also applied the C-HIP model (Figure 2.3) from the warning sciences to analyze how users perceive warning messages, and suggest:

a. Interrupting the primary task: phishing indicators need to be designed to interrupt the user's task;
b. Providing clear choices: phishing indicators need to provide the user with clear options on how to proceed, rather than simply displaying a block of text;
c. Failing safely: phishing indicators must be designed such that one can only proceed to the phishing website after reading the warning message;
d. Preventing habituation: phishing indicators need to be distinguishable from less serious warnings and used only when there is a clear danger; and
e. Altering the phishing website: phishing indicators need to distort the look and feel of the website such that the user does not place trust in it.

The suggestions made by Cranor, Egelman and Hong (2008) are very useful indeed. However, their claim about spear phishing could be made more convincing if the study had included a wider range of spear phishing attacks; otherwise one could argue that the results are biased by the small number of attack incidents used, or by the sophistication of the attacks used in the study.

Johnston (2011) studied what makes phishing emails and web pages appear authentic. Elsewhere, Jakobsson comprehensively summarized what typical computer users are able to detect when they are carefully watching for signs of phishing. The findings are:
a. spelling and design matter;
b. third-party endorsements depend on brand recognition;
c. too much emphasis on security can backfire;
d. people look at URLs;
e. people judge relevance before authenticity;
f. emails are very phishy, web pages are a bit phishy, and phone calls are not;
g. padlock icons have limited direct effects; and
h. independent communication channels create trust.

These outcomes provide some comfort and yet are also a source of considerable worry, highlighting various opportunities and means of attack. That people look at URLs is a good thing; however, the reason why users look at URLs is not stated, and the degree of attention they pay to them is unclear. The padlock would generally be viewed by many as a significant security mechanism; not by users, it would appear. The outcome related to media and channels highlights the fact that phishers make highly effective channel choices.

T. Jagatic, M. Jakobsson, N. Johnson and F. Menczer (2007) have shown how publicly available personal information from social networks (such as Friendster, Myspace, Facebook, Orkut and LinkedIn) can be used to launch effective context-aware phishing attacks. In their study they first determined a victim's social network and then masqueraded as one of the victim's contacts in an email to the victim (using email header spoofing techniques). The study showed not only that it is very easy to exploit the social network data available on the Internet, but also that doing so increases the effectiveness of the attack significantly: in their experiment, attacks that took advantage of social networks were four times as likely to succeed.

Garfinkel, Miller and Wu (2006) discovered, by conducting two user studies, that security tools such as security toolbars are not effective enough to protect people from falling victim to phishing attacks. Features of five toolbars were grouped into three simulated toolbars: the Neutral Information toolbar, the SSL-Verification toolbar, and the System-Decision toolbar.

In the user study the researchers set up dummy accounts in the name of "John Smith" at various legitimate e-commerce websites and asked the participants to protect those passwords. The participants played the role of John Smith's personal assistant and were given a printout of John's profile, including his fictitious personal and financial information and a list of his user names and passwords. The task was to process 20 email messages, most of which were requests by John to handle a forwarded message from an e-commerce site. Each message contained a link for the user to click, and some of the messages were carefully prepared phishing attacks. The researchers then studied the participants' responses when using the various toolbars.

Most participants fell victim to the phishing attacks. Based on their findings, the authors suggest that:

a. the alert should always appear at the right time with the right warning message;
b. user intentions should be respected, and if users must make security-critical decisions they should make them consciously; and
c. it is best to integrate security concerns into the critical path of users' tasks so that they must address them.

The user study set up by Garfinkel, Miller and Wu (2006) may have led users to behave less securely, because the accounts used were artificial and there were no negative consequences for the participants. Under those conditions users may behave differently than they normally do with their own accounts.

CHAPTER III
Analysis and Findings

I.
One of the primary threats from phishing is identity theft. Consumers go to great lengths to protect their personal information, but a single security breach can expose a person to a multitude of threats, including credit card fraud, damaged credit, having an identity used for criminal activity, stolen bank information, unauthorized use of accounts (online and otherwise), or stolen money. There are also intangible threats, such as damage to credibility, loss of trust, or embarrassment; having personal information stolen can cost a great deal more than lost cash. According to the Identity Theft Resource Center, the average time spent repairing the damage caused by a stolen identity is approximately 600 hours, and it can take years to recover completely. For consumers this means lost salary, lost time, frustration, stress and embarrassment, not to mention a sense of being violated.

Phishing is not a small-time operation. Phishing is a business, and billions of dollars are being made by criminals while consumers and businesses are left to suffer the consequences. There are organized gangs of phishers all over the world, primarily in Eastern Europe, Asia, Africa and the Middle East, using sophisticated and elaborate schemes to steal personal information, and phishing is also used extensively by organized crime groups. There is a great deal of money at stake: if a gang can steal bank account information from only a small percentage of those who get duped, thousands or possibly millions of dollars can be stolen. A recent article in Consumer Reports, based on its State of the Net survey, stated that online consumers who fell prey to phishing schemes experienced a five-fold increase in financial losses since 2005. Recently, a major Swedish bank lost over $1 million from a phishing attack that targeted the bank's customers. Another attack, on E-Trade, used stolen identities acquired from a hacked computer to carry out a pump-and-dump scheme, in which the criminals drove up the prices of low-priced stocks through high-volume purchases and then sold those shares at a profit. The cost of the fraud: close to $18 million. Ameritrade had a similar incident, losing close to $4 million.

This is a very real threat, not only to consumers but also to the companies that are targets of these scams and, moreover, to the entire worldwide financial system. Terrorists are known to use phishing and other identity theft scams to gain employment, obtain fake identification as cover for attacks, and finance their activities. For example, an Al-Qaeda group in Spain used stolen credit cards to set up their crimes and make purchases for the group; they also used stolen calling cards for communications. Companies whose brands are hijacked (used fraudulently) are exposed to all manner of losses. They can lose money in the form of stolen cash, lost productivity and reimbursements to customers, or they may lose customers who believe the company is to blame for not protecting them, no matter how unfounded this may be. Scams erode consumer confidence in the companies targeted, particularly high-profile ones, leaving the company with public-relations troubles and a real possibility that its brand becomes irrevocably tarnished. Legal action is increasingly being pursued against companies for losses by customers who become victims of phishing; whether or not the litigation is successful, the damage to the company's image and the cost of legal fees can be substantial. Some companies offer complete compensation to customers whose accounts are abused. While this may be a good customer-relations tactic, with phishing attacks on the rise it could cost a great deal for a high-profile company such as Amazon.com or Bank of America, particularly if there are a substantial number of claims.

Phishing attacks rely upon a mix of technical deceit and social engineering. In the majority of cases the phisher must persuade the victim to perform, deliberately, a series of actions that will provide access to confidential information.

Communication channels such as e-mail, web pages, IRC and instant messaging services are popular. In all cases the phisher must impersonate a trusted source (such as the helpdesk of the victim's bank, or an automated support response from their favorite online retailer) for the victim to believe. In 2007, the most successful phishing attacks continued to be initiated via e-mail, with the phisher impersonating the sending authority (for example by spoofing the source email address and embedding appropriate corporate logos in the e-mail). For example, the victim receives an e-mail supposedly from support@mybank.com (the address is spoofed) with the subject line "security update", requesting them to follow the URL www.mybankvalidate.info (a domain name that belongs to the attacker, not the bank) and provide their banking PIN. The phisher has many other methods of social engineering victims into surrendering confidential information. In the real example below, the e-mail recipient is likely to have believed that their banking information has been used by someone else to purchase unauthorized services. The victim would then try to contact the email sender to report the mistake and cancel the transaction. Depending on the specifics of the scam, the phisher would ask the recipient (or provide a "secure" online web page) to type in their confidential details (address, credit card number and security code, etc.) in order to reverse the transaction. This verifies that the e-mail address is live (and the address may then be sold on to other spammers) and also captures enough information to complete a real transaction.

II.
Internet usage is growing dramatically, but the vast majority of Internet users have no security background. Nor do a large majority of companies care about information security or about the severity of an attack that could harm their valuable assets; they do not give their employees security awareness sessions either. For these reasons humans are the weakest link in the information security chain. On the other hand, most information security penetration testers focus only on client and server exploits (how to gain a shell on a server by interacting with the server directly). They do not focus on how to exploit the weakest link in the chain, the humans, where the attacker obtains a shell by luring the victim into running it for them on their own machine using social engineering techniques.

Clone phishing is a type of phishing attack in which the attacker clones a website that the victim usually visits. The cloned website asks for login credentials, mimicking the real website, which allows the attacker to save the credentials in a text file or database record on his own server; the attacker then redirects the victim to the real website as an authenticated user. The same idea is applied to email: the phisher takes a legitimate, previously delivered email containing an attachment or link, along with its content and recipient addresses, and uses it to create an almost identical, cloned email. Instead of the original attachment or link, the attacker substitutes a malicious version and sends the message from an email address spoofed to appear to come from the original sender. The email may claim to be a re-send of the original or an updated version, as a trapping strategy. Phishing has spread beyond email to include VoIP, SMS, instant messaging, social networking sites, and even multiplayer games.

A spear phishing email usually includes a link that leads to a spoofed, or fake, web site that requests personal information. It all looks very legitimate, and sometimes even the experts are fooled by spear phishing emails. When the recipient clicks through the link they are taken to a page that looks so legitimate it can be hard for even seasoned security professionals to tell it is a setup. Other spear phishing emails contain a downloadable file. They are just as convincing, often appearing to come from an employer or someone else equally legitimate, but the file contains malware of some kind that, once downloaded, collects the victim's personal information and transmits it to the criminal when the victim is online. Spear phishing is a difficult scam to catch because the criminals who use this method put extra time and effort into the process: it requires research to gather enough information to make the victim believe the spear phishing email is real, and it takes time to put together the web sites and messages used as bait. The pay-off, however, is usually much greater than the reward of a simple phishing attack. Spear phishing continues to be a favored means for APT attackers to infiltrate target networks. In a typical spear phishing attack, a specially crafted email is sent to specific individuals in a target organization. The recipients are convinced through clever and relevant social engineering to either download a malicious file attachment or click a link to a malware- or exploit-laden site, starting the compromise. While spear phishing may be a timeworn technique, it continues to be effective even in today's Web 2.0 landscape. In 2011, the security firm RSA suffered a breach via a targeted attack.
Analysis revealed that the compromise began with the opening of a spear phishing email. That same year, the email service provider Epsilon also fell prey to a spear phishing attack that caused the organization an estimated US$4 billion in losses. In this category the phisher targets a specific group: instead of sending thousands of emails at random, spear phishers target a selected group of people with something in common. Spear phishing is also used against high-level targets, in a type of attack called whaling.

The mobile phone has become an essential instrument of daily life. The smartphone makes our daily business and social activities even smoother, since we can use network- or Internet-based applications from the phone. Whenever we use a networked application, there is a risk of attack on our private or personal network-based resources, and various surveys show that phishing is one of the most popular attacks used today to steal personal information. This section identifies aspects of phishing on mobile phones and the prevention mechanisms that can protect our personal information and resources. Mobile technologies are opening new ways of communication between people, businesses and governments, offering greater access to data and information for the basic services each of them uses in their daily operations. No other technology has reached the hands of so many people in the world, which is one reason behind the rapid growth of mobile technology; the cost of a basic handset and of the services provided by telecom operators has also fallen a great deal.

Another type of phishing uses messages that claim to be from a bank and ask users to dial a phone number about problems with their bank accounts. Traditional phone equipment uses dedicated lines, so Voice over IP, being easy to manipulate, is the phisher's channel of choice. Once the phone number, owned by the phisher and provided by a VoIP service, is dialed, voice prompts tell the caller to enter her account numbers and PIN. Caller ID spoofing, which is not prohibited by law, can be used alongside this so that the call appears to come from a trusted source.


III.

Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it was actually sent from another. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords). Examples include email claiming to be from a system administrator, requesting that users change their passwords to a specified string and threatening to suspend their accounts if they do not, and email claiming to be from a person in authority, requesting that users send a copy of a password file or other sensitive information. Email spoofing is a common phishing technique in which a phisher sends spoofed emails, with the sender address and other parts of the email header altered, in order to deceive recipients. Spoofed emails usually appear to be from a website or financial institution that the recipient may have business with, so that an unsuspecting recipient would probably take the actions instructed by the email contents, such as replying to the email with their credit card number; clicking on a link labelled "view my statement" and entering a password when the (forged) website prompts for it; or opening an attached PDF form and entering confidential information into it.
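The header inconsistencies a mail gateway or an analyst can look for in messages of the kind just described, as an added example (this is not code from the paper or from any product it mentions). The two sample messages, the `examplebank.com` brand and the `protected_domains` allow-list are constructed for illustration; the three checks (Return-Path alignment, a diverted Reply-To, and a brand name in the display name that the address does not belong to) are this example's own choice of indicators.

```python
"""Flag e-mail header inconsistencies typical of spoofed messages (added example)."""
import email
from email.utils import parseaddr


def _domain(header_value):
    """Lower-cased domain of an address header ('' if there is no address)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _under(host, domain):
    """True if host is the domain itself or a sub-domain of it."""
    return host == domain or host.endswith("." + domain)


def spoofing_indicators(raw_message, protected_domains):
    """Return a list of human-readable indicators found in a raw RFC 5322 message.

    protected_domains: hypothetical allow-list of domains the impersonated
    brand really sends from (e.g. ["examplebank.com"]).
    """
    msg = email.message_from_string(raw_message)
    findings = []
    from_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    return_dom = _domain(msg.get("Return-Path"))

    # 1. The envelope sender (Return-Path) normally aligns with the From domain;
    #    a mismatch means the bounce identity differs from the displayed one.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")

    # 2. A Reply-To elsewhere diverts the victim's answer (and any data in it) to the phisher.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Display name carries a protected brand while the address is not under that brand's domain.
    for dom in protected_domains:
        brand = dom.split(".")[0]
        if brand in from_name.lower().replace(" ", "") and not _under(from_dom, dom):
            findings.append(f"display name '{from_name}' names {brand} but address is at {from_dom}")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
Return-Path: <bounce@mail-updates.example.net>
From: "ExampleBank Security" <alerts@examplebank.com.example.net>
Reply-To: <verify@examplebank-support.example.org>
To: <customer@example.com>
Subject: Please update your information at your bank!

Please log in at http://examplebank.com.example.net/login to keep your account active.
"""

LEGIT = """\
Return-Path: <bounce@examplebank.com>
From: "ExampleBank Security" <alerts@examplebank.com>
To: <customer@example.com>
Subject: Your monthly statement is ready

Log in to examplebank.com to view your statement.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoofing_indicators(raw, ["examplebank.com"]))
```

The spoofed sample trips all three checks; the legitimate one trips none. In practice these checks sit beside SPF/DKIM/DMARC evaluation rather than replacing it, since a phisher who controls the sending domain can make Return-Path and From agree.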

Web spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine, and to observe all information the victim enters into forms. Web spoofing works on both of the major browsers and is not prevented by "secure" connections: the attacker can observe and modify all web pages and form submissions even when the browser's "secure connection" indicator is lit, and the user sees no indication that anything is wrong. The attack is implemented using JavaScript and web server plug-ins, and works in two parts. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then the attacker causes all web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any action taken by the victim (such as clicking on a link) is logged by the attacker. In addition, any attempt by the victim to load a new page causes the newly loaded page to be routed through the attacker's server as well, so the attack continues on the new page. The attack is initiated when the victim visits a malicious web page or receives a malicious email message (if the victim uses an HTML-enabled email reader). We have implemented a demonstration of the web spoofing attack and have shown the demo live at the Internet World conference and on MSNBC television. Although the implementation is not trivial, it is well within the means of a single dedicated programmer. Current browsers do not prevent web spoofing, and there seems to be little movement toward addressing this problem. We believe that there can be no secure electronic commerce on the Web until the web spoofing vulnerability has been addressed. Many false claims have been made about web spoofing, and some people who make public statements about it do not understand the full scope of the problem. If you want to understand web spoofing, please read our paper on the topic; we worked hard to make it accessible to non-experts.

Pharming is similar to phishing but more sophisticated. Pharmers also send emails, but the consumer can be duped by the pharmer without even opening an email attachment: the consumer compromises his personal financial information simply by opening the email message. The pharming email contains a virus (or Trojan horse) that installs a small software program on the user's computer. Subsequently, when the consumer tries to visit an official web site, the pharmer's program redirects the browser to the pharmer's fake version of the site.

In this way the pharmer is able to capture the personal financial information that the consumer enters into the counterfeit web site, and the consumer's account is again compromised. The latest form of pharming does not require email at all. Password-stealing Trojan horses can attack through Microsoft Messenger, where keyloggers are run. Keyloggers are viruses that track a user's keystrokes on legitimate sites and steal passwords, allowing a thief to use the consumer's password for future fraudulent transactions.
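One defender-side check for the redirection the pharming paragraphs describe, as an added example (not from the paper). The paper says only that the installed program redirects the browser; this example assumes one common mechanism, an edited hosts file, and scans its contents for protected bank domains mapped to non-local addresses. The hosts text, the `examplebank.com` domain and the addresses (from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are constructed.

```python
"""Detect hosts-file entries that redirect protected domains (added example)."""
import ipaddress


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file syntax, skipping comments and junk lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not an address: ignore the line
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")


def hijacked_entries(hosts_text, protected_domains):
    """Return (hostname, ip) for protected domains mapped to a non-local address.

    Loopback and unspecified addresses are skipped: "127.0.0.1 localhost" is
    normal, and ad-blocking lists legitimately map names to 0.0.0.0.
    """
    hits = []
    for addr, name in parse_hosts(hosts_text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        if any(name == d or name.endswith("." + d) for d in protected_domains):
            hits.append((name, str(addr)))
    return hits


# Constructed hosts file contents (not taken from a real machine).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example.org            # ad-blocking style entry, benign
# Entries a pharming Trojan might have appended
198.51.100.23   www.examplebank.com examplebank.com
203.0.113.7     login.examplebank.com
not-an-address  garbage
"""

if __name__ == "__main__":
    for name, ip in hijacked_entries(SAMPLE_HOSTS, ["examplebank.com"]):
        print(f"{name} is being sent to {ip}")
```

On Windows the file lives at C:\Windows\System32\drivers\etc\hosts and on Unix-like systems at /etc/hosts; the function takes the file's text so it can also be run over copies collected from many machines. It only catches the hosts-file variant; a Trojan that changes the configured DNS resolver or patches the browser needs different checks.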


Phishing takes place when someone masquerades as someone else, often with a fake website, to trick you into sharing personal information. (It's called phishing because the bad guys throw out electronic bait and wait for someone to bite.) In a typical phishing scam, the attacker sends an email that looks like it's from a bank or a familiar web service you use. The subject line might say, "Please update your information at your bank!" The email contains phishing links that look like they go to your bank's website but really take you to an impostor website. There you're asked to log in, and you inadvertently reveal your bank account number, credit card numbers, passwords, or other sensitive information to the bad guys. Malware, on the other hand, is malicious software installed on your machine, usually without your knowledge. You may be asked to download anti-virus software that is actually a virus itself, or you may visit a page that installs software on your computer without even asking. The software is really designed to steal credit card numbers or passwords from your computer or, in some cases, to harm your computer. Once the malware is on your computer, it is not only difficult to remove but also free to access all the data and files it finds, send that information elsewhere, and generally wreak havoc on your computer.


IV.
A typical phishing attack is launched using spam e-mail messages, usually sent to thousands or even millions of e-mail addresses. The e-mails are forged with a From or Reply-To address that makes them appear to be from a reputable or trusted source, such as a bank or credit card company. The messages are often sent in Hyper-Text Markup Language (HTML) format (as opposed to text-only) and may use logos, URLs, legal disclaimers, etc., taken from the spoofed company's website. This makes the attack all the more insidious, since the average user may not question an e-mail that appears to be from his or her bank and carries that bank's logo. Phishers play the odds when sending their mass mailings: of the thousands of messages sent, only a small percentage of recipients may actually be customers of the spoofed company. For instance, if the phisher has spoofed PayPal, an online payment company, the number of e-mails that reach actual PayPal customers who then fall for the scheme might be relatively small; however, it is estimated that around five percent of the phishing e-mails sent are actually successful. This can result in quite hefty profits for the scammers. There have been many different variations of phishing scams, but the e-mail messages are usually structured to prey, ironically, on the computer user's fear of being a victim of fraud or hacking, or may be a message stating that the company needs to update its records. If the victim follows the link, their browser is directed to an address that might look very similar to the one they would expect. This is another ploy used by phishers: registering domain names with similar-looking addresses or using character replacement (the number 1 for the lowercase letter L, for example) to disguise the fake address. Many people can be fooled, since they may not notice the difference.
The URL can also be displayed within the e-mail as the actual legitimate address (e.g., www.aol.com) while another web address, the phony phisher address, has been embedded using deceptive techniques (explained earlier). The victim may be taken to a web site that looks identical to their bank's, or eBay's, or AOL's, with the same icons, graphics and text. The fraudulent site is set up to display an interface for the user to enter his or her information, thinking they are entering it at the company's web site. Some of the more well-known and publicized phishing scams involve high-profile sites such as eBay and PayPal. Scammers use company logos and designs to make the messages look legitimate. The message may tell the user that money needs to be transferred or that their account is out of date and needs to be modified. When the user follows the link, they are taken to what they believe to be the legitimate web site and are asked to enter personal information, such as their bank account or social security number. The scammers capture this information and use it to steal the victim's identity or to fraudulently use their accounts.
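The two link tricks described in this section (visible text that shows the legitimate address while the link goes elsewhere, and look-alike hosts built by character replacement or by burying the brand name in an unrelated domain) can be checked mechanically. The following is an added example, not code from the paper: the HTML body, the `examplebank.com` brand and the `protected_domains` list are constructed, and the substitution table goes beyond the paper's single "1 for l" case with a few further pairs of this example's own choosing.

```python
"""Find deceptive links in an HTML e-mail body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Character substitutions used to build look-alike host names. The paper
# mentions '1' for 'l'; the other pairs are this example's own additions.
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'www.example.com' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, protected_domains):
    """Return (href, reason) pairs for links whose target does not match what the victim sees."""
    parser = _Anchors()
    parser.feed(html_body)
    findings = []
    for href, text in parser.found:
        target = host_of(href)
        # (a) Link text that looks like an address but points to a different host.
        if "." in text and " " not in text and host_of(text) != target:
            findings.append((href, f"text shows {host_of(text)} but link goes to {target}"))
        # (b) Target imitates a protected brand: character substitution, or the
        #     brand name buried in an unrelated host such as brand.com.evil.example.
        for dom in protected_domains:
            if _under(target, dom):
                break                      # genuinely the protected site
            if _under(target.translate(LOOKALIKE), dom) or dom.split(".")[0] in target:
                findings.append((href, f"host {target} imitates {dom}"))
                break
    return findings


# Constructed HTML e-mail body (not a real message).
SAMPLE_HTML = """
<p>Please <a href="http://www.examplebank.com.account-verify.example.net/login">update your information</a> today.</p>
<p>Or visit <a href="http://examp1ebank.com/">www.examplebank.com</a> directly.</p>
<p>Questions? See our <a href="https://www.examplebank.com/help">Help center</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML, ["examplebank.com"]):
        print(f"{href}: {reason}")
```

The first link is flagged because the brand sits in front of an unrelated domain, the second both because its text and target disagree and because `examp1ebank.com` normalises to the protected name, and the genuine help link is left alone. Check (b) will also flag legitimate third parties whose host merely contains the brand word, so in a gateway it belongs at scoring rather than blocking strength.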

CHAPTER IV

Results and Discussions

Phishing scams can pose a significant threat to consumers and the companies they deal with. The number of online scams has increased significantly, and the techniques criminals employ have become more and more sophisticated. These and other online cons show little sign of slowing. On the contrary, scams are on the rise, and companies and individuals need to be aware of the consequences. There is no magic bullet or pixie dust that can make these threats go away. No single technology can keep fraudsters at bay and keep our personal information completely safe. There are ways to make the crimes more difficult to accomplish, but a well-crafted phishing attack has a significant chance of success. More will have to be done to stop the spread of these attacks and to make them unprofitable and less appealing for would-be phishers. More research and development of anti-fraud technologies, more education of computer users, and aggressive prosecution of the criminals who commit these crimes will go a long way toward curbing the threat, but on their own these measures will most likely have little impact on the number of schemes. Consumers need to become better educated about online threats and vulnerabilities. Companies need to make sure that online fraud and scams are reported and that their customers are kept apprised of scams that may affect them. The security community needs to find new ways to make e-mail and online commerce as bullet-proof as they can possibly be. This is a monumental task, but there are a great number of extremely talented people with many brilliant ideas out there. If something is not done, the way we do business online will change, and almost certainly not for the better. For most purposes, an online consumer is only a number transacting over the Internet. The Internet consumer should actively protect the confidentiality of his or her online identity in order to prevent identity theft.
Online consumers need to learn how to prevent and cope with fraudulent Internet activity aimed at extracting personal details for the financial benefit of phishers. A consumer should be able to recognize the signs of a possible phishing attack and know how to react to a phishing e-mail message that he or she receives. By considering the various aspects covered, and by applying the precautionary measures suggested in this article, the Internet consumer will significantly reduce his or her chances of falling prey to phishing attacks. The actions recommended in this article to Internet consumers who have responded to phishing messages should also assist in minimizing the negative effects that might otherwise be suffered as a result of phishing. Phishing has become a serious network security problem, causing financial losses of billions of dollars to both consumers and e-commerce companies. Perhaps more fundamentally, phishing has made e-commerce distrusted and less attractive to ordinary consumers. In this paper we have studied the characteristics of the hyperlinks embedded in phishing e-mails. Predicting phishing websites is essential, and this can be done using neural networks. Earlier work on the prediction of phishing websites used various data mining classification algorithms, but the error rates of those algorithms were very high. When an element of a neural network fails, the network can continue without any problem because of its parallel nature. Performance can thus be improved by using neural networks, as they reduce the error and give better classification. We believe that this framework works better and gives a lower error rate.
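The paper states that phishing websites can be predicted with neural networks but shows no model. The following added example (not the paper's framework, whose features and architecture are not given) shows the smallest possible instance: a single artificial neuron (a perceptron) trained on binary lexical features of the URL, several of which come straight from the attack descriptions in this paper (an IP address in place of a host name, a long chain of sub-domains, bait words such as "login" in the host, a brand name pushed into a deceptive position). The training URLs, their labels, the feature list and the `BAIT_WORDS` are constructed for the demonstration.

```python
"""Single-neuron (perceptron) classifier over lexical URL features (added example)."""
import re
from urllib.parse import urlparse

BAIT_WORDS = ("login", "verify", "update", "secure", "account")


def url_features(url):
    """Binary lexical features of a URL; element 0 is the constant bias input."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return [
        1.0,
        1.0 if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else 0.0,   # raw IP address as host
        1.0 if "@" in url else 0.0,                                      # user-info trick hides the real host
        1.0 if host.count(".") >= 3 else 0.0,                            # long chain of sub-domains
        1.0 if host.count("-") >= 2 else 0.0,                            # hyphen-heavy host
        1.0 if len(url) > 75 else 0.0,                                   # unusually long URL
        1.0 if any(w in host for w in BAIT_WORDS) else 0.0,              # bait words inside the host
    ]


class Perceptron:
    """One artificial neuron with a step activation, trained by the perceptron rule."""

    def __init__(self, n_inputs, lr=0.5):
        self.w = [0.0] * n_inputs
        self.lr = lr

    def predict(self, x):
        return 1 if sum(wi * xi for wi, xi in zip(self.w, x)) > 0 else 0

    def fit(self, X, y, epochs=100):
        for _ in range(epochs):
            mistakes = 0
            for xi, yi in zip(X, y):
                err = yi - self.predict(xi)
                if err:
                    mistakes += 1
                    self.w = [w + self.lr * err * v for w, v in zip(self.w, xi)]
            if mistakes == 0:        # converged on the training set
                break
        return self


# Constructed, hand-labelled training set (1 = phishing, 0 = legitimate).
TRAINING_URLS = [
    ("http://198.51.100.23/examplebank/login.php", 1),
    ("http://www.examplebank.com.account-verify.example.net/login", 1),
    ("http://examplebank.com@198.51.100.23/", 1),
    ("http://secure-examplebank-login.example.org/update?id=1234", 1),
    ("http://example.org/" + "a" * 80, 1),
    ("http://examplebank-verify.example.net/", 1),
    ("https://www.examplebank.com/", 0),
    ("https://www.example.com/news", 0),
    ("https://mail.example.org/", 0),
    ("https://shop.example.com/cart?item=42", 0),
]


def train_demo():
    """Train on the sample set; return the model and its training-set accuracy."""
    X = [url_features(u) for u, _ in TRAINING_URLS]
    y = [label for _, label in TRAINING_URLS]
    model = Perceptron(len(X[0])).fit(X, y)
    accuracy = sum(model.predict(x) == t for x, t in zip(X, y)) / len(y)
    return model, accuracy


if __name__ == "__main__":
    model, acc = train_demo()
    print("training accuracy:", acc, "weights:", [round(w, 2) for w in model.w])
```

Because the sample set is linearly separable, the perceptron rule is guaranteed to reach zero training mistakes; the learned weights can be read as how much each feature pushes a URL toward "phishing". A real deployment would use thousands of labelled URLs, held-out evaluation, and a multi-layer network, but the feature extraction step is the same in kind.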


CHAPTER V

Conclusion and Recommendation

Phishing started off as part of popular hacking culture. Now, as more organizations provide greater online access for their customers, professional criminals are successfully using phishing techniques to steal personal finances and conduct identity theft on a global scale. By understanding the tools and technologies phishers have in their arsenal, businesses and their customers can take a proactive stance in defending against future attacks. Organizations have within their grasp numerous techniques and processes that may be used to protect the trust and integrity of their customers' personal data. The points raised within this paper, and the solutions proposed, represent key steps in securing online services from fraudulent phishing attacks and also go a long way toward protecting against many other popular hacking or criminal attack vectors. By applying a multi-tiered approach to their security model (client-side, server-side and enterprise), organizations can easily manage their protection technologies against today's and tomorrow's threats without relying on proposed improvements in communication security that are unlikely to be adopted globally for many years to come. It is worth noting that phishers are getting smarter. Following trends in other online crimes, it is inevitable that future generations of phishing attacks will incorporate greater elements of context to become more effective and thus more dangerous for society. For instance, suppose a phisher were able to induce an interruption of service to a frequently used resource, e.g., by causing a victim's password to be locked through excessive authentication failures. The phisher could then notify the victim of a security threat. Such a message may be welcome or expected by the victim, who would then be easily induced into disclosing personal information. Phishing has become such a prevalent problem because of its huge profit margins, and the researcher believes it is here to stay.
In the absence of a single silver bullet to address the problem, phishers will increasingly rely on context to keep their yield from being lowered by improved countermeasures of the types mentioned above. We now know that social networks are an easy way to improve the effectiveness of attacks by a quantifiable amount. By anticipating this and other kinds of contextual phishing attacks, mitigating or preventative measures can be designed to limit the damage incurred.


II. Recommendation

Given the risk of phishing, how can individuals and organizations protect themselves? Though hard to implement, training the end user is perhaps the best protection mechanism. Sensing the gravity of the issue, more non-profit organizations and groups are joining hands to combat phishing scams. Legislation in particular needs attention in this matter, to define phishing explicitly and spell out phishing-specific penalties.

Phishing exploits human vulnerabilities, so technical solutions can only block some of the phishing web sites. It doesn't matter how many firewalls, encryption products, certificates, or two-factor authentication mechanisms an organization has if the person behind the keyboard falls for a phishing attack. A study on the effectiveness of several anti-phishing educational materials suggests that the materials reduced users' tendency to enter information into phishing web pages by 40%; however, some of the materials also slightly decreased participants' tendency to click on legitimate links. This leads to the belief that it is of paramount importance to find a new and efficient way of educating a large proportion of the population. The challenge lies in getting the user's attention for these security tips and advice. A few questions arise: Should we implement all these protection mechanisms, which complicate the user interface? Should we provide a better user experience at the cost of reduced security, or improve security at the cost of user inconvenience? Several recent surveys indicate that lack of security is leading to loss of customer confidence in Internet commerce. That means users want appropriate security controls in place even if it means carrying a password token or receiving their passwords by SMS. Today phishing is recognized by users as a real and potentially damaging threat. If appropriate anti-phishing controls are not put in place, chances are high that customers will switch to a more secure party to do business with. Education is a vital component of the battle against phishing as well as other online scams.


Based on the data gathered, the researcher drew up the following guidelines:

- Don't reply to e-mails asking you to confirm account information. Call the company, or log on to its web site, to confirm that the e-mail is legitimate.
- Review credit card and bank account statements for suspicious activity.
- Report suspicious activity.

Stop, Look, and Call

- Stop: Don't react to phisher ploys of upsetting or exciting information.
- Look: Look closely at the claims in the e-mail. Also look at the links and web addresses.
- Call: Call or e-mail the company in question to verify that the e-mail is legitimate.

Computer users should make an effort to keep abreast of computer security issues in the news, and use common sense when giving out information anywhere, online or otherwise. If an email (or a phone solicitor, a web site, etc.) asks for personal information, that should be an immediate red flag that something may not be legitimate and needs to be confirmed. Legitimate companies will generally not solicit personal information via e-mail. If personal information is requested via a web site, the user should make certain he or she is connected to the proper site and that the communications are encrypted.

Unfortunately, phishing usually involves social engineering tricks, and, thus, even the best defenses that a company might have in place to combat outside threats are sometimes useless against these types of attacks. Although education is likely the best defense against phishing scams, there are technologies that make phishing harder to accomplish. When implemented with a defense-in-depth approach, software and hardware can be installed to slow the phishers down.


These are possible defenses against phishers:

Two-factor Authentication - One of the more promising technologies to thwart phishing schemes involves two-factor authentication. This method uses a layered approach to validate a user's credentials, using two separate methods to verify the user. A two-factor authentication technique currently being offered uses one-time passwords that expire after a single use. These passwords are generated using an electronic key shared between the user and the bank. A login is authenticated not only by the user's credentials (username/one-time password) but also by the key that generates the password. If a password does happen to get stolen, it will not matter, since it expires after a single use.
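The one-time-password scheme this paragraph describes, worked through as an added example (not the paper's own code and not any bank's implementation). The paper only says the passwords come from a key shared between user and bank; this example assumes the HMAC-based scheme of RFC 4226 (HOTP) as the way that key becomes a six-digit password, and shows why a captured password is worthless: the bank side consumes the counter on success and refuses the same code again. `DEMO_SECRET` is the RFC's published test value, not a real key.

```python
"""HMAC-based one-time passwords (RFC 4226 HOTP) with replay rejection (added example)."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """Compute the HOTP value for a shared secret and an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Bank side: holds the shared key and the next counter it will accept.

    Because a counter is consumed once a code is accepted, a password captured
    by a phisher (or a keylogger) is worthless after the legitimate use.
    """

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.next_counter = 0         # first unused counter
        self.look_ahead = look_ahead  # tolerate a few codes generated but never submitted

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # this and every earlier counter are now burned
                return True
        return False


class Token:
    """Customer side: the device (or app) that generates the next password."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def next_code(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def login(verifier, password_ok, otp):
    """Two-factor decision: the static credential AND a fresh one-time password."""
    return password_ok and verifier.verify(otp)


# The RFC 4226 test secret (a published test value, not a real key).
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token, bank = Token(DEMO_SECRET), OtpVerifier(DEMO_SECRET)
    first = token.next_code()
    print("first login:", login(bank, True, first))      # accepted
    print("replayed code:", login(bank, True, first))    # rejected: counter already consumed
```

The look-ahead window is what lets a customer who pressed the token button a few times without logging in still authenticate; everything below the accepted counter is discarded, so an attacker holding an older captured code gains nothing. Note that this defends against replay of the password, not against a live relay in which the phishing site forwards the fresh code to the bank within the same session.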

Firewalls - There are e-mail firewall products that implement rules to block spam and phishing scams at the perimeter. These products offer heuristic rules that are updated as new phishing schemes are found. They not only block the spam; they also verify the IP addresses and web addresses of the e-mail source and compare them against known phishing sites. For larger organizations, this can be an effective defense against spam and phishing.

Anti-virus Technology - Though phishing scams are usually not considered a viral problem, if a user is infected with a worm that in turn installs a Trojan horse able to capture personal data, then anti-virus technologies are effective. Security best practices direct that all users should run an anti-virus product regardless of whether they are concerned about phishing or online fraud.

Security begins with establishing trust between a user and a web site. Digital certificates are a way to establish this trust in the form of an encrypted digital key system. A public and private key structure is established whereby a company has a private key, obtained from a Certificate Authority (CA), and a user who wishes to make.

Browser Enhancements - Recent versions of Microsoft Internet Explorer, Mozilla Firefox, Netscape, and Opera offer new security features aimed at controlling phishing attacks and other online fraud. Using databases of known phishing sites, the browsers can look up a site and warn the user of the danger. These features are certainly a step in the right direction, though they are not 100% accurate. Microsoft and the Mozilla Foundation have been at odds over how accurate their respective anti-phishing technologies are. If history is any indication, the phishers will most certainly try to find ways to defeat the browsers. Time will judge how effective these new browser technologies are.

These are the details the researcher can provide as the recommendations of this research.



CURRICULUM VITAE


Edmar G. Celeste
L6 B2 Samsung St., Doña Nicasia Subd., Brgy. Commonwealth, Quezon City

09128005654
celeste_edmar@yahoo.com / edmarck16@gmail.com

Personal Background
Gender: Male
Civil Status: Single
Birthday: June 16, 1995
Citizenship: Filipino
Religion: Roman Catholic

Educational Background
Tertiary Education:
Polytechnic University of the Philippines, Quezon City Campus, Bachelor of Science in Information Technology, 2011 - Present

Secondary Education:
North Fairview High School, North Fairview Subdivision, North Fairview, Q.C., 2007 - 2011

Elementary Education:
Fairview Elementary School, Fairlane St., Fairview, Q.C., 2001 - 2007
