PHISHING

A Seminar Report

Submitted in partial fulfillment of the requirements for

the award of the degree of

BACHELOR OF TECHNOLOGY
In

COMPUTER SCIENCE & ENGINEERING

From

JAWAHARLAL NEHRU TECHNOLOGICAL UNIVERSITY

HYDERABAD

By

S.Pranoy Rao (17C11A0568)

Under the guidance of

K.Vijay Kumar M.Tech
Assistant Professor

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

ANURAG ENGINEERING COLLEGE
AUTONOMOUS
(Affiliated to JNTU-Hyderabad & Approved by AICTE-New Delhi)
ANANTHAGIRI (V)& (M), SURYAPETA (Dt), TELANGANA -508206.
www.anurag.ac.in
2020-2021
 ANURAG ENGINEERING COLLEGE
AUTONOMOUS
(Affiliated to JNTU-Hyderabad & Approved by AICTE-New Delhi)
ANANTHAGIRI (V) (M), SURYAPETA (D), TELANGANA -508206.
Ph: 08683- 272555, 272456, 272454
www.anurag.ac.in

CERTIFICATE

This is to certify that the Technical Seminar titled “PHISHING” is a bonafide work
done by Mr. S.PRANOY RAO (17C11A0568), in partial fulfillment for the award of
Bachelor of Technology in Computer Science and Engineering of the Anurag Engineering
College (ANRK), Affiliated to JNTUH, Kodad, During the year 2020-2021.
This work has not been submitted for the award of any other degree/diploma of any
Institution/University.

(K.VIJAY KUMAR M.Tech) (Dr. M. MURUGESAN M.Tech, Ph.D.)

SUPERVISOR H.O.D., C.S.E
 ACKNOWLEDGEMENT

This report will certainly not be completed without due acknowledgements

paid to all those who helped us during this project work.

We express sincere thanks to our supervisor K.VIJAY KUMAR for

giving moral support, kind attention and valuable guidance throughout this work.

It is our privilege to thank Dr. M. MURUGESAN, Head of the

Department for his encouragement during the progress of this work.

We are thankful to both Teaching and non-teaching staff members of

CSE DEPARTMENT for their kind cooperation and all sorts of help in bringing out this
work successfully.

We derive great pleasure in expressing our sincere gratitude to the

principal Dr. M.V. SIVA PRASAD for his timely suggestions, which helped us to complete
this work successfully.

We are thankful to the ANURAG ENGINEERING COLLEGE for

providing required facilities during the work.

We would like to thank our parents and friends for being supportive all the
time, and we are very much obliged to them.

S.Pranoy Rao (17C11A0568)

PHISHING
 DECLARATION

I declare that the Technical seminar entitled “PHISHING” recorded

in this work does not form part of any other thesis on which a degree
has been awarded earlier. We further declare that the project work
report is based on our work carried out at “ANURAG
ENGINEERING COLLEGE (ANRK)”, Kodada in the final year of
my B.Tech course.

Date: 17C11A0568, S.Pranoy Rao

Place:
 INDEX

Abstract i

List of Figures ii

List of Acronyms ii

1. Introduction 1

2. Phishing Techniques 3

2.1 Link Manuipulation 3

2.2 Filter Evasion 5

2.3 Website Forgery 8

2.4 Phone Phising 8

3. Reasons of Phishing 11

4. Anti Phishing Techniques 12

4.1 Spam Filters 12

4.2 Anti Phishing Toolbars 13

4.3 Password Protection Mechanism 15

5 ANTI-PHISHING 18

5.1 Socail Responses 18

5.2 Techinical Responces 19

6 Advantages and Disadvantages of using Anti-Phishing 20

CONCLUSION 21

BIBLIOGRAPHY 22
 ABSTRACT

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text
message by someone posing as a legitimate institution to lure individuals into providing
sensitive data such as personally identifiable information, banking and credit card details, and
passwords.
The information is then used to access important accounts and can result in identity theft and
financial loss.

i
 List of Figures

Fig. No. Title Page No.

1.1 The simplified flow of information in phishing attack 2

2.1 An website which does not shows real address bar 8
2.2 How Phishing Attack can take place 9
4.1 Netcraft Anti-Phishing Toolbar 14

ii
 ACRONYMS

URL -- Uniform Resource Locator

AOL -- American Online
SSL -- Secure Sockets Layer
TLS -- Transport Layer Security
HTML -- Hypertext Markup Language
HTTP -- Hypertext Transfer Protocol

iii
 Phishing

Chapter-1
INTRODUCTION
In the field of computer security, Phishing is the criminally fraudulent process of attempting to
acquire sensitive information such as usernames, passwords and credit card details, by
masquerading as a trustworthy entity in an electronic communication. Phishing is a fraudulent
email that attempts to get you to divulge personal data that can then be used for illegitimate
purposes. There are many variations on this scheme. It is possible to Phish for other information
in additions to usernames and passwords such as credit card numbers, bank account numbers,
social security numbers and mothers’ maiden names. Phishing presents direct risks through the use
of stolen credentials and indirect risk to institutions that conduct business on line through erosion
of customer confidence. The damage caused by Phishing ranges from denial of access to e-mail to
substantial financial loss. Phishing is the fraudulent attempt to obtain sensitive information or data,
such as usernames, passwords, credit card numbers, or other sensitive details by impersonating
oneself as a trustworthy entity in a digital communication. Typically carried out by email spoofing,
instant messaging, and text messaging, phishing often directs users to enter personal information
at a fake website which matches the look and feel of the legitimate site. As of 2020, phishing is by
far the most common attack performed by cyber-criminals, with the FBI's Internet Crime
Complaint Centre recording over twice as many incidents of phishing than any other type of
computer crime.

The first recorded use of the term "phishing" was in the cracking toolkit AOHell created by
Koceilah Rekouche in 1995, however it is possible that the term was used before this in a print
edition of the hacker magazine. The word is a leet speak variant of fishing, probably influenced by
phreaking, and alludes to the use of increasingly sophisticated lures to "fish" for users' sensitive
information.

Attempts to prevent or mitigate the impact of phishing incidents include legislation, user training,
public awareness, and technical security measures.

1
ANURAG ENGINEERING COLLEGE CSE
 Phishing

Fig 1.1

Fig 1.1 the simplified flow of information in a Phishing attack

1. A deceptive message is sent from the Phishers to the user.

2. A user provides confidential information to a Phishing server (normally after some interaction with the

server).

3. The Phishers obtains the confidential information from the server.

4. The confidential information is used to impersonate the user.

5. The Phishers obtains illicit monetary gain.

Steps 3 and 5 are of interest primarily to law enforcement personnel to identify and prosecute
Phishers. The discussion of technology countermeasures will center on ways to disrupt steps 1, 2
and 4, as well as related technologies outside the information flow proper.

2
ANURAG ENGINEERING COLLEGE CSE
 Phishing

Chapter-2

PHISHING TECHNIQUES

• Link manipulation
• Filter evasion
• Website forgery
• Phone phishing
2.1 LINK MANIPULATION
Scams improves, phishers have had to come up with inventive new ways of fooling individuals
into falling for their scams. One of the most common ways of doing this involves link
manipulation. Although sometimes tricky to spot, arming yourself with knowledge of these
techniques goes a long way in preventing yourself from falling for even the most sophisticated
scams.

What is link manipulation?

Link manipulation involves disguising the link of a fraudulent website in such a way that it appears
to be the link for the real website. This trick is central to many internet phishing scams.

Even basic phishing campaigns involve embedding the link to the fake website in an email which
is masquerading as an email from a legitimate company. The email includes a fake message crafted
by the hacker, urging the user to login to the account via the embedded link due to some unspecified
issue with their account. When the unsuspecting victim clicks this link, they are brought to a page
which asks them to input their login details as usual. By doing this, they unwittingly give their
login details to the fraudster, who can use them to commit fraud and identity theft.

Most Internet users are now aware of the signs of a phishing email — even those who are not
Internet-savvy know to look at website URLs to check if they are legitimate. However, as
consumers have become more aware, phishers have responded by becoming craftier in the way
they deceive people.

Here is an overview of some of the most common link manipulation techniques employed by
phishers attempting to fool their victims:

3
ANURAG ENGINEERING COLLEGE CSE
 Phishing

Hiding the URL

The scammer may simply hide the URL in the text of the email. The hypertext may be written so
that it looks like it is the legitimate website in question, but when it is clicked on, it brings the user
to another website masquerading as the real company. The user may reveal the actual fake URL
by hovering the mouse about the link, such that the real destination website appears in the popup
window.

However, some sophisticated scammers use JavaScript to place a picture of a legitimate URL over
a browser’s address bar. The URL revealed by hovering over an embedded link can also be
changed using JavaScript. This trick makes it difficult for even the savviest of users to distinguish
between real and fake sites.

Link shortening
Link shortening is a common way of directing victims to a malicious website. There are many
services online which perform this service, such as bit.ly or Tinyurl. Victims then have no way of
knowing if the shortened URL directs them to the legitimate website or one created by the phisher
until they follow the link.

URL Redirection
Another phishing tactic relies on a covert redirect or open URL redirection. This technique is where
an open redirect vulnerability fails to check that a redirected URL is pointing to a website which
may be trusted by the user. The redirected URL acts as a malicious intermediate which acquires
authentication information from the victim before forwarding the victim’s browser to the
legitimate site. This type of threat is rarer and only used by the most sophisticated of phishers.
Still, users should be aware of this technique.

The easiest way to avoid being a victim of phishing due to link manipulation is not to follow the
link embedded in an email. Instead, search for the website in question in a new tab, and log in
through that website. If there legitimately is something wrong with your account, you shall be
informed when you log in.

4
ANURAG ENGINEERING COLLEGE CSE
 Phishing

2.2 FILTER EVASION

Phishers have used images instead of text to make it harder for anti-Phishing filters to detect text
commonly used in Phishing e-mails. First, we must talk about vulnerabilities. We know that
vulnerabilities that are present in any kind of software can be exploited by accepting the right input
data, and parsing and executing it without checking it for malicious strings. Thus, vulnerabilities
are present in software products because the programmers are not checking for user input before
using the inputted data. So, it’s entirely the developer’s fault that a vulnerability exists. And once
a vulnerability is discovered by an attacker, it’s merely a matter of time before it is successfully
exploited. The packet filters are there to try to prevent the exploitation of the vulnerabilities, while
they do nothing to correct the actual vulnerabilities (the vulnerabilities are present in the software
product the whole time). Because of that, it’s often the case that filters and IDS/IPS systems are
present on the network. Usually, all the data flowing to the target system goes through filters,
which analyze the traffic flowing through it. This ensures that known signatures of bad traffic will
not be permitted to enter the network and harm the target system. Packet filtering and IDS/IPS
systems often provide just another layer of security we need to bypass if we want to attack the
target system. Remember the following: if a vulnerability exists, it can and will be exploited and
none of the packet filters can prevent that from happening; it merely complicates stuff to a level
where it’s no longer feasible for the attacker to try to break it, because it would be too time
consuming.

Common tactics that are used to evade filters are listed below:
Pattern Matching: Usually the packet filters use pattern matching to search the packet for known
strings in the packet data. This can be easily circumvented by the techniques listed here:

• Use different HTTP method: (HEAD instead of GET). The HEAD method is identical to
the GET method except that the GET method also returns the message body, while the
HEAD method does not.
• URL encoding: %xx • Double slashes: / becomes //
• Double encoding: If packet filter is blocking %27, we can encode it again, so the string
doesn’t encode the %27 substring anymore. If we double encode %27 we get %2527.
• Stripping: If packet filter is stripping invalid characters, like %27, we can bypass it by
using something like %%2727, which would leave exactly %27 after stripping the %27
substring.
• Reverse path traversal: /dir1/dir2/../ • Parameter hiding: %3f becomes ?
• Different whitespaces: %20 (space) becomes %09 (tab)

5
ANURAG ENGINEERING COLLEGE CSE
 Phishing

• Long URLs: GET /<long_random>/../dir/a.cgi

• Windows-style slashes: / becomes
• Null bytes: GET. This method effectively ends the string where the NULL byte is
encountered. If the string filename is being appended to some file extension (let’s say .aspx)
and if we can control the filename, we can effectively input filename.php, which will end
the string and request the filename.php file instead of one ending with .aspx (as it should).
• Different case sensitive letters: ‘ab’ becomes ‘AB’
– Character Encoding: All the characters can be represented by different strings. They can
be represented through URL encoding, Unicode encoding, HTML encoding, etc. With different
encodings we can change certain strings to represent the same encoded string. The new encoded
string can then bypass the packet filter, because it doesn’t contain any malicious strings, but is
decoded by the target application. In cases where the target application doesn’t decode the encoded
string, that string doesn’t represent the string equivalent.

– Session Splicing: We send parts of the request in different packets.”GET / HTTP/1.0″ is

split into multiple packets. This is not the same as IP fragmentation. IP fragmentation happens
automatically, because the whole packet can’t be sent over the wire because it’s too big; the routers
have to split the packet into multiple parts. Session Splicing is where we intentionally split the
payload over multiple packets to evade detection. The IDS/filters can still detect that with:
fragment reassembly, session reassembly and sending a RST to reset connection upon detection of
such activity. – Time Splicing: If the IDS/filter doesn’t look at a subsequent number of packets,
but rather waits some period of time to reassemble packets that were received in that time, we can
evade it by sending multiple packets with time intervals, so the previous packet is already accepted
and will not be joined with current packet to do inspection on. We need to send packets with time
delays between them.
– Fragmentation: Fragmentation happens when we split the whole packet into multiple parts
on a network layer (not only the application layer). Normally, IP fragmentation happens
automatically, because the packets are too big to send them on the wire (normally, the MTU –
Maximum Transmission Unit – is only 1500 bytes). But we can also divide the packets into smaller
chunks manually; those chunks can then be really small.
– Polymorphic Shellcode: Another option to avoid detection is polymorphic shellcode that
changes itself when being executed. It’s very hard to detect polymorphic shellcode as malicious,
because the packet filter must implement the complete language the shellcode is written in, to
execute it in sandbox and check whether it contains malicious data. If the polymorphic shellcode
is written in JavaScript, the packet filter must implement a JavaScript interpreter that is running in
sandbox to execute the JavaScript code and check whether it is doing something malicious. It’s
often out of the scope of a packet filter to implement all of the protocols, languages and other
formats to try to detect the malicious code.
– TTL Attacks: Whenever we want to use the TTL attack, we must know where the packet
filter and the target node are located in the target network. With that knowledge we can send

6
ANURAG ENGINEERING COLLEGE CSE
 Phishing

packets that will only reach the packet filter, resulting in a packet to be dropped (because the TTL
value has decreased to 0). But other packets have a big enough TTL value that are normally
forwarded to the target node. The problem arises when the packet filter also uses the dropped
packets to reconstruct the data stream. The reconstruction process then forms a new data stream
that doesn’t contain any malicious data, but because some packets are dropped, only other packets
are sent to the target node. Thus, the target node sees only some packets (with big enough TTL),
which when reconstructed hold the malicious data.
We also need to keep in mind that if the packet filters can’t effectively protect whatever they are
protecting, this is because the packet filters are interpreting the stream of data in some way, but the
protected application is interpreting it in another way. Such an example would be web servers that
tend to fix malformed requests, and there are modules to correct some URLs to specific documents
and paths, such as mod spelling. So, you can try to send “broken” requests hoping that the packet
filter will consider it harmless, but the web server will still interpret it correctly. This can be
summarized with one sentence: the target application doesn’t see the same as the packet filter.

7
ANURAG ENGINEERING COLLEGE CSE
 Phishing

2.3 WEBSITE FORGERY

Once a victim visits the Phishing website the deception is not over. Some Phishing scams use
JavaScript commands in order to alter the address bar. This is done

Fig 2.1 An website which does not shows real address bar
2.4 PHONE PHISHING
Messages that claimed to be from a bank told users to dial a phone number regarding problems
with their bank accounts. Once the phone number (owned by the Phishers) was dialed, prompts

8
ANURAG ENGINEERING COLLEGE CSE
 Phishing

told users to enter their account numbers and PIN. Vishing (voice Phishing) sometimes uses fake
caller-ID data to give the appearance that calls come from a trusted organization.

Fig 2.2 How phishing attack can take place

Most think “email” when they hear the word “phishing” but it is different on mobile. Mobile
phishing extends beyond email to SMS, MMS, messaging platforms, and social media apps.
Attacks are technically simple but novel in their approach. They seek to exploit human trust along
social networks using personal context. For example, a parent would click without hesitation on a
message saying their daughter has been in an accident at school.
Employees also find it easier to perform tasks on a mobile device than on a desktop. Depositing
checks via mobile banking app, for example, is simple, fast, and convenient, and there are many
other examples like this.
So, organizations must remain vigilant to keep pace with phishing threats that are increasingly
targeting mobile users. An Akamai study highlights the dynamic nature of phishing sites - of over

9
ANURAG ENGINEERING COLLEGE CSE
 Phishing

2 billion domains analyzed; nearly 89% of the domains commonly associated with malicious sites
had a life span of less than 24 hours. This emphasizes the need for advanced detection capabilities.
Historically, organizations have invested heavily in security solutions such as secure email
gateways, inbox scans, and end user training. Yet, these techniques remain too narrowly focused
on email and do not protect modern messaging, such as SMS, Slack, and Microsoft Instant
Messaging. Combating sophisticated phishing attacks on mobile is the new battleground as
attackers continue to employ sophisticated mobile phishing strategies.
The 5 most common mobile phishing tactics
There are several techniques that cybercriminals use to make their phishing attacks more effective
on mobile. Below are some of the more commonly used tactics that Lookout has observed in the
wild:
• URL padding is a technique that includes a real, legitimate domain within a larger URL
but pads it with hyphens to obscure the real destination. For example,
hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html
conceals the actual domain of the malicious site, rickytaylk, leaving only m.facebook.com
as visible in the address bar on the device. Note, that the ‘rickytaylk’ phishing site is a few
years old, no longer active, and only used here for example.
• Tiny URLs are shortened URLs that can be used by attackers to direct a user to malicious
content. Due to their abbreviated nature, they are well suited for SMS phishing attacks and
are often used in large scale ‘smishing’ attacks.
• Screen overlays enable an app to replicate the login page of a legitimate mobile app in
order to capture a user's authentication credentials. This type of attack is often deployed by
phishing scams and has shown to be highly effective and lucrative for hackers who are
targeting mobile banking and payment apps.
• Mobile verification refers to code that is embedded in phishing sites and is designed to
verify that the device accessing the link is a mobile device. This implies that the attacker
confirms that the target is mobile in order to deploy a mobile-specific attack.
• SMS spoofing using over-the-air (OTA) provisioning is a mobile phishing attack where
a bogus text message tricks a user into clicking a link. These messages often come in the
form of a system configuration update notification. If clicked, the link can trigger
interception of email or web traffic to and from Android phones.

10
ANURAG ENGINEERING COLLEGE CSE
 Phishing

Chapter-3

REASONS OF PHISHING

Let's consider some of the reasons people fall victim to Phishing scams.

TRUST OF AUTHORITY

When a Phishing email arrives marked as “High Priority” that threatens to close our bank account
unless we update our data immediately, it engages the same authority response mechanisms that
we've obeyed for millennia. In our modern culture, the old markers of authority – physical strength,
aggressiveness, ruthlessness – have largely given way to signs of economic power. “He's richer
than I am, so he must be a better man”. If you equate market capitalization with GDP then Bank
of America is the 28th most powerful country in the world. If you receive a personal email purported
to come from BOA questioning the validity of your account data, you will have a strong
compulsion to respond, and respond quickly.

TEXTUAL AND GRAPHIC PRESENTATION LACKS TRADITIONAL CLUES OF VALIDITY

The use of symbols laden with familiarity and repute lends legitimacy (or the illusion of legitimacy)
to information—whether accurate or fraudulent—that is placed on the imitating page. Deception
is possible because the symbols that represent a trusted company are no more 'real' than the
symbols that are reproduced for a fictitious company. Certain elements of dynamic web content
can be difficult to copy directly but are often easy enough to fake, especially when 100% accuracy
is not required. Email messages are usually easier to replicate than web pages since their elements
are predominately text or static HTML and associated images. Hyperlinks are easily subverted
since the visible tag does not have to match the URL that your click will actually redirect your
browser to. The link can look like http://bankofamerica.com/login but the URL could actually link
to http://bankofcrime.com/got_your_login Dept

11
ANURAG ENGINEERING COLLEGE CSE
 Phishing

Chapter-4

ANTI PHISHING TECHNIQUES

To counter the phishing threat, a number of anti-phishing solutions have been proposed, both by
industry and academic world. The anti-phishing techniques can in general be divided into three
categories. there are several methods to protect users from phishing attacks. But prevention is not
enough. We need detection measures to get early warning signals when a phishing attack is being
planned or is in progress. Before we get into detection measures let us look at the steps the attackers
do while executing a phishing attack.

As was outlined in the first part of this series, there are several methods to protect users from
phishing attacks. But prevention is not enough. We need detection measures to get early warning
signals when a phishing attack is being planned or is in progress. Before we get into detection
measures let us look at the steps the attackers do while executing a phishing attack.
1. Spam Filters

2. Anti-phishing tool bars and

3. Password protection mechanism

4.1 Spam Filters

A class of anti-phishing approaches aims to solve the phishing problem at the email level. The key
idea is that when a phishing email does not reach its victims, they cannot fall for the scam. Hence,
filters and content analysis techniques are often used to attempt to identify phishing emails before
these emails are delivered to users. Clearly, this line of research is closely related to anti-spam
research [10]. By continuously training filters (e.g., Bayesian filters), a large number of phishing
emails can be blocked. This is because such emails often contain words that may be identified as
suspicious tokens that do not frequently occur in legitimate emails (e.g., ―update ‖, ―login‖, etc.).
The main disadvantage of anti-spam techniques is that their success depends on the availability of
these filters and their proper training. That is, when the user does not actively help in training the
filter, the filter typically does not perform as expected. Furthermore, even when filters are trained

12
ANURAG ENGINEERING COLLEGE CSE
 Phishing

well and a user rarely receives any spam or phishing emails, once a phishing email bypasses the
filter, the user’s belief of the legitimacy of this mail is strengthened.

4.2 Anti-Phishing Toolbars

To identify a page as a phishing site, there are a variety of methods that can be used, such as white
lists (lists of known safe sites), blacklists (lists of known fraudulent sites), various heuristics to see
if a URL is similar to a well-known URL, and community ratings. The toolbars examined here
employ different combinations of these methods. By using publicly available information provided
on the toolbar download web sites as well as observations from using each toolbar we get a basic
understanding of how each toolbar functions. Some of the toolbars that are used for anti-phishing
are

1) eBay Toolbar

The eBay Toolbar uses a combination of heuristics and blacklists. The toolbar also gives users the
ability to report phishing sites, which will then be verified before being blacklisted.

2) GeoTrust Trust Watch Toolbar

GeoTrust’s web site provides no information about how Trust Watch determines if a site is
fraudulent; however, it is suspect that the company compiles a blacklist thatincludes sites reported
by users through a button provided on the toolbar.

3) Google Safe Browsing

Google provides the source code for the Safe Browsing feature and says that it checks URLs against
a blacklist

4) McAfee Site Advisor

Site Advisor claims to detect not just phishing websites, but any sites that send spam, offer
downloads containing spyware, or engage in other similar bad practices. The determination is made
by a combination of automated heuristics and manual verification.

5) Microsoft Phishing Filter in Windows Internet Explorer

13
ANURAG ENGINEERING COLLEGE CSE
 Phishing

This toolbar largely relies on a blacklist hosted by Microsoft. However, it also uses some heuristics
when it encounters a site that is not in the blacklist. Users also have the option of using this feature
to report suspected phishing sites

6) Net craft Anti-Phishing Toolbar

The Net craft toolbar also uses a blacklist, which consists of fraudulent sites identified by Net craft
as well as sites submitted by users and verified by the company. The toolbar also displays a risk
rating between one and ten as well as the hosting location of the site.

Fig 4.1 Netcraft Anti-Phishing Toolbar

7) Netscape Browser 8.1

It appears that the functionality of Netscape Browser relies solely on a blacklist, which is
maintained by AOL and updated frequently. When a suspected phishing site is encountered, the
user is redirected to a built-in warning page. Users are shown the original URL and are asked
whether or not they would like to proceed.

8) Spoofguard

Spoofguard does not use white lists or blacklists. Instead, the toolbar employs a series

of heuristics to identify phishing pages.

9) Anti Phish

14
ANURAG ENGINEERING COLLEGE CSE
 Phishing

Anti-Phish is an academic solution which keeps track of where sensitive information is being
submitted to.

10) Dynamic security skins

Dynamic security skins are also an academies solution which allow a remote server to prove its
identity in a way that is easy for humans to verify. Most of the tools that were tested used blacklists,
but only half of them were able to identify the majority of phishing web sites. We don’t know the
size of the blacklists used by each toolbar, nor do we know what heuristics are used by any of the
toolbars other than Spoof guard. We suspect that the toolbars that performed best use larger and
more frequently updated black lists. They may also use heuristics that allow them to detect phishing
sites that haven’t yet been put on the blacklist. The only toolbar known to make no use of blacklists
was Spoof guard. While it was able to identify the majority of phishing sites using only heuristics,
it still missed some phishing sites and it had a very high false positive rate. Spoof guard could
potentially be improved through the use of a whitelist, which would prevent the problems that
occurred when phishing sites were visited before their corresponding legitimate sites. The whitelist
would not necessarily need to be extremely large or updated frequently to be effective.

4.3 Password Protection Mechanism

A password is a secret word or string of characters that is used for authentication, to prove identity
or gain access to a resource. The password should be kept secret from those who are not allowed
for access. So, the major concern for any user is to safeguard his/her password. The password can
be cracked with the attacks such as Guessing attack, Brute-force attack, Dictionary attack, Phishing
attack etc.,. Another problem regarding password is single password problem where the user uses
asingle password for both vulnerable sites and financial sites. The hackers can break into the
vulnerable sites that simply stores username and password and apply those retrieved combination
of username and password on high security sites such as banking sites. All these problems at a
single stroke can be solved by hashing the master password using domain name as key on client
side. Some of the applications/tools that use this powerful technique are

15
ANURAG ENGINEERING COLLEGE CSE
 Phishing

1) Password Composer

This extension [25] puts a tiny red icon to the left of a password entry field. If one clicks on this
icon, the password field is overlaid with a replacement input, where one can supply a single, secure
password (Master Password).

2) Magic Password Generator

This extension combines master password and the domain name of the site to make another unique
password for that site. For advanced users, with a catchall address at a domain, just put
"@example.com" (whatever one’s domain is) for the address, and MPW Gen will make a different
email for every site too. Alternately, use "foo+@…" and the value will be inserted after the + sign,
for email accounts that support this feature, like Gmail.

3) Password generator

Password Generator gets the hostname from the page's URL and mixes it together with one’s
personal master password using a little cryptographic magic MD5. It always gets the same result
if given that hostname and master password, but will never get that result if either change.

4) Hassapass

Hasspass automatically generates strong passwords from a master password and a parameter like
domain name. The password generation is performed inside this very browser window in
JavaScript

5) Genpass

Genpass is a JavaScript/MD5 bookmarklet-based password generator. Genpass is no longer being

updated. Presently consider using SuperGenPass; however, note that SuperGenPass is not
compatible with Genpass—given the same input, they generate different passwords.

6) Password Hasher

When the master key is given to Password Hasher and it enters the hash word into the site's
password field. A hash word is the result of scrambling the master key with a site tag. Click on a
# marker next to a password field or press the Control-F6 key combination when in a password

16
ANURAG ENGINEERING COLLEGE CSE
 Phishing

field or choose Password Hasher from either the Tools menu or the right-click popup menu on a
password field to enter the master key.

7) Pwdhash

Pwdhash is a browser extension that transparently converts a user's password into a domainspecific
password. The user can activate this hashing by choosing passwords that start with a special prefix
(@@) or by pressing a special password key (F2). Pwdhash automatically replaces the contents of
these password fields with a one-way hash of the pair (password, domain-name). Based on the
features like application type, hashing algorithm, security, password strength, spoof proof,
visibility to webpage, visibility to user etc., Pwdhash is the best among the above-mentioned
applications. But some of its disadvantages are as follows

a) Invisible to user - Password hashing done by Pwdhash is invisible to user. If this extension stops
working, user will not know about this, i.e., passwords will not be hashed.

b) Visibility of activation to webpage - Webpage gets the intimation about the activation of
Pwdhash. This made Pwdhash vulnerable for JavaScript attacks. So webpage can put some
efforts to know the original master password.

c) Password availability as plain text – The master password is directly filled in password field
given by webpage. i.e., password is available in plain text.

d) Easily spoof-able – As activation is visible to webpage and by using Alex’s corner method it is
very easy to know the master password of user by fake webpage.

e) Effect on others / Affecting webpage - Pwdhash have some side-effects on websites. Any
JavaScript attached with password fields will not work properly. For ex. keyPress event will not
work properly.

f) Not secure – Finally, Pwdhash is not looking so secured.

17
ANURAG ENGINEERING COLLEGE CSE
 Phishing

Chapter-5

ANTI-PHISHING

There are several different techniques to combat Phishing, including legislation and technology
created specifically to protect against Phishing.

5.1 SOCIAL RESPONSES

One strategy for combating Phishing is to train people to recognize Phishing attempts, and to deal
with them. Education can be effective, especially where training provides direct feedback. One
newer Phishing tactic, which uses Phishing e-mails targeted at a specific company, known as Spear
Phishing, has been harnessed to train individuals at various locations. People can take steps to
avoid Phishing attempts by slightly modifying their browsing habits. When contacted about an
account needing to be "verified" (or any other topic used by Phishers), it is a sensible precaution
to contact the company from which the e-mail apparently originates to check that the e-mail is
legitimate. Alternatively, the address that the individual knows is the company's genuine website
can be typed into the address bar of the browser, rather than trusting any hyperlinks in the suspected
Phishing message. Nearly all legitimate e-mail messages from companies to their customers
contain Nearly all legitimate e-mail messages from companies to their customers contain an item
of information that is not readily available to Phishers. Some companies, for example PayPal,
always address their customers by their username in e-mails, so if an email addresses the recipient
in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at Phishing. E-mails
from banks and credit card companies often include partial account numbers. However, recent
research has shown that the public do not typically distinguish between the first few digits and the
last few digits of an account number—a significant problem since the first few digits are often the
same for all clients of a financial institution. People can be trained to have their suspicion aroused
if the message does not contain any specific personal information. Phishing attempts in early 2006,
however, used personalized information, which makes it unsafe to assume that the presence of
personal information alone guarantees that a message is legitimate. Furthermore, another recent
study concluded in part that the presence of personal information does not significantly affect the
success rate of Phishing attacks, which suggests that most people do not pay attention to such
details.

18
ANURAG ENGINEERING COLLEGE CSE
 Phishing

The Anti-Phishing Working Group, an industry and law enforcement association has suggested
that conventional Phishing techniques could become obsolete in the future as people are
increasingly aware of the social engineering techniques used by Phishers. They predict that
Pharming and other uses of malware will become more common tools for stealing information.

5.2 TECHNICAL RESPONSES

Anti-Phishing measures have been implemented as features embedded in browsers, as extensions
or toolbars for browsers, and as part of website login procedures. The following are some of the
main approaches to the problem.

Helping to identify legitimate sites

Most Phishing websites are secure websites, meaning that SSL with strong cryptography is used
for server authentication, where the website's URL is used as identifier. The problem is that users
often do not know or recognize the URL of the legitimate sites they intend to connect to, so that
the authentication becomes meaningless. A condition for meaningful server authentication is to
have a server identifier that is meaningful to the user. Simply displaying the domain name for the
visited website as some anti-Phishing toolbars do is not sufficient. A better approach is the pet's
name extension for Firefox which lets users type in their own labels for websites, so they can later
recognize when they have returned to the site. If the site is not recognized, then the software may
either warn the user or block the site outright. This represents user-centric identity management of
server identities. Some suggest that a graphical image selected by the user is better than a pet name.

19
ANURAG ENGINEERING COLLEGE CSE
 Phishing

Chapter-6

ADVANTAGES AND DISADVANTAGES OF USING ANTI-PHISHING

Advantages

• Protect your savings from Phishing attacks.

• When a Phishing website or phishing email appears, it will inform to the user.

• Some Anti-Phishing software's also allows seeing the hosting location and Risk Rating of every
site you visit.

• Anti-phishing software is designed to track websites and monitor activity; any suspicious
behavior can be automatically reported and even reviewed as a report after a period of time

Disadvantages

• No single technology will completely stop phishing. So Phishing attacks can not be completely
stopped

• Even Anti-Phishing software's should be upgraded with respect to the Phishing attacks.

20
ANURAG ENGINEERING COLLEGE CSE
 Phishing

CONCLUSION

No single technology will completely stop phishing. However, a combination of good

organization and practice, proper application of current technologies, and improvements in
security technology has the potential to drastically reduce the prevalence of phishing and the losses
suffered from it. In particular:
High-value targets should follow best practices and keep in touch with continuing
evolution of them. Phishing attacks can be detected rapidly through a combination of customer
reportage, bounce monitoring, image use monitoring, honeypots and other techniques.
Email authentication technologies such as Sender-ID and cryptographic signing, when
widely deployed, have the potential to prevent phishing emails from reaching users.Analysis of
imagery is a promising area of future research to identify phishing emails. Personally identifiable
information should be included in all email communications. Systems allowing the user to enter
or select customized text and/or imagery are particularly promising.
Browser security upgrades, such as distinctive display of potentially deceptive content and
providing a warning when a potentially unsafe link is selected, could substantially reduce the
efficacy of phishing attacks. Anti-phishing toolbars are promising tools for identifying phishing
sites and heightening security when a potential phishing site is detected.
Detection of outgoing confidential information, including password hashing, is promising
area of future work, with some technical challenges

21
ANURAG ENGINEERING COLLEGE CSE
 Phishing

BIBLIOGRAPHY

[1] http://en.wikipedia.org/

[2] http://webopedia.com/

[3] http://computerworld.com/

[4] http://www.anti-phishing.info/

22
ANURAG ENGINEERING COLLEGE CSE