Phishing Attacks A Challenge Ahead Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Authentication is reliably identifying an entity. It is the most important defence in the security of a system. The active hackers, dictionary attacks, phishing scams and other malicious threats have brought great challenges and potential threats to online transactions. Authentication is essential because the numbers of online transactions are increasing exponentially on the web. The most common verification technique is to check whether claimant possesses some information or characteristics that a genuine entity should possess. Authentication process gets complicated when text, visual or audio clues are not available to verify the identity. Authentication protocols are capable of simply authenticating the user to the connecting party and vice-versa. The current technologies used in authentication are password, smart card, passphrase, biometrics, public key cryptography, zero knowledge proof, digital signature, SSL/TLS (Secure Socket Layer/ Transport Layer Security), IPsec (IP Security) and secure shell. The selection of an environment appropriate authentication method is one of most crucial decisions in designing secure systems.

Phishing is an online identity theft that combines social engineering and website spoofing techniques to cheat the user by redirecting his confidential information to an untrusted destination. The attacker can use this information in online transactions to make an illegal economic profit. In a phishing attack, the attacker sends a large number of spoofed e-mails to random Internet users that appear to be coming from a legitimate business organization such as a bank. The e-mail requests the recipient to update his personal information and also warns that failure to reply the request will result in closure of his online banking account. The victim follows the phishing link provided in the e-mail and is directed to a website that is under the control of the attacker. The average user can not distinguish a well designed phishing website from the legitimate site because the phishing site is prepared in a manner that imitates visual characteristics of the target organization's website by using similar colors, icons, logos and textual descriptions. Password based authentication is highly susceptible to phishing attacks by exploiting the visual resemblance of domain names to allure the victims (e.g. instead of actual Phishing attacks are increasing despite the use of preventive measures like e-mail filters and content analysis. The effectiveness of these anti-spam techniques depends upon many critical factors such as regular filter training. There is still a possibility that some of the phishing e-mails manage to get through the filters and reach the potential victims. The phishing attacks are becoming more and more sophisticated and therefore require strong countermeasures. It is important to detect the phishing sites early because most of them are short-lived and cause the damage in the short time span between appearing online and vanishing. Phishing is doing direct damage to the financial industry and is also affecting the expansion of e-commerce.

One of the solutions to counter phishing is to render the browsers with security indicators such as use of https in URL bar, locked icon, public key certificate and security warnings. The main reason for the success of phishing attacks is that average users do not constantly notice the presence of security indicators and do not know how to interpret them. A solution is required in which the user does not have the need of interpreting the browser based security indicators.

Phishing attacks are so powerful that many suggested countermeasures are not very effective. Naive users are easy targets of phishing attacks. Pharming accomplishes same thing as phishing by using Domain Name Server (DNS) spoofing but without spam e-mail. Here adversary plants false code on DNS itself by DNS spoofing attack. Hence anyone entering correct web site address will be directed by DNS to fake site.

This paper is organized as follows. In next section, we explore the literature on existing anti-phishing protocols. Then the paper discusses the various anti-phishing password protocols in terms of security, cost and performance. We present future research directions and finally we conclude the paper.

Literature Review

To mitigate the risk of phishing attacks, defense mechanisms have been deployed at both the client and the server sides. These solutions include the digitally signed e-mail (S/MIME), anti-phishing plug-ins for browsers like SpoofGuard [1], Kirda and Kruegel's measures [2], blacklist integration into Internet Explorer browser [3], Google safe browsing [4] and Mozilla phishing protection [5].

In 1999, RFC 2617 [6] proposed a Digest Access Authentication scheme that uses a password digest to authenticate a user. In 2004, Herzberg and Gbara [7] constructed a TrustBar that associates the logo with the public key certificate of the visited site. In 2004, SecurID [8] scheme was suggested that uses one-time password for authentication and has been deployed in a number of financial organizations. In 2005, PwdHash [9] scheme was suggested that authenticates a user with one-way hash [10] on <password, domain name> instead of the password only so as to defeat the visual similarity of the domain name. This technique creates a domain specific password that becomes useless if it is submitted to another domain. However, PwdHash is susceptible to offline dictionary attack and ineffective against pharming or DNS spoofing attack where the attacker presents correct domain name to the browser but redirects the user's request to its own server. In 2005, Synchronized Random Dynamic (SRD) [11] scheme was suggested that is having an internal reference window, whose color changes randomly and sets up the boundary of the browser window with different colors according to certain rules. This scheme is impractical for hand held devices and is also ineffective if the attacker creates a bogus reference window to overlap the original reference window. In 2005, Dhamija and Tygar [12] proposed a technique that uses Dynamic Security Skin (DSS) on the user's browser. It creates a dedicated window containing a specific image shared between the user and the server for inputting user name and password so as to defeat a bogus window. In 2005, SpoofGuard [1] technique was suggested that examines the domain name, images and links on the web pages and raises an alarm to the users if the site has a high probability of being a phishing site. In 2005, Adelsbach et al. [13] combines different concepts of an adaptive web browser toolbar that summarizes all relevant information and allows user to get required crucial information at a glance. This toolbar is a local component of user's system on client side and hence a remote attacker can not access it by means of active web languages. The main disadvantage of this toolbar scheme is that the user has to recognize his personal image at each login.

In 2006, Wu et al. [14] found that 13-54 % of the users visited phishing websites, despite the warnings from anti-phishing toolbars. Several browser toolbars like SpoofGuard [1] and TrustBar [7] have been proposed to find a pattern in phishing websites and alerts the user if the given site matches the pattern. In 2006, Juels et al. [15] suggested the use of cache cookies for the user identification and authentication that uses the browser cache files to identify the browser. These cookies are easy to deploy because it does not require installation of any software on the client side. Then they extended the concept to active cookie scheme, which stores the user's identification and a fixed IP address of the server. During the client's visits to the server, the server will redirect the client request to the fixed IP address so as to defeat phishing and pharming attacks. SiteKey [8] has been deployed by the bank of America [16] and Yahoo's sign-in seal [17] to prevent a phishing attack. Initially, it recognizes the client's browser by a previously installed cookie and then requests the user to enter his user name. After successful authentication, a user specific image is displayed on the browser. Finally, the user submits his password after recognizing the image displayed on the browser to authenticate itself. In 2006, Automatic Detecting Security Indicator (ADSI) [18] was proposed as an enhancement of toolbar scheme that generates a random picture and embeds it in to the existing web browser. It can be triggered by any security related event occurred on browser and then performs automatic checking on current active security status. In case mismatch in embedded images is detected, an alarm goes off to alert the users. ADSI can not prevent man-in-the-middle and phishing attacks with self sign certificate.

In 2007, Ludl et al. [19] analyzed legitimate and phishing websites to define the metrics that can be used to detect a phishing site. In 2007, Microsoft deployed Sender ID [20] and Yahoo deployed DomainKeys [17] protocols to detect the phishing e-mails. In 2007, Karlof et al. [21] proposed the cookies based Locked Same Origin Policy (LSOP) that enforces access control for the SSL web objects based on the server's public key. In 2007, Microsoft [3] integrated the blacklisted phishing domains in to the web browser so that browser refuses to visit these phishing websites. In 2007, Google Safe Browsing [4] uses a blacklist of phishing URLs to find out a phishing site. This technique can not recognize those phishing sites which are not present in the blacklist maintained by the server. This approach can prevent phishing attack if the fraudulent sites are discovered and listed quickly. A study carried out by the Microsoft [3] in 2007 reported that the Microsoft's blacklist is superior to the Google's blacklist. Another study initiated by the Mozilla [4] drew the opposite conclusion in favor of the Google. In 2007, Zhang et al. [22] performed a similar study that tested the detection rates of different blacklist based anti-phishing solutions. Their dataset includes 100 phishing URLs collected over a period of three days in November 2006. They analyzed ten toolbars experimentally and reported that the only toolbar consistently identifying more than 90 % of phishing URLs also classified 42 % of legitimate URLs incorrectly as phishing. VeriSign [23] is providing a commercial anti-phishing service. The company is crawling millions of web pages to spot out clones to identify phishing websites. In 2007, Adida [24] suggested a FragToken scheme that uses the URL portion as an authenticator and accordingly change response for authentication. FragToken is only useful in low security environment like blog because it is vulnerable to man-in-the-middle attack.

In 2007, Gouda et al. [25] proposed an anti-phishing single password protocol that allows the user to choose a single password of his choice for multiple online accounts on the web. In 2008, Yongdong et al. [26] proposed SSO anti-phishing technique based on encrypted cookie that defeats phishing and pharming attacks. They mentioned different reasons for web spoofing like self signed certificates or insertion of a spoofed image representing security indicator where one does not exist. Most of the users can not distinguish the spoofed browser's security indicators from actual security indicators such as public key certificate, URL bar and locked icon. It encrypts the sensitive data with the server's public key and stores this cookie on the user's computer. This Encrypted Cookie Scheme (ECS) has advantage that the user can ignore SSL indicator in online transaction procedure.

NetCraft Tool Bar [27] is based on risk rating system. Risk is computed based on the age of domain. This technique uses the database of phishing sites and hence might not recognize new phishing sites successfully. SpoofStick [28] provides basic domain information. It will show that you are on when you are on paypal site or will display you are on IP address of spoofed site. It is not efficient against spoofed sites opened in multiple frames. McAfee SiteAdvisor [29] protects the users from spyware and ad-ware attacks. It uses the crawler to create a large database of malware and test results on them to provide rating for a site. This technique will not be able to find new phishing sites. The ebay Tool Bar [30] solution is based on "Account Guard" that changes color if the user is on a spoofed site and is specifically designed for ebay and paypal websites.


Security Requirements

Password is the most commonly used technique to authenticate the users on the web. Short and easily memorable passwords are susceptible to attacks on insecure communication channels like the Internet. On the other hand, the users find it difficult to remember long and complex passwords. A common practice adopted by the users is to choose a single strong password and use it for multiple accounts, instead of choosing a unique password for each account [31]. The attacker can learn the password of a user from a less secure site and reuse it to compromise a secure site. An insider or a person close to the user has the maximum ability to steal the user's password because most of the users chosen passwords are limited to the user's personal domain. Therefore, the password based authentication schemes are vulnerable to phishing, dictionary, man-in-the-middle and insider attacks. Hacking and identity thefts are the two main concerns in password based authentication protocols. Phishing attacks are also increasing significantly in online transactions. Information Technology (IT) companies such as Microsoft, Google, America On Line (AOL) and Opera have recently started announcing browser integrated blacklist based anti-phishing solutions. A solution is required to list out the new phishing sites in blacklist database quickly otherwise they will do the damage before being included in the blacklist database. Researchers are putting efforts in developing better password based authentication protocols that should achieve required goals and satisfy security requirements to withstand all possible attack scenarios.

In 2006, Wu et al. [32] gave different reasons for web spoofing like placing a spoofed image with security indicator even though it does not exist and self signed certificates. Most of users find it difficult to interpret browser security indicators correctly and clues such as URL bar, locked icon, certificate dialogs and security warnings.

Google Safe Browsing [4] uses a blacklist of phishing URLs to find out a phishing site. This technique can not recognize those phishing sites which are not present in the black list maintained by server. NetCraft Tool Bar [27] is based on risk rating system. Risk is computed based on the age of domain. This technique uses the database of phishing sites and hence might not recognize new phishing sites successfully. SpoofStick [28] provides basic domain information. It will show that you are on when you are on paypal site or will display you are on IP address of spoofed site. It is not efficient technique against spoofed sites opened in multiple frames. McAfee SiteAdvisor [29] protects the users from spyware and ad-ware attacks. It uses the crawler to create a large database of malware and test results on them to provide rating for a site. This technique will not be able to find new phishing sites. The ebay Tool Bar [30] solution is based on "Account Guard" that changes color if the user is on a spoofed site and is specifically designed for ebay and paypal web sites.

Countermeasures to online dictionary attacks are provided by Pinkas and Sander [33]. Several techniques are available to withstand dictionary attacks. Most of the existing password based authentication schemes are vulnerable to different attacks (e.g. dictionary, phishing, man-in-the-middle) and hence not able to serve as an ideal password authentication scheme. The fast development in Internet and web technologies for online applications such as e-commerce and e-government is increasing at exponential rate. Once the server authenticates the user's input, web server sends the confidential page to user's browser window. User's password sent to a server for authentication is subject to phishing attacks. User may have disclosed sensitive data to an adversary during its visit to a fake or unreliable server. Security requirements for password based authentication protocol requires resistance against different attacks such as phishing, dictionary, man-in-the-middle, denial of service, impersonation, forward secrecy, server spoofing, replay, smart card loss, stolen-verifier and parallel session and should achieve mutual authentication.


Most of the user's finds it difficult to understand security indicators. Researchers are working for effective browser integrated blacklist based solutions and other different techniques to thwart phishing attacks. An adversary can masquerade as a legal user by stealing user's identity and password stored in plain text from the password table stored on remote server. Hashed or encrypted passwords can solve this problem. Lamport [34] proposed one-time password with one-way hash function that was secure against replay attacks. Password reuse rates increases because people accumulate more accounts but did not create more passwords. Researchers have conducted experimental studies of password use and concluded that people inclined to pick passwords that represent themselves. Personalized passwords such as phone numbers, vehicle number, pet's name or a social security number can be cracked given a large enough dictionary tries. Gaw et al. [35] give tips and rules for creating strong passwords: use of both uppercase and lowercase letters, at least six characters, avoid common literary names, mix up two or more separate words, create an acronym from an uncommon phrase, avoid passwords that contain login identity, use of numbers, dropping of letters from a familiar phrase, deliberate misspelling and use of punctuation in the password. The average user finds it difficult to remember complex passwords. Moreover, most of the users lack motivation and do not understand the need of password security policies. An ideal password authentication scheme should not store verification table directly on the server, allows the user to change password freely, not revealing password to the server, password transmission should not be in clear text, appropriate password for memorization, unauthorized login can be detected quickly and the scheme should be secure even if the secret key of the server is leaked out or stolen. Table 1 gives the cost and functionality comparison among recent anti-phishing protocols.

Table 1: Cost and functionality comparison among different anti-phishing protocols

* Y implies yes and N means no

Table 2 gives the statistics of organization based phishing sites. Table 3 gives the attacks and countermeasures. Table 4 gives the domains, country domains and phishing count.

Table 2: Organization based phishing sites

Table 3: Phishing attacks and their countermeasures

Table 4: Domain, country domain and phishing count

Future Directions

Potential scope of research work contains the important issues identified as the dynamic identity management, multi level password verification and two layers based password concept so that efficient password authentication schemes can be designed which satisfy all the security requirements and achieve the goals of an ideal password authentication scheme. An ideal password authentication scheme should have protection from eavesdropping, denial of service, impersonation, parallel session, password guessing, replay, stolen smart card, stolen verifier, man-in-the-middle, malicious user, malicious server, phishing, pharming and other feasible attacks relevant to that protocol and should achieve mutual authentication.

One of the reasons for success of phishing and dictionary attacks is high rate of password reuse because users tend to use the same password with more and more accounts. Users find it difficult to remember several complex passwords and hence it is difficult to prevent phishing and dictionary attacks. One of the thrust and major area of research is to find technical solutions for the online password management without significantly changing the user's behavior.

Researchers have proposed different anti-phishing techniques based on the web browser security indicators. The main reason for the success of phishing attack is that users do not constantly notice the presence of a security indicator or find it difficult to understand the meaning of these browser based security indicators. Therefore, the web browser must provide an easy to use interface for the users and minimize the efforts in checking the browser based security indicators. A solution is required in which the user does not have the need of interpreting the browser based security indicators.

Researchers have proposed an anti-phishing solution based on integration of blacklist into the web browsers. Therefore, effective techniques must be devised to check whether a web page is legitimate or a phishing page. It is not easy to provide a mechanism to prevent the users from visiting a phishing site. It is important to detect phishing pages early because most of them are short lived and do the damage in time span between appearing online and vanishing.

Different solutions to thwart online dictionary attacks in authentication protocols have been suggested. These solutions include Reverse Turing Tests (RTT), single password to different accounts, virtual password generation, two layers based password verification and password based authentication using multi-server environment. Most of the suggested solutions are vulnerable to dictionary attacks, even the most commonly used RTT is vulnerable to RTT relay attack. More effective and efficient techniques are required to thwart online dictionary attacks.

The role of cookies can be enhanced in virtual password authentication protocols to preserve the advantages of basic password authentication and simultaneously increasing the efforts required for online dictionary attacks. The legitimate client can easily authenticate itself to the web server from any computer irrespective of whether that computer contains cookie or not. However, the computational efforts required from the attacker during login on to the web server increases with each login failure. Therefore, even the automated programs can not launch online dictionary attacks on the proposed protocol.

Single-Sign-On (SSO) provides an environment in which the client sign in once and are able to access the services offered by different servers under the same administrative control. However, the user's password verification information stored on the single centralized server is a main point of susceptibility and remains an attractive target for the attacker. Therefore, the concept of SSO password based two-server architecture that uses two-server paradigm so that password verification information is distributed between two servers (an authentication server and a control server) is more resistant to dictionary attacks as compared to existing single-server password based SSO authentication protocols.

Smart card based password authentication is one of the most convenient ways to provide multi-factor authentication for the user by acquiring the smart card and knowing the identity and password. They are used in financial transactions and therefore require secure authentication protocols with high computational and communication efficiency. The protocol designer should also take memory requirement, number of rounds and time complexity into consideration.

A number of static identity based remote user authentication schemes have been proposed to improve security, efficiency and cost. The static identity leaks out partial information about the user's authentication messages to the attacker. On the other hand, the dynamic identity based authentication schemes preserve the user's anonymity. The dynamic identity is computed from the user specific parameters and is different for the same user in each new session of the protocol. Therefore, the dynamic identity based authentication schemes are more suitable to e-commerce applications.

In e-commerce, the number of servers providing the services to the user is usually more than one and hence secure authentication protocols for multi-server environment are required. The concept of multi-server authentication helps to distribute the user's verifier information among different servers. Therefore, the multi-server architecture based authentication protocols make it difficult for the attacker to find out any significant authentication information related to the legitimate users. The issue of remote login authentication with smart card in single server environment has already been solved by a variety of schemes. These conventional single-server password authentication protocols can not be directly applied to multi-server environment because each user needs to remember different sets of identities and passwords. Researchers are working in this direction to develop secure and efficient remote user smart card based authentication protocols for multi-server environment.


Corporate network and e-commerce applications require secure and practical remote user authentication solutions. Password based authentication protocols are mainly susceptible to dictionary and phishing attacks. Instances of phishing attacks are rapidly growing in number. This is sufficient to shake the confidence of the customers in e-commerce. Naive users find it difficult to understand the security indicators of the web browser. Authenticating the user on the web is an essential primitive and is target of various attacks. In this study, we analyzed currently available password authentication schemes over insecure communication channel. Techniques should be devised so that it will be helpful to naive users in judging out phishing web sites quickly. That type of protocol can be easily integrated into different types of services such as banking and enterprise applications. Cookies are good means to provide weak authentication. SSO authentication is time efficient because it allows the user to enter his identity and password once within specific time period to login on to multiple hosts and applications within an organization. The concept of two-tier authentication for the client makes it difficult for an attacker to guess out the information pertaining to password and ticket. Smart card based password authentication is one of the most convenient ways to provide multi-factor authentication for the communication between a client and a server. User's privacy is an important issue in e-commerce applications. Dynamic identity based authentication schemes aim to provide the privacy to the user's identity so that users are anonymous in communication channel. Transaction authorization method based on out of band channels like SMS messages was introduced by banks to thwart dictionary and phishing attacks but it requires two separate communication channels. The concept of virtual password authentication protocol changes the password in each login attempt corresponding to the same client. In future, more computation and communication efficient password authentication schemes should be developed which can resist different attacks in a better way. In this paper, a brief review of the literature on the research topic has been carried out. The scope of the research work has been outlined and the future directions have been listed.