Study On The Stages Of Phishing Attacks Computer Science Essay



Spyware is spying software used to control the operation of a client computer without the knowledge of the user, by inserting a large amount of malicious code on the computer. Once installed, the program tracks the user's behaviour, including the websites he visits, and gains access to confidential financial and personal data. Social security numbers and credit card details, which are confidential information, are also obtained with the help of spyware. A spyware infestation may create a huge amount of network traffic and consume CPU resources and disk space. Some spyware can also force users to visit particular websites without their permission [4].

Spyware is often considered a more complex form of malware than viruses and worms. There are different approaches by which spyware enters a network or PC. They are:

Automatic installation by web-based scripts, without the user's consent.

Links embedded within public IM conversations can trigger the download of a spyware or adware payload that uses a variety of ports and protocols to install multiple malicious applications.


Attackers who plant viruses and worms leave backdoors so that they can regain access to the victim's machine later and misuse it. "For example code red II leaves the "CMD.exe" in a directory which allows an intruder to execute an arbitrary command on the compromised machine with the privileges of Microsoft IIS process" [4]. When such compromised machines are collected and controlled in large numbers, as armies, they are collectively called botnets. Botnets can be used to launch several types of attack, such as DDoS and phishing attacks.


This software, usually referred to as advertising software, displays advertisements without the user's approval. Adware also exhibits characteristics of spyware, such as tracking the websites the user visits. It also collects user data such as social security numbers, but it does not attract phishers for use in launching phishing attacks.

SMTP: As the name implies, the Simple Mail Transfer Protocol is the protocol used to exchange electronic mail over the internet. In terms of the OSI model, SMTP belongs to the application layer, even though it uses TCP for mail exchange. It plays a major role in sending and receiving email between mail servers, for example from the sender's mail server to the receiver's mail server. It is a text-based protocol and ensures reliable transfer of data. [6]

PGP (Pretty Good Privacy):

PGP is a cryptographic program that provides privacy and authentication for data communication. It is mainly used to secure the transmission of electronic mail over the internet. PGP can also be used for digital signatures, which provide message integrity and help maintain trust between sender and receiver. The functions of PGP can be listed as follows:

Encrypting files using encryption algorithms

Key generation, where PGP keys and session keys are generated

Maintaining a public key database of the communicating users

Sending and receiving email in a secure way

Digitally signing documents and verifying others' signatures. [7]

In the PGP process the plain text (the email) is compressed and then encrypted using a session key that is generated at the time of encryption. The session key is then encrypted using the receiver's public key, so that it can be decrypted only with the receiver's private key. These two pieces are sent over the internet; at the receiver's end the session key is first decrypted using the private key, and then the original message is decrypted using that session key. It provides message authentication and integrity.
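As an added example (my own code, not the essay's and not PGP's implementation), the sequence above carried out in Python with the standard library only: a toy RSA pair built from small constructed primes stands in for the receiver's PGP key pair, and an HMAC-SHA256 keystream stands in for PGP's symmetric cipher; neither is secure, and signing is left out so that only the confidentiality path is shown.

```python
import hashlib
import hmac
import secrets
import zlib

# Toy receiver key pair: small constructed primes, NOT secure, standing in for the PGP key pair.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
RECEIVER_PUBLIC, RECEIVER_PRIVATE = (N, E), (N, D)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 keystream in counter mode.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def pgp_style_encrypt(plaintext: bytes, public_key=RECEIVER_PUBLIC):
    """Sender side: compress, encrypt with a fresh session key, then wrap the
    session key with the receiver's public key. Returns (wrapped_key, ciphertext)."""
    n, e = public_key
    compressed = zlib.compress(plaintext)
    session_key = secrets.token_bytes(16)            # fresh 128-bit session key
    ciphertext = keystream_xor(session_key, compressed)
    # Textbook RSA on 2-byte chunks, because the toy modulus is small.
    wrapped = [pow(int.from_bytes(session_key[i:i + 2], "big"), e, n)
               for i in range(0, len(session_key), 2)]
    return wrapped, ciphertext


def pgp_style_decrypt(wrapped, ciphertext: bytes, private_key=RECEIVER_PRIVATE) -> bytes:
    """Receiver side: recover the session key with the private key first,
    then decrypt and decompress the message with that session key."""
    n, d = private_key
    session_key = b"".join(pow(c, d, n).to_bytes(2, "big") for c in wrapped)
    return zlib.decompress(keystream_xor(session_key, ciphertext))


if __name__ == "__main__":
    # Constructed sample message.
    msg = b"Constructed sample email body: meeting moved to 10:00."
    wrapped, body = pgp_style_encrypt(msg)
    print(pgp_style_decrypt(wrapped, body) == msg)
```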

Types of Worms:

Worms are self-replicating programs that run on their own without any external trigger and can be destructive in many ways. Once created, worms spread widely over networks and their connections, as they do not require a specific host in order to propagate. The types of worms can be listed as below:

Email worms - The most common type of worm; spread through emails and their attachments.

Instant messaging worms - Very similar to email worms, differing only in the way they are sent. Here an instant messaging service is used to send infected links and websites.

Internet worms - These use operating system resources to find vulnerable computers over the network and then try to bring them completely under their control.

IRC worms - Infected links or files are sent directly over chat channels.

File sharing network worms - Worms that reside in a shared folder and spread when the computer's folders are shared. [9]

Types of Trojan Horse virus:

Trojan horses are a tricky type of malware that performs a harmful operation while pretending to do something else. Such malware is hard to detect, and its operations are hard to prevent. They may corrupt data, erase data or give hackers clues that help them steal confidential data. Trojan horses can be spread through emails or files attached to them, or transferred along with any data transfer. They are highly dangerous because their nature makes them hard to detect and because they give complete access once the machine is under attack. [10]

The different types of Trojan horse virus are as follows:

Remote administration Trojan Horse virus - Used by a hacker to gain complete access to the infected system, where he may perform operations such as copying files, altering data in files or blocking external communication. [11]

File serving Trojan Horse virus - This type creates a file server on the target machine and may affect all the machines communicating with it. [11]

Distributed denial of service attack Trojan horse virus - A DDoS Trojan is installed on the main server, and many zombie machines are used to attack the target machine by flooding it with traffic, making its resources unavailable to other programs. [11]

Key logging Trojan Horse - Records the user's activities, such as keystrokes, and sends them to the hacker. [11]

Password stealing Trojan Horse - Provides the hacker with password information, making it easy to access accounts and confidential data.


A phishing attack involves several stages. Each stage contributes to a successful phishing attack, as discussed below.

In the first stage the attacker gathers a list of email addresses of the victims he intends to attack. The email addresses are normally obtained from various sources or are guessed.

In the next stage the attacker generates an email which appears genuine and requests the recipient to perform some action.

Then the attacker sends the generated email to the intended victim in such a way that it looks genuine and its exact source is difficult to determine.

Once the email reaches the recipient's inbox, the recipient opens the malicious attachment and completes the form, or is redirected to the website.

In the final stage the attacker collects the victim's sensitive information and uses it to exploit the user and launch further attacks in the future.

The attacker has several ways of executing these steps. There are also many countermeasures that potential victims can deploy to defend against these kinds of attack. The step-by-step procedure of how a successful phishing attack is launched is described in the figure below.

Fig(): Tree Methods of the common attacks. [1]

Attacks with Worms and Trojans:

The user believes the email is legitimate and opens an executable attachment. The anti-virus software scans the attachment. If the Trojan is detected and deleted, the attack fails. But if the Trojan is detected and the user ignores the warning, the attacker gains control of the machine.

Fig(): Attacks with worms and Trojans tree method [1]

If the Trojan is not detected, the attacker easily gains access to the machine and controls it. The other case is where the user opens the attachment without antivirus software. Along each of these paths the Trojan ends up installed, with the sensitive information on the user's computer within its reach.

After the Trojan is installed the attacker needs to retrieve the information by sending it across the network. If there is no firewall or IDS installed, the information passes easily to the attacker, who gains the sensitive information. If a personal firewall sees the data transmission, then in one case the attacker gets through by using an existing application, and in the other case the user permits the transmission and the attacker gains the information. The attack fails if the firewall blocks the communication. If a host IDS is installed on the network, the host IDS blocks the communication and the attack fails as well.
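To make the branches just described concrete, here is an added example (my own code, not the essay's and not taken from reference [1]) that encodes this worms-and-Trojans tree as AND/OR nodes in Python, evaluates a scenario, and lists which single conditions would turn a successful attack into a failure; the leaf names are labels I chose for the essay's conditions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Node:
    op: str                                   # "leaf", "and", "or" or "not"
    name: str = ""                            # condition name, used by leaves
    children: List["Node"] = field(default_factory=list)


def leaf(name: str) -> Node: return Node("leaf", name)
def AND(*kids: Node) -> Node: return Node("and", children=list(kids))
def OR(*kids: Node) -> Node: return Node("or", children=list(kids))
def NOT(kid: Node) -> Node: return Node("not", children=[kid])


# The essay's worms/Trojans tree; leaf names are labels chosen here.
TROJAN_TREE = AND(
    leaf("user_opens_attachment"),
    OR(leaf("no_antivirus"),                          # opened without AV
       leaf("av_misses_trojan"),                      # AV fails to detect it
       AND(leaf("av_detects_trojan"), leaf("user_ignores_warning"))),
    OR(leaf("no_firewall_or_ids"),                    # data leaves unchecked
       leaf("spyware_uses_existing_app"),             # slips past the personal firewall
       leaf("user_permits_transmission")),            # user allows the connection
    NOT(leaf("host_ids_blocks")),                     # host IDS stops the upload
)


def evaluate(node: Node, state: Dict[str, bool]) -> bool:
    """True when the scenario in `state` (unlisted conditions count as False) reaches the goal."""
    if node.op == "leaf":
        return state.get(node.name, False)
    if node.op == "and":
        return all(evaluate(c, state) for c in node.children)
    if node.op == "or":
        return any(evaluate(c, state) for c in node.children)
    return not evaluate(node.children[0], state)


def leaves(node: Node) -> List[str]:
    if node.op == "leaf":
        return [node.name]
    return [name for c in node.children for name in leaves(c)]


def single_flips_that_stop(tree: Node, state: Dict[str, bool]) -> List[str]:
    """Conditions which, flipped on their own, turn a successful attack into a failure:
    the single controls or user behaviours worth prioritising for this scenario."""
    if not evaluate(tree, state):
        return []
    stoppers = []
    for name in sorted(set(leaves(tree))):
        flipped = dict(state, **{name: not state.get(name, False)})
        if not evaluate(tree, flipped):
            stoppers.append(name)
    return stoppers
```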

Attacker deceit:

In the diagram below, the attacker keeps the attack going by sending an email with an attachment that looks like something ordinary, normally a greeting card or a screen saver. In fact the attachment consists of an executable program that serves as a communication channel between the user's machine and the attacker for the attacks to be launched in future. The spyware on the machine normally sends the information across the network, bypassing installed security software such as antivirus software and intrusion detection software. If this software is properly deployed it can block the spyware and so stop it from passing the information over the network. The step-by-step procedure is as follows.

The user normally thinks that the email received is genuine, and there are four different ways in which the attacker gains the victim's information. In the first case the user thinks the email is genuine and gives the information to the attacker by replying to the email. In the second case the attacker asks the victim to fill in a form, and the victim, believing the email genuine, fills in the form with the information and sends it to the attacker. If the browser initiating the connection warns the user that the information being sent is sensitive and alerts him about data protection, the user becomes alert and the attack fails. But if there is no such browser protection, the attacker successfully launches the attack and gains the information.

In the third case the attacker redirects the user to an HTTP site, where an insecure website is displayed. The user believes it is the genuine website and fills in the form, not knowing that the data is being forwarded to the attacker. If the browser has privacy protection services and generates an alert, the user is alerted and stops sending. But if no privacy protection is installed, the attacker gains the information.

In the fourth case the attacker makes the user visit an HTTPS site, which is normally taken to be a secure site. The victim assumes any HTTPS site is secure, without knowing that this one is maintained by the attacker. Once the HTTPS site is visited, if the browser generates a warning saying that the website certificate is invalid, the user is alerted and the attack fails. But if the attacker's site has a valid certificate, the attacker's website is displayed, the user fills in the form on the webpage, and the attacker gains access to the sensitive information.

Another case is where the user is warned about the invalid certificate but ignores the warning and fills in the form; the attacker then gains the information. A further case is where the browser fails to detect the invalid certificate and the user is not warned about it; the user fills in the form and the attacker has the information.

Fig(): Attacker deceit tree method [1]


The figure below represents the spyware used by the attacker to launch the attack. Spyware is used to extract sensitive information from the user's computer. A previously installed worm or Trojan can be used to gain this information. These programs can be detected by many antivirus and detection programs. Here, once the user believes the email is legitimate, the user visits the attacker's sites, and if the spyware is not detected on the user's computer the attacker gains the information. If the user ignores the warning, the attacker likewise gains the information. But if the spyware is detected and the user heeds the warning, the attack fails.

Fig(): Attacker spyware tree method [1]

Man-in-the-Middle attack or Man-in-the-Browser Attack:

The man-in-the-middle attack or man-in-the-browser attack is where the attacker sends spoofed content to a user who has requested the actual content from a particular website. The step-by-step procedure of these attacks is shown in the figure below. The user is normally redirected to a fake server to accomplish the attack [13]. The attacker uses emails with cleverly crafted links to fool the user, combined with DNS poisoning or a fake access point. The attacker's server basically acts as a proxy between the user and the actual server, intercepting the communication between them and redirecting it or providing spoofed content.

Fig(): The Man-in-the-Middle or Man-in-the-Browser Attack [13]

The Cross-site Scripting Attacks:

In cross-site scripting attacks the actual web server is compromised instead of the user being redirected. The attacker supplies malicious code to the compromised web server, and the server then delivers the code to the actual user. This procedure is referred to as a cross-site scripting attack, also called an XSS attack [13].

Once the code is delivered, the victim sees the injected XSS content on the webpage without knowing it. After the client runs these scripts on its machine, the attacker is able to access the personal data of the user.

Fig(): Description of Cross-Site Scripting Attack

The Case studies of Phishing Attacks:

Case study 1: Phishing networks carry out their attacks across various segments of enterprise and maintain their own markets and strategies; they are typically called criminal enterprises. The growth and marketing of these large markets produce a very sophisticated approach. Communication among phishers about the latest events, disasters or anything else of interest is so fast that they are informed well ahead of ordinary users. This helps phishers launch attacks on users to steal information or resources. A typical example is Hurricane Katrina. The APWG witnessed several phishing attacks during the hurricane. The phishers launched attacks posing as supporters of the disaster victims, asking people for donations in order to take the money. Attacks were staged against organizations such as the American Red Cross, the Salvation Army, and Hurricane Katrina Donations [12]. As soon as the hurricane was named, the attackers started registering domain names resembling the websites of charities for the disaster victims. They then created bogus websites, hosted in the United States and Mexico, which provided the latest news of the disaster and robbed people by asking for donations. The figure below shows a typical example of the attack, where the bogus website was hosted.

Fig(): Hurricane Katrina phishing email and bogus website [12]

The emails, known as Katrina emails, were sent to users as links with website details, and so people were easily trapped. Users, unaware of what was happening in the background, were tempted to go to a website that contained JavaScript. This JavaScript attempted to exploit two HTML Help vulnerabilities, found on Windows systems using Internet Explorer's HTML Help ActiveX control. The vulnerability could disclose information to the attacker. The attacker, now in control of the user's machine, could also install a Trojan. The Trojan uses the backdoor concept to reinstall and re-enter the machine when required, giving the attacker full access to the system. This scenario was built on cross-site functionality and can therefore be considered a cross-site scripting attack [12].

Case Study 2:

Botnet and phishing researchers have been continuously studying the interactions between these programs and the various possible scenarios in which an attack can be launched [12].

Fig(): Phishing email using concept of post card [12]

The figure above shows a phishing email built around the idea of a postcard. This research has mainly helped in gathering information about the attacks, with only minor defence mechanisms resulting. The concept of the honeypot was developed to trap attacks happening on the network. A honeypot is basically a trap set to detect attempts by an attacker on a particular part of the information system. Researchers were able to observe different types of attack, among them phishing emails resembling email postcards. These emails contained links for viewing the postcards. Unsuspecting users were sent an email saying that a postcard had been sent to, or received from, someone they knew. The email contained the phishing link, and the user was tempted to click the link to see the postcard that had been sent or received [12].

Another interesting aspect was that the email was sent in different languages to attract different sets of people. For instance the email was sent in English, Polish, Portuguese, German, Spanish and others. The user then clicks the link received, is redirected to a remote server, and the Trojan horse is installed. Sometimes the attacker also asks the user to enter personal details. Once the user submits the form, all the personal details are in the attacker's hands, which is basically called identity theft. Hence the user has been compromised with identity theft, and the machine with a Trojan horse installation. Similarly the botnet is set to be activated on the user's system [12].