Network security increase by using extended validation secure socket layer certificates for avoiding the phishing threats.
Tabusca, Alexandru ; Enaceanu, Alexandru
1. INTRODUCTION
Phishing is the term for the practice of deceiving network users into
providing private information that is then used for identity or business
theft. It is one of the most important threats today for both consumers
and businesses that depend on IT infrastructure. During the last five
years phishing has been growing rapidly, with one estimate citing
approximately 8 million phishing attempts per day all over the world
(O'Donnell, 2009).
The international organization APWG (Anti-Phishing Working Group) has
reported that during the second half of 2008 the number of phishing
attacks reported to it grew by more than 20 percent relative to the
figures of the first half of the year, from 47342 to 56969 (Aaron &
Rasmussen, 2009).
2. PHISHING ATTACK MODELS
There are five generally accepted types of phishing attack. The first,
and the most widely used during the second half of 2008 and the first
quarter of 2009, is so-called "spear phishing". It is a precisely
targeted type of phishing attack: while common phishing attacks do not
discriminate between network users, a spear phishing attack usually
targets known users of a specific company, a bank or another financial
institution.
The second type of such attack is business services phishing. During
the last year there have also been confirmed reports of two large-scale
phishing attacks, one on the well known facebook.com social networking
portal and one on Yahoo.com email account users. Another great name of
the industry that was subject to such an attack was Google: Google Ad
Words users received emails requesting account updates, an operation
that redirected them to a fake Ad Words interface which managed to
obtain an undisclosed number of credit card details, mostly from small
and medium companies that rely heavily on online advertising to attract
web traffic.
Another type of phishing attack is so-called crisis phishing. It is a
newly arrived model and is based mostly on the fear and instability
induced by the economic crisis. Phishing emails purporting to come from
a large financial institution and announcing that it has recently
acquired the target victim's local bank or favorite retail store seem
quite plausible nowadays. The large amount of real merger and
acquisition activity taking place on the market today creates such an
atmosphere of confusion for consumers that they are now more inclined
than ever to take such messages seriously. Unfortunately, phishing
attacks thrive in this type of situation.
The fourth type of phishing is in fact a mixed model: the
phishing/malware danger. To increase the odds of success some attacks
combine phishing with malware in a blended attack model. A potential
victim receives a phishing e-card through an e-mail that seems to be
legitimate. By clicking on the link inside the e-mail to receive the
card, the individual is taken to a fake web location which automatically
downloads a Trojan application to the victim's computer; another widely
used method is to show the victim a message indicating that updated
software must be downloaded before the victim's computer can view the
card. The software the victim downloads is in fact a key-logger or
another security-breaching application, which has already been granted
access and rights by the innocent user-victim.
The last, and latest, phishing attack type is based on the explosive
increase in mobile phone use. Posing as a real financial institution,
the phishing message uses the old SMS as an alternative to e-mail in an
attempt to gain access to private and confidential information. Also
known as "smishing" (a blend of the terms SMS and phishing), the typical
message tells the mobile phone user that, for example, the person's bank
account has been compromised or their credit card has been rendered out
of service; the victim is directed to call a real phone number or access
a fake website to re-enable the use of the account or credit card, and
once on the site or in the automated phone system, the potential victim
is guided to leave their account data or card and PIN numbers.
For the year 2008 and the first quarter of 2009 there are figures
available showing that, despite the IT security industry's efforts to
reduce the phishing threat, the number of such attacks is still very
high and seems to be rising again. Even if the big players of the ISP
field have managed to reduce the threat from the best known and most
persistent phishing groups, we are still in constant danger due to the
new and more sophisticated methods employed by the wrongdoers (Fig. 1).
[FIGURE 1 OMITTED]
3. ROMANIA'S PHISHING ENVIRONMENT
In order to help the Romanian IT environment track the latest local
phishing issues, during the first quarter of 2009 we developed a web
application that works like a classic web crawler, targeted at a list
of defined domains, and able to automatically retrieve data related to
phishing attacks from the online reports posted regularly by five of
the most important names of the IT security field: Symantec, McAfee,
BitDefender, RSA and APWG. The application is called RSBPA (Romanian
Security Bulletin--Phishing Attacks) for the time being and is still
under development, with a future path designed to include two more
components: one for compiling virus spread information and one for
testing the degree of security available to a given web client
accessing the application online.
Based on the compilation of the data reported by the five sources named
above, we can produce a weekly report containing details of phishing
attacks strictly restricted to Romania.
During 2007 Romania experienced only 10 serious phishing attacks, and
in 2008 there were already 30 such attacks (Cosoi, 2009), a threefold
increase over the previous year. Up to June 2009, i.e. during the
January-May period, there were already 126 nation-wide phishing
attacks, most of them spear phishing attacks targeted at some of the
largest banks in the country and at the top three mobile communications
providers. Such a number can be used to project a whole-year number of
attacks for 2009 of around 276 attacks. These numbers show an enormous
increase, of about 10 times the number of attacks in 2008.
In order to understand Romania's position on the world map of phishing
attacks, one of the output reports of the RSBPA is a pie chart showing
Romania's percentage of attacks relative to the worldwide number of
attacks reported by the above mentioned security companies during the
relevant period of time.
Taking into account the compiled data and reanalyzing it through the
RSBPA algorithms, we have also obtained an estimate of the May 2009
attacks even before the public posting of these figures by the RSBPA
"source sites". The top ten countries attacked by phishing schemes in
May 2009 have the US in front with Great Britain second, followed at a
great distance by Italy. The US and UK have the largest shares, with 59
and 13 percent of the worldwide attacks; Italy and Romania follow with
5 and 2 percent, then Canada, Holland, Spain and India with 2 percent
each and, last, Australia with 1 percent; 12 percent are divided among
the rest of the world.
We have to underline that these reports are not traditional ones: there
is no direct observation of the everyday attacks. We take into account
all the reports from the five trusted sources mentioned above and
obtain the figures for Romania alone by applying different algorithms
that take into account the statistics for the previous twelve months,
the number of visitors each of the five sources had during the week
before the one of the report, the number of citations of the source
website during the last twelve months and the degree of data matching
between all five sources.
[FIGURE 2 OMITTED]
4. ANTI-PHISHING BEST PRACTICES: EV-SSL
Taking into consideration that most attacks rely on directing users to
a fake website, we consider that the best option for avoiding the
threat is the use of a special certificate for the accessed website. We
recommend going a step further than the simple use of the HTTPS
protocol or the implementation of SSL: the use of EV-SSL (Extended
Validation SSL). This technology combines the versatility and
encryption capabilities of SSL with the possibility of certifying the
website as legitimate with the help of a security certificate issued by
a trusted CA (Certification Authority).
Beyond its heavy use of encryption and secure technologies, EV-SSL has
another big plus from the user's point of view: it is very simple to
see it in action (Kasten, 2008). All major web browsers now have the
built-in capability of detecting and using EV-SSL certificates, and
they distinguish their use by displaying a distinctive green background
in the address bar of the site accessed by the user and by displaying,
next to the padlock sign, a text that toggles between the name of the
CA and the name of the client's company. Despite attackers' advanced
capabilities to copy legitimate websites, without the legitimate site's
EV-SSL certificate there is no way to display its name in the address
bar, because the information shown there is outside of webpage control;
and one cannot obtain somebody else's legitimate EV-SSL certificate
because of the very rigorous and stringent authentication process.
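What a browser actually checks before it shows the organisation name next to the padlock is illustrated below. This is an added example and not code from the paper or from the RSBPA application: it assumes the CA/Browser Forum's Extended Validation policy identifier 2.23.140.1.1 and the X.509 certificatePolicies extension (2.5.29.32), builds two self-signed test certificates of its own (an "EV-style" one with an organisation name and the EV policy, and a plain domain-validated one; the key, serial number and "bank.example" host are constructed values), and reports which of them would qualify for the green bar. Chain validation and the question whether the issuing CA is trusted for EV issuance are left to the normal certificate verifier, which is why a self-signed certificate that merely asserts the OID would never get the green bar from a real browser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// certificatePolicies extension (2.5.29.32) and the CA/Browser Forum
// Extended Validation policy identifier (2.23.140.1.1).
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// policyInformation mirrors RFC 5280 PolicyInformation; the optional
// qualifiers (CPS pointers etc.) are kept raw since only the OID matters.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// EVCheck is what a browser's UI layer needs before it may display a
// verified organisation name next to the padlock.
type EVCheck struct {
	AssertsEVPolicy bool
	Organization    string
	Country         string
}

// InspectEV parses a DER certificate and reports whether it asserts the
// EV policy OID and carries the subject fields (O, C) an EV certificate
// must contain. It does not validate the chain; that is the verifier's job.
func InspectEV(der []byte) (EVCheck, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return EVCheck{}, err
	}
	var res EVCheck
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var policies []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &policies); err != nil {
			return EVCheck{}, fmt.Errorf("bad certificatePolicies: %w", err)
		}
		for _, p := range policies {
			if p.Policy.Equal(oidEVPolicy) {
				res.AssertsEVPolicy = true
			}
		}
	}
	if len(cert.Subject.Organization) > 0 {
		res.Organization = cert.Subject.Organization[0]
	}
	if len(cert.Subject.Country) > 0 {
		res.Country = cert.Subject.Country[0]
	}
	return res, nil
}

// IsEV is the display decision: EV policy asserted and a verified
// organisation name and country available to show in the address bar.
func IsEV(c EVCheck) bool {
	return c.AssertsEVPolicy && c.Organization != "" && c.Country != ""
}

// makeCert builds a self-signed test certificate (constructed for this
// example; a real EV certificate is issued by an audited CA) with an
// optional organisation name and an optional EV policy extension.
func makeCert(org string, ev bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "bank.example", Country: []string{"RO"}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{"bank.example"},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	if ev {
		val, err := asn1.Marshal([]policyInformation{{Policy: oidEVPolicy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, ev := range []bool{true, false} {
		der, err := makeCert("Example Bank SA", ev)
		if err != nil {
			panic(err)
		}
		chk, err := InspectEV(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ev=%v: %+v -> organisation shown: %v\n", ev, chk, IsEV(chk))
	}
}
```

The policy extension is parsed by hand rather than read from a parsed-certificate field so that the check does not depend on which of the Go x509 package's policy fields a given Go release populates; the same approach works for any certificate fetched from a live server.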
5. CONCLUSION
Besides implementing EV-SSL, IT companies and online businesses should
continue to educate 21st century society on safe network use and
practices.
We should spread information on how to recognize the signs of phishing:
misspellings (a lot less common now), generic salutation formulae
instead of personalized ones, urgent deadlines for acting in a certain
manner, account status threats, requests for personal data and
information, and fake domain names and links. We should also educate
users to recognize a valid and secure site before providing personal or
sensitive information to a webpage:
--check that the URL starts with HTTPS
--look for the green bar of the EV-SSL
--click the padlock to view the certificate of the website
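The signs listed above can be turned into a simple screening heuristic, as shown in the following added example (not code from the paper or from the RSBPA application). It assumes an e-mail has already been reduced to its plain text plus the list of links, each with the text the reader sees and the real target; the two sample messages are constructed for the example, and the word lists in the regular expressions are illustrative, not a complete vocabulary. Misspellings are not modelled, since that needs a dictionary. The link checks cover the two items of the checklist that can be automated: whether the visible domain matches the real one, and whether the target uses HTTPS at all.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Link is one hyperlink from a message: the text the reader sees and the
// address the browser would really open.
type Link struct {
	Text string
	Href string
}

// Message is the minimal view of an e-mail the heuristic needs.
type Message struct {
	Body  string
	Links []Link
}

// Indicator patterns for the textual signs; the vocabularies are
// illustrative (constructed for this example), not exhaustive.
var (
	genericSalutation = regexp.MustCompile(`(?im)^\s*dear\s+(customer|user|member|client|account holder)\b`)
	urgency           = regexp.MustCompile(`(?i)\b(within \d+ hours|immediately|urgent(ly)?|expires?|today only)\b`)
	accountThreat     = regexp.MustCompile(`(?i)\b(account|card) (has been|will be) (suspended|locked|closed|compromised|deactivated)\b`)
	dataRequest       = regexp.MustCompile(`(?i)\b(confirm|verify|update|enter|provide) your (password|pin|card (number|details)|account details|personal (data|information))\b`)
	looksLikeHost     = regexp.MustCompile(`(?i)^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$`)
)

// hostOf returns the lower-cased host of a URL or bare domain, without a
// leading "www.", or "" when the value does not parse as a URL.
func hostOf(s string) string {
	s = strings.TrimSpace(s)
	if !strings.Contains(s, "://") {
		s = "http://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	return strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.")
}

// Signs returns the phishing indicators found in a message. An empty
// result is not a clean bill of health: spear phishing is written to
// avoid exactly these tells, so this is a screening aid, not a verdict.
func Signs(m Message) []string {
	var found []string
	if genericSalutation.MatchString(m.Body) {
		found = append(found, "generic salutation")
	}
	if urgency.MatchString(m.Body) {
		found = append(found, "urgent deadline")
	}
	if accountThreat.MatchString(m.Body) {
		found = append(found, "account status threat")
	}
	if dataRequest.MatchString(m.Body) {
		found = append(found, "request for personal data")
	}
	for _, l := range m.Links {
		real := hostOf(l.Href)
		// Only compare when the visible text itself looks like a domain;
		// "click here" carries no domain claim to contradict.
		if looksLikeHost.MatchString(strings.TrimSpace(l.Text)) {
			if shown := hostOf(l.Text); shown != "" && shown != real {
				found = append(found, fmt.Sprintf("link text shows %s but points to %s", shown, real))
			}
		}
		if u, err := url.Parse(l.Href); err != nil || u.Scheme != "https" {
			found = append(found, fmt.Sprintf("link %q is not HTTPS", l.Href))
		}
	}
	return found
}

// Two constructed sample messages: a phishing lure and a legitimate notice.
var (
	PhishSample = Message{
		Body: "Dear Customer,\n\nYour account has been suspended because of unusual activity. " +
			"Please verify your account details within 24 hours or your card will be closed.\n",
		Links: []Link{{Text: "www.examplebank.ro", Href: "http://examplebank-secure.example/login"}},
	}
	LegitSample = Message{
		Body:  "Dear Ms. Popescu,\n\nYour monthly statement is now available in the online banking portal you already use. No action is required.\n",
		Links: []Link{{Text: "https://www.examplebank.ro/statements", Href: "https://www.examplebank.ro/statements"}},
	}
)

func main() {
	for name, m := range map[string]Message{"phish": PhishSample, "legit": LegitSample} {
		fmt.Printf("%s: %d sign(s) %v\n", name, len(Signs(m)), Signs(m))
	}
}
```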
Education is a key component of building the trust necessary to
overcome phishing fears. By implementing up-to-date security solutions
on a website, a company can capitalize on this trust and gain a real
and tangible benefit from investing in the secure development of its
network presence.
6. REFERENCES
Aaron, G. & Rasmussen, R. (2009). Global Phishing Survey: Trends and
Domain Name Use in 2H2008. Available from:
http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf
Accessed: 2009-06-09
Cosoi, C. (2008). Prevenirea pericolelor IT si non-IT (securitate)
[Preventing IT and non-IT threats (security)]. Available from:
http://www.calendarevenimente.ro/detalii.php?ev=6088 Accessed:
2009-06-07
Kasten, C. (2008). My EV SSL Journey. Available from:
http://www.solo-technology.com/blog/2008/08/21/my-firstev-ssl-journey
Accessed: 2009-06-09
O'Donnell, M. (2009). Counterfeiting & Spear Phishing Growth Scams Of
2009. Available from:
http://www.infonews.co.nz/news.cfm?l=1&t=164&id=33971 Accessed:
2009-06-10
Rivner, U. (2009). RSA Online Fraud Report May 2009. Available from:
http://www.rsa.com/solutions/consumer_authentication/intelreport/FRARPT_DS_0509.pdf
Accessed: 2009-06-10