Cyber Crime and Information Systems Security: The Concept of Phishing - Research Paper Example

Analysis of Crimes against Information Systems Annette L. Nesbitt Currey CJA570/ Cyber Crime and Information Systems Security Analysis of Crimes against Information Systems Today's Information age has given many freedoms to the netizens which was not possible without the advent of this age. The users of Information Systems have readily available information at their finger tips, for example, complete Encyclopedia Britannica in one Compact disc with all sorts of search features is available, pointing towards correct information within the right time. Imagine doing this with the book version of the Encyclopedia, sifting through numerous pages looking out for the information alphabetically and still may not be able to retrieve it. Another advantage of Information System is the availability of real time information on any area. For example, users can login to their banks' website, credit card site, or share markets for any online transactions. No doubt, this provides convenience but it also comes with its own price of managing the security of the transactions. Crimes against Information systems is a growing concern amongst the Cyber security experts and Federal Law agencies as this has the potential to bring down a system and operation which otherwise would run smoothly. What is Crime against Information System Many experts divide crime against the Information Systems in various ways. Broadly, the crime against Information Systems is defined and classified into following categories - Computer crime These crimes are the illegal activities where computers are used as the primary interface. These types of crime have cost and continue to impact the economies of the worlds by many billions of dollars annually. Using computer as a tool to conduct the crime involves some unethical use of a computer system. Other common security threats identified as computer crime/abuse are as below - Faking identity Trojans Computer viruses and malwares Faking Identity Process of gaining access to a system by faking the identity of a genuine user is called impersonation. This activity necessarily needs either knowing or guessing the genuine users password. The unauthorized programming instructions are hidden within a real program in a Trojan attack. A logical bomb consists of instructions which are not visible to users getting affected. In this technique the virus remains dormant until a certain trigger event takes place. For example, date/time trigger, invoking certain applications. In one of the case, a logic bomb was installed in an organization's financial system. The trigger event of deleting an entry from the database invoked the virus which cleaned the database hence generating a huge loss for the victim organization. Computer viruses & Malwares Computer viruses are fairly common and well known attacking mechanism of a hacker. The usage of internet by a wide majority of people has resulted in frequent attacks of malwares or spywares. Virus, spywares or malwares are designed to bring the victim's computer to a halt by infecting the kernel of the operating system. The latest antivirus software is found to be helpless against "always" new variant of these virus attacks. The worst part of virus attack is that it affects anyone using the infected computer even if the user simply inserts his flash drive or diskette. The impact is immediate and often affects any other computer wherever infected flash drive or diskette is used. Phishing as a study In order to focus on one crime and in-depth analysis of it, following pages describe Phishing in details as a crime against the Information Systems. Phishing is defined as the attempt to steal personal details like user ids, password and other similar details by posing as the real person/institution in a cyber environment. Communications which seem to be from auction sites, social web pages, internet payments or IT Admins are most commonly used to entice the general users. Various modes are used by phishers to carry out Phishing for example, instant messaging, and email from fake accounts. All these messages are designed to direct all unsuspecting users, who click on the link in the email/chat window, to a fake website which looks similar to the original site. Motives of Phishing The primary purpose of the Phishing is to hack the user ids and passwords of users for the personal benefits of the hacker. For example, a hacked user id and password for a net banking site can be misused to draw and transfer money to the hacker's account while hacked user id and password for a social networking sites can be used to get access to users' personal information along with possibility of sending malwares to all the contacts in the site. Recent Phishing Attacks Recent Phishing victims include Best Buy and eBay, Charlotte's Bank of America, where customers were re-directed to internet pages that had high similarity to the company's web site. Facebook (a social networking site) users are currently facing news phishing scam that can crash user's computers, mobile phones and steal their passwords. [3] Picture 1: Logo of Facebook The first step towards compromise of Facebook user's sensitive information is whenever they click on the link provided in the spam message; Clicking on the link leads user to a Facebook log-in page. If user logs in to the site, the site will steal email and password and will send their entire contacts/friends list the same message. Mechanism/Methodology of Phishing The mechanism of phishing is simple to understand. Hackers' have a way of capturing user id and password of the un-aware users by 'luring' him or her to his site which is exactly similar to the site where user intends to go except for the web-address. The most used methodology is to send an anxious looking email to the user with a fraudulent, innocent looking Uniform Resource Locator (URL), where the user clicks and reaches to a login page which captures users' id and password to be misused immediately or future. The captured password is changed immediately so that user can not login for the immediate future and the hacker gets good time to misuse the account. It seems quite naive that people fall in such traps but scientifically all humans have a built-in reaction seemingly to important things. Emails with subject lines cleverly worded to initiate anxiety are meant to prompt urgent action. There has been lot of research on the subject especially by banks going for internet banking, credit cards having online payment features. Phishing has permeated so much in common lives that all sites including corporate and government are pro-actively communicating to their users about the risks associated with Phishing attacks. Link manipulation The methodology of phishing where an email with a link to the hacker's site is sent to the un-suspecting users is called Link manipulation. The link is designed to look like a genuine site hence a general user feels it to be correct. Spellings which seem similar to URLs or using sub-domains are frequent tricks which are used in Phishing. Let's take example of a URL, http://www.bestbank.bankingdomain.com/. Users perceive the URL would link to the banking domain part of the bestbank site; in reality, this URL re-directs to the "bestbank" which is the phishing part of the example website. Another trap which is quite common is to make the main part of a URL seemingly valid, whereas the link is redirected to the fraudster's site. The knowledgestore link in the following example, http://knowledgestore/True, seems to be opening an article titled "True;" even though the simple act of clicking on the link will open the article entitled "False." Another, not so new method of Phishing uses the technique of including '@' '@' symbol in the link. For instance, the URL link http://www.travelcity.com@members.gmail.com/ might fool an un-attentive observer into trusting that the link would direct to www.travelcity.com, while in reality the users gets re-directed to one of the web-pages on members.gmail.com, with the user id of www.travelcity.com: the page opening process does not change hence does not raise any suspicion. These types of URLs are controlled by prompting a warning message letting user exercise a choice on whether continuing browsing or cancelling the operation in Mozilla Firefox and Opera while they are disabled in Internet Explorer. Some phishers use Java commands to modify the address bar in the internet explorer by different ways like putting up an image which is a genuine URL over fake address bar. In some case the genuine Internet explorer bar may be completely removed. Thus the deception is far from over even if the user has clicked on the fraudulent link. Something similar is done by experts in animation whom hide the real text behind the multimedia flash animations. The end objective is to fool a user to believe that the site he is trying to access is the genuine site and any information he shares on the site is secured and would not be leaked. As soon as user has trusted the look and feel of the site, he is deceived into giving his user id and password which is the point where he is tricked. Sometimes, phishers make use of flaws in a website's operating scripts to trap the visitors. These cross-site scripting issue pose a big problem as they re-direct the users to login to the webpage where all the visual features appear to be correct. In reality, the link of the webpage is modified, though very difficult to spot without training into such area. Another variation of the above attack is where the user is forwarded to the legitimate website of the net banking or a credit card site but just before the site opens, a pop-window is opened which requests the users for the logon credentials. The un-suspecting user provides the information on the presumption that the concerned bank is asking for the information. This can be made further lethal by incorporating an urgent sounding message, like - "Please reset your password else your account is at the risk of getting locked." Impact of Phishing According to one of the Cyber Experts, for the parameter of successful infection, malwares disseminated through the emails are 10 times less effective as compared to social networking sites [4]. There can be substantial financial losses as well as denial of access to emails as a result of Phishing. In the year 2007, approximately 3.6 million phishing attacks happened. These phishing attacks resulted in a loss of approx USD 3.0 billion for a period of12 months until August 2007. According to Microsoft, the Phishing losses are exaggerated. They estimates US suffering a phishing loss at approx USD60 million. In the UK, web banking fraud was responsible for losses which almost increased to 23.0m in year 2005, from 12.0m in 2004, attributed mainly to phishing attacks. 1 out of every 20 users of computers acknowledged to have been affected by Phishing in year 2005. According to the banking industry's estimates in UK; Customers need to take appropriate pro-active measures to prevent themselves from Phishing. The Customers must also ensure that they are not sitting ducks to the Phishing crimes. On a similar vein, Bank of Ireland declined to take care of the losses suffered by its customers, amounting to 11,000, as a first reaction. The bank still refuses to acknowledge that it's their responsibility to ensure that their sites are secured for Customer rather puts the blame squarely on the customer in case they get affected by Phishing attacks and suffer losses. Minimizing Phishing Following actions are advised to General internet users to prevent Phishing attacks [8] - Modifying the browsing habits: People can prevent phishing attempts by making some changes to net browsing methods. Whenever they are contacted by anyone about their account details required to be "verified", users must always contact the organization from where the e-mail seems to be originating to cross check that the e-mail is not a phishing attack. Otherwise, always type the web address into the browser, rather than clicking on any hyperlinks provided in the email. This small precaution has potential of minimizing the Phishing attacks to a high degree as by following this method, users cut off one notoriously famous channel used by Phishers. Being Proactive: All the companies have a unique way of addressing their Customers. This information is not available with the Phishers. An example here could be of PayPal which communicates with its Customers by using their user-name. Hence if a user gets an email from PayPal in a general way like "Dear customer" he must do an intelligent guess of such an email being a phishing attack. Credit card or banks often include partial account numbers of Customers while communicating with them. Adopt safe practices: In this era of computing, it's a duty of each responsible netizen to help adopt safe practices as well encourage other users to adopt safe practices. Though it has been seen quite frequently that established third parties ask for user's bank account and password for authentication making in-frequent users to believe that this kind of information is generally required. Augmenting password logins: Another effective technique used by certain banks is to ask users to recognize an image along with giving their password while logging on the banks online site. Some banks have also started the practice of virtual keyboard which is another option users have to enter the passwords in the banking sites. These all measures are augmented to traditional password entry to prevent the phishing attacks on a pro-active basis. Eliminating phishing mail: One more important method is to identify and filter the phishing emails through specially designed spam filters. These filters have high potential of reducing the huge amount of communications that a user would otherwise receive from a phisher. Federal laws to control Crimes against Information Systems All the cases of cyber crimes are classified as Fraud and depending on the strength of evidences available, the judgments are passed. As per Federal law, Phishing is defined as a fraud where the perpetrators of crime lure the unsuspecting victims by spam or pop-up messages with a purpose to get access to their personal or financial information. [5] [6] Following are few cases to point in terms of Phishing - The first lawsuit was filed in the beginning of 2004, by the Federal Trade Commission of US against a suspected phisher. The defendant had allegedly stolen the credit card information by creating an internet page which closely resembled the America Online website. In the United States, Anti-Phishing Act was introduced in year 2005. If a person is proved guilty then this act has a maximum monetary penalty of up to $250,000. This punishment also includes prison terms to a maximum of five years for fake website creators. The UK brought out Fraud Act 2006, against phishing. This act carries a 10 year prison term, and seeks to prohibit the possession and development of kits which can enable phishing. Several organizations have also joined the effort to file litigation against various Phishers. Software Giant Microsoft filed around 120 lawsuits against various phishers in year 2005, following the Anti-Phishing Act. References 1. Baldwin, Howard (2009) The Expanding Boundaries of Risk Management [Internet], Available from: [Accessed 20 May 2009]. 2. Laudon, Jane P. & Laudon, Kenneth C. (2007) Essentials of Business Information Systems 7th Edn, Prentice Hall. 3. Facebook Phishing, Internet, 25th May 09 [Accessed 27/05/09.] 4. Kaspersky Responds to New Phishing Attack on Facebook [Internet] Available from: [Accessed 27/05/09.] 5. 2007 State legislation related to Phishing. [Internet] Available from: [Accessed 27/05/09.] 6. Stevenson, Robert Louis B., March 17, 2005, Plugging the "phishing" hole: legislation versus technology [Internet] [Accessed 27/05/09.] 7. HOMEPAGE. May 27, 2009, Number of Crimeware Websites Surge in Largest Jump Ever in Dec. 2008 [Internet] < http://www.antiphishing.org/> [Accessed 27/05/09.] 8. May 27, 2009, Consumer Advice: How to Avoid Phishing Scams [Internet] < http://www.antiphishing.org/consumer_recs.html> [Accessed 27/05/09.] Read More