Abstract
Phishing has become an increasing threat in online space, largely driven by the evolving web, mobile, and social networking technologies. Previous phishing taxonomies have mainly focused on the underlying mechanisms of phishing but ignored the emerging attacking techniques, targeted environments, and countermeasures for mitigating new phishing types. This survey investigates phishing attacks and anti-phishing techniques developed not only in traditional environments such as e-mails and websites, but also in new environments such as mobile and social networking sites. Taking an integrated view of phishing, we propose a taxonomy that involves attacking techniques, countermeasures, targeted environments and communication media. The taxonomy will not only provide guidance for the design of effective techniques for phishing detection and prevention in various types of environments, but also facilitate practitioners in evaluating and selecting tools, methods, and features for handling specific types of phishing problems.
Introduction
Phishing is an attack in which the attacker exploits social engineering techniques to perform identity theft. Phishing traditionally works by sending forged e-mail that mimics an online bank, auction or payment site and guides users to a bogus web page carefully designed to look like the login page of the genuine site (Inomata et al., 2005; Jakobsson and Myers, 2006; Kumar, 2005; Tally et al., 2004; Wu et al., 2006a). Phishing aims to collect sensitive and personal information such as usernames, passwords, credit card numbers, and even money by impersonating a legitimate entity in cyberspace. Ramzan and Wüest (2007) characterize a phishing attack by three properties: 1) a legitimate entity must be spoofed; 2) the spoofing process must involve a website, which distinguishes phishing from some other scams (e.g., muling); and 3) sensitive information about the entity must be solicited.
Phishing attacks are prevalent and can have serious consequences for their victims, such as the loss of intellectual property and sensitive customer information, financial loss and the compromise of national security (Ramzan and Wüest, 2007), as well as a general weakening of trust (Litan, 2005; Sullins, 2006). According to a CYREN report, the first quarter of 2015 witnessed a 51 percent increase in phishing sites (Mclean, 2015). RSA identified 52,554 phishing attacks in April 2014, a 24% increase from the previous month. Phishing, including spear phishing, has become such a serious problem that researchers and practitioners are striving to find effective ways to mitigate its impact.
Phishing detection remains a challenging problem. This is primarily because phishing is considered a semantics-based attack that exploits human vulnerabilities rather than system vulnerabilities (Wu et al., 2006b), even though protection protocols increase the probability of phishing attacks (Alsaid and Mitchell, 2006; Bose and Leung, 2008; Oppliger and Gajek, 2005). Like spam, phishing is a form of unsolicited bulk email, but spam is distinctly different in that it is mainly used for marketing or advertising products (Toolan and Carthy, 2010) (see Appendix A). The present survey focuses on phishing. In email phishing, phishers use social engineering and identity impersonation through spoofing to steal legitimate users' passwords for fraudulent purposes (Jakobsson and Soghoian, 2009).
Social engineering relies heavily on human interaction and often involves psychological tricks aimed at making victims agree to things they would not normally do. By exploiting users' limited security knowledge or awareness, phishers deceive online users into disclosing sensitive information (e.g., passwords and credit card numbers; Gouda et al., 2007) or inject malicious content into their systems (Berghel et al., 2007; Cova et al., 2008; Jakobsson and Myers, 2006). The key to traditional phishing is to lure users to a bogus website, which can be effectively achieved through a fake email. Weaknesses in web and email applications fuel phishing attempts; for example, attackers can easily modify the "FROM" address in an email to make it appear to come from a legitimate source. Thus, compared with the creation of viruses, worms or other exploits, some phishing attempts are considered simple. However, phishing attack techniques are evolving and becoming more sophisticated (Irani et al., 2008). There has been an increasing trend of launching new phishing attacks through emerging technologies such as mobile and social media (Egele et al., 2013; Marforio et al., 2015). The prevalent use of social media provides fertile ground for phishing attacks, because personal information is increasingly shared while awareness of and action to protect that information remain low (Borsack and Lifson, 2010). Studies show that phishing attacks increasingly focus on social networks because they offer the greatest chances of success (Lemos, 2014). Recent statistics show that mobile users around the globe download over 67 million apps every day. The large numbers of mobile users and apps are not matched by high levels of security awareness, and it is only a matter of time before online threats such as phishing become a reality on mobile devices (Kessem, 2012).
Trend Micro has already identified 4000 phishing URLs designed for the mobile web (Pajares and Abendan, 2013). Other channels have also been exploited for phishing, such as Voice over IP (VoIP) technology (Gupta et al., 2015). For instance, the frequency of unwanted calls has increased at an alarming rate. Telephone phishing can be carried out at little or no cost, at scale and in an automated fashion similar to email phishing. As a result, the Federal Trade Commission (FTC) has received millions of complaints from citizens about such unwanted and fraudulent calls. Some studies show that the economics of phishing is far worse than it appears. Rather than sharing a fixed pool of dollars, phishing is subject to the tragedy of the commons – the pool of dollars shrinks as a result of the efforts of phishers (Herley and Florêncio, 2009). One limitation of these studies is that they overlooked uptime – an important metric of the damaging effect of phishing attacks and of the success of countermeasures (Aaron and Rasmussen, 2013) (see Appendix B). Based on statistics for different time periods between 2008 and 2013 compiled by the Anti-Phishing Working Group, the average uptime ranges between 23 and 72 hours (Aaron and Rasmussen, 2013). Additionally, at hour zero, fewer than 20% of phishing attempts were identified by blacklists, and only 47 to 87% of those phish had been added to the blacklists 12 hours after they appeared (Sheng et al., 2009). These data suggest that existing countermeasures remain ineffective and insufficient for detecting phishing attacks. Therefore, providing a systematic survey of phishing techniques and countermeasures can not only help to understand the state of phishing practice but also inform the future design of anti-phishing mechanisms.
This survey provides a systematic review of the extensive research on phishing techniques and countermeasures. Previous surveys and taxonomies either concentrate on one specific aspect of phishing, such as anti-phishing tools (Abbasi et al., 2010; Zhang et al., 2011a), or fail to provide an integrated overview of research approaches to the various phishing techniques (Huajun et al., 2009; Ollmann, 2007a; Wetzel, 2005). The taxonomy proposed in this research is multi-dimensional, which distinguishes it from previous taxonomies that focus on a single dimension. In addition, the phishing environments covered in existing taxonomies are limited to traditional channels such as e-mails and spoofed websites.
However, emerging communication channels that support phishing, such as mobile apps, online social networks, and Instant Messaging (IM) applications, have yet to be considered by existing taxonomies and surveys (Hong, 2012). To address these limitations, we propose a phishing taxonomy that covers phishing environments, techniques and corresponding countermeasures. We identify the dimensions of phishing through a process lens. In particular, we identify the characteristics of phishing attacks in emerging communication media. Moreover, we analyze anti-phishing techniques in relation to the communication media for the first time. In view of the significant practical implications of phishing detection, we introduce a comprehensive comparison of research anti-phishing tools and another comparison of commercial anti-phishing tools. Additionally, we apply the dimensions to analyze anti-phishing tools and rank the techniques based on their performance. The analyses reveal several new categories of countermeasures that are missing from existing taxonomies, including human-user-based, ontology-based, and search-engine-based countermeasures. For instance, human users play an important part in the loop of phishing attacks and can potentially serve as the most effective line of defense. Further, we identify a number of phishing problems that require future research and suggest possible solutions.
The rest of this survey is organized as follows. The next section provides a critical review of extant phishing taxonomies. In Section 3, we first examine phishing from the process perspective. Based on each activity of the process, we propose one or more taxonomy dimensions. We introduce our proposed taxonomy and its dimensions in Section 4. In Section 5 we provide a comprehensive review of extant anti-phishing techniques and discuss future research issues in phishing detection. The final section concludes the survey.