Fighting internet fraud: anti-phishing effectiveness for phishing websites detection

Recently, the Internet has become a very important medium of communication. Many people go online and conduct a wide range of business. They can sell and buy goods, perform different banking activities and even participate in political and social elections by casting a vote online. The parties involved in any transaction never need to meet and a buyer can sometimes be dealing with a fraudulent business that does not actually exist. So, security for conducting businesses online is vital and critical. All security-critical applications (e.g. online banking login pages) that are accessed using the Internet are at the risk of fraud. A common risk comes from so-called Phishing websites, which have become a problem for online banking and e-commerce users. Phishing websites attempt to trick people into revealing their sensitive personal and security information in order for the fraudster to access their accounts. They use websites that look similar to those of legitimate organizations and exploit the end-user's lack of knowledge of web browser clues and security indicators. This thesis addresses the effectiveness of Phishing website detection. It reviews existing anti-Phishing approaches and then makes the following contributions. First of all, the research in this thesis evaluates the effectiveness of the current most common users' tips for detecting Phishing websites. A novel effectiveness criteria is proposed and used to examine every tip and rank it based on its effectiveness score, thus revealing the most effective tips to enable users to detect Phishing attacks. The most effective tips can then be used by anti-Phishing training approaches. Secondly, this thesis proposes a novel Anti-Phishing Approach that uses Training Intervention for Phishing Websites' Detection (APTIPWD) and shows that it can be easily implemented. Thirdly, the effectiveness of the New Approach (APTIPWD) is evaluated using a set of user experiments showing that it is more effective in helping users distinguish between legitimate and Phishing websites than the Old Approach of sending anti-Phishing tips by email. The experiments also address the issues of the effects of technical ability and Phishing knowledge on Phishing websites' detection. The results of the investigation show that technical ability has no effect whereas Phishing knowledge has a positive effect on Phishing website detection. Thus, there is need to ensure that, regardless their technical ability level (expert or non-expert), the participants do not know about Phishing before they evaluate the effectiveness of a new anti-Phishing approach. This thesis then evaluates the anti-Phishing knowledge retention of the New Approach users and compares it with the knowledge retention of users who are sent anti-Phishing tips by email

Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques are used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing website attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing website attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed

Performance Assessment of some Phishing predictive models based on Minimal Feature corpus

Phishing is currently one of the severest cybersecurity challenges facing the emerging online community. With damages running into millions of dollars in financial and brand losses, the sad tale of phishing activities continues unabated. This led to an arms race between the con artists and online security community which demand a constant investigation to win the cyberwar. In this paper, a new approach to phishing is investigated based on the concept of minimal feature set on some selected remarkable machine learning algorithms. The goal of this is to select and determine the most efficient machine learning methodology without undue high computational requirement usually occasioned by non-minimal feature corpus. Using the frequency analysis approach, a 13-dimensional feature set consisting of 85% URL-based feature category and 15% non-URL-based feature category was generated. This is because the URL-based features are observed to be more regularly exploited by phishers in most zero-day attacks. The proposed minimal feature set is then trained on a number of classifiers consisting of Random Tree, Decision Tree, Artificial Neural Network, Support Vector Machine and Naïve Bayes. Using 10 fold-cross validation, the approach was experimented and evaluated with a dataset consisting of 10000 phishing instances. The results indicate that Random Tree outperforms other classifiers with significant accuracy of 96.1% and a Receiver’s Operating Curve (ROC) value of 98.7%. Thus, the approach provides the performance metrics of various state of art machine learning approaches popular with phishing detection which can stimulate further deeper research work in the evaluation of other ML techniques with the minimal feature set approach

Security awareness of computer users: A game based learning approach

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.The research reported in this thesis focuses on developing a framework for game design to protect computer users against phishing attacks. A comprehensive literature review was conducted to understand the research domain, support the proposed research work and identify the research gap to fulfil the contribution to knowledge. Two studies and one theoretical design were carried out to achieve the aim of this research reported in this thesis. A quantitative approach was used in the first study while engaging both quantitative and qualitative approaches in the second study. The first study reported in this thesis was focused to investigate the key elements that should be addressed in the game design framework to avoid phishing attacks. The proposed game design framework was aimed to enhance the user avoidance behaviour through motivation to thwart phishing attack. The results of this study revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through their motivation. The theoretical design approach was focused on designing a mobile game to educate computer users against phishing attacks. The elements of the framework were addressed in the mobile game design context. The main objective of the proposed mobile game design was to teach users how to identify phishing website addresses (URLs), which is one of many ways of identifying a phishing attack. The mobile game prototype was developed using MIT App inventor emulator. In the second study, the formulated game design framework was evaluated through the deployed mobile game prototype on a HTC One X touch screen smart phone. Then a discussion is reported in this thesis investigating the effectiveness of the developed mobile game prototype compared to traditional online learning to thwart phishing threats. Finally, the research reported in this thesis found that the mobile game is somewhat effective in enhancing the user’s phishing awareness. It also revealed that the participants who played the mobile game were better able to identify fraudulent websites compared to the participants who read the website without any training. Therefore, the research reported in this thesis determined that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived threat and perceived susceptibility elements have a significant impact on avoidance behaviour through motivation to thwart phishing attacks as addressed in the game design framework

A Survey on Phishing Attacks in Cyberspace

Phishing is a type of cyber attack in which cybercriminals use various advanced techniques to deceive people, such as creating fake webpages or malicious e-mails. The objective of phishing attacks is to gather personal data, money, or personal information from victims illegally. The primary aim of this review is to survey the literature on phishing attacks in cyberspace. It discusses different types of phishing attacks, such as spear phishing, e-mail spoofing, phone phishing, web spoofing, and angler phishing, as well as negative consequences they may cause for people. Phishing is typically carried out through different delivery methods such as e-mail, phone calls, or messaging. Victims of phishing are usually either not sensitive to privacy protection or do not have enough knowledge about social engineering attacks to know they are at risk. In addition, this paper introduces different methods for detecting phishing attacks. The last section discusses certain limitations of existing studies on phishing detection and potential future researc

Analysis of publicly available anti-phishing webpages: contradicting information, lack of concrete advice and very narrow attack vector

Phishing is currently one of the biggest threats in cybersecurity for both the business and the private contexts. A large percentage of phishing attacks are blocked by automated technical solutions, but unfortunately there is often a delay between when phishing emails enter inboxes and when the technical solutions are able to detect and filter them out. To close this gap, it is common practice for companies to implement mandatory phishing awareness measures for their employees. But what about the private context? We aimed at answering that question by analysing94 anti-phishing webpages from eight different countries and four organisation types. Our analysis revealed not only contradicting recommendations, but also that most of them are rather abstract (e.g. check the URL before clicking on the link without telling what to look for) and lack guidance on advanced phishing techniques (e.g. clone phishing). We discuss the problems faced by readers of these webpages and outline both immediate recommendations to the web designer and ways forward to improve the current situation as future work

A taxonomy of phishing research

Phishing is a widespread threat that has attracted a lot of attention from the security community. A significant amount of research has focused on designing automated mitigation techniques. However, these techniques have largely only proven successful at catching previously witnessed phishing campaigns. Characteristics of phishing emails and web pages were thoroughly analyzed, but not enough emphasis was put on exploring alternate attack vectors. Novel education approaches were shown to be effective at teaching users to recognize phishing attacks and are adaptable to other kinds of threats. In this thesis, we explore a large amount of existing literature on phishing and present a comprehensive taxonomy of the current state of phishing research. With our extensive literature review, we will illuminate both areas of phishing research we believe will prove fruitful and areas that seem to be oversaturated