Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques are used to trick a user into revealing confidential information with economic value. The problem of social engineering attack is that there is no single solution to eliminate it completely, since it deals largely with the human factor. This is why implementing empirical experiments is very crucial in order to study and to analyze all malicious and deceiving phishing website attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light into social engineering attacks, such as phone phishing and phishing website attacks for designing effective countermeasures and analyzing the efficiency of performing security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing training awareness for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard security phishing factor indicators are not always effective for detecting phishing websites, and alternative intelligent phishing detection approaches are needed

Web Spoofing 2001

The Web is currently the pre-eminent medium for electronic service delivery to remote users. As a consequence, authentication of servers is more important than ever. Even sophisticated users base their decision whether or not to trust a site on browser cues---such as location bar information, SSL icons, SSL warnings, certificate information, response time, etc. In their seminal work on web spoofing, Felten et al showed how a malicious server could forge some of these cues---but using approaches that are no longer reproducible. However, subsequent evolution of Web tools has not only patched security holes---it has also added new technology to make pages more interactive and vivid. In this paper, we explore the feasibility of web spoofing using this new technology---and we show how, in many cases, every one of the above cues can be forged. In particular, we show how a malicious server can forge all the SSL information a client sees---thus providing a cautionary tale about the security of one of the most common applications of PKI. We stress that these techniques have been implemented, and are available for public demonstration

Web Spoofing Revisited: SSL and Beyond

Can users believe what their browsers tell them? Even sophisticated Web users decide whether or not to trust a server based on browser cues such as location bar information, SSL icons, SSL warnings, certificate information, and response time. In their seminal work on Web spoofing, Felten et al showed how, in 1996, a malicious server could forge some of these cues. However, this work used genuine SSL sessions, and Web technology has evolved much since 1996. The Web has since become the pre-eminent medium for electronic service delivery to remote users, and the security of many commerce, government, and academic network applications critically rests on the assumption that users can authenticate the servers with which they interact. This situation raises the question: is the browser-user communication model today secure enough to warrant this assumption? In this paper, we answer this question by systematically showing how a malicious server can forge every one of the above cues. Our work extends the prior results by examining contemporary browsers, and by forging all of the SSL information a client sees, including the very existence of an SSL session (thus providing a cautionary tale about the security of one of the most common applications of PKI). We have made these techniques available for public demonstration, because anything less than working code would not convincingly answer the question. We also discuss implications and potential countermeasures, both short-term and long-term

W3Bcrypt: Encryption as a Stylesheet

While web-based communications (e.g., webmail or web chatrooms) are increasingly protected by transport-layer cryptographic mechanisms, such as the SSL/TLS protocol, there are many situations where even the web server (or its operator) cannot be trusted. The end-to-end (E2E) encryption of data becomes increasingly important in these trust models to protect the confidentiality and integrity of the data against snooping and modification. We introduce W3Bcrypt, an extension to the Mozilla Firefox platform that enables application-level cryptographic protection for web content. In effect, we view cryptographic operations as a type of style to be applied to web content, similar to and along with layout and coloring operations. Among the main benefits of using encryption as a stylesheet are (a) reduced workload on the web server, (b) targeted content publication, and (c) greatly increased privacy. This paper discusses our implementation for Firefox, although the core ideas are applicable to most current browsers

A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks

Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed web- sites and scareware to name a few. This paper presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial

Building Trusted Paths for Web Browsers

The communication between the Web browser and the human user is one component of the server-client channel. It is not the user but the browser that receives all server information and establishes the secure connection. The browser\u27s user interface signals, such as SSL lock, https protocol header et al., indicate whether the browser-server communication at the current moment is secure. Those user interface signals indicating the security status of browser should be clearly and correctly understood by the user. A survey of modern Web browsers shows the information provided by current browsers is insufficient for users to make trust judgment. Our Web spoofing work further proved that the browser status information is not reliable either. We discuss the criteria for and how to build the trusted paths between a browser and a human user. We present an open source implementation of one of the designs--synchronized random dynamic (SRD) boundary, based on Modified Mozilla source code, together with its usability study results