RESEARCH ON PHISHING Emmanuel Project

The document discusses research on phishing, including defining phishing, types of phishing attacks, how phishing works, and how to prevent phishing. It covers email phishing, spear phishing, link manipulation, and more. The document also discusses the history of phishing and provides examples of phishing attacks.

RESEARCH ON PHISHING

BY
ONYEJI CHIBUIKE EMMANUEL

OC/2022/PC423

A SEMINAR PAPER SUBMITTED TO


OJENESIS COMPUTER INSTITUTE, APO,
F.C.T ABUJA IN FULFILMENT OF THE
REQUIREMENT FOR THE AWARD OF
DIPLOMA IN COMPUTER APPLICATION

SEPTEMBER 2022

DEDICATION
I dedicate this project to God Almighty, who gave me the strength
and ability to make this project a wonderful and successful one.
Also, to Mr and Mrs James Ojene for their endeavour in teaching and
also for their care and discipline in ensuring that we are focused
to know all that we are meant to know. They were more than teachers;
they were parents to me all through my stay in this wonderful institute.
I am so grateful, Sir; may God continue to bless you and grant you your
generous heart's desires.
To our outstanding teachers in the persons of Bro Michael and Mr
Gideon: they have both been among the best tutors and outstanding
mentors to me in this very great institute. I must confess that your
teachings are very wonderful and easy to grasp. Thank
you so much, sirs; you have been a blessing to me in this very
wonderful institute.
To my awesome course mates for making the class and lectures fun
and interactive, and also for being friendly to me all through my stay in
this lovely institute. Thank you all so much.
May God continue to bless you all in all your endeavours.
ACKNOWLEDGEMENT

I acknowledge the Almighty God for the strength and
ability so far, and for making this project of mine
finally come to an end.
Also, to my lovely family and brothers for giving me the
support that I needed from them in seeing me through
this computer institute. They are indeed one in a
million; may the Almighty God continue to bless you
for me, in Jesus' name.
I must also acknowledge the set man of the
institution and his lovely wife for accepting me as a
child, not just a student, and also for your love and
care. Thank you so much, sir.
Also, to my colleagues at this institute for making
my learning a wonderful one. Thank you all so much,
and may God continue to enrich you greatly in Jesus'
name.
TABLE OF CONTENT
Title Page
Dedication
Acknowledgement
Table of Content

CHAPTER ONE
Introduction
Definition of phishing
Types of phishing

CHAPTER TWO
How to prevent phishing
How phishing works

CHAPTER THREE
History of phishing
Examples of phishing

CHAPTER FOUR
Advantages of phishing
Disadvantages of phishing

CHAPTER FIVE
Conclusion
Brief summary on phishing
References
INTRODUCTION TO PHISHING

Phishing is a common scam that attempts to lure you into giving
up your username, password, or other sensitive information by
masquerading as someone you know and trust. This can be done
by phone, but is typically done in email. The email may appear
to come from ECSU or another company you do business with,
and it often asks you to click a link, open an attachment, or reply
with your account or personal information.

According to the survey of the Radicati Group from April 2010, there
are about 1.9 billion users of email worldwide [1]. A 2012
global study reports 556 million victims per year due to
cyber crimes, and one of the reasons could be that 44% of adults
access e-mails via free or unsecured Wi-Fi
connections [2]. Phishing is a worldwide problem which has a
great effect on both business and consumers. The number of
worldwide email accounts is expected to increase from an
installed base of 3.1 billion in 2011 to nearly 4.1 billion by year-end
2015. This represents an average annual growth rate of 7%
over the next four years [3]. Phishing aims at exploiting the weakness
in the users. For example, as evaluated in [4], end users failed to
detect 29% of phishing attacks even when trained with the best
performing user awareness program. Due to the vast and broad
nature of the phishing problem, this study of phished-email detection
begins by:
1. Defining the phishing problem.
2. Life cycle of a phishing campaign.
3. Detection approaches.
4. Lessons learned from the above approaches.
DEFINITION OF PHISHING

Phishing is when attackers send malicious emails designed to trick
people into falling for a scam. Typically, the intent is to get users to
reveal financial information, system credentials or other sensitive data.

Phishing is an example of social engineering: a collection of techniques
that scam artists use to manipulate human psychology. Social
engineering techniques include forgery, misdirection and lying, all of
which can play a part in phishing attacks. On a basic level, phishing
emails use social engineering to encourage users to act without thinking
things through.

The definition of phishing is not consistent, as the phishing problem is broad
and covers various scenarios.
For example, according to PhishTank:
"Phishing is a fraudulent attempt, normally made through email, to steal
your personal information." But this definition limits phishing attacks,
as they are not only concerned with stealing personal information. For
example, a message can tempt the victim to install a script which would
in turn transfer money to the attacker's account, without the need to
steal any personal information.
Types of Phishing

1. Email phishing
2. Spear phishing
3. Whaling (CEO fraud)
4. Link manipulation
5. Content injection
6. Malware
7. Smishing
8. Vishing

Email: the general term given to any malicious email message meant to trick
users into divulging private information. Attackers generally aim to steal account
credentials, personally identifiable information (PII) and corporate trade secrets.
However, attackers targeting a specific business might have other motives.

Spear phishing: these email messages are sent to specific people within an
organization, usually high-privilege account holders, to trick them into divulging
sensitive data, sending the attacker money or downloading malware.

Whaling (CEO fraud): these messages are typically sent to high-profile
employees of a company to trick them into believing the CEO or other executive
has requested to transfer money. CEO fraud falls under the umbrella of phishing,
but instead of an attacker spoofing a popular website, they spoof the CEO of the
targeted corporation.

Link manipulation: messages contain a link to a malicious site that looks like
the official business but takes recipients to an attacker-controlled server where they
are persuaded to authenticate into a spoofed login page that sends credentials to an
attacker.

Content injection: an attacker who can inject malicious content into an official
site will trick users into accessing the site to show them a malicious popup or
redirect them to a phishing website.

Malware: users tricked into clicking a link or opening an attachment might
download malware onto their devices. Ransomware, rootkits or keyloggers are
common malware attachments that steal data and extort payments from targeted
victims.

Smishing: using SMS messages, attackers trick users into accessing malicious
sites from their smartphones. Attackers send a text message to a targeted victim
with a malicious link that promises discounts, rewards or free prizes.

Vishing: attackers use voice-changing software to leave a message telling
targeted victims that they must call a number where they can be scammed. Voice
changers are also used when speaking with targeted victims to disguise an
attacker's accent or gender so that they can impersonate someone else.

HOW TO PREVENT PHISHING

Preventing phishing attacks requires a combination of user training to recognize
the warning signs and robust cybersecurity systems to stop payloads. Email filters
are helpful with phishing, but human prevention is still necessary in cases of false
negatives.

A few ways your organization can prevent being a victim of phishing:

1. Train users to detect a phishing email: a sense of urgency and requests for
personal data, including passwords, embedded links and attachments, are all
warning signs. Users must be able to identify these warning signs to defend
against phishing.
2. Avoid clicking links: instead of clicking a link and authenticating into a
web page directly from an embedded link, type the official domain into a
browser and authenticate directly from the manually typed site.
3. Use anti-phishing email security: artificial intelligence scans incoming
messages, detects suspicious messages and quarantines them without
allowing phishing messages to reach the recipient’s inbox.
4. Change passwords regularly: users should be forced to change their
passwords every 30-45 days to reduce an attacker’s window of opportunity.
Leaving passwords active for too long gives an attacker indefinite access to
a compromised account.
HOW PHISHING WORKS

Whether a phishing campaign is targeted or sent to as many victims as possible, it
starts with a malicious email message. An attack is disguised as a message from a
legitimate company. The more aspects of the message that mimic the real
company, the more likely an attacker will be successful.

An attacker’s goals vary, but usually, the aim is to steal personal information or
credentials. An attack is facilitated by communicating a sense of urgency in the
message, which could threaten account suspension, money loss or loss of the
targeted user’s job. Users tricked into an attacker’s demands don’t take the time to
stop and think if demands seem reasonable. Only later do they recognize the
warning signs and unreasonable demands.

Phishing continually evolves to bypass security and human detection, so
organizations must continually train staff to recognize the latest phishing strategies.
It only takes one person to fall for phishing to incite a severe data breach. That's
why it's one of the most critical threats to mitigate and the most difficult, since it
requires human defenses.

HISTORY OF PHISHING

The term “phishing” came about in the mid-1990s when hackers began using
fraudulent emails to “fish for” information from unsuspecting users. Since these
early hackers were often referred to as “phreaks,” the term became known as
“phishing,” with a “ph.” Phishing emails lure people in and get them to take the
bait. And, once they’re hooked, both user and organization are in trouble.

Like many common threats, the history of phishing starts in the 1990s. When AOL
was a popular content system with internet access, attackers used phishing and
instant messaging to masquerade as AOL employees to trick users into divulging
their credentials to hijack accounts.

In the 2000s, attackers turned to bank accounts. Phishing emails were used to trick
users into divulging their bank account credentials. The emails contained a link to
a malicious site that mirrored the official banking site, but the domain was a slight
variation of the official domain name (e.g., paypai.com instead of paypal.com).
Later, attackers pursued other accounts such as eBay and Google to hijack
credentials, steal money, commit fraud or spam other users.
Example of phishing

Attackers prey on fear and a sense of urgency. It’s common for attackers to tell
users that their account is restricted or will be suspended if they don’t respond to
the email. Fear makes targeted users ignore common warning signs and forget their
phishing education. Even administrators and security experts fall for phishing
occasionally.

Typically, a phishing email is sent to as many people as possible, so the greeting is
generic. The following illustrates a common phishing email example.

The attachment could be a web page, a shell script (e.g., PowerShell), or a
Microsoft Office document with a malicious macro. The macro and scripts can be
used to download malware or trick users into divulging their account credentials.

Attackers register domains that look similar to the official one or occasionally use
generic providers such as Gmail. Spoofed senders are possible with email
protocols, but most recipient servers use email security that detects spoofed email
headers. When users receive emails, the messages might use the official company
logo, but the sender address would not include the official company domain. The
sender address is not the only factor that determines message legitimacy.

How an attacker carries out a phishing campaign depends on their goals. For
businesses, attackers may use fake invoices to trick the accounts payable
department into sending money. In this attack, the sender is not important. Many
vendors use personal email accounts to do business.

The button in this example opens a web page with a fraudulent Google
authentication form. The page attempts to scam targeted victims into entering their
Google credentials so that attackers can steal accounts.

Another method attackers use is to pretend they are internal technical support. The
technical support email asks users to install a messaging system, an application
with hidden malware or run a script that will download ransomware. Users should
be on the lookout for these types of emails and report them to administrators.
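The lookalike domain from the history section (paypai.com for paypal.com) and the sender-domain and link checks described above, worked as an added example that is not taken from the paper or from any product it cites: a small Python triage function that parses a constructed sample message, flags a sender or link domain that imitates an assumed allow-list of brand domains (by homoglyph folding and edit distance), and flags urgent wording. The allow-list, the urgency patterns and the sample message are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"paypal.com"}  # hypothetical allow-list of brand domains we protect
URGENT = re.compile(r"suspend|restrict|within 24 hours|verify now|immediately", re.I)
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]  # confusables

def normalise(domain):
    # Fold confusable characters so "paypai.com" collapses to "paypal.com"
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    # Levenshtein distance; a single edit away from a brand domain is a lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    # Return the official domain this one imitates, or None if it is official or unrelated
    if domain in OFFICIAL_DOMAINS:
        return None
    for official in OFFICIAL_DOMAINS:
        if normalise(domain) == official or edit_distance(domain, official) <= 1:
            return official
    return None

def assess(raw):
    # Parse a raw RFC 5322 message and score three heuristics: sender, links, urgency
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', body)]
    flags = {"sender_lookalike": lookalike_of(sender),
             "link_lookalike": next((lookalike_of(h) for h in hosts if lookalike_of(h)), None),
             "urgent_wording": bool(URGENT.search(msg.get("Subject", "") + " " + body))}
    flags["score"] = sum(1 for v in flags.values() if v)  # 3 means every heuristic fired
    return flags

# Constructed sample (not a real message): a lookalike lure in the style the paper describes
SAMPLE_PHISH = ('From: "PayPal Support" <service@paypai.com>\nSubject: Your account is restricted\n\n'
                '<p>It will be suspended within 24 hours. <a href="http://paypai.com/login">Verify now</a></p>\n')
```

Running `assess(SAMPLE_PHISH)` reports all three flags and a score of 3; a genuine notification from the allow-listed domain with no urgent wording scores 0.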
ADVANTAGES OF PHISHING

1. Measure the degrees of corporate and employee vulnerability
2. Eliminate the cyber threat risk level
3. Increase user alertness to phishing risks
4. Instill a cyber-security culture and create cyber security heroes
5. Change behavior to eliminate the automatic trust response
6. Deploy targeted anti-phishing solutions
7. Protect valuable corporate and personal data

Disadvantages

1. Mitigation of zero-hour phishing attacks.
2. Higher false-positive (FP) rate than blacklists.
3. High computational cost.
4. Time consuming and costly.
5. Huge number of rules.

Conclusion
I have made this report on the topic of phishing technology; I have tried my
possible best to elucidate every relevant detail on the topic to be included
in the report. In the beginning I have tried to give a general view of
this topic called phishing technology.

My efforts and the wholehearted co-operation of each and every one have ended
on a successful note. I express my sincere gratitude to Mr Ojene James Chika and
Mr Precious Jonathan, who contributed and assisted me throughout the preparation
of this topic; I sincerely appreciate you all for it.

I want to thank him for providing me the reinforcement and, most
importantly, the track for the topic whenever I needed it.

Brief Summary
The comparison of techniques has shown that machine learning techniques are
the most promising, but they also have the disadvantage of greater computational cost.
New techniques can be developed for having low false positives by combining
blacklist and heuristic approaches. As future work, phishing detection
techniques can be studied from the perspective of their computational cost and energy
consumption.


Reference

https://www.proofpoint.com/us/threat-reference/phishing
https://www.ijert.org/research/comparison-of-phishing-detection-techniques-IJERTV3IS030830.pdf
