Web Phishing Documentation

Uploaded by vaghanitarun13

INDEX

Sr No. Title Page No.


1. Introduction 1
2. Website Phishing Techniques 4
3. Website Phishing Examples 11
4. Reasons Of Website Phishing 18
5. Ways To Avoid Website Phishing 22
6. Effect Of Website Phishing 23
7. Graph Of Phishing Websites 24
8. Anti-Phishing 25
9. Damage Caused By Website Phishing 28
10. Conclusion 29
11. References 30
1. INTRODUCTION

Phishing is the fraudulent attempt to obtain sensitive information or
data, such as usernames, passwords, credit card numbers, or other sensitive
details, by disguising oneself as a trustworthy entity in a digital
communication. Typically carried out by email spoofing, instant messaging
and text messaging, phishing often directs users to enter personal
information at a fake website which matches the look and feel of the
legitimate site. As of 2020, phishing is by far the most common attack
performed by cyber-criminals, with the FBI's Internet Crime Complaint
Center recording over twice as many incidents of phishing as of any other
type of computer crime.

The first recorded use of the term "phishing" was in the cracking toolkit
AOHell created by Koceilah Rekouche in 1995; however, it is possible that
the term was used before this in a print edition of the hacker magazine
2600. The word is a leetspeak variant of fishing (ph is a common
replacement for f), probably influenced by phreaking, and alludes to the
use of increasingly sophisticated lures to "fish" for users' sensitive
information.

Attempts to prevent or mitigate the impact of phishing incidents include
legislation, user training, public awareness, and technical security
measures.

The simplified flow of information in a phishing attack is:

Figure: 1.1 Flow of phishing attack

1. A deceptive message is sent from the phisher to the user.
2. The user provides confidential information to a phishing server
   (normally after some interaction with the server).
3. The phisher obtains the confidential information from the server.
4. The confidential information is used to impersonate the user.
5. The phisher obtains illicit monetary gain.

Steps 3 and 5 are of interest primarily to law enforcement personnel who
identify and prosecute phishers. The discussion of technology
countermeasures will center on ways to disrupt steps 1, 2 and 4, as well as
related technologies outside the information flow proper.
2. WEBSITE PHISHING TECHNIQUES

Phishers use a wide variety of techniques, with one common thread: each
one deceives the victim into trusting a message or a site that is not what
it claims to be.

2.1. LINK MANIPULATION


Most methods of phishing use some form of technical deception designed to
make a link in an e-mail appear to belong to the spoofed organization.
Misspelled URLs or the use of subdomains are common tricks used by
phishers. In the following example, http://www.yourbank.example.com/, it
appears as though the URL will take you to the example section of the
yourbank website; actually this URL points to the "yourbank" (i.e.
phishing) section of the example website, because the registrable domain,
read from the right-hand end of the host name, is example.com.

An old method of spoofing used links containing the '@' symbol, originally
intended as a way to include a username and password. For example,
http://www.google.com@members.tripod.com/ might deceive a casual observer
into believing that it will open a page on www.google.com, whereas it
actually directs the browser to a page on members.tripod.com, using a
username of www.google.com: the page opens normally, regardless of the
username supplied. Modern browsers drop or warn about this userinfo part,
so the trick now survives mainly in mail clients and other places that
display URLs as plain text.

Figure: 2.1 Link manipulation
2.2. FILTER EVASION
Filter evasion is a form of phishing where the phisher puts the message
text inside an image to get past anti-phishing filters. The idea behind
filter evasion is that mail filters are very good at reading plain text
but have a hard time reading images, so a message whose body is a single
picture of a bank notice carries none of the keywords the filter looks
for. This is becoming less of a risk as filters become more sophisticated
and apply optical character recognition (OCR) to images, and because a
message that consists of an image and almost no text is itself a useful
signal.
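The "image and almost no text" signal described above is cheap to compute from the raw MIME message. The following Python is an added example, not code from the original report: it parses a message, counts characters of real text against inline or attached images, and flags the image-only shape. The threshold MIN_TEXT_CHARS and the two sample messages are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Heuristic threshold (an assumption of this example; tune it against your
# own mail stream): a message with at least one image part and fewer than
# this many characters of real text is treated as "image-only".
MIN_TEXT_CHARS = 120


def image_text_stats(raw_message):
    """Return (text_chars, image_count, image_bytes) for an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    text_chars = image_count = image_bytes = 0
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text_chars += len(part.get_content().strip())
        elif ctype.startswith("image/"):
            image_count += 1
            image_bytes += len(part.get_payload(decode=True) or b"")
    return text_chars, image_count, image_bytes


def is_image_only(raw_message):
    """True when the message relies on an image to carry its text."""
    text_chars, image_count, _ = image_text_stats(raw_message)
    return image_count > 0 and text_chars < MIN_TEXT_CHARS


def _build(text, image_bytes=None):
    """Build a sample message (constructed test data, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "security@bank.example"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Account notice"
    msg.set_content(text)
    if image_bytes is not None:
        msg.add_attachment(image_bytes, maintype="image", subtype="png",
                           filename="notice.png", disposition="inline")
    return msg.as_string()


# Constructed placeholder image bytes (a PNG header plus padding).
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

# The phisher's message: a one-line body, with the real text in the picture.
IMAGE_ONLY_SAMPLE = _build("See attached.", FAKE_PNG)

# A normal notification: a logo image plus a proper text body.
NORMAL_SAMPLE = _build(
    "Dear Jane Doe,\n\n"
    "Your statement for March is ready.\n"
    "Log in to your account from our website, as usual, to view it.\n"
    "We will never ask for your password by e-mail.\n",
    FAKE_PNG,
)

if __name__ == "__main__":
    for name, raw in (("image-only", IMAGE_ONLY_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(name, image_text_stats(raw), "flag:", is_image_only(raw))
```

The check is deliberately blind to what the image shows; it only notices that the sender chose to put the words somewhere a keyword filter cannot read them. A production filter would combine it with OCR on the image and with sender reputation.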
2.3. WEBSITE FORGERY

Website forgery works by making a malicious website impersonate an
authentic one, so as to make the visitors give up their sensitive
information such as account details, passwords and credit card numbers.
Web forgery is mainly carried out in two ways: cross-site scripting and
website spoofing.

2.3.1. CROSS-SITE SCRIPTING

This is when an attacker injects a malicious script or payload into a
legitimate web application or website by exploiting a vulnerability in the
way it handles user-supplied input. The forged content is then served from
the genuine domain, so the address bar, the certificate and the padlock all
look correct to the victim.

Figure: 2.3.1 Cross-site scripting
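As an added example (not code from the original report), the Python below shows the flaw and two defences: a search-results page that concatenates user input straight into HTML, the same page with output encoding, and an allow-list ("let-in") sanitizer for the case where a site must accept limited markup from users. The function names, the allowed-tag set and the payloads are assumptions of this example.

```python
import html
from html.parser import HTMLParser


def render_search_vulnerable(query):
    """Vulnerable: the user's text becomes part of the page's markup."""
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query):
    """Fixed for plain text: every special character is encoded first."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


# When some formatting must be allowed, enumerate what is permitted
# (a let-in filter) instead of trying to block known-bad patterns.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowed tags, never attributes, and escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # "&lt;" arrives as "<" ...
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)         # attributes are dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))   # ... and leaves as "&lt;"

    def result(self):
        return "".join(self.out)


def sanitize_allowlist(fragment):
    """Return a copy of the fragment containing only allow-listed markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    payload = '<script>alert(document.cookie)</script>'
    print(render_search_vulnerable(payload))      # script tag reaches the page
    print(render_search_safe(payload))            # shown as harmless text
    print(sanitize_allowlist('<b onclick="x()">hi</b><img src=x onerror=alert(1)>'))
```

The sanitizer does not balance tags for you (an unclosed `<b>` is passed through unclosed), which a production filter would add; the point it demonstrates is that the safe set is spelled out and everything else, attributes included, is discarded.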
2.3.2. WEBSITE SPOOFING

This is done by creating a fake website that looks similar to a legitimate
website that the user intends to access. Unlike cross-site scripting, the
page is hosted on a domain the phisher controls, so the give-away is in
the address bar rather than in the page itself.

Figure: 2.3.2 Website spoofing (left: Google login phishing page; right:
current authentic Google login page)
2.4. POP-UPS

Another widespread pop-up phishing scam is the "pop-up tech support" scam.
When browsing the Internet, you suddenly receive a pop-up message claiming
that your system is infected and that you need to contact your vendor for
technical support. The phone number or link in the pop-up belongs to the
scammer, not to the vendor.

Figure: 2.4 Pop-ups
2.5. PHONE PHISHING

2.5.1 VISHING

Messages that claimed to be from a bank told users to dial a phone number
regarding problems with their bank accounts. Once the phone number (owned
by the phishers) was dialed, prompts told users to enter their account
numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID
data to give the appearance that calls come from a trusted organization.

Figure: 2.5.1 Vishing
2.5.2 SMISHING

Smishing is a form of phishing where someone tries to trick a victim into
giving up their private information via a text message (SMS).

The most common form of smishing is a text containing a link that leads to
a malicious download or to a credential-harvesting page. An installed
piece of malware can steal personal data such as banking credentials and
location, and can harvest phone numbers from the contact list so that the
same message is sent on to the victim's contacts and the campaign spreads
further.

Another smishing tactic is to pose as a legitimate and well-known
institution to solicit personal information from victims. In some cases,
scammers masquerade as tax authorities to get users' financial information
and use that to steal their money.

Figure: 2.5.2 Smishing
3. WEBSITE PHISHING EXAMPLES

3.1. PAYPAL PHISHING

In an example PayPal phish, spelling mistakes in the e-mail and the
presence of an IP address in the link are both clues that this is a
phishing attempt. Another giveaway is the lack of a personal greeting,
although the presence of personal details would not be a guarantee of
legitimacy. PayPal states that its legitimate communications will always
greet the user by his or her real name, not with a generic greeting like
"Dear Accountholder". Other signs that the message is a fraud are
misspellings of simple words, bad grammar and the threat of consequences
such as account suspension if the recipient fails to comply with the
message's requests.

Note that many phishing emails will include, as a real email from PayPal
would, large warnings about never giving out your password in case of a
phishing attack. Warning users of the possibility of phishing attacks, as
well as providing links to sites explaining how to avoid or spot such
attacks, is part of what makes the phishing email so deceptive. In this
example, the phishing email warns the user that emails from PayPal will
never ask for sensitive information. True to its word, it instead invites
the user to follow a link to "Verify" their account; this will take them
to a further phishing website, engineered to look like PayPal's website,
which will there ask for their sensitive information.

Figure: 3.1 PayPal phishing
3.2. RAPIDSHARE PHISHING

On the RapidShare web host, phishing is common in order to get a premium
account, which removes speed caps on downloads, auto-removal of uploads,
waits on downloads, and cool-down times between downloads.

Figure: 3.2 RapidShare phishing

Phishers obtain premium accounts for RapidShare by posting at warez sites
with links to files on RapidShare. However, using link aliases like
TinyURL, they can disguise the real page's URL, which is hosted somewhere
else and is a look-alike of RapidShare's "free user or premium user" page.
If the victim selects free user, the phisher just passes them along to the
real RapidShare site. But if they select premium, the phishing site records
their login before passing them on to the download. Thus the phisher has
lifted the premium account information from the victim, who notices
nothing because the download still works as expected.
3.3 E-MAIL PHISHING

Most phishing messages are delivered by email, and are not personalized or
targeted to a specific individual or company; this is termed "bulk"
phishing. The content of a bulk phishing message varies widely depending
on the goal of the attacker; common targets for impersonation include
banks and financial services, email and cloud productivity providers, and
streaming services. Attackers may use the credentials obtained to directly
steal money from a victim, although compromised accounts are often used
instead as a jumping-off point to perform other attacks, such as the theft
of proprietary information, the installation of malware, or the spear
phishing of other people within the target's organization. Compromised
streaming service accounts are usually sold directly to consumers on
darknet markets.

Figure: 3.3.1 E-mail phishing

Figure: 3.3.2 E-mail phishing
3.4 MASKED WEB ADDRESS PHISHING

Figure: 3.4 Masked web address phishing

Here are two internet domains: ee.co.uk and
ee.co.uk.billing-update-jan02[.]info. They look alike, don't they? You
might even think they belong to the same domain.

However, the second is a different domain altogether: read from the
right-hand end, its registrable domain is billing-update-jan02[.]info, and
"ee.co.uk" is just a subdomain label the attacker chose. It is an alarming
example of a newer way to phish unsuspecting victims: scammers have been
incorporating the date into their malicious internet domains to help them
spoof legitimate websites and keep the names looking current.
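The three URL tricks on this page (the subdomain and '@' tricks of section 2.1, the bare IP address in the PayPal link of section 3.1, and the brand-as-subdomain trick just described) all come down to reading the host name from the right. The Python below is an added example, not code from the original report: it splits a link the way a browser does, finds the registrable domain against a small public-suffix table, and reports every mismatch against the brand the link claims to be. The suffix table, the function names and the sample links are assumptions of this example; a real deployment would load the full Public Suffix List.

```python
from urllib.parse import urlsplit
import ipaddress

# Tiny public-suffix table covering the examples on this page (assumption;
# the real list has thousands of entries and must be kept up to date).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "uk", "co.uk"}


def registrable_domain(host):
    """Return the part of the host name that someone actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    # Walk leftwards from the TLD until the suffix stops being public.
    for i in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[i:])
        if suffix not in PUBLIC_SUFFIXES:
            return suffix
    return host.lower()


def analyze_url(url, expected_domain):
    """Explain where a link really goes and whether it matches the brand."""
    parts = urlsplit(url.replace("[.]", "."))   # undo the defanging used in reports
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        # Everything before '@' is userinfo, not the destination.
        findings.append("userinfo before '@' (%s) is not the host" % parts.username)
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a bare IP address")
    except ValueError:
        is_ip = False
    reg = None if is_ip else registrable_domain(host)
    expected = expected_domain.lower()
    if not is_ip and reg != expected:
        if expected in host:
            findings.append("brand name appears only as a subdomain label")
        else:
            findings.append("registrable domain %s is not %s" % (reg, expected))
    return {
        "host": host,
        "registrable_domain": reg,
        "matches_brand": (not is_ip) and reg == expected,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed links; 192.0.2.10 is a documentation address, not a real host.
    samples = [
        ("http://www.yourbank.example.com/", "yourbank.com"),
        ("http://www.google.com@members.tripod.com/", "google.com"),
        ("https://ee.co.uk.billing-update-jan02[.]info/login", "ee.co.uk"),
        ("http://192.0.2.10/paypal/login", "paypal.com"),
        ("https://www.ee.co.uk/account", "ee.co.uk"),
    ]
    for url, brand in samples:
        print(url, "->", analyze_url(url, brand))
```

The "registrable domain" is the only part of the host the phisher could not choose freely; every label to its left is under the attacker's control, which is why a brand name appearing there proves nothing.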
4. REASONS OF WEBSITE PHISHING

4.1. USERS ARE THE WEAKEST LINK

Even if most of us think we would be able to spot a phishing scam when we
receive one, it only takes a momentary lapse in judgement for us to fall
victim.

Figure: 4.1 Users are the weakest link

The panic one experiences on receiving a message claiming that, for
example, there has been suspicious activity on the recipient's account
will in many cases cause people to overlook signs that the message is
malicious.

By the time the panic passes it is too late, with the victim already
having clicked links, opened attachments and handed over their username
and password.
4.2. ORGANISATIONS AREN'T DOING ENOUGH

Staff awareness training isn't the only step that organisations can take
to better protect themselves from phishing scams.

The report highlights three key areas of weakness:

• Insufficient backup processes
• Lack of user testing (for example, simulated phishing exercises)
• BYOD (bring your own device) security risks
4.3. CRIMINAL ORGANISATIONS ARE WELL FUNDED

The massive success that cyber criminals have had in recent years means
they have plenty of funds to invest in scams.

As such, they can invest in technical resources to make their scams run
more efficiently, whether that is in the number of scams they can send,
the authenticity of their bogus messages or the complexity of their
campaigns.

It has also enabled cyber criminals to branch out into new attack vectors.
For example, there has been a significant increase in phishing conducted
over social media in recent years.

Figure: 4.3 Criminal organisations are well funded
4.4. CYBER CRIMINALS ARE SHIFTING THEIR FOCUS

The availability of stolen data on the dark web has decreased its
commercial value.

Scammers can now buy payment card data on the dark web for as little as
$9 (about £6.80), so there is less profit to be had for those stealing
and selling this information.

In response, cyber criminals have changed tactics, looking to make money
from organisations directly through ransomware attacks, for which a
phishing e-mail is a common initial entry point.

These types of attack are no more complicated for a cyber criminal to pull
off, but the rewards can be much greater.

Although experts warn organisations not to pay ransoms, it is certainly
tempting to wire a lump sum in the hope that you will get your systems
back online rather than face the headaches that come with incident
response.

Figure: 4.4 Cyber criminals are shifting their focus
5. WAYS TO AVOID WEBSITE PHISHING SCAMS

• Keep Informed About Phishing Techniques
• Think Before You Click!
• Install an Anti-Phishing Toolbar
• Verify a Site's Security (but note that HTTPS and a padlock only show
  that the connection is encrypted, not that the site is genuine; phishing
  sites are routinely hosted on HTTPS, as Figure 7.2 shows)
• Check Your Online Accounts Regularly
• Keep Your Browser Up to Date
• Use Firewalls
• Be Wary of Pop-Ups
• Never Give Out Personal Information in response to an unsolicited
  message; reach the site by typing its address yourself
• Use Antivirus Software
6. EFFECT OF WEBSITE PHISHING

• Internet fraud
• Identity theft
• Financial loss to the impersonated institutions
• Difficulties in law enforcement investigations
• Erosion of public trust in the Internet
7. GRAPH OF PHISHING WEBSITES

Figure: 7.1 Unique phishing websites

Figure: 7.2 Phishing attacks hosted on HTTPS
8. ANTI-PHISHING

There are several different techniques to combat phishing, including
legislation and technology created specifically to protect against
phishing.

8.1. SOCIAL RESPONSES

One strategy for combating phishing is to train people to recognize
phishing attempts, and to deal with them. Education can be effective,
especially where training provides direct feedback. One newer phishing
tactic, which uses phishing e-mails targeted at a specific company, known
as spear phishing, has itself been harnessed for training: organisations
send simulated spear-phishing messages to their own staff and give
feedback to those who respond.

The Anti-Phishing Working Group, an industry and law enforcement
association, has suggested that conventional phishing techniques could
become obsolete in the future as people become increasingly aware of the
social engineering techniques used by phishers. They predict that pharming
and other uses of malware will become more common tools for stealing
information.
8.2. TECHNICAL RESPONSES

Anti-phishing measures have been implemented as features embedded in
browsers, as extensions or toolbars for browsers, and as part of website
login procedures. The following are some of the main approaches to the
problem.

8.2.1 Helping to identify legitimate sites

8.2.2 Browsers alerting users to fraudulent websites

8.2.3 Augmenting password login

8.2.4 Eliminating phishing mail

8.2.5 Monitoring and takedown
8.3. LEGAL RESPONSES

On January 26, 2004, the U.S. Federal Trade Commission filed the first
lawsuit against a suspected phisher. The defendant, a Californian
teenager, allegedly created a webpage designed to look like the America
Online website, and used it to steal credit card information. In the
United States, Senator Patrick Leahy introduced the Anti-Phishing Act of
2005. Companies have also joined the effort to crack down on phishing.
9. DAMAGE CAUSED BY WEBSITE PHISHING

The damage caused by phishing ranges from denial of access to e-mail to
substantial financial loss. This style of identity theft is becoming more
popular, because of the readiness with which unsuspecting people often
make known personal information to phishers, including credit card
numbers, social security numbers, and mothers' maiden names. There are
also fears that identity thieves can add such information to the
knowledge they gain simply by accessing public records. Once this
information is acquired, the phishers may use a person's details to create
fake accounts in a victim's name. They can then ruin the victims' credit,
or even deny the victims access to their own accounts.

It is estimated that between May 2004 and May 2005, approximately 1.2
million computer users in the United States suffered losses caused by
phishing, totaling approximately US$929 million.

Figure: 9.1 Damage caused by website phishing
10. CONCLUSION

No single technology will completely stop phishing. However, a combination
of good organization and practice, proper application of current
technologies, and improvements in security technology has the potential to
drastically reduce the prevalence of phishing and the losses suffered from
it. In particular:

• High-value targets should follow best practices and keep in touch with
their continuing evolution.

• Phishing attacks can be detected rapidly through a combination of
customer reportage, bounce monitoring, image use monitoring, honeypots and
other techniques.

• Browser security upgrades, such as distinctive display of potentially
deceptive content and providing a warning when a potentially unsafe link is
selected, could substantially reduce the efficacy of phishing attacks.

• Anti-phishing toolbars are promising tools for identifying phishing sites
and heightening security when a potential phishing site is detected.

• Detection of outgoing confidential information, including per-site
password hashing (so that the value typed into a look-alike site is of no
use on the real one), is a promising area of future work, with some
technical challenges.

• Two-factor authentication is highly effective against phishing, and is
recommended in situations in which a small number of users are involved
with a high-value target. Device-identifier-based two-factor
authentication offers the potential for cost savings. Note that a one-time
code the user types in can still be relayed by a phishing site in real
time; only a second factor bound to the site's origin, such as a hardware
authenticator, is fully phishing-resistant.

• Cross-site scripting is a major vulnerability. All user content should
be filtered using a let-in (allow-list) filter that permits only known-safe
markup, rather than a block-list of known-bad patterns. Browser security
enhancements could decrease the likelihood of cross-site scripting attacks.
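The per-site password hashing mentioned in the conclusion is simple to demonstrate. The Python below is an added example, not code from the original report: it derives the password actually sent to a site from the user's master password and the site's registrable domain, so that whatever a look-alike domain harvests is unrelated to the real site's password and the master password itself never leaves the client. It assumes the caller has already reduced the page URL to its registrable domain; the iteration count, the alphabet and the sample domains are assumptions of this example.

```python
import hashlib
import hmac

# PBKDF2 work factor (assumption; tune to the client platform).
ITERATIONS = 200_000

# Printable subset that most password forms accept. Mapping bytes with a
# modulus introduces a small bias, acceptable for this demonstration.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def site_password(master_password, site_domain, length=20):
    """Derive the password to type into site_domain from the master password.

    The registrable domain is the salt, so a look-alike domain produces an
    unrelated value and the master password never reaches any site.
    """
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        site_domain.lower().encode("utf-8"),   # case-insensitive, like DNS
        ITERATIONS,
    )
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)[:length]


def leaked_value_is_useful(leaked, master_password, real_domain):
    """Would a value harvested by a phishing page log in to the real site?"""
    return hmac.compare_digest(leaked, site_password(master_password, real_domain))


if __name__ == "__main__":
    master = "correct horse battery staple"           # constructed example
    real = site_password(master, "paypal.com")
    phished = site_password(master, "paypa1-verify.example")   # look-alike domain
    print("real site   :", real)
    print("phished site:", phished)
    print("phished value works on the real site?",
          leaked_value_is_useful(phished, master, "paypal.com"))
```

The technical challenge the conclusion alludes to is visible here: the derivation must be keyed on the registrable domain, not the full host, or a site with several login hosts would give the user several different passwords, and it must be applied before the password field is submitted, which is why such schemes live in the browser rather than on the server.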
11. REFERENCES

https://en.wikipedia.org/wiki/Phishing
https://www.phishing.org/
https://studymafia.org/
https://www2.deloitte.com/us/en.html