Phishing Attacks: Too Many Phishers for ISPs to Catch

Privacy for all People

Information security has recently become a thriving and fast-moving discipline, driven by failures of security systems that stem from technical factors. The purpose of having secure information is to preserve the confidentiality, integrity, and availability of information. Confidentiality means that only the right people will have permission to access the information; integrity means that the information system and data are accurate; and availability means that the information system operates reliably. These three key ideas will shape the way organizations create policy.

Phishing attacks have been making their appearance locally and internationally in a big way. The United Kingdom trade association asserted a 726% increase in phishing attacks between 2005 and 2006. This drastic increase in attacks shows that people need to pay close attention to what information they provide to others. Also, organizations need to update and enforce policies that involve privacy of personal data. IBM states that phishing is one of the more prominent attack vectors used to compromise information and communications technology networks. With the growing number of attacks, we must develop better ways to implement information security.

Internet service providers (ISPs) play an important role when it comes to crime committed in the cyber domain. All traffic that goes to the world wide web flows from the source host to the provider to the target host. This shows that providers are the ones responsible for allowing malicious payloads through their networks to reach the victim. Information security is compromised every time an ISP is negligent in securing its massive network. ISPs are at fault and should play a larger role in protecting people from attacks that can cripple their internet wellbeing.

Phishing attacks are pervasive and can happen at any moment. There are various types of phishing attacks, such as smishing and vishing. These types are not as common as email phishing, but they still raise a real concern for citizens’ privacy. For example, privacy is compromised when people use their mobile devices for actions that require collecting sensitive and personal information. Mobile device users are three times more vulnerable to phishing attacks than desktop users. Since consumers are constantly using their mobile devices, they need to be cautious about the information they input, because there is a distinct possibility that phishers are maliciously stealing it.

Technical Perspective of Phishing Attacks

Typically, a phisher (the person committing the phishing attack) starts by running a web server and building a spoofed website of a well-known company such as Facebook or Amazon. The spoofed website contains malicious code that captures the user’s personal information, such as credentials or a credit card number. Once the website is created and reachable from the internet, the phisher sends the spoofed link to a victim, intending to trick them into giving up their personal data. The malicious code goes through the phisher’s internet service provider and then on to the victim. After receiving the link, the victim may open it and input his or her personal information without knowing it is a spoofed website. The malicious code is executed, storing the information in a database for the phisher to use at his or her own discretion. One way the phisher can use the information is by inputting it into the real website to steal more information about the victim. This simple, typical and low-cost phishing scenario is outlined in Figure 1.

Simple Phishing Scenario

Other phishing attacks have most of the same steps as depicted in Figure 1. The main differences are the medium used to send the spoofed link and the malicious code. Most commonly the medium is email, but recently mobile devices are becoming more vulnerable to phishing attacks. Since the web server hosting the fake site is accessible through the internet, phishers will be able to send text messages to victims’ mailboxes. The most common phishing tactics are spoofing websites, text messages and images; web link manipulation; malicious scripting languages; JavaScript popups and fake address bars; and utilizing browser vulnerabilities. Figure 2 gives a graphical representation of the most common tactics used to compromise people’s privacy. Thus, the methods that hackers carry out to exploit their victims are endless.

[Figure 2: The most common phishing tactics]

Spoofing websites, text, and images involves the perpetrator crafting files that are similar to something the victim is accustomed to seeing. In other words, these files are not real and will mislead you into thinking that you are on the real site. Web link manipulation attacks occur when the user cannot see the link explicitly. The user is unaware that if the link is clicked, he or she will be brought to a website that will trick them into giving up their credentials. Malicious use of scripting languages behaves similarly to the spoofed website but is hidden from the victim. On the other hand, there are attacks that will steal information when there is a JavaScript popup or when someone installs a plugin that is actually a malicious address bar. The last phishing attack involves knowing the vulnerabilities of web applications and exploiting them to get sensitive data. Thus, there are many ways to implement a phishing attack, and cyber professionals need to be confident that their systems are secure against any attack.
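The web link manipulation described above can be checked for on the receiving side by comparing what each link shows the reader with where it actually leads. The following is an added example, not part of the original article: the function names, the verdict labels and the sample message are constructed for illustration, and the two-label domain comparison is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Hostname-looking token in visible link text, e.g. "www.example.com".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_domain(host):
    # Assumption: last two labels stand in for the registrable domain (real code: Public Suffix List).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def audit_links(html):
    """Return (verdict, destination host, visible text) for each http(s) link."""
    collector = AnchorCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        shown = HOST_IN_TEXT.search(text)
        if shown is None:
            verdict = "hidden"    # text gives no hint of the destination
        elif base_domain(shown.group(1)) == base_domain(parts.hostname):
            verdict = "match"
        else:
            verdict = "mismatch"  # text names one site, href leads to another
        results.append((verdict, parts.hostname, text))
    return results

# Constructed sample message body (reserved example domains only).
SAMPLE = """<p>Sign in at <a href="http://login.example.net/verify">https://www.example.com/complaints</a></p>
<p><a href="https://www.example.com/help">www.example.com/help</a></p>
<p><a href="http://portal.example.org/login"><b>Click here</b> to sign in</a></p>
<p><a href="mailto:help@example.com">Email us</a></p>"""

if __name__ == "__main__":
    print(*audit_links(SAMPLE), sep="\n")
```

A "mismatch" verdict is the strongest signal; "hidden" links are common in legitimate mail, so a mail client or filter would surface the real destination host rather than block on that verdict alone.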

There are many industries that are susceptible to these types of phishing attacks. Some will need a stronger cybersecurity infrastructure than others. Two examples of phishing attack in different industries and countries are given below to show how widespread the phishing problem is. Above all, industries that collect and store private information need to be cautious at all times of the risks that will arise when conducting operations via the internet.

Foreign Bank Meltdown

TSB, a bank that is located in the UK, was in a merger with Lloyds Banking Group until September 2013, when the two companies split. Once TSB left, it became an orphaned bank, forcing a portion of the customer base to go along with it. The orphaned bank was on its own to protect the information of roughly five million customers. For example, one customer banked with Lloyds Banking Group before TSB was part of the merger, but had to switch because TSB was the customer’s local branch.

A project was underway to migrate TSB customers’ data from Lloyds Banking Group systems to TSB’s own proprietary systems. Proteo4UK was the migration tool that the banking institution chose to help with moving the data securely and efficiently. The project finished with a press release from TSB stating the migration was complete, but the migration did not move the data as expected. When the bank reopened for the public to access their accounts after the system downtime, people began to notice other account holders’ transactions and that their accounts simply didn’t add up. A writer from Wired UK states that “Banking systems are almost as low-tech as they are complex.” A technical failure that resulted in bank tellers not being able to access the system occurred at the completion of the data migration. TSB customers struggled to make payments, pay off bills or simply access their accounts without being confronted with someone else’s transactions. It seems that banking institutions such as TSB use software that compromises the confidentiality, integrity, and availability of their customers’ private information.

As a result of the data migration failure, phishing emails and text messages were sent to TSB customers attempting to steal their banking details. Not only were TSB customers the target, but also customers of other local banks such as Barclays and NatWest. Phishers and scammers learn about companies with internal scandals from angry customers’ social media posts. Customers were exploited by being encouraged to click a link and input their username and password to process their complaint against TSB. These customers lost control of their bank accounts. There have been ten complaints per day from frustrated customers since April 30th. The frustrated customers were exploited during the technical failure, when they did not have access to see their accounts. One customer stated that “it was a vulnerable time, and clearly security behind-the-scenes was not up to scratch.”

When private information is at stake, the correct security measures need to be taken in order to establish confidentiality, integrity, and availability. TSB is at fault for not testing the migration beforehand to know that everything would be error free. Furthermore, there needs to be policy at TSB to ensure that this event never happens again. After creation of such policy, other banks in the area need to adopt similar cyber policy positions. With the spread of policymaking, people will become more aware of cyber attacks and have a way to defend against them.

Education System Attack

Around the same time as the TSB meltdown, there was a phishing attack on teachers at a high school in California called Ygnacio Valley High School. This attack was similar in nature but was not as serious as the attack in the UK. Schools do not collect financial information such as credit card and savings account numbers, but they do collect grades and other sensitive information like social security numbers. The main differences between what happened in the UK and California are the number of people who were affected and the culprit’s age.

At the beginning of May, the police department in Concord, California put a teen in handcuffs for sending phishing emails to his teachers. The email contained a link that could take the victims to a spoofed grading system login page. After a victim entered his or her information, the teenage phisher was able to log on to the grading system with real credentials. As a result of gaining access to the confidential and password-protected system, the phisher was able to change grades for some students, excluding his own.

The student wanted to teach his school how easy it was to trick people into giving him what he wanted. Since a teenager did this instead of an adult, the police department had to deal with a minor committing a serious crime. Apparently, the teen phisher spent only five minutes creating the email. Even more surprisingly, an information technology staff member found the message two weeks later in the spam folder. The high schooler playfully remarked that “it was like stealing candy from a baby.” If anything was learned, the administrators now know that they have threats coming from their students.

It is important to note that the number of people affected by this phishing attack was relatively small. The people affected included a couple of teachers who received the email and students whose grades were changed. Even though the number is not close to five million like the TSB crisis, it still had a great impact on the high school’s community and its reputation. Now that students see how easy it is to trick teachers into giving up their credentials, the number of phishing attacks is most likely to rise. Thus, the community will have to deal with malicious attacks not only from outside but also from within.

Teachers in school systems and universities around the globe are susceptible to malicious phishing attacks. Some students will do similar acts to change their grades if they feel they will not get caught. In this case, the student did not care about his grade, but he wanted to show that social engineering is an easy and effective technique. Just imagine if he did a better job covering up his tracks, what would the school do? As a response, the school district needs to make changes in their cyber operations and policy to ensure that this will not happen again. Hopefully, these changes in policy will spark a conversation with other school districts around the nation, so they can adopt similar upgrades.

The role of ISPs

Since TSB is not a well-known bank to United States citizens, they will undoubtedly not care about the outcome because it did not affect their financial situation. However, citizens need to care so that industries and companies holding their data in the United States understand the risks at hand. The executives in these industries are constantly battling with phishers internally and externally. Phishers are the present-day cyber criminals and they will not cease to exist, only increase in numbers. In the financial world, these criminals are similar to a present-day bank robber. Banks will never stop getting harassed; all the money is located there. In the educational world, phishing is not a problem until it becomes one. So in order to deter phishing, public and private sector industries and educational institutions need to practice safe browsing and keep their software and hardware updated.

Phishing is everywhere. Also, phishing is only one of the techniques that cybercriminals can use against public and private sector industries. The examples mentioned are supposed to show that this is a current and prevalent problem that many countries are facing. This problem needs to be resolved collectively by working together to stop cybercriminals. Internet service providers such as AT&T and Comcast need to step their game up when it comes to securing their networks. As we speak, malicious traffic is going unnoticed. There could be a phishing attack on you and the ISP would not know until after the target is exploited. Internet service providers are usually well placed to detect infection because evidence of a user’s infection flows over an ISP’s network. Hosting providers that have control of the malicious hosting can take the phishing pages down. Anderson et al. propose fixed statutory damages against an ISP that does not act within a fixed time period after being notified of an infected computer on its network. This proposal was for the European Union, but something similar should be proposed to the United States government. If ISPs are unable to detect infected hosts that are connected to their network, then shame on them. They need to understand that they are the middleman in every cyber attack.

When an ISP notices that a host is sending spoofed links, it should immediately take that host offline. The way in which the provider distinguishes between infected and uninfected hosts is something that service providers need to implement, if they have not already. This algorithm or firewall of some kind will have the potential to protect people’s privacy around the globe. As a result, there needs to be pressure on small and large ISPs alike, so that they share knowledge about phishing hosts. When there is such teamwork between ISPs, there will be better communication, which should lead to fewer attacks. In all, it is imperative that ISPs play a vital role in securing the world wide web from attackers.

Conclusion

The internet is vast and is home to phishers who will steal information right from under your fingertips. In order to mitigate phishing attacks, there needs to be a collaborative effort among governments, private and public sector industries, and internet service providers. These are the main actors when it comes to implementing a policy that will safeguard a citizen’s confidentiality, integrity, and availability. The two recent attacks show that this technique is inevitable and easy to accomplish. So why can’t ISPs detect malicious web traffic before it reaches the victim? The traffic could simply be dropped or filtered, but knowing which packet to filter is the issue. This is clearly an issue that ISPs need to resolve in order to make the world wide web safe.

Research Log

Aaron, G. (2010). The state of phishing. doi:10.1016/S1361-3723(10)70065-8. Retrieved from http://www.sciencedirect.com/science/article/pii/S1361372310700658

Anderson, R. (2001). “Why Information Security is Hard – an Economic Perspective”. Web.

Anderson, R., Böhme, R., Clayton, R., & Moore, T. (2008). Security economics and the internal market. United Kingdom: European Union Agency for Network and Information Security.

Anti-corruption Digest. (2018, May 23). TSB phishing scams are surging in the wake of its online banking crisis. Retrieved from https://anticorruptiondigest.com/anti-corruption-news/2018/05/23/tsb-phishing-scams-are-surging-in-the-wake-of-its-online-banking-crisis/#axzz5IKxABvFx

Farivar, C. (2018, May 14). ‘Like stealing candy from a baby,’ arrested teen says of his phishing efforts. Ars Technica. Retrieved from https://arstechnica.com/tech-policy/2018/05/like-stealing-candy-from-a-baby-arrested-teen-says-of-his-phishing-efforts/

Gaurav, Varshney, Misra Manoj, and Pradeep K. Atrey. (2016). “A Survey and Classification of Web Phishing Detection Schemes.” Security and Communication Networks 9.18: 6266-84. Web.

Grama, Joanna. (2015). Legal Issues in Information Security. 2nd ed. Massachusetts: Jones & Bartlett Learning. Print.

IBM. (2018). IBM X-Force Threat Intelligence Index 2018. Armonk, New York: IBM Security. Print.

Jones, R. (2018, June 6). TSB admits 1,300 customers lost money from accounts. Retrieved from https://www.theguardian.com/business/2018/jun/06/tsb-admits-1300-customers-lost-money-from-accounts

Kollewe, J. (2018, April 30). TSB online banking meltdown drags into second week. Retrieved from https://www.theguardian.com/business/2018/apr/30/tsb-online-banking-internet-business-it

Megaw, N. (2018, June 5). FCA to launch formal investigation into TSB’s IT failure. Financial Times. Retrieved from https://www.ft.com/content/a000d194-68a6-11e8-8cf3-0c230fa67aec

Moore, Tyler, Richard Clayton, and Ross Anderson. (2009). “The Economics of Online Crime.” Journal of Economic Perspectives 23.3: 3-20. Web.

Shahriar, Hossain, Tulin Klintic, and Victor Clincy. (2015). “Mobile Phishing Attacks and Mitigation Techniques.” Journal of Information Security 6.03: 206. Web.

Stokel-Walker, C. (2018, May 1). ‘We’re on our knees’: Inside the totally avoidable TSB crisis. Wired UK. Retrieved from http://www.wired.co.uk/article/tsb-crisis-it-issues-online-banking-problems-ibm-paul-pester-compensation
