
Auction and trade fraud

This case study is related to the fraudulent practice of using another person’s name and personal information, as well as the illegal use of someone else’s personal information (such as a social security number), in order to obtain money, credit, loans or similar benefits.

Table 5 summarizes three main scenarios together with possible prevention approaches; both are described in more detail in the following subsections.

Threat scenarios / related attacks | Prevention approaches
-----------------------------------|---------------------------------------------------------------------------------------
Phishing                           | Anti-Virus Technology, Secure E-mail Protocols, Computer security, NoPhish, Education
Pharming                           | Firewalls, Browser Enhancements, Digital Certificates
Call ID Spoofing                   | Detection Tools

Phishing scenario. This scenario considers phishing attacks that fake the identity of trustworthy sources in order to obtain sensitive data, such as passwords or credit card information, from the Internet user (Raffetseder, Kirda and Kruegel 2007; James, Sandhya and Thomas 2013). The term phishing is derived from “fishing” because of the similarity of using a bait to catch a victim. A typical attack is launched with mass-generated spam e-mails that carry the corporate logos of the spoofed company and contain links to a replica of the trustworthy website, e.g. an online banking site or a buyer-seller portal (for example amazon.com). Phishers register domain names with similar addresses to disguise the fake address; since many people are not aware of phishing, they do not notice the difference. Other techniques for domain masking are misspellings, similar-looking characters (arnazon.com, or using the digit “1” for the lowercase letter “l”), the use of subdomains (amazon.buyhere.com), or showing a different URL in the inner HTML of the link tag than the actual destination, so that the displayed URL differs from the actual URL. If the recipient clicks on the malicious link, they are redirected to the phisher’s own website, believing they are entering a trustworthy page, and are then asked to enter login information or credit card data. Phishing e-mails often carry attachments that appear to be legitimate Microsoft Word or PowerPoint documents; if the user opens the file, malware is downloaded and the computer is infected with a Trojan horse, a computer worm or a virus. Phishers also use instant messaging (IM) technology and social communities such as Facebook for phishing scams: social media users receive a message that often appears to come from a buddy-list contact, the victim is lured into clicking a URL and is then directed to a phishing website.
Fake Facebook login pages are also created to capture users’ e-mail addresses and passwords, allowing the account to be compromised and used to spam other accounts. In addition, IM and social networks are often mediums for malware (SANS Institute 2007).

Pharming scenario. Pharming is derived from the words “farming” and “phishing”. In this case a cyber-attack is used to redirect Internet users from legitimate websites to another (malicious) website, where login data is demanded from the victim. It is used by malicious actors to elicit information for identity theft. Pharming can be performed either by changing the hosts file on a victim’s computer or by exploiting a vulnerability in DNS server software, i.e. through poisoned DNS servers.
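The hosts-file variant of pharming described above leaves a durable trace on the victim's machine: a legitimate domain name pinned to an address the user never chose, which the browser honours before asking DNS. The following added example (not part of the original page) audits a hosts file for exactly that pattern. The watch list of domains and the sample hosts file are constructed for the example; `is_harmless` treats loopback and unspecified addresses as the normal content of a hosts file.

```python
"""Audit a hosts file for pharming-style entries (added example)."""
import ipaddress

# Constructed watch list: domains whose users would be targeted by pharming.
WATCHED_DOMAINS = {"examplebank.com", "amazon.com", "paypal.com"}

# Constructed hosts file. The 203.0.113.77 line pins the bank's name to an
# address outside the organisation; everything else is routine.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.10.5    intranet.corp.example   # internal server
203.0.113.77    www.examplebank.com examplebank.com
0.0.0.0         ads.tracker.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per name on a line, skipping comments
    and blank lines. A line may list several names for one address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_harmless(ip):
    """Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) targets are the
    normal content of a hosts file; anything else redirects real traffic.
    Raises ValueError for an unparsable address."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_watched(name):
    """True if the hostname is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_pharming_entries(text):
    """Return [(ip, hostname)] for every watched name that resolves to a
    non-local address, plus any entry whose address cannot be parsed."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            if is_harmless(ip):
                continue
        except ValueError:
            hits.append((ip, name))   # malformed address: flag for review
            continue
        if is_watched(name):
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in find_pharming_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a real system the file to feed in is `/etc/hosts` on Unix-like hosts or `C:\Windows\System32\drivers\etc\hosts` on Windows; the same check run from an endpoint agent, with the watch list replaced by the organisation's own login domains, turns a silent redirect into a detectable event.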

Call ID Spoofing scenario. Call ID Spoofing involves phishers causing the telephone network to advertise a trustworthy originator of a call when the true originator is the phisher. The Caller ID display shows a phone number different from that of the telephone from which the call was placed. Phishers use Voice over Internet Protocol (VoIP) numbers, available through retailers such as Skype, to set up a war dialer, i.e. software that dials phone numbers sequentially. When a person answers, they are informed about some kind of fraudulent activity on their credit card or bank account and are directed to call a phone number to confirm personal data. That phone number is in fact attached to the VoIP account of the scammer.

Different approaches are available to deal with identity theft. The main ones are described in the following:

  • Phishing Detection Tools. Anti-phishing tools are available for many platforms, such as e-mail applications and browsers. They inform the user about possible threats and examine background information, for example by looking up malicious links in a database. TORPEDO (TORPEDO 2017), a just-in-time and just-in-place tooltip for Thunderbird, Firefox and Google Chrome, displays the URL that is behind a link the user is about to click on and highlights the unique domain in the tooltip. This and other tools help users to identify phishing attempts and inform them about personal security and safety.
  • Digital Certificates. Security begins with establishing trust between a user and a web site. Digital certificates are a way to establish this trust in the form of an encrypted digital key system. A public and private key structure is established whereby a company has a private key, obtained from a Certificate Authority (CA), and a user who wishes to make secure transactions obtains the corresponding public key from the company. When the user logs into the company’s server, the keys have to match or the transaction will not be processed. The problem with this method is that the private keys could be stolen if not kept completely secure. If the private key is compromised, a hacker could use the digital key to masquerade as the key’s owner.
  • Firewalls. There are many e-mail firewall products that implement rules to block spam and phishing scams, which are updated as new phishing schemes are found. They not only block the spam, but also verify the IP numbers and web addresses of the e-mail source and compare them to known phishing sites.
  • Anti-virus Technology. Phishing is typically not spread through computer viruses, but if a device is infected with a worm, this could give the scammer access to the user’s personal data. Security best practices direct that all users should run an anti-virus product regardless of whether they are concerned about phishing or online fraud.
  • Secure E-mail Protocols. There is a push within the industry to modify the existing e-mail transport protocols and include built-in security at this lower level. Validating the identity of the originating sender of a message would go a long way toward preventing phishing attacks. There are encryption methods for sending e-mail, but many believe they are difficult for the average user to implement. Built-in encryption may eliminate the need for separate encryption methods, allowing transparent authentication for the user. It would also eliminate the possibility of keys being stolen or hacked and thus allowing an attacker to decrypt secure messages. Several companies are working on this, but it may be years before something is available.
  • Browser Enhancements. Recent versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Opera offer security features aimed at controlling phishing attacks and other online fraud. The browsers maintain databases of known phishing sites, in which they can look up a site and warn the user of the danger. However, these approaches do not protect the web user from all forms of phishing attacks, and phishers will most certainly try to find ways to defeat the browsers.
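The phishing scenario above lists the ways a link's true destination is masked (a displayed URL that differs from the href, look-alike characters such as "arnazon.com", a trusted brand used as a subdomain), and the Phishing Detection Tools item describes TORPEDO showing the real URL and highlighting its unique domain. The following added example (not part of the original page and not TORPEDO's code) performs that same comparison offline over an HTML e-mail body: it pairs each link's visible text with its real href, extracts the registrable domain, and reports which masking trick applies. The trusted-domain list, the confusable-character table, the tiny public-suffix table and the sample e-mail are all constructed for the example.

```python
"""Audit links in an HTML e-mail for URL-masking tricks (added example)."""
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brands the organisation expects mail to link to.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "examplebank.com"}

# Two-label public suffixes so "bank.co.uk" is not split as "co.uk".
# Deliberately tiny; a real deployment would load the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Character sequences phishers substitute for their look-alikes, e.g. the
# "rn" in arnazon.com for "m", or the digit "1" for the letter "l".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a hostname ('buyhere.com' for
    'amazon.buyhere.com'); this is the part a tooltip should highlight."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise_confusables(name: str) -> str:
    """Map look-alike sequences onto the letters they imitate."""
    out = name.lower()
    for fake, real in CONFUSABLES:
        out = out.replace(fake, real)
    return out


def classify_link(href: str, text: str) -> list[str]:
    """Return the masking indicators found for one link (empty if clean)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no hostname in href"]
    domain = registrable_domain(host)

    # 1. The visible text looks like a URL but names a different domain.
    shown = text.strip()
    if "." in shown and " " not in shown:
        shown_url = shown if "://" in shown else "http://" + shown
        shown_host = (urlparse(shown_url).hostname or "").lower()
        if "." in shown_host.rstrip(".") and registrable_domain(shown_host) != domain:
            findings.append(f"displayed {shown_host} but href goes to {host}")

    # 2. The real domain is untrusted; explain how it imitates a trusted one.
    if domain not in TRUSTED_DOMAINS:
        brand = domain.split(".")[0]
        sub_labels = host.split(".")[:-len(domain.split("."))]
        for trusted in TRUSTED_DOMAINS:
            tbrand = trusted.split(".")[0]
            if tbrand in sub_labels:          # amazon.buyhere.com
                findings.append(f"'{tbrand}' used as subdomain of untrusted {domain}")
            elif brand != tbrand and normalise_confusables(brand) == tbrand:
                findings.append(f"{domain} is a look-alike of {trusted}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def audit_html(body: str) -> dict[str, list[str]]:
    """Map every suspicious href in the body to its list of indicators."""
    collector = LinkCollector()
    collector.feed(body)
    return {href: f for href, text in collector.links if (f := classify_link(href, text))}


# Constructed sample: one subdomain/display-mismatch link, one look-alike
# domain, and one genuine link that must not be flagged.
SAMPLE_MAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://amazon.buyhere.com/login">https://www.amazon.com/account</a><br>
<a href="https://arnazon.com/verify">Verify now</a><br>
<a href="https://www.amazon.com/gp/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reasons in audit_html(SAMPLE_MAIL).items():
        print(href, "->", "; ".join(reasons))
```

The check is deliberately conservative: a link is only compared against the allow-list once its registrable domain is known to be untrusted, so ordinary marketing links to trusted brands produce no noise, while a brand name appearing anywhere left of the registrable domain, or a name that becomes a trusted brand after confusable substitution, is reported with the reason a user could act on.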

Furthermore, education is an important part of countering phishing and other online scams. Computer users should make an effort to keep up to date on computer security issues and use common sense when giving out information anywhere. If an unsolicited e-mail asks for personal information, that should be an immediate red flag that something may not be right; legitimate companies will generally not solicit personal information via e-mail. If personal information is requested via a web site, the user should make certain that he or she is connected to the proper site and that the communication is encrypted. NoPhish (Secuso 2017), a research project in Germany, deals with informing web users about the risks of phishing and how to avoid it. It provides online training through an anti-phishing game and tools for secure interaction with browser or e-mail applications.
