subject: Strathclyde Anti-phishing Scam Solutions Strathclyde University Associates - Of the following solutions, the first two are corporate while the following two are end-user in nature. Christopher Cranston, Department of Computer and Information Sciences, University of Strathclyde, Glasgow.
1. Digitally Signed Email
Digitally signed emails allow the recipient to verify that the sender information is genuine. This also lets the
recipient know that the message has not been modified in transit. These guarantees are extremely useful in
the context of phishing, as they prevent individuals from impersonating established organizations in phishing
emails. Popular digital signature standards include OpenPGP and S/MIME, although they are incompatible
with each other. These facilities can be used with mail clients such as Outlook, Navigator and Eudora.
At first glance, digitally signed emails appear well suited to combating the phishing problem. However, to
date very few organizations with on-line banking or e-commerce facilities use this technology. Companies
frequently targeted by phishing attacks such as Citibank, eBay and US Bank do not use digital signatures at
all. This has been attributed to the difficulty end-users have in using digital signature technology (Tally, G.,
et al., 2004).
2. Online Brand Monitoring
Companies such as Cyveillance, NameProtect and Netcraft offer on-line brand monitoring services. This
entails monitoring domain name registrations, web pages, spam emails and other on-line content for illegal
use of clients' brand names. If illegal use of a client's brand name is detected, for example on a phishing web
site, then the client is notified and can take remedial action to close the website.
In the context of phishing attacks, some components of this service are more useful than others. The
monitoring of domain name registrations is perhaps the most useful component, as organizations can be
alerted in advance to possible phishing websites. For example, the organization with the domain bank.com
could be informed that bank-security.com was recently registered by another party. The organization
controlling bank.com may then conclude that this newly registered domain is likely to be used for phishing
attacks, so could give prior warning to customers.
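
The registration check described above can be sketched as follows. This is an added example, not code from the original article or from any of the monitoring vendors named; the feed of new registrations is constructed, and the function names and the matching rules (brand used as a hyphen-separated token, one-character misspelling, same label under another TLD) are assumptions chosen for illustration.

```python
import re

def registrable_label(domain):
    """'bank-security.com' -> 'bank-security' (simplified: assumes a one-label TLD)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_registrations(own_domain, new_domains, max_distance=1):
    """Return (domain, reason) pairs that deserve an analyst's attention."""
    own = own_domain.lower().rstrip(".")
    brand = registrable_label(own)
    hits = []
    for raw in new_domains:
        domain = raw.lower().rstrip(".")
        if domain == own:
            continue  # our own registration
        label = registrable_label(domain)
        if label == brand:
            hits.append((domain, "same label under another TLD"))
        elif brand in re.split(r"[-_0-9]+", label):
            hits.append((domain, "brand used as a token"))
        elif edit_distance(label, brand) <= max_distance:
            hits.append((domain, "near-miss spelling"))
    return hits

# Constructed sample feed of newly registered domains (not real data).
NEW_REGISTRATIONS = ["bank-security.com", "bamk.com", "bank.net",
                     "riverbank-cafe.org", "example.org"]

if __name__ == "__main__":
    for domain, reason in review_registrations("bank.com", NEW_REGISTRATIONS):
        print(f"{domain}: {reason}")
```

Matching on whole tokens rather than substrings keeps riverbank-cafe.org out of the results; for a brand label as short as "bank" the edit-distance rule will still match unrelated words, so hits are candidates for review, not verdicts.
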
The web page and spam email monitoring components are less useful. These features may alert
organizations to new phishing attacks, but they still have to go through the appropriate channels to close
down the phishing website. Closing down phishing websites can take as long as 15 days. During this period
end-users are still vulnerable to the phishing attack.
3. Spam Filters
Phishing emails are transmitted using normal spam mechanisms and often contain similar characteristics to
commercial spam emails. Consequently, current spam filters can be used to defend end-users against
phishing attacks.
Spam filters classify incoming mail as either spam or non-spam. Where the classification takes place
depends on the type of spam filter employed. Gateway spam filtering is normally used by large organizations
and ISPs. This type of filter judges email messages as they arrive at the mail gateway. Desktop spam filters are
also available and may be integrated or run in combination with a user's mail program. Filters of this type
judge email once it has been downloaded from the mail server.
Spam emails are often removed by filters, and no spam may be present when the end-user views or
downloads their mail. Alternatively, spam filters may simply mark suspect emails as spam. Some systems
have the ability to quarantine spam emails, and permit users to browse spam emails that have been removed.
Current spam filters aim to catch as much spam as possible whilst minimizing the number of false positives.
To achieve this, most spam filters use Bayesian filtering techniques. Bayesian filtering allows the
filter to learn and adapt over time, taking into account the latest spam emails and the user's personal
preferences. Most of today's popular email filters employ Bayesian filtering capabilities.
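
The learning behaviour described above, as an added example that is not part of the original article: a simplified naive Bayes classifier with add-one smoothing (not the exact formula of any particular filter), trained on a constructed corpus. It shows a phishing-style message being missed until the user reports one like it, while a legitimate message stays classified as non-spam. The class, function and corpus names are assumptions.

```python
import math
import re
from collections import Counter

class BayesFilter:
    """Naive Bayes over the set of tokens present in each message."""
    def __init__(self):
        self.docs_with = {"spam": Counter(), "ham": Counter()}
        self.msgs = {"spam": 0, "ham": 0}

    @staticmethod
    def tokens(text):
        return set(re.findall(r"[a-z0-9']+", text.lower()))

    def train(self, text, label):
        """Incremental update: called whenever the user marks a message."""
        self.docs_with[label].update(self.tokens(text))
        self.msgs[label] += 1

    def spam_probability(self, text):
        total = sum(self.msgs.values())
        score = {}
        for label in ("spam", "ham"):
            n = self.msgs[label]
            s = math.log((n + 1) / (total + 2))          # smoothed prior
            for t in self.tokens(text):                   # smoothed P(token | label)
                s += math.log((self.docs_with[label][t] + 1) / (n + 2))
            score[label] = s
        return 1 / (1 + math.exp(score["ham"] - score["spam"]))

# Constructed training corpus (not real mail).
SPAM = ["Cheap meds online, buy now, limited offer",
        "You won a prize, click here to claim your offer now",
        "Lowest mortgage rates, apply online now"]
HAM = ["Meeting moved to Tuesday, agenda attached",
       "Your account statement for March is attached",
       "Lunch on Friday? Let me know"]
PHISH = "Please verify your account details, your statement access is suspended"
VARIANT = "Verify your account details or access will be suspended"

def build_filter():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, "spam")
    for m in HAM:
        f.train(m, "ham")
    return f

if __name__ == "__main__":
    f = build_filter()
    print("before report:", round(f.spam_probability(VARIANT), 3))
    f.train(PHISH, "spam")  # the user reports one phishing mail
    print("after report: ", round(f.spam_probability(VARIANT), 3))
```
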
Although spam filters are often very effective, they are not infallible. Even the best filtering technology
still lets some spam through (Graham, 2003). Consequently, end-users cannot fully rely on spam filters to
remove all phishing emails from their mailbox. In addition, for a variety of reasons, many users do not use
spam filters at all. They may not currently receive enough spam to warrant the use of a spam filter. Some
users may not have the technical ability to install or configure a spam filter, or may believe that they are
prohibitively expensive. Many users may not even be aware that spam filters exist. For such reasons, spam
filters cannot be considered a complete solution to phishing emails.
4. Web browser extensions
Since phishing relies largely on deceptive Web sites, Web browsers are a natural focus for anti-phishing
measures. An early means of adding anti-phishing capabilities to Internet Explorer was the Earthlink Toolbar.
Whenever the user browses to a known phishing web site, the tool alerts them to this fact and the user is
redirected to a warning page hosted by Earthlink (Earthlink, 2006). Similar strategies for user alerting are
now appearing within mainstream Web browsers. Mozilla Firefox has a facility enabled by default that also
works by checking visited Web sites against a list of known phishing sites. In this case, the phishing site list
is automatically downloaded and regularly updated within Firefox. Since new phishing attacks may arise at
any time, an additional option allows users to check sites against an online service for more up-to-date
protection. Users may also report Web Forgery in cases where a suspect site is not detected by the
anti-phishing system. In a similar vein, Microsoft have added comparable anti-phishing features to version 7 of
Internet Explorer.
Such anti-phishing extensions to Web browsers help by alerting users to known phishing sites. This relies on
a current database of phishing website information. A system designed in this way cannot protect against all
phishing attacks, since there will always be a delay between a phishing attack going live and the database
being updated. During this delay users are not protected from the new phishing attack.