Phishing Attacks Survey: Types, Vectors, and Technical Approaches
<p>Number of unique phishing websites between 2013 and 2019.</p> "> Figure 2
<p>Targeted attack infection vectors (Anti-Phishing Working Group).</p> "> Figure 3
<p>Examples of Steam phishing attempts.</p> "> Figure 4
<p>Number of phishing papers published by year in IEEE (the Institute of Electrical and Electronics Engineers) Access.</p> "> Figure 5
<p>How media map to vectors.</p> "> Figure 6
<p>Outlines of email phishing attacks [<a href="#B13-futureinternet-12-00168" class="html-bibr">13</a>]. Reprinted by permission from Springer Link: Telecommunication Systems, (Defending against phishing attacks: taxonomy of methods, current issues and future directions, Gupta et al.), [COPYRIGHT] (2018).</p> "> Figure 7
<p>Outline of malvertizing attack.</p> "> Figure 8
<p>Outline of a man-in-the-middle attack [<a href="#B70-futureinternet-12-00168" class="html-bibr">70</a>].</p> "> Figure A1
<p>Flowchart Demonstrating the Lifecycle of a Bot.</p> "> Figure A2
<p><a href="#futureinternet-12-00168-f001" class="html-fig">Figure 1</a> from [<a href="#B62-futureinternet-12-00168" class="html-bibr">62</a>]. Described as: Formalizing the precautionary principle for n players p<sub>t</sub>, accounting for (1) a threat T<sub>t</sub> in a time period t, t = 1, 2, 3, …, (2) uncertainty Ut assessed against thresholds ε<sub>mt</sub> and ε<sub>m+1,t</sub>, m = 1,…, n − 1, (4) command M<sup>m</sup><sub>t</sub>, and (3) action A<sup>m</sup><sub>t</sub>.</p> ">
Abstract
:1. Introduction
- The medium
- The vector
- The technical approach
2. Literature Review
- Planning—this involves identifying the targets, the information sought, and creating/identifying the tools and techniques that will be used in the attack (such as emails with malicious links and the spoof sites these links direct to).
- Phishing—the stage during which the identified targets are phished using the resources created in Stage 1.
- Infiltration—depending on the method used, this stage will vary but it essentially consists of the response from the target and gaining access to the personal information sought.
- Data collection and exploitation—this is the stage at which the phisher extracts the information sought and utilizes it to achieve the ends established during the planning phase. This often involves fraud whereby the attackers impersonate the victims to access their accounts, etc. Another common occurrence is the selling of this personal data on the online black market.
- Exfiltration—finally, the phisher attempts to remove as much evidence of their attempt as possible (such as the deletion of fake sites). There may also be some analysis on the success of the attack and assessment of future attacks.
- The dragnet method
- The rod and reel method
- The lobsterpot method
- The gillnet phishing method
- (1)
- Attacks against a single element—easily done with phishing just target one of the people who has access to the element and use their credentials to destroy, edit, or copy the element.
- (2)
- Attacks against multiple elements—more difficult, but if the phisher manages to phish someone within the organization who is more senior than the people with access to the elements, they could assume their identity and utilize their authority to order the destruction of these elements.
- (3)
- Consecutive attacks—using a series of attacks to destroy elements can be achieved with phishing as the method of infiltration. However, when the attacks start, if phishing is found to be the cause, additional infiltration may become harder.
- (4)
- Random attacks—one of most common methods of phishing. Spam uses random attacks to steal the credentials of anyone who falls for the bait.
- (5)
- Combination of intentional and unintentional impacts.
3. Phishing Methods and Techniques
- The medium
- The vector
- The technical approach
3.1. Phishing Media
- Voice
- Short messaging service (SMS)/multi-media messaging (MMS)
- Internet
3.2. Phishing Vectors
3.2.1. Vishing
- Trust—telephones have a greater record of trust. In a 2007 survey, a phone call was rated the least suspicious form of communication [10].
- Automation—acceptance of automated telephone systems.
- Call centers—the extensive use of call centers means people are accustomed to strangers calling and asking for personal details. This also reduces the suspicion of phishers with foreign accents.
- Victim age—a larger share of the globally aging population is accessible through telephone than by email. This is also a demographic that is easier to manipulate.
3.2.2. Smishing
3.2.3. Email
3.2.4. EFAX
3.2.5. IM
3.2.6. Social Networks
3.2.7. Websites
3.2.8. Wi-Fi
3.3. Phishing Technical Approaches
3.3.1. Spear Phishing
- Authority—humans tend to comply with demands of authority figures demand.
- Commitment—the principle that once a human has taken a position on a topic, they feel pressured to defend that stance.
- Liking—the principle that people are more likely to do things for people they like (this may be only superficial; for instance, complying with people of their own age or sharing their interests).
- Contrast—this makes an initially unreasonable option seem more appealing because it is preferable to a choice presented in tandem with the first option.
- Reciprocity—humans like to return or reciprocate in kind objects presented to them by another.
- Scarcity—perceived value is used to entice a person to perform a desired action when the availability of this offer is limited.
- Social proof—that is, herd mentality. A person is more likely to follow the majority rather than risk making a mistake.
3.3.2. Whaling
3.3.3. BEC
3.3.4. Cross-Site Scripting (XSS)
3.3.5. Cross-Site Malicious CAPTCHA Attack
3.3.6. QRishing
3.3.7. Social Engineering
- Impersonating staff—fundamental to social engineering because appearing in a position of power increases the odds of the victim falling for the manipulation; for example, a victim is more likely to share their password with an IT employee than to a random stranger.
- Hoaxing—convincing the victim that something untrue is true. Often leading to action out of fear.
- Creating confusion—an attacker can create confusion to obtain the information they seek, especially in physical situations; for example, setting off a fire alarm may cause people to leave their PCs unlocked and unattended, providing the attacker with access.
- Reverse social engineering—this is the most subversive method of social engineering, involving significant effort to set up and plan. As a result, the attacker appears to be in a position of power or authority, and thus victims approach them to ask questions and willingly provide their personal details.
- Greed
- Fear
- Anger
- Patriotism
- Friendship
- Sense of duty
- Sense of belonging
- Sense of authority
- Philanthropy
- Vanity
3.3.8. Drive-by Download
- Proxy services
- Distribution and installation of additional malware
- Update current malware
- Scanning for exploits and vulnerabilities
- Surveillance
- Sending spam and phishing emails by acting as relays
- Redirect to phishing websites
- Pay-for-click services
- DDOS (Distributed denial of service) attacks
3.3.9. Malvertizing
3.3.10. Wiphishing
3.3.11. Browser Vulnerabilities
3.3.12. Tab-Napping
3.3.13. Typo Squatting
3.3.14. Sound Squatting
3.3.15. 404 Error Manipulation
- Create an IFRAME with the src = “Not_Found.aspx”
- Remember the present value of the history.length
- Change the src of the IFRAME to, for example, “AnnualReport_2019.doc”
- If the value of the history.length remains the same then the specified resource does not exist. If it changes then the resource exists and then hacker can map the resource found and proceed to map more resources.
3.3.16. Click Jacking
3.3.17. Malicious Browsing Extensions
3.3.18. Man-in-the-Middle
3.3.19. Mobile Phones
- SMS phishing: Phishers send victims texts with a fraudulent URL, which is disguised as a legitimate source and instructs users to send their personal information or to download a specific app.
- Call phishing: Phishers pretend to be a legitimate organization such as a bank or tax agency and instruct the user to share their personal and sensitive information.
- Social media phishing: Phishers create fake profiles to entice victims to take part in giveaways and romantic scams and then proceed to ask the victims to send large amounts of money and share their personal information.
- Application phishing: Many legitimate applications and games use advertisements as a means for users to earn rewards or increase profit. Malicious hackers can therefore use this to display their own advertisements which, when clicked on by a user, lead to opening a malicious link or downloading a malicious application.
3.3.20. GUI-Squatting
3.3.21. Session Fixation
3.3.22. JavaScript Obfuscation
4. Phishing Resources
4.1. Phishing Kits
4.2. Neosploit
4.3. Online Resources
- SecurityIQ PhishSim—this is a Software-as-a-Service (SaaS) platform which is available for free but has limited features. It contains an interactive education module and provides reports and phishing campaigns. This was developed by the InfoSec Institute.
- LUCY—this is a social engineering platform that simulates phishing attacks and provides the user with various scenarios and templates. A free version is available, but the paid version contains additional features.
- Metasploit—this is a penetration testing tool that consists of a phishing awareness management component. It also contains training for users and simulations. It was developed by the company Rapid7. Two versions are available: a free version with limited features and a Pro version that offers full functionality; the Pro version also offers a 14-day trail.
5. Current Anti-Phishing Methodologies and Techniques
- Protection—technical or organizational measures to protect a target. The anti-phishing techniques in the remainder of this section can be classified in this category.
- Multilevel defense—layered protection where the inner defenses can only be attacked when the outer ones are destroyed. This would apply when a business deploys more than one method to prevent phishing. For example, a technical prevention method like blacklisting (see Section 5.2.1) and education of employees (Section 5.1.2) as a second layer of defense. However, Hausken et al. state that the outer layer must be destroyed before the inner can be attacked, in this example the outer defense is much more likely to be circumvented rather than destroyed.
5.1. Traditional Non-Computerized Anti-Phishing Techniques
5.1.1. Legal
5.1.2. Education
5.2. Technical Anti-Phishing Techniques
5.2.1. Black and White Listing
5.2.2. Heuristic Detection
5.2.3. Visual Similarity Detection
5.2.4. Machine Learning
6. Phishing and Cyber Resilience
7. Discussion of Current Challenges and Trends in Phishing Attacks
8. Conclusions
Funding
Conflicts of Interest
Appendix A
Appendix B
Appendix C
Phishing Method | Author | Year | Samples | Country |
---|---|---|---|---|
Vishing | E. O. Yeboah-Boateng and P. M. Amanor | 2014 | Mrs. Sinclair | United Kingdom |
G. Ollmann | 2007 | |||
M. Jakobsson | 2007 | |||
Whaling | A. Shankar, R. Shetty, and B. Nath | 2019 | Perpetrator: Evaldas Rimasauskas Victim: two US-based companies | Perpetrator: Lithuania Victims: United States |
J. Hong | 2012 | |||
T. Dakpa and P. Augustine | 2017 | |||
BEC | Anti-Phishing working group | 2019 | Victims: multi-national companies | International |
I. C. C. (IC3) Federal Bureau of Investigation (FBI) | 2019 | |||
M. Jakobsson | 2019 | |||
K. M. Bakarich and D. Baranek | 2019 | |||
S. Mansfield-Devine | 2016 | |||
S. Aviv, Y. Levy, L. Wang, and N. Geri | 2019 | |||
Cross-Site Scripting | L. K. Shar and H. B. K. Tan | 2018 | Victim: eBay | International |
P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna | 2007 | |||
Cross-Site Malicious Captcha Attack | N. Gelernter and A. Herzberg | 2016 | Victim: N/A | International |
QRishing | C. Joshi | 2019 2013 | Victim: QR code users | International |
T. Vidas, E. Owusu, S. Wang, C. Zeng, L. F. Cranor, and N. Christin | ||||
Social Engineering | K. D. Mitnick and W. L. Simon | 2003 | Victim: holiday shoppers | International |
G. Harl | 1997 | |||
M. Hasan, N. Prajapati, and S. Vohara | 2010 | |||
B. Christensen | 2014 | |||
P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge | 2007 | |||
R. Heartfield and G. Loukas | 2015 | |||
Drive-by Download | M. Cova, C. Kruegel, and G. Vigna | 2010 | Victim: Onlinevideoconverter.com Users | International |
V. L. Le, I. Welch, X. Gao, and P. Komisarczuk | 2013 | |||
Z. Zhaosheng, J. F. Zhi, L. Guohan, R. Phil, C. Yan, and H. Keesook | 2008 | |||
J. Milletary | 2005 | |||
J. Nazario and T. Holz | 2008 | |||
R. Puri | 2003 | |||
T. Moore and R. Clayton | 2007 | |||
M. T. Banday and J. A. Qadri | 2007 | |||
Malvertizing | T. Nagunwa | 2014 | Victim: Onlinevideoconverter.com Users | International |
A. K. Sood and R. J. Enbody | 2011 | |||
C. Dwyer and A. Kanguri | 2017 | |||
Wiphishing | J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor | 2009 | Perpetrators: Russian military agency, GRU Victims: international anti-doping agencies | International |
F. Lanze, A. Panchenko, I. Ponce-Alcaide, and T. Engel | 2015 | |||
Browser Vulnerabilities | P. Satish and R. Chavan, | 2017 | Victim: Google Chrome users | International |
Tab-Napping | A. MahaLakshmi, N. Swapna Goud, and Dr. G. Vishnu Murthy | 2018 | Victim: internet browser users | International |
SQL Injection | J. Clark | 2012 | Perpetrators: Vladimir Drinkman, Alexandr Kalinin, Roman Kotov, Mikhail Rytikov, Smilianets Victim: Heartland Payment Systems | Perpetrators: Russia Victim: United States |
K. Ahmad | 2010 | |||
Typo-Squatting | J. Spaulding, A. R. Kang, S. Upadhyaya, and A. Mohaisen | 2016 | Victim: internet users | International |
Sound-Squatting | J. Spaulding, A. R. Kang, S. Upadhyaya, and A. Mohaisen | 2016 | Victim: virtual assistant users (e.g., Amazon Alexa) | International |
404 Error Manipulation | A. Roichman | 2010 | Victim: Cloudflare users | International |
Cloud Computing | Vayansky, Ike & Kumar, Sathish | 2018 | Victim: Office 365 users | International |
P. Suryateja | 2018 | |||
Click Jacking | D. Kavitha | 2015 | Victim: Facebook users | International |
Malicious Browser Extensions | L. F. DeKoven, S. Savage, G. M. Voelker, and N. Leontiadis | 2017 | Victim: internet browser users | International |
Man-in-the-Middle | F. Callegati, W. Cerroni and M. Ramilli | 2009 | Victims: medium and large European companies | International |
A. Mallik, A. Ahsan, M. M. Z. Shahadat and J. C. Tsou | 2019 | |||
X. Liang, S. Shetty, L. Zhang, C. Kamhoua and K. Kwiat | 2017 | |||
R. Jabir, S. Khanji, L. Ahmad, O. Alfandi and H. Said | 2016 | |||
Mobile Phone | G. Kumar | 2016 | Victims: Android users | International |
B. Amro | 2018 | |||
Session Fixation | P. Shital and R. Chavan | 2017 | Victims: iOS users | International |
M. Johns, B. Braun, M. Schrank and J. Posegga | 2010 | |||
Javascript Obfuscation | P. Likarish, E. Jung and I. Jo | 2009 | Victims: users who were sent a link | International |
A. A. Orunsolu and A. S. Sodiya | 2017 |
References
- Stavroulakis, P.; Stamp, M. (Eds.) Handbook of Information and Communication Security; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2010. [Google Scholar]
- Jakobsson, M.; Myers, S. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft; Wiley: Hoboken, NJ, USA, 2006. [Google Scholar]
- Rekouche, K. Early Phishing. arXiv 2011, arXiv:1106.4692. [Google Scholar]
- Rader, M.A.; Rahman, S.M. Phishing Techniques and Mitigating the Associated Security Risks. Int. J. Netw. Secur. Appl. 2013, 5, 23–41. [Google Scholar] [CrossRef] [Green Version]
- Symantec. ISTR Internet Security Threat Report 2019. Symantec 2019, 24, 61. Available online: https://docs.broadcom.com/doc/istr-15-april-volume-20-en (accessed on 15 December 2019).
- Symantec. ISTR Internet Security Threat Report 2015. Symantec 2015, 20. Available online: https://docs.broadcom.com/doc/istr-24-2019-en (accessed on 15 December 2019).
- Anti Phishing Working Group. Phishing Activity Trends Report: 3rd Quarter2019. 2019. Available online: https://docs.apwg.org/reports/apwg_trends_report_q3_2019.pdf (accessed on 15 December 2019).
- APWG. Phishing Activity Trends Reports. Available online: https://apwg.org/trendsreports/ (accessed on 27 December 2019).
- Symantec. ISTR Internet Security Threat Report Volume 23. 2018. Available online: https://www.phishingbox.com/assets/files/images/Symantec-Internet-Security-Threat-Report-2018.pdf (accessed on 15 December 2019).
- IBM. IBM X-Force Threat Intelligence Index 2019. 2019. Available online: https://www.securindex.com/downloads/8b9f94c46a70c60b229b04609c07acff.pdf (accessed on 15 December 2019).
- ICC (IC3)/Federal Bureau of Investigation (FBI). Internet Crime Report 2018. 2018. Available online: https://www.fbi.gov/news/stories/ic3-releases-2018-internet-crime-report-042219 (accessed on 20 December 2019).
- Seals, T. Elder Scrolls Online Targeted by Cybercrooks Hunting In-Game Loot. Threatpost 2019. Available online: https://threatpost.com/elder-scrolls-online-cybercrooks-in-game-loot/150934/ (accessed on 20 December 2019).
- Zetter, K. Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid. WIRED 2018. Available online: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/ (accessed on 20 December 2019).
- Chiew, K.L.; Yong, K.S.C.; Tan, C.L. A survey of phishing attacks: Their types, vectors and technical approaches. Expert Syst. Appl. 2018, 106, 1–20. [Google Scholar] [CrossRef]
- Shankar, A.; Shetty, R.; Nath, B. A Review on Phishing Attacks. Int. J. Appl. Eng. Res. 2019, 14, 2171–2175. [Google Scholar]
- Shaikh, A.N.; Shabut, A.M.; Hossain, M.A. A literature review on phishing crime, prevention review and investigation of gaps. In Proceedings of the 2016 10th International Conference on Software, Knowledge, Information Management and Applications (SKIMA 2016), Chengdu, China, 15–17 December 2016; pp. 9–15. [Google Scholar]
- Chaudhary, G.K. Development Review on Phishing: A Computer Security Threat. Int. J. Adv. Res. Comput. Sci. Manag. Stud. 2014, 2, 55–64. [Google Scholar]
- Suganya, V. A Review on Phishing Attacks and Various Anti Phishing Techniques. Int. J. Comput. Appl. 2016, 139, 20–23. [Google Scholar] [CrossRef]
- Purkait, S. Phishing counter measures and their effectiveness—Literature review. Inf. Manag. Comput. Secur. 2012, 20, 382–420. [Google Scholar] [CrossRef]
- Mohammad, R.M.; Thabtah, F.; McCluskey, L. Tutorial and critical analysis of phishing websites methods. Comput. Sci. Rev. 2015, 17, 1–24. [Google Scholar] [CrossRef] [Green Version]
- Atkins, B.; Huang, W. A Study of Social Engineering in Online Frauds. Open J. Soc. Sci. 2013, 1, 23–32. [Google Scholar] [CrossRef] [Green Version]
- Krombholz, K.; Hobel, H.; Huber, M.; Weippl, E. Advanced social engineering attacks. J. Inf. Secur. Appl. 2015, 22, 113–122. [Google Scholar] [CrossRef]
- Singh, N.P. Online Frauds in Banks with Phishing. J. Internet Bank. Commer. 2007, 12, 1–27. [Google Scholar]
- Hausken, K.; Levitin, G. Review of systems defense and attack models. Int. J. Perform. Eng. 2012, 8, 355–366. [Google Scholar]
- Chawki, M. Phishing in Cyberspace: Issues and Solutions. 2006. Available online: http://www.crime-research.org/articles/phishing-in-cyberspace-issues-and-solutions (accessed on 17 December 2019).
- Skog, R.; Torok, E. Multimedia Messaging Service Routing System and Method. U.S. Patent 6947738B2, 20 September 2005. [Google Scholar]
- El-Fishawy, S.; Othmer, K. Delivery of Voice Data from Multimedia Messaging Service Messages. U.S. Patent 7,133,687 B1, 7 November 2006. [Google Scholar]
- Wang, Y.; Streff, K.; Raman, S. Smartphone security challenges. Computer 2012, 45, 52–58. [Google Scholar] [CrossRef]
- Kleinrock, L. Comments on ‘an early history of the internet’. IEEE Commun. Mag. 2011, 49, 12. [Google Scholar]
- Frauenstein, E.D.; Flowerday, S.V. Social network phishing: Becoming habituated to clicks and ignorant to threats? In Proceedings of the 2016 Information Security for South Africa (ISSA), Johannesburg, South Africa, 17–18 August 2016; pp. 98–105. [Google Scholar]
- Yeboah-Boateng, E.O.; Amanor, P.M. Phishing, SMiShing & Vishing: An Assessment of Threats against Mobile Devices. J. Emerg. Trends Comput. Inf. Sci. 2014, 5, 297–307. [Google Scholar]
- Jakobsson, M. The Human Factor in Phishing. Priv. Secur. Consum. Inf. 2007, 7, 1–19. [Google Scholar]
- Jamil, A.; Asif, K.; Ghulam, Z.; Nazir, M.K.; Alam, S.M.; Ashraf, R. MPMPA: A Mitigation and Prevention Model for Social Engineering Based Phishing attacks on Facebook. In Proceedings of the 2018 IEEE International Conference on Big Data (Big Data), Seattle, WA, USA, 10–13 December 2018; pp. 5040–5048. [Google Scholar]
- Caputo, D.D.; Pfleeger, S.L.; Freeman, J.D.; Johnson, M.E. Going spear phishing: Exploring embedded training and awareness. IEEE Secur. Priv. 2014, 12, 28–38. [Google Scholar] [CrossRef]
- Heartfield, R.; Loukas, G. A Taxonomy of Attacks and a Survey of Defense Mechanisms for Semantic Social Engineering Attacks. ACM Comput. Surveys 2015. [Google Scholar] [CrossRef]
- Lin, T.; Capecci, D.E.; Ellis, D.M.; Rocha, H.A.; Dommaraju, S.; Oliveira, D.S.; Ebner, N.C. Susceptibility to Spear-Phishing Emails: Effects of Internet User Demographics and Email Content. ACM Trans. Comput. Interact. 2019, 26, 32. [Google Scholar] [CrossRef]
- Oliveira, D.; Rocha, H.; Yang, H.; Ellis, D.; Dommaraju, S.; Muradoklu, M.; Weir, D.; Soliman, A.; Lin, T.; Ebner, N.; et al. Dissecting spear phishing emails for older vs young adults: On the interplay of weapons of influence and life domains in predicting susceptibility to phishing. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, Denver, CO, USA, 6–11 May 2017; Volume 2017, pp. 6412–6424. [Google Scholar]
- Tankard, C. Advanced Persistent threats and how to monitor and deter them. Netw. Secur. 2011, 2011, 16–19. [Google Scholar] [CrossRef]
- Hong, J. The Current State of Phishing Attacks. Commun. ACM 2012, 55, 74–81. [Google Scholar] [CrossRef]
- Dakpa, T.; Augustine, P. Study of Phishing Attacks and Preventions. Int. J. Comput. Appl. 2017, 163, 5–8. [Google Scholar] [CrossRef]
- Jakobsson, M. The Rising Threat of Launchpad Attacks. IEEE Secur. Priv. 2019, 17, 68–72. [Google Scholar] [CrossRef]
- Bakarich, K.M.; Baranek, D. Something Phish-y is Going On Here: A Teaching Case on Business Email Compromise. Curr. Issues Audit. 2019, 14, A1–A9. [Google Scholar] [CrossRef]
- Mansfield-Devine, S. The imitation game: How business email compromise scams are robbing organisations. Comput. Fraud Secur. 2016, 2016, 5–10. [Google Scholar] [CrossRef]
- Aviv, S.; Levy, Y.; Wang, L.; Geri, N. An expert assessment of corporate professional users to measure business email compromise detection skills and develop a knowledge and awareness training program. In Proceedings of the 14th Pre-ICIS Workshop on Information Security and Privacy, Munich, Germany, 15 December 2019. [Google Scholar]
- Shar, L.K.; Tan, H.B.K. Defending Against Cross Site Scripting Attacks. IEEE Comput. Soc. 2018, 45, 55–62. [Google Scholar] [CrossRef]
- Vogt, P.; Nentwich, F.; Jovanovic, N.; Kirda, E.; Kruegel, C.; Vigna, G. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS 2007), San Diego, CA, USA, 28 February–2 March 2007. [Google Scholar]
- Gelernter, N.; Herzberg, A. Tell me about yourself: The malicious CAPTCHA Attack. In Proceedings of the 25th International World Wide Web Conference (WWW 2016), Montréal, QC, Canada, 11–15 April 2016; pp. 999–1008. [Google Scholar]
- Joshi, C. QR Codes in E-Commerce: 7 Ways Amazon is Getting It Right! Beaconstac 2019. Available online: https://blog.beaconstac.com/2019/04/qr-codes-in-e-commerce-ways-amazon-is-getting-it-right/ (accessed on 21 December 2019).
- Vidas, T.; Owusu, E.; Wang, S.; Zeng, C.; Cranor, L.F.; Christin, N. QRishing: The susceptibility of smartphone users to QR code phishing attacks. In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Springer: Berlin/Heidelberg, Germany, 2013; Volume 7862, pp. 52–69. [Google Scholar]
- Mitnick, K.D.; Simon, W.L. The Art of Deception: Controlling the Human Element in Security; Wiley: Hoboken, NJ, USA, 2003; ISBN 978-0-471-23712-9. [Google Scholar]
- Harl, G. People Hacking—The Psychology of Social Engineering. Text of Harl’s Talk at Access All Areas III. 1997. Available online: https://barzha.cyberpunk.us/lib/cin/se10.html (accessed on 21 December 2019).
- Hasan, M.; Prajapati, N.; Vohara, S. Case Study On Social Engineering Techniques for Persuasion. Int. J. Appl. Graph Theory Wirel. Ad Hoc Netw. Sens. Netw. 2010, 2, 17–23. [Google Scholar] [CrossRef]
- Christensen, B. PHISHING SCAM—‘Request to Terminate Microsoft Account’. Hoax-Slayer. 2014. Available online: https://www.hoax-slayer.net/phishing-scam-request-to-terminate-microsoft-account/ (accessed on 21 December 2019).
- Kumaraguru, P.; Rhee, Y.; Acquisti, A.; Cranor, L.F.; Hong, J.; Nunge, E. Protecting people from phishing: The design and evaluation of an embedded training email system. In Proceedings of the 2007 Conference on Human Factors in Computing Systems (CHI 2007), San Jose, CA, USA, 28 April–3 May 2007; pp. 905–914. [Google Scholar]
- Cova, M.; Kruegel, C.; Vigna, G. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th International Conference on World Wide Web (WWW 2010), Raleigh, NC, USA, 26–30 April 2010; pp. 281–290. [Google Scholar]
- Le, V.L.; Welch, I.; Gao, X.; Komisarczuk, P. Anatomy of Drive-by Download Attack. In Proceedings of the Proceedings of the Eleventh Australasian Information Security Conference—Volume 138; Australian Computer Society, Inc.: Adelaide, Australia, 2013; pp. 49–58. [Google Scholar] [CrossRef]
- Zhaosheng, Z.; Zhi, J.F.; Guohan, L.; Phil, R.; Yan, C.; Keesook, H. Botnet research survey. In Proceedings of the 2008 32nd Annual IEEE International Computer Software and Applications Conference, Turku, Finland, 28 July–1 August 2008; pp. 967–972. [Google Scholar]
- Milletary, J. Technical Trends in Phishing Attacks. Available online: https://resources.sei.cmu.edu/asset_files/WhitePaper/2005_019_001_50315.pdf (accessed on 21 December 2019).
- Nazario, J.; Holz, T. As the net churns: Fast-flux botnet observations. In Proceedings of the 3rd International Conference on Malicious and Unwanted Software (MALWARE 2008), Fairfax, VI, USA, 7–8 October 2008; pp. 24–31. [Google Scholar]
- Puri, R. Bots & Botnet: An Overview. SANS Institute. 2003. Puri, R. (2003). Bots & Botnet: An Overview. Available online: https://www.sans.org/reading-room/whitepapers/malicious/bots-botnet-overview-1299 (accessed on 21 December 2019).
- Moore, T.; Clayton, R. Examining the impact of website take-down on phishing. In Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit on—eCrime ’07; ACM Press: New York, NY, USA, 2007; Volume 269, pp. 1–13. [Google Scholar] [CrossRef]
- Hausken, K. The Precautionary Principle as Multi-Period Games Where Players Have Different Thresholds for Acceptable Uncertainty. 2020. Available online: https://doi.org/10.1016/j.ress.2020.107224 (accessed on 21 December 2019).
- Banday, M.T.; Qadri, J.A. Phishing—A Growing Threat to E-Commerce. Bus. Rev. 2011, 12, 76–83. [Google Scholar]
- Nagunwa, T. Behind Identity Theft and Fraud in Cyberspace: The Current Landscape of Phishing Vectors. Int. J. Cyber-Secur. Digit. Forensics 2014, 3, 72–83. [Google Scholar] [CrossRef] [Green Version]
- Sood, A.K.; Enbody, R.J. Malvertising—Exploiting web advertising. Comput. Fraud Secur. 2011, 2011, 11–16. [Google Scholar] [CrossRef]
- Dwyer, C.; Kanguri, A. Malvertising—A Rising Threat to The Online Ecosystem. J. Inf. Syst. Appl. Res. 2017, 10, 29–37. [Google Scholar]
- Sunshine, J.; Egelman, S.; Almuhimedi, H.; Atri, N.; Cranor, L.F. Crying Wolf: An Empirical Study of SSL Warning Effectivenes. In Proceedings of the 18th USENIX Security Symposium, Montreal, QC, Canada, 10–14 August 2009. [Google Scholar]
- Lanze, F.; Panchenko, A.; Ponce-Alcaide, I.; Engel, T. Hacker’s toolbox: Detecting software-based 802.11 evil twin access points. In Proceedings of the 2015 12th Annual IEEE Consumer Communications and Networking Conference (CCNC 2015), Las Vegas, NV, USA, 9–12 January 2015; pp. 225–232. [Google Scholar]
- Kumar, D.; Paccagnella, R.; Murley, P.; Hennenfent, E.; Mason, J.; Bates, A.; Bailey, M. Emerging Threats in Internet of Things Voice Services. IEEE Secur. Priv. 2019, 17, 18–24. [Google Scholar] [CrossRef]
- Raam, M. Cain and Abel—Man in the Middle (MITM) Attack Tool Explained. 2019. Available online: https://cybersguards.com/cain-and-abel-man-in-the-middle-mitm-attack-tool-explained/ (accessed on 27 December 2019).
- Chen, S.; Fan, L.; Chen, C.; Xue, M.; Liu, Y.; Xu, L. GUI-Squatting Attack: Automated Generation of Android Phishing Apps. IEEE Trans. Dependable Secur. Comput. 2019. [Google Scholar] [CrossRef]
- Qabajeh, I.; Thabtah, F.; Chiclana, F. A recent review of conventional vs. automated cybersecurity anti-phishing techniques. Comput. Sci. Rev. 2018, 29, 44–55. [Google Scholar] [CrossRef]
- Misra, G.; Arachchilage, N.A.G.; Berkovsky, S. Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks. arXiv 2017, arXiv:1710.06064. [Google Scholar]
- Siadati, H.; Palka, S.; Siegel, A.; McCoy, D. Measuring the effectiveness of embedded phishing exercises. In Proceedings of the 10th USENIX Workshop on Cyber Security Experimentation and Test (CSET 2017), Vancouver, BC, Canada, 14 August 2017; Available online: https://www.researchgate.net/publication/319128761_Measuring_the_Effectiveness_of_Embedded_Phishing_Exercises (accessed on 21 December 2019).
- Alghoul, A.; Al Ajrami, S.; Al Jarousha, G.; Harb, G.; Abu-Naser, S.S. Email Classification Using Artificial Neural Network. Int. J. Acad. Eng. Res. 2018, 2, 8–14. [Google Scholar]
- Ying, P.; Xuhua, D. Anomaly based web phishing page detection. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), Miami Beach, FL, USA, 11–15 December 2006; pp. 381–390. [Google Scholar]
- Somesha, M.; Pais, A.R.; Rao, R.S.; Rathour, V.S. Efficient deep learning techniques for the detection of phishing websites. Sadhana Acad. Proc. Eng. Sci. 2020, 45. [Google Scholar] [CrossRef]
- Hausken, K. Cyber resilience in firms, organizations and societies. Internet Things 2020, 11, 100204. [Google Scholar] [CrossRef]
- Bier, V.; Gutfraind, A. Risk analysis beyond vulnerability and resilience—Characterizing the defensibility of critical systems. Eur. J. Oper. Res. 2019, 276, 626–636. [Google Scholar] [CrossRef] [Green Version]
- Bostick, T.P.; Connelly, E.B.; Lambert, J.H.; Linkov, I. Resilience science, policy and investment for civil infrastructure. Reliab. Eng. Syst. Saf. 2018, 175, 19–23. [Google Scholar] [CrossRef]
- Jain, A.K.; Gupta, B.B. Phishing Detection: Analysis of Visual Similarity Based Approaches. Secur. Commun. Netw. 2017, 2017, 5421046. [Google Scholar] [CrossRef] [Green Version]
- Anti Phishing Working Group. Phishing Activity Trends Report: 4th Quater 2019. 2019. Available online: https://docs.apwg.org/reports/apwg_trends_report_q4_2019.pdf (accessed on 21 December 2019).
- Anti Phishing Working Group. Phishing Activity Trends Report: 2nd Quater 2020. 2020. Available online: https://docs.apwg.org/reports/apwg_trends_report_q2_2020.pdf (accessed on 21 December 2019).
- Dupuis, M.; Geiger, T.; Slayton, M.; Dewing, F. The use and non-use of cybersecurity tools among consumers: Do they want help? In Proceedings of the 20th Annual Conference on Information Technology Education (SIGITE 2019), Tacoma, WA, USA, 3–5 October 2019; Volume 19, pp. 81–86. [Google Scholar] [CrossRef]
- Goel, D.; Jain, A.K. Mobile Phishing Attacks and Defence Mechanisms: State of Art and Open Research Challenges. Comput. Secur. 2018, 73, 519–544. [Google Scholar] [CrossRef]
- Gutierrez, C.N.; Kim, T.; Della Corte, R.; Avery, J.; Goldwasser, D.; Cinque, M.; Bagchi, S. Learning from the Ones That Got Away: Detecting New Forms of Phishing Attacks. IEEE Trans. Dependable Secur. Comput. 2018, 15, 988–1001. [Google Scholar] [CrossRef]
- Hausken, K. Security investment, hacking, and information sharing between firms and between hackers. Games 2017, 8, 23. [Google Scholar] [CrossRef] [Green Version]
- Wen, Z.A.; Lin, Z.; Chen, R.; Andersen, E. What.Hack: Engaging Anti-Phishing Training Through a Role-playing Phishing Simulation Game. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems—CHI ’19; ACM Press: Scotland, UK, 2019; pp. 1–12. [Google Scholar] [CrossRef]
- Hausken, K. A cost–benefit analysis of terrorist attacks. Def. Peace Econ. 2018, 29, 111–129. [Google Scholar] [CrossRef]
- Verma, P.; Goyal, A.; Gigras, Y. Email Phishing: Text Classification Using Natural Language Processing. Comput. Sci. Inf. Technol. 2020, 1, 1–12. [Google Scholar] [CrossRef]
- Kumar, A.; Chatterjee, J.; Díaz, V.G. A Novel Hybrid Approach of SVM Combined with NLP and Probabilistic Neural Network for Email Phishing. Int. J. Electr. Comput. Eng. 2020, 10, 486–493. [Google Scholar] [CrossRef]
- Verizon Verizon: 2019 Data Breach Investigations Report. Comput. Fraud Secur. 2019, 2019, 4. [CrossRef]
© 2020 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Alabdan, R. Phishing Attacks Survey: Types, Vectors, and Technical Approaches. Future Internet 2020, 12, 168. https://doi.org/10.3390/fi12100168
Alabdan R. Phishing Attacks Survey: Types, Vectors, and Technical Approaches. Future Internet. 2020; 12(10):168. https://doi.org/10.3390/fi12100168
Chicago/Turabian StyleAlabdan, Rana. 2020. "Phishing Attacks Survey: Types, Vectors, and Technical Approaches" Future Internet 12, no. 10: 168. https://doi.org/10.3390/fi12100168
APA StyleAlabdan, R. (2020). Phishing Attacks Survey: Types, Vectors, and Technical Approaches. Future Internet, 12(10), 168. https://doi.org/10.3390/fi12100168