Fraud and Identity Theft Issues

Identity theft and identity fraud are terms for all types of crime in which someone wrongfully obtains and uses another person's personal data in a way that involves fraud or deception, typically for economic gain. Although later chapters discuss a range of other attacks, this chapter focuses on phishing, a form of indirect attack: for example, sending an e-mail to a user that falsely claims to come from an established, legitimate enterprise in an attempt to scam the user into surrendering private information that will then be used for identity theft. The e-mail directs the user to a Web site where they are asked to "update" personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already holds. Phishing attacks use "spoofed" e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, and social security numbers. The chapter analyzes the vulnerabilities exploited by various phishing methods, such as domain name spoofing, URL obfuscation, deceptive e-mails, spoofed DNS and IP addresses, and cross-site scripting, and concludes that an integrated approach is required to mitigate phishing attacks.
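The URL obfuscation and domain name spoofing techniques the abstract names are the ones a mail gateway or browser toolbar typically screens for. The following is an added example, not code from the chapter: a small heuristic checker that flags the common lure patterns (credentials placed before the real host, a raw IP address instead of a domain, a protected brand name appearing in a URL whose registrable domain is unrelated, unusually deep subdomain chains, percent-encoded or punycode hosts). The `PROTECTED_BRANDS` table and the sample URLs are constructed for the demonstration; `examplebank.com` is a placeholder brand.

```python
"""Heuristic checks for the URL obfuscation patterns phishing lures rely on.

Added illustration; not code from the chapter. The brand table and the
sample URLs below are constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List
from urllib.parse import urlparse

# Brands a gateway might protect, mapped to their genuine registrable domain.
# Constructed sample entry; a real deployment would load its own list.
PROTECTED_BRANDS: Dict[str, str] = {"examplebank": "examplebank.com"}


def _host_is_ip(host: str) -> bool:
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for the demonstration; production code would use the
    Public Suffix List to handle names like example.co.uk correctly.
    """
    return ".".join(host.split(".")[-2:])


def analyze_url(url: str) -> List[str]:
    """Return the reasons a URL looks like a phishing lure (empty list = clean)."""
    reasons: List[str] = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()

    # 1. Userinfo before the host: "http://www.examplebank.com@198.51.100.7/"
    #    The part before '@' is a username, not the destination the user sees.
    if parsed.username is not None:
        reasons.append("userinfo before host hides real destination")

    # 2. Raw IP address instead of a domain name.
    if _host_is_ip(host):
        reasons.append("host is a raw IP address")

    # 3. Protected brand name present, but the registrable domain is not the brand's.
    for brand, real_domain in PROTECTED_BRANDS.items():
        if brand in url.lower() and _registrable_domain(host) != real_domain:
            reasons.append(f"brand '{brand}' appears but host is {host or 'n/a'}")

    # 4. Deep subdomain chains push the real domain out of the visible address bar.
    if host.count(".") >= 4:
        reasons.append("unusually deep subdomain chain")

    # 5. Percent-encoding in the authority part is decoded by browsers, so it
    #    can hide characters from a reader of the raw link.
    if "%" in parsed.netloc:
        reasons.append("percent-encoding in host part")

    # 6. Punycode / non-ASCII host: candidate for a homograph of a known brand.
    if host.startswith("xn--") or any(ord(c) > 127 for c in host):
        reasons.append("IDN / punycode host (possible homograph)")

    return reasons


def scan(urls: List[str]) -> Dict[str, List[str]]:
    """Run analyze_url over a batch and keep only the URLs that raised reasons."""
    return {u: r for u in urls for r in [analyze_url(u)] if r}


if __name__ == "__main__":
    # Constructed sample links, as they might appear in quarantined mail.
    SAMPLE_LINKS = [
        "https://www.examplebank.com/login",
        "http://www.examplebank.com@198.51.100.7/login",
        "http://examplebank.com.secure-login.example/verify",
    ]
    for link, why in scan(SAMPLE_LINKS).items():
        print(link)
        for reason in why:
            print("   -", reason)
```

The checks are deliberately conservative heuristics meant to feed a score or a warning, not to block on their own; the abstract's point that an integrated approach is needed applies here too, since each rule alone is easy to sidestep and some legitimate links (IP-literal intranet hosts, long CDN hostnames) will trip individual rules.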
