Phishing Attacks: A Recent Comprehensive Study and a New Anatomy

With the significant growth of internet usage, people increasingly share their personal information online. As a result, an enormous amount of personal information and financial transactions become vulnerable to cybercriminals. Phishing is an example of a highly effective form of cybercrime that enables criminals to deceive users and steal important data. Since the first reported phishing attack in 1990, it has evolved into a more sophisticated attack vector. At present, phishing is considered one of the most common forms of fraud on the Internet. Phishing attacks can lead to severe losses for their victims, including the loss of sensitive information, identity theft, and the exposure of company and government secrets. This article aims to evaluate these attacks by identifying the current state of phishing and reviewing existing phishing techniques. Previous studies have classified phishing attacks according to fundamental phishing mechanisms and countermeasures, disregarding the importance of the end-to-end lifecycle of phishing. This article proposes a new, detailed anatomy of phishing which covers attack phases, attacker types, vulnerabilities, threats, targets, attack mediums, and attacking techniques. Moreover, the proposed anatomy will help readers understand the lifecycle of a phishing attack, which in turn will increase awareness of these attacks and the techniques being used; it also helps in developing a holistic anti-phishing system. Furthermore, some precautionary countermeasures are investigated, and new strategies are suggested.
