PHISHING WITHIN E-COMMERCE:
REDUCING THE RISK, INCREASING THE TRUST
by
Gregory M. Megaw
Dissertation
submitted in fulfilment of the requirements for the degree
Masters of Commerce
in
Information Systems
in the
Faculty of Management and Commerce
of the
University of Fort Hare
Supervisor: Dr. Stephen Flowerday
Abstract
E-Commerce has been plagued with problems since its inception and this study examines one of these problems: the lack of user trust in E-Commerce created by the risk of phishing. Phishing has grown exponentially together with the expansion of the Internet. This growth and the advancement of technology have not only benefitted honest Internet users, but have enabled criminals to increase their effectiveness, which has caused considerable damage to this budding area of commerce. Moreover, it has negatively impacted both the user and online business by breaking down the trust relationship between them. In an attempt to explore this problem, the following was considered. First, E-Commerce’s vulnerability to phishing attacks: by referring to the Common Criteria Security Model, various critical security areas within E-Commerce are identified, as well as the areas of vulnerability and weakness. Second, the methods and techniques used in phishing, such as phishing e-mails, websites and addresses, distributed attacks and redirected attacks, as well as the data that phishers seek to obtain, are examined. Furthermore, the way to reduce the risk of phishing and in turn increase the trust between users and websites is identified. Here the importance of trust, the Uncertainty Reduction Theory and the fine balance between trust and control are explored. Finally, the study presents Critical Success Factors that aid in phishing prevention and control, these being: User Authentication, Website Authentication, E-mail Authentication, Data Cryptography, Communication, and Active Risk Mitigation.
Keywords: Phishing, Anti-Phishing, E-Commerce, Vulnerability, Trust, Risk, Critical Success Factors, Phishing E-mail, Security.
Acknowledgements
I would like to express my sincere gratitude and appreciation to my supervisor, Dr. Stephen Flowerday, for his valued advice, guidance, teaching, and encouragement towards the finalisation of my dissertation.
I also want to thank Lauren Wainwright, for all her time and effort in providing her language editing and proof reading skills. Her contribution is much appreciated.
I would like to express further gratitude to my friends and family for all their endless support, love and understanding throughout the dissertation process, and for all their help in ensuring the submission of the final dissertation.
I am grateful to the experts and reviewers who participated in this study, and who contributed to the achievement of its objectives.
Finally, I would like to thank my Lord and Saviour, father and friend, Jesus, who has been my strength and perseverance, and who has helped me every step of the way in completing this thesis.
Declaration
I, Mr Gregory M. Megaw, hereby declare that:
• The work in this dissertation is my own work.
• All sources used or referred to have been documented and recognised.
• This dissertation has not previously been submitted in full or partial fulfilment of the requirements for an equivalent or higher qualification at any other recognised educational institution.
________________________________________ Mr Gregory M. Megaw
Table of Contents
Abstract
Acknowledgements
Declaration
List of Figures
List of Tables
CHAPTER 1: THE PROBLEM AND ITS SETTING
1.1. General Area of Research
1.2. Statement of Problem
1.3. Objective of the Study
1.4. Significance of the Study
1.5. Initial Review of Related Literature
1.6. Research Design
1.6.1. Design Science
1.6.2. Research Methodology
1.7. Delimitation of the Study
1.8. Outline of Proposed Chapters
CHAPTER 2: E-COMMERCE VULNERABILITY TO PHISHING ATTACKS
2.1. Introduction
2.2. The E-Commerce Environment: Vulnerability Models
2.2.1. The Common Criteria Security Model
2.2.2. The Internet Threat Model
2.3. Vulnerabilities in an Online Environment
2.3.1. Vulnerability Vector A: The Expansion of Technology
2.3.2. Vulnerability Vector B: Weaknesses in Information Security
2.3.3. Vulnerability Vector C: Online Users (The Customers of E-Commerce)
2.3.4. Vulnerability Vector D: Website and Web Browser Vulnerabilities
2.3.5. Vulnerability Vector E: E-mail Communication Channel
2.3.6. Vulnerability Vector F: Other Countermeasure Weaknesses
CHAPTER 3: PHISHING – METHODS AND TECHNIQUES
3.1. Introduction
3.2. Phishing: A Definition
3.3. Phishing: A Social and Technical Problem
3.4. Entities Involved in Phishing Attacks
3.4.1. The Circle of Phishing
3.5. Phishing Attack Analysis
3.5.1. Phishing Components
3.6. The Phishing Attack Process
3.6.1. PHASE 1 – The Planning Phase
3.6.2. PHASE 2 – The Attack Phase
3.6.3. PHASE 3 – The Cashing Phase
3.7. Conclusion
CHAPTER 4: REDUCING THE RISK, INCREASING THE TRUST
4.1. Introduction
4.2. The Importance of Increasing Trust
4.3. Trustworthiness
4.4. Dimensions of On-Line Trust
4.4.1. Generality
4.4.2. Kinds
4.4.3. Degrees
4.4.4. Stages
4.5. Online Trust Model Illustrating Trust Dimensions
4.5.1. External Factors
4.5.2. Perceived Factors
4.6. Trust and the Uncertainty Reduction Theory
4.7. The Balance of Trust and Control
4.8. Controls to Govern Trust and Manage the Phishing Risk
4.8.1. iTrustPage
4.8.2. Delayed Password Disclosure
4.8.3. Password Re-Use Client
4.8.4. Strong Authentication System
4.8.5. NMA Zsentry Technology
4.8.7. Anti-Phishing Toolbars
4.8.8. Yahoo’s DomainKeys
4.8.9. PwdHash – A Password Hashing Tool
4.8.10. An Anti-Phishing Single Password Protocol (SPP)
4.8.11. True Site Seal
4.8.12. LinkGuard
4.9. Conclusion
CHAPTER 5: RESEARCH DESIGN AND METHODOLOGY
5.1. Introduction
5.2. Philosophical Research Paradigm
5.3. Research Methodology
5.4. Design Science Research Methodology
5.5. Research Instrument
5.5.1. Guideline 1 – Design as an Artefact
5.5.2. Guideline 2 – Problem Relevance
5.5.3. Guideline 3 – Design Evaluation
5.5.4. Guideline 4 – Research Contributions
5.5.5. Guideline 5 – Research Rigor
5.5.6. Guideline 6 – Design as a Search Process
5.5.7. Guideline 7 – Communication of Research
5.6. Primary Data Collection Methodology
5.7. Secondary Data Collection Methodology
5.8. Research Evaluation
5.9. Conclusion
CHAPTER 6: PROPOSED SOLUTION AND FINDINGS
6.1. Introduction
6.2. Identified Vulnerabilities
6.3. The Development of the Critical Success Factors
6.3.1. User Authentication
6.3.2. Website Authentication
6.3.3. E-mail Authentication
6.3.4. Data Cryptography
6.3.6. Active Risk Mitigation
6.4. The Expert Review Process
6.4.1. Expert Review Process: Round 1
6.4.2. Expert Review Process: Round 2
6.4.3. Expert Review Process: Round 3
6.4.4. Expert Review Process: Round 4
6.5. The Critical Factors of Success Over Vulnerabilities Model
6.6. Evaluation and Validation of the Research
6.7. Conclusion
CHAPTER 7: CONCLUSION
7.1. Introduction
7.2. Literature
7.3. Research Questions
7.4. Theoretical Frameworks
7.5. Research Methodology
7.6. Future Research
7.7. Summary
Reference List
List of Acronyms
Glossary
List of Figures
Figure 1.1: eCrime Growth Graph: Quarter 3, 2009
Figure 1.2: Information Systems Framework
Figure 2.1: The Common Criteria Security Model
Figure 2.2: The Internet Threat Model
Figure 3.1: The First Official Use of the Word “Phishing” Online
Figure 3.2: The First Citation of Phishing in Media
Figure 3.3: The Circle of Phishing
Figure 3.4: Phishing Example E-mail – eBay
Figure 3.5: Phishing Example E-mail – Westpac
Figure 3.6: Phishing Example E-mail – Regions
Figure 3.7: Phishing Example E-mail – ABSA
Figure 3.8: Barclays Phishing Attack Using Screen Capture Technology
Figure 3.9: Site Impersonation Using JavaScript
Figure 3.10: MyBank Cross-Site Scripting Attack
Figure 3.11: A Picture in Picture Attack
Figure 3.12: A Man in the Middle Attack Structure
Figure 3.13: The Phishing Attack Process: Planning Phase
Figure 3.14: The Phishing Attack Process: Attack Phase – Phase 2 Summary
Figure 4.1: A Model of Trust and Trustworthiness
Figure 4.2: The Relationship between Consumer Risk Perception and Behaviour
Figure 4.3: Model of Trust for E-Commerce (MoTEC)
Figure 4.4: The Online Trust Model
Figure 4.5: Uncertainty Reduction Model: A Conceptual Model
Figure 4.6: The Relationship between Trust, Controls & Confidence
Figure 4.7: Block Diagram of PHONEY’s Architecture
Figure 5.1: Research Paradigms
Figure 5.2: The Information Systems Research Framework
Figure 5.3: The Delphi Technique Procedure
Figure 5.4: The Search Design Cycle
List of Tables
Table 2.1: Vulnerabilities of E-Commerce
Table 3.1: Phishing Definitions
Table 3.2: URL Obfuscation Techniques
Table 4.1: Trust and Control Diagram Narrative
Table 4.2: iTrustPage Control Summary
Table 4.3: DPD Control Summary
Table 4.4: PRU Client Control Summary
Table 4.5: Strong Authentication System Control Summary
Table 4.6: NMA Zsentry Control Summary
Table 4.7: PHONEY Control Summary
Table 4.8: Toolbar Summary
Table 4.9: TrustBar Control Summary
Table 5.1: Paradigms and Their Differences
Table 5.2: Design Science Research Guidelines
Table 6.1: Identified Vulnerabilities
Table 6.2: CSF to E-Commerce Vulnerability Elements Map
Table 6.3: Vulnerabilities and Sub-vulnerabilities
CHAPTER 1
The Problem and Its Setting
1.1. GENERAL AREA OF RESEARCH
E-Commerce has been plagued with problems since its inception and this study examined one of these problems: the lack of user trust in E-Commerce created by the risk of phishing. The growth and advancement of technology has not only benefitted honest Internet users, but has also enabled criminals to increase their effectiveness, which has caused considerable damage to this budding area of commerce. Moreover, it has negatively impacted both the user and online business by breaking down the trust relationship between them. The severity of this problem can be seen in the statement that phishing increased by 8000% over the period January 2005 to September 2006 (APACS, 2007). The latest statistics obtained from the Anti-Phishing Working Group (the leading worldwide coalition of industry, government and law enforcement against phishing) below illustrate the true extent of the impact of phishing as it presently stands:
Figure 1.1: eCrime Growth Graph: Quarter 3, 2009 (Anti-Phishing Working Group, 2009)
In August 2009, the number of unique phishing websites detected by the Anti-Phishing Working Group reached an all-time high of 56,362, a 1.3 percent increase on the previous record of 55,643 in April 2007 (Anti-Phishing Working Group, 2009, p. 2).
Additionally, unique phishing reports submitted to the Anti-Phishing Working Group in the third quarter of 2009 reached a record 40,621 in August, approximately 5.5 percent higher than the previous record high of 38,514 in September 2007 (Anti-Phishing Working Group, 2009, p. 2).
Consequently, reflecting on these statistics and the number of occasions on which record-breaking figures appear, one notes that there was an aggressive increase in phishing over the 2009 period alone. This emphasises the importance of finding ways to increase the sense of trust within the E-Commerce environment by reducing the risk created by the threat of phishing.
Therefore, this research project investigated a problem within E-Commerce: there is a significant lack of user trust and confidence (between the user and the E-Commerce business) created by escalating information security breaches such as phishing attacks (or variants of them, such as pharming). The study attempted, firstly, to provide a better understanding of the threat of phishing that creates online risk and a lack of confidence in E-Commerce. Secondly, it contributed to the effort of reducing this risk by building confidence and enhancing the user’s protection.
Electronic Commerce is defined as “the buying and selling of products or services over electronic systems such as the Internet and other computer networks” (Xun & Lixia, 2009, p. 307). This largely occurs between two businesses (called B2B) or between a business and a consumer (B2C). Commerce and business transactions conducted over the Internet make use of supporting technologies such as the World Wide Web, Electronic Data Interchange, Online Transaction Processing, and E-mail to name a few. As modern E-Commerce continues to evolve, common trends can be identified, such as, the move of the web into more of a collaborative social marketplace facilitating online transactions, increasing user interaction through a more digital or ‘virtual’ online environment, and the increasing focus on enhancing business services through personalised product and customer information. However, there are a number of threats that exploit these technologies thereby increasing the risk of conducting business online. Such threats include money theft, fraud, information and identity theft, threats to the system from malicious software, spam e-mail and the invasion of consumer privacy, as well as the theft of intellectual property.
1.2. STATEMENT OF PROBLEM
Along with the significant growth in E-Commerce and Internet usage, threats such as phishing have also drastically increased. Criminals have become smarter, using highly sophisticated technologies and social engineering techniques to commit information theft. This threat has resulted in Internet users having less trust in websites, generating a lack of confidence in online businesses, and forming a significant barrier to the development of E-Commerce. This research project essentially aimed to address the following research question:
How can the sense of trust within the E-Commerce environment be increased by reducing the risk created by the threat of phishing?
In order to adequately address the identified research question, the following sub-questions were investigated, and the objective of each is provided:
1.2.1. How and why is E-Commerce vulnerable to phishing attacks?
The objective of this sub-question was to discover and understand how, and why, the E-Commerce environment and online websites are highly prone and vulnerable to phishing attacks.
1.2.2. How do phishing attacks occur in an online environment?
The objective of this sub-question was to discover, understand and define how phishers and their methods of attack work, and how they operate within the world of E-Commerce, in order to gain workable knowledge of the phishing phenomenon.
1.2.3. How can the sense of trust and confidence be increased by managing phishing / spoofed websites?
The objective of this sub-question was to establish ways of increasing the sense of trust through the management of phishing, so that trust and confidence in E-Commerce are improved.
1.3. OBJECTIVE OF THE STUDY
The main objective of this research project is to produce a set of Critical Success Factors that, if applied, would enable trust to be engendered in online business. These Critical Success Factors will be used to develop a design science artefact which will take the form of a model, thus allowing them to be effectively applied to an IS problem area, and refined from feedback.
1.4. SIGNIFICANCE OF THE STUDY
As the E-Commerce sector grows, the level of trust and confidence needs to be increased in order to support this growth and the development of online businesses. It is also required to support the increased use of websites by users for transactions, as well as the security on both fronts. The research project is important as it focuses specifically on increasing this required trust and confidence, thus providing the necessary means to support these areas of growth with sufficient levels of trust.
1.5. INITIAL REVIEW OF RELATED LITERATURE
This research project refers to the Uncertainty Reduction Theory, which states that when two parties meet, the primary concern for both parties is to decrease uncertainty about each other. This can be achieved through communication and by information sharing. Flowerday and Von Solms (2006) contend that there will always be a level of uncertainty, and where uncertainty exists, so does the presence of risks and threats. By reducing the threat of phishing “through communication and the exchange of information about each party…”, which in this case is the user and the website, “uncertainty reduction is a necessary condition for the development of trust” (Flowerday & Von Solms, 2006, p. 3). Reducing the threat therefore reduces uncertainty, and in turn raises the level of predictability, trust, confidence and assurance.
Gouda, Liu, Leung, and Alam (2007, p. 3715) explain that the current HTTP authentication methods employed are particularly vulnerable to phishing attacks, allowing attackers to easily obtain confidential information such as passwords. They propose a single password protocol (SPP) that is “simple, secure, efficient and user friendly” and that allows users to securely use a single password across servers, therefore providing them with an effective anti-phishing password protocol.
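The security-relevant point behind a single-password scheme is that the credential a user types must not be reusable at any host other than the one it was derived for, so a spoofed login page captures a value that is worthless at the genuine site. The following Python is an added illustration of that idea and is not the protocol of Gouda et al., nor the code of the PwdHash tool discussed in Chapter 4; it is a minimal PwdHash-style derivation in which the host name of the site acts as the salt of a password-based key derivation. The host normalisation (only a leading “www.” is stripped; no public suffix list is consulted) and the PBKDF2 parameters are assumptions made for this example, and the sample master password and host names are constructed.

```python
"""Domain-bound password derivation (PwdHash-style) as an anti-phishing control.

Added example, not the SPP of Gouda et al. (2007) and not PwdHash's own code.
One master password is remembered by the user; the credential sent to a site
is a keyed derivation of that password under the site's host name, so the
value captured by a lookalike phishing host does not authenticate at the
genuine host.
"""
import base64
import hashlib
from urllib.parse import urlsplit

# Assumption: work factor and output length chosen for this example only.
PBKDF2_ITERATIONS = 200_000
SITE_PASSWORD_LENGTH = 20


def site_key(url: str) -> str:
    """Return the host name that the derived password is bound to.

    Only a leading "www." is dropped (a deliberate simplification; a real
    tool would consult the public suffix list). A lookalike such as
    "https://www.examplebank.test.evil.example/login" keeps its full host
    name and therefore binds to a different key than "examplebank.test".
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in {url!r}")
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def derive_site_password(master_password: str, url: str) -> str:
    """One master password in, one credential per host out.

    The normalised host name is the PBKDF2 salt, so different hosts yield
    unrelated credentials, and a captured credential does not reveal the
    master password to the phisher.
    """
    host = site_key(url)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        host.encode("utf-8"),          # salt: the host the user is really on
        PBKDF2_ITERATIONS,
        dklen=32,
    )
    # URL-safe base64 gives a printable password; truncate to a fixed length.
    return base64.urlsafe_b64encode(digest).decode("ascii")[:SITE_PASSWORD_LENGTH]


def phished_credential_is_valid(master_password: str, phishing_url: str,
                                genuine_url: str) -> bool:
    """Model the cashing phase: does the value typed into the phishing page
    log the attacker in at the genuine site?"""
    captured = derive_site_password(master_password, phishing_url)
    expected = derive_site_password(master_password, genuine_url)
    return captured == expected


if __name__ == "__main__":
    master = "correct horse battery staple"            # constructed sample
    genuine = "https://www.examplebank.test/login"      # constructed sample
    spoof = "https://www.examplebank.test.evil.example/login"
    print("genuine site credential :", derive_site_password(master, genuine))
    print("spoofed site credential :", derive_site_password(master, spoof))
    print("phished value usable at genuine site:",
          phished_credential_is_valid(master, spoof, genuine))
```

The control only holds if the derivation is performed by a component the user trusts (a browser extension or the browser itself) using the host the connection is actually made to; if the page’s own script performed the derivation, a phishing page would simply derive under the genuine host name and forward the result.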
Hallam-Baker (2005) also recognises that there is an increase in phishing and that criminals are using sophisticated tactics to commit information theft. He explains that phishing is evolutionary, shifting from ‘social engineering’ attacks that trick users through spoofed e-mails or websites, to ‘software engineering’ attacks that exploit software flaws and redirect unsuspecting users to capture sites. Hallam-Baker (2005) offers a helpful explanation of the stages that a phishing attack undergoes, providing a better understanding of this form of attack, and then gives practical steps one can follow to prevent such attacks.
Moore (2007) acknowledges phishing as a serious threat to E-Commerce and presents a study focusing on the attackers themselves, stating that they can effectively adapt their attack strategies to overcome any defence mechanisms that are in place. He concludes by suggesting that banks and ISPs, through the use of comparative performance measures, can improve transparency, and in turn improve security.
Moreover, Elmaleh (2007) discusses the evolutionary nature of phishing, stating that, despite increased web awareness and increased security efforts, phishing techniques have still evolved. The objective of phishing remains to obtain user information, but now without the user’s knowledge. Additionally, he argues that users need to place their trust, confidence and reliance in authentication systems, thus reinforcing the need for secure website authentication and the trust of users. Adding to this, Furnell (2007) attempts to address the phishing and trust issue by asking what level of assurance is required to gain a user’s trust. He further explores aspects of the user’s understanding of phishing threats and their subsequent vulnerability.
An important point made by Deas and Flowerday (2008) is that criminals are using increasingly sophisticated techniques to create spoofed websites in order to obtain confidential user information, resulting in an urgent need for protection against online threats. They propose that the following dual level of authentication be required: User Authentication (for identifying and verifying user logins and information), and Website Authentication (for the identification of websites by the user). Through this dual authentication, security, and the protection from threats, can be increased by enhancing trust between users and websites. Furthermore, Ray and Shultz (2007) briefly discuss phishing attacks and the techniques used; they also provide a helpful explanation of how a tool provided by Microsoft, the Internet Explorer 7 Phishing Filter, can be used to protect users from these phishing scams.
Steyn, Kruger and Drevin (2007) present a phishing exercise conducted in an academic environment that gives important insights into user online behaviour. In the exercise, a phishing attempt was performed on a selected sample of academic staff. The results revealed that more than half of the persons undergoing the exercise were willing to give their confidential information to a spoofed website. This illustrates the extent of user vulnerability, and how easy it is for criminals to commit identity theft or steal credit card numbers and banking details.
To link back to the Uncertainty Reduction Theory, it is emphasised that there will always be some level of uncertainty, and risks and threats will always be present in some shape or form. There will always be insecurity between E-Commerce websites and users, and the threat of phishing (along with the risks created by phishing) will always have an influence on the online environment. The aim, therefore, is to reduce risk by lowering this uncertainty, and in so doing to increase the level of trust. Phishing techniques, strategies and attacks are on the rise, are evolving, and are continuously adapted by phishers in order to overcome defence mechanisms. Phishing has become both a software engineering attack and a social engineering attack, exploiting the vulnerabilities of people and software. With the combination of spoofed websites and people’s willingness to offer their confidential information over the Internet, users are highly vulnerable to phishing attacks. Thus, it is evident that there is a dire need for secure and reliable authentication of websites (website authentication) and of users (user authentication).
1.6. RESEARCH DESIGN
According to Mouton (2001), the research methodology is tailored to address the research problem or question, and there are various design types. This study follows the design science research paradigm along with its research methods (data collection and data analysis). Thus this study involved both empirical research (using primary data) and non-empirical research, through interpretive conceptual analysis and critical thinking within an extensive and thorough literature review. This review consisted of secondary data including studies, frameworks, methodologies, articles, conference proceedings, standards, codes and books (Mouton, 2001; Olivier, 2004). All attempts were made to keep the content of the study as current as possible, including the literature, which was selected from respected authorities in the field.
Thus the objective of this study was, firstly, the refining of the problem statement and, secondly, the development of a set of Critical Success Factors (CSFs) for reducing the risk of phishing and increasing the trust between users and websites. Then, based on the defined Critical Success Factors, a design science artefact in the form of a model was developed and refined.
1.6.1. Design Science
Design science is essentially a detailed problem solving process aimed at “the construction of ‘better’ IS-related problem solutions” (Winter, 2008, p. 470). Design science “seeks to create innovations that define the ideas, practices, technical capabilities, and products through which the analysis, design, implementation, management, and use of information systems can be effectively and efficiently accomplished” (Denning, 1997, p. 133; Tsichritzis, 1998, p. 264). It aims to create an innovative, purposeful artefact (in this study the artefact is a model consisting of Critical Success Factors) for a specified problem domain. In doing this, design science usually follows a design process cycle (as can be seen in Figure 1.2) that involves building an artefact, implementing it (called instantiation), and then evaluating the outcome to determine the utility it provides in solving the problem (as well as refining the artefact after evaluation).
According to Hevner, March, Park, and Ram (2004, p. 80), “the artefact must be innovative, solving a heretofore unsolved problem or solving a known problem in a more effective or efficient manner”. With this, the study did not aim to solve the entire phishing problem on a broad level, but it rather aimed to provide an innovative model, or artefact, that will add its part to the complete global solution. Design science offers four different types of artefacts that can be constructed. These include: Constructs (forms the language used to define and communicate identified problems and their respective solutions), Models (uses the constructs to create an abstraction, or representation of the problem and solution), Methods (these define the processes that are needed to solve problems), and Instantiations (implemented and tested systems). In this study, a model (CSF’s) was designed encompassing the problem domain and the proposed solution (including the entities involved in the problem domain, and the critical success factors which were defined).
In applying design science in this study, the following guidelines provided by Hevner et al. (2004) were followed:
• Design as an Artefact – Build an artefact that is both innovative and purposeful (applies to the develop/build box in Figure 1.2).
• Problem Relevance – Ensure one has a specified, well-defined, clear problem and problem domain.
• Design Evaluation – Thoroughly evaluate the artefact to ensure its effectiveness.
• Research Contributions – The artefact must be original in its design, offering a new perspective on a problem.
• Research Rigor – The artefact should be well defined and coherent with existing knowledge and research within the field (the knowledge base).
• Design as a Search Process – Must follow a search process of building a problem domain, and define the methods for discovering a solution.
• Communication of Research – The results and findings of the research must be communicated properly to both a technical and a managerial audience.
Reducing the risk of phishing and increasing trust can be seen as a process whereby inputs are applied to the fragile relationship, a process occurs, and as an output risk is slowly controlled and trust slowly increases. This influenced the decision to follow the design science approach, because the process allowed for the creation of a conceptual and practical model, including all its elements.
1.6.2. Research Methodology
1.6.2.1. Data Collection
This describes the method of collecting the data that tests the validity and effectiveness of the solution and model proposed within this research project.
Primary Data Collection Methods
• Custom designed questionnaire (qualitative data): An informal survey was used to obtain feedback from experts in this field in order to further refine the proposed model (CSFs). These ten experts were presented with the study’s findings and were asked to critique these findings as a validation step in the process. After initial validation, the findings were given further validation when they were accepted and published in the proceedings of ISSA 2010 (Appendix A). All findings of the study were validated and refined before the final write-up of the project commenced.
Secondary Data Collection Methods
• Case studies: phishing events that have occurred in the past (for example, ABSA Bank).
• Literature applicable to this study.
1.6.2.2. Data Analysis
This describes how the data was analysed. The data collected from both primary and secondary sources was analysed inductively, so as to determine whether the concrete observations obtained supported or opposed the theoretical explanation presented within the study. The qualitative data was handled differently: each expert in the field provided different feedback, which was broken down, summarised and used as data to either support or oppose the proposed final solution, forming an additional stage of refinement of the study.
1.7. DELIMITATION OF STUDY
This study was restricted to the E-Commerce threat of phishing attacks and the methods or techniques used in such attacks. Variations and more specialised attacks, such as pharming, were not included as these were found to extend beyond the scope of the study.
1.8. OUTLINE OF CHAPTERS
CHAPTER 1 – The Problem and Its Setting
This chapter provides a brief introductory background on the specific area of study, defines the problem (along with its sub-problems) that was investigated, and introduces the literature and research methodology.
CHAPTER 2 – E-Commerce vulnerability to phishing attacks
This chapter investigates the vulnerabilities that cause the E-Commerce environment to be specifically weak to phishing attacks.
CHAPTER 3 – Phishing - Methods and Techniques
Defines and describes phishing in detail, explaining the methods and techniques phishers use to carry out their attacks.
CHAPTER 4 – Reducing the Risk, Increasing the Trust
Identifies the importance of trust and why it is required, and relates this to the uncertainty reduction model. The balance of trust and control is also explained, where a list of effective controls (i.e. anti-phishing tools) is presented.
CHAPTER 5 – Research Design and Methodology
Here a detailed description of the research design scheme, the methods that were used, and the procedures that were followed for collecting and analysing data is given.
CHAPTER 6 – Proposed Solution and Findings
In this chapter, a proposed solution to the research question and problem is presented, and with that a model was constructed. The focus is on viewing, understanding and analysing the results obtained from the research that was carried out, and reflects on the solution and model that was developed.
CHAPTER 7 – Conclusion
CHAPTER 2
E-Commerce Vulnerability to Phishing Attacks
2.1. INTRODUCTION
In this chapter, the reasons why E-Commerce and the online environment are particularly vulnerable to phishing attacks are investigated and discussed. In order to gain an understanding of the negative impact phishing has had on E-Commerce, the vulnerabilities of this industry are identified and explored. To do this, a theoretical foundation is first provided by presenting two E-Commerce vulnerability models that describe the E-Commerce environment in which phishing operates. The Common Criteria Security Model is utilised to identify the important areas of security applicable to the E-Commerce environment, the entities involved in the sector, and the relationships of influence between them. The Internet Threat Model is then presented, providing an understanding of the entities involved in online activities and the unsecured nature of their communication channel. Following this, a thorough investigation into the specific vulnerabilities that exist in the E-Commerce environment is performed, with each being discussed and explained in detail. The chapter then concludes with a summary of these vulnerabilities and the sub-vulnerability elements they comprise.
2.2. THE E-COMMERCE ENVIRONMENT: VULNERABILITY MODELS
In order to help us understand the vulnerabilities found in the online environment and the impact they have on E-Commerce, two relevant vulnerability models will be used, namely the Common Criteria Security Model (CCSM), and the conventional Internet Threat Model (ITM).
2.2.1. The Common Criteria Security Model
The CCSM (illustrated in Figure 2.1) is an effective, diagrammatical representation of the critical areas of security and the relationships between them. When applying this model in context, one notes that ‘Threat Agents’ (which in this case are the phishers) give rise to threats, or the presence of the ability to commit a phishing crime. These threat agents will essentially have an underlying desire to abuse or damage valuable assets such as confidential and personal information, online identities, or credit card details held by owners (online users and websites).
Figure 2.1: The Common Criteria Security Model (The Common Criteria Recognition Agreement, 2009)
This desire forms the reason for these agents posing such a threat within the online environment. In addition, the phishing threat to assets seeks to exploit weaknesses and vulnerabilities of online users and websites (e.g. high trust dependency and the vulnerability to the exploitation of their trust, or the ability to easily mimic web pages), thus leading to the phishing risk. The phishing threat will always exist, but it is the phishing risk that can be influenced (increased or reduced). As a result, the objective is to target and reduce the phishing risk, thus the focus of the study is not the threat itself.
To do this, one needs to consider the ‘Owner’ side of the model. Owners (users and websites), whether they are aware of their vulnerabilities or not, require countermeasures (anti-phishing methods and tools) to be imposed so as to effectively reduce their vulnerability to phishing threats, and in turn, reduce the phishing risk, thus protecting the assets they value. Effective anti-phishing methods and tools are discussed later in this project (chapter 4).
E-Commerce activities and conducting online transactions require trust and confidence by the user in the E-Commerce website and its security. Thus, E-Commerce is especially vulnerable to phishing attacks because phishing is “nothing more than a confidence game” (Jakobsson & Myers, 2007, p. 57), creating a false sense of confidence and tricking users into falling prey to a scam. This false confidence or trust is created and maintained, beginning with the phishing e-mail, and continues on to highly believable phishing websites that have been designed with the same look and feel as the legitimate sites they imitate. Victims are lured into trusting a fraudulent website and thereby willingly provide their confidential information, which they would not normally have done had they been aware that the website was created by a phisher. In addition, the Internet is playing an increasingly significant role in online commerce activities, and due to a lack of Internet security, attackers are able to easily target online users involved in E-Commerce (Chandrasekaran, Chinchani, & Upadhyaya, 2006). Consequently, the users who make online transactions and engage in E-Commerce activities are the ones targeted, and these same users typically have very little understanding of web browser and Internet security (Jakobsson & Myers, 2007).
This leads to an “erosion of trust” (Jakobsson & Myers, 2007, p. 58), which is also supported by the following statement: “Victims perceive that phishing e-mails are associated with a trusted brand, but in reality they are the work of con artists” (Downs, Holbrook, & Cranor, 2006, p. 79). Due to this, and coupled with the lack of Internet security and the low level of user web security knowledge, phishers are easily able to commit information theft and fraud through phishing attacks within the E-Commerce environment.
Ronda, Saroiu, and Wolman (2008) add that E-Commerce makes use of the Internet and other supporting technologies such as e-mail in its functioning. This allows phishing messages to be sent with ease and in great volume, causing increased vulnerability in E-Commerce activities. These e-mail messages are also becoming more sophisticated. They have begun to include personalised information specific to the targeted user, as well as hidden text, making them increasingly harder to filter. Also, E-Commerce relies heavily on websites to do business. This poses a problem because phishing attacks are specifically designed to target webpages to commit information theft and fraud. Due to this, and the increase in the number of phishing websites, E-Commerce is open to being compromised by phishing attacks. Supporting this position is the work by Karlof, Shankar, Tygar, and Wagner (2007), who recognise that phishing has become a serious threat to E-Commerce, targeting the inherent weaknesses found in the entities and the links between them.
2.2.2. The Internet Threat Model
Another model that helps us understand the vulnerabilities and the structure of the online environment in which phishing operates, is the conventional ITM as discussed in Dasgupta, Chatha, and Gupta (2006).
Figure 2.2: The Internet Threat Model (Srinivasan, 2007, p. 35)
The ITM defines the general client-server oriented architecture of entities within the online realm, and is based on the premise that there are a small number of non-trusted adversaries and many trusted participants. As illustrated in Figure 2.2, the trusted entities are the client computers (online users) and the certified servers (backend of online companies), which are both considered to be secure end-points of the architecture. Activity on the client computer (password entering, transaction entering, web browsing) is assumed to be under the control of human users, and storage and protection of this data is assumed to be the responsibility of the online companies and the servers on which the data is held. The non-trusted adversaries reside within the communication network between them, i.e. the Internet, and come in the form of malicious attacks, including but not limited to spam and phishing e-mails, phishing websites, viruses, and malware. The communication network is characterised, in this model, as an extremely unsecure and vulnerable link between the two trusted end-points. This is because attackers are able to have complete control over the channel in which the endpoints communicate and can undetectably read, modify, or remove any data packets being exchanged over the network. Attackers are also able to create fake packet data, and build it in such a way that it will appear to have been created by a trusted machine. They can then inject it into the network and target any computer or device linked to that network (Väkiparta, 2004; Srinivasan, 2007). Thus, this model assumes that websites and passwords are not to be trusted.
When applying the model in this research project, we can see that online users and websites (hosted on servers) are the two main entities involved, with the Internet (WWW and E-mail) being the communication channel they use. Attackers exploit the security weaknesses in the communication network, making the medium unsecure and creating distrust between the two parties. On the one hand, phishing websites and e-mails, acting as intermediaries between the two trusted entities, seek to fake as many elements of a trusted certified server as possible in order to obtain information held by the user. Then, concurrently, they seek to assume a trusted user’s identity to compromise a trusted server and commit other crimes. This leads us to highlight the shortcomings of the ITM. The ITM assumes that end systems are secure and the communication network is vulnerable to attacks (Mannan & van Oorschot, 2004), when in reality it could be the opposite. In the Internet environment today, client computers and server systems are no longer secure. End systems are almost entirely software driven and can easily be compromised by phishing attacks that make use of malicious software, such as trojans, key loggers, worms, and root kits. Consequently, it can be seen that vulnerabilities exist in every part of the entire system (Mannan & van Oorschot, 2004).
In conclusion, E-Commerce involves certain entities that require interaction and communication with each other in order to facilitate business transactions. This interaction and communication is inherently insecure due to the presence of the phishing risk, which seeks to exploit the vulnerabilities found within this interaction. Thus, having established an understanding of the components of E-Commerce through the models already presented, it is most beneficial to explore the specific vulnerabilities of the environment. As such, the following section will discuss the vulnerabilities that are critical to the study.
2.3. VULNERABILITIES IN AN ONLINE ENVIRONMENT
In order to identify why phishing is so effective in performing attacks within the E-Commerce environment, the vulnerabilities of each area of which it is comprised need to be explored. In the following section, the areas of E-Commerce with known vulnerabilities (called ‘vulnerability vectors’ in this study) will be discussed in detail.
2.3.1. Vulnerability Vector A: The Expansion of Technology
With the rapid development in technology, advancement in both the hardware and software domains has been exponential in its growth, and the number of devices able to access the web has increased drastically, improving accessibility to the Internet (Lin, Hsu, Tzeng, & Chou, 2008). Therefore, along with this growth, new areas of weakness and vulnerability have followed, allowing attackers to use new methods in their attacks. An example of this can be found in Karlof et al. (2007), who highlight that the ‘Internet everywhere’ nature of wireless technology, with its access points and wireless routers, has introduced new types of phishing threats. They state that users have become increasingly used to accessing wireless routers in public places that provide free Internet access (such as airports, restaurants, libraries, etc.). Phishers are now able to set up malicious wireless routers in these areas and redirect users to their spoofed web sites. An added problem here is that users leave the default settings of their own wireless routers unchanged, which are often set up to maximise usability and not security, thus leaving them with the possibility of disabled encryption and weak access security to router administrative functions. Also, Narayanan, Chandrasekaran, and Upadhyaya (2006) found that, because of a key characteristic of the Internet, i.e. its anonymity, phishers are more proficient in hiding their true identity, or even in assuming another identity, in order to successfully carry out their attacks without the possibility of being caught. Thus, from the perspective of the phisher, being able to stay anonymous means there is a low risk of being caught, making phishing attacks more appealing. This has also resulted in an increased occurrence of such attacks.
Included in this technological explosion is the increase in the development and use of new software applications. This has created the vulnerability of the E-Commerce environment to viruses and other software attacks. This vulnerability exists because of E-Commerce’s heavy reliance on the use of software. In addition, software is system based and is therefore easily attacked by viruses. Viruses are widespread and powerful and have the capability to gain full access and computational ability of a computer, and can be completely undetectable by users or even anti-virus software. Viruses such as these are frequently used by phishers to serve their purpose, for example, to compromise trusted entities and control all its functionality to steal user identity information from the entity itself, or utilise it as a slave to carry out larger phishing attacks. Computer viruses can also be used by phishers to steal private keys to completely cripple public key infrastructures (Dasgupta et al., 2006). Consequently, this conveys that viruses are a very real vulnerability within the E-Commerce environment and cannot be ignored or overlooked.
Included in this area is a vulnerability pointed out by Ronda et al. (2008) and Ramzan and Wuest (2007), who both identify that criminals are now able, due to the improvements in technology, to easily mimic websites and create believable spoofed e-mails. The ease of access to phishing tools and their wide availability allows phishers to obtain aid and produce effective attacks in a short period of time. This essentially improves the attack of a phisher, and indirectly creates vulnerability as it has become increasingly easier for the E-Commerce environment to be attacked.
The expansion of technological devices used for E-Commerce, and the software that supports them, has opened up new methods, opportunities, and areas for phishers to attack. They are also able to hide their identities more effectively based on the anonymity of the Internet. Additionally, devices used for E-Commerce (such as personal computers, laptops, cell phones, smart phones, and PDAs) which are able to access the Internet have weak access security implemented by default. This, and the susceptibility of software to software attacks, all contribute to making the E-Commerce environment considerably more vulnerable to the attacks of a phisher.
2.3.2. Vulnerability Vector B: Weaknesses in Information Security
Notable weaknesses with regards to the security of information in the online world of E-Commerce are presented below.
2.3.2.1. Avenues of Leakage
A critical vulnerability identified by Dasgupta et al. (2006) is that there are numerous avenues of leakage of private information. What this means is that confidential information held by users is required to be shared and exchanged regularly between themselves and a large number of other entities (such as service providers, credit grantors, merchants, employers and business partners or acquaintances) and their terminals of exchange (computers and telephones). On the flip side, a user's private information is also stored and made available on an abundant number of computers owned by various parties, for instance merchants, employers, medical providers, utility companies, creditors, and business partners. All this information held at each point is at risk and is often leaked, either by the owner or by a third party to the owner, and phished. An example provided by Dasgupta et al. (2006) is given where a user named 'Alice' follows a daily routine of using a few passwords to check her e-mail and access the business's file server at work. Her employer keeps detailed information about her on the computer, such as her social security number, date of birth, and financial details. Many other personal details about her are also being kept, for example, by her bank and her doctor. At home she will surf the web, partake in E-Commerce activities, and access her accounts and online services using her passwords. From this example it is apparent that her personal public identity, along with her secret private identity (consisting of all her confidential information), is being widely shared across a vast number of people, increasing the points where phishing can take place. Other expressions of this vulnerability exist and are discussed as follows:
2.3.2.2. Shared Secrets
The current financial infrastructure of our time presents a huge vulnerability to the E-Commerce sector. This is because financial systems all function using individuals' private information, which is weakly protected and treated as private when, in truth, it is not. The possibility of leakage of this information is immense. The term used for this is "shared secrets", and it is a notorious vulnerability within E-Commerce (Dasgupta et al., 2006).
Therefore it can be reasonably concluded that information, whether or not it is public or private, is not secure and is shared among various parties. Thus, this presents itself as a significant vulnerability within E-Commerce to phishing, a weakness that directly aids the phisher in obtaining confidential information which should instead be protected.
2.3.2.3. Ease of Website Development and Information Sharing
Another vulnerability that is relevant is the ease with which people are able to open online storefronts. Both fake and legitimate Internet storefronts open and close down regularly, with each having servers that contain usernames, passwords, addresses, credit card information, and the like. The pace at which personal information is spreading is becoming a huge problem, with the vulnerability of this information being completely understated (Dasgupta et al., 2006).
2.3.3. Vulnerability Vector C: Online Users (The Customers of E-Commerce)
An area that needs to be considered is the set of vulnerabilities that exist on the client side of the E-Commerce environment: the vulnerabilities of users. Firstly, Dhamija, Tygar, and Hearst (2006) point out that users are vulnerable because they make mistakes. A test was conducted in which twenty websites were presented to 22 participants, requesting them to identify which of them were fraudulent or legitimate and to provide the reasons why they thought so. Test results revealed that participants made mistakes 40% of the time, with the best phishing web pages fooling 90% of them. Security warnings and visual cues were ineffective, with 23% of the users ignoring them and proceeding nonetheless. Users are, to no surprise, humans, and it has been proven time and time again that humans will make mistakes. Additionally, it is well supported that even the most vigilant and thorough online users can be fooled by good phishing techniques (Dhamija et al., 2006; Jagatic, Johnson, Jakobsson, & Menczer, 2007), leaving online users vulnerable and forming a weakness for phishers to exploit. Furthermore, it has been identified by Henshaw (2005) that it is extremely difficult for users to visually distinguish a legitimate website from a fraudulent, phishing website, with Downs et al. (2006), in support of this, saying that users are unable to differentiate effectively between phishing e-mails and websites. With this in mind, Downs et al. (2006) performed a study interviewing twenty participants with no experience in computer security. The results of the study showed that many of the users could not distinguish legitimate mail from phishing e-mail, and easily fell prey to the phisher’s scams. Florêncio and Herley (2007a), in April 2005, performed a phishing attack as a case study against 581 students attending the University of Indiana. In their experiment, they personalised phishing e-mails using publicly available information and sent them out to the students. From the results of this experiment, it was found that 72% of the students gave away their usernames and passwords when they saw that the phishing e-mail ‘supposedly’ came from a friend. This rate dropped, however, to 16% when they saw that the e-mail came from a fictitious person. Additionally, 70% of all responses occurred within the first twelve hours of running the experiment. Thus, by using more sophisticated phishing attacks and personalising e-mails, phishers can make their attacks increasingly successful.
Another vulnerability found to exist in users, as identified in Chiasson and van Oorschot (2006), is their lack of understanding of phishing attacks, as well as of the anti-phishing tools which are employed. This shortfall generally results in user frustration and avoidance. This could largely be due to website users (or the customers of E-Commerce) not being aware of the security risks and threats, and of how tools or preventive solutions function. Also, in the case where they do not understand how anti-phishing tools and software work, they can become frustrated and bypass all measures put in place to protect them, leaving users exposed to phishing attacks. Karlof et al. (2007) explained that in order for security and authentication mechanisms to be effective and not ignored or avoided by users, they require a user’s psychological acceptance. This means that their behaviour should match the expectations of the user as closely as possible, and in order to do this, users’ mental models need to be understood. Studies have shown that many users have partial or incorrect mental models of the security countermeasures currently employed. A user’s mental model is basically their understanding of how a mechanism operates, its goals and its interface, as well as the assumptions that it makes and the risks involved in using it. A study of this was performed by Chiasson and van Oorschot (2006), who investigated the usability of two password managers with twenty-six participants from Carleton University, Ottawa, Canada. Most of the participants were students from various faculties studying different degrees, but none specialised in computer security. During the study, it was found that the participants struggled to build a mental model of the software and did not have any understanding of what the software was doing. This resulted in frustration and misunderstandings, which led to a dangerous security vulnerability. Unclear alert and warning messages added to this frustration in the users, eventually causing them to give up completely. Thus, the imperfections in users’ mental models result in the following major weakness areas:
How users deem things to be secure varies greatly resulting in a wide range of understandings, creating complexity.
Many users find it difficult to interpret security indicators such as: the verified URLs in the address bar, the ‘lock’ icon, certificate dialogues, and all the countless pop-up warnings and messages in a web browser.
User awareness of online risks: Most users’ knowledge of online risks extends to the commonly known vulnerabilities and needed countermeasures, but studies have shown that users experience trouble in managing risks they are unfamiliar with. Attackers use these misunderstandings and misconceptions to aid in their attacks.
If the security mechanisms are irritating or too difficult to use, users will disable the mechanism or avoid the mechanism altogether. This problem is aggravated if there is no sound understanding of the necessity of the mechanism in place. This relates to what is called “Warning Fatigue” (Florêncio & Herley, 2007a, p. 26; Wu, Miller, & Garfinkel, 2006, p. 609), which describes how users become irritated and tired of warning messages when they are repetitively presented with them, each time having to view them, form an understanding of them and act on them. This Warning Fatigue ultimately motivates avoidance of the mechanism completely.
Users do not understand how to use web authentication securely and make poor decisions when they do not know what to do in order to be secure. For example, users will ignore confusing alerts and take the “path of least resistance”. This view is shared by Henshaw (2005), who states that programs designed to secure personal information are mostly ignored if users are unable to understand how to use them. Karlof et al. (2007) support this view by saying that if anti-phishing, or anti-pharming, solutions are either too expensive or complicated, or limit scalability in any way, users (and websites) will always forfeit security for efficiency, simplicity and functionality. Similarly, Dasgupta et al. (2006) add that when it comes to the consumer domain, the usability of a security mechanism is vital and it must always operate in the background. The example used is that of the SSL security protocol. The protocol is difficult to understand and complex for most non-IT professionals, yet everyone uses and trusts it based on the mere fact that it is seamlessly integrated into every web browser on the Internet.
Continuing, users are also the keepers of their own confidential information. This poses another danger to users in itself. This can be based on the view held by Florêncio and Herley (2007a), who explain that users are a danger unto themselves and (unknowingly) require protection from themselves, because they hold information and are able to be manipulated into divulging it. Mashima and Ahamad (2006) support this stance by saying that users can be naive, and through various social engineering techniques can be fooled into leaking their own confidential information.
Another problem is that users make use of multiple passwords across multiple websites, which greatly increases their vulnerability (Florêncio & Herley, 2007b). Florêncio and Herley (2007b) performed a study on the web password habits of approximately five hundred thousand users over a three month period, and by conducting certain measurements could obtain helpful information on users’ web password behaviours. From some of the results of the study, it was found that, firstly, during a three week period, passwords which had previously been used on other websites were typed into verified phishing sites 101 times. Secondly, users enter their passwords into websites often; the authors estimate that users type in their passwords approximately eight times a day on average. Thirdly, users tend to keep many web accounts (25 accounts on average, all requiring passwords). It is calculated that an average user keeps and uses 6.5 passwords, with each being shared over 3.9 unique websites. Lastly, users forget their passwords frequently. It is estimated that during the three month study, 4.3% of Yahoo users forgot their passwords, with most users changing their passwords fifteen times in 100 logins they made. In addition, Karlof et al. (2007) explain that whenever users are requested to input their usernames and passwords into a website, they are required to decide whether or not it is safe to provide the website with this information. This places unmanageable responsibility on the user to analyse, interpret, and understand all the security indicators of a website, which they often get wrong, increasing their vulnerability to attack.
And finally, users suffer from a vulnerability element called the denial factor. According to Dasgupta et al. (2006), when a user logs into a banking website they are in a 'state of denial' about any viruses that may be attacking their computer and will dismiss any thoughts questioning the legitimacy of the website, which could be a phishing website designed to obtain their password. This vulnerability is highly advantageous to the phisher and aids them in the success of their attacks.
In conclusion, it is the users, the customers of E-Commerce themselves, who are vulnerable based on the natural flaws of being human, making them prone to mistakes and easily fooled. This too adds to the vulnerability of the E-Commerce environment to phishing attacks.
2.3.4. Vulnerability Vector D: Website and Web Browser Vulnerabilities (The Shop Front Of Online Companies)
According to Ronda et al. (2008), the number of compromising websites continues to grow. 27,221 unique phishing websites were reported in January 2007, three times more than in January 2006. Friedman, Hurley, Howe, Felten, and Nissenbaum (2002) also state that over the past few years phishing websites have become more elusive and more difficult to close down, with the average lifetime of a general phishing site decreasing from a week to just a few hours. Some clever phishers even make use of distributed tactics and fault tolerant architectures, with the aid of botnets that automate their attacks from compromised computers, making it harder for them to be caught. Karlof et al. (2007) predict that similar trends will continue. With phishing websites increasing in numbers and in sophistication, it has become evident that all information submitted via websites and related HTML forms on webpages is highly susceptible to attack (McCall, 2004; Loftesness, 2004). All phishers require victims to type in confidential information that has been used or will be used on another legitimate site (Florêncio & Herley, 2007a), such as usernames and passwords. This drives phishers to direct their attacks at websites that require the same user information, which is why banking websites (ABSA Bank), online merchants (eBay), and other financial institutions (PayPal) are often targeted. In a case presented by Capellán, Choi, Phillips, and Williams (2008), they state that according to news reported in 2004, millions of bank accounts of a major bank in North America were impacted by an installation of inadequately tested transaction processing software. This resulted in attracting large numbers of e-mail phishing attacks against the bank’s customers, costing the bank over $100 million because of the incident.
Another reason for these websites being specifically targeted is because they provide the phisher with the potential to obtain large financial gain, i.e., obtaining the confidential details of users of these legitimate websites can result in high returns with little amount of effort or work (Narayanan et al., 2006).
Weaknesses in the web browsers used to view websites also add to the vulnerabilities of E-Commerce. In the process of browsers increasingly adding new and better features and functionality, gaps and weaknesses in their security have also increased, thus leaving browsers prone to phishing attacks and other online threats (Narayanan et al., 2006). Some of these are explained in more detail below:
2.3.4.1. Susceptibility to Domain Name Spoofing and Pop-up Hijacking
In Atighetchi and Pal (2007) it is mentioned that URLs and Domain Names are easily masked or disguised via text masking methods. This domain name obfuscation (or spoofing) essentially hides the phisher’s root URL, placing the non-trusted path ‘behind a mask’ and giving it a seemingly ‘legitimate’ visual appearance that causes the user to incorrectly think it is safe. Abu-Nimeh, Nappa, Wang, and Nair (2007) add here that a user is immediately exposed to an attack once they enter the address of a phishing site in the browser address bar, or click on a spoofed URL. An example identified by Narayanan et al. (2006) is the recent attack upon Yahoo's web hosting domain geocities.com. In this attack, the phisher created a user with the username 'login' and a fake login webpage mimicking the original Geocities login page. When the user tried to log in, the page viewed was seen as 'www.geocities.com/login', where the 'login' part of the URL was actually the false username. Also to be noted here is that, because of the pop-up functionality built into a web browser, phishers are able to take over and control this to aid them in their attack.
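The geocities.com/login case shows that checking the host alone is not enough: the host was genuine, but the path pointed at user-controlled content. The following Python is an added example, not code from the dissertation or from any tool it cites, of the check an anti-phishing helper or awareness tool would apply: it compares a URL against an allowlist of known login pages and reports whether the mismatch lies in the host or in the path. The allowlist domains and paths (including the Geocities login path) are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed allowlist of legitimate login pages. The hosts and paths are
# assumptions for this example; the real Geocities login path is not given
# in the text.
LEGIT_LOGIN_PAGES = {
    "example-bank.test": "/login",
    "geocities.com": "/members/login",
}


@dataclass
class Verdict:
    url: str
    legitimate: bool
    reason: str


def split_url(url: str):
    """Return (host, path) as a browser would resolve them, lower-casing the host."""
    if "://" not in url:
        url = "http://" + url  # users often type addresses without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


def check_login_url(url: str, allowlist=LEGIT_LOGIN_PAGES) -> Verdict:
    """Compare a URL with the known login pages and explain any mismatch."""
    host, path = split_url(url)

    # 1. Host belongs to a trusted domain (exactly, or as a subdomain of it)?
    for domain, login_path in allowlist.items():
        if host == domain or host.endswith("." + domain):
            if path == login_path:
                return Verdict(url, True, f"matches the known login page for {domain}")
            # The geocities.com/login situation: genuine host, but the path
            # points at user-controlled content rather than the real login page.
            return Verdict(
                url, False,
                f"host belongs to {domain} but path {path!r} is not the login page {login_path!r}",
            )

    # 2. Brand name present somewhere in the URL, but the host is not the
    #    brand's domain. A substring heuristic, so treat it as a warning only.
    for domain in allowlist:
        brand = domain.split(".")[0]
        if brand in host or brand in path:
            return Verdict(
                url, False,
                f"'{brand}' appears in the URL but the host {host!r} is not {domain}",
            )

    return Verdict(url, False, f"host {host!r} is not a known login host")


if __name__ == "__main__":
    # Constructed sample URLs: the page's Geocities case, a genuine login page,
    # and a lookalike host that merely contains the brand name.
    for sample in (
        "http://www.geocities.com/login",
        "https://www.example-bank.test/login",
        "https://example-bank.test.login-check.example/login",
        "other.example/pay",
    ):
        verdict = check_login_url(sample)
        print(f"{'OK ' if verdict.legitimate else 'BAD'} {sample}: {verdict.reason}")
```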
2.3.4.2. Vulnerability in Browser Helper Objects (BHO)
Atighetchi and Pal (2007) state that most anti-phishing technologies are inserted into web browsers as Browser Helper Objects (BHO). These are components of a web browser that web applications use to interface with web browsers (such as toolbars and plug-ins). Although plug-ins allow for the transparent insertion of anti-phishing mechanisms, they are highly susceptible to phishing attacks. Firstly, they are highly vulnerable to buffer overflow attacks. This can occur, for example, when malware is mistakenly downloaded by a user and unknowingly executed on their computer. This malware can then corrupt the user’s web browser and execute a range of malicious tasks that can disable anti-phishing plug-ins, install key loggers to capture typed data, or even install root kits. Root Kits are “a collection of tools / programs designed to hide the fact that a given system has been compromised” (Locsin & Do, 2009, p. 2). Due to this, they can evade host-based detection systems such as anti-virus software, and cause large amounts of damage to targeted computers. ActiveX controls employed by a browser can also be compromised and used to install Trojans on a victim’s computer. Trojans are designed to alter the computer’s system files to redirect the request for a legitimate website to the phisher's IP address (Narayanan et al., 2006).
Anti-phishing plug-ins and toolbars function with the goal of preventing users from leaking their confidential details to a phishing server, eluding the phisher's attack and stopping them from obtaining the details they seek. Plug-ins and tools have, however, been proven ineffective in preventing phishing, which still leaves the E-Commerce environment vulnerable in this area. In an investigation into the effectiveness of toolbars in preventing phishing, Wu et al. (2006) performed experiments which involved using 30 test subjects, three security toolbars, the web browser’s address bar, and the status bar. The results of their experiment showed that all the toolbars tested were ineffective against phishing, with users being spoofed 34% of the time. Almost 70% of all the users were spoofed by at least one phishing attack, with 85% thinking that the websites which were presented to them were legitimate. In summary, the study found that the two main reasons for falling for these attacks were, firstly, that users disregard toolbars based on the professional or legitimate 'look' of a website, and secondly, that companies do not follow good web design practices. Both these reasons cause toolbars to be ineffective in distinguishing between legitimate websites and those that are phishing attacks.
In another experiment, performed by Cranor, Egelman, Hong, and Zhang (2006), the effectiveness of ten well known toolbars was tested. The results of the test found that only three of the 10 toolbars were able to successfully identify over 75% of the phishing sites encountered. Also, four of the toolbars were not able to identify half of the tested phishing sites. Narayanan et al. (2006) examined a widely used tool called Spoofstick, which employs reverse DNS lookup on the visited website by displaying the site's actual IP address on its toolbar. Although it can detect simple obfuscation, it still requires a human in the loop to