Web Design Brisbane

The Threat of Phishing and Pharming

Posted in Security on November 13th, 2010 by Rachael

It is important to know the threats that phishing and pharming pose to your company and employees. In particular, there are four primary threats: employees replying to contact made by an adversary [3], malicious software being installed on employee workstations [1], employees or the public visiting an illegitimate website under the presumption that it is legitimate [6], and employee sessions being hijacked [4]. These primary threats introduce the following secondary, yet important, threats: the adversary obtains private employee and/or company details, and the adversary tracks employee browsing habits and other employee and/or company data.

The first primary threat mentioned above is perhaps one of the oldest phishing threats: a user replies to a phisher (posing as a trusted source) with personal information. One example of this is an adversary asking for the user’s bank account information, ostensibly so that they can transfer large sums of money to the user; the real goal, of course, is to obtain the user’s bank details [7]. The threat of a user replying to a spear-phishing email does not just threaten the employee as an individual (because their identity could be stolen); it also threatens the company if the phisher is after organisational data (e.g. a username and password for a company computer system) [1].

The second primary threat to the company and employees from phishing and pharming is that malicious software (such as key loggers, screen grabbers and other viruses) could be installed on the employee’s computer [2]. As previously mentioned, this threat introduces secondary threats: the software could record employee and company data and track the employee’s browsing habits.

There is a wide range of both phishing and pharming techniques available for an adversary to trick employees into visiting illegitimate websites they believe are legitimate. The visiting and use of illegitimate websites is a major threat to both the company and employees because it introduces secondary, more specific threats. Firstly, the unsuspecting employee will use the site as if it were legitimate, so any details entered can be captured by the adversary. Secondly, the illegitimate website could contain embedded code that installs malicious software such as key loggers, screen grabbers and other viruses (Trojans, worms, etc.) [2]. Phishers can then use the malicious software to obtain details about employees or the company, as well as to track employee browsing habits [1].

The hijacking of employee sessions poses a threat to the company and to individual employees because of the secondary threats it introduces: adversaries can “eavesdrop on sensitive content, forge transactions, (and) sniff secondary passwords” using a hijacked session [4]. These threats obviously concern both the company and employees, because both parties have sensitive information that could be obtained and used maliciously. The forging of transactions within a stolen session is also a large threat to the company and employees, because the transactions could reflect poorly on each respective party.

References

[1] B. Mohamad, E.-S. Samer, and H. Ibrahim, “Phishing attacks and solutions,” in Proceedings of the 3rd International Conference on Mobile Multimedia Communications, Nafpaktos, Greece: ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2007.
[2] G. Ollmann, “The Phishing Guide,” Next Generation Security Software Ltd., Sutton, 2004.
[3] W. Knight, “Caught In The Net,” IEE Review, vol. 51, pp. 26-30, 2005.
[4] K. Chris, S. Umesh, J. D. Tygar, and W. David, “Dynamic pharming attacks and locked same-origin policies for web browsers,” in Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA: ACM, 2007.
[6] A. R. Stefan and W. R. James, “Don’t be a phish: steps in user education,” SIGCSE Bull., vol. 38, pp. 237-241, 2006.
[7] O. Charles, “Managing phishing threats in an organization,” in Proceedings of the 3rd Annual Conference on Information Security Curriculum Development, Kennesaw, Georgia: ACM, 2006.
