Computer Forensics for Preventing Email Capstone Project

Excerpt from Capstone Project :

i.e. modifying the domain name system.

7. DNS-Based Phishing ("Pharming"): This offense is based on interference in the domain name searching process by modifying the domain name resolution sending the user to a different IP address.

8. Content-Injection Phishing: The phisher introduces fraudulent content into a legitimate website.

9. Data Theft: Malicious code that collects sensitive information stored within the machines in which it is installed.

10. Man-in-the-Middle Phishing: The phisher takes a position between user's PC and the server filtering, reading and modifying information.

11. Hosts File Poisoning: This is another option for pharming. In this case the attack is carried out by the host's card index hosted on DNS' servers.

12. Spear Phishing: One of the newest phishing strategies. It targets a specific company and uses e-mails to train individuals at various locations. (Frost and Sullivan, nd)

It is reported that the types of websites attacked by phishers include such as banks and customers with online payment services. The general method of attack is carried out through an email or instant message that persuades users to enter personal details at a fraudulent website that appears to be a legitimate one. The majority of phishing attacks use "misspelled URLs or use sub-domains provided in emails which appear to belong to the legitimate organization. Another form of phishing known as IDN spoofing involves the use of URLs and IDNs by phishers in web browsers that appear identical to those of a trusted organization however, the open URL redirectors are used for disguising malicious URLs with a trusted domain. It is reported that certificates fail to address this problem since the phisher can purchase a valid certificate which can be modified in order to spoof a real website.

Other attacks include 'cross-site scripting' which is reported as a "type of an attack which is very difficult to spot without a specialist's knowledge; this is when phishers use errors in a trusted website's own scripts against the victim. The script directs the user to sign in at their own web page (the web address and security certificates seem to be correct), but in reality the link to the website is crafted to carry out the attack." (Frost and Sullivan, nd) Finally, another technique used is popup windows that request the individual's credentials "on top of the legitimate website, in a way that seems that the website is requesting this sensitive information." (Frost and Sullivan, nd) This is a technique reported to be used primarily in banks.

The report of Frost and Sullivan states that challenges include those of:

(1) Lack of knowledge in the differentiation of threats;

(2) Perception of high prices;

(3) Lack of quantifiable ROI; and (4) Fear of outsourcing security. (Frost and Sullivan, nd)

Trends and technologies reported by Sullivan and Frost include those related to the evolution of phishing attacks in the short, medium and long-term. Included in short-term phishing evolution is stated to be the increase in the "volume and degree of vulnerabilities and attacks is turning electronic security into an increasingly complex and broad issue, so the need for specialized professionals and solutions reinforcing network and electronic security is becoming clearer to companies." (Frost and Sullivan, nd)

It is reported that another strong driver of growth of the internet security market in view of the short-term is the "pressure of regulatory acts, such as the Sarbanes-Oxley, Basel II, and compliance with payment card industry international regulations (PCI)…" (Frost and Sullivan, nd) it is additionally reported that the "enterprise scope turn virtual by incorporating mobile workers, remote sites, home-offices and even vendors and partners within the same corporate network. In this context, security solutions appear as a strategic tool for a reliable and efficient network operation." (Frost and Sullivan, nd) in the analysis of industries it is reported that ISPs as well as banking and finance and retail are the most attacked by security threats since the economic crisis started and by the short-term end the advantages of such as detect monitoring services requires that services be clearer to corporations and mid-sized companies.

In regards to the medium term stated as 2011 and 2012 and the long-term, stated as 2013 and 2014 it is reported that security threats "are expected to present at an increasingly growth patterns, mainly leveraged by new and improved telecommunications infrastructure and due to new market entrants." (Frost and Sullivan, nd) in view of the long-term it is reported that the changes in pricing which are "inevitable…will redefine segmentation in the long-term." (Frost and Sullivan, nd)

IV. in-depth Computer Forensics: Communication of Methods, Processes and Procedures

Frost and Sullivan report that there are several forensic applications that can be used for detecting phishing including those as follows:

(1) Detect Monitoring Service -- work through identification accuracy checking and used for addressing phishing issues. This is a real-time connection monitoring service that is in receipt of transactional sites on the client side, with the client's information "correlated with data obtained from malicious activity in the industry. (Frost and Sullivan, nd)

(2) Early Notification -- Detect CA proprietary methodology that has the capacity to identify "specific patterns and behaviors that typically occur at the early stages of a phishing attack, providing a way to stop an attack even before it becomes a real threat." (Frost and Sullivan, nd)

(3) Malware Monitoring Services - monitors on a daily basis hundreds of samples of new financially-motivated malware which enables the company to proactively and quickly implement an action plan when a malicious code is attacking clients. (Frost and Sullivan, nd)

(4) Phishing Alerts - prevents, detects and recovers from phishing and malware attacks. The solution addresses the entire lifecycle of an alert, providing the right, just-in-time help when clients need it most. (Frost and Sullivan, nd)

The work of Abu-Nimeh, Nappa, Wang and Nair (2007) entitled "A Comparison of Machine Learning Techniques for Phishing Detection" reports that there are three main categories of phishing and fraud defense mechanisms:

(1) detective;

(2) preventive; and (3) corrective. (Abu-Nimeh, Nappa, Wang and Nair, 2007)

These solutions include such as 'anti-phishing toolbars' which are used for attempting to alleviate the problem of phishing. According to Abu-Nimeh, Nappa, Wang and Nair Although these toolbars help mitigate the problem, many research studies have demonstrated the ineffectiveness of such techniques." (2007)

Two primary problems with this solution are those of:

(1) quite often the spoofed link is tested without any consideration to the context in which it was presented to the user thereby losing accuracy; and (2) once the user enters the address of the phishing site in the browser address bar, the user is exposed immediately to any attack carried by the site. (Abu-Nimeh, Nappa, Wang and Nair, 2007)

The phishing and fraud solutions in the three categories are listed in the table below.

Figure 1

Categories of Phishing and Fraud Solutions

Source: Abu-Nimeh, Nappa, Wang and Nair (2007)

The work of Wu, et al.

(2006) conducted an evaluation of the effectiveness of security toolbars in the prevention of phishing attacks. Experiments were performed on three security toolbars, as well as the browsers address bar and the status bar. Included in the study were 30 individuals which all showed that the toolbars that were tested were "ineffective in preventing phishing attacks. Users were spoofed 34% of the time. 20 out of 30 users got spoofed by at least one phishing attack. 85% of the spoofed users thought that websites look legitimate or exactly the same as they visited before. 40% of the spoofed users were tricked because of poorly designed websites, especially when using improper redirections." (Abu-Nimeh, Nappa, Wang and Nair, 2007) Two primary reasons that users fell under these attacks are stated to be those as follows:

(1) users discarded the toolbar display, as the content of the web pages looks legitimate or professional; and (2) companies do not follow good practice in designing their websites and the toolbar cannot help users distinguish poorly designed website from malicious phishing attacks. (Abu-Nimeh, Nappa, Wang and Nair, 2007)

The work of Knickerbocker, Yu, and Li (2009) entitled "Humboldt: A Distributed Phishing Disruption System" states that conventional techniques "for combating phishing have focused primarily on detecting phishing web sites and preventing users from revealing their passwords to such sites." This type of protection is stated to be inherently "incomplete and does nothing to protect users that do not reveal their passwords. Combating the phishing threat requires more than simple avoidance -- it requires a more active approach to disrupting even successful phishing operations." (Knickerbocker, Yu and Li, 2009)

The anti-phishing system introduced by Knickerbocker, Yu and Li (2009) is that called "Humboldt" which is similar to another system 'BogusBiter' which "…poisons the data that phishers obtain en masse in order to actively disrupt phishing activity." (Knickerbocker, Yu and Li, 2009) Specifically it is stated that Humboldt "…takes a different approach to injecting fraudulent submissions into the phishing site's collected data. It relies…

Cite This Capstone Project:

"Computer Forensics For Preventing Email" (2010, July 07) Retrieved February 20, 2018, from

"Computer Forensics For Preventing Email" 07 July 2010. Web.20 February. 2018. <>

"Computer Forensics For Preventing Email", 07 July 2010, Accessed.20 February. 2018,