
Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

Cognitive Computation

Abstract

Phishing is a form of electronic identity theft in which a combination of social engineering and Web site spoofing techniques is used to trick a user into revealing confidential information with economic value. The difficulty with social engineering attacks is that no single solution can eliminate them completely, since they depend largely on the human factor. This is why empirical experiments are crucial for studying and analyzing the malicious and deceptive attack techniques and strategies used by phishing Web sites. In this paper, three different phishing experiment case studies were conducted to shed some light on social engineering attacks, such as phone phishing and phishing Web site attacks, in order to design effective countermeasures and to analyze how effective security awareness about phishing threats is. Results and reactions to our experiments show the importance of conducting phishing awareness training for all users and of doubling our efforts in developing phishing prevention techniques. Results also suggest that the traditional standard security indicators of phishing are not always effective for detecting phishing Web sites, and that alternative intelligent phishing detection approaches are needed.





Correspondence to Maher Aburrous.


Cite this article

Aburrous, M., Hossain, M.A., Dahal, K. et al. Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies. Cogn Comput 2, 242–253 (2010). https://doi.org/10.1007/s12559-010-9042-7


  • DOI: https://doi.org/10.1007/s12559-010-9042-7
