Open Proxy: A road block for Phishing investigations

Swapan Purkait*
Research Scholar, Vinod Gupta School of Management, Indian Institute of Technology, Kharagpur, India.
Periodicity:December - February'2013
DOI : https://doi.org/10.26634/jit.2.1.2142

Abstract

When a hacker sends a phishing email or host a phishing website, investigators must locate the source of the communication, they must trace the electronic trail leading from the email or the web server back to the perpetrator. Traceability is a key to the investigation of the cyber crime such as phishing. It is impossible to prevent all internet misuse but may be possible to identify and trace the user, and take appropriate legal action. Different phishing detection mechanisms have been addressed in research papers, but with little being focused on open proxy usage rather, misusages. This paper addresses the security concern for mushrooming of open proxy servers in the globe. This work highlights how anonymity provided to the phisher by an open proxy is becoming a major roadblock for cyber crime investigating agencies in India. We conducted personal interviews with various law enforcement officers involved in Cyber crime cases mainly, Phishing and prepared a flow chart how all these cases getting stalemate because of the open proxy servers. Helpless condition of theses investigating agencies proves that easy availability of free and easy anonymous proxy servers motivates phisher to plan the attack knowing very well that they will not be traced back. In our solution framework we propose two dimensional approach combining technical solution and legal cooperation among international law enforcement agencies. Our technical solution will be able to flag all emails that are using an open proxy, also it will be able to locate any website usage or update through an open proxy.

Keywords

Cyber Crime; Open Proxy; Phishing; Anti-Phishing; Internet Security

How to Cite this Article?

Swapan Purkait (2013). Open Proxy: A Road Block For Phishing Investigations. i-manager’s Journal on Information Technology, 2(1), 22-33. https://doi.org/10.26634/jit.2.1.2142

References

[1]. Adinolfi, D. (2003), "Open Web Proxies on the Cornell University Network", available at: http://www.it.cornell.edu/cms/security/depth/strategy/upload/OpenWebProxies.pdf, (accessed February 2013)
[2]. Altintas, M. H. and Gursakal, N. (2007). Phishing Attacks and Perceptions of Service Quality: A Content Analysis of Internet Banking in Turkey. Journal of Internet Banking & Commerce, Aug2007, Vol. 12 Issue 2, pp. 1-13.
[3]. Anderson, K. B., Durbin, E., and Salinger, M. A., (2008). Identity Theft. Journal of Economic Perspectives. Volume 22, Number 2. Spring 2008, 171–192
[4]. APWG (2012), "Global Phishing Survey: Trends and Domain Name Use in 1H2012", available at: http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2012.pdf, (accessed February 2013)
[5]. Bainbridge, D. (2007). Criminal law tackles computer fraud and misuse. Computer Law and Security Report, 23, 276-281.
[6]. Bielski, L. (2004). Phishing Phace-Off. American Bankers Association. ABA Banking Journal, Vol. 96, Sep 2004, pp. 46-54.
[7]. Bielski, L. (2005). Security Breaches Hitting Home. American Bankers Association. ABA Banking Journal, Vol. 97, June 2005, pp. 7-8.
[8]. Blair, D. (2009), "US struggles to pinpoint cyber attacks: Top official", available at: http://phys.org/news155937581. html, (accessed February 2013)
[9]. Boneh, D. (2004), “The Difficulties of Tracing Spam Email", available at: http://www.ftc.gov/reports/rewardsys/ expertrpt_boneh.pdf, (accessed February 2013)
[10]. Bose, I. and Leung, A.C.M. (2008). Assessing anti-phishing preparedness: A study of online banks in Hong Kong. Decision Support Systems, 45, pp. 897-912.
[11]. Bose, I. and Leung, A.C.M. (2009). What Drives The Adoption Of Antiphishing Measures By Hong Kong Banks?. Communications of the ACM, Volume 52, Issue 8, 141-143
[12]. Brody, R.G., Mulig, E. and Kimball, V. (2007). Phishing, Pharming and Identity Theft. Academy of Accounting and Financial Studies Journal, Volume 11, 43-56.
[13]. Calman, C. (2006). Bigger Phish To Fry: California'S Antiphishing Statute And Its Potential Imposition Of Secondary Liability On Internet Service Providers. Richmond Journal of Law & Technology, Volume XIII, Issue1, 1-24
[14]. Canini, M., Li, W. and Moore, A. W. (2009), "Toward the Identification of Anonymous Web Proxies", Proceedings of Passive and Active Network Measurement 10th International Conference, PAM 2009, Seoul, Korea, April 1-3, 2009
[15]. CERT-IN (2013), Indian Computer Emergency Response Team (CERT-IN), available at: http://www.cert-in.org.in, (accessed February 2013)
[16]. Chen, X., Bose, I., Leung, A. C. M. and Guo, C. (2010). Assessing the severity of phishing attacks: A hybrid data mining approach. Decision Support Systems, Volume 50, Issue 4, March 2011, pp. 662-672.
[17]. CoDeen (2013), “A Content Distribution Network for PlanetLab”, available at: http://codeen.cs.princeton.edu, (accessed February 2013)
[18]. Deity (2013), Department of Electronics and Information Technology, Ministry of Communications & Information Technology, Government of India, available at : http://deity.gov.in/content/information-technology-act, (accessed February 2013)
[19]. Denvpn (2013), “Unrestricted Internet Access”, available at: http://www.denvpn.com/?gclid= CJz9gKSW754CFQQwpAoduX7XzQ, (accessed February 2013)
[20]. Dinna., N. M. M., Leau., Y. B., Habeeb., S. A. H. and Yanti., A. S. (2007). Managing Legal, Consumers and Commerce Risks in Phishing. Proceedings of World Academy of Science Engineering and Technology, Volume 26, 562-567.
[21]. Eggendorfer, T. (2005), “Anonymous surfing with Java Anonymous Proxy GHOST SURFING”, Linux Magazine, Issue 60, available at: http://www.linux-magazine.com/content/download/62640/485598/file/Java_Anonymous_Proxy.pdf, (accessed February 2013)
[22]. Eisenstein, E. M. (2008). Identity theft: An exploratory study with implications for marketers. Journal of Business Research, Volume 61, Issue 11, November 2008, 1160-1172
[23]. Emm, D. (2006). Phishing update, and how to avoid getting hooked. Network Security. Volume 2006, Issue 8, August 2006, 13–15.
[24]. Featherman, M. S., Miyazaki, A. D. and Sprott, D. E. (2010).Reducing online privacy risk to facilitate e-service adoption: the influence of perceived ease of use and corporate credibility. Journal of Services Marketing, Vol. 24 Iss: 3, pp. 219 - 229.
[25]. Furnell, M. (2004). Getting caught in the phishing net. Network Security, Issue 5, May 2004, pp. 14-18.
[26]. Furnell, S. (2004a). E-Commerce Security: A Question Of Trust. Computer Fraud & Security, Volume 2004, Issue 10, October 2004, pp. 10-14
[27]. Furnell, S. (2008). It's a jungle out there: Predators, prey and protection in the online wilderness. Computer Fraud & Security, Volume 2008, Issue 10, October 2008, pp. 3-6.
[28]. Gartner (2009), "Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40 Percent in 2008", available at: http://www.gartner.com/it/ page.jsp?id=936913, (accessed February 2013)
[29]. Granova, A. and Eloff, JHP. (2005). A Legal overview of Phishing. Computer Fraud & Security, Issue 7, 6-7.
[30]. Hill, B. A. (2009), “Cyber Security problems at Nuclear Lab”, available at: http://abcnews.go.com/Blotter/ security-shortcomings-nuclear-labs/story?id=9394614, (accessed February 2013)
[31]. Hinde, S. (2004). All you need to be a phisherman is patience and a worm, Computer Fraud & Security, Volume 2004, Issue 3, March 2004, 4-6.
[32]. Huang, P., Yang, C. and Ahn, T. (2009),"Design and Implementation of a Distributed Early Warning System Combined with Intrusion Detection System and Honeypot", Proceedings of the ICHIT '09, International Conference on Hybrid Information Technology, Korea, pp. 232-238.
[33]. Kim, W., Jeong, O., Kim, C. and So, J. (2011). The Dark Side Of The Internet: Attacks, Costs And Responses. Information Systems, Volume 36, Issue 3, May 2011, 675-705
[34]. Krawetz, N. (2004), "Anti-honeypot technology", Security & Privacy, IEEE, Volume: 2, Issue:1, pp. 76-79.
[35]. Larcom, G. and Elbirt, A.J. (2006). Gone Phishing. Technology and Society Magazine. IEEE, Volume: 25 , Issue: 3 , 52-55
[36]. Larson, J. S. (2010). Enforcing Intellectual Property Rights to Deter Phishing. Intellectual Property & Technology Law Journal, Volume 22, Number I, 1-8.
[37]. Lovet, G. (2009), "Fighting Cybercrime: Technical, Juridical and Ethical Challenges", Proceedings of the Virus Bulletin Conference, pp. 63-76.
[38]. Martin, D. and Schulman, A. (2002), "Deanonymizing Users of the SafeWeb Anonymizing Service", Proceedings of the 11th USENIX Security Symposium San Francisco, California, USA, available at: http://static.usenix.org/event/sec02/full_papers/martin/martin.pdf, (accessed February 2013)
[39]. Martin, D. and Alsaid, A. (2003), "Hidden surveillance by Web sites: Web bugs in contemporary use", Communications of the ACM - Mobile computing opportunities and challenges, Volume 46 Issue 12, pp. 258-264.
[40]. Mcnealy, J. (2008). Angling for Phishers: Legislative Responses to Deceptive E-Mail. Communication Law and Policy, Volume 13, Issue 2, Taylor & Francis, USA, 275-300.
[41]. McRae, C. M. and Vaughn, R. B. (2007), "Phighting the Phisher: Using Web Bugs and Honeytokens to Investigate the Source of Phishing Attacks", Proceedings of the HICSS 2007, Hawaii
[42]. Medvet, E., Kirda, E. and Kruegel, C. (2008). Visual-Similarity-Based Phishing Detection. Proceedings of the 4th international conference on Security and privacy in communication networks, Istanbul, Turkey.
[43]. Mercuri, R. T. (2006). Scoping Identity Theft. Communications of the ACM, Volume 49, Issue 5, 17-21.
[44]. Mokube, I. and Adams, M. (2007), "Honeypots: concepts, approaches, and challenges", Proceedings of the 45th Annual Southeast Regional Conference, pp. 312-326
[45]. Pai, V. S., Wang, L., Park, K., Pang, R. and Peterson, L. (2004), "The dark side of the Web: an open proxy's view", ACM SIGCOMM Computer Communication Review, Volume 34 Issue 1, pp. 57-62.
[46]. Parno, B., Kuo, C. and Perrig, A. (2006). Phoolproof Phishing Prevention. Financial Cryptography and Data Security Lecture Notes in Computer Science, Volume 4107, pp. 1 -19.
[47]. PhishTank (2012), "PhishTank > Statistics about phishing activity and PhishTank usage > July 2012", available at: http://www.phishtank.com/stats/2012/07/ (accessed February 2013)
[48]. Shein, E. (2011). The Gods Of Phishing. Infosecurity, Volume 8, Issue 2, March–April 2011, 28-31.
[49]. Thosmas, D. and Loader, D. B. (2000), “Cyber crime: Security and Surveillance in the Information Age”, Routledge, New York USA
[50]. Wang, J., Chen, R., Herath, T. and Rao, H. R. (2009). Visual E-Mail Authentication And Identification Services: An Investigation Of The Effects On E-Mail Use, Decision Support Systems, Volume 48, Issue 1, December 2009, pp. 92-102.
If you have access to this article please login to view the article or kindly login to purchase the article

Purchase Instant Access

Single Article

North Americas,UK,
Middle East,Europe
India Rest of world
USD EUR INR USD-ROW
Pdf 35 35 200 20
Online 35 35 200 15
Pdf & Online 35 35 400 25

Options for accessing this content:
  • If you would like institutional access to this content, please recommend the title to your librarian.
    Library Recommendation Form
  • If you already have i-manager's user account: Login above and proceed to purchase the article.
  • New Users: Please register, then proceed to purchase the article.