State of Research on Phishing and Recent Trends of Attacks

Aniket Bhadane*, Sunil B. Mane**
* M.Tech Scholar, Department of Computer Engineering, Government College of Engineering Pune (COEP), Shivajinagar, Pune, Maharashtra, India.
** Associate Professor, Department of Computer Engineering and Information Technology, Government College of Engineering Pune (COEP), Shivajinagar, Pune, Maharashtra, India.
Periodicity: December - February 2018
DOI: https://doi.org/10.26634/jcom.5.4.14608

Abstract

Phishing attacks cause companies and individuals huge economic as well as intangible damages, and they employ a litany of attack vectors. Dealing with such attacks requires countermeasures in several areas. In this paper, the authors present a survey of the literature on phishing detection and of the current trends in phishing. The authors also note that phishing detection can be classified into three main categories, namely preventing attacks from reaching users, user training, and more useful user interfaces. The goal of this paper is to cover all important aspects involved in phishing detection, whereas existing surveys on phishing detection have focused on individual aspects. There has been a continuous increase in phishing attacks, with a sharp rise in spear phishing and attacks over social media.

Keywords

Phishing, Social Engineering, Phishing Detection, Usable Security, Human Computer Interaction.

How to Cite this Article?

Bhadane, A., and Mane, S.B. (2018). State of Research on Phishing and Recent Trends of Attacks. i-manager’s Journal on Computer Science, 5(4), 14-35. https://doi.org/10.26634/jcom.5.4.14608
