Name: B. Sreevidya
Rno: 08491D5804

FINDING & STOPPING OF PHISHING ATTACKS THROUGH ONLINE

ABSTRACT:
Phishing is a new type of network attack in which the attacker creates an accurate copy of an existing web page to fool users into submitting personal, financial, or password data to what they think is their service provider’s website. The concept is an anti-phishing algorithm, called Link Guard, which utilizes the generic characteristics of the hyperlinks in phishing attacks. The Link Guard algorithm is the concept for finding the phishing e-mails sent by the phisher to grasp the information of the end user.
Link Guard is based on a careful analysis of the characteristics of phishing hyperlinks. Each end user is implemented with the Link Guard algorithm.

Existing System:

1) Detect and block the phishing Web sites in time: If we can detect the phishing Web sites in time, we can then block the sites and prevent phishing attacks. But it is difficult to find those phishing sites in time. There are two methods for phishing site detection.
a) The Web master of a legal Web site periodically scans the root DNS for suspicious sites.
b) Since the phisher must duplicate the content of the target site, he must use tools to (automatically) download the Web pages from the target site. It is therefore possible to detect this kind of download at the Web server and trace back to the phisher.
Drawbacks: Many phishing attacks simply do not require a DNS name. For phishing download detection, clever phishers may easily write tools

2) Enhance the security of the Web sites: Business Web sites, such as the Web sites of banks, can take new methods to guarantee the security of users’ personal information.
There are two methods to enhance the security:
a) Using hardware devices: for example, a hand-held card reader.
b) Biometric characteristics: e.g. voice, fingerprint, iris, etc.
Drawbacks: All these techniques need additional hardware and will also increase the cost. Therefore, it still needs time for these techniques to be widely adopted.

3) Block the phishing e-mails by various spam filters: The phishers hide their identities when sending the spoofed e-mails. Therefore, if anti-spam systems can determine whether an e-mail is sent by the announced sender, the phishing attacks will be decreased dramatically.
Techniques that prevent senders from counterfeiting their Sender ID (e.g. SIDF of Microsoft) can defeat phishing attacks efficiently. SIDF is a combination of Microsoft’s Caller ID for E-mail and SPF (Sender Policy Framework). Both Caller ID and SPF check the e-mail sender’s domain name to verify whether the e-mail was sent from a server that is authorized to send e-mails for that domain, and from that determine whether the e-mail uses a spoofed e-mail address. If it is faked, the Internet service provider can then determine that the e-mail is a spam e-mail.
The spoofed e-mails used by phishers are one type of spam e-mail. Spam filters can also be used to filter those phishing e-mails. Spam filters are designed for general spam e-mails and may not be very suitable for filtering phishing e-mails, since they generally do not consider the specific characteristics of phishing attacks.

4) Install online anti-phishing software in users’ computers: Despite all the above efforts, it is still possible for users to visit the spoofed Web sites. As a last defense, users can install anti-phishing tools on their computers.
The anti-phishing tools in use today can be divided into two categories: blacklist/whitelist based and rule-based.
a) When a user visits a Web site, the anti-phishing tool searches for the address of that site in a blacklist stored in the database. If the visited site is on the list, the anti-phishing tool then warns the user. They cannot prevent the attacks from the newly emerged (unknown) phishing sites.
b) Uses certain rules in their software, and checks the security of a Web site according to these rules.
Examples: Spoof Guard and Trust Watch provide a toolbar in the browsers.

All the above defense methods are useful and complementary to each other, but none of them is perfect at the current stage.

PROPOSED SYSTEM

A. Classification of the hyperlinks in the phishing e-mails

The hyperlinks used in phishing e-mails fall into the following categories:

1) The hyperlink provides DNS domain names in the anchor text, but the destination DNS name in the visible link doesn’t match that in the actual link. For instance, the following hyperlink:
<a href="http://www.profusenet.net/checksession.php">https://secure.regionset.com/EBanking/logon/</a>
appears to be linked to secure.regionset.com, which is the portal of a bank, but it is actually linked to a phishing site, www.profusenet.net.

2) A dotted decimal IP address is used directly in the URI or the anchor text instead of a DNS name. For example:
<a href="http://61.129.33.105/secured-site/www.skyfi.Com/index.html?MfclSAPICommand=SignInFPP&UsingSSL=1"> SIGN IN </a>

3) The hyperlink is counterfeited maliciously by using certain encoding schemes.
There are two cases:
a) The link is formed by encoding alphabets into their corresponding ASCII codes. See below for such a hyperlink.
<a href="http://034%02E%0333%34%2E%311%39%355%2E%o340o31:%34%39%30%33/%6C/%69%6E%64%65%78%2E%68%74%6D"> www.citibank.com </a>
While this link seems to point to www.citibank.com, it actually points to http://4.34.195.41:34/l/index.htm.
b) Special characters (e.g. (in the visible link) are used to fool the user into believing that the e-mail is from a trusted sender.
For instance, the following link seems to be linked to Amazon, but it is actually linked to IP address 69.10.142.34.
http://www.amazon.com:[email protected] 10.142.34

4) The hyperlink does not provide destination information in its anchor text and uses DNS names in its URI. The DNS name in the URI is usually similar to that of a famous company or organization. For instance, the following link seems to be sent from PayPal, but it actually is not, since paypal-cgi is actually registered by the phisher to let users believe that it has something to do with PayPal:
<a href="http://www.paypal-cgi.us/webscr.php?Cmd=Login"> Click here to confirm your account </a>

5) The attackers utilize the vulnerabilities of the target Web site to redirect users to their phishing sites or to launch CSS (cross site scripting) attacks. For example, the following link:
<a href="http://usa.visa.com/track/dyredirjsp?rDirl=http://200.251.251.10/.verified/"> Click here </a>
Once clicked, it will redirect the user to the phishing site 200.251.251.10 due to a vulnerability of usa.visa.com.

B. LINK GUARD ALGORITHM:
LinkGuard works by analyzing the differences between the visual link and the actual link. It also calculates the similarities of a URI with a known trusted site.

C. LINK GUARD IMPLEMENTED CLIENT:

It includes two parts: a whook.dll dynamic library and a LinkGuard executive. Whook is a dynamic link library; it is dynamically loaded into the address spaces of the executing processes by the operating system. Whook is responsible for collecting data, such as the called links, the visual links, and the user input URLs. LinkGuard is the key component of the implementation.
It is composed of 5 parts:
Comm: This collects the information of the input process and sends this related information to the Analyzer.
Database: Stores the whitelist, the blacklist, and the user input URLs.
Analyzer: It is the key component of Link Guard, which implements the Link Guard algorithm; it uses data provided by Comm and Database, and sends the results to the Alert and Logger modules.
Alerter: When receiving a warning message from the Analyzer, it shows the related information to alert the user and sends the reactions of the user back to the Analyzer.
Logger: Archives the history information, such as user events and alert information, for future use.

Software And Hardware Specification

HARDWARE REQUIREMENTS
* Hard disk: 20 GB and above
* RAM: 256 MB and above
* Processor speed: 1.6 GHz and above

SOFTWARE REQUIREMENTS
* Operating System: Windows 2000/XP
* Documentation Tool: MS Word 2000
* Technology used: JSP, Servlets, Apache Tomcat 5.5
* Database: Oracle XE
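
The hyperlink checks described under sections A and B (categories 1 to 4: visual link versus actual link, dotted decimal IP, encoding tricks, similarity to a trusted site), sketched in Python as an added example; this is not the project's own code. The TRUSTED whitelist, the 0.7 similarity threshold, the two-label domain split and the reading of category 3b as an "@" in the link are assumptions made for the illustration.

```python
import ipaddress
import re
from difflib import SequenceMatcher
from urllib.parse import unquote, urlsplit

# Constructed whitelist for the demo (assumption, not LinkGuard's database).
TRUSTED = {"paypal.com", "citibank.com", "amazon.com"}
URLISH = re.compile(r"(https?://)?[\w.-]+\.\w+(:\d+)?(/\S*)?", re.I)

def parse(url):
    """Return (raw authority, decoded lower-cased host) of a URL or bare host."""
    url = url if "//" in url else "//" + url
    try:
        parts = urlsplit(url)
        return parts.netloc, unquote(parts.hostname or "").lower()
    except ValueError:
        return "", ""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(href, anchor_text):
    """Return the page's hyperlink categories (1, 2, 3a, 3b, 4) that apply."""
    flags = set()
    text = anchor_text.strip()
    authority, actual = parse(href)
    # Only anchor text that itself looks like a URL or host carries a visible link.
    visible = parse(text)[1] if URLISH.fullmatch(text) else ""
    if visible and actual and visible != actual:
        flags.add("1")    # visible DNS name differs from the actual one
    if is_ip(actual) or is_ip(visible):
        flags.add("2")    # dotted decimal IP instead of a DNS name
    if "%" in authority:
        flags.add("3a")   # host written with character encoding
    if "@" in authority:
        flags.add("3b")   # trusted-looking text placed before "@" (assumption)
    if actual and not visible and not is_ip(actual):
        domain = ".".join(actual.split(".")[-2:])  # naive: no public-suffix list
        label = domain.split(".")[0]
        score = max(SequenceMatcher(None, label, t.split(".")[0]).ratio()
                    for t in TRUSTED)
        if domain not in TRUSTED and score >= 0.7:
            flags.add("4")  # look-alike of a trusted name
    return flags
```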