Prevention and control of phishing sites is very challenging, especially when the overall safety environment of the Internet is relatively poor and the infrastructure is far from adequate. The dilemma is that the benefit is very small compared with what has to be spent on this cause. Prevention and control of phishing sites has to be done step by step, in the hope that the efforts will finally bear fruit.
Phishing sites are mainly spread through e-mails, IM, etc. Depending on the website's business, phishing links may also appear in its comment sections, blogs, and forums. As SNS and microblogs are very popular nowadays, they have also become main routes of transmission for phishing sites.
Control the Routes of Transmission of Phishing Sites
Controlling the channels through which phishing sites spread will curb their reach.
If a website offers IMs, mail, or other Internet-based services, it can use its own resources to check and control user-generated content, especially in interactive sections, and filter out any links to phishing sites. Phishing also spreads through third-party websites. Many websites do not run their own mail service; instead, a third-party mail provider such as Gmail or Yahoo Mail handles the mailbox used for user registration. If a phishing e-mail is sent to a user's mailbox there, it is out of the scope of the site itself.
The entire Internet should work together to fight phishing; hence, where combating phishing is out of the scope of the target site, the site should actively seek the cooperation of external resources to build a safe environment, that is, to establish an antiphishing alliance. Many large Internet companies have realized the importance of such an alliance, and it has begun to take shape: websites, other Internet-based services, browser vendors, antivirus vendors, banks, and governments have all come together to be a part of it. The browser has an important part to play in this because it is the gate to the Internet. Phishing, regardless of the medium through which it spreads, will eventually go through a browser. If phishing can be blocked in the browser itself, more can be achieved with less effort. Figure 16.11 shows how Chrome blocks a phishing site with a warning. Browsers and antivirus software face similar difficulties in dealing with phishing: sharing information about phishing sites, and the coverage of their user base. Only when different browser vendors and antivirus vendors synchronize a blacklist of phishing URLs can this final line of defense be reinforced.
Blacklists of phishing sites can be published on the Internet so that any browser or antivirus vendor can access and use them. Google provides a Safe Browsing API through which blacklists of phishing sites, "hanging horse" (drive-by malware) sites, and fraud URLs can be obtained.
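The two controls described above, filtering links in user-generated content and checking them against a shared blacklist, fit together in one piece of logic. The following is an added example, not code from the book or from any vendor's API: it extracts URLs from a constructed comment, canonicalizes each one so trivial variations (upper-case host, default port, dot segments, fragments) hit the same entry, and then matches against a constructed host blacklist (including parent domains) and a constructed URL-prefix blacklist. The blacklist entries and the sample comment are assumptions made up for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed blacklist entries (hypothetical, not real phishing sites). A shared
# list such as the one the text describes would supply these from outside.
BLACKLIST_HOSTS = {"login-taobao-verify.example", "secure-pay.example.net"}
BLACKLIST_PREFIXES = {"http://shared-host.example/phish/"}

# Rough URL matcher for user-generated text: http(s) URLs and bare www. links.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")


def canonicalize(url):
    """Normalize a URL so that a blacklist lookup is not defeated by cosmetic
    variation: lower-case scheme and host, drop default ports and the fragment,
    percent-decode and collapse '.' / '..' segments in the path."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    path = posixpath.normpath(unquote(parts.path) or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def lookup(url, hosts=BLACKLIST_HOSTS, prefixes=BLACKLIST_PREFIXES):
    """Return (canonical_url, reason) where reason is 'host', 'prefix' or None."""
    canon = canonicalize(url)
    host = urlsplit(canon).hostname or ""
    labels = host.split(".")
    # Blacklist entries usually cover a whole domain, so try the host and each
    # parent domain (but never the bare top-level label).
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in hosts:
            return canon, "host"
    for prefix in prefixes:
        if canon.startswith(prefix):
            return canon, "prefix"
    return canon, None


def filter_comment(text, hosts=BLACKLIST_HOSTS, prefixes=BLACKLIST_PREFIXES):
    """Scan user-generated text and return every link that hits the blacklist
    as (raw_link, canonical_url, reason). The caller decides whether to strip
    the link, hold the post for review, or reject it."""
    flagged = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:)")  # trailing sentence punctuation
        canon, reason = lookup(raw, hosts, prefixes)
        if reason:
            flagged.append((raw, canon, reason))
    return flagged


# Constructed sample comment, as a forum moderation filter would receive it.
SAMPLE_COMMENT = (
    "Great deal! Verify at http://Login-TAOBAO-verify.example:80/Sign.in/../login?u=1 "
    "or www.shop.example/ok and http://shared-host.example/phish/x.html."
)

if __name__ == "__main__":
    for raw, canon, reason in filter_comment(SAMPLE_COMMENT):
        print(f"{reason:6} {raw} -> {canon}")
```

The parent-domain walk is what makes a single blacklist entry for `secure-pay.example.net` also catch `mail.secure-pay.example.net`; the prefix list covers the common case of one phishing page hosted on an otherwise legitimate shared host, where blocking the whole host would be a false positive.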
Direct Fight against Phishing Sites
Shutting down the websites involved in phishing is a direct way of fighting them. Many DNS and IDC operators have started providing site shutdown services. However, since it is not easy for operators to determine whether a URL is a phishing site, they rely on third-party security companies to supply this information and then shut down the malicious websites. This has grown into a business in which site-related services can be purchased to protect a brand; the services include taking down a domain name as well as the applications on the virtual host. The fastest response time for shutting down a site can be within a few hours.
RSA, MarkMonitor, and Netcraft are some of the known players in this business. In China, the Anti-Phishing Alliance of China (APAC) under CNNIC is one of the leading organizations providing takedown services for .cn domain names and hosts.
With the increasing intensity of supervision of operators, a growing number of phishing sites have begun to shift to foreign operators in order to avoid legal risk and to avoid being traced. An investigation found that many phishing sites are hosted with operators in the United States and South Korea. In China, the laws against cybercrime are not yet well developed: cybercrimes are still dealt with under traditional legal provisions and fall into the category of theft and fraud.
Phishing is a fraudulent act and can be punished as fraud. However, the individual losses of many phishing victims are often not large enough to justify forensics and litigation. Many crooks use proxy servers or fake IP addresses to avoid being traced, which adds to the difficulty of gathering evidence. Although curbing phishing activities is a challenging task, in China fraudsters are punished strictly under the existing laws. Catching one phishing group leads in turn to a drop in the total number of phishing cases; hence, it is a significant deterrent.
User education will always be an indispensable part of online security. Websites need to inform their users of what is good and what is bad. Crying wolf is useless; too much warning will only make users lose their vigilance. I have come across such a case:
A Trojan spread through an IM was active and many users were deceived. When the operators came to know about this, they added a function to the IM to fight it: the function checks whether the file a user transfers is an executable file (.exe), and if it is a compressed package, it checks whether the package contains an .exe. If so, the function warns the user about a possible Trojan.
Later, we found that the cheat told the users: “Are you using the latest version? This version reports anything as a Trojan. Do not worry, just click.” This incident underlines the need for better user education.
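The transfer check described in the anecdote above, written out as an added example (not the IM vendor's code): it flags a transferred file by executable extension, and, if the file is a zip package, opens it in memory and applies the same check to each member, recursing to a bounded depth. It goes a little beyond the anecdote in two ways that a practitioner would want: it also looks at the `MZ` magic bytes so that an executable renamed to `.jpg` is still caught, and it refuses to decompress oversized members so the check itself cannot be used to exhaust memory. The sample archive and file names are constructed for the example.

```python
import io
import zipfile

# Extensions Windows will execute directly (the anecdote's check used only .exe).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Assumed cap on what we are willing to decompress for inspection (zip-bomb guard).
MAX_MEMBER_SIZE = 50 * 1024 * 1024


def looks_like_pe(data):
    """DOS/Windows executables start with the 'MZ' header whatever they are named."""
    return data[:2] == b"MZ"


def inspect_transfer(filename, data, max_depth=2):
    """Return the reasons a transferred file should trigger a Trojan warning
    (an empty list means nothing suspicious was found). Checks the outer file
    by extension and magic bytes, then recurses into zip archives up to
    max_depth levels so an executable hidden inside a package is still seen."""
    reasons = []
    lowered = filename.lower()
    if lowered.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append(f"{filename}: executable extension")
    if looks_like_pe(data):
        reasons.append(f"{filename}: PE (MZ) header")
    if max_depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                member_name = f"{filename}/{info.filename}"
                if info.file_size > MAX_MEMBER_SIZE:
                    # Do not inflate it; an uninspectable member is itself a reason to warn.
                    reasons.append(f"{member_name}: too large to inspect")
                    continue
                reasons.extend(inspect_transfer(member_name, archive.read(info), max_depth - 1))
    return reasons


def build_sample_zip():
    """Constructed sample: a harmless text file plus an executable with a
    double extension, the kind of package the anecdote's warning targets."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("readme.txt", "hello")
        archive.writestr("photos/holiday.jpg.exe", b"MZ" + b"\x00" * 62)
    return buffer.getvalue()


if __name__ == "__main__":
    for reason in inspect_transfer("vacation.zip", build_sample_zip()):
        print("warning:", reason)
```

Note the trade-off the anecdote itself illustrates: every match here produces the same warning, and once users learn that "this version reports anything as a Trojan", the warning loses its value. Distinguishing the reasons (a bare `.exe` versus an `MZ` header behind a `.jpg` name) is the first step toward warnings that users can actually act on.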
Automatic Identification of Phishing Sites
In the process of intercepting phishing sites, the key is to identify them quickly and accurately. Manual handling cannot be relied upon because the workload is huge, so technical means are needed to identify phishing sites automatically.
Many security companies have begun to conduct research in this area, and the research has started to show good results. Phishing URLs are deceptive by design: they imitate features of genuine URLs. For example, the genuine URL of a Taobao item ("baby") page contains the parameter value "-0db2-b857a497c356d873h536h26ae7c69", and this value has almost become a signature of Taobao URLs.
Automatically identifying phishing sites is a complex task, and different approaches may produce different results. However, constant scrutiny and confrontation with the cheats will improve identification over time. There are no fixed rules or models for automated identification and control of phishing sites, because the sites and the way they operate keep changing. But even the most accurate system will have false positives; hence, human review of the results is ultimately needed.
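To make the identification discussion concrete, here is an added example of a feature-based URL scorer; it is illustrative code written for this page, not any security company's detector, and the brand table, weights, and thresholds are assumptions. It scores a URL on the kind of features the text alludes to: a protected brand name in the authority part of a URL whose registered domain is not the brand's, the Taobao parameter signature quoted above appearing on a foreign domain, a numeric IP host, userinfo before an `@`, deep subdomain nesting, and hyphen-heavy hosts. Rather than a binary answer it returns an allow / review / block band, with the middle band being exactly the human-review queue the text says is unavoidable. The registered-domain logic is a deliberate simplification (a short suffix table instead of the public suffix list).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed table of protected brands and their legitimate registered domains
# (an assumption for the example; a real list would be far larger).
BRANDS = {
    "taobao": {"taobao.com"},
    "alipay": {"alipay.com"},
}
# The parameter value the text cites as a near-signature of genuine Taobao item URLs.
TAOBAO_SIGNATURE = "-0db2-b857a497c356d873h536h26ae7c69"
# Tiny stand-in for the public suffix list: suffixes under which registration
# happens at the third label.
SECOND_LEVEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "co.uk", "co.jp"}


def registered_domain(host):
    """Registrable part of a hostname, e.g. 'a.b.taobao.com' -> 'taobao.com'.
    For an IP address the result is meaningless but harmless (caught by is_ip)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_url(url):
    """Return (verdict, score, reasons). Weights and bands are illustrative:
    >= 4 block, 2..3 hold for human review, otherwise allow."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    authority = parts.netloc.lower()  # includes any userinfo and port
    registered = registered_domain(host)
    score, reasons = 0, []

    if is_ip(host):
        score += 3
        reasons.append("numeric IP host")
    for brand, legit in BRANDS.items():
        if brand in authority and registered not in legit:
            score += 3
            reasons.append(f"brand '{brand}' in authority, registered domain is {registered}")
        elif brand in (parts.path + parts.query).lower() and registered not in legit:
            score += 1
            reasons.append(f"brand '{brand}' in path/query of foreign domain")
    if TAOBAO_SIGNATURE in url and registered not in BRANDS["taobao"]:
        score += 3
        reasons.append("Taobao URL signature on a foreign domain")
    if host.count(".") >= 4:
        score += 1
        reasons.append("many subdomain levels")
    if "@" in parts.netloc:
        score += 2
        reasons.append("userinfo '@' in authority")
    if host.count("-") >= 2:
        score += 1
        reasons.append("hyphen-heavy host")

    verdict = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return verdict, score, reasons


# Constructed sample URLs (documentation-style hostnames, not real sites).
SAMPLES = [
    "https://item.taobao.com/item.htm?id=1-0db2-b857a497c356d873h536h26ae7c69",
    "http://item.taobao.com.login-verify-shop.example/item.htm?id=123-0db2-b857a497c356d873h536h26ae7c69",
    "http://203.0.113.5/login",
    "http://taobao.com@evil.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, score, reasons = score_url(sample)
        print(f"{verdict:6} {score:2} {sample}\n       {'; '.join(reasons) or '-'}")
```

The genuine Taobao URL scores zero because the brand and the signature both sit on the brand's own registered domain; the same signature on a foreign domain is the single strongest signal, which is the point of the text's example. The bare-IP case lands in the review band on purpose: it is suspicious but common enough on legitimate test hosts that a human should look before blocking.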