Phishing like the first step to gaining access

Authors

  • Guda Anton
  • Klishch Sergey

DOI:

https://doi.org/10.34185/1562-9945-4-147-2023-13

Keywords:

phishing, cyber security, multifactor authentication, social engineering.

Abstract

Phishing, as a term that means the technique of sending phishing messages, will be researched based on findings in public access and using the listed links. The process of a phishing attack will be analyzed, and then we will pay attention to the technical vectors of how users become victims of the attack. Finally, existing research on phishing attacks and related prevention approaches will be reviewed. Mitigating phishing attacks is an important research topic worth exploring. Although a lot of research has been done, this threat still exists in the real world, and its prevalence is constantly increasing. According to research results, detecting phishing attacks is a difficult problem. There are two main strategies used to mitigate phishing attacks: either improving the performance of phishing detection technology or improving people's awareness of these attacks. Developing human expertise is a key way to defeat phishing attacks, as phishing attacks exploit human weaknesses rather than network weaknesses. Also, humans are always the weakest link in social engineering attacks. Compared to phishing website detection, phishing email detection may require user involvement to achieve better detection results, because the success of a phishing email depends on its context, specifically on whether the premise of the phishing email is consistent with the user's work context (or current situation). Most anti-phishing solutions are implemented to mitigate general phishing attacks, but they ignore some specific situations, such as advanced phishing attacks. As for preventing advanced phishing attacks, phishing websites are difficult to detect if a victim is attacked using stolen DNS data, because the URL content and website content are the same as those of the legitimate website. Most content-based approaches may not work because the content of the accessed URL is an important factor in the decision.
As for preventing subdomain hijacking attacks, it is difficult to detect a phishing website if the phishers have hosted the website on a subdomain taken from a legitimate website. The web content, URL, and SSL certificate information will all be the same as those of the legitimate website. Moreover, the approach to enumeration of subdomains needs improvement: most current tools are based on rough enumeration, and existing dictionaries may not cover all instances of subdomains, as some subdomains may be meaningless.

Published

2023-11-13