The Analysis of The Article "Phishing Attacks" by Mehdi Dadkhah

This article was written by Mehdi Dadkhah from Department of Computer and Information Technology, Foulad Institute of Technology, Isfahan, Iran, Shahaboddin Shamshirband and Ainuddin Wahid Abdul Wahab from Department of Computer System and Information technology, University of Malaya, Kuala Lumpur, Malaysia in 2016. The subject of this article is to review the literature to the existing of hybrid approach based on classification algorithms that was capable to identifying different types of phishing websites. The author stated according to McRae and Vaughn (2007) phishing is stands for “password harvesting fishing” brings meaning hunting for user passwords using bait but the “f” had been replace with “ph” for fascinating concept.

The author mentioned according to Butler (2007) usernames, passwords and credit card information via social engineering techniques are commonly the highest information that will be attack by phishing attacks. The author stated the major goal of a phishing attack is to create fake URL derived from bank web site or government entity through an email. This article examines previous writings and attempts to differentiate types of phishing attacks and to clearly define procedures to confront them. The author discussed the phishing attacks based on mischievous software, web Trojans, pharming, phishing injection, man-in-the-middle attacks, phishing using fake programs, domain hijacking, spear phishing and phishing through changing user system settings. The authors stated in order to encounter these problems users need to detect phishing web sites and fuzzy-based classifiers providing strong protection and aware of the phishing attack problem and need to look after the solution of these problems.

The authors explained in this article about the techniques have been developed such as sign-in seal (Agarwal, 2009), expert systems based on web page features to detect phishing web sites (Aburrous, 2010a), phishing hyperlink detection using genetic algorithms (Shreeram, 2010), phishing attack detection by hyperlink classification (Chen and Guo, 2006), attribute-based prevention of phishing attacks (Atighetchi and Pal, 2009), images for content-based phishing analysis (Dunlop, 2010), preventive anti-phishing using code word (Mishra and Jain, 2012), phishing page identification according to the degree of similarity between web page content and domain classification (Sanglerdsinlapachai and Rungsawang, 2010), relations for phishing detection (Liu, 2010), phishing page identification through comparing the degree of URL string deference against a white list (Reddy, 2011), phishing URL detection using ranking algorithms (Khonji, 2011) and data mining algorithms (Larose, 2014; Ramya, 2011; Aburrous, 2010).

The authors mentioned that the approach proposed in this article containing 27 features of confronting phishing attacks using expert system deployment. This technique has a vast set of rules and does not determine how the measures related to human factors that extracted from web sites (Mohammad, 2014; Larose, 2014; Ramya, 2011). The author mentioned about the detection of known phishing web sites and according to past research by Aburrous, 2010, Larose, 2014 Mohammad, 2014 and Ramya, 2011 the features; using IP address, long URL, HTTPS status, domain registration length, request URL, anchor URL, submitting information by e-mail, DNS record, PR, web site redirection, server from handler (SFH), status bar customization, using pop-up windows, disabling right click, adding a prefix or suffix, URL has the “@” symbol and abnormal URL are practical in the existing approach and these features help to identify phishing web sites or other than journal phishing. The author explained that the IBM SPSS Modeler data mining tools deliver the option to apply a set of classification algorithms on a data set and current suitable facilities to perform actions connected data mining. The author detailed that the error rate of each algorithm for data classification is assessable after applying the four algorithm on the training set designed with the “IBM SPSS Modeler” data mining tools.

Cyber law that related to Malaysia for the case mentioned in this article are attracting consumers to bogus website and reveal their private information are an uncertain summons under Computer Crime Act 1997. The Phisher could protect that they did not purposely adapt the real website for their purpose to illegitimately attain others personal data. Later, it is up to the prosecutor to illustration that the respondent has purposely adapted contents of the other computer without actual agreement. A scammer who involves in “phishing” activities may be charged for cheating under Section 415. Phisher can be accusing under section 3 of CCA 1997 for illegal access. The lure and transmitting their victims without their agreement is an official action base on Section 2 Subsection 5 of CCA 1997. Though there are uncertainty on phrase ’causes a computer to perform any function’ could be used by phisher to protect themselves. Section 4 of CCA 1997 denial for their protector by ‘offence of illegal access to a computer with determined to obligate a crime involving scam or fraudulence. Yet to relate Section 4, Section 3 must be shown first.

My recommendations about the article topic regarding the phishing web site includes aware with the phishing techniques. Be aware of phishing web site as early as possible, you will be at much minor threat of getting trapped by one. For IT administrators, ongoing security awareness training and fake phishing for all users is highly commended in custody security top of mind through the organization. A phishing email may entitlement to be from a genuine company and when you click the link to the website, it may aspect accurately like the actual website. The email might ask you to fill in the information but the email might not cover your name. Most phishing emails will start with “Dear Customer” so you must be attentive when come through these emails. Install an anti-phishing toolbar. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security permit as well. Do not open the web site if the message uttering an assured web site might contain mean files. Never give your personal information or financial information on internet. Download the anti-virus software on your device.

As the conclusion, some of the features have been previously presented, which is also exact for journal phishing attacks, the usable features for identifying these attacks were introduced individually. The author also mentioned that a hybrid approach based on classification algorithms was offered which is able to classify numerous types of phishing pages. In this approach, the features that do not show a significant part in detecting phishing attacks were abolished and the method of searching page titles in search engines were added, monitored by adding the competence to find journal phishing and phishing pages embedded in legal sites as part of the approach.