Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft / Edition 1

Hardcover (Print)

Phishing attacks, or the practice of deceiving people into revealing sensitive data on a computer system, continue to mount. Here is the information you need to understand how phishing works, how to detect it, and how to prevent it. Phishing and Countermeasures begins with a technical introduction to the problem, setting forth the tools and techniques that phishers use, along with current security technology and countermeasures that are used to thwart them. Readers are not only introduced to current techniques of phishing, but also to emerging and future threats and the countermeasures that will be needed to stop them. The potential and limitations of all countermeasures presented in the text are explored in detail. In spite of the fact that phishing attacks constantly evolve, much of the material in this book will remain valid, given that the book covers the general principles as much as actual instances of phishing.

While delving into a myriad of countermeasures and defense strategies, the authors also focus on the role of the user in preventing phishing attacks. The authors assert that countermeasures often fail not for technical reasons, but rather because users are unable or unwilling to use them. In response, the authors present a number of countermeasures that are simple for users to implement, or that can be activated without a user's direct participation. Moreover, the authors propose strategies for educating users. The text concludes with a discussion of how researchers and security professionals can ethically and legally perform phishing experiments to test the effectiveness of their defense strategies against the strength of current and future attacks.

Each chapter of the book features an extensive bibliography to help readers explore individual topics in greater depth. With phishing becoming an ever-growing threat, the strategies presented in this text are vital for technical managers, engineers, and security professionals tasked with protecting users from unwittingly giving out sensitive data. It is also recommended as a textbook for students in computer science and informatics.

Editorial Reviews

From the Publisher
"…I highly recommend this as a must-read book in the collection of phishing literature." (Computing, September 13, 2007)

"…may be used as a textbook or a comprehensive reference for individuals involved with Internet security…" (CHOICE, July 2007)

Product Details

  • ISBN-13: 9780471782452
  • Publisher: Wiley
  • Publication date: 11/28/2006
  • Edition number: 1
  • Pages: 736
  • Product dimensions: 6.48 (w) x 9.53 (h) x 1.30 (d)

Meet the Author

MARKUS JAKOBSSON, PhD, is Associate Professor in the School of Informatics at Indiana University, where he is also Associate Director of the Center for Applied Cybersecurity Research. Dr. Jakobsson is the former editor of RSA CryptoBytes. He is a noted authority on the subject of phishing and is regularly invited to speak on the topic at conferences and workshops.

STEVEN MYERS, PhD, is Assistant Professor in the School of Informatics at Indiana University and a member of the University's Center for Applied Cybersecurity Research. Dr. Myers worked on secure email anti-phishing technology at Echoworx Corporation, and has written several papers on cryptography, distributed systems, and probabilistic combinatorics.

Table of Contents

Preface     xix
Acknowledgements     xxiv
Introduction to Phishing     1
What is Phishing?     1
A Brief History of Phishing     2
The Costs to Society of Phishing     4
A Typical Phishing Attack     5
Phishing Example: America's Credit Unions     6
Phishing Example: PayPal     10
Making the Lure Convincing     12
Setting The Hook     18
Making the Hook Convincing     20
The Catch     22
Take-Down and Related Technologies     23
Evolution of Phishing     23
Case Study: Phishing on Froogle     24
Protecting Users from Phishing     28
References     29
Phishing Attacks: Information Flow and Chokepoints     31
Types of Phishing Attacks     32
Deceptive Phishing     32
Malware-Based Phishing     34
DNS-Based Phishing ("Pharming")     35
Content-Injection Phishing     36
Man-in-the-Middle Phishing     36
Search Engine Phishing     37
Technology, Chokepoints, and Countermeasures     37
Step 0: Preventing a Phishing Attack Before It Begins     38
Step 1: Preventing Delivery of Phishing Payload     40
Step 2: Preventing or Disrupting a User Action     43
Steps 2 and 4: Prevent Navigation and Data Compromise     49
Step 3: Preventing Transmission of the Prompt     50
Step 4: Preventing Transmission of Confidential Information     52
Steps 4 and 6: Preventing Data Entry and Rendering It Useless     55
Step 5: Tracing Transmission of Compromised Credentials     57
Step 6: Interfering with the Use of Compromised Information     58
Step 7: Interfering with the Financial Benefit     62
References     62
Spoofing and Countermeasures     65
Email Spoofing     65
Filtering     68
Whitelisting and Greylisting     70
Anti-spam Proposals     71
User Education     73
IP Spoofing     74
IP Traceback     75
IP Spoofing Prevention     78
Intradomain Spoofing     80
Homograph Attacks Using Unicode     81
Homograph Attacks     81
Similar Unicode String Generation     82
Methodology of Homograph Attack Detection     83
Simulated Browser Attack      89
Using the Illusion     93
Web Spoofing     94
SSL and Web Spoofing     96
Ensnaring the User     98
SpoofGuard Versus the Simulated Browser Attack     99
Case Study: Warning the User About Active Web Spoofing     101
References     102
Pharming and Client Side Attacks     105
Malware     105
Viruses and Worms     106
Spyware     115
Adware     115
Browser Hijackers     115
Keyloggers     116
Trojan Horses     116
Rootkits     116
Session Hijackers     118
Malware Defense Strategies     118
Defense Against Worms and Viruses     118
Defense Against Spyware and Keyloggers     121
Defense Against Rootkits     121
Pharming     122
Overview of DNS     123
Role of DNS in Pharming     124
Defense Against Pharming     125
Case Study: Pharming with Appliances     126
A Different Phishing Strategy     127
The Spoof: A Home Pharming Appliance     128
Sustainability of Distribution in the Online Marketplace      131
Countermeasures     132
Case Study: Race-Pharming     133
Technical Description     134
Detection and Countermeasures     135
Contrast with DNS Pharming     136
References     137
Status Quo Security Tools     139
An Overview of Anti-Spam Techniques     139
Public Key Cryptography and its Infrastructure     144
Public Key Encryption     145
Digital Signatures     146
Certificates & Certificate Authorities     147
Certificates     149
SSL Without a PKI     151
Modes of Authentication     152
The Handshaking Protocol     152
SSL in the Browser     155
Honeypots     159
Advantages and Disadvantages     161
Technical Details     162
Honeypots and the Security Process     166
Email Honeypots     168
Phishing Tools and Tactics     170
References     172
Adding Context to Phishing Attacks: Spear Phishing     175
Overview of Context Aware Phishing     175
Modeling Phishing Attacks     177
Stages of Context Aware Attacks      182
Identity Linking     185
Analyzing the General Case     187
Analysis of One Example Attack     190
Defenses Against Our Example Attacks     190
Case Study: Automated Trawling for Public Private Data     191
Mother's Maiden Name: Plan of Attack     193
Availability of Vital Information     193
Heuristics for MMN Discovery     194
Experimental Design     196
Assessing the Damage     196
Time and Space Heuristics     198
MMN Compromise in Suffixed Children     199
Other Ways to Derive Mother's Maiden Names     199
Case Study: Using Your Social Network Against You     202
Motivations of a Social Phishing Attack Experiment     203
Design Considerations     203
Data Mining     204
Performing the Attack     206
Results     207
Reactions Expressed in Experiment Blog     208
Case Study: Browser Recon Attacks     210
Who Cares Where I've Been?     210
Mining Your History     211
CSS to Mine History     216
Bookmarks     218
Various Uses for Browser-Recon     218
Protecting Against Browser Recon Attacks     218
Case Study: Using the Autofill Feature in Phishing     219
Case Study: Acoustic Keyboard Emanations     221
Previous Attacks of Acoustic Emanations     223
Description of Attack     223
Technical Details     226
Experiments     231
References     237
Human-Centered Design Considerations     241
Introduction: The Human Context of Phishing and Online Security     241
Human Behavior     241
Browser and Security Protocol Issues in the Human Context     243
Overview of the HCI and Security Literature     246
Understanding and Designing for Users     247
Understanding Users and Security     248
Designing Usable Secure Systems     255
Mis-Education     260
How Does Learning Occur?     260
The Lessons     261
Learning to Be Phished     269
Solution Framework     271
References     273
Passwords     277
Traditional Passwords     277
Cleartext Passwords     277
Password Recycling     278
Hashed Passwords     278
Brute Force Attacks      280
Dictionary Attacks     281
Time-Memory Tradeoffs     281
Salted Passwords     283
Eavesdropping     284
One-Time Passwords     285
Alternatives to Passwords     285
Case Study: Phishing in Germany     286
Comparison of Procedures     286
Recent Changes and New Challenges     286
Security Questions as Password Reset Mechanisms     290
Knowledge-Based Authentication     291
Security Properties of Life Questions     292
Protocols Using Life Questions     296
Example Systems     298
One-Time Password Tokens     301
OTPs as a Phishing Countermeasure     306
Advanced Concepts     306
References     308
Mutual Authentication and Trusted Pathways     309
The Need for Reliable Mutual Authentication     309
Distinctions Between the Physical and Virtual World     310
The State of Current Mutual Authentication     311
Password Authenticated Key Exchange     312
A Comparison Between PAKE and SSL     312
An Example PAKE Protocol: SPEKE     313
Other PAKE Protocols and Some Augmented Variations     316
Doppelganger Attacks on PAKE     317
Delayed Password Disclosure     318
DPD Security Guarantees     320
A DPD Protocol     323
Trusted Path: How To Find Trust in an Unscrupulous World     327
Trust on the World Wide Web     328
Trust Model: Extended Conventional Model     329
Trust Model: Xenophobia     333
Trust Model: Untrusted Local Computer     333
Trust Model: Untrusted Recipient     335
Usability Considerations     338
Dynamic Security Skins     339
Security Properties     340
Why Phishing Works     340
Dynamic Security Skins     341
User Interaction     349
Security Analysis     350
Browser Enhancements for Preventing Phishing     351
Goals for Anti-Phishing Techniques     353
Google Safe Browsing     354
Phoolproof Phishing Prevention     358
Final Design of the Two-Factor Authentication System     360
References     364
Biometrics and Authentication     369
Biometrics     369
Fundamentals of Biometric Authentication      371
Biometrics and Cryptography     377
Biometrics and Phishing     382
Phishing Biometric Characteristics     384
Hardware Tokens for Authentication and Authorization     385
Trusted Computing Platforms and Secure Operating Systems     387
Protecting Against Information Harvesting     392
Protecting Against Information Snooping     398
Protecting Against Redirection     405
Secure Dongles and PDAs     407
The Promise and Problems of PKI     408
Smart Cards and USB Dongles to Mitigate Risk     409
PorKI Design and Use     413
PorKI Evaluation     416
New Applications and Directions     419
Cookies for Authentication     420
Cache-Cookie Memory Management     423
Cache-Cookie Memory     423
C-Memory     424
TIF-Based Cache Cookies     425
Schemes for User Identification and Authentication     425
Identifier Trees     427
Rolling-Pseudonym Scheme     429
Denial-of-Service Attacks     430
Secret Cache Cookies     431
Audit Mechanisms     432
Proprietary Identifier-Trees      433
Implementation     434
Lightweight Email Signatures     435
Cryptographic and System Preliminaries     438
Lightweight Email Signatures     439
Technology Adoption     444
Vulnerabilities     447
Experimental Results     449
References     453
Making Takedown Difficult     461
Detection and Takedown     461
Avoiding Distributed Phishing Attacks-Overview     464
Collection of Candidate Phishing Emails     465
Classification of Phishing Emails     465
References     467
Protecting Browser State     469
Client-Side Protection of Browser State     469
Same-Origin Principle     470
Protecting Cache     473
Protecting Visited Links     474
Server-Side Protection of Browser State     476
Goals     478
A Server-Side Solution     480
Pseudonyms     481
Translation Policies     485
Special Cases     486
Security Argument     486
Implementation Details     487
Pseudonyms and Translation     487
General Considerations      490
References     491
Browser Toolbars     493
Browser-Based Anti-Phishing Tools     493
Information-Oriented Tools     494
Database-Oriented Tools     501
Domain-Oriented Tools     507
Do Browser Toolbars Actually Prevent Phishing?     514
Study Design     514
Results and Discussion     517
References     521
Social Networks     523
The Role of Trust Online     524
Existing Solutions for Securing Trust Online     527
Reputation Systems and Social Networks     527
Third-Party Certifications     532
First-Party Assertions     534
Existing Solutions for Securing Trust Online     535
Case Study: "Net Trust"     535
Identity     538
The Buddy List     539
The Security Policy     542
The Rating System     542
The Reputation System     543
Privacy Considerations and Anonymity Models     546
Usability Study Results     546
The Risk of Social Networks     548
References     549
Microsoft's Anti-Phishing Technologies and Tactics      551
Cutting the Bait: SmartScreen Detection of Email Spam and Scams     552
Cutting the Hook: Dynamic Protection Within the Web Browser     556
Prescriptive Guidance and Education for Users     560
Ongoing Collaboration, Education, and Innovation     561
References     562
Using S/MIME     563
Secure Electronic Mail: A Brief History     564
The Key Certification Problem     565
Sending Secure Email: Usability Concerns     567
The Need to Redirect Focus     568
…'s Experience with S/MIME     569
Survey Methodology     569
Awareness of Cryptographic Capabilities     570
Segmenting the Respondents     573
Appropriate Uses of Signing and Sealing     574
Signatures Without Sealing     574
Evaluating the Usability Impact of S/MIME-Signed Messages     576
Problems from the Field     582
Conclusions and Recommendations     586
Promote Incremental Deployment     587
Extending Security from the Walled Garden     588
S/MIME for Webmail     589
Improving the S/MIME Client     590
References     590
Experimental evaluation of attacks and countermeasures     595
Behavioral Studies     595
Targets of Behavioral Studies     596
Techniques of Behavioral Studies for Security     597
Strategic and Tactical Studies     599
Case Study: Attacking eBay Users with Queries     600
User-to-User Phishing on eBay     602
eBay Phishing Scenarios     608
Experiment Design     609
Methodology     615
Case Study: Signed Applets     618
Trusting Applets     618
Exploiting Applets' Abilities     619
Understanding the Potential Impact     621
Case Study: Ethically Studying Man in the Middle     622
Man-in-the-Middle and Phishing     623
Experiment: Design Goals and Theme     628
Experiment: Man-in-the-Middle Technique Implementation     629
Experiment: Participant Preparation     632
Experiment: Phishing Delivery Method     634
Experiment: Debriefing     635
Preliminary Findings     635
Legal Considerations in Phishing Research     640
Specific Federal and State Laws     641
Contract Law: Business Terms of Use     651
Potential Tort Liability      652
The Scope of Risk     654
Case Study: Designing and Conducting Phishing Experiments     655
Ethics and Regulation     657
Phishing Experiments - Three Case Studies     661
Making It Look Like Phishing     665
Subject Reactions     666
The Issue of Timeliness     667
References     668
Liability for Phishing     671
Impersonation     671
Anti-SPAM     671
Trademark     674
Copyright     674
Obtaining Personal Information     675
Fraudulent Access     675
Identity Theft     676
Wire Fraud     677
Pretexting     677
Unfair Trade Practice     678
Phishing-Specific Legislation     678
Theft     680
Exploiting Personal Information     680
Fraud     680
Identity Theft     681
Illegal Computer Access     682
Trespass to Chattels     682
References     685
The Future     687
References     694
Index     695
About the Editors     700