E-business refers to business conducted electronically, usually over the internet. Since the development of the World Wide Web, commercial use of the internet has grown steadily, and business can now be transacted conveniently online. However, E-commerce carries many security risks, some of which pose serious threats to businesses. With the rapid pace of technological change, there is concern that users and business people do not understand the system architectures and software they rely on. This lack of understanding widens the opening for security breaches, which can cause a business immense losses through identity theft.
This paper is based on research into a recent threat to the security of an E-commerce operation. The paper defines and describes the threat, including its discovery, history, impact on E-business operations, technical features and the risk involved. It also explains a solution to address the threat.
Discovery
An example of a recent threat is the phishing E-mail campaign sent to various stakeholders of the Better Business Bureau (BBB), disguised as a genuine E-mail from that organization. The scam ran from November 2011, and the BBB issued an urgent alert about it on 29th March 2012 (Gillentine, 2012). The E-mails used the BBB's name, and in them the phishers warned business stakeholders that the BBB had received a number of complaints about unauthorized transactions from private banks concerning the recipient's business. The phishers included a link that was said to connect the business owner to an online center listing all of the complaints. People received these E-mails at different times and began raising their concerns with the BBB. To make matters worse, the E-mails looked quite genuine, and most recipients therefore followed the link, which led to pages and malware that extracted financial data and stole sensitive information from their computers and networks.
Technical features
The link's URL was constructed with several obfuscation techniques (Wright et al., 2010). For example, the phishers re-created the target URL using internationalized domain name registration, substituting look-alike characters from other alphabets for Latin letters. The BBB's URL was also imitated with misspelled versions of the correct domain. In other cases, the link was written in hexadecimal or other encoded form so that readers could not recognise the real host. In still other cases, HTML was used so that the visible link text showed one address while the underlying target pointed to the phisher's website.
The phishers use malicious software to carry out their scams, such as keyloggers and screen-capture Trojans set up to collect information and report every detail back to the phisher (Wright et al., 2010). Remote-access Trojans can also be used, in which case the compromised machines are used to distribute further malicious E-mails to other people.
How it works
The phishing attacks described above proceed in three cardinal phases (Thiyagarajan et al., 2012). In the first phase the phisher sends the phish to the victim over the internet. The technique is usually ordinary E-mail; what differs is that the URL in the message has in most cases been altered. The second phase is the victim carrying out the action the E-mail requests, usually clicking a deceptive link that the victim can hardly recognise as such; once the link is clicked, the user becomes a victim of the threat. The phisher makes the phish convincing by conveying urgency in the E-mail. In the BBB case, for example, recipients felt that the BBB was genuinely warning them about complaints concerning their businesses, which made them curious to know more and thus click the link. The third phase is the phisher monetizing the phished information without the victim's knowledge: once the link is clicked, the phisher can collect all the information he needs and use it to make money.
Vulnerability it exploits
People fall for such phishing attacks because of the vulnerability the phisher exploits: the poor usability of many network and computer interfaces, which gives users no effective way to assess the legitimacy of the E-mails that arrive in their inbox or junk folders (Dong et al., 2010). According to Dong et al. (2010), a survey of why so many people fall victim found that phishers were able to fool approximately 90% of their target victims. Many people judge only the professional appearance of a website or E-mail and take it to be genuine, which is why phishers will continue to take advantage of users.
Diagram: Mechanism (Source: Dong et al., 2010). The figure is reproduced here as text; each line is one path through it.
User opens executable link, with anti-virus software -> Trojan detected and deleted
User opens executable link, with anti-virus software -> Trojan detected, user ignores warning -> Trojan captures vital information
User opens executable link, without anti-virus software -> Trojan not detected -> Trojan captures vital information
Exploit causes link to execute without user action -> Trojan captures vital information
The diagram above shows that the threat is executed when the victim follows the link sent by E-mail. In some cases an exploit runs the malware without any action by the user, that is, without the user opening the attachment or link. However, the diagram also shows that execution can be controlled with anti-virus software, provided the Trojan is detected and the user does not ignore the warning. Once the link executes, the attacker takes control of the machine.
Consequences
The consequences of this phishing can be personal, institutional or both (Hazel, 2011). The first personal risk is that attackers can use the stolen confidential information to access private accounts associated with the victim and withdraw money or carry out transactions such as purchasing merchandise. Attackers can also open bank accounts in the victim's name using the phished information and carry out illegitimate transactions through them. The final personal risk is that the attacker can use the victim's computer to send further phishing E-mails to other people.
There is also an institutional risk. Apart from personal details, attackers can obtain institutional information such as banking details, health data or social security numbers, which can then be used to disrupt an institution's processes. In the process, internet providers may blacklist institutions suspected of having suffered a security breach (Hazel, 2011), which easily causes reputational damage. Once blacklisted, an institution or business may not carry out their regular.
Security compromise
The security property compromised is the confidentiality of information, that is, the protection of systems and data from unauthorized access or use. When attackers use phishing, private and confidential data is compromised because it is accessed by an unauthorized party (Swann, 2005). Confidentiality is further undermined by the identity theft that follows: the attacker uses the confidential information to assume another person's identity and then carries out malicious acts under that identity to make money. Confidentiality is an extremely vital aspect of internet security, and phishing is a direct threat to it, so E-businesses must employ measures to reduce the occurrence of such compromises.
Risk assessment
Risk assessment in the case of phishing involves a fairly complex examination of an organization's information systems. The first step is to map the network systems into abstract levels so that the components that make up the entire system can be examined more conveniently (Moore, 2010). The most fundamental aspects to consider are information leakages, flawed password systems and insufficient or erroneous firewall rules. The risk of each system should be rated according to that system's importance, and the assessment must be budgeted for so that it yields a return on investment.
Solution
Phishing can be prevented or reduced with anti-phishing software (Business Wire, 2004). Anti-phishing software is a set of programs that try to identify phishing content delivered through E-mail, attachments or websites. It is usually installed on the user's computer and integrated with the browser, for example as a toolbar, so that the user is shown the real domain name of each website visited regardless of how the attacker disguised the link. In other cases, anti-phishing protection is built into the browser itself.
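The following added example (not code from the paper, the BBB, or any anti-phishing product) shows in working form what the obfuscation techniques listed under Technical features look like and what a toolbar-style check as described above must do to defeat them: it recovers the host a browser would actually connect to behind userinfo tricks, percent-encoding, integer-form IP addresses and internationalized look-alike labels, and it flags anchors whose visible text names a different site than their target. It uses only the Python standard library (urllib.parse, the idna codec, html.parser). The sample mail body, the genuine domain bbb.org and every other host name in it are constructed for the example; the two-label registered-domain rule and the numeric-host handling are deliberate simplifications noted in the comments.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Registered domain the mail claims to come from (assumption for this example).
GENUINE_DOMAIN = "bbb.org"


def _numeric_host(host):
    """Map integer-form hosts (0xC0A80001, 3232235521, 0xC0.0xA8.0x0.0x1) to
    dotted IPv4. Simplification: leading-zero octal and 2/3-part forms are ignored."""
    try:
        nums = [int(part, 0) for part in host.split(".")]
    except ValueError:
        return None
    if len(nums) == 1 and 0 <= nums[0] <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(nums[0]))
    if len(nums) == 4 and all(0 <= n <= 255 for n in nums):
        return ".".join(str(n) for n in nums)
    return None


def real_host(url):
    """Return the host a browser would actually connect to, in readable form:
    'user@' prefix and port dropped, percent-encoding decoded, non-ASCII labels
    shown as punycode (xn--), integer hosts shown as dotted IPv4."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""      # drops 'bbb.org@' and ':80', lowercases
    host = unquote(host)                     # %62%62%62.org -> bbb.org
    try:
        host = host.encode("idna").decode("ascii")   # Cyrillic 'о' in 'bbb.оrg' -> xn-- label
    except UnicodeError:
        pass                                 # malformed label: leave it as is
    return _numeric_host(host) or host


def registered_domain(host):
    """Last two labels (www.bbb.org -> bbb.org). Simplification: no public-suffix list."""
    return ".".join(host.split(".")[-2:])


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body, genuine=GENUINE_DOMAIN):
    """Return [(href, real host, [reasons])]; an empty reason list means the link looks clean."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = real_host(href)
        reasons = []
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            reasons.append("host is a bare IP address, not a domain")
        elif registered_domain(host) != genuine:
            reasons.append(f"target domain is {registered_domain(host)!r}, not {genuine!r}")
        if "xn--" in host:
            reasons.append("internationalized label (punycode): possible look-alike characters")
        # Visible text that itself looks like an address but disagrees with the real target.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and registered_domain(real_host(shown.group(0))) != registered_domain(host):
            reasons.append(f"link text shows {shown.group(0)!r} but target is {host!r}")
        findings.append((href, host, reasons))
    return findings


# Constructed sample mail body; every host other than bbb.org is a placeholder.
SAMPLE_EMAIL_HTML = """
<p>A complaint has been filed against your business. Review it here:</p>
<a href="http://www.bbb.org/">www.bbb.org</a>
<a href="http://www.bbb.org@complaints-center.example/case">www.bbb.org</a>
<a href="http://%62%62%62.org.complaint-review.example/">View complaints</a>
<a href="http://0xC0A80001/bbb/">www.bbb.org</a>
<a href="http://bbb.\u043erg/complaints">www.bbb.org</a>
"""

if __name__ == "__main__":
    for href, host, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(("SUSPECT " if reasons else "OK      ") + host + "  <- " + href)
        for reason in reasons:
            print("          - " + reason)
```

Running the script prints one line per link: only the first, genuine link comes out clean; the others are flagged for a foreign target domain, a bare IP host, a punycode label, or link text that names www.bbb.org while the target is elsewhere. The design point is that every check runs on the normalized host, never on the raw href or the anchor text, because that is exactly where the obfuscation lives.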
Conclusion
Malicious phishing continues to cause financial losses to organizations across the world. It also continues to cause identity theft and makes it hard for E-business owners to retain trust in E-commerce. This paper has examined a recent threat to the security of an E-commerce operation: the phishing attack used to maliciously harm the BBB and its stakeholders. It has defined and described the threat, including its discovery, history, impact on E-business operations, technical features and the risk involved, and it has explained a solution to address the threat.
Dong, X., Clark, J. A., & Jacob, J. L. (2010). Defending the weakest link: Phishing websites detection by analysing user behaviours. Telecommunication Systems, 45(2-3), 215-226.
Gillentine, A. (2012). Better Business Bureau target of phishing scam. The Colorado Springs Business Journal. Retrieved from http://search.proquest.com/docview/917817661?accountid=45049
Hazel, H. H. (2011). The rise of phishing scams. Malaysian Business. Retrieved from http://search.proquest.com/docview/876197091?accountid=45049
Moore, J. W. (2010). From phishing to advanced persistent threats: The application of cybercrime risk to the enterprise risk management model. The Review of Business Information Systems, 14(4), 27-36.
Swann, J. (2005). Fighting the growing scourge of identity theft and phishing. Community Banker, 14(4), 52.
Symantec joins the Anti-Phishing Working Group. (2004, September 1). Business Wire, p. 1. Retrieved from http://search.proquest.com/docview/445585713?accountid=45049
Thiyagarajan, P., Aghila, G., & Venkatesan, V. P. (2012). Pixastic: Steganography based anti-phishing browser plug-in. Journal of Internet Banking and Commerce, 17(1), 1-19.
Wright, R., Chakraborty, S., Basoglu, A., & Marett, K. (2010). Where did they go right? Understanding the deception in phishing communications. Group Decision and Negotiation, 19(4), 391-416.