A Forensic Framework for Tracing Phishers

  • Sebastian Gajek
  • Ahmad-Reza Sadeghi
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 262)


Identity theft — in particular through phishing — has become a major threat to privacy and a valuable means for (organized) cybercrime. In this paper, we propose a forensic framework that allows for profiling and tracing of the agents involved in phishing networks. The key idea is to apply phishing methods against phishing agents. In order to profile and trace phishers, their databases are filled with fingerprinted credentials (indistinguishable from real ones) whose deployment lures phishers to a fake system that simulates the original service.
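To make the mechanism in the abstract concrete, here is an added example (not code from the paper or its authors) of the two pieces a defender would need: a registry that issues fingerprinted credentials and a decoy login that recognises them. The key, campaign labels, usernames, addresses and user-agent strings are all constructed for the demo; the keyed-MAC derivation is one assumed design, chosen so that each credential looks like an ordinary password while still being reproducible from the key.

```python
import hmac
import hashlib
import string
from dataclasses import dataclass, field

# Hypothetical scheme: credentials are derived with a keyed MAC so that each
# value is pseudorandom (it looks like an ordinary password), yet the defender
# can recreate any batch from the key and a campaign label instead of keeping
# raw password lists around.
ALPHABET = string.ascii_letters + string.digits


def derive_password(key: bytes, campaign_id: str, seq: int, length: int = 12) -> str:
    """Deterministically derive one fingerprinted password (hypothetical design)."""
    mac = hmac.new(key, f"{campaign_id}:{seq}".encode(), hashlib.sha256).digest()
    # Map MAC bytes onto a password-looking alphabet. The small modulo bias is
    # irrelevant here: the value only has to look plausible, it is not a
    # user-chosen secret protecting anything.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:length])


@dataclass
class HoneytokenRegistry:
    """Issues fingerprinted credentials and maps them back to the campaign they were seeded into."""
    key: bytes
    _index: dict = field(default_factory=dict)

    def issue(self, campaign_id: str, seq: int, username: str) -> tuple[str, str]:
        password = derive_password(self.key, campaign_id, seq)
        self._index[(username, password)] = campaign_id
        return username, password

    def identify(self, username: str, password: str):
        """Return the campaign label for a seeded credential, or None if unknown."""
        return self._index.get((username, password))


@dataclass
class DecoyService:
    """Stand-in for the fake system that imitates the real service's login."""
    registry: HoneytokenRegistry
    sightings: list = field(default_factory=list)

    def login(self, username: str, password: str, src_ip: str, user_agent: str) -> dict:
        campaign = self.registry.identify(username, password)
        record = {
            "username": username,
            "campaign": campaign,      # None: not one of our seeded credentials
            "src_ip": src_ip,
            "user_agent": user_agent,
        }
        self.sightings.append(record)
        # The decoy "accepts" seeded credentials so the session continues on
        # the simulated service and more profiling data can be collected.
        return {"accepted": campaign is not None, "campaign": campaign}

    def report(self) -> dict:
        """Group the source addresses seen per campaign (unmatched attempts excluded)."""
        out: dict = {}
        for rec in self.sightings:
            if rec["campaign"] is not None:
                out.setdefault(rec["campaign"], []).append(rec["src_ip"])
        return out


if __name__ == "__main__":
    # Constructed sample run: one credential batch per observed phishing site.
    registry = HoneytokenRegistry(key=b"constructed-demo-key")
    decoy = DecoyService(registry)
    seeded = {}
    for campaign, user in [("site-A", "alice.m"), ("site-B", "bob.k")]:
        seeded[campaign] = registry.issue(campaign, 1, user)
    u, p = seeded["site-A"]
    print(decoy.login(u, p, "198.51.100.7", "Mozilla/5.0 (constructed)"))
    print(decoy.login("mallory", "guess123", "203.0.113.9", "curl/7.0 (constructed)"))
    print(decoy.report())
```

Every login attempt is recorded, including ones that match no seeded credential, because unmatched probing against the decoy is itself useful profiling data; only matched attempts are attributed to a campaign in the report. In a real deployment the registry index would live in a database and the decoy would capture the full request (headers, timing, TLS fingerprint), which this demo reduces to two fields.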


Keywords (machine-generated, not supplied by the authors): Money Laundering, Financial Agent, Identity Theft, Criminal Network, Original Service



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Sebastian Gajek, Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany
  • Ahmad-Reza Sadeghi, Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany
