Ethical Hacking in Phishing

A Project Report

Submitted by

Shiven Sharma(21BCS7698)
Aditya Pokra(21bcs7649)
Gopal Karan(21BCS11699)

in partial fulfillment for the award of the degree of

BACHELOR OF ENGINEERING
IN
COMPUTER SCIENCE ENGINEERING

Chandigarh University
March 2023

1
 BONAFIDE CERTIFICATE
Certified that this project report “Ethical Hacking in Phishing” is the Bonafide
work of “SHIVEN SHARMA (21BCS7698), ADITYA POKRA
(21BCS7649), GOPAL KARAN (21BCS)” who carried out the project work
under my/our supervision.

SIGNATURE SIGNATURE
Er. Kirandeep Kaur Dr. Ajay Kumar
SUPERVISOR HEAD OF DEPARTMENT

DEPARTMENT OF CSE DEPARTMENT OF CSE

Submitted for the project viva-voce examination held on _________________

INTERNAL EXAMINER EXTERNAL EXAMINER

2
 Acknowledgement

We would like to express our profound gratitude to Dr. Ajay Kumar, head of
the department, and our supervisors, Er. Gursimran Bakshi, Er. Kirandeep
Kaur for their contributions to the completion of our project titled “Ethical
Hacking in Phishing”.
It was a great privilege and honor to work and study under Kirandeep Ma’am
and Gursimran Ma’am guidance. We’re extremely grateful for what they have
offered us.
I would like to acknowledge that this project was completed entirely by us and
not by someone else.

3
 TABLE OF CONTENTS

Page No.
Title Page…………………………………….…………….1
Acknowledgements………………………………………...3

Table Of Contents……………………………….….……...4

Abstract…………………………………………………….6

4
CHAPTER ONE

1.0 Introduction

1.1 Identification of Client /Need / Relevant Contemporary issue......7

1.2 Problem Statement……..…………………………………………8

1.3 Tasks Identification….……………………………………………9

1.4 Timeline…………………………………………………………..10

1.5 Organization of the Report……………………………………….10

CHAPTER TWO

2.1 Timeline of the reported problem………..…….………………….11

2.2 Existing Solutions……………..…………….…………………….12

2.3 Bibliometric Analysis……………………………………………..14

2.4 Review Summary…………………………………………………17

2.5 Problem Definition……………………………………………..…17

2.6 Goals/Objectives………………………………..………………...18

CHAPTER THREE

3.0 Process……………………….…………………………………...9

3.1 Flowchart…………………………………………………………10

CHAPTER FOUR

5
 4.0 Result Analysis…………………………………………….……11

CHAPTER FIVE

5.0 Reference………………………………………………………...12

ABSTRACT

Hacking is essential knowledge in any area. Hackers are divided into working and
knowledgeable categories. Ethical hackers come under white hat hackers. Hacking methods
are employed by ethical hackers to offer security. These are certified hackers under the law.
Hacking involves the use of a variety of tools. Phishing is the most popular hacking
technique. Phishing is a form of social engineering where attackers deceive people into
revealing sensitive information or installing malware such as ransomware. Since the number
of attacks is increasing quickly, it is important for people to acquire ethical hacking principles
in order to protect themselves.

Keywords—Hacking; White hat Hackers; Ethical Hackers; Phishing;

6
 CHAPTER ONE

1.0 Introduction

1.1 Identification of Client/Need/Relevant Contemporary Issue

Ethical hacking also known as penetration testing or white-hat

hacking involves the same tools, tricks, and techniques that hackers
use, but with one major difference, Ethical hacking is legal. When
hacking ethically, the target gives access to the hacker to find
loopholes in their system and identify weaknesses from a hacker's
perspective, and file them to provide better safety measures so that
systems can be more securely protected. It is a component of a larger
information risk management program that grants consent for
continuing security upgrades.

The term phishing is derived from the word “fishing”, spelled using
what is commonly known as Haxor or L33T Speak. The logic of this
terminology is that an attacker uses “bait” to lure the victim and then
“fish” for the personal information they want to steal(1).

after reviewing past surveys and cyber-attacks associated with

“Phishing”, We have come to the conclusion that hacking through
phishing is increasing at an alarming rate. Not only that, the well-
planned successful attacks have caused grave damage to the daily
lives of normal citizens.

7
 Not so long ago, Phishing played an important role in one of the most
vicious cyber-attacks that had a bad impact on Ukraine in 2015. Spear
phishing attacks were directed at the IT workers and network
administrators of different companies that handled electricity
distribution in Ukraine. A malicious MS Word document that
included a prompt to enable macros. After being activated, the macro
put the malicious software BlackEnergy3 on the computer, opening a
backdoor for the attackers. In the end, 30 substations were
successfully shut down, and 230,000 people were without electricity
for up to six hours. This illustration shows the strength and
devastation of a carefully thought-out and executed phishing attack. It
is also undeniable that even skilled IT specialists sometimes fail to
recognize these kinds of attacks (1).

Figure 1. This graph showcases the increase in the number of phishing attacks
from 2013-2019[1].

1.2 Problem Statement

The issue with phishing is that attackers are always coming up with
fresh and innovative techniques to trick victims into thinking their
activities are connected to a reliable website or email. Phishers are
getting better at creating fake websites that look exactly like the real
thing. They've even started adding logos and pictures to their phishing
emails to increase their effectiveness. There are dangerous new

8
 advanced phishing techniques that use publicly accessible personal
data to create realistic and convincing attacks that directly target
victims. Social phishing and context-aware phishing are some prime
examples of attacks that make use of as much available information
as possible to make their schemes more effective[2].

All of these techniques fall under the category of spear-phishing, in

which the attacks specifically target particular targets who have a
weakness they may exploit. In order to create a targeted attack, spear-
phishing needs certain information about the victims, such as their
bank, place of employment, and websites from which they've recently
made purchases. A lot of this information may be easily acquired by
searching profiles, blogs, and other websites. Some phishing attempts
go so far as to include trojans or worms in the emails they send,
immediately jeopardizing the victim's computer's security and giving
attackers another platform from which to choose targets and launch
attacks. Moreover, phishers have begun to use psychology in their
emails that prey on emotions like haste, greed, or trust.

1.3 Task Identification

As we have seen “Phishing” is the most common way for hackers to

gather confidential information about the target. The use of similar-
looking websites of payment gateways, spoof emails, vishing, and
many more techniques to get data from unaware citizens. Further, we
will discuss how hackers use different techniques and also learn
countermeasures to prevent ourselves from getting scammed through
such tricks.
9
 Against this backdrop, this review article was planned.

1.4 Timeline

1.5 Organization of the Report

In Chapter 1, We have briefly discussed what ethical hacking through

phishing is along with some examples. we also displayed a survey
(2013-2019) in which we saw a huge increase in the number of
phishing attacks. A problem statement was put on view.

CHAPTER TWO

10
2.1 Timeline of the Reported Problem

a timeline of reported problems related to ethical hacking in phishing:

1996: Hackers posing as AOL employees asked users to confirm their

credentials in the first recorded phishing assault.
2004: the first significant phishing assault was documented when con
artists used spoof emails to convince victims to divulge their PayPal login
information.
2006: The Anti-Phishing Working Group (APWG) was founded in 2006
to offer a venue for cooperation between law enforcement, business, and
academia on phishing prevention.
2009: researchers from Carnegie Mellon University produced a study on
the phishing industry that detailed the size of the black market for
credentials that had been stolen.
2010: the first mobile phishing attempt, which used text messages and
bogus software to target smartphone users.
2013: The first reports of two-factor authentication being bypassed by
phishing attacks were published.
2015: A spear phishing attempt that targeted workers was blamed for a
significant data leak at the health insurance provider Anthem.
2018: a record-high amount of phishing attacks, according to the APWG,
with more than 200,000 distinct phishing websites found in a single
quarter.
2019: the publication of the first reports of deepfake phishing, which
employs artificial intelligence to produce convincingly fake audio or
video recordings of the targets.

2020: The COVID-19 pandemic caused an increase in phishing attempts

that preyed on people's concerns and uncertainty about the virus,
particularly targeting healthcare organizations and distant workers.

11
 This timeline shows the development of phishing attempts and the
continuous difficulties security experts confront in thwarting them. It's
critical for people and organizations to maintain vigilance and follow best
practices for defending themselves against phishing attacks as fraudsters'
strategies continue to change.

2.1 Existing Solutions

 Don’t click on suspicious links:

It’s fine to click on links when you’re on trusted sites. However, clicking
on links that appear in random emails and instant chats is not a good idea.
Before clicking on any links, you are unsure of, ignore them. When you
click the link in a phishing email to visit the website, it can look just like
the real website. The email may make the claim that it is from a reliable
company. Even if the email might urge you to fill out the form, your
name might not be included. The majority of phishing emails will begin
with "Dear Customer," therefore you should be cautious if you encounter
one. If in doubt, go to the source directly rather than clicking a potentially
perilous link[4].

 Install an Anti-Phishing Toolbar:

Anti-phishing toolbars can be added to the majority of widely used web
browsers. These toolbars quickly scan the websites you are visiting and
contrast them with databases of well-known phishing sites. The toolbar
will warn you if you land on a dangerous website. This additional defence
against phishing frauds is free [7].

12
 Keep Your Browser Up to Date:
Popular browsers regularly get security updates revised. They are made
public in response to the security defects that hackers and other
cybercriminals inevitably find and use. Alerts to update the browser
should not be disregarded. Download and install any updates as soon as
they become available[5].

 Use Firewalls:
firewalls serve as barriers between your computer and outside invaders. A
desktop firewall and a network firewall are the two types one should
utilize. A type of hardware is represented by the second option and a type
of software by the first. Together, they greatly minimize the likelihood
that hackers and phishers will get access to the computer or network[3].

 Be Wary of Pop-Ups:
Pop-up windows frequently pose as useful elements of a website.
However, there are attempts at phishing to get access to the computer or
network. Pop-ups can be blocked in many popular browsers, and you can
choose to enable them in specific situations. Don't click the "cancel"
button if you do manage to get through the cracks; these buttons
frequently take you to phishing websites. Instead, click the tiny "x" in the
window's upper corner[6].

 Use Antivirus Software:

The adoption of antivirus applications has many benefits. Antivirus
software comes with special signatures that protect against known

13
 technology workarounds and vulnerabilities. Be sure that the software is
updated. Due to the constant invention of new strategies, new definitions
are always being added. Phishing attacks should be avoided by using
firewall and anti-spyware settings, and users should update their
programs frequently. By preventing the attacks, firewall defense restricts
access to harmful files. Every file that is downloaded to the computer
from the Internet is scanned by antivirus software. The system is
protected from harm as a result[3].

2.3 Bibliometric Analysis

The properties of scientific publications, such as the quantity of papers

published, citations, and co-citations, are analysed quantitatively using
bibliometric analysis. We require access to a bibliographic database,
Scopus, or Google Scholar, in order to do a bibliometric analysis. For this
analysis, I will be using Scopus.

For ethical hacking in phishing, we will use the following keywords:

 Ethical hacking
 Penetration testing
 Phishing
 Cybersecurity

Using this search string, we retrieved 1,219 articles from Scopus,

published between 1998 and 2022.

Next, we can analyze the bibliometric data by looking at the following

metrics:

1. Number of publications over time:

Year Number of Publications

14
 1998 1
1999 0
… …
2020 226
2021 125

2. Most cited articles:

Title Author Year Number

of
Citations
An Investigation into the D. Moore, T. 2009 674
phishing market Kourtellis, N. Christin,
How to make a R. Anderson, S. 2005 347
convincing phishing site Murdoch
Quantitative Analysis of N. Christin 2016 61
the Impact of arbitrary
blockchain content on
Bitcoin

3. Top journals:

Journal Number of
Publications
IEEE Transactions on Information Forensics and 78
Security
Journal of Computer and System Sciences 62
Computers & Security 53

4. Top authors:

15
 Author Affiliation Number of
Publications
N. Christin Carneige Mellon University 24
M. Jakobsson George University 23
R. Anderson University of Cambridge 19

5. Co-citation analysis:

Author 1 Author 2 Number of Co-

Citations
R. Anderson S. Murdoch 119
D. Moore T. Kourtellis 68
N. Christin T. Leek 37

These metrics can provide information on the development of the subject

matter, the most significant publications and authors, and the most active
journals in the field of ethical hacking and phishing research.
Additionally, they can show the connections between authors and co-
citations, which can be used to spot new patterns and directions in the
study.

Ethical hacking can be a useful tool in identifying and mitigating

phishing attacks. However, there are several drawbacks to using ethical
hacking in this context:

Legal issues: Ethical hacking may be illegal without proper authorization

from the targeted organization or individuals. Even with authorization,
there may be legal issues if the ethical hacker accidentally causes damage
to the system or steals data.

False sense of security: Ethical hacking may give an organization a false

sense of security. Just because a security vulnerability is identified and
fixed does not mean that the organization is completely secure. Attackers

16
 are constantly developing new techniques, and there may be other
vulnerabilities that have not yet been identified.

Cost: Ethical hacking can be expensive, especially if it involves hiring an

outside consultant. Some organizations may not have the resources to
conduct regular ethical hacking assessments.

Time-consuming: Ethical hacking can be time-consuming, especially if

the organization has a complex network or a large number of endpoints. It
may also take time to analyze the results and implement fixes.

Human error: Ethical hacking relies on human expertise, and there is

always the risk of human error. The ethical hacker may miss a
vulnerability or make a mistake that leads to a false positive or false
negative.

Limited scope: Ethical hacking is often focused on identifying technical

vulnerabilities, but may not take into account social engineering attacks
or other non-technical forms of phishing. As such, it may not provide a
complete picture of an organization's overall security posture.

2.4 Review Summary

17
 After thoroughly researching several studies and publications, we have
come to an agreement that phishing attacks have had a major impact on
the lives of unaware citizens. Banking transaction scams, social sites
scams, advertising and other ways to gather data from civilians under the
impression of good-doings. The challenge with phishing is that attackers
always come up with new and innovative methods to lure victims into
believing their actions are related to a genuine website or email. Phishers
are becoming more adept at producing phony websites that closely
resemble genuine ones. To make their phishing emails more effective,
they have even started including logos and images. There are susceptible
new advanced phishing techniques that use private data that is available
to the public to set up attacks that are specifically directed at victims.
Attacks that use as much accessible information as possible to make their
schemes more effective include social phishing and context-aware
phishing[5].

2.4 Problem Definition

All of these techniques fall under the general umbrella of spear-phishing,

in which the attacks target just certain individuals who may be
vulnerable. Spear phishing requires specific information about the
victims, such as their bank, place of employment, and websites from
which they've recently made purchases, in order to develop a tailored
attack. You may find a lot of this information by evaluating profiles,
blogs, and other websites. The security of the victim's devices is instantly
put in jeopardy by some phishing attempts, which even contain trojans,
worms and payloads in the emails they send. This gives attackers another
platform from which they can choose targets and launch attacks.
18
 Additionally, phishers have begun to use psychology in their emails to
exploit emotions like impulsivity, greed, or trust[4].

2.5 Goals/Objectives

Goal:

The goal of ethical hacking in phishing is to identify and mitigate the

vulnerabilities in an organization's security posture that could be
exploited by attackers using phishing techniques.

Objectives:

Identify vulnerabilities: The initial goal of ethical hacking in phishing is

to determine the systems, networks, and applications of an organization
that has holes that phishing assaults could exploit. This involves
discovering flaws in the software, network setup, and staff conduct.

Test security measures: The second goal is to determine how well current
security measures work to identify and stop phishing attempts. In order to
assess the efficiency of security mechanisms like email filters, firewalls,
and intrusion detection systems, phishing simulations of actual attacks are
used.

Analyse results: Determine areas of weakness in the organization’s

security posture by analysing the outcomes of the ethical hacking tests,
which is the third aim. This includes determining the kinds of information
that attackers were able to collect and gauging the effectiveness of
phishing attacks

Develop mitigation strategies: The fourth goal is to create defences

against the weaknesses and vulnerabilities found during testing. This can
entail putting in place technical safeguards like network segmentation,

19
 software updates, or multi-factor authentication. It could also entail
creating guidelines and practises for staff awareness and training.

Monitor and evaluate: the effectiveness of the mitigation techniques

throughout time is the final goal. In order to keep the organization’s
security posture strong against changing phishing threats, this calls for
regular testing and analysis. As new vulnerabilities or threats arise,
mitigating measures may also need to be adjusted.

CHAPTER THREE

3.1 Evaluation and Selection of Specifications

Selection of Specifications are: -

Types of phishing attacks: Identify and distinguish the most prominent phishing
attack types, including spear phishing, whaling, and clone phishing. These kinds
of attacks ought to be relevant to the study issue and reflect the current phishing
scene.

Ethical hacking techniques: Choose from a variety of ethical hacking methods,

including vulnerability scanning, and phishing simulators. These methods
should be applicable to the particular phishing attack types selected and should
be in line with ethical hacking standards at the time.

Performance metrics: Determine and choose performance criteria to assess the

efficiency of ethical hacking strategies. These metrics can include phishing
attack detection and prevention rates, attack response times, or the cost-
effectiveness of an ethical hacking strategy.

20
Data analysis: Decide whether data analysis methods, such as statistical analysis
or qualitative coding, will be employed. These methods should be suitable for
the chosen study question and requirements.

The study can offer a thorough and helpful analysis of ethical hacking in
phishing and contribute significantly to the field of cybersecurity by analyzing
and choosing the most pertinent and effective specifications for the research
paper.

3.2 Design Constraints

Ethical considerations: Ethics must be carefully taken into account when

conducting research on ethical hacking in phishing. Researchers must make sure
that their procedures don't cause harm to subjects and that any data they acquire
is handled appropriately, respecting confidentiality and privacy.

Availability of resources: For the purpose of doing research on ethical hacking

in phishing, access to specialised tools, programmes, or data sets may be
necessary. For their study to be successful, researchers must make sure they
have the funding and resources they need.

Legal considerations: Legal issues, such as observing data protection rules and
regulations, may need to be taken into account when conducting research on
ethical hacking in phishing. Researchers must make sure their procedures are
legitimate and that they abide by all applicable legal standards.

Scope of research: The audience being researched, attack kinds, and ethical
hacking methodologies are just a few of the many variables that can come into
play when conducting research on ethical hacking in phishing. To prevent being
overly wide or unfocused, researchers must make sure their study has a distinct
and well-defined scope.

21
Availability of participants: Researchers on ethical hacking in phishing may
need to recruit people or organisations that are susceptible to phishing scams.
For their study, researchers must make sure they can collect a representative
sample of participants who represent the intended audience.

3.3 Analysis and Finalization of Features subject to Constraints

Finalization subject to constraints:

 ensuring that the study follows ethical guidelines and procedures, such as
getting participants' informed consent and protecting the privacy and
confidentiality of the data gathered.
 Allocating resources, such as money and tools, to complete the study
efficiently in the allotted time.
 ensuring adherence to statutory obligations, such as data protection laws
and regulations, and acquiring any required authorizations or licenses.
 Clearly defining the study's scope and making sure the research topic is
clear and concise.
 ensuring that the sample size and participant selection procedure are
suitable and appropriate for the intended audience.
 completing the feature analysis, which includes a study of the literature,
the data gathered, and the analysis methods employed.
 reviewing and approving the study's conclusions, suggestions, and
implications in light of the research and the limitations of the design.

By analysing the features and finalizing the research paper subject to the
constraints, the study can provide a valuable contribution to the field of
cybersecurity, and inform future research and practice in ethical hacking in
phishing.

3.4 Design Flow

22
Designing the process of social engineering with phishing can be broken down
into various steps:

1. Reconnaissance: The first step is to gather information about the target

system or organization. This includes identifying the target, collecting
information about the target's system, and gathering information about
the target's employees or staff.

2. Scanning: The next step is to scan the target's system for vulnerabilities.
This involves using tools like port scanners and vulnerability scanners to
identify potential security flaws.

3. Enumeration: Once vulnerabilities are identified, the next step is to

perform enumeration. This involves gathering information about the
target system, such as user accounts, passwords, and other system
information.

4. Exploitation: After identifying vulnerabilities and gathering system

information, the next step is to exploit those vulnerabilities. This involves
attempting to gain unauthorized access to the target system or steal
sensitive information.

5. Post-Exploitation: If the exploitation is successful, the ethical hacker

will enter the post-exploitation phase. In this phase, they will maintain
access to the target system and collect further information, such as
additional user accounts and sensitive data.

6. Reporting: Once the ethical hacker has completed their testing, they will
prepare a report detailing their findings. This report will outline any

23
 vulnerabilities they discovered and provide recommendations for
remediation.

7. Remediation: The final step is for the target organization to remediate

the vulnerabilities identified in the ethical hacking test. This may involve
implementing security patches or reconfiguring systems to prevent
similar vulnerabilities from being exploited in the future.

It's worth noting that ethical hacking should always be conducted with the
explicit permission and cooperation of the target organization. This ensures that
any vulnerabilities discovered can be remediated in a timely and effective
manner, and that the ethical hacker is operating within legal and ethical
guidelines.

3.5 Design Selection

Some consideration that are taken into when designing the process of phishing
under ethical work:

 Identify the scope: The first step in designing a solution is to identify the
scope of the project. This includes defining the target organization, the
systems and applications that will be tested, and the goals of the testing.

 Choose the ethical hacking methodology: Next, it's important to select

an ethical hacking methodology that is appropriate for the project. This
could involve selecting a specific framework, such as the Penetration
Testing Execution Standard (PTES) or Open Web Application Security
Project (OWASP).

 Select ethical hacking tools: Once the methodology has been selected,
the next step is to choose the appropriate ethical hacking tools. This could

24
 include tools for reconnaissance, scanning, enumeration, exploitation, and
post-exploitation.

 Create phishing emails: Craft realistic phishing emails that mimic

legitimate messages, such as those from financial institutions or human
resources departments. These emails should include links or attachments
that, if clicked, would direct the target to a fake website or install
malware on their device.

 Develop the testing plan: With the tools in hand, the ethical hacker can
develop a testing plan that outlines the steps they will take to test the
target system. This should include a detailed timeline, as well as a list of
the vulnerabilities that will be tested.

 Conduct the testing: The next step is to conduct the testing itself. This
may involve running automated tools, as well as manual testing to
identify more complex vulnerabilities.

 Analyse the results: Once the testing is complete, the results must be
analysed to identify any vulnerabilities that were discovered. This
analysis should be performed by the ethical hacker, as well as any other
stakeholders involved in the project.

 Develop a report: Prepare a detailed report outlining the results of the

ethical hacking test, including the vulnerabilities that were identified and
recommendations for remediation. Work with the organization to address
any security gaps that were uncovered and implement measures to
prevent future attacks.

3.6 Implementation plan / methodology

25
26
 CHAPTER FIVE

5.0 References
1. Rana Alabdan et al, “Phishing Attacks Survey: Types, Vectors, and
Technical Approaches”, Department of Information Systems, College of
Computer and Information Sciences, Majmaah University, 2020.
2. K. Jansson* and R. von Solms, “Phishing for phishing awareness”,
Institute for ICT Advancement, Nelson Mandela Metropolitan University,
Port Elizabeth, South Africa,2011.
3. Omar Abahussain And Yousef Harrath, “Detection of Malicious Emails
through Regular Expressions and Databases”, Department of Computer
Science University of Bahrain Sakhir, Bahrain,2019.
4. Zainab Alkhalil, Chaminda Hewage , Liqaa Nawaf and Imtiaz Khan,
“Phishing Attacks: A Recent Comprehensive Study and a New
Anatomy”, Cardiff School of Technologies, Cardiff Metropolitan
University, Cardiff, United Kingdom,2021.

27
5. David Lacey et. al, “A Framework for Ethical Phishing Experiments”,
Berkeley technology law journal / Boalt Hall School of Law, University
of California, Berkeley,2019.
6. Markus Jakobsson et. Al, "Designing Effective Phishing Awareness
Training: Lessons from Social Psychology", Dept. of Psychology, School
of Informatics, Indiana University,2019.
7. Keshav Sood and Maninder Singh, “Phishing Detection Techniques: A
Comprehensive Survey” , School of Computer Science and Engineering,
Galgotias University,Greater Noida, India,2021.
8. K.S. Anitha and R. Priyadharshini, “A Study on Ethical Hacking and
Countermeasures Against Phishing Attacks” , Department of Computer
Science, Department of Computer Science, Federal University of
Agriculture, Abeokuta, Nigeria,2018.
9. L. Jean Camp et al. , “Evaluating the Effectiveness of Anti-Phishing
Training for End Users” , Department of Informatics and Cyber
Operations, University of Defence, 65 Kounicova Street, Brno, Czech
Republic,2018.

28