A Study of the Threat Phishing Poses to Information Security

A Relative Research of Phishing Threat to the Information Security

林明哲 (M.T. Lin), 潘美瑤 (M.Y. Pan), 潘逸潔 (E.J. Pan), 黃文正 (W.Z. Huang), 洪嘉緯 (J.W. Hong), 曾寶弘 (B.H. Tseng), 李孟修 (M.X. Li)

Department of Information Management, Kao Yuan University of Science and Technology


Abstract (translated from the Chinese)

The Internet has become an indispensable part of modern life, yet browsing it exposes us to many information-security threats; phishing is one of them.

Early phishing relied on social engineering carried out over e-mail. As the practice evolved, attackers also began intruding into for-profit and non-profit organizations, taking control of servers to steal confidential data for gain. The main causes of website security problems are web server (IIS, Apache) mismanagement and unpatched vulnerabilities, poorly designed web applications, and inadequate network security controls. On the web-vulnerability side, attackers frequently use script insertion (client-side script injection), XSS (cross-site scripting), SQL injection and similar techniques to gain control of a website and then use it for phishing.

This paper analyzes phishing fraud cases, cybercrime literature and statistical data to catalogue the tools, strategies and code-level attack techniques that phishers use, shows how they exploit the characteristics of the Internet and human carelessness to lure users into taking the bait, and then proposes countermeasures against phishing.

Keywords: phishing, information security, cybercrime


Abstract

The Internet has become an integral part of the modern world. But when we surf it, encountering threats to information security is inevitable. One of these threats is phishing.

Early phishing was carried out by social engineering through e-mail, but it has evolved over time: hackers now invade non-profit and for-profit entities and take control of their web servers to exploit the information they hold. Factors behind website management problems include poor administration and unpatched deficiencies of the web server, faults in program design and defects in network security. For instance, an unpatched deficiency in a web server is commonly harnessed for phishing through script insertion, XSS, SQL injection and the like.

In this study, through phishing cases, criminal records and statistical data, we reveal how hackers employ Internet features together with human nature to lure victims, including the tools and strategies they use, and moreover give suggestions for preventing phishing.

Keywords: phishing, information security, Internet crime