何謂網路釣魚攻擊?網路釣魚攻擊者是藉由發送釣魚郵件(Phishing mail)給受害者，受害者點選了誤以為是來自合法網站的郵件中的惡意超連結(Hypelink)，受害者就被導向釣魚網頁，而在釣魚網頁上洩漏了個人的機密資訊給予攻擊者，如個人的信用卡號碼、帳號、密碼，釣魚者再將受害者導向合法的網頁，受害者根本很難發覺剛剛發生了什麼事而掉入釣魚者的陷阱。
因此本論文提出了一個Client端及Server端協同合作的方式，防止網路釣魚的攻擊，以此種協同方式強化線上交易網站，希望藉由此種方式能達到更加緊密的來防堵網路釣魚的攻擊，基於合作協防的立場，Client端可以提供一組假的帳號密碼代替使用者的正確帳號密碼，來協助舉報與追蹤受懷疑的攻擊者，此組假的帳號密碼是事先與Sever端協議好用來反制釣魚者的，釣魚者獲得此組協議的帳號密碼等於已被標記，釣魚者使用此組協議的帳號密碼來登入合法Server時，Server就能藉由這標記識別出釣魚者，Server端發現此異常帳號密碼後，可將釣魚者導向Trap Sever，使得釣魚者不會攻擊到受害者，因Trap Server是仿製合法網站，並可以在Trap Server監控釣魚者的一切活動，甚至可以收集到其他不知情的受害者的帳號資料並凍結帳號，如此一來，讓交易網站的Server端成為防禦網路釣魚的另一道防線，降低網路釣魚攻擊的威脅。過去防止網路釣魚的方式集中於Client端為多，其實在防堵網路釣魚方面，Server端也應該負起更多責任來協助，畢竟Server端的有此責任義務，同時也擁有較多的資源來防止網路釣魚的攻擊。

Because the network online transaction is increasingly popular, many users encounter the phishing attack. The phisher usually use phishing mail and web spoofing to lure the victims. The victims don’t pay attention to the phisher’s trick, they leak their secret information to phisher. The victims often carelessly fall into the trap because of lacking of attention.
In this thesis, we propose a Client-Server Cooperated Anti-Phishing method to detect phishing attacks. We use this method to strength the anti-phishing ability of a online transaction web site. The goal of Client-Server Cooperated Anti-Phishing method is how to detect phisher, how to notify client, how to report server, how to trace back phisher. Except client sides’ anti-phinsh, Server sides take more effort to anti-phish will be more safty in online transaction environment. Because Server sides have more resource to anti-phish.

[1] T. Raffetseder, E. Kirda and C. Kruegel, "Building anti-phishing browser plug-ins: An experience report," in Proceedings of the Third International Workshop on Software Engineering for Secure Systems, 2007,
[2] J. Chen and C. Guo, "Online detection and prevention of phishing attacks," in Communications and Networking in China, 2006. ChinaCom''06. First International Conference on, 2006, pp. 1-7.
[3] Min Wu, "Fighting Phishing at the User Interface," 2006
[4] APWG, "http://www.antiphishing.org/,"
[5] APWG Phishing Attack Trends Report, "http://www.antiphishing.org/phishReportsArchive.html,"
[6] M. Jakobsson and S. Myers, Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley-Interscience, 2006, pp. 37
[7] SpoofGuard, "http://crypto.stanford.edu/SpoofGuard/,"
[8] N. Chou, R. Ledesma, Y. Teraguchi, D. Boneh and J. C. Mitchell, "Client-side defense against web-based identity theft," in 11th Annual Network and Distributed System Security Symposium (NDSS’04), San Diego, 2005,
[9] Cloudmark, "http://www.cloudmark.com/desktop/ie-toolbar/,"
[10] EarthLink Toolbar, "http://www.earthlink.net/software/free/toolbar/,"
[11] eBay Toolbar, "http://pages.ebay.com/ebay_toolbar/,"
[12] GeoTrust TrustWatch Toolbar, "http://toolbar.trustwatch.com/,"
[13] Google Safe Browsing, "http://www.google.com/tools/firefox/safebrowsing/,"
[14] McAfee SiteAdvisor, "http://www.siteadvisor.com/,"
[15] Microsoft Phishing Filter in Windows Internet Explorer 7, "http://www.microsoft.com/taiwan/windows/ie/downloads/default.mspx,"
[16] Netcraft Anti-Phishing Toolbar, "http://toolbar.netcraft.com/,"
[17] Netscape Browser 8.1, "http://browser.netscape.com/ns8/,"
[18] SpoofStick, "http://www.spoofstick.com/,"
[19] Petname, "http://petname.mozdev.org/,"
[20] PhiskTank, "http://www.phishtank.com/,"
[21] Y. Zhang, S. Egelman, L. Cranor and J. Hong, "Phinding phish: Evaluating anti-phishing tools," in Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS 2007), 2007,
[22] S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. F. Cranor, J. Hong and E. Nunge, "Anti-phishing phil: The design and evaluation of a game that teaches people not to fall for phish," in Proceedings of the 3rd Symposium on Usable Privacy and Security, 2007, pp. 88-99.
[23] P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. F. Cranor and J. Hong, "Getting users to pay attention to anti-phishing education: Evaluation of retention and transfer," in Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit, 2007, pp. 70-81.
[24] Y. Pan and X. Ding, "Anomaly based web phishing page detection," in Computer Security Applications Conference, 2006. ACSAC''06. 22nd Annual, 2006, pp. 381-392.
[25] W. Liu, X. L. GH, M. Zhang and X. Deng, "Phishing webpage detection," in Proc. 8th Int’l Conf. Document Analysis and Recognition, pp. 560–564.
[26] S. Garera, N. Provos, M. Chew and A. D. Rubin, "A framework for detection and measurement of phishing attacks," in Proceedings of the 2007 ACM Workshop on Recurring Malcode, 2007, pp. 1-8.
[27] M. Sharifi and S. H. Siadati, "A phishing sites blacklist generator," in Computer Systems and Applications, 2008. AICCSA 2008. IEEE/ACS International Conference on, 2008, pp. 840-843.
[28] C. Karlof, U. Shankar, J. Tygar and D. Wagner, "Dynamic pharming attacks and locked same-origin policies for web browsers," in Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007, pp. 58-71.
[29] PwdHash, "http://crypto.stanford.edu/PwdHash/,"
[30] E. Kirda and C. Kruegel, "Protecting Users Against Phishing Attacks with AntiPhish," COMPSAC-NEW YORK-, pp. 517, 2005.
[31] ZDNet, "惡意網站、網路軟體數目創新高紀錄", http://www.zdnet.com.tw/news/software/0,2000085678,20135004,00.htm
[32] APWG, "Phishing Activity Trends Report 2008/Q2", http://www.apwg.org/reports/apwg_report_Q2_2008.pdf
[33] Yahoo安全圖章, http://tw.info.yahoo.com/seal/index.html
[34] ZDNet, "Yahoo新增防釣魚詐騙功能", http://www.zdnet.com.tw/news/software/0,2000085678,20108922,00.htm
[35] ZDNet, "雅虎奇摩新增防網釣機制", http://www.zdnet.com.tw/news/software/0,2000085678,20116123,00.htm