PHISHING - Clemson


PHISHING
By,
Himanshu Mishra
Parrag Mehta
OUTLINE
• What is Phishing?
• Phishing Techniques
• Message Delivery
• Effects of Phishing
• Anti-Phishing Techniques
• Conclusion
WHAT IS PHISHING?
• It is a form of identity theft that uses both social engineering and technical subterfuge to steal consumers' personal identity data as well as financial account credentials.
• Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.
PHISHING
• History
• Social Engineering Factors
• Psychological Factors
HISTORY
• First mentioned in an AOL Usenet newsgroup on January 2, 1996.
• Variant of the word “fish”.
• AOHell – a custom-written program.
• A line added to all instant messages.
SOCIAL ENGINEERING FACTORS
• Methods include a mix of technical deceit and social engineering practices.
• Phishers persuade victims to perform a series of actions.
• Popular communication channels: email, web pages, instant messaging services.
• Impersonate a trusted source.
PSYCHOLOGICAL FACTORS
• Trust of authority
e.g. BOA questions the validity of your account
• Email and web pages can look real
http://bankofamerica.com/login may really be http://bankofcrime.com/got_your_login
PHISHING TECHNIQUES
• Link Manipulation
• Filter Evasion
• Website forgery
• Phone Phishing
LINK MANIPULATION
• Bad domain names
– Actual domain host: http://privatebanking.mybank.com
– Phisher-manipulated host: http://privatebanking.mybank.com.ch
• Friendly login URLs
– http://mybank.com:[email protected]/phishing/fakepage.htm
• Third-party shortened URLs
– http://tinyurl.com changed to http://tinyurl.com/4outd
• Host name obfuscation
– http://mybank.com:[email protected]/phishing/fakepage.htm
– http://mybank.com:[email protected]/login.htm
FILTER EVASION
• Flash-based websites
• Images instead of text
WEBSITE FORGERY
• JavaScript commands.
• Cross-site scripting (CSS or XSS).
Full HTML substitution such as:
http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
• Universal Man-in-the-middle Phishing Kit.
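The Link Manipulation and Website Forgery slides above describe three URL tricks: a bank name placed in the userinfo part before “@”, the bank's domain used only as a subdomain of another registered domain, and a full URL smuggled through a query parameter. The following added checker (example code, not from the original slides) flags each of them; it assumes mybank.com is the legitimate domain and all sample URLs are constructed.

```python
"""Flag the link-manipulation tricks listed on the slides.

Added example, not from the original slides. EXPECTED_DOMAIN is an
assumption; every URL passed in below is a constructed sample.
"""
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "mybank.com"   # assumed legitimate registered domain


def registered_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. 'a.mybank.com.ch' -> 'com.ch'.
    A production check would consult the public-suffix list; two labels are
    enough to demonstrate the 'mybank.com.ch' trick from the slide."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> list:
    """Return a list of warnings; an empty list means no trick was spotted."""
    warnings = []
    parts = urlsplit(url)
    if parts.username is not None:
        # 'http://mybank.com:ebanking@evilsite.example/...' puts the bank name in
        # the userinfo field; the browser actually connects to parts.hostname.
        warnings.append("userinfo before '@' hides the real host")
    host = parts.hostname or ""
    real = registered_domain(host) if host else ""
    if host and real != EXPECTED_DOMAIN:
        warnings.append(f"real host is {host!r}, not {EXPECTED_DOMAIN}")
        if EXPECTED_DOMAIN in host:
            # 'privatebanking.mybank.com.ch' is registered under .com.ch
            warnings.append("expected domain appears only as a subdomain label")
    for param in parts.query.split("&"):
        # '?URL=http://evilsite.example/...' is the open-redirect trick
        if "://" in param.partition("=")[2]:
            warnings.append("query parameter carries a full URL (redirect)")
    return warnings


if __name__ == "__main__":
    for sample in (
        "https://privatebanking.mybank.com/login",
        "http://mybank.com:ebanking@evilsite.example/phishing/fakepage.htm",
        "http://privatebanking.mybank.com.ch",
        "http://mybank.com/ebanking?URL=http://evilsite.example/fakepage.htm",
    ):
        print(sample, "->", analyze_url(sample) or "looks fine")
```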
PHONE PHISHING
• Phone number owned by the phisher and provided via VoIP.
– Fake caller ID
– Prompts the user to enter account numbers and PIN
– Vishing (voice phishing)
MESSAGE DELIVERY
• Web-based
• Email and Spam
• Instant Messaging
• Trojan Hosts
WEB BASED
• Banner advertising graphics.
• Use of web bugs.
• Pop-up or frameless window.
• Embed malicious content and install software.
EMAIL & SPAM
• Official-looking and -sounding emails
• Copies of legitimate corporate emails with minor URL changes
• HTML-based email used to obfuscate target URL information
• Standard virus/worm attachments to emails
• A plethora of anti-spam-detection inclusions
Contd.
• Crafting of “personalised” or unique email messages
• Fake postings to popular message boards and mailing lists
• Use of fake “Mail From:” addresses and open mail relays for disguising the source of the email
INSTANT MESSAGING
• More popular with home users, with more functionality included within the software
• Bots (automated programs that listen and participate in group discussions)
TROJANED HOSTS
• Trick home users into installing software.
• Selective information recorded.
• Java applet – “javautil.zip”
– Key logger
EFFECTS
• Financial Loss
– Losses ranging from hundreds to tens of thousands of dollars
• Loss of Trust
– Users refrain from using the Internet for business
• Law Enforcement Difficulties
– Cross-border attacks
ANTI-PHISHING
• Social Response
• Technical Response
– Browser Alerts
– Digitally Signed Emails
– Augmenting Password Logins
– Filters
– Anti-virus
• Legal Response
SOCIAL RESPONSE
[Slide shows an example phishing email with labels: Generic addressing, Fraud link]
Do not accept friend requests from people you don't know on Facebook even though you may have many mutual friends with them.
TECHNICAL RESPONSE
[Slide shows a browser alert]
TECHNICAL RESPONSE
[Diagram: Digitally Signed Email – CA Server, Sender, Email Server, Receiver]
TECHNICAL RESPONSE
[Slide shows an augmented password login]
TECHNICAL RESPONSE
[Slide shows a spam filter]
CONCLUSION
• Phishing affects both consumers and organizations
• User education can help prevent / fight phishing
• Co-operation between governments can help nab phishers