Phishing and Pharming

Phishing and Pharming
New Identity Theft Threats
Presentation by Jason Guthrie
Outline
• Phishing
– Defined
– How Phishing Works
– Phishing Damage
– What Phishing Looks Like
– Prevention
• Pharming
– How Pharming Works
– Prevention
Phishing Defined
“Phishing is a form of criminal activity
using social engineering techniques,
characterized by attempts to
fraudulently acquire sensitive
information, such as passwords and
credit card details, by masquerading as
a trustworthy person or business in an
apparently official electronic
communication, such as an email or an
instant message.”
-Wikipedia
How Phishing Works
• “Legitimate” emails seem to originate from
trusted sources – banks or online retailers
• Social engineering tactics convince the
reader that their information is needed
– Fear is the #1 tactic
– Solicitation of help
• Links and email look very real
– Account Update
– http://www.ebay.com/myaccount/update.asp
How Phishing Works
• Techniques
– Misspelled URLs
(http://www.welllsfargo.com/account)
– Spoofing URLs
(http://[email protected])
– Javascript
– Cross Site Scripting
– International Domain Names
How Phishing Works
• The Stolen Results
– Voluntary! Remember you gave it to them.
– Login
• Username
• Password
– Update Information
• Social Security Number
• Address
• Bank Account Number
• Credit Card Number
Phishing Damage
• Monetary
– Between May 2004 and May 2005, roughly 1.2
million U.S. computer users suffered
phishing losses valued at $929 million
– U.S. companies lose more than $2 billion
annually as their clients fall victim
• Identity
– New Credit Cards, loans, apartments, bank
accounts, etc.
Phishing Damage
Courtesy of: The Anti-Phishing Working Group
Phishing Targets
Courtesy of: The Anti-Phishing Working Group
Phishing Targets
• Users lack computer knowledge
– Elderly
• Users lack security knowledge
– Elderly
– Teens
– New Computer Users
– Infrequent Computer Users
What Phishing Looks Like
#1: The link that appears legitimate
#2: The actual destination when you click on the link
Phishing Test
Real or Fake?
Real!
Phishing Test
Real or Fake?
Fake!
Phishing Test
Real or Fake?
Fake!
Phishing Test
• For the complete test go to:
http://survey.mailfrontier.com/survey/quiztest.html
• A similar test was conducted by Rachna
Dhamija, J.D. Tygar, and Marti Hearst
with 20 websites and emails
– 12 were fraudulent
– 8 were legitimate
Phishing Test Results
How to Detect Phishing
• Software
– Specialized “AntiPhishing” Software
– Spam filters
– Challenge Questions
– Firefox
– Opera
– IE 7
Prevention
• Education, education, education
• Look out for:
– Misspelled words
– “Dear Valued Customer”
– Beware of the @ sign
– Unusual company behavior
• Go to websites directly from the browser
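An added defender-side check, not part of the presentation, that applies the slide's advice about misspelled URLs, the @ sign and international domain names to a list of links: it reports the host a browser would really connect to and why a link looks suspicious. The sample URLs and the trusted-domain list are constructed, and the "registrable domain" logic assumes two-label domains such as example.com.

```python
from urllib.parse import urlsplit

# Constructed sample URLs illustrating the tricks named on the slides (hypothetical hosts).
SAMPLE_URLS = [
    "http://www.ebay.com/myaccount/update.asp",  # genuine-looking, real eBay host
    "http://www.welllsfargo.com/account",        # misspelled lookalike domain
    "http://www.ebay.com@203.0.113.5/login",     # "@" trick: the real host is the IP
    "http://www.xn--pypal-4ve.com/",             # punycode (international domain name)
]
TRUSTED_DOMAINS = ["ebay.com", "wellsfargo.com", "paypal.com"]  # constructed allow-list


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url, trusted=TRUSTED_DOMAINS):
    """Return (real_host, warnings) for a link: where it really goes and why it looks odd."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # .hostname drops any "user@" prefix
    warnings = []
    if parts.username is not None:
        warnings.append("'@' in URL: text before @ is a username, not the host")
    if host.replace(".", "").isdigit():
        warnings.append("host is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (international domain name) host")
    if any(ord(c) > 127 for c in host):
        warnings.append("non-ASCII characters in host")
    domain = ".".join(host.split(".")[-2:])  # naive registrable domain (two labels)
    if domain not in trusted:
        for t in trusted:
            if edit_distance(domain, t) <= 2:
                warnings.append(f"lookalike of trusted domain {t}")
    return host, warnings


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        host, warnings = inspect_url(u)
        print(f"{u}\n  real host: {host}\n  {'; '.join(warnings) or 'no warnings'}")
```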
How to Detect Phishing
• Other Resources:
– McAfee’s Whitepaper: “Anti-Phishing: Best
Practices for Institutions and Consumers”
– Why Phishing Works – study by Dhamija,
Tygar, and Hearst
– The FTC “How Not to Get Hooked by a ‘Phishing’ Scam” website
Phishing’s Evil Cousin
• People are educating themselves and
foiling many phishers
– Leading many to develop more malicious
tools
• Pharming
• Spam
• Viruses
• Password Stealing Software
– Same end result, different method
How Pharming Works
• Email Viruses
– Alters the computer’s hosts file
• DNS Poisoning
– Nothing on your computer changes
– The company’s website is “hijacked”
– Google and Panix.com recent examples
• Detection is very difficult
Prevention
• Burden lies on businesses
– Server-side scripts
– Digital Certificates
• Browsers can help identify the originating location
– US customers would be wary of a bank IP address from Russia
Conclusion
• Educate yourself!
• Keep web applications up-to-date
– “Check for Updates” button
• Be cautious
– If it seems suspicious, don’t take a chance