2. Phishing & Spamming
Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free in the 1970s
- Fishing = using bait to lure the target
Definition: the act of obtaining usernames, passwords, credit card numbers and other personal details by masquerading as a trustworthy entity in electronic communication.
Popular on social websites, auction sites, banks and online payment processors, and most commonly in almost everyone's email inbox.
3. History & current status of phishing
First mentioned in the context of “AOHELL”, a hacking tool for AOL users.
Recently, a widely reported case involved a Chinese phishing campaign targeting US and South Korean government, military and political activities.
The best-known early phishing attack dates back to 1995: phishers posed as AOL staff and sent instant messages asking victims to reveal their passwords.
Post-9/11 ID check scam: thousands of cases were reported to customerfraudreporting.org in that period.
4. History & current status (continued)
Targets of phishing attacks: banks 56%, retailers 14%, government 13%, spear-phishing 7%, payment processors 5%, others 5%
Haiti earthquake scam
FIFA world cup 2010 scam
Tax rebate scams in UK
PiP scams
5. Identifying a fraud
The company name is listed as a scam on customerfraudreporting.org
The email format matches one of the several listed on the above website
The organisation has no website and cannot be located on Google
The email asks for personal information such as account details, driver's license number or passport number
The email claims you have won a lottery in which you never participated
The prize promoters ask for a fee in advance
The email addresses you as “dear customer” rather than using your name and specific details
To collect the prize you might need to travel overseas at your own cost
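The text-based items of the checklist above can be turned into a simple triage score. This is an added example, not from the slides: the regular expressions, weights, threshold and the two sample messages are this example's own assumptions, and the two checklist items that need an external lookup (the scam listing on customerfraudreporting.org, the organisation not being found online) are left out.

```python
import re

# Text indicators from the checklist above. Patterns and weights are this
# example's own assumptions; items needing an external lookup are omitted.
INDICATORS = {
    "generic greeting": (r"\bdear (customer|user|member|sir/madam)\b", 1),
    "asks for personal info": (
        r"\b(account (number|details)|driver'?s? licen[cs]e|passport (no|number)|password)\b", 3),
    "unsolicited lottery win": (r"\b(you (have )?won|lottery|prize draw|winner)\b", 2),
    "advance fee": (r"\b(processing|handling|release|administrative) fee\b", 3),
    "travel at own cost": (r"\b(travel|fly)\b.*\b(own (cost|expense)|at your expense)\b", 1),
}

def score_email(body):
    """Return (matched indicator names, total weight) for one email body."""
    text = body.lower()
    hits = [name for name, (pattern, _) in INDICATORS.items() if re.search(pattern, text)]
    return hits, sum(INDICATORS[name][1] for name in hits)

def is_suspicious(body, threshold=4):
    """Flag an email whose indicator weight reaches the (assumed) threshold."""
    return score_email(body)[1] >= threshold

# Constructed sample messages, not real emails.
PHISH = """Dear Customer,
Congratulations! You have won the International Email Lottery. To release
your prize of $500,000 please send a copy of your passport number and your
bank account details, and pay a processing fee of $250 in advance.
The award ceremony is overseas; travel is at your own cost."""

BENIGN = """Hi Priya,
Attached are the minutes from Tuesday's meeting. Let me know if I missed
anything before I send them round to the rest of the team."""

if __name__ == "__main__":
    for label, body in (("phish", PHISH), ("benign", BENIGN)):
        hits, score = score_email(body)
        print(f"{label}: score={score} suspicious={is_suspicious(body)} hits={hits}")
```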
6. Phishing Techniques
Email / spam – emails sent to thousands of people asking for their personal information
Web-based delivery – “man in the middle”: the attacker sits between the website and the user
Instant messaging – the user receives a message with a link directing them to a fake website that looks like a legitimate one
Trojan hosts – trojans planted invisibly on the machine to extract personal information
Link manipulation – phishers send a false link that leads to a fraudulent website
Key loggers – software that records keyboard input
Session hacking (“session sniffing”) – phishers exploit the web session control mechanism to steal information
7. Phishing Techniques
System reconfiguration – for example, “Turn off your firewall to run this software”
Content injection – phishers change part of the content on a web page, luring the user to a page outside the legitimate website
Phishing through search engines – users may be redirected to fake websites offering cheap products
Phone phishing – phishers call the user about exciting offers and products so that the user reveals their details to buy the products
Malware phishing – malware attached to spam emails; once opened, the malware may harm the system
8. Why phishing works
1. Lack of knowledge
a) Lack of computer system knowledge
b) Lack of knowledge of security indicators
2. Visual deception
a) Visually deceptive text – “paypai” instead of “paypal”, using “1” instead of “l”, “o” instead of “0”, etc.; this is called typejacking.
b) Images masking underlying text
c) Images mimicking windows
d) Windows masking underlying windows
e) Deceptive look and feel
3. Bounded attention
a) Lack of attention to security indicators
b) Lack of attention to the absence of security indicators
9. Anti - Phishing
Social responses – train people to recognise phishing attacks. People need to modify their browsing habits slightly in order to avoid being scammed.
Technical responses – use anti-phishing measures such as browser extensions or toolbars and anti-phishing software.
Helping to identify legitimate websites – complain about fake websites. The SFIO deals with internet fraud in India, and there are also cyber cells where complaints can be made.
10. Anti - Phishing
Secure connection – from the 1990s to the late 2000s Mozilla used a padlock as the symbol of a secure connection; now certificates and “https” are also shown.
Which site – check that the URL of the website matches the site you are looking for.
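The typejacking examples on slide 8 and the “which site” check above can be automated. This is an added example, not from the slides: it folds a hostname into a skeleton by undoing the letter swaps the slides describe (“i”/“1” for “l”, “0” for “o”) and compares it with a protected brand list; the brand list, the extra confusable pairs, the one-typo near-miss rule and the brand-embedded-in-subdomain check are this example's own assumptions, and all URLs are constructed.

```python
from urllib.parse import urlsplit

# Brands to protect (constructed list; paypal.com is the slide's own example).
PROTECTED = ("paypal.com", "example-bank.com")

# Swaps the slides call typejacking ("i"/"1" for "l", "0" for "o"), plus a few
# extra confusables and two-letter pairs that are this example's assumption.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e"})
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def skeleton(host):
    """Fold a hostname into the shape a hurried reader sees."""
    s = host.lower().strip(".")
    if s.startswith("www."):
        s = s[4:]
    s = s.translate(CONFUSABLE)
    for pair, letter in PAIRS:
        s = s.replace(pair, letter)
    return s

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Return (verdict, brand): legitimate, lookalike, near-miss, brand-embedded or unrelated."""
    host = (urlsplit(url).hostname or "").lower()
    for brand in PROTECTED:
        if host == brand or host.endswith("." + brand):
            return "legitimate", brand
    name = skeleton(host)
    for brand in PROTECTED:
        target = skeleton(brand)
        if name == target:
            return "lookalike", brand          # same shape, swapped letters
        if edit_distance(name, target) <= 1:
            return "near-miss", brand          # one typo away
        if brand.split(".")[0] in host:
            return "brand-embedded", brand     # brand name inside an unrelated domain
    return "unrelated", None

if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "http://paypai.com/login", "http://paypa1.com/login"):
        print(u, "->", classify_url(u))
```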
11. Anti Phishing
Who is the authority – the browser needs to state who the real authority issuing the EV (Extended Validation) certificate for a website is. The browser needs a root list of trusted CAs (Certification Authorities).
Fundamental flaws in the security model of secure browsing – (a) users tend to overlook the security indicators; (b) users have learned to bypass most warnings and treat all of them with the same disdain, resulting in “click-through disdain”; (c) obtaining security authentication is very costly for websites, resulting in negligence; (d) threat models reinvent themselves at a much faster pace.
Browsers alerting users to fraudulent websites – IE7, Mozilla Firefox 2.0 onwards (using Google's anti-phishing software), Chrome and Safari 3.2 warn users; Opera 9.1 uses live blacklists from PhishTank and GeoTrust as well as a live whitelist from GeoTrust.
Augmenting password log-ins – avoid staying logged on for long periods when not using the service; using a virtual keyboard is safer when entering passwords.
12. Anti - Phishing
Eliminating phishing emails – use specialised filters to eliminate phishing emails and keep your inbox free of spam.
Monitoring and takedown – contribute by reporting to both volunteer and industry groups such as PhishTank; report to cyber cells and help them take down the guilty.
Transaction verification and signing – steps are implemented to link mobile phones with internet accounts, so users are informed when transactions are made or other security issues arise.
Legal responses – there is pride in giving evidence against a crime; support legal cases against cyber crime and help punish the guilty.
13. Conclusion
Con artists have existed in society for centuries, but with the web and internet they gain access to a much larger group of people.
They live on our mistakes.
A final technical solution to phishing involves major changes to the internet infrastructure. These changes are beyond any one institution.
However, there are steps that can be deployed now.
It is all up to us.
Be cautious, be careful.
Stop phishing.
14. Thank you for your patience and attention.
Comments and questions.