8/14/2019 BATTLE AGAINST PHISHING2
1/22
BATTLE AGAINST PHISHING
New Identity Theft Threats
Presentation by: Anuj Arora and Himanshu Bheda
OUTLINE
Phishing Defined
How Phishing Works
Studies of Browser Security and Phishing
Analysis of a Phishing Database
Study: Distinguishing Legitimate Websites
Results
Conclusion
Phishing Defined
Phishing is a form of criminal activity using social engineering techniques, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message.
- Wikipedia
Phishing vs. Hacking
Phishing is when you are led to a fake website, such as a fake bank website, where someone captures your details when you log on.
Hacking is when someone uses software or some other special tool to get into a user's computer, with or without the user noticing, in order to take information.
Phishing Origination
Messages that imitate legitimate emails
Social engineering tactics
Links and email that look very real, for example an "Account Update" link displayed as http://www.ebay.com/myaccount/update.asp
Password Phishing Problem
[Diagram: the user enters password pwdA at the Fake Site; the Fake Site then uses pwdA to log in at Bank A]
User cannot reliably identify fake sites
Captured password can be used at target site
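The replay shown in the diagram, as an added illustration that is not part of the original slides: a stand-in for Bank A stores a hashed password, a fake site records whatever the user types, and the fake site's operator replays it at the bank. The same simulation then shows the contrast with a per-site derived password (the idea behind PwdHash-style browser extensions, simplified here, not their exact scheme). Bank A, the fake site, the user "alice" and the password "pwdA" are all constructed for the example.

```python
"""Why a password captured by a fake site works at the real one, and why a
per-site derived password does not. Added example: the bank, the fake site,
the user and the password are constructed, not taken from the slides."""
import hashlib
import hmac

ITERATIONS = 10_000  # PBKDF2 work factor; small so the example runs quickly


class Bank:
    """Stand-in for 'Bank A': stores a salted PBKDF2 hash per user."""

    def __init__(self, domain):
        self.domain = domain
        self.users = {}  # username -> (salt, hash)

    def register(self, user, password):
        # Deterministic salt for reproducibility; a real site uses a random one.
        salt = hashlib.sha256(user.encode()).digest()
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.users[user] = (salt, digest)

    def login(self, user, password):
        salt, stored = self.users.get(user, (b"", b""))
        if not stored:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(stored, candidate)


class FakeSite:
    """Phishing page that looks like the bank and records what is typed."""

    def __init__(self, domain):
        self.domain = domain
        self.captured = []

    def login(self, user, password):
        self.captured.append((user, password))
        return True  # always 'succeeds'; a real kit then redirects to the bank


def site_password(master, domain):
    """Derive a per-site password from the master password and the domain the
    browser is actually connected to. Captured output from one domain is
    useless on another because the derivation is keyed by the domain."""
    return hmac.new(master.encode(), domain.encode(), hashlib.sha256).hexdigest()[:16]


def replay_attack(user_types_raw_password):
    """Simulate the slide: alice registers at Bank A, is lured to a look-alike
    site, and the fake site replays what it captured at Bank A.
    Returns True if the replayed credential logs in at the bank."""
    bank = Bank("banka.example")
    fake = FakeSite("banka-secure.example")  # look-alike host, constructed
    master = "pwdA"

    def typed(domain):
        # The user either types the raw password everywhere, or a per-site
        # derivation of it bound to the domain actually being visited.
        return master if user_types_raw_password else site_password(master, domain)

    bank.register("alice", typed(bank.domain))
    fake.login("alice", typed(fake.domain))  # user cannot tell the sites apart
    user, captured = fake.captured[0]
    return bank.login(user, captured)


if __name__ == "__main__":
    print("raw password replayed at Bank A:", replay_attack(True))
    print("domain-bound password replayed at Bank A:", replay_attack(False))
```

The first call reproduces the slide (the captured pwdA works at Bank A); the second shows that once the typed credential depends on the real domain, the value captured on banka-secure.example is rejected by banka.example, even though the user behaved identically in both runs.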
Phishing Damage
[Chart: phishing statistics, courtesy of the Anti-Phishing Working Group]
Phishing Damage
Monetary
Between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million.
U.S. companies lose more than $2 billion annually as their clients fall victim.
Identity
New credit cards, loans, apartments, bank accounts, etc.
Phishing Techniques
Link manipulation / misspelled URLs (http://www.welllsfargo.com/account)
Spoofing URLs with the @ sign (http://[email protected])
Filter evasion
Website forgery using JavaScript
Phone phishing
How to Spot a Phishing Scam
1. The "From" field
2. Logos or images taken from the company's web site
3. Redirecting link
What Phishing Looks Like
[Screenshot of a phishing email]
#1: The link that appears legitimate
#2: The actual destination when you click on the link
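The link tricks from the Phishing Techniques slide and from this one (a visible link that disagrees with its real destination, the @ sign hiding the real host, a misspelled look-alike domain) can be checked mechanically. The following is an added example, not code from the slides: it parses the anchors out of an HTML message and reports each trick. The allow-list of known brand domains and the sample message are constructed for the example; the "members.example.net" host is a placeholder for whatever follows the @ sign in a real attack.

```python
"""Flag the link tricks from the slides: display text that disagrees with the
real href, the '@' (userinfo) trick, and look-alike domains.
Added example; the HTML message below is constructed, not a real phishing mail."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands the check knows about (assumption: a site-specific allow-list).
KNOWN_DOMAINS = {"wellsfargo.com", "ebay.com", "paypal.com", "citibank.com"}


def registrable(host):
    """Crude eTLD+1: the last two labels. Enough for the .com examples here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot 'welllsfargo' next to 'wellsfargo'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(href, text=""):
    """Return a list of warning strings for one link (empty list = nothing odd)."""
    warnings = []
    parts = urlsplit(href)
    if "@" in parts.netloc:
        # http://trusted.example@evil.example/ : everything before '@' is
        # userinfo; the host the browser connects to is what follows it.
        warnings.append("userinfo '@' trick: real host is %s" % parts.hostname)
    host = registrable(parts.hostname or "")
    if host not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if 0 < edit_distance(host, known) <= 2:
                warnings.append("look-alike of %s: %s" % (known, host))
    # If the visible text itself looks like a URL or domain, it must match
    # the registrable domain the href really points at (#1 vs #2 on the slide).
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
    if m and registrable(m.group(1)) != host:
        warnings.append("text says %s but link goes to %s" % (registrable(m.group(1)), host))
    return warnings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(html):
    """Return {href: [warnings]} for every link in an HTML message body."""
    p = LinkExtractor()
    p.feed(html)
    return {href: analyze_url(href, text) for href, text in p.links}


# Constructed sample message (not a real phishing email).
SAMPLE = """<p>Dear Valued Customer,</p>
<p>Please <a href="http://www.welllsfargo.com/account">update your account</a>.</p>
<p>Or visit <a href="http://www.ebay.com@members.example.net/update.asp">
http://www.ebay.com/myaccount/update.asp</a></p>
<p>Genuine: <a href="https://www.paypal.com/">www.paypal.com</a></p>"""

if __name__ == "__main__":
    for href, warns in analyze_email(SAMPLE).items():
        print(href, "->", warns or "ok")
```

The userinfo check relies on the browser's own parsing rule: in `http://www.ebay.com@members.example.net/` the part before the @ is a username, so the host that actually serves the page is the one after it. The look-alike check only flags domains within two edits of a brand on the allow-list, so a genuine brand host such as www.paypal.com with matching visible text produces no warning.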
Studies of Browser Security and Phishing
About 28% of the time, subjects incorrectly identified the phishing emails as legitimate.
Subjects often looked at the lock icon in the status bar, but rarely clicked on the lock and thus didn't learn anything about the site's certificate.
Interviewed 72 individuals about web security and found that participants could not reliably determine whether a connection is secure.
Studies of Browser Security and Phishing
Even when toolbars were used to notify users of security concerns, users were tricked into providing information 34% of the time.
Social context makes phishing attacks far more effective.
Analysis of a Phishing Database: Lack of Knowledge
Lack of knowledge of security and security indicators
Visual deception:
Visually deceptive text
Images masking underlying text
Images mimicking windows
Windows masking underlying windows
Deceptive look and feel
Analysis of a Phishing Database: Lack of Attention
Lack of attention to security indicators
Lack of attention to the absence of security indicators
Study: Distinguishing Legitimate Websites
Factors that are important for evaluating website security and authenticity
Phishing Websites Used
Study Design
Scenario and Procedure
Participant Recruitment and Demographics
Phishing Websites Used
According to CipherTrust, the top 5 targets and the percentage of phishing attacks they represent are:
1. CitiBank 54.16%
2. Smith Barney 13.48%
3. SunTrust 10.02%
4. PayPal 7.57%
5. Wells Fargo 5.42%
Study Design
Participants were presented with 20 websites:
7 legitimate websites
9 representative phishing websites
3 phishing websites constructed by us using additional phishing techniques
1 website requiring users to accept a self-signed SSL certificate
Scenario and Procedure
Participants were provided with an email message that asks them to click on one of the links.
They click on the link to judge whether it is a legitimate website or a "spoof" (a fraudulent copy of that website).
Participant Recruitment and Demographics
Participants: 22 (male: 10, female: 12); staff: 11, students: 11
Technical: 3; non-technical: 19
Age: 18-56 years; weekly hours of usage: 10-135
Primary browser: Mozilla: 10, Internet Explorer: 11, Apple Safari: 1
Operating system: Windows XP: 13, Mac OS X: 6, Windows 2000: 2, unknown: 1
Education (staff): Bachelor's: 8, Master's: 2, Ph.D: 1
Education (students): Bachelor's: 7, Master's: 2, Ph.D: 2
Conclusion
Educate yourself! Look out for:
Misspelled words
"Dear Valued Customer" greetings
The @ sign in a URL
Unusual company behavior
Go to websites directly from the browser
Keep web applications up-to-date (use the Check for Updates button)
Be cautious: if it seems suspicious, don't take a chance