www.more.net | University of Missouri Copyright ©2005 MOREnet and The Curators of the University of Missouri Let’s Go Phishing!

Let’s Go Phishing!

Objectives

• Phishing defined
• Recognizing a phishing attack
• Protecting your identity

What is phishing?

Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use “spoofed” e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.

Source: http://www.antiphishing.org/

Wow! OK, so what does that mean?

• Spoofed e-mail
• Social engineering
• Crimeware
• Keylogger
• Spyware

Anti-Phishing Working Group

In October 2005:

– 15,820 phishing e-mail messages reported to the APWG.
– 4367 unique phishing sites identified.
– 96 brand names were hijacked.
– Average time a site stayed on-line was 5.5 days.

Statistics

43 percent of adults have received a phishing contact.

Five percent of those adults gave their personal information.

www.informationweek.com/story/showArticle.jhtml?articleID=163101877&tid=13692

Questions?

How many of you have seen a phishing e-mail?

Yes! I have seen one (or two or three).

x No, I have no idea what you are talking about.

Headers from e-mail:

Return-Path: <[email protected]>
X-Original-To: [email protected]: [email protected]: from nook.more.net (nook.more.net [207.160.130.11])
    by vortex.more.net (Postfix) with ESMTP id 1FC8DC088D
    for <[email protected]>; Thu, 23 Jun 2005 06:52:31 -0500 (CDT)
Received: from localhost (localhost.more.net [127.0.0.1])
    by nook.more.net (Postfix) with ESMTP id EF4D8CFE8B
    for <[email protected]>; Thu, 23 Jun 2005 06:52:30 -0500 (CDT)
Received: from nook.more.net ([127.0.0.1])
    by localhost (nook.more.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 14184-12 for <[email protected]>; Thu, 23 Jun 2005 06:52:30 -0500 (CDT)
Received: from gangdeok.es.kr (unknown [211.248.95.131])
    by nook.more.net (Postfix) with ESMTP id EF879CFE83
    for <[email protected]>; Thu, 23 Jun 2005 06:52:29 -0500 (CDT)
Received: from gangdeok.es.kr (gangdeok.es.kr [127.0.0.1])
    by gangdeok.es.kr (8.12.9/8.12.9) with ESMTP id j5NBeEKw000369
    for <[email protected]>; Thu, 23 Jun 2005 20:40:14 +0900
Received: (from root@localhost)
    by gangdeok.es.kr (8.12.9/8.12.9/Submit) id j5NBeDiu000367
    for [email protected]; Thu, 23 Jun 2005 20:40:13 +0900
Date: Thu, 23 Jun 2005 20:40:13 +0900
To: [email protected]: Secure your ACCOUNT
Message-ID: <[email protected]>
From: "[email protected]" <[email protected]>
Content-Type: text/html
X-Virus-Scanned: amavisd-new at more.net

Questions?

HTML of message:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>SouthTrust Online Banking</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<LINK href="https://southtrustonlinebanking.com/retail/css/stylesheet.css" rel=stylesheet>
<META content="MSHTML 6.00.2800.1458" name=GENERATOR></HEAD>
<BODY style="BACKGROUND-COLOR: rgb(255,255,255)" leftMargin=0 topMargin=0 marginwidth="0" marginheight="0">
<FORM name=frmLogin onsubmit="return handleLogin();" action=login.php method=post>
<TABLE style="WIDTH: 793px; HEIGHT: 784px" cellSpacing=0 cellPadding=0 width=793 border=0>
<TBODY>

What you see on the screen:

Login to your SouthTrust Online Banking with your SouthTrust username and password.

    Confirm your identity as a card memeber of SouthTrust.

    View your transaction history and report suspicious activity or any unauthorized change.

 https://southtrustonlinebanking.com/retail/

What the HTML really does:

<U>Login to your SouthTrust Online Banking with your SouthTrust username and password.</U></P>
<P>&nbsp;&nbsp;&nbsp; <U>Confirm your identity as a card memeber of SouthTrust.</U></P>
<P>&nbsp;&nbsp;&nbsp; <U>View your transaction history and report suspicious activity or any unauthorized change.</U></P>
<A href="http://202.39.131.162/.southtrustonlinebanking.com/retail/">https://southtrustonlinebanking.com/retail/</A>
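
The gap between the link text a reader sees and the address the anchor really points to can be checked mechanically. The Python below is an added example, not part of the original presentation; the names AnchorCollector and audit_links and the wording of the findings are illustrative assumptions, and the sample input is the anchor from the slide above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html):
    """Return [(href, text, findings)]; findings is empty for a consistent link."""
    collector, report = AnchorCollector(), []
    collector.feed(html)
    for href, text in collector.links:
        target, findings = urlsplit(href), []
        host = target.hostname or ""
        if is_ip_literal(host):
            findings.append("href host is a bare IP address")
        # Only compare when the visible text itself claims to be a URL.
        if text.lower().startswith(("http://", "https://")):
            shown = urlsplit(text)
            if (shown.hostname or "") != host:
                findings.append("displayed host differs from href host")
            if shown.scheme == "https" and target.scheme != "https":
                findings.append("text shows https but href is not https")
            if shown.hostname and shown.hostname in target.path.lower():
                findings.append("displayed host appears only in the href path")
        report.append((href, text, findings))
    return report

# Anchor markup from the "What the HTML really does" slide.
SAMPLE = ('<A href="http://202.39.131.162/.southtrustonlinebanking.com/retail/">'
          'https://southtrustonlinebanking.com/retail/</A>')
```

Run over the slide's anchor, audit_links(SAMPLE) reports all four findings; a link whose text and href agree returns an empty list.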

GEEKTOOLS - Looking up IP address owner

Whois reveals:

inetnum: 202.39.128.0 - 202.39.255.255
netname: HINET
descr: Data Communication Business Group,
descr: Chunghwa Telecom Co., Ltd.
descr: Commerical ISP
descr: 21, Section 1, Hsin-Yi Road, Taipei,
descr: Taipei 100, Taiwan, R.O.C.
country: TW
admin-c: HN27-AP
tech-c: HN28-AP
mnt-by: MAINT-TW-TWNIC
changed: [email protected] 19940401
changed: [email protected] 20040713
status: ALLOCATED PORTABLE
source: APNIC

Questions?

Installation of crimeware

• If a website does not ask you for personally identifiable information, you may still be at risk from installed software.

Be suspicious of any e-mail with urgent requests for personal financial information

• NEVER respond to an e-mail requesting personally identifiable information

• NEVER click on the link provided in the e-mail message

• NEVER fill out fields included in an e-mail message

Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser

• Type in the web address and do not click on an e-mail link

• Look for "https://" rather than just "http://"

• Check for the lock on the browser

Others:

• Review credit card and bank account statements as soon as you receive them

• Check your credit report on a regular basis (every six months recommended)

• Use anti-virus software and keep it up to date

• Be cautious about opening any attachment or downloading any files from e-mails you receive, regardless of who sent them

Questions?

Fair Credit Reporting Act

A recent amendment to the federal Fair Credit Reporting Act requires each of the major nationwide consumer reporting companies to provide you with a free copy of your credit reports, at your request, once every 12 months.

MISSOURI: free reports began March 1, 2005.

www.annualcreditreport.com
call toll-free 877-322-8228

Report phishing or spoofed e-mails

• Always include header information http://www.spamcop.net/fom-serve/cache/19.html

• Forward the e-mail to [email protected]

• Forward the e-mail to the Federal Trade Commission at [email protected]

• Forward the e-mail to the "abuse" e-mail address at the company that is being spoofed (e.g., [email protected])

What to do if you think your identity has been stolen:

• Contact the fraud department of any of the three major credit bureaus and place a fraud alert on your credit file.
    – Equifax - 800-525-6285
    – TransUnion - 800-680-7289
    – Experian - 888-EXPERIAN (397-3742)

• Close the accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit when disputing new unauthorized accounts.

www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf

What to do, continued

• File a police report
• File your complaint with the FTC
  https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03

Questions?

Resources:

ID Theft Homepage www.consumer.gov/idtheft/

Identity Theft Victims: Immediate Steps http://www.consumer.gov/idtheft/con_steps.htm

Take Charge: Fighting Back Against Identity Theft www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm

Chart Your Course of Action - Checklist http://www.ftc.gov/bcp/conline/pubs/credit/idtheftform.pdf

Anti-Phishing Working Group www.antiphishing.org/

Resources:

Ten Ways to Recognize Fake (Spoof) E-mail www.woai.com/news/cyberstuff/story.aspx?content_id=F483011C-F9D7-41B8-B240-4A50632D8182

Dear Sir: Your Data Was Stolen www.wired.com/news/privacy/0,1848,67811,00.html?tw=wn_1polihead

Home PCs hijacked to spread spam news.bbc.co.uk/1/hi/technology/3528810.stm