Phishing_ Spoof Spam_ Security.ppt


  • 8/2/2019 Phishing_ Spoof Spam_ Security.ppt

    1/17

Phishing, Spoofing, Spamming and Security: How To Protect Yourself

Additional credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from the Anti-Phishing Working Group's Phishing Archive, Carnegie Mellon CyLab

Dr. Harold L. "Bud" Cothern


    2/17

Recognize Phishing Scams and Fraudulent E-mails

Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information.

Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.


    3/17

History of Phishing

Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in the 70s
- Fishing = use bait to lure the target

Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: similar names (www.ao1.com for www.aol.com), social engineering

Phishing in 2001
Target: eBayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: same as in 1995, plus keyloggers

Phishing in 2007
Target: PayPal, banks, eBay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation

    4/17

2,000,000 emails are sent
5% get to the end user: 100,000 (APWG)
5% click on the phishing link: 5,000 (APWG)
2% enter data into the phishing site: 100 (Gartner)
$1,200 from each person who enters data (FTC)
Potential reward: $120,000

"A bad day phishin' beats a good day workin'"

In 2005 David Levi made over $360,000 from 160 people using an eBay phishing scam


    5/17

Phishing: A Growing Problem

Over 28,000 unique phishing attacks reported in Dec. 2006, about double the number from 2005

Estimates suggest phishing affected 2 million US citizens and cost businesses billions of dollars in 2005

Additional losses due to consumer fears


    6/17

What Does a Phishing Scam Look Like?

As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.

They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.


    7/17

Current Phishing Techniques

Employ visual elements from the target site
DNS tricks:
- [email protected] (the "user@host" trick: in a URL, everything before the "@" is userinfo, not the host, so the browser connects to whatever follows the "@")
- www.gooogle.com (look-alike name with an added letter)
- Unicode attacks (characters from other scripts that render like the real name)
JavaScript attacks
Spoofed SSL lock
Certificates:
- Phishers can acquire certificates for domains they own, so a lock icon only proves the connection is to the domain in the address bar, not that the domain is the real one
- Certificate authorities make mistakes


    8/17

The following is an example of what a phishing scam e-mail message might look like:

[Image: example of a phishing e-mail message, including a deceptive URL address linking to a scam Web site]

To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site (1), but it actually takes you to a phony scam site (2) or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called "spoofed" Web sites. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists.


    9/17

Spear-Phishing: Improved Target Selection

Socially aware attacks
- Mine social relationships from public data
- Phishing e-mail appears to arrive from someone known to the victim
- Use the spoofed identity of a trusted organization to gain trust
- Urge victims to update or validate their account
- Threaten to terminate the account if the victim does not reply
- Use a gift or bonus as bait
- Security promises

Context-aware attacks
- "Your bid on eBay has won!"
- "The books on your Amazon wish list are on sale!"


    10/17

    Another Example:


    11/17

But wait...

WHOIS 210.104.211.21: Location: Korea, Republic Of

Even bigger problem:

I don't have an account with US Bank!

Images from the Anti-Phishing Working Group's Phishing Archive


    12/17

How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for if you think an e-mail message is a phishing scam.

"Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

"If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.


    13/17

How To Tell If An E-mail Message is Fraudulent (cont'd)

"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

"Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site. Notice in the following example that resting the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

[Image: example of a masked URL address]
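The masking described above can be checked mechanically rather than by hovering: compare the host that the visible link text claims against the host the href actually points to, and flag hrefs whose host is a bare IP address (the "string of cryptic numbers" in the screenshot). The Python below is an added example written for this page, not code from the slides; the HTML e-mail it parses is constructed, and 192.0.2.45 is a documentation-range address standing in for a phishing host.

```python
"""Detect "masked" links in an HTML e-mail: anchors whose visible text
names one address while the href points elsewhere, or whose real host
is a bare IP address.  Added example for this page, not code from the
slides; SAMPLE_EMAIL is a constructed message."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one deceptive link (text says the bank, href is an IP)
# and one honest link.  192.0.2.45 is a documentation-range address.
SAMPLE_EMAIL = """
<p>Dear Valued Customer,</p>
<p>Click <a href="http://192.0.2.45/verify/login.php">https://www.example-bank.com/account</a>
to verify your account within 48 hours or it will be closed.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">our help page</a>.</p>
"""

# Visible anchor text that itself looks like a web address.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


class AnchorCollector(HTMLParser):
    """Gather (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host the browser would actually connect to, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    """True for hosts written as an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_masked_links(html):
    """Return [(href, text, [reasons])] for each anchor that looks deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        reasons = []
        if is_ip_literal(real_host):
            reasons.append("href host is a bare IP address")
        if URL_LIKE.match(text) and host_of(text) != real_host:
            reasons.append(f"visible text names {host_of(text)} but href goes to {real_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in find_masked_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}: {'; '.join(reasons)}")
```

Only anchors whose visible text looks like an address are compared, so an honest "our help page" link is not flagged; the IP-literal check fires regardless of the text, because legitimate companies do not send customers to a bare address.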


    14/17

How To Tell If An E-mail Message is Fraudulent (cont'd)

Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters.

For example, the URL "www.microsoft.com" could appear instead as:
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
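The altered names on this slide and the DNS tricks on the "Current Phishing Techniques" slide (the user@host URL, www.gooogle.com, Unicode look-alikes) can all be caught by one hostname check: extract the host the browser will really use, then compare its registered name against the brands you trust. The Python below is an added example, not code from the slides. The TRUSTED allowlist is an assumed list of domains the reader does business with, the two-label registered_domain is a simplification, and the edit-distance thresholds are a heuristic chosen here, not a standard.

```python
"""Flag hostnames that imitate a trusted domain: the user@host URL trick,
Unicode/IDN look-alikes, a trusted name buried as a subdomain, and names
with added, dropped or transposed letters.  Added example for this page,
not code from the slides."""
from urllib.parse import urlsplit

# Assumption: the domains the reader actually does business with.
TRUSTED = {"microsoft.com", "google.com", "aol.com", "paypal.com", "ebay.com"}


def host_of(url):
    """Host the browser connects to.  Per RFC 3986 anything before '@' in the
    authority is userinfo, so http://www.paypal.com@evil.example goes to evil.example."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels.  Simplification: enough for the .com-style names used
    here, not for two-level suffixes such as .co.uk."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Optimal-string-alignment (Damerau-Levenshtein) distance, so one
    transposition ('mircosoft' vs 'microsoft') counts as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess(url):
    """Return (real host, [reasons]).  An empty reason list means the name
    is either trusted or does not resemble anything trusted."""
    netloc = urlsplit(url if "://" in url else "http://" + url).netloc
    host = host_of(url)
    reasons = []
    if "@" in netloc:
        reasons.append(f"'{netloc.split('@')[0]}' before '@' is userinfo; real host is {host}")
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII characters in hostname (possible Unicode look-alike)")
    elif any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: browser may display a non-ASCII look-alike")
    reg = registered_domain(host)
    if reg in TRUSTED:
        return host, reasons
    name = reg.split(".")[0]
    for trusted in TRUSTED:
        tname = trusted.split(".")[0]
        # Heuristic thresholds (an assumption): short brand names get one
        # edit of slack, longer ones two, to limit false positives.
        max_edits = 1 if len(tname) < 6 else 2
        if f".{trusted}." in f".{host}.":
            reasons.append(f"'{trusted}' appears only as a subdomain of {reg}")
        elif tname in name:
            reasons.append(f"contains brand '{tname}' but is {reg}, not {trusted}")
        elif edit_distance(name, tname) <= max_edits:
            reasons.append(f"'{name}' is within {max_edits} edit(s) of '{tname}' ({trusted})")
    return host, reasons


if __name__ == "__main__":
    for u in ("https://www.microsoft.com/", "http://www.micosoft.com/",
              "http://www.mircosoft.com/", "http://www.verify-microsoft.com/",
              "http://www.gooogle.com/", "http://www.ao1.com/",
              "http://www.paypal.com@evil.example/", "http://www.p\u0430ypal.com/"):
        host, reasons = assess(u)
        print(f"{u} -> {host}: {'; '.join(reasons) or 'ok'}")
```

The subdomain test is label-aligned (".microsoft.com." inside ".www.microsoft.com.evil.example.") so that verify-microsoft.com is reported as a brand-containing name rather than a subdomain; the Cyrillic "а" in the last sample URL is the Unicode attack from the techniques slide and trips both the non-ASCII check and the edit-distance check.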


    15/17

Never respond to an e-mail asking for personal information.

Always check that the site is secure: look for HTTPS and a certificate issued for the domain you expect, not just a lock icon, since phishers can obtain certificates for domains they own. Call the phone number if necessary.

Never click on the link in the e-mail. Retype the address in a new window.

Keep your browser updated.

Keep antivirus definitions updated. Use a firewall.

P.S.: Always shred your home documents before discarding them.


    16/17

Install the Microsoft Phishing Filter Using Internet Explorer 7 or Windows Live Toolbar

Phishing Filter (http://www.microsoft.com/athome/security/online/phishing_filter.mspx) helps protect you from Web fraud and the risks of personal data theft by warning you about, or blocking, reported phishing Web sites.

Install up-to-date antivirus and antispyware software. Some phishing e-mail contains malicious or unwanted software (like keyloggers) that can track your activities or simply slow your computer.

Numerous antivirus programs exist, as well as comprehensive computer maintenance services like Norton Utilities. To help prevent spyware or other unwanted software, download Windows Defender.


    17/17

    Thank You

    For Your