PHISHING AND SPAMMING

Submitted by: Kavis Pandey, Department of Electronics, ETC 2, 1004093, email: [email protected], mob: 8984523393

Phishing & spamming



Page 2: Phishing & spamming


Phishing & Spamming

Phreaking + Fishing = Phishing

- Phreaking = making phone calls for free in the 70's
- Fishing = using bait to lure the target

Defn: the act of obtaining usernames, passwords, credit card and other personal details by masquerading as a trustworthy entity in electronic communication.

Popular on social websites, auction sites, banks, online payment processors and, most commonly, in the inboxes of almost everyone's email.

Page 3: Phishing & spamming


History & current status of phishing

- First mentioned in the context of "AOHELL", a hacking tool for AOL users
- Recently, a popular case involved a Chinese phishing campaign targeting US and South Korean government, military and political activities
- In the past, the most popular phishing attack dates back to 1995: phishers posed as AOL staff and sent instant messages to victims to get them to reveal their passwords
- Post-9/11 ID check scam: thousands of cases were reported to customerfraudreporting.org in that period

Page 4: Phishing & spamming


History & current status (contd.)

Targets of phishing attacks: banks 56%, retailers 14%, government 13%, spear phishing 7%, payment processors 5%, others 5%

- Haiti earthquake scam
- FIFA World Cup 2010 scam
- Tax rebate scams in the UK
- PiP scams

Page 5: Phishing & spamming


Identifying a fraud

- The name of the company is mentioned as a scam on customerfraudreporting.org
- The email format matches one of the several mentioned on the above website
- The org. has no website and can't be located on Google
- The email asks for personal info like account info, driver licence no., passport no. etc.
- The email claims you've won a lottery in which you haven't participated
- The prize promoters ask for a fee in advance
- The email addresses you as "dear customer" rather than using specific names and details
- To get the prize you might need to travel overseas at your own cost

Page 6: Phishing & spamming


Phishing Techniques

- Email / Spam: emails sent to thousands of people asking for their personal info
- Web based delivery: "Man in the middle", the hacker is located between the website and the user
- Instant messaging: the user receives a message with a link directing them to a fake website that looks similar to a legitimate website
- Trojan hosts: invisible hackers trying to hack into the machine to extract personal info
- Link manipulation: phishers send a false link to a website
- Key loggers: software used to capture inputs from the keyboard
- Session hacking (hijacking): "Session sniffing", phishers exploit the web session control mechanism to steal info

Page 7: Phishing & spamming


Phishing Techniques (contd.)

- System reconfiguration: for e.g. "Turn off your firewall to run this software" etc.
- Content injection: phishers change part of the content on a webpage, luring the user to go to a page outside the legitimate website
- Phishing through search engines: users may be redirected to fake websites offering cheap products
- Phone phishing: phishers call the user about exciting offers and products so as to make them reveal their details for buying the products
- Malware phishing: malware attached to spam emails; upon clicking, this malware may harm the system

Page 8: Phishing & spamming


Why does phishing work?

1. Lack of knowledge
   a) Lack of computer system knowledge
   b) Lack of knowledge of security indicators

2. Visual deception
   a) Visually deceptive text: "paypai" instead of "paypal", using "1" instead of "l", "o" instead of "0" etc.; this is called typejacking.
   b) Images masking underlying text
   c) Images mimicking windows
   d) Windows masking underlying windows
   e) Deceptive look and feel

3. Bounded attention
   a) Lack of attention to security indicators
   b) Lack of attention to the absence of security indicators

Page 9: Phishing & spamming


Anti-Phishing

- Social responses: train people to recognize phishing attacks. People need to slightly modify their browsing habits in order to avoid being scammed.
- Technical responses: use of anti-phishing measures such as extensions or toolbars for browsers, and anti-phishing software
- Helping to identify legitimate websites: complain about the fake websites. SFIO deals with internet frauds in India. There are also cyber cells where we can make complaints.

Page 10: Phishing & spamming


Anti-Phishing (contd.)

- Secure connection: from the 1990s to the late 2000s Mozilla used padlocks as the symbol for a secure connection; now certificates and "https" are also included.
- Which site: check that the URL of the website matches the site that you are looking for
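The "Which site" check above and the typejacking cases from slide 8 ("paypai" for "paypal", "1" for "l", "0" for "o") can be automated in a few lines. The checker below is an added example, not part of the presentation: it collapses look-alike characters into a skeleton and compares the host of a URL against the sites the user expects to reach. It goes a little beyond the slide by also decoding punycode (xn--) hosts and catching a brand name buried inside another domain. The expected-site list, the confusable table and the sample URLs are all constructed for this example.

```python
import difflib
import unicodedata
from urllib.parse import urlsplit

# Sites the user expects to reach (constructed list for this example).
EXPECTED_HOSTS = ["paypal.com", "bigbank.example"]

# Look-alike substitutions: the "1" for "l" and "0" for "o" cases from slide 8,
# plus a few other common ones. Multi-character pairs must come first.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("1", "l"), ("0", "o"), ("i", "l"), ("5", "s"), ("3", "e"), ("|", "l"),
    # Cyrillic letters that render like Latin ones
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0443", "y"), ("\u0445", "x"),
]


def decode_idna(host):
    """Turn a punycode host (xn--...) back into the Unicode form the user sees."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host):
    """Collapse look-alike characters so that 'paypai.com', 'paypa1.com' and a
    Cyrillic-'a' 'paypal.com' all reduce to the same string as the real site."""
    s = unicodedata.normalize("NFKC", host.lower())
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def check_url(url, expected_hosts=EXPECTED_HOSTS):
    """Return (verdict, host, matched_site) for the URL the user is about to visit."""
    host = decode_idna((urlsplit(url).hostname or "").lower())
    # Exact host or a real subdomain of an expected site: fine.
    for legit in expected_hosts:
        if host == legit or host.endswith("." + legit):
            return "match", host, legit
    sk = skeleton(host)
    for legit in expected_hosts:
        legit_sk = skeleton(legit)
        # Same letters once look-alikes are collapsed: typejacking.
        if sk == legit_sk or sk.endswith("." + legit_sk):
            return "lookalike", host, legit
        # Brand name used as a label inside someone else's domain.
        if legit_sk.split(".")[0] in sk.split("."):
            return "brand-in-other-domain", host, legit
        # Close spelling (paypall, payapl): flag as a near miss.
        if difflib.SequenceMatcher(None, sk, legit_sk).ratio() >= 0.85:
            return "near-miss", host, legit
    return "unknown", host, None


if __name__ == "__main__":
    # Constructed sample URLs; the fourth uses Cyrillic U+0430 in place of Latin 'a'.
    for u in ["https://www.paypal.com/signin", "http://www.paypai.com/login",
              "http://paypa1.com", "http://p\u0430ypal.com/",
              "http://paypal.com.evil.example/", "https://paypall.com",
              "https://example.org"]:
        print(u, "->", check_url(u))
```

The "match" test runs on the raw host so that a genuine subdomain of an expected site is never flagged; only hosts that fail it are skeletonised and compared. The 0.85 similarity cut-off for near misses is a tuning choice, not a standard value.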

Page 11: Phishing & spamming


Anti-Phishing (contd.)

- Who is the authority: the browser needs to state who the real authority is that issued the EV (Extended Validation) certificate for a website. The browser needs to have a root list of trusted CAs (Certification Authorities).
- Fundamental flaws in the security model of secure browsing: (a) users tend to overlook the security indicators; (b) users have learned to bypass most of the warnings and treat all warnings with the same disdain, resulting in "click through disdain"; (c) gaining security authentication is very costly for websites, resulting in negligence; (d) threat models tend to reinvent themselves at a much faster pace
- Browsers alerting users of fraudulent websites: IE7 and Mozilla Firefox 2.0 onwards use Google's anti-phishing software; Chrome, Safari 3.2 and Opera 9.1 use a live blacklist from PhishTank and GeoTrust as well as a live whitelist from GeoTrust
- Augmenting password log-ins: avoid staying logged in for continuous periods even when not using the services; using virtual keyboards is safer when entering passwords

Page 12: Phishing & spamming


Anti-Phishing (contd.)

- Eliminating phishing emails: use specialized filters to eliminate phishing emails and keep your inbox free from spam
- Monitoring and takedown: contribute by reporting to both volunteer and industry groups such as PhishTank, report to cyber cells and help them take down the guilty
- Transaction verification and signing: steps are implemented to connect mobile phones with internet accounts. It informs the users when transactions are being made or of any other security issues.
- Legal responses: there is pride in giving evidence against a crime; support legal cases against cyber crimes and help punish the guilty
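The "specialized filters" bullet above, the "Identifying a fraud" checklist on slide 5 and the link-manipulation technique on slide 6 all come down to the same mechanism: scoring a message on how many warning signs it shows at once. The filter below is an added example, not part of the presentation. It gives one point per checklist item that fires (generic greeting, request for personal info, unexpected prize, advance fee, travel at own cost, a name on a scam list) plus one for a link whose visible text names a different domain than its href, and rejects the message once the score reaches a threshold. The keyword lists, the scam-name list (a constructed stand-in for the names on customerfraudreporting.org), the threshold and the two sample messages are all assumptions.

```python
import re

# Indicator phrases, one list per item of the "Identifying a fraud" checklist.
# Every list here is this example's own choice, not the presentation's.
GENERIC_GREETINGS = ["dear customer", "dear user", "dear account holder", "dear member"]
PERSONAL_INFO = ["password", "account number", "driver licence", "driver's license",
                 "passport", "pin code", "credit card", "cvv"]
LOTTERY_WORDS = ["you have won", "you've won", "lottery", "prize", "winner"]
ADVANCE_FEE = ["processing fee", "transfer fee", "fee in advance", "pay a fee",
               "handling charge"]
TRAVEL_WORDS = ["travel to", "fly to", "in person", "at your own cost"]
# Constructed stand-in for the company names listed on customerfraudreporting.org.
KNOWN_SCAM_NAMES = ["global lottery commission", "euro millions promo"]

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'https?://([^/\s"\'<>]+)', re.I)


def has_any(text, phrases):
    """True if any phrase occurs as whole words in the text, case-insensitively."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text, re.I) for p in phrases)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels, or the literal address for an IP host."""
    host = host.lower().split(":")[0]
    if re.fullmatch(r"[\d.]+", host):
        return host
    return ".".join(host.split(".")[-2:])


def link_mismatches(html):
    """Link manipulation check: the visible link text names one domain but the
    href sends the click somewhere else. Returns (shown_host, actual_host) pairs."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        shown, actual = HOST_RE.search(text), HOST_RE.search(href)
        if shown and actual and registrable_domain(shown.group(1)) != registrable_domain(actual.group(1)):
            found.append((shown.group(1), actual.group(1)))
    return found


def score_email(sender, subject, body):
    """One point per checklist item that fires; returns (score, reasons)."""
    text = "\n".join([sender, subject, body])
    checks = [
        ("generic greeting instead of your name", has_any(text, GENERIC_GREETINGS)),
        ("asks for personal info", has_any(text, PERSONAL_INFO)),
        ("lottery or prize you never entered", has_any(text, LOTTERY_WORDS)),
        ("fee requested in advance", has_any(text, ADVANCE_FEE)),
        ("travel at your own cost", has_any(text, TRAVEL_WORDS)),
        ("name appears on the scam list", has_any(text, KNOWN_SCAM_NAMES)),
        ("link text and href point to different domains", bool(link_mismatches(body))),
    ]
    reasons = [name for name, hit in checks if hit]
    return len(reasons), reasons


def classify(sender, subject, body, threshold=3):
    """Filter decision: 'phishing' once enough indicators coincide, else 'ok'."""
    score, reasons = score_email(sender, subject, body)
    return ("phishing" if score >= threshold else "ok"), score, reasons


# Two constructed messages (not real mail), as (sender, subject, body).
SCAM = (
    "claims@lotto-promo.example",
    "Congratulations! You have won",
    'Dear Customer,\nYou have won the Global Lottery Commission prize of $500,000.\n'
    'To release the funds, pay a processing fee of $200 and reply with your passport\n'
    'number and account number. Claim here:\n'
    '<a href="http://198.51.100.7/claim">http://www.bigbank.example/claim</a>',
)
LEGIT = (
    "statements@bigbank.example",
    "Your March statement is ready",
    'Hello Priya Sharma,\nYour statement for the account ending 4321 is ready in online banking.\n'
    'Log in at <a href="https://www.bigbank.example/login">https://www.bigbank.example/login</a>.\n'
    'We will never ask for your password by email.',
)

if __name__ == "__main__":
    for msg in (SCAM, LEGIT):
        print(msg[1], "->", classify(*msg))
```

A single indicator is not enough on its own: the genuine statement mail scores one point because it mentions the word "password", which is why the decision is made on the count of coinciding indicators rather than on any one keyword. The word-boundary matching keeps short phrases such as "prize" from firing inside unrelated words.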

Page 13: Phishing & spamming


Conclusion

- Con artists have been in society for centuries, but with the web & internet they get access to a larger group of people
- They live on our mistakes
- The final technical solution to phishing involves major changes in internet infrastructure. These changes are beyond any one institution.
- However, there are steps that can be deployed
- It is all up to US
- Be cautious, be careful
- Stop Phishing

Page 14: Phishing & spamming


Thank you for your patience and attention.

Comments and Questions.