270 likes | 545 Vues
PHISHING. VENKAT DEEP RAJAN SUMALATHA REDDY KARTHIK INJARAPU CPSC 620 CLEMSON UNIVERSITY. INTRODUCTION. Identity Theft Number of phishing cases escalating in number Customers tricked into submitting their personal data. Phishing .. ?.
E N D
PHISHING VENKAT DEEP RAJAN SUMALATHA REDDY KARTHIK INJARAPU CPSC 620 CLEMSON UNIVERSITY
INTRODUCTION • Identity Theft • Number of phishing cases escalating in number • Customers tricked into submitting their personal data
Phishing .. ? • Defined as the task of sending an email, falsely claiming to be an established enterprise in an attempt to scam a user into surrendering private information • Redirects user to a scam website, where the user is asked to submit his private data. • Derivation of the word “phishing”
Social Engineering Factors • Phishing attacks rely on a combination of technical deceit and social engineering practices • Phisher persuades the victim to perform some series of actions • Phisher impersonates a trusted source for the victim to believe
How does it look .. ? • Sophisticated e-mail messages and pop-up windows. • Official-looking logos from real organizations
Delivery Techniques • Mails or spam’s: • Most common way and done by utilizing spam tools. • Web-sites: • Embedding malicious content into the website.
Delivery Techniques • Redirecting: • Cheat the customer to enter illicit website. • Trojan horse: • Capturing home PC’s and utilizing them to propagate the attacks.
Attack Techniques Man-in-the-middle Attacks URL Obfuscation Attacks Cross-site Scripting Attacks Preset Session Attack Hidden Attacks
Defensive mechanisms Client-Side Server-Side Enterprise Level
Client-Side • Desktop Protection Technologies • Browser Capabilities • Digitally signed Emails • User-application level monitoring solutions
Desktop Protection Technologies • Local Anti-Virus protection • Personal Firewall • Personal IDS • Personal Anti-Spam • Spy ware Detection
Browser Capabilities Disable all window pop-up functionality Disable Java runtime support Disable ActiveX support Disable all multimedia and auto-play/auto-execute extensions Prevent the storage of non-secure cookies
Server-side • Validating Official Communications • Strong token based authentication
Validating Official Communications Digital Signatures Visual or Audio personalization of email
Enterprise Level Mail Server Authentication Digitally Signed Email Domain Monitoring
Domain Monitoring • Monitor the registration of Internet domains relating to their organization • The expiry and renewal of existing corporate domains • The registration of similarly named domains
Conclusion Understanding the tools and technologies User awareness Implementing Multi-tier defense mechanisms
References Cyveillance the brand monitoring network www.cyveillance.com http://www.technicalinfo.net/index.html The phishing Guide www.ngssoftware.com http://www.webopedia.com/TERM/P/phishing.html http://www.wordspy.com/words/phishing.asp Stutz, Michael (January 29, 1998). "AOL: A Cracker's Paradise” http://www.technicalinfo.net/papers/Phishing.html