
PHISHING



Presentation Transcript


  1. PHISHING By, Himanshu Mishra, Parrag Mehta

  2. OUTLINE • What is Phishing ? • Phishing Techniques • Message Delivery • Effects of Phishing • Anti-Phishing Techniques • Conclusion

  3. WHAT IS PHISHING ? • It is a form of identity theft that uses both social engineering and technical subterfuge to steal consumers’ personal identity data as well as financial account credentials • Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.

  4. PHISHING • History • Social Engineering Factors • Psychological Factors

  5. HISTORY • First mentioned in AOL Usenet newsgroup on January 2, 1996. • Variant of the word “fish”. • AOHell – custom written program • Line added on all instant messages.

  6. SOCIAL ENGINEERING FACTORS • Methods include mix of technical deceit and social engineering practices. • Phishers persuade victims to perform series of actions. • Popular communication channels: email, web pages, instant messaging services. • Impersonate as a trusted source.

  7. PSYCHOLOGICAL FACTORS • Trust Of Authority e.g. BOA questions the validity of account • Email and web pages can look real http://bankofamerica.com/login may really be http://bankofcrime.com/got_your_login

  8. PHISHING TECHNIQUES • Link Manipulation • Filter Evasion • Website forgery • Phone Phishing

  9. LINK MANIPULATION • Bad domain names • Actual domain host: http://privatebanking.mybank.com • Phisher-manipulated host: http://privatebanking.mybank.com.ch • Friendly login URLs • http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm • Third-party shortened URLs • http://tinyurl.com changed to http://tinyurl.com/4outd • Host name obfuscation • http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm • http://mybank.com:ebanking@210.134.161.35/login.htm

  10. FILTER EVASION • Flash-based websites • Images instead of text

  11. WEBSITE FORGERY • JavaScript commands. • Cross-site scripting (CSS or XSS). Full HTML substitution such as: http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm • Universal Man-in-the-middle Phishing Kit.
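The link-manipulation tricks on slide 9 and the URL-parameter substitution on slide 11 can all be recognised by parsing the URL the way a browser does. The checker below is an added example, not part of the presentation; it assumes a hypothetical protected domain `mybank.com`, treats the last two labels of a host as its registered domain (a simplification of the Public Suffix List), and uses the slides' own sample URLs as test input.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed for this example: the legitimate domain a defender is protecting.
TRUSTED_DOMAIN = "mybank.com"
# Shorteners that hide the final destination (slide 9 names tinyurl.com).
SHORTENERS = {"tinyurl.com"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registered_domain(host: str) -> str:
    """Last two labels of a host, so 'privatebanking.mybank.com.ch' -> 'com.ch'.
    Simplified: production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_warnings(url: str) -> list[str]:
    """Return the link-manipulation tricks detected in one URL (empty = none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    found = []
    # 'http://mybank.com:ebanking@evilsite.com/...': everything before '@' is
    # user:password, not the host; the browser actually connects to evilsite.com.
    if parts.username is not None:
        found.append("userinfo-hides-host")
    # 'http://...@210.134.161.35/login.htm': a raw IP instead of the bank's name.
    if IPV4.match(host):
        found.append("ip-address-host")
    # 'mybank.com.ch': the trusted name appears, but the registered domain differs.
    if TRUSTED_DOMAIN in parts.netloc and registered_domain(host) != TRUSTED_DOMAIN:
        found.append("lookalike-domain")
    if host in SHORTENERS:
        found.append("shortened-url")
    # Website forgery via '?URL=http://evilsite.com/...' (slide 11): a query
    # value that is itself an absolute URL pointing at another domain.
    for values in parse_qs(parts.query).values():
        for value in values:
            target = urlsplit(value)
            if (target.scheme in ("http", "https")
                    and registered_domain(target.hostname or "") != TRUSTED_DOMAIN):
                found.append("redirect-parameter")
    return found


if __name__ == "__main__":
    for sample in ("http://privatebanking.mybank.com/",
                   "http://privatebanking.mybank.com.ch",
                   "http://mybank.com:ebanking@210.134.161.35/login.htm",
                   "http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm"):
        print(sample, "->", url_warnings(sample) or ["ok"])
```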

  12. PHONE PHISHING • Phone number owned by the phisher and provided by VOIP. • Fake Caller ID • Prompts user to enter account numbers and PIN • Vishing (voice Phishing)

  13. MESSAGE DELIVERY • Web-based • Email and Spam • Instant Messaging • Trojan Hosts

  14. WEB BASED • Banner advertising graphics. • Use of web-bugs • Pop-up or frameless window. • Embed malicious content and install software.

  15. EMAIL & SPAM

  16. EMAIL & SPAM • Official looking and sounding emails • Copies of legitimate corporate emails with minor URL changes • HTML based email used to obfuscate target URL information • Standard virus/worm attachments to emails • A plethora of anti spam-detection inclusions

  17. Contd. • Crafting of “personalised” or unique email messages • Fake postings to popular message boards and mailing lists • Use of fake “Mail From:” addresses and open mail relays for disguising the source of the email

  18. INSTANT MESSAGING • More popular with home users, with more functionality included within the software • Bots (automated programs that listen and participate in group discussions)

  19. TROJANED HOSTS • Trick home users to install software. • Selective Information recorded. • Java applet – “javautil.zip” • Key Logger

  20. EFFECTS • Financial Loss • Losses ranging from hundreds to tens of thousands of dollars • Loss of Trust • Users Refrain from using Internet for business • Law Enforcement Difficulties • Cross border attacks

  21. ANTI-PHISHING • Social Response • Technical Response • Browser Alerts • Digitally Signed Emails • Augmenting Password Logins • Filters • Anti-virus • Legal Response

  22. SOCIAL RESPONSE • Generic addressing • Fraud link • Do not accept friend requests from people you don’t know on Facebook, even though you may have many mutual friends with them

  23. TECHNICAL RESPONSE Browser Alerts

  24. TECHNICAL RESPONSE Digitally Signed Email (diagram: Sender, Email Server, CA Server, Receiver)

  25. TECHNICAL RESPONSE Augmented Password Login

  26. TECHNICAL RESPONSE Spam Filter

  27. CONCLUSION • Phishing affects both consumers and organizations • User education can help prevent / fight Phishing • Co-operation between governments can help nab Phishers
