BATTLE AGAINST PHISHING2

Transcript of BATTLE AGAINST PHISHING2

  • 8/14/2019 BATTLE AGAINST PHISHING2

    Slide 1/22: BATTLE AGAINST PHISHING: New Identity Theft Threats

  • Slide 2/22: BATTLE AGAINST PHISHING: New Identity Theft Threats

    Presentation by: ANUJ ARORA, HIMANSHU BHEDA

  • Slide 3/22: OUTLINE

    Phishing Defined
    How Phishing Works
    Studying Browser Security and Phishing
    Analysing Phishing Database
    Study: Distinguishing Legitimate Websites
    Results
    Conclusion

  • Slide 4/22: Phishing Defined

    Phishing is a form of criminal activity using social engineering techniques, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message.

    - Wikipedia

  • Slide 5/22: Phishing vs Hacking

    Phishing is when you are led to a fake website, such as a fake bank website, where someone can get your details when you log on.

    Hacking is when someone uses software or some other special device that allows them to enter a user's computer without them knowing (or knowing) to get information.

  • Slide 6/22: Phishing Origination

    Legitimate emails
    Social engineering tactics
    Links and email that look very real

    Example link: "Account Update" - http://www.ebay.com/myaccount/update.asp

  • Slide 7/22: Password Phishing Problem

    [Diagram: the user sends pwdA to a Fake Site instead of Bank A]

    User cannot reliably identify fake sites.
    Captured password can be used at target site.

  • Slide 8/22: Phishing Damage

    [Chart courtesy of the Anti-Phishing Working Group]

  • Slide 9/22: Phishing Damage

    Monetary: between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million. U.S. companies lose more than $2 billion annually as their clients fall victim.

    Identity: new credit cards, loans, apartments, bank accounts, etc.

  • Slide 10/22: Phishing Techniques

    Link manipulation / misspelled URLs (http://www.welllsfargo.com/account)
    Spoofing URLs (http://[email protected])
    Filter evasion
    Website forgery using JavaScript
    Phone phishing
  • Slide 11/22: How to Spot a Phishing Scam

    1. "From" field
    2. Logos or images taken from the website of the company
    3. Redirecting link

  • Slide 12/22: What Phishing Looks Like

    #1: The link that appears legitimate
    #2: The actual destination when you click on the link

  • Slide 13/22: Studies of Browser Security and Phishing

    About 28% of the time, subjects incorrectly identified the phishing emails as legitimate.

    Subjects often looked at the lock icon in the status bar, but rarely clicked on the lock and thus didn't learn anything about the site's certificate.

    Interviewed 72 individuals about web security and found that participants could not reliably determine whether a connection is secure.

  • Slide 14/22: Studies of Browser Security and Phishing

    Even when toolbars were used to notify users of security concerns, users were tricked into providing information 34% of the time.

    Social context makes phishing attacks far more effective.

  • Slide 15/22: Analysis of a Phishing Database: Lack of Knowledge

    Lack of knowledge of security and security indicators.

    Visual deception:
    Visually deceptive text
    Images masking underlying text
    Images mimicking windows
    Windows masking underlying windows
    Deceptive look and feel

  • Slide 16/22: Analysis of a Phishing Database: Lack of Attention

    Lack of attention to security indicators.
    Lack of attention to the absence of security indicators.

  • Slide 17/22: Study: Distinguishing Legitimate Websites

    Factors that are important for evaluating website security and authenticity.

    Phishing Websites Used
    Study Design
    Scenario and Procedure
    Participant Recruitment and Demographics

  • Slide 18/22: Phishing Websites Used

    According to Ciphertrust, the top 5 targets and the percentage of phishing attacks they represent are:
    1. CitiBank 54.16%
    2. Smith Barney 13.48%
    3. SunTrust 10.02%
    4. Paypal 7.57%
    5. Wells Fargo 5.42%

  • Slide 19/22: Study Design

    Participants were presented with 20 websites:
    7 legitimate websites
    9 representative phishing websites
    3 phishing websites constructed by us using additional phishing techniques
    1 website requiring users to accept a self-signed SSL certificate

  • Slide 20/22: Scenario and Procedure

    Participants were provided with an email message that asks them to click on one of the links.

    They click on the link to see if it is a legitimate website or a "spoof" (a fraudulent copy of that website).

  • Slide 21/22: Participant Recruitment and Demographics

    Participants: 22 (Male: 10, Female: 12)
    Technical: 3, Non-technical: 19
    Staff: 11 (Bachelors: 8, Masters: 2, Ph.D: 1)
    Students: 11 (Bachelors: 7, Masters: 2, Ph.D: 2)
    Primary browser: Mozilla: 10, Internet Explorer: 11, Apple Safari: 1
    Operating system used: Windows XP: 13, Mac OS X: 6, Windows 2000: 2, Unknown: 1
    Weekly hours of usage: 10-135
    Age: 18-56 yrs

  • Slide 22/22: Conclusion

    Educate yourself! Look out for:
    Misspelled words
    "Dear Valued Customer"
    Beware of the @ sign
    Unusual company behavior

    Go to websites directly from the browser.
    Keep web applications up to date (Check for Updates button).
    Be cautious: if it seems suspicious, don't take a chance.
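As an added example, not part of the original deck, here is a small Python checker that applies the link indicators the slides name: the @ sign in a URL (slides 10 and 22), a misspelled lookalike domain such as welllsfargo (slide 10), and link text that names a different host than the real destination (slide 12). The brand list, the sample URLs and the account-update.example host are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed brand list for the lookalike check (not from the deck).
KNOWN_BRANDS = ("wellsfargo.com", "ebay.com", "paypal.com", "citibank.com")
HOST_IN_TEXT = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")

def registrable_domain(host):
    """Naive two-label approximation: 'www.wellsfargo.com' -> 'wellsfargo.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch 'welllsfargo' vs 'wellsfargo'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_link(href, display_text=None):
    """Return the phishing indicators found in a link (empty list = none found)."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    # Slides 10 and 22: everything before '@' is userinfo, not the host, so
    # 'http://www.ebay.com@account-update.example/' goes to account-update.example.
    if parts.username is not None:
        findings.append("userinfo (@) in URL authority")
    # Slide 10: misspelled lookalike of a known brand (one or two edits away).
    if domain not in KNOWN_BRANDS:
        for brand in KNOWN_BRANDS:
            if 0 < edit_distance(domain.split(".")[0], brand.split(".")[0]) <= 2:
                findings.append(f"lookalike of {brand}")
                break
    # Slide 12: the visible link text names one host but the href goes to another.
    if display_text:
        shown = HOST_IN_TEXT.search(display_text.lower())
        if shown and registrable_domain(shown.group()) != domain:
            findings.append("display text host differs from destination")
    return findings
```

The registrable-domain helper is deliberately naive (two labels); a real checker would use the public suffix list so that hosts under co.uk-style suffixes are compared correctly.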