Examples of a “call to action” include:
- A statement that there is a problem with the recipient’s account at a financial institution or other business. The email asks the recipient to visit a web site to correct the problem, using a deceptive link in the email.
- A statement that the recipient’s account is at risk, and an offer to enroll the recipient in an anti-fraud program.
- A fictitious invoice for merchandise, often offensive merchandise, that the recipient did not order, with a link to “cancel” the fake order.
- A fraudulent notice of an undesirable change made to the user’s account, with a link to “dispute” the unauthorized change.
- A claim that a new service is being rolled out at a financial institution, offering the recipient, as a current member, a limited-time opportunity to get the service for free.
- Key loggers and screen loggers - monitor the data being input and send the relevant data to a phishing server.
- Session hijackers - malicious software that “hijacks” the session once the user has legitimately established his or her credentials.
- Web Trojans - malicious programs that pop up to collect credentials.
- Hosts file poisoning - modification of the hosts file so that a legitimate name resolves to a malicious address.
- Data theft - stealing confidential information stored on the computer.
- Internet fraud - phishers can run up charges on your account.
- Identity theft - phishers can open new accounts, sign utility or loan contracts in your name, or use a false ID and commit crimes using your personal information.
- Loss to the original institutions - approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD.
- Difficulties in law enforcement investigations - unlike certain other types of identity theft that law enforcement agencies can successfully investigate in a single geographic area (e.g., theft of wallets, purses, or mail), phishing, like other types of crime that exploit the Internet, can be conducted from any location where phishers can obtain Internet access. This can include situations in which a phisher in one country takes control of a computer in another country, then uses that computer to host his phishing website or send his phishing e-mails to residents of still other countries. Moreover, online criminal activity in recent years has often reflected clear-cut divisions of labor.
ISPs - Internet service providers
- Think twice before you open an email, and never get carried away by the social engineering statements in the mail.
- Never click on links provided in an email, on message boards or in mailing lists.
- Never submit sensitive information on forms embedded in emails.
- Inspect the address bar and the SSL certificate to see whether they match the exact name of the site.
- Pay attention to SSL certificate warning prompts, which appear when contacting a spoofed site.
- Make sure that you have the latest patched version of the web browser.
- Install the latest anti-virus packages, a personal firewall, and spyware / spam blockers.
- Never open any suspicious email attachments.
- Destroy all PIN / password letters and never write them down anywhere.
- Never disclose personal / sensitive information to anyone at any time.
- Regularly log in to your accounts and check the activity.
In the event of a phishing attack:
- Provide a means for the user to report the scam via phone or email.
- Clearly instruct them about the procedure to follow to report the scam.
- Instruct the user to reset his password / PIN immediately.
Web page personalization can be done in two ways. Web sites can use two pages to authenticate the users. The first page asks the user to provide only the user name. Upon receiving a valid user name, the user is given a personalized page for entering his authentication token. The second page is personalized with last-login details, or with a phrase the user provided or an image the user chose. This makes it difficult for a fake site to provide the second page. (For static authentication tokens like passwords) client-side persistent cookies can be used. On first login, a cookie is generated with a simple personal string such as the first name. Next time, the application greets the user with this string before he logs in. But the success of this option depends a lot on the alertness of the end user.
Never inherently trust the submitted data. Always sanitize data before processing or storing it. Check the HTTP referrer (Referer) header: when tricked customers are directed from the phishing site to the targeted website, there is the option to check the Referer header in the requests to the targeted website and act on it, for example by redirecting the tricked customer to a warning page.
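The Referer check and the sanitize-before-echo rule from the note above, as an added example (not code from the original presentation); the trusted host names are constructed for the example:

```python
from html import escape
from urllib.parse import urlparse

# Hosts that may legitimately send a browser to the login or transaction pages.
# Constructed names for this example; a real deployment lists its own origins.
TRUSTED_HOSTS = {"www.example-bank.test", "secure.example-bank.test"}

def classify_request(headers):
    """Decide how to treat a request for a sensitive page from its Referer header.

    Returns (action, detail). action is "allow" or "warn"; "warn" means the
    application should redirect the customer to its warning page and keep the
    Referer in its logs, since it points at the site that sent the customer.
    """
    referer = headers.get("Referer", "")
    if not referer:
        # Browsers, proxies and privacy settings often strip Referer, so a
        # missing header is not evidence of phishing on its own.
        return "allow", "no referer"
    host = (urlparse(referer).hostname or "").lower()
    if host in TRUSTED_HOSTS:   # exact match: look-alike subdomains do not pass
        return "allow", host
    return "warn", host or "unparseable referer"

def reflect_safely(value):
    """Sanitize submitted data before echoing it back into an HTML page."""
    return escape(value, quote=True)
```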
Design a strong token-based authentication using hardware tokens and smart cards. Things to keep in mind: the randomness of the one-time password, the expiry time of the one-time password, its length, and the quality of the challenge in challenge-response based authentication.
Transaction non-repudiation can be implemented through electronic signatures, either digital signatures or MACs, to ensure the authenticity and integrity of the transaction, i.e. to establish the origin of the transaction and to detect whether the message content has been altered in transit. A transaction signature is a one-way value computed from the customer’s key, the transaction content, and the date and time. This signature is then validated using the appropriate scheme. MACs are supported by the challenge-response functionality of the hardware tokens.
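The two previous notes (token-based one-time passwords with randomness, length and expiry, and MAC-based transaction signatures over content plus date/time) as one added example; this is not the presentation's own code, the shared key is constructed, and the exact truncation and window scheme is an assumption, not a specific token vendor's algorithm:

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 8        # length of the one-time password
OTP_VALIDITY = 60     # seconds a challenge (and its response) stays acceptable
TX_MAX_AGE = 300      # seconds a transaction signature stays acceptable

# Constructed demo secret shared between the server and one customer's token.
# In practice it is provisioned into the hardware token or smart card.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def new_challenge():
    """Server-generated, unpredictable challenge shown to the user."""
    return secrets.token_hex(8)

def token_response(key, challenge, now):
    """Token side: OTP = HMAC(key, challenge || time window) truncated to digits."""
    window = int(now // OTP_VALIDITY)
    digest = hmac.new(key, f"{challenge}|{window}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**OTP_DIGITS).zfill(OTP_DIGITS)

def verify_response(key, challenge, response, issued_at, now):
    """Server side: enforce the expiry time, then compare in constant time."""
    if now - issued_at > OTP_VALIDITY:
        return False
    # Accept the window the challenge was issued in and the current one, so a
    # response computed just before a window boundary is not rejected.
    expected = {token_response(key, challenge, t) for t in (issued_at, now)}
    return any(hmac.compare_digest(e, response) for e in expected)

def sign_transaction(key, tx, timestamp):
    """Transaction signature: MAC over the canonical content plus date/time."""
    canon = "|".join(f"{k}={tx[k]}" for k in sorted(tx)) + f"|ts={timestamp}"
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()

def verify_transaction(key, tx, timestamp, signature, now):
    """Rejects altered content (MAC mismatch) and stale signatures (replay)."""
    if now - timestamp > TX_MAX_AGE:
        return False
    return hmac.compare_digest(sign_transaction(key, tx, timestamp), signature)
```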
Depending on whether a phisher has mirrored the entire website or is just hosting a modified HTML page, it may be possible to identify the source of the attack. Image cycling: each legitimate application page references its constituent graphical images by a unique name. Periodically the names of the images are changed and the requesting page must reference the new image names, so any out-of-date static copy of the page becomes dated quickly. If an out-of-date image is requested, a different image is supplied, perhaps one recommending that the customer log in again at the real site (e.g. “Warning: Image Expired”). Session-bound images: it is possible to reference all images with a name that includes the user’s current session ID. Therefore, once a fake website has been discovered, the logs can be reviewed and analyzed in order to discover the originating source of the copied website.
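Image cycling and session-bound image names combined in one handler, as an added example that is not part of the original presentation; the key, the rotation period and the name format are constructed assumptions:

```python
import hashlib
import hmac

# Constructed server-side key; rotate it like any other application secret.
IMAGE_KEY = b"constructed-demo-key-for-image-names"
ROTATION = 3600   # seconds between image-name changes (image cycling)

def image_name(logical, session_id, now):
    """Name the legitimate page must use for an image right now.

    The name is bound to the session ID and to the current rotation period,
    so a static copy of the page keeps referencing a name that soon expires.
    """
    period = int(now // ROTATION)
    tag = hmac.new(IMAGE_KEY, f"{logical}|{session_id}|{period}".encode(),
                   hashlib.sha256).hexdigest()[:16]
    return f"{logical}_{session_id}_{tag}.png"

def serve_image(requested, session_id, referer, now, log):
    """Image handler. Returns the logical image to send.

    A name valid for this session in the current or previous period gets the
    real image; anything else gets the "expired" warning image, and the request
    is logged with its Referer, which points at the page that embedded it.
    """
    logical = requested.split("_", 1)[0]
    valid = [image_name(logical, session_id, t) for t in (now, now - ROTATION)]
    if any(hmac.compare_digest(v, requested) for v in valid):
        return logical
    log.append({"when": now, "image": requested, "session": session_id,
                "referer": referer})
    return "warning-image-expired"
```

Reviewing the log entries for foreign Referer values is what the note means by discovering the originating source of the copied website.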
Phishing
Submitted to: Er. Ajit Saxena, Lecturer (Department of Computer Science)
Presented by: Hitesh Khemnani, 1047110008 (B.Tech-CS)
- Definition
- Examples
- Types of Phishing
- Causes of Phishing
- Effects of Phishing
- Industries affected
- Phishing Trends
- How to combat phishing
  - Educate application users
  - Formulate and enforce best practices
  - Reinforce application development / maintenance processes: Web page personalization, Content Validation, Session Handling, Authentication process, Transaction non-repudiation, Image Regulation
- Bibliography
It is the act of tricking someone into giving confidential information (like passwords and credit card information) on a fake web page or email form pretending to come from a legitimate company (like their bank). For example: sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
Content-Injection - inserting malicious content into a legitimate site. Three primary types of content-injection phishing:
- Hackers can compromise a server through a security vulnerability and replace or augment the legitimate content with malicious content.
- Malicious content can be inserted into a site through a cross-site scripting vulnerability.
- Malicious actions can be performed on a site through a SQL injection vulnerability.
Man-in-the-Middle Phishing - the phisher positions himself between the user and the legitimate site.
Search Engine Phishing - create web pages for fake products, get the pages indexed by search engines, and wait for users to enter their confidential information as part of an order, sign-up, or balance transfer.
- Misleading e-mails
- No check of source address
- Vulnerabilities in browsers
- No strong authentication at websites of banks and financial institutions
- Limited use of digital signatures
- Non-availability of secure desktop tools
- Lack of user awareness
- Vulnerabilities in applications
- Internet fraud
- Identity theft
- Financial loss to the original institutions
- Difficulties in law enforcement investigations
- Erosion of public trust in the Internet
Major industries affected are:
- Financial services
- ISPs
- Online retailers
Educate application users
- Think before you open
- Never click on the links in an email, on message boards or in mailing lists
- Never submit credentials on forms embedded in emails
- Inspect the address bar and SSL certificate
- Never open suspicious emails
- Ensure that the web browser has the latest security patch applied
- Install the latest anti-virus packages
- Destroy any hard copy of sensitive information
- Verify the accounts and transactions regularly
- Report the scam via phone or email
Formulate and enforce best practices
- Authorization controls and access privileges for systems, databases and applications
- Access to any information should be based on the need-to-know principle
- Segregation of duties
- Media should be disposed of only after erasing sensitive information
Reinforce application development / maintenance processes:
1. Web page personalization
- Using two pages to authenticate the users
- Using client-side persistent cookies
2. Content Validation
- Never inherently trust the submitted data
- Never present the submitted data back to an application user without sanitizing it
- Always sanitize data before processing or storing
- Check the HTTP referrer header
3. Session Handling
- Make session identifiers long, complicated and difficult to guess
- Set expiry time limits for the SessionIDs, and check them on every client request
- The application should be capable of revoking active SessionIDs and should not recycle the same SessionID
- Any attempt to use an invalid SessionID should be redirected to the login page
- Never accept session information within a URL
- Protect the session via SSL
- Session data should be submitted as a POST
- After authenticating, a new SessionID should be used (HTTP and HTTPS)
- Never let the users choose the SessionID
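An in-memory session store that applies the rules on this slide (server-chosen random IDs, per-request expiry checks, revocation without recycling, a fresh ID after login, and no IDs taken from the URL), as an added example rather than code from the presentation; the idle timeout and cookie name are assumptions:

```python
import secrets

IDLE_TIMEOUT = 900   # seconds; checked on every request

class SessionStore:
    """In-memory session table following the rules in the slide above."""

    def __init__(self):
        self._sessions = {}    # session_id -> {"user": str | None, "expires": float}
        self._retired = set()  # IDs that have been revoked and must never be recycled

    def _new_id(self):
        # Server-chosen, 256 bits of randomness: long and infeasible to guess.
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self._sessions and sid not in self._retired:
                return sid

    def create(self, now):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": now + IDLE_TIMEOUT}
        return sid

    def lookup(self, sid, now):
        """Validate on every request; None means redirect to the login page."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now >= rec["expires"]:
            self.revoke(sid)
            return None
        rec["expires"] = now + IDLE_TIMEOUT
        return rec

    def revoke(self, sid):
        if self._sessions.pop(sid, None) is not None:
            self._retired.add(sid)

    def authenticate(self, sid, user, now):
        """After login, retire the pre-auth ID and issue a fresh one."""
        if self.lookup(sid, now) is None:
            return None
        self.revoke(sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "expires": now + IDLE_TIMEOUT}
        return new_sid

def session_from_request(store, cookies, query, now):
    """Take the ID only from the (Secure, HttpOnly) cookie; an ID in the URL is ignored."""
    return store.lookup(cookies.get("SID"), now)
```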
4. Authentication Process
- Ensure that a 2-phase login process is in place
- Personalize the content
- Design a strong token-based authentication
5. Transaction non-repudiation
- To ensure authenticity and integrity of the transaction
Anti-Phishing Working Group (APWG): the APWG has over 2300 members from over 1500 companies and agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign. Financial industry members include the ING Group, VISA, Mastercard and the American Bankers Association.
It is better to be safer now than feel sorry later.