Introduction to phishing

A brief introduction to phishing, the ways phishing and related hacking attacks are carried out, and how to protect ourselves from them.

Phishing, Spoofing, Spamming and Security: How To Protect Yourself

Dr. Harold L. "Bud" Cothern

Additional credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from the Anti-Phishing Working Group's Phishing Archive, Carnegie Mellon CyLab
Recognize Phishing Scams and Fraudulent E-mails

• Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information.
• Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.
History of Phishing

Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free, back in the 1970s
- Fishing = using bait to lure the target

Phishing in 1995
- Target: AOL users
- Purpose: getting account passwords for free online time
- Threat level: low
- Techniques: similar names (www.ao1.com for www.aol.com), social engineering

Phishing in 2001
- Target: eBay users and major banks
- Purpose: getting credit card numbers and account credentials
- Threat level: medium
- Techniques: the same as in 1995, plus keyloggers

Phishing in 2007
- Target: PayPal, banks, eBay
- Purpose: bank accounts
- Threat level: high
- Techniques: browser vulnerabilities, link obfuscation
• 2,000,000 emails are sent
• 5% get to the end user: 100,000 (APWG)
• 5% click on the phishing link: 5,000 (APWG)
• 2% enter data into the phishing site: 100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000

"A bad day phishin' beats a good day workin'." In 2005 David Levi made over $360,000 from 160 people using an eBay phishing scam.
Phishing: A Growing Problem

• Over 28,000 unique phishing attacks were reported in December 2006, about double the number from 2005
• Estimates suggest phishing affected 2 million US citizens and cost businesses billions of dollars in 2005
• Additional losses result from consumer fears
What Does a Phishing Scam Look Like?

• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
Current Phishing Techniques

• Employ visual elements from the target site
• Domain-name and URL tricks:
  - www.ebay.com.kr (the registered domain is ebay.com.kr, which has nothing to do with ebay.com; the familiar name is only the left-hand part)
  - www.ebay.com@192.168.0.5 (in a URL, everything before "@" is a user name, so the real host is 192.168.0.5; current browsers strip or warn about such credentials, but the link text in an e-mail still reads as eBay)
  - www.gooogle.com (typo-squatting: letters added, omitted, or transposed)
  - Unicode attacks (internationalized domain names that use characters which look like Latin letters, such as a Cyrillic "е" in place of "e")
• JavaScript attacks
  - Spoofed SSL lock (script or images imitating the browser's padlock indicator)
• Certificates
  - Phishers can acquire certificates for domains they own, so a valid certificate only proves you are talking to the domain in the address bar, not that the domain is the genuine company
  - Certificate authorities make mistakes
Spear-Phishing: Improved Target Selection

• Socially aware attacks
  - Mine social relationships from public data
  - Phishing e-mail appears to arrive from someone known to the victim
  - Use the spoofed identity of a trusted organization to gain trust
  - Urge victims to update or validate their account
  - Threaten to terminate the account if the victim does not reply
  - Use a gift or bonus as bait
  - Make security promises
• Context-aware attacks
  - "Your bid on eBay has won!"
  - "The books on your Amazon wish list are on sale!"
Another Example:

(The example e-mail is an image in the original slides and is not reproduced in this text.)

But wait... WHOIS 210.104.211.21: Location: Korea, Republic Of

Even bigger problem: I don't have an account with US Bank!
How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for if you think an e-mail message is a phishing scam.

• "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.
• "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking.
How To Tell If An E-mail Message is Fraudulent (cont'd)

• "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
• "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.
• Resting the mouse pointer on the link reveals the real Web address (most mail clients show it in the status bar or a tooltip). A string of cryptic numbers, or a host name that looks nothing like the company's Web address, is a suspicious sign.
How To Tell If An E-mail Message is Fraudulent (cont'd)

Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as:
- www.micosoft.com (a letter omitted)
- www.mircosoft.com (letters transposed)
- www.verify-microsoft.com (a separate registered domain that merely contains the brand name)
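The URL tricks listed under "Current Phishing Techniques" and the masked-link and look-alike checks described on the last three slides can all be mechanised. The following is an added example, not code from the slide deck or from any of its credited sources: a small Python checker that pulls every link out of an HTML mail body, flags user-info-before-"@", bare IP hosts, Unicode/IDN hosts, brand names buried in an unrelated registered domain (ebay.com.kr, verify-microsoft.com), typo-squats within two edits of a known brand (micosoft, mircosoft, gooogle), and links whose visible text names a different domain than their href. The brand list, the two-label public-suffix subset, the edit-distance threshold of 2 and the sample message are all assumptions constructed for the demonstration; a production tool would load the full Public Suffix List and a real brand inventory.

```python
"""Added example (not from the slide deck): flag URL tricks and masked links.
Brand list, suffix subset, thresholds and the sample e-mail are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

KNOWN_BRANDS = {"ebay": "ebay.com", "microsoft": "microsoft.com",
                "google": "google.com", "paypal": "paypal.com"}   # assumed list
TWO_LABEL_SUFFIXES = {"com.kr", "co.kr", "co.uk", "com.au"}       # assumed PSL subset
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def registrable_domain(host):
    """'www.ebay.com.kr' -> 'ebay.com.kr' (not ebay.com); 'www.ebay.com' -> 'ebay.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance: letters added, omitted or transposed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_findings(url):
    """Reasons a single URL matches one of the obfuscation tricks on the slides."""
    findings, parts = [], urlsplit(url)
    host = parts.hostname or ""          # urlsplit already lower-cases it
    if parts.username is not None:      # www.ebay.com@192.168.0.5: '@' splits userinfo from host
        findings.append(f"userinfo '{parts.username}' hides real host {host}")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("bare IP address as host")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        findings.append("IDN/Unicode host (possible homograph)")
    reg = registrable_domain(host)
    sld = reg.split(".")[0]
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            continue                                     # the genuine domain
        if brand in host:                                # ebay.com.kr, verify-microsoft.com
            findings.append(f"'{brand}' in host but registrable domain is {reg}")
        elif 0 < edit_distance(sld, brand) <= 2:         # micosoft, mircosoft, gooogle
            findings.append(f"'{sld}' is a near-miss of {brand}")
    return findings


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email_html(html):
    """Run url_findings on every link and flag text/href domain mismatches (masked links)."""
    collector = _AnchorCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        findings = url_findings(href)
        if LOOKS_LIKE_URL.match(text):                   # visible text is itself an address
            shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
            real = urlsplit(href).hostname or ""
            if registrable_domain(shown) != registrable_domain(real):
                findings.append(f"masked link: shows {shown} but goes to {real}")
        report.append({"text": text, "href": href, "findings": findings})
    return report


# Constructed sample, not a real message; the fourth link uses Cyrillic U+0435 for "e".
SAMPLE_EMAIL_HTML = """<p>Dear Valued Customer,</p>
<p>Please <a href="http://www.ebay.com@192.168.0.5/signin">verify your account</a>
within 48 hours or it will be closed.</p>
<p>Update your details at <a href="http://www.verify-microsoft.com/login">www.microsoft.com</a>.</p>
<p>Or sign in to your <a href="http://www.micosoft.com/">Microsoft Account</a>.</p>
<p>Track your bid at <a href="http://www.\u0435bay.com/">www.ebay.com</a>.</p>
<p>Help is at <a href="https://www.ebay.com/help">www.ebay.com/help</a>.</p>
"""

if __name__ == "__main__":
    for entry in analyze_email_html(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if entry["findings"] else "ok        ", entry["href"])
        for reason in entry["findings"]:
            print("   -", reason)
```

Running the script flags the first four links (user-info plus bare IP; brand inside a different registered domain plus masked text; one-letter typo-squat; Unicode host plus near-miss plus masked text) and passes the genuine ebay.com help link. The checks are deliberately independent so that a message tripping only one of them is still reported; the weak spot of the approach is the brand list, since any brand you have not enumerated gets no typo or embedding check.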
How To Protect Yourself

• Never respond to an e-mail asking for personal information.
• Always check that the site is the genuine one before entering data. A padlock or "https" only shows the connection is encrypted, not that the site belongs to the company, so confirm the address yourself and call the company's published phone number if necessary.
• Never click on a link in the e-mail. Retype the address in a new window.
• Keep your browser updated.
• Keep antivirus definitions updated.
• Use a firewall.

P.S.: Always shred your home documents before discarding them.