Introduction to phishing

A brief introduction to phishing: how phishing and related attacks work, and how to protect yourself against them.

Published in: Technology

  1. Phishing, Spoofing, Spamming and Security: How To Protect Yourself. Dr. Harold L. "Bud" Cothern. Additional credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from the Anti-Phishing Workgroup's Phishing Archive, Carnegie Mellon CyLab.
  2. Recognize Phishing Scams and Fraudulent E-mails
     • Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information.
     • Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.
  3. History of Phishing
     • Phreaking + Fishing = Phishing
       – Phreaking: making phone calls for free, back in the 70's
       – Fishing: using bait to lure the target
     • Phishing in 1995. Target: AOL users. Purpose: getting account passwords for free time. Threat level: low. Techniques: similar names ( for ), social engineering.
     • Phishing in 2001. Target: eBayers and major banks. Purpose: getting credit card numbers and accounts. Threat level: medium. Techniques: same as in 1995, plus keyloggers.
     • Phishing in 2007. Target: PayPal, banks, eBay. Purpose: bank accounts. Threat level: high. Techniques: browser vulnerabilities, link obfuscation.
  4. A bad day phishin' beats a good day workin'
     • 2,000,000 e-mails are sent
     • 5% reach the end user: 100,000 (APWG)
     • 5% of those click on the phishing link: 5,000 (APWG)
     • 2% of those enter data into the phishing site: 100 (Gartner)
     • $1,200 from each person who enters data (FTC)
     • Potential reward: $120,000
     • In 2005 David Levi made over $360,000 from 160 people using an eBay phishing scam
  5. Phishing: A Growing Problem
     • Over 28,000 unique phishing attacks were reported in Dec. 2006, about double the number from 2005
     • Estimates suggest phishing affected 2 million US citizens and cost businesses billions of dollars in 2005
     • Additional losses result from consumer fears
  6. What Does a Phishing Scam Look Like?
     • As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
     • They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
  7. Current Phishing Techniques
     • Employ visual elements from the target site
     • DNS tricks, including Unicode (look-alike character) attacks on domain names
     • JavaScript attacks: a spoofed SSL lock icon
     • Certificates
       – Phishers can acquire certificates for domains they own
       – Certificate authorities make mistakes
  8. Spear-Phishing: Improved Target Selection
     • Socially aware attacks
       – Mine social relationships from public data
       – Phishing e-mail appears to arrive from someone known to the victim
       – Use the spoofed identity of a trusted organization to gain trust
       – Urge victims to update or validate their account
       – Threaten to terminate the account if the victim does not reply
       – Use a gift or bonus as bait
       – Security promises
     • Context-aware attacks: "Your bid on eBay has won!" "The books on your Amazon wish list are on sale!"
  9. Another Example:
  10. But wait… WHOIS Location: Korea, Republic Of. Even bigger problem: I don't have an account with US Bank!
  11. How To Tell If An E-mail Message is Fraudulent. Here are a few phrases to look for if you think an e-mail message is a phishing scam.
     • "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.
     • "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking.
  12. How To Tell If An E-mail Message is Fraudulent (cont'd)
     • "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
     • "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link text you see does not take you to that address but somewhere different, usually a phony Web site.
     • Resting the mouse pointer on the link reveals the real Web address. If that address is a string of cryptic numbers (a raw IP address) or looks nothing like the company's Web address, that is a suspicious sign.
  13. How To Tell If An E-mail Message is Fraudulent (cont'd). Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "" could appear instead as:
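The checks in slides 12 and 13 (link text that does not match the real destination, a raw IP address as the destination, and domains with letters added, dropped or transposed) can be automated over the HTML of a suspicious message. The following Python script is an added example and is not part of the original slides; the list of known domains and the sample e-mail are constructed for it, and it uses a simplified "last two labels" notion of the registrable domain rather than a public-suffix list.

```python
"""Flag the link tell-tales from slides 12 and 13 in an HTML e-mail body.

Added example, not from the original slides. Checks: a "masked" link whose
visible text names a different host than its href; an href whose host is a
bare IP address; a look-alike of a known domain (letters added, dropped,
substituted or transposed), or a known domain used as a subdomain of another.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the recipient actually does business with.
KNOWN_DOMAINS = {"paypal.com", "ebay.com", "usbank.com"}

# Visible anchor text that reads like a URL or bare domain, e.g. "www.paypal.com".
_URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(host):
    """Known domain that `host` imitates within two edits; None if exact or unrelated."""
    # Simplification: treat the last two labels as the registrable domain (no public-suffix list).
    registrable = ".".join(host.split(".")[-2:])
    if registrable in KNOWN_DOMAINS:
        return None
    for known in sorted(KNOWN_DOMAINS):
        if edit_distance(registrable, known) <= 2:
            return known
    return None


def audit_links(html):
    """Return one finding per suspicious anchor: {'href', 'text', 'reasons'}."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host, reasons = host_of(href), []
        if _URLISH.match(text) and host_of(text) != href_host:
            reasons.append(f"masked link: text shows {host_of(text)} but href goes to {href_host}")
        if is_ip(href_host):
            reasons.append("link points at a bare IP address")
        else:
            brand = lookalike_of(href_host)
            if brand:
                reasons.append(f"{href_host} is a look-alike of {brand}")
            reasons += [f"{k} appears as a subdomain of {href_host}" for k in sorted(KNOWN_DOMAINS)
                        if k in href_host and href_host != k and not href_host.endswith("." + k)]
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message; 203.0.113.7 is a documentation-range address.
SAMPLE_EMAIL = """
<p>Dear Valued Customer,</p>
<p>Please <a href="http://203.0.113.7/login">Verify your account</a> within 48 hours.</p>
<p>Or visit <a href="http://www.paypa1.com/secure">www.paypal.com</a> directly.</p>
<p>Statements: <a href="https://ebay.com.account-update.example/">https://ebay.com</a></p>
<p>Unsubscribe at <a href="https://www.usbank.com/preferences">www.usbank.com</a>.</p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(f["text"], "->", f["href"], "|", "; ".join(f["reasons"]))
```

Running the script flags the first three links (bare IP, "paypa1.com" masked as www.paypal.com, and ebay.com used as a subdomain of an unrelated domain) and leaves the genuine usbank.com link alone. The edit-distance threshold of two is a judgement call: raising it catches more typo-squats but starts matching unrelated short domains, so in practice the look-alike check is paired with a whitelist of the sender's real domains.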
  14. How To Protect Yourself
     • Never respond to an e-mail asking for personal information
     • Always check that the site is genuine and secure; call the company on a phone number you already have if necessary
     • Never click on the link in the e-mail; retype the address in a new browser window
     • Keep your browser updated
     • Keep antivirus definitions updated
     • Use a firewall
     • P.S.: Always shred your home documents before discarding them.