This is the presentation phishing seminar.pptx, created and published by m nadeem qazi (mnqazi). It is intended for students who want help creating their own presentation on the topic of phishing or hacking.
Slide 2 (INTEGRAL UNIVERSITY LUCKNOW, 4/23/2017 4:48 PM)
Definition
It is the act of tricking someone into giving confidential information (like passwords and credit card information) on a fake web page or email form pretending to come from a legitimate company (like their bank).
For example: sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
Slide 6
Types of Phishing
Deceptive - Sending a deceptive email in bulk, with a "call to action" that demands the recipient click on a link. The sender name and the visible link text imitate a trusted organisation, while the real sending address and the link's destination belong to the phisher.
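A check for the tell-tale of deceptive mail described above, the visible link text naming one domain while the href leads to another. This is an added example and not code from the original slides; it uses only the Python standard library, the message is constructed, and the "registrable domain" logic is a deliberate simplification (last two labels, no public-suffix list), which is an assumption to keep the example short.

```python
"""Flag anchors in an HTML e-mail whose visible text claims one domain while
the href leads to another.  Added example; SAMPLE_EMAIL is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A host or URL-looking string inside the link text, e.g. "www.bank.com/login".
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Simplified 'registrable domain': the last two labels.  Real code would
    consult a public-suffix list (co.uk etc.); this is an assumption for brevity."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html_text):
    """Return anchors whose text names a domain that differs from the href's."""
    parser = _LinkCollector()
    parser.feed(html_text)
    findings = []
    for href, text in parser.links:
        match = HOST_RE.search(text)
        if not match:
            continue  # link text is a plain phrase, nothing to compare
        claimed = registrable(match.group(1))
        actual = (urlparse(href).hostname or "").lower()
        if registrable(actual) != claimed:
            findings.append({"text": text, "href": href,
                             "claimed": claimed, "actual": actual})
    return findings


# Constructed sample: the first link shows the bank's URL but points elsewhere.
SAMPLE_EMAIL = """<p>Dear customer, your account has been locked.</p>
<p>Log in at <a href="http://login.example-bank.com.verify-account.example/">
https://www.example-bank.com/login</a> within 24 hours to restore access.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"text says {f['claimed']!r} but link goes to {f['actual']!r}: {f['href']}")
```

Run it over the HTML part of a message (for example the body returned by `email.message.EmailMessage.get_body(preferencelist=("html",))`) and the first link in the sample is reported; the second, whose text and target agree, is not.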
Slide 7
Types of Phishing
Malware-Based - Running malicious software on the user's machine. Various forms of malware-based phishing are:
Key loggers & screen loggers
Session hijackers
Web Trojans
Data theft
Slide 8
Types of Phishing
DNS-Based - Phishing that interferes with the integrity of the lookup process for a domain name, so that a correctly typed address resolves to the phisher's server. Forms of DNS-based phishing are:
Hosts file poisoning
Polluting the user's DNS cache
Proxy server compromise
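A check for the first of these forms, hosts file poisoning, as an added example that is not part of the original slides. It parses hosts-file text and reports any entry that pins a watched domain (or a subdomain of one) to an address; the watched list and the sample file are constructed for the example.

```python
"""Detect hosts-file entries that override name resolution for domains you
care about (hosts file poisoning).  Added example; SAMPLE_HOSTS is constructed
and WATCHED_DOMAINS is an assumed list of high-value sites."""
import ipaddress

WATCHED_DOMAINS = {"example-bank.com", "example-pay.com"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address: ignore the line
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def _covered(name, domain):
    return name == domain or name.endswith("." + domain)


def poisoned_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs for any watched domain or subdomain present.
    A legitimate hosts file has no business pinning a bank's hostname, so every
    hit is reported, including 0.0.0.0/loopback entries that would block access."""
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if any(_covered(name, d) for d in watched)]


# Constructed sample of a poisoned hosts file.
SAMPLE_HOSTS = """\
# Host database (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example          # ad blocking, harmless
192.0.2.10      www.example-bank.com login.example-bank.com   # injected by malware
not-an-ip       www.example-pay.com
"""

if __name__ == "__main__":
    for name, ip in poisoned_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} is pinned to {ip}")
```

On a real machine feed it the contents of `/etc/hosts` (Unix) or `C:\Windows\System32\drivers\etc\hosts` (Windows). The second form on the slide, a polluted resolver cache, needs the same kind of comparison but against a trusted external resolver, which is why it is not shown offline here.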
Slide 9
Types of Phishing
Content-Injection - Inserting malicious content into a legitimate site. Three primary types of content-injection phishing:
Attackers compromise a server through a security vulnerability and replace or augment the legitimate content with malicious content.
Malicious content is inserted into a site through a cross-site scripting vulnerability.
Malicious actions are performed on a site through a SQL injection vulnerability.
Slide 10
Types of Phishing
Man-in-the-Middle Phishing - The phisher positions himself between the user and the legitimate site, relaying traffic in both directions so the user sees the genuine pages while credentials and session tokens pass through the phisher.
Slide 11
Types of Phishing
Search Engine Phishing - Create web pages for fake products, get the pages indexed by search engines, and wait for users to enter their confidential information as part of an order, sign-up, or balance transfer.
Slide 12
Causes of Phishing
Misleading e-mails
No check of the source address
Vulnerabilities in browsers
No strong authentication at websites of banks and financial institutions
Limited use of digital signatures
Non-availability of secure desktop tools
Lack of user awareness
Vulnerabilities in applications
… and more
Slide 13
Effects of Phishing
Internet fraud
Identity theft
Financial loss to the original institutions
Difficulties in law enforcement investigations
Erosion of public trust in the Internet
Slide 17
How to combat phishing?
Educate application users
Think before you open
Never click on links in an email, message board post or mailing list; type the address yourself or use a bookmark
Never submit credentials on forms embedded in emails
Inspect the address bar and the SSL certificate
Never open suspicious emails
Ensure that the web browser has the latest security patches applied
Install the latest anti-virus packages
Destroy any hard copy of sensitive information
Verify accounts and transactions regularly
Report the scam via phone or email
Slide 18
How to combat phishing?
Formulate and enforce best practices
Authorization controls and access privileges for systems, databases and applications
Access to any information should be based on the need-to-know principle
Segregation of duties
Media should be disposed of only after erasing sensitive information
Slide 19
How to combat phishing?
Reinforce application development / maintenance processes:
1. Web page personalization
Using two pages to authenticate the users: for example, the first page takes only the username and then shows an image or phrase the user chose at enrolment before the password is requested, so a spoofed login page that cannot show it stands out.
Using client-side persistent cookies to recognise the user's browser so the personalised page can be shown.
Slide 20
How to combat phishing?
2. Content Validation
Never inherently trust the submitted data
Never present the submitted data back to an application user without sanitizing it
Always sanitize data before processing or storing it
Check the HTTP Referer header (bearing in mind that it is set by the client and may be absent or forged, so it is a hurdle, not an authentication control)
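The validation rules on this slide, and the two injection classes listed under content-injection phishing on slide 9, side by side in vulnerable and hardened form. This is an added example, not code from the original deck: it uses an in-memory sqlite3 table with constructed rows, and the site hostname is an assumption.

```python
"""Vulnerable and hardened handling of submitted data, covering SQL injection
and cross-site scripting plus a Referer check.  Added example, not code from
the original deck; uses an in-memory sqlite3 table with constructed rows."""
import html
import sqlite3
from urllib.parse import urlparse

OUR_HOST = "www.example-bank.com"   # assumed site hostname


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


def lookup_vulnerable(con, name):
    """Query built by string formatting: the input can rewrite the WHERE clause."""
    return con.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(con, name):
    """Parameterized query: the driver passes the input as data, never as SQL."""
    return con.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name):
    """Reflects submitted data into HTML unescaped: reflected/stored XSS."""
    return f"<p>Welcome back, {name}</p>"


def render_safe(name):
    """Escape on output so the data is displayed, not interpreted as markup."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


def referer_ok(headers, expected_host=OUR_HOST):
    """Accept state-changing requests only when the Referer is our own HTTPS
    origin.  The header is client-controlled and may be stripped, so this is a
    hurdle against cross-site form posts, not authentication."""
    ref = headers.get("Referer")
    if not ref:
        return False
    u = urlparse(ref)
    return u.scheme == "https" and (u.hostname or "").lower() == expected_host


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(con, payload))   # leaks every row
    print("safe:      ", lookup_safe(con, payload))         # no match
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_safe("<script>alert(1)</script>"))
```

The payload `x' OR '1'='1` turns the string-built query into one that matches every row, while the parameterized version returns nothing because the quote characters are just part of the name being searched for. Escaping is done at output time, which is the one place the context (HTML here) is known.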
Slide 21
How to combat phishing?
3. Session Handling
Make session identifiers long, random and impossible to guess
Set expiry time limits for SessionIDs and check them on every client request
The application should be capable of revoking active SessionIDs and must not recycle the same SessionID
Any request with an invalid SessionID should be redirected to the login page
Never accept session information within a URL
Protect the session via SSL
Session data should be submitted as a POST
After authenticating, a new SessionID should be issued (HTTP & HTTPS)
Never let users choose the SessionID
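A server-side session store that implements the rules above, as an added example rather than code from the original slides: the identifier comes from the OS random source, idle and absolute expiry are checked on every lookup, revoked identifiers are never reissued, a new identifier is issued after login, and an identifier offered in the URL is ignored. The cookie name and timeouts are assumptions.

```python
"""Server-side session store implementing the session-handling rules on the
slide.  Added example; the cookie name and timeouts are assumptions."""
import secrets
import time

COOKIE_NAME = "SESSIONID"
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock              # injectable for testing
        self._sessions = {}              # sid -> {"user", "created", "last_seen"}
        self._retired = set()            # ids that must never be accepted again

    def _new_id(self):
        """256 bits from the OS CSPRNG; the server, never the user, picks it."""
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self._sessions and sid not in self._retired:
                return sid

    def create(self, user=None):
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, request):
        """Resolve the session from the cookie only.  A request carrying the id
        in its query string is treated as anonymous, so ?SESSIONID=... links
        can neither fixate nor leak a session.  Returns the sid, or None, in
        which case the caller redirects to the login page."""
        if COOKIE_NAME in request.get("query", {}):
            return None
        sid = request.get("cookies", {}).get(COOKIE_NAME)
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT):
            self.revoke(sid)
            return None
        sess["last_seen"] = now
        return sid

    def login(self, pre_login_sid, user):
        """After authentication issue a new id and retire the pre-login one, so
        an id an attacker planted or sniffed before login is worthless."""
        self.revoke(pre_login_sid)
        return self.create(user)

    def revoke(self, sid):
        if sid in self._sessions:
            self._sessions.pop(sid)
            self._retired.add(sid)   # a real deployment prunes this by expiry

    def user(self, sid):
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


def set_cookie_header(sid):
    """Send the id only over TLS, hide it from scripts, keep it first-party."""
    return f"{COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

The `clock` parameter exists so expiry can be exercised without waiting; in production leave the default. The `Secure` attribute on the cookie is what enforces "protect the session via SSL" on the client side, and `HttpOnly` keeps an XSS payload from reading the identifier.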
Slide 22
How to combat phishing?
4. URL Qualification
Do not reference the redirection URL in the browser's URL
Always maintain a valid approved list of redirection URLs
Never allow customers to supply their own URLs
Never allow IP addresses to be used in URL information
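The four rules above as code, as an added example that is not part of the original slides. The preferred path maps a short key to an entry on an approved list, so no URL ever travels in the browser's address bar; the fallback qualifies a legacy free-form `next` parameter and refuses anything that is not same-site HTTPS or that uses an IP literal. Hostnames and targets are assumptions.

```python
"""Qualify redirect targets: the user names a destination from an approved
list, and any legacy free-form URL is accepted only when it is same-site,
HTTPS, and not an IP literal.  Added example; hostnames and targets assumed."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Preferred design: the client sends a key, the server maps it to the URL.
ALLOWED_TARGETS = {
    "account": "/account/summary",
    "transfer": "/payments/transfer",
    "help": "https://help.example-bank.com/",
}
OWN_HOSTS = {"www.example-bank.com", "help.example-bank.com"}
DEFAULT_TARGET = "/"


def resolve_target(key):
    """Unknown or attacker-supplied keys fall back to the home page."""
    return ALLOWED_TARGETS.get(key, DEFAULT_TARGET)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def safe_redirect(candidate):
    """Fallback for a legacy ?next= parameter.  Returns a sanitized URL (a
    path, or an absolute HTTPS URL on one of OWN_HOSTS) or None to refuse."""
    if not isinstance(candidate, str) or not candidate or len(candidate) > 2048:
        return None
    # Browsers treat backslashes like slashes, so "/\evil.example" is "//evil.example".
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None                              # javascript:, data:, ...
    if parts.netloc:                             # absolute or protocol-relative URL
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            return None                          # "//evil.example" lands here too
        if parts.username or parts.password:
            return None                          # https://www.example-bank.com@evil.example/
        if _is_ip_literal(host) or host not in OWN_HOSTS:
            return None
    elif not parts.path.startswith("/"):
        return None                              # relative paths are ambiguous
    # Drop the fragment; it is never needed server-side.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
```

`resolve_target` is the design the slide recommends; `safe_redirect` exists only for applications that cannot yet remove the free-form parameter, and its refusals (protocol-relative `//host`, userinfo tricks, non-HTTP schemes, IP literals, backslash confusion) are the cases open-redirect reports most often exploit.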
Slide 23
How to combat phishing?
5. Authentication Process
Ensure that a 2-phase login process is in place
Personalize the content
Design strong token-based authentication, for example a one-time code that is valid only briefly, so a password captured by a phishing page is not enough on its own
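A token-based second phase of login, as an added example that is not code from the original deck: a time-based one-time password (RFC 6238 over RFC 4226's HOTP) verified in constant time with a small drift window and replay protection, combined with a password phase so that both checks run before any decision. The user records and secrets are constructed; the 20-byte ASCII secret in the demo is the RFC 6238 test-vector secret.

```python
"""Token-based second phase of login: TOTP (RFC 6238 over HOTP, RFC 4226)
checked in constant time with replay protection, after the password phase.
Added example, not from the deck; users and secrets are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, submitted, at=None, step=30, window=1, last_used=None):
    """Accept the current step or one either side (clock drift), compare in
    constant time, and never accept a counter at or below the last one used.
    Returns the matched counter for the caller to persist, or None."""
    at = time.time() if at is None else at
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), str(submitted)):
            return counter
    return None


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, totp_secret):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _pw_hash(password, salt),
            "totp_secret": totp_secret, "last_otp": None}


# Dummy record so unknown usernames cost the same work as real ones.
_DUMMY = make_user(secrets.token_urlsafe(16), secrets.token_bytes(20))


def two_phase_login(users, username, password, otp, at=None):
    """Phase 1 password, phase 2 one-time code; both are evaluated before any
    decision so the response does not reveal which phase failed."""
    user = users.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw_hash"])
    matched = verify_totp(user["totp_secret"], otp, at=at, last_used=user["last_otp"])
    if user is _DUMMY or not pw_ok or matched is None:
        return False
    user["last_otp"] = matched      # burn the code: a replayed OTP is rejected
    return True


def provisioning_secret():
    """Base32 form of a fresh 160-bit secret, as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"        # RFC 6238 test-vector secret
    print(totp(rfc_secret, at=59))               # 287082
    users = {"alice": make_user("correct horse battery", rfc_secret)}
    print(two_phase_login(users, "alice", "correct horse battery", "287082", at=59))  # True
    print(two_phase_login(users, "alice", "correct horse battery", "287082", at=59))  # False: replay
```

A code stolen by a phishing page stays usable only for the current 30-second step and only once, which is the property the slide is after. Note that a real-time man-in-the-middle phisher (slide 10) can still relay a fresh code within that window; phishing-resistant tokens bind the authentication to the site's origin, which a shared-secret OTP cannot do.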
Slide 24
How to combat phishing?
6. Transaction non-repudiation
To ensure the authenticity and integrity of the transaction, so that neither party can later deny it. In practice this needs a digital signature made with a key only the customer holds; a shared-secret MAC gives integrity but not non-repudiation, since the bank could have produced it as well.
Slide 26
Organizations
Anti-Phishing Working Group (APWG)
The APWG has over 2300 members from over 1500 companies and agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign. Financial industry members include the ING Group, VISA, Mastercard and the American Bankers Association.