2. Contents
Introduction
Comparison To Spam
Security Properties
How To Avoid Phishing
Dynamic Security Skins
Security Analysis
Anti-Phishing Tools
References
3. Introduction
Phishing is a way of fraudulently acquiring sensitive information
using social engineering and technical subterfuge
Pronounced "fishing"
The word has its origin in "password harvesting", i.e. fishing for passwords
Phishing is an online form of pretexting, a kind of deception in
which an attacker pretends to be someone else in order to obtain
sensitive information from the victim
Also known as "brand spoofing"
Phishers are phishing artists
4. Continued
It tries to trick users with official-looking messages, e.g. from:
Credit card
Bank account
eBay
PayPal
Some phishing e-mails also contain malicious or unwanted software that can track your activities or slow your computer
5. Comparison To Spam
The purpose of a phishing message is to acquire sensitive information about a user. To do so, the message needs to deceive the intended recipient. It therefore contains no useful information and hence falls under the category of spam.
A spam message tries to sell a product or service, whereas a phishing message needs to look like it comes from a legitimate organization.
Techniques applied to spam messages cannot be applied naively to phishing messages.
6. Security Properties
The limited human skills property.
The general purpose graphics property.
The golden arches property.
The unmotivated user property.
The barn door property.
8. How To Avoid Phishing
DON’T CLICK THE LINK
Type the site name in your browser (such as www.paypal.com)
Never send sensitive account information by e-mail
Account numbers, SSN, passwords
Never give any password out to anyone
Verify any person who contacts you (phone or email).
If someone calls you on a sensitive topic, thank them, hang up and call them
back using a number that you know is correct, like from your credit card or
statement.
9. Dynamic Security Skins
Static Security Indicators: One solution is for the browser to display all "secure" windows in a way that is distinct from windows that are not secure. Most browsers do this today by displaying a closed lock icon on the status bar or by altering the location bar (e.g., Mozilla Firefox uses a yellow background for the address bar) to indicate SSL protected sites.
Customized Security Indicators: Another possibility is for the user to create a custom security indicator for each authenticated site, or one custom indicator to be used for all sites.
Automated Custom Security Indicators: We chose to automatically identify authenticated web pages and their content using randomly generated images.
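As an added illustration (not from the slides or from the Dynamic Security Skins authors' code), the following Python sketch shows the automated indicator idea: the browser's trusted window and the authenticated page derive the same image from a per-session shared secret, so a page that does not hold the secret cannot reproduce it. It assumes the shared secret is established by the site's authentication step; here it is simply random bytes, and the "image" is a text-mode grid.

```python
import hashlib
import hmac
import secrets

# Four "colours" for a text-mode image; a real skin would render pixels.
PALETTE = ["#", "+", ".", " "]


def visual_hash(session_secret: bytes, context: bytes, size: int = 8) -> list:
    """Derive a size x size pattern deterministically from the session secret.

    The pattern is an HMAC-SHA256 keystream over (context, counter), so anyone
    holding the secret reproduces it exactly, and nobody without it can.
    `context` ties the image to one purpose (here: the security skin).
    """
    needed = size * size
    stream = b""
    counter = 0
    while len(stream) < needed:
        msg = context + counter.to_bytes(4, "big")
        stream += hmac.new(session_secret, msg, hashlib.sha256).digest()
        counter += 1
    cells = [PALETTE[b & 3] for b in stream[:needed]]
    return ["".join(cells[r * size:(r + 1) * size]) for r in range(size)]


def new_session_secret() -> bytes:
    # Assumption: in the real scheme this comes from mutual authentication
    # (the paper uses a password-authenticated key exchange); constructed here.
    return secrets.token_bytes(32)


def skins_match(trusted_window: list, page_content: list) -> bool:
    """The user's check: does the page's skin equal the trusted window's?"""
    return trusted_window == page_content


def demo() -> tuple:
    """Returns (legitimate page matches, spoof page matches)."""
    secret = new_session_secret()
    skin = b"dynamic-security-skin"
    trusted = visual_hash(secret, skin)        # drawn by the browser
    legit = visual_hash(secret, skin)          # drawn by the real site
    spoof = visual_hash(new_session_secret(), skin)  # attacker lacks the secret
    return skins_match(trusted, legit), skins_match(trusted, spoof)


if __name__ == "__main__":
    print("\n".join(visual_hash(new_session_secret(), b"dynamic-security-skin")))
    print(demo())
```

The second value from `demo()` is false because the image is a function of the secret, which is why a leak of the images or of the secret (the "Security Analysis" cases) defeats the indicator.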
10. Security Analysis
Leak of the Verifier
Leak of the Images
Man-in-the-Middle Attacks
Spoofing the Trusted Window
Spoofing the Visual Hashes
11. Anti-Phishing Tools
eBay Toolbar: The eBay Toolbar is a browser plug-in that eBay offers to its customers to help keep track of auction sites. The toolbar has a feature, called AccountGuard, which monitors web pages that users visit and provides a warning in the form of a colored tab on the toolbar.
SpoofGuard: SpoofGuard is an Internet Explorer browser plug-in that examines web pages and warns users when a certain page has a high probability of being a spoof.
Spoofstick: Spoofstick is a toolbar extension for Internet Explorer and Mozilla Firefox that provides basic information about the domain name of the website.
12. References
Loftesness, Scott. Responding to "Phishing" Attacks. Glenbrook Partners, 2004. http://www.glenbrook.com/opinions/phishing.htm
Litan, Avivah. Phishing Attack Victims Likely Targets for Identity Theft. Gartner First Take FT-22-8873, Gartner Research, 2004.
Anti-Phishing Working Group. Phishing Activity Trends Report, March 2005. http://antiphishing.org/APWG_Phishing_Activity_Report_March_2005.pdf