- Social engineering is understood as the art of manipulating people into performing actions to reveal their confidential information
PHISHING ATTACKS: How Vulnerable Are We?
by Jayaseelan Vejayon, MCP, CNE6, CEH

Agenda
• What is phishing?
• The statistics…
• How is it done?
• How to avoid?
The main objective of this seminar presentation is to create awareness about phishing.

So…what is phishing?
• It is a crime, and it is committed by fraudsters who can persuade victims to respond to a “legitimate-looking” email or click on a seemingly safe link.
• To do that, the attackers create emails that play on human emotions; it is a con: a type of deception.
http://www.livehacking.com/tag/phishing/

Although phishing is a modern crime of the Internet age, the forces behind it (manipulation, deceit and persuasion) are not. We can trace these tricks back to our epics, and even to children’s fairy tales!

Why phish, bad guy???
• It is designed to steal your valuable personal data
– credit card numbers
– passwords
– account data
– other important personal information

Your data can be sold for money!
The value of stolen credit cards, by issuing region:
Region   Visa  MasterCard  American Express  Discover
US       $2    $3          $5                $6
UK       $4    $4          $6                $6
EU       $6    $6          $8                $8
Canada   $3    $3          $6                $6

What is the value??
Rank | Last | Goods and services | Current | Previous | Prices
1 | 2 | Bank accounts | 22% | 21% | $10-1000
2 | 1 | Credit cards | 13% | 22% | $0.40-$20
3 | 7 | Full identity | 9% | 6% | $1-15
4 | N/R | Online auction site accounts | 7% | N/A | $1-8
5 | 8 | Scams | 7% | 6% | $2.50/wk - $50/wk (hosting); $25 design
6 | 4 | Mailers | 6% | 8% | $1-10
7 | 5 | Email Addresses | 5% | 6% | $0.83-$10/MB
8 | 3 | Email Passwords | 5% | 8% | $4-30
9 | N/R | Drop (request or offer) | 5% | N/A | 10-50% of drop amount
10 | 6 | Proxies | 5% | 6% | $1.50-$30
http://www.symantec.com/threatreport/topic.jsp?id=fraud_activity_trends&aid=underground_economy_servers

Why is it easy to be done?
• Internet users rely heavily on webmail and social networking sites
– by using phishing attacks to obtain access to Facebook or Gmail, successful attacks could open the doors to many other avenues
– if an email account is hacked with information obtained during a phishing attack, the attacker can reset passwords for other important accounts too

The history
Phreaking + Fishing = Phishing
– Phreaking = making phone calls for free back in the 70’s
– Fishing = using bait to lure the target
Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: similar names (www.ao1.com for www.aol.com), social engineering

The history (cont’d)
Phishing in 2001
Target: eBayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: same as in 1995, plus keyloggers
Phishing in 2007
Target: PayPal, banks, eBay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation

A bad day phishin’ beats a good day workin’
• 2,000,000 emails are sent
• 5% get to the end user – 100,000 (APWG)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site – 100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000
In 2005 David Levi made over $360,000 from 160 people using an eBay phishing scam.
APWG: Anti-Phishing Working Group; FTC: Federal Trade Commission

The David Levi eBay Phishing Scam (2005)
• Led by two brothers – Guy Levi, 22, and the ringleader, David Levi, 28
• Complaints were received from eBay users who had paid for laptops and Rolex watches that never arrived
• Lett, the computer expert in the gang, used a software tool of the spam trade called Atomic Harvester to sweep the internet, gathering around 6,000 email addresses. He wrote to more than 2,000 of these addresses, purporting to be eBay.

The Levis and Lett wanted the usernames and passwords of highly-rated eBay sellers. Anyone trading on eBay has a feedback score and a percentage feedback rating. If a seller has positive feedback rated at, say, 98%, a bidder will trust the seller to deliver. So Lett hijacked such accounts. First he changed the passwords, to lock out the real account holders; then he and the Levis started selling.
Those who fell for their ads for high-value items like Sony Vaio laptops and Rolex Daytona watches – using text and images lifted from legitimate ads – would be contacted by email and persuaded to pay off-line.
Police located 160 people who paid money to David Levi’s gang; there may have been others. The police had evidence of almost £200,000 in criminal gains but they suspect that the total figure was more than twice as much.
Source: Out-Law Magazine Winter 2005 Issue 13

The Statistics
RSA’s figures on phishing attacks (Q1, 2012)
• The news is not good
• Attacks rose again (for the 4th time)
• 19% increase compared to the second half of 2011
• The estimated worldwide financial losses – US$687 million

Top 5 countries targeted
• UK
• US
• Canada
• Brazil
• South Africa
Canada was affected by a significant increase in phishing, of nearly 400%, in Q1 2012.

The Statistics
Canada’s economic health during that period was good, and this only shows that fraudsters follow the money!!!

Google: Internet is a dangerous place
• June 2012 finding
– Google detects 9,500 new malicious websites every day
– Some are innocent websites that have been hacked to serve up malware
– Others are built specially for the purpose of distributing malware
– Google displays over 300,000 download warnings every day via the download protection service that is built into Chrome.

Google: Internet is a dangerous place
• The number of phishing sites peaked in 2012, with over 300,000 new phishing sites found per month.
• Approximately 12-14 million Google Search queries per day result in a web browser showing a warning advising users not to visit a currently compromised site.

Most Targeted Industry Sectors 3rd Quarter ’12 Chart – APWG Report
Most Targeted Industry Sectors 4th Quarter ’12 Chart – APWG Report
https://www.antiphishing.my/statistics/
Antiphishing.my is a portal that provides information related to phishing sites targeting Internet users in Malaysia.

Don’t fall prey to online banking scams
The Star Online
Date: 19 February 2011
PETALING JAYA: Internet users must ensure they install all necessary updates and use reputable anti-virus software so they don’t fall prey to online banking scams.
HSBC Bank Malaysia Berhad general manager for personal financial services, Lim Eng Seong, said the number of Malaysians opting for online banking was increasing.
"Most banks offer safety advice on the login page of their e-banking websites to warn users about the existence of such scams," he said.
Whenever there is a report of a scam, the bank immediately contacts Cyber Security Malaysia’s Computer Emergency Response Team (CERT) to remove the phishing website.
"For phishing websites operating from outside the country, we seek the assistance of the country’s local CERT team to shut down the website," he said.
Travel agent Safura Mokhtar, 41, recently became a victim of a phishing scam.
She lost RM4,600 but the local bank refused to offer her a refund although she was quick to report the incident.
She had received an e-mail, claiming to be from the bank, in November last year.
"The e-mail stated that I needed to log in immediately to update my contact information for security purposes," said Safura, who unsuspectingly clicked on the link provided.
"I am new to online banking and I was not aware that such scams existed," said Safura, who later received a text message from the bank informing her that money had been transferred out of her account.
She received a letter from the bank a week later informing her that they could not compensate her for her losses.
She was then referred to the Financial Mediation Bureau (FMB), which told her investigations would take up to six months.
"Cases of online banking scams in Malaysia have been increasing since the first such case was registered in 2005," said FMB CEO John Thomas.
Statistics from FMB showed that the number of cases had increased from only 46 in 2008 to 163 in 2010.
On the chances of victims getting their money back, Thomas said that of the 163 cases last year, only 51 victims managed to get part or all of their money back.
A check with Bank Negara showed that as of December last year, there were 9.8 million e-banking account holders in the country.

What Does a Phishing Scam Look Like?
As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

Phishing Quick Facts
A good phish targets weaknesses and lapses in human nature. For example, we often click “OK” without reading a warning.
A phish needs YOUR HELP in order to succeed.
Phishing is often conducted by organized crime.
Phishing groups are dynamic and can be in any country. They often use people in multiple countries simultaneously.
Credit and debit card users are the primary targets of phishers right now (going for fast cash).
Phishing can come in more than one form: email, instant messages, pop-ups, online postings, and telephone.
https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts

Phishing Quick Facts
A phish NEVER includes a real email address for the phisher, so it is pointless to reply to one.
A phish has a hook (Trust us. Here’s why.), a required action (Here’s what we want you to do.), and a push (Hurry, act now!).
Most servers that host phish sites are legitimate servers that have been compromised. Phishers must use the site’s URL or IP address in the phish. Some servers that host phish sites are fraudulently registered. Phishers can use any URL and try to make it similar to the victim site.
https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts

Spear-Phishing: Improved Target Selection
• Social-aware attacks
– Mine social relationships from public data
– Phishing email appears to arrive from someone known to the victim
– Use the spoofed identity of a trusted organization to gain trust
– Urge victims to update or validate their account
– Threaten to terminate the account if the victim does not reply
– Use a gift or bonus as bait
– Security promises
• Context-aware attacks
– “Your bid on eBay has won!”
– “The books on your Amazon wish list are on sale!”

Phishing Techniques
• Employ visual elements from the target site
• DNS tricks:
– www.ebay.com.kr
– email@example.com
– www.gooogle.com
• Certificates
– Phishers can acquire certificates for domains they own
– Certificate authorities make mistakes

How is it done? Some live examples…
Cloning a website
• Manually create a website with the logos and themes of the legitimate website
• Automatically create the website using tools, e.g. the BackTrack Social Engineering tools
Live Demo

How is it done? Some live examples…
DNS tricks
– www.ebay.com.kr
– firstname.lastname@example.org
– www.gooogle.com
Anything between http:// and @ will be processed by the browser as input for the username and password. If the username and password are not required, the browser discards them and the page will appear as usual.

How is it done? Some live examples…
To access a website, we can use:
• Domain name (www.google.com.my)
• IP address (220.127.116.11)
• IP address decimal value (1249740638)
Now, I can use http://www.cimbclicks.com.my@1249740638 to provide a link which looks legitimate but actually diverts you to another site.

How is it done? Some live examples…
Text and link
• Click here to CIMBClicks’ site
• CIMBClicks
• http://www.cimbclicks.com.my

How is it done? Some live examples…
Spoof the email account
Email spoofing is the creation of email messages with a forged sender address, something which is simple to do because the core SMTP protocols do no authentication. It is commonly used in spam and phishing emails to hide the origin of the email message. (Wikipedia)
• E.g. Deadfake (http://deadfake.com/Send.aspx)

How is it done? Some live examples…
Email message
From: email@example.com
Subject: URGENT: Change Your Password
Message:
Dear Colleagues,
There is a security breach in our environment. Please change your password immediately! Please click on the link below and follow the instructions on the screen.
http://mail.quip.com.my
Failing to change your password by COB today will cause your account to be suspended.

How to tell if an e-mail message is fraudulent
Here are a few phrases to look for:
"Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.
"If you don’t respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you’ll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.

"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
"Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you’d fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company’s name and are usually “masked”, meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.

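The cues on this and the previous slides (a forged sender, urgency phrases, a generic salutation, a “masked” link whose visible text is not where it really goes) can be checked mechanically before a message reaches a person. The script below is an added example written for this page, not a tool from the deck or from MyCERT. It parses a constructed copy of the deck’s “URGENT: Change Your Password” message; the sender address, Return-Path, receiving host and link target are invented example values, and the phrase list is drawn from the wording these slides single out.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the deck's sample. Addresses, the Return-Path
# and the link target are invented example values, not real infrastructure.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
        by mx.quip.com.my with ESMTP id EXAMPLE001
From: IT Helpdesk <helpdesk@quip.com.my>
To: staff@quip.com.my
Subject: URGENT: Change Your Password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Colleagues,</p>
<p>There is a security breach in our environment. Please change your
password immediately! Please click on the link below and follow the
instructions on the screen.</p>
<p><a href="http://mail.quip.com.my.example.net/reset">http://mail.quip.com.my</a></p>
<p>Failing to change your password by COB today will cause your account
to be suspended.</p>
</body></html>
"""

# Phrases the "How to tell" slides single out, plus the wording of the sample itself.
URGENCY_PATTERNS = [
    r"verify\s+your\s+account",
    r"within\s+\d+\s+hours",
    r"dear\s+valued\s+customer",
    r"click\s+(?:on\s+)?the\s+link\s+below",
    r"immediately",
    r"account\s+(?:will\s+be|to\s+be)\s+(?:closed|suspended)",
]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def masked_links(links):
    """Links whose visible text names a host that differs from the real target host."""
    masked = []
    for href, text in links:
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        real_host = (urlparse(href).hostname or "").lower()
        if shown and real_host and shown.group(1).lower() != real_host:
            masked.append((text, href))
    return masked


def urgency_phrases(text):
    """Urgency / credential-request phrases found in the body, whitespace-normalised."""
    found = []
    for pattern in URGENCY_PATTERNS:
        m = re.search(pattern, text, re.I)
        if m:
            found.append(re.sub(r"\s+", " ", m.group(0).lower()))
    return found


def domain_of(header_value):
    """Domain part of the address in a From:/Return-Path: header ("" if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyse_message(raw):
    """Score one raw RFC 5322 message for the phishing cues discussed on the slides."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(str(msg["From"] or ""))
    bounce_domain = domain_of(str(msg["Return-Path"] or ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)
    plain = re.sub(r"<[^>]+>", " ", html)   # crude tag strip for phrase matching
    result = {
        # Envelope sender on a different domain than the visible From:. Legitimate
        # bulk mailers do this too, so treat it as one signal, not as proof.
        "sender_mismatch": bool(bounce_domain) and bounce_domain != from_domain,
        "masked_links": masked_links(collector.links),
        "urgency": urgency_phrases(plain),
    }
    result["score"] = (int(result["sender_mismatch"])
                       + len(result["masked_links"]) + len(result["urgency"]))
    return result


if __name__ == "__main__":
    print(analyse_message(SPOOFED_MESSAGE))
```

On the sample message the script reports the Return-Path/From domain mismatch, one masked link (the text says mail.quip.com.my while the href goes elsewhere) and three urgency phrases. A mail gateway would feed the same signals into a quarantine decision; here they only show that each cue on the slide is something software can see as well as a careful reader.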
Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters.
For example, the URL "www.microsoft.com" could appear instead as:
• www.micosoft.com
• www.mircosoft.com
• www.verify-microsoft.com

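The altered names above, and the http://www.cimbclicks.com.my@1249740638 form from the live-examples slides (where only the part after the @ is the real destination), can both be caught by inspecting a link before anyone clicks it. The following script is an added example written for this page, not a tool from the deck; the brand allow-list and the sample links are constructed, and the edit-distance thresholds are a design choice of the example rather than anything the slides prescribe.

```python
import ipaddress
from urllib.parse import urlparse

# Brands to protect and their genuine domains. A constructed allow-list for this
# example; a real deployment would load the organisation's own list.
KNOWN_BRANDS = {
    "microsoft": ["microsoft.com"],
    "google": ["google.com", "google.com.my"],
    "ebay": ["ebay.com"],
    "cimbclicks": ["cimbclicks.com.my"],
}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute); a transposition costs two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_decimal_host(host):
    """Dotted-quad form of a bare-integer IPv4 host (e.g. 1249740638), else None."""
    if not host or not host.isdigit() or int(host) > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(int(host)))


def under_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def lookalike_brand(host):
    """Brand that the host imitates, or None for the genuine site or an unrelated host."""
    host = host.lower()
    if any(under_domain(host, d) for ds in KNOWN_BRANDS.values() for d in ds):
        return None
    labels = host.split(".")
    for brand in KNOWN_BRANDS:
        if brand in host:   # brand embedded in another label, or under a foreign TLD
            return brand
        # Added, omitted or transposed letters: allow 1 edit for short brand names
        # (so "okay" is not mistaken for "ebay") and 2 for longer ones.
        max_edits = 1 if len(brand) <= 5 else 2
        if any(len(lab) >= 4 and levenshtein(lab, brand) <= max_edits for lab in labels):
            return brand
    return None


def analyse_link(url):
    """Collect the link-level warning signs from the slides for one URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.username is not None:   # text before '@' is userinfo, not the host
        reasons.append(f"userinfo '{parsed.username}' shown before real host '{host}'")
    decoded = decode_decimal_host(host)
    if decoded is not None:
        reasons.append(f"decimal IP host decodes to {decoded}")
    brand = lookalike_brand(host)
    if brand is not None:
        reasons.append(f"host imitates '{brand}' but is not under its genuine domain")
    return {"url": url, "host": host, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample links: the deck's examples plus two genuine addresses.
SAMPLE_LINKS = [
    "http://www.cimbclicks.com.my@1249740638",
    "www.micosoft.com",
    "www.mircosoft.com",
    "www.verify-microsoft.com",
    "www.ebay.com.kr",
    "www.gooogle.com",
    "https://www.cimbclicks.com.my/",
    "http://www.google.com.my",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(analyse_link(link))
```

Running the script prints one verdict per sample link: the six impostors are flagged and the two genuine addresses are not, and 1249740638 decodes to 74.125.135.94, which is the host the CIMBClicks-style link actually reaches. Current browsers strip or warn about userinfo in http URLs, so a check like this matters most where links are first seen, in mail gateways, chat clients and proxy logs, rather than in the browser itself.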
How do I avoid becoming a victim…
• Never respond to an email asking for personal information
• Always check the site to see if it is secure. Call the phone number if necessary
• Never click on the link in the email. Retype the address in a new window
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• Don’t ignore browser warnings. Since legitimate sites can be hacked and modified to contain malware, don’t visit a website if a browser warning is shown, no matter how well-known the website is to you.
P.S.: Always shred your documents before discarding them.

Don’t fall for the myths…
“It’s hard for criminals to duplicate my institution’s website, so if it looks good, it must be the real site.”
The Truth: Many fake sites look identical to the original site.
“If I see a lock anywhere on the page, I know it is a secure website.”
The Truth: The lock or key that signifies a secure site must appear on the body or chrome of the browser, not as a picture on a webpage.
“I can tell by the poor grammar if it is a phish.”
The Truth: Fake sites often have perfect grammar and spelling.
https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts

DontPhishMe is an initiative of MyCERT, CyberSecurity Malaysia, to provide a security mechanism for preventing online banking phishing threats, specifically for local Malaysian banks.
DontPhishMe is an add-on for Firefox that alerts you if an online banking web page that you visit appears to be asking for your personal or financial information under false pretenses. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That’s why it’s important to browse safely with DontPhishMe. DontPhishMe will automatically warn you when you encounter a page that’s trying to trick you into disclosing personal information.
Get this add-on for Mozilla Firefox and Google Chrome.

Cyber999 Help Centre
Cyber999 is a service provided for Internet users to report or escalate computer security incidents.
Computer security incidents may be reported to Cyber999 in the following ways:
SMS: CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
TELEPHONE:
Office Hours: 1-300-88-2999
24x7 (Emergency): +6019-266 5850
Calls to MyCERT and the Cyber999 Hotline are monitored during business hours (9:00 AM – 6:00 PM)
WEB REPORTING: http://www.mycert.org.my
EMAIL: cyber999 [at] cybersecurity.my

Thank You
Jayaseelan Vejayon
Assistant Director & Head
Information & Communications Technology Division
Quest International University Perak
jayaseelan.firstname.lastname@example.org
jayitsecurity.blogspot.com
Don’t be a phishing victim…it is NO “PHUN”
Think before you click!