Slide 1: Phishing and Spamming

Submitted by: Kavis Pandey
Department of Electronics, ETC 2
1004093
email: kavis.pandey@yahoo.co.in
mob: 8984523393
Slide 2: Phishing & Spamming

- Phreaking + Fishing = Phishing
  - Phreaking = making phone calls for free in the 70's
  - Fishing = using bait to lure the target
- Definition: the act of obtaining usernames, passwords, credit card and other personal details by masquerading as a trustworthy entity in electronic communication.
- Popular on social websites, auction sites, banks, online payment processors and, most commonly, in the inboxes of almost everyone's email.
Slide 3: History & current status of phishing

- First mentioned in the context of "AOHELL", a hacking tool for AOL users.
- Recently, a popular case involved a Chinese phishing campaign targeting US and South Korean government, military and political activities.
- The most popular phishing attack in the past dates back to 1995: phishers posed as AOL staff and sent instant messages asking victims to reveal their passwords.
- Post-9/11 ID check scam.
- Thousands of cases were reported to customerfraudreporting.org in that period.
Slide 4: History & current status (continued)

- Targets of phishing attacks: banks 56%, retailers 14%, government 13%, spear phishing 7%, payment processors 5%, others 5%.
- Haiti earthquake scam
- FIFA World Cup 2010 scam
- Tax rebate scams in the UK
- PiP scams
Slide 5: Identifying a fraud

- The name of the company is listed as a scam on customerfraudreporting.org.
- The email format matches one of the several listed on the above website.
- The organisation has no website and cannot be located on Google.
- The email asks for personal information such as account details, driver's licence number, passport number etc.
- The email claims you have won a lottery you never entered.
- The prize promoters ask for a fee in advance.
- The email addresses you as "dear customer" rather than using your name and details.
- To collect the prize you might need to travel overseas at your own cost.
Slide 6: Phishing Techniques

- Email / spam: emails sent to thousands of people asking for their personal information.
- Web-based delivery: "man in the middle", the attacker sits between the website and the user.
- Instant messaging: the user receives a message with a link directing them to a fake website that looks like a legitimate one.
- Trojan hosts: hidden attackers trying to break into the machine to extract personal information.
- Link manipulation: phishers send a false link to a website.
- Key loggers: software used to capture keyboard input.
- Session hacking (hijacking): "session sniffing", phishers exploit the web session control mechanism to steal information.
Slide 7: Phishing Techniques (continued)

- System reconfiguration: for example, "Turn off your firewall to run this software".
- Content injection: phishers change part of the content of a web page, luring the user to a page outside the legitimate website.
- Phishing through search engines: users may be redirected to fake websites offering cheap products.
- Phone phishing: phishers call the user about exciting offers and products so that the user reveals their details to buy the products.
- Malware phishing: malware is attached to spam emails; when clicked, it may harm the system.
Slide 8: Why phishing works

1. Lack of knowledge
   a) Lack of computer system knowledge
   b) Lack of knowledge of security indicators
2. Visual deception
   a) Visually deceptive text: "paypai" instead of "paypal", "1" instead of "l", "o" instead of "0" etc.; this is called typejacking.
   b) Images masking underlying text
   c) Images mimicking windows
   d) Windows masking underlying windows
   e) Deceptive look and feel
3. Bounded attention
   a) Lack of attention to security indicators
   b) Lack of attention to the absence of security indicators
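The visually deceptive domains on this slide ("paypai" for "paypal", "1" for "l"), the link manipulation on slide 6 and the email-content tells on slide 5 can all be checked mechanically before a message reaches a user. The Python below is an added example written for this edit, not code from the presentation: it folds confusable characters before comparing a host against a list of protected brand domains, flags links whose visible text names a different site than the one they point to, and scores the body against slide 5's content tells. The protected-domain list, the confusable table, the scoring thresholds and the sample message are assumptions constructed for the demonstration.

```python
"""Added example: triage an email for phishing tells (lookalike domains,
link text/target mismatch, content heuristics). Sample data is constructed."""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation wants to protect (assumed list for the demo).
PROTECTED_DOMAINS = ["paypal.com", "bankofexample.com"]

# Characters commonly swapped for visually similar ones (slide 8: "paypai",
# "1" for "l", "0" for "o"); both sides of a comparison are folded with this.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})

# Content tells from slide 5 (generic greeting, request for identity data,
# lottery you never entered, advance fee) plus an urgency rule.
CONTENT_RULES = [
    ("generic greeting", re.compile(r"\bdear (customer|user|member)\b", re.I)),
    ("asks for credentials or identity data",
     re.compile(r"\b(password|account (number|details)|driver'?s? licen[cs]e|passport)\b", re.I)),
    ("lottery or prize you never entered", re.compile(r"\b(lottery|prize|winner)\b", re.I)),
    ("advance fee", re.compile(r"\b(processing|transfer|release) fee\b", re.I)),
    ("urgency or threat", re.compile(r"\b(within 24 hours|immediately|suspended)\b", re.I)),
]


def fold_confusables(s):
    return s.lower().translate(CONFUSABLES)


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list
    offline, so 'paypal.com.evil.example' -> 'evil.example')."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def lookalike_of(host):
    """Return the protected domain this host imitates, or None if the host is
    that domain itself (or a subdomain of it) or not close to any brand."""
    dom = registrable(host)
    if dom in PROTECTED_DOMAINS:
        return None
    folded_host, folded_dom = fold_confusables(host), fold_confusables(dom)
    for brand in PROTECTED_DOMAINS:
        folded_brand = fold_confusables(brand)
        if folded_dom == folded_brand:                  # paypa1.com, paypai.com
            return brand
        if folded_brand.split(".")[0] in folded_host:   # paypal.com.evil.example
            return brand
        if difflib.SequenceMatcher(None, folded_dom, folded_brand).ratio() >= 0.85:
            return brand                                # paypall.com
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(sender, html_body):
    """Score one message; each independent tell adds one finding."""
    findings = []
    sender_host = sender.rsplit("@", 1)[-1].rstrip(">").strip()
    brand = lookalike_of(sender_host)
    if brand:
        findings.append(f"sender domain {sender_host} imitates {brand}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        brand = lookalike_of(href_host)
        if brand:
            findings.append(f"link host {href_host} imitates {brand}")
        shown = re.search(r"https?://([\w.-]+)", text)  # slide 6: link manipulation
        if shown and registrable(shown.group(1)) != registrable(href_host):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    plain = re.sub(r"<[^>]+>", " ", html_body)
    findings += [f"content: {name}" for name, rx in CONTENT_RULES if rx.search(plain)]
    score = len(findings)
    verdict = "phishing" if score >= 3 else "suspicious" if score else "clean"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample message (not a real campaign).
SAMPLE_SENDER = "PayPal Security <alerts@paypa1-secure.example>"
SAMPLE_BODY = """<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you confirm your
password and account details at
<a href="http://paypal.com.login-check.example/verify">https://www.paypal.com/verify</a>.</p>"""

if __name__ == "__main__":
    result = triage(SAMPLE_SENDER, SAMPLE_BODY)
    print(result["verdict"], result["score"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run as a script it prints "phishing 6" for the constructed message, with one finding each for the lookalike sender domain, the lookalike link host, the mismatch between the link's visible text and its target, and three content tells. The registrable-domain helper deliberately ignores the public suffix list to stay offline, so a real filter would replace it with a proper library; the point of the example is that every tell on slides 5, 6 and 8 is something a filter can test for without relying on the reader noticing it.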
Slide 9: Anti-Phishing

- Social responses: train people to recognise phishing attacks. People need to slightly modify their browsing habits in order to avoid being scammed.
- Technical responses: use anti-phishing measures such as browser extensions or toolbars and anti-phishing software.
- Helping to identify legitimate websites: complain about fake websites. The SFIO deals with internet fraud in India. There are also cyber cells where complaints can be made.
Slide 10: Anti-Phishing

- Secure connection: from the 1990s to the late 2000s Mozilla used a padlock as the symbol for a secure connection; now certificates and "https" are also shown.
- Which site: check that the URL of the website matches the site you are looking for.
Slide 11: Anti-Phishing

- Who is the authority: the browser needs to state which authority issued the EV (Extended Validation) certificate for a website. The browser needs a root list of trusted CAs (Certification Authorities).
- Fundamental flaws in the security model of secure browsing:
  (a) users tend to overlook the security indicators;
  (b) users have learned to bypass most warnings and treat all warnings with the same disdain, resulting in "click-through disdain";
  (c) obtaining security authentication is very costly for websites, resulting in negligence;
  (d) threat models reinvent themselves at a much faster pace.
- Browsers alerting users to fraudulent websites: IE7 and Mozilla Firefox 2.0 onwards use Google's anti-phishing software; Chrome, Safari 3.2 and Opera 9.1 use a live blacklist from PhishTank and GeoTrust as well as a live whitelist from GeoTrust.
- Augmenting password log-ins: avoid staying logged in for long periods when not using the service; using a virtual keyboard is safer when entering passwords.
Slide 12: Anti-Phishing

- Eliminating phishing emails: use specialised filters to eliminate phishing emails and keep inboxes free of spam.
- Monitoring and takedown: contribute by reporting to both volunteer and industry groups such as PhishTank, and report to cyber cells to help them take down the guilty.
- Transaction verification and signing: steps are implemented to connect mobile phones with internet accounts, so that users are informed when transactions are made or other security issues arise.
- Legal responses: there is pride in giving evidence against a crime; support legal cases against cyber crimes and help punish the guilty.
Slide 13: Conclusion

- Con artists have existed in society for centuries, but with the web and internet they get access to a much larger group of people.
- They live on our mistakes.
- The final technical solution to phishing involves major changes to internet infrastructure; these changes are beyond any one institution.
- However, there are steps that can be deployed.
- It is all up to US.
- Be cautious, be careful.
- Stop phishing.
Slide 14: Thank you for your patience and attention.

Comments and questions.