This document discusses the history and techniques of phishing attacks. It notes that phishing originated in the 1990s as a way to steal AOL account passwords but has since evolved to target banks, PayPal, and other financial institutions to steal credit card numbers and bank account credentials. Modern phishing uses official-looking websites, email messages, links, and social engineering to trick users into providing sensitive information. The document recommends ways for individuals and businesses to protect themselves, including being wary of unsolicited messages requesting personal details, verifying website URLs, keeping software updated, and reporting suspicious activity.

1. Submitted by:Harpinder kaur

2.  History
 INTRODUCTION
 TECHNIQUES
 SPEAR PHISHING
 HOW TO PROTECT
 PREVENTIONS
 CONCLUSION
 REFERENCES

3.  Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in 70’s
◦ - Fishing = Use bait to lure the target
 Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: Similar names ( www.ao1.com for www.aol.com ), social
engineering
 Phishing in 2001
Target: Ebayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: Same in 1995,
 Phishing in 2007
Target: Paypal, banks, ebay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation

4. • Phishing is a type of deception designed to steal your
valuable personal data, such as credit card numbers,
passwords, account data, or other information.
• Con artists might send millions of fraudulent e-mail
messages that appear to come from Web sites you trust,
like your bank or credit card company, and request that
you provide personal information

5. • As scam artists become more sophisticated, so
do their phishing e-mail messages and pop-up
windows.
• They often include official-looking logos
from real organizations and other identifying
information taken directly from legitimate
Web sites.

6. • Employ visual elements from target site
• DNS Tricks:
– www.ebay.com.kr
– www.ebay.com@192.168.0.5
– www.gooogle.com
– Unicode attacks
• JavaScript Attacks
– Spoofed SSL lock
• Certificates
– Phishers can acquire certificates for domains they own
– Certificate authorities make mistakes

7.  Example of a phishing e-mail message, including a
deceptive URL address linking to a scam Web site. To
make these phishing e-mail messages look even
more legitimate, the scam artists may place a link in
them that appears to go to the legitimate Web site (1),
but it actually takes you to a phony scam site (2) or
possibly a pop-up window that looks exactly like the
official site.These copy cat sites are also called
"spoofed" Web sites. Once you're at one of these
spoofed sites, you might unwittingly send personal
information to the con artists.

8. • Socially aware attacks
 Mine social relationships from public data
 Phishing email appears to arrive from someone known to
the victim
 Use spoofed identity of trusted organization to gain trust
 Urge victims to update or validate their account
 Threaten to terminate the account if the victims not reply
 Use gift or bonus as a bait
 Security promises
• Context-aware attacks
“Your bid on eBay has won!”
“The books on your Amazon wish list are on sale!”

9. • "Verify your account." Businesses should not ask
you to send passwords, login names, Social Security
numbers, or other personal information through e-
mail. If you receive an e-mail from anyone asking
you to update your credit card information, do not
respond: this is a phishing scam.
• "If you don't respond within 48 hours, your
account will be closed." These messages convey a
sense of urgency so that you'll respond immediately
without thinking. Phishing e-mail might even claim
that your response is required because your account
might have been compromised.

10. • "Dear Valued Customer." Phishing e-mail
messages are usually sent out in bulk and often do not
contain your first or last name.
• "Click the link below to gain access to your
account." HTML-formatted messages can contain
links or forms that you can fill out just as you'd fill
out a form on a Web site. The links that you are
urged to click may contain all or part of a real
company's name and are usually "masked," meaning
that the link you see does not take you to that address
but somewhere different, usually a phony Web site.

11.  Con artists also use Uniform Resource Locators
(URLs) that resemble the name of a well-known
company but are slightly altered by adding, omitting,
or transposing letters.
 For example, the URL "www.microsoft.com" could
appear instead as:
 www.micosoft.com
 www.mircosoft.com
 www.verify-microsoft.com

12. • Never respond to an email asking for personal
information
• Always check the site to see if it is secure.
Call the phone number if necessary
• Never click on the link on the email. Retype
the address in a new window
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall

13.  In order to combat phishing, business and consumers need to
adopt best practices and practice awareness, educate
themselves about phishing and anti-phishing techniques, use
current security protection and protocols, and report suspicious
activities. By doing so, they can reduce their exposure to fraud
and identity theft, safeguard their confidential

14.  [1] Angelo P.E. Rosiello, Engin Kirda Christopher
kruegel and Fabrizio Ferrandi.”A Layout Similarity
Based Approach For Detecting Phishing Pages”.
IEEE Conference on Security and Privacy in
Communication Networks, Nice, France, September
2007.