How Phishing Works Prof. Vipul Chudasama

Upload: helena-walker

Post on 04-Jan-2016

Page 1: How Phishing Works Prof. Vipul Chudasama. Phishing Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card

How Phishing Works

Prof. Vipul Chudasama

Page 2

Phishing

• Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

• Mainly carried out by:

• Email spoofing

• Instant messaging

• Social engineering

• Domain, subdomain

Page 3

History

• The first recorded mention of the term "phishing" is found in the hacking tool AOHell (according to its creator), which included a function for attempting to steal the passwords or financial details of America Online users. (1995)

• A phisher might pose as an AOL staff member and send an instant message to a potential victim, asking him to reveal his password.

• In order to lure the victim into giving up sensitive information, the message might include imperatives such as "verify your account" or "confirm billing information".

• Once the victim had revealed the password, the attacker could access and use the victim's account for fraudulent purposes or spamming.

Page 4

Phishing

Page 5

Phishing Types

• Phishing: spoofed email (like American Express)

• Spear phishing: phishing attempts directed at specific individuals or companies

• Clone phishing: the attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender.

• Whaling: senior executives and other high-profile targets

• Rogue WiFi (MitM)

Page 6

How phishing is carried out

• Phisher contacts a malware software developer

• Malware software sends email to thousands of people

• Email is designed to look the same as legitimate sites and inserts a link

• Person clicks on the link, which leads to a spoofed website

• Phisher captures user information

• Phisher steals the money from the user's account

Page 7

Other Techniques

• Link Manipulation

• Website Forgery

• Phone (Voice) Phishing

Page 8

Phishing – Link Manipulation

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization.

Misspelled URLs (Uniform Resource Locators) or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.Suntrust.com.bank.com/, where the registered site is bank.com and "Suntrust.com" is only a subdomain of it.

Another common trick is to make the anchor text for a link appear to be a valid URL when the link actually goes to the phishers' site.

Page 9

Phishing – Link Manipulation

An old method of spoofing links used links containing the @ symbol, originally intended as a way to include a username and password in a web link.

For example, the link http://[email protected]/ might deceive a casual observer into believing that it will open a page on Google.com, whereas the link actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied.
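Both link-manipulation tricks on these two slides can be recognised mechanically by parsing the URL the way a browser does and looking at where it really resolves. The following is an added example for this deck, not code from the slides: it uses Python's standard `urllib.parse`, a naive "last two labels" notion of the registrable domain (a simplification; a production check would consult the Public Suffix List), and a constructed list of watched brand names. The Suntrust URL is the slide's own example; the second URL is reconstructed from the slide's description (username `www.google.com`, host `members.tripod.com`).

```python
"""Recognising the subdomain trick and the "@" (userinfo) trick in links.

Added example, not part of the original slides. Standard library only.
"""
from urllib.parse import urlsplit

# Constructed sample: brands whose names we do not want to see abused.
WATCHED_BRANDS = {"suntrust", "google", "paypal"}


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a hostname.

    Simplification: no Public Suffix List, so example.co.uk would be
    reported as co.uk. Good enough to show the idea.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str) -> dict:
    """Report where a link really goes and which deception tricks it uses."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname drops userinfo and port
    findings = []

    # Trick 1: userinfo before "@". Everything before the "@" is a username,
    # so www.google.com@members.tripod.com actually goes to members.tripod.com.
    if parts.username is not None:
        findings.append(
            f"userinfo '{parts.username}' precedes the real host '{host}'"
        )
        if any(b in parts.username.lower() for b in WATCHED_BRANDS):
            findings.append("userinfo contains a watched brand name")

    # Trick 2: brand name placed in a subdomain of an unrelated registrable
    # domain, e.g. www.Suntrust.com.bank.com is really a host under bank.com.
    reg = registrable_domain(host)
    subdomain_part = host[: len(host) - len(reg)]
    for brand in sorted(WATCHED_BRANDS):
        if brand in subdomain_part and brand not in reg:
            findings.append(
                f"brand '{brand}' appears in the subdomain but the site is '{reg}'"
            )

    return {
        "host": host,
        "registrable_domain": reg,
        "username": parts.username,
        "findings": findings,
    }


def is_suspicious(url: str) -> bool:
    """True when at least one deception trick was found."""
    return bool(analyse_link(url)["findings"])


if __name__ == "__main__":
    for u in (
        "http://www.Suntrust.com.bank.com/",            # slide's own example
        "http://www.google.com@members.tripod.com/",    # reconstructed from slide text
        "https://www.suntrust.com/login",               # constructed benign control
    ):
        r = analyse_link(u)
        print(u, "->", r["host"], "SUSPICIOUS" if r["findings"] else "ok")
        for f in r["findings"]:
            print("   ", f)
```

The useful defensive point is that `parts.hostname` is what the browser will connect to; anything a user reads before the `@`, and any brand name left of the registrable domain, is decoration the attacker controls.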

Page 10

Phishing – Website Forgery

Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity's URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.

Page 11

Phishing – Website Forgery

An attacker can even use a trusted website's own scripts against the victim.

These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct.

In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.
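The slide's point is that the crafted link points at the genuine site, so the address bar and certificate are real and the harm comes from the site's own page reflecting attacker-controlled input. The following is an added example, not the slides' code and not PayPal's: a hypothetical login page that echoes a `msg` query parameter (an assumed parameter name) into its HTML, shown in the vulnerable form beside the hardened form that HTML-escapes the value before insertion. The crafted link is constructed for the demonstration.

```python
"""Reflected cross-site scripting on a trusted site: vulnerable vs hardened.

Added example, not part of the original slides. The page template and the
'msg' parameter are hypothetical.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical login page with a notice slot filled from the query string.
PAGE = ('<html><body><h1>Sign in</h1><p class="notice">{notice}</p>'
        '<form method="post">...</form></body></html>')

# Constructed crafted link: same real host, but the parameter carries markup.
CRAFTED_LINK = "https://bank.example/login?msg=%3Cscript%3E/*injected*/%3C/script%3E"


def notice_from_url(url: str) -> str:
    """Return the user-controlled 'msg' query parameter ('' if absent)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Vulnerable: attacker-controlled text is inserted straight into markup."""
    return PAGE.format(notice=notice_from_url(url))


def render_hardened(url: str) -> str:
    """Hardened: html.escape turns <, >, &, " and ' into entities, so the
    browser renders the value as text rather than as tags."""
    return PAGE.format(notice=html.escape(notice_from_url(url), quote=True))


def notice_has_markup(rendered: str) -> bool:
    """Detection helper: does the notice slot still contain a raw tag?"""
    marker = '<p class="notice">'
    start = rendered.index(marker) + len(marker)
    end = rendered.index("</p>", start)
    return "<" in rendered[start:end]


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_LINK))
    print("hardened:  ", render_hardened(CRAFTED_LINK))
```

Because the link's host is the real one, URL inspection of the kind used against the subdomain and `@` tricks does not help here; the fix has to live on the site, in how it handles its own input.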

Page 12

Phone (Voice) Phishing

Not all phishing attacks require a fake website. In an incident in 2006, messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts.

Once the phone number (owned by the phisher, and provided by a Voice over IP provider) was dialed, prompts told users to enter their account numbers and PIN.

Voice phishing sometimes uses fake caller-ID data to give the appearance that the calls come from a trusted organization.

Page 13

Phishing - How To Protect Yourself

Users can take steps to avoid phishing attempts by slightly modifying their browsing habits.

Users who are contacted about an account needing to be "verified" (or any other topic used by phishers) can contact the company that is the subject of the email to check that the email is legitimate. They can also type a trusted web address for the company's website into the address bar of their browser to bypass the link in the suspected phishing message.

Page 14

Phishing - How To Protect Yourself

Nearly all legitimate email messages from companies to their customers will contain an item of information that is not readily available to phishers.

Some companies, like PayPal, always address their customers by their username in emails, so if an email addresses a user in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing.

Spam filters can also help by reducing the number of phishing emails that users receive in their inboxes.
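The tells on this slide (a generic greeting instead of the account name) and on the history slide (imperatives like "verify your account" and "confirm billing information"), together with the anchor-text trick from the link-manipulation slide, are exactly what a simple filter can score. The following is an added example, not the slides' code or any real spam filter: a scorer over HTML mail bodies using only the standard library. The greeting pattern, the phrase list and the two sample emails are constructed for the demonstration.

```python
"""Scoring an email body for the phishing tells described on the slides.

Added example, not part of the original slides. Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed starting points; a real filter would have far longer lists.
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|user|member|client|account\s+holder|\w+\s+customer)\b",
    re.IGNORECASE | re.MULTILINE,
)
URGENCY_PHRASES = ("verify your account", "confirm billing information")
HOST_LIKE = re.compile(r"[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text: str) -> str:
    """Lowercase hostname of a URL-like string ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def score_email(html_body: str) -> dict:
    """Return {'score': n, 'reasons': [...], 'verdict': str} for one message."""
    reasons = []
    plain = re.sub(r"<[^>]+>", " ", html_body)   # crude tag stripping for text checks

    if GENERIC_GREETING.search(plain):
        reasons.append("generic greeting instead of the account name")

    lowered = plain.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            reasons.append(f"urgency phrase: '{phrase}'")

    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    for text, href in parser.links:
        # Only compare when the visible text itself looks like a host or URL.
        if HOST_LIKE.fullmatch(text) and host_of(text) != host_of(href):
            reasons.append(
                f"link text shows '{host_of(text)}' but href goes to '{host_of(href)}'"
            )

    score = len(reasons)
    verdict = "likely phishing" if score >= 2 else "suspicious" if score else "no tells"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """<html><body><p>Dear PayPal customer,</p>
<p>We could not verify your account. Please visit
<a href="http://www.paypal.com.account-check.example/">www.paypal.com</a>
to confirm billing information.</p></body></html>"""

SAMPLE_LEGIT = """<html><body><p>Dear jsmith,</p>
<p>Your monthly statement is ready at
<a href="https://www.paypal.com/statements">www.paypal.com</a>.</p></body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_email(body)
        print(name, result["verdict"], result["reasons"])
```

The greeting check is the one the slide singles out; the urgency phrases come straight from the AOL-era history slide, and the link check catches anchor text that reads as one host while the `href` resolves to another.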

Page 15

Phishing - How To Protect Yourself

Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures.

For example, some anti-phishing toolbars display the real domain name for the visited website.

The Petname extension for Firefox lets users type in their own labels for websites, so they can later recognize when they are back at the correct site. If the site is suspect, the software may either warn the user or block the site outright.

Internet Explorer version 7 is intended to defend users from phishing as well as deceptive or malicious software, and it also features full user control of ActiveX and a better security framework.

Page 16

Phishing Example

In this example, targeted at South Trust Bank users, the phisher has used an image to make it harder for anti-phishing filters to detect by scanning for text commonly used in phishing emails.

Page 17

Quiz

Legitimate

or

Phishing

Page 18

Phishing

Page 19

Quiz

Legitimate

or

Phishing

Page 20

Legitimate

Page 21