New Internet Financial Fraud Trend ---Fighting the Phishing Scam
New Internet Financial Fraud Trend
---Fighting the Phishing Scam
CNCERT/CC APCERT
Jan. 2005 APAN www.cert.org.cn
National Computer network Emergency Response technical Team/Coordination Center of China
Abstract:
Overview of Phishing
Phishing analyses
Prevention
CNCERT/CC activities in Anti-phishing
Overview of Phishing
What is Phishing?
• --Phishing attacks use 'spoofed' e-mails and fake websites designed to bamboozle recipients into revealing confidential information with economic value, such as credit card numbers, account usernames and passwords, social security numbers, etc.
Phishing is Epidemic:
• --7 of 10 people who receive a phishing e-mail are spoofed
• --15% are tricked into providing personal information
• Statistics
By the end of 2004, CNCERT/CC had received 230 phishing reports from over 33 financial and security organizations worldwide.
• Statistics Oct. 2004
• Dec. 2004
• Oct. vs. Dec.
• With 29% of the total, the US appears to be on the decline, the number of sites hosted in the US decreasing during October. China, Korea, and Russia are next on the list with 16%, 9%.
• The United States continues to be the top geographic location for hosting phishing sites, with more than 32%. Other top countries are, in order: China 12%, Korea 11%, Japan 2.8%, Germany 2.7%, France 2.7%, Brazil 2.7%, Romania 2.2%, Canada 2.1%, and India 2.1%.
• Statistics
[Chart: CNCERT/CC Monthly Phishing Report, Jan. to Dec.; vertical axis 0 to 70]
• Damage
--Average economic loss of $115 per adult duped. (E-Trust)
--$500 million lost due to Phishing in U.S. (APWG)
--A phishing site had been visited 98 times in 48 hours (98 different IPs)
49 persons/day * 10 * 15% * $115 = $8452.5/case
• Number of active phishing sites reported in December: 1707
• Average monthly growth rate in phishing sites July through December: 24%
• Number of brands hijacked by phishing campaigns in December: 55
• Number of brands comprising the top 80% of phishing campaigns in December: 7
• Country hosting the most phishing websites in December: United States
• Contain some form of target name in URL: 24%
• No hostname just IP address: 63%
• Percentage of sites not using port 80: 13.1%
• Average time online for site: 5.9 days
• Longest time online for site: 30 days
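Added example (not from the original slides): a Python sketch that checks a URL for the three URL traits counted in these statistics (target name in the URL, IP address instead of a hostname, port other than 80). The brand map and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: brand keyword -> the brand's real domain (constructed values).
BRANDS = {"examplebank": "examplebank.com"}

def url_indicators(url, brands=BRANDS):
    """Return which of the three URL traits from the statistics a URL shows."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = set()

    # Trait: no hostname, just an IP address.
    try:
        ipaddress.ip_address(host)
        found.add("ip_literal_host")
    except ValueError:
        pass

    # Trait: not using port 80 (443 is treated as normal for https here).
    try:
        port = parts.port
    except ValueError:          # malformed port text
        port = -1
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if port is not None and port != default:
        found.add("non_default_port")

    # Trait: target name somewhere in the URL, but the host is neither the
    # brand's own domain nor a subdomain of it.
    text = f"{host}{parts.path}?{parts.query}".lower()
    for brand, domain in brands.items():
        own = host == domain or host.endswith("." + domain)
        if brand in text and not own:
            found.add("target_name_in_url")
    return sorted(found)

# Constructed sample URLs (documentation address range, made-up names).
SAMPLES = [
    "http://192.0.2.10:5180/examplebank/login.htm",
    "http://examplebank.com.account-check.example.net/",
    "https://www.examplebank.com/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, url_indicators(u))
```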
Phishing analyses
• How it works
Spoofed E-mail
• How it works
Fake Web Site
• Tech in Phishing
Fake log-in window pop-up
The site looks like the normal bank site; however, it is hosted in a different location. Most of the hosts were intruded, and the site was planted there by a hacker. It also sometimes contains malicious code.
• Tech in Phishing
Hide the fake URL by covering the address bar
• Tech in Phishing
IP Filter
    $file_ip = fopen("ip.txt", "r");
    while (! feof($file_ip)):
        $line = fgets($file_ip, 100);
        $line = trim($line);
        $flood_ip = ereg($ip, $line);
        if ($flood_ip):
            $file = "$folder/bad.txt";
            $need_to_add_ip = 0;
        else:
            $file = "$folder/good.txt";
            $need_to_add_ip = 1;
        endif;
    endwhile;
    fclose($file_ip);
    if ($need_to_add_ip == 1):
        $add_ip = fopen("ip.txt", "a+");
        $success_ip = fwrite($add_ip, "$ip");
        fclose($add_ip);
    endif;
The same IP may not visit the site twice. An IP that provided bad information is banned...
• Tech in Phishing
unconventional port
Pid  Process      Port  Proto  Path
436  svchost   -> 135   TCP    C:\WINNT\system32\svchost.exe
492  msdtc     -> 1025  TCP    C:\WINNT\system32\msdtc.exe
912  MSTask    -> 1026  TCP    C:\WINNT\system32\MSTask.exe
792  sqlservr  -> 1433  TCP    d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
896  r_server  -> 4899  TCP    C:\WINNT\System32\r_server.exe
964  http      -> 5121  TCP    c:\winnt\system32\http.exe
964  http      -> 5125  TCP    c:\winnt\system32\http.exe
964  http      -> 5180  TCP    c:\winnt\system32\http.exe
996  web       -> 6121  TCP    c:\winnt\system32\web.exe
996  web       -> 6125  TCP    c:\winnt\system32\web.exe
996  web       -> 6180  TCP    c:\winnt\system32\web.exe
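Added example (not part of the original slides): a Python sketch that parses the listing above and reports every listener missing from a baseline of expected (path, port) pairs, which is how the extra high ports stand out. The baseline is a hypothetical assumption; anything outside it is a lead for review, not a verdict.

```python
import re
from collections import defaultdict

# Rows as shown on the slide: Pid Process -> Port Proto Path
LISTING = r"""
436 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
492 msdtc -> 1025 TCP C:\WINNT\system32\msdtc.exe
912 MSTask -> 1026 TCP C:\WINNT\system32\MSTask.exe
792 sqlservr ->1433 TCP d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
896 r_server -> 4899 TCP C:\WINNT\System32\r_server.exe
964 http -> 5121 TCP c:\winnt\system32\http.exe
964 http -> 5125 TCP c:\winnt\system32\http.exe
964 http -> 5180 TCP c:\winnt\system32\http.exe
996 web -> 6121 TCP c:\winnt\system32\web.exe
996 web -> 6125 TCP c:\winnt\system32\web.exe
996 web -> 6180 TCP c:\winnt\system32\web.exe
"""

# Assumption: listeners the administrator expects on this host (hypothetical baseline).
BASELINE = {
    (r"c:\winnt\system32\svchost.exe", 135),
    (r"c:\winnt\system32\msdtc.exe", 1025),
    (r"c:\winnt\system32\mstask.exe", 1026),
    (r"d:\progra~1\micros~1\mssql\binn\sqlservr.exe", 1433),
}

ROW = re.compile(r"^(\d+)\s+(\S+)\s*->\s*(\d+)\s+(TCP|UDP)\s+(.+)$", re.I)

def parse(listing):
    """Yield (pid, process, port, proto, lowercased path) for each well-formed row."""
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            pid, name, port, proto, path = m.groups()
            yield int(pid), name, int(port), proto.upper(), path.strip().lower()

def unexpected_listeners(listing, baseline=BASELINE):
    """Map image path -> sorted ports for every listener missing from the baseline."""
    found = defaultdict(set)
    for _pid, _name, port, _proto, path in parse(listing):
        if (path, port) not in baseline:
            found[path].add(port)
    return {path: sorted(ports) for path, ports in found.items()}

if __name__ == "__main__":
    for path, ports in unexpected_listeners(LISTING).items():
        print(path, ports)
```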
Prevention
• Whose responsibility?
--Bank or Financial organization
--Internet User or IDC
--CERTs
--Internet Banking Customer
• Whose responsibility?
--Bank or Financial organization
Organizations that provide internet dealing or banking services have the responsibility to ensure that their website is not easy to imitate or mimic. They are also responsible for providing security awareness education.
• Whose responsibility?
--Internet User or IDC
Every internet user is responsible for protecting themselves. Most hosts were intruded because of an unpatched or unprotected system. Therefore, users should frequently update their systems and install a firewall, anti-virus, and other protection before they connect to the internet.
• Whose responsibility?
--CERTs
Up to now, many people and countries have been affected by phishing incidents. Fighting phishing needs somebody to coordinate. They are the CERTs.
• Whose responsibility?
--Internet Banking Customer
Users need to be aware of how to protect themselves and how to distinguish a phishing site.
• How to prevent
E-mail:
Make sure the e-mail is from the Bank…..
- Check the ‘from IP’
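Added example (not from the original slides): a Python sketch of the 'from IP' check. Received lines below the one stamped by your own mail server are written by the sender and can claim anything, so the code reads only the hop recorded by that server. The server name, the message and the bank network ranges are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

TRUSTED_MX = "mx.recipient.example"  # assumption: your own inbound mail server

# Constructed message. The lower Received line was supplied by the sender and
# claims the bank's network; only the top line was written by TRUSTED_MX.
RAW = """\
Received: from mail.examplebank.com (unknown [203.0.113.77])
\tby mx.recipient.example with ESMTP id A1; Mon, 10 Jan 2005 09:00:02 +0800
Received: from mail.examplebank.com ([198.51.100.5])
\tby relay.examplebank.com with SMTP; Mon, 10 Jan 2005 09:00:00 +0800
From: "Example Bank" <service@examplebank.com>
Subject: Please verify your account

(body omitted)
"""

BY = re.compile(r"\bby\s+(\S+)", re.I)
PEER_IP = re.compile(r"\[((?:\d{1,3}\.){3}\d{1,3})\]")

def handoff_ip(raw, trusted_mx=TRUSTED_MX):
    """IPv4 address of the peer that connected to our own MX, or None."""
    msg = message_from_string(raw)
    for header in msg.get_all("Received", []):      # newest hop first
        flat = " ".join(header.split())             # unfold continuation lines
        by = BY.search(flat)
        if by and by.group(1).lower() == trusted_mx:
            peer = PEER_IP.search(flat[:by.start()])
            try:
                return ipaddress.ip_address(peer.group(1)) if peer else None
            except ValueError:                      # e.g. [999.1.1.1]
                return None
    return None

def from_bank_network(raw, bank_networks):
    """True only if the hand-off IP lies inside one of the bank's known networks."""
    ip = handoff_ip(raw)
    return ip is not None and any(ip in ipaddress.ip_network(n) for n in bank_networks)
```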
• How to prevent
Host IP:
Confirm the IP location by visiting www.whois.net
- the website will be able to provide the host info
• How to prevent
Direct contact:
Double-check the info in the mail by calling the bank directly.
• How to prevent
Stop spoofed mail (for bank)
Sender ID:
Supported by Microsoft, E-trust, Hotmail, Sendmail, etc.
IIM (Identified Internet Mail):
Cisco and IETF (Internet Engineering Task Force)
CNCERT/CC activities in Anti-phishing
• Bank, Financial organization or other national CERT
CNCERT receives the report and investigates information about the host, such as its location, owner, and ISP.
• Host owner
A certain CNCERT/CC branch convinces them to take the site down, provide the data, tech support and security consulting.
*A CERT is not the police, and the host owner is also a victim. A CERT may only convince the host owner to cooperate.
• ISP
Ask for help, and assist the ISP with the investigation in certain cases.
• Public
Awareness education and consulting
Conclusion
• Always be aware of security
• Protect your system
• Help people to investigate the incident
• Tell people about network security
• Report the incident to ISP or CERT
• Consult the CERT about security
Question?
Thank you
E-mail:[email protected]