PHISHING An introduction by Jayaseelan Vejayon


Post on 12-May-2015


TRANSCRIPT

Page 1: Phishing

PHISHING: An introduction

by Jayaseelan Vejayon

Page 2: Phishing

So… what is phishing?

• type of deception

• designed to steal your valuable personal data
  – credit card numbers
  – passwords
  – account data
  – other important personal information

Page 3: Phishing

The history

Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in the 70’s
- Fishing = use bait to lure the target

Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: similar names (www.ao1.com for www.aol.com), social engineering

Page 4: Phishing

The history (cont’d)

Phishing in 2001
Target: eBayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: same as in 1995, keylogger

Phishing in 2007
Target: PayPal, banks, eBay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation

Page 5: Phishing

A bad day phishin’, beats a good day workin’

• 2,000,000 emails are sent
• 5% get to the end user – 100,000 (APWG)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site – 100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000

In 2005 David Levi made over $360,000 from 160 people using an eBay phishing scam

Page 6: Phishing
Page 7: Phishing

Don't fall prey to online banking scams
The Star Online
Date: 19 February 2011

PETALING JAYA: Internet users must ensure they install all necessary updates and use a reputable anti-virus software so they don't fall prey to online banking scams.

HSBC Bank Malaysia Berhad general manager for personal financial services, Lim Eng Seong, said the number of Malaysians opting for online banking was increasing. "Most banks offer safety advice on the login page of their e-banking websites to warn users about the existence of such scams," he said.

Whenever there is a report of a scam, the bank immediately contacts Cyber Security Malaysia's Computer Emergency Response Team (CERT) to remove the phishing website. "For phishing websites operating from outside the country, we seek the assistance of the country's local CERT team to shut down the website," he said.

Travel agent Safura Mokhtar, 41, recently became a victim of a phishing scam. She lost RM4,600 but the local bank refused to offer her a refund although she was quick to report the incident. She had received an e-mail, claiming to be from the bank, in November last year.

"The e-mail stated that I needed to log in immediately to update my contact information for security purposes," said Safura who unsuspectingly clicked on the link provided. "I am new to online banking and I was not aware that such scams existed," said Safura who later received a text message from the bank informing her that money had been transferred out of her account.

She received a letter from the bank a week later informing her that they could not compensate her for her losses. She was then referred to the Financial Mediation Bureau (FMB) which told her investigations would take up to six months. "Cases of online banking scams in Malaysia have been increasing since the first such case was registered in 2005," said FMB CEO John Thomas.

Statistics from FMB showed that the number of cases had increased from only 46 in 2008 to 163 in 2010. On the chances of victims getting their money back, Thomas said that of the 163 cases last year, only 51 victims managed to get part or all of their money back. A check with Bank Negara showed that as of December last year, there were 9.8 million e-banking account holders in the country.

Page 8: Phishing


Page 9: Phishing

What Does a Phishing Scam Look Like?

As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.

They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

Page 10: Phishing

Phishing Techniques

• Employ visual elements from target site

• DNS tricks:
  – www.ebay.com.kr
  – [email protected]
  – www.gooogle.com

• Certificates
  – Phishers can acquire certificates for domains they own
  – Certificate authorities make mistakes

Page 11: Phishing

Spear-Phishing: Improved Target Selection

• Socially aware attacks
  – Mine social relationships from public data
  – Phishing email appears to arrive from someone known to the victim
  – Use spoofed identity of a trusted organization to gain trust
  – Urge victims to update or validate their account
  – Threaten to terminate the account if the victims do not reply
  – Use a gift or bonus as bait
  – Security promises

• Context-aware attacks
  – “Your bid on eBay has won!”
  – “The books on your Amazon wish list are on sale!”

Page 12: Phishing

An example

Page 13: Phishing
Page 14: Phishing

How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for:

"Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

"If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.

Page 15: Phishing

How To Tell If An E-mail Message is Fraudulent (cont’d)

"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

"Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually “masked”, meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.

Page 16: Phishing

How To Tell If An E-mail Message is Fraudulent (cont’d)

Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters.

For example, the URL "www.microsoft.com" could appear instead as:

• www.micosoft.com
• www.mircosoft.com
• www.verify-microsoft.com
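As an added example, not part of the original slides, the Python checker below turns the link tricks from the "Phishing Techniques" and "How To Tell" slides into detection rules: one-letter additions, omissions or transpositions of a brand name (www.micosoft.com, www.mircosoft.com, www.gooogle.com), a brand name used as a subdomain or prefix of another domain (www.ebay.com.kr, www.verify-microsoft.com), user-info before '@' that hides the real host, and "masked" links whose visible text does not match the href. It assumes a short hard-coded list of protected brands and a naive "last two labels" notion of registrable domain instead of a public-suffix list.

```python
# Added example, not from the slides: flag the link tricks the deck lists
# (lookalike spelling, brand-as-subdomain, '@' user-info, masked link text).
from urllib.parse import urlparse

BRANDS = {"microsoft.com", "ebay.com", "google.com", "paypal.com", "aol.com"}  # assumed list

def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix list, so
    'www.ebay.com.kr' yields 'com.kr', which is still not a protected brand."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def dl_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: one added,
    omitted, substituted, or transposed letter each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def check_url(url, visible_text=None):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if parsed.username is not None:  # 'http://www.brand.com@real-host/' trick
        reasons.append(f"text before '@' hides the real host {host}")
    reg = registrable_domain(host)
    if reg in BRANDS:
        return reasons  # genuinely the brand's own domain
    for brand in sorted(BRANDS):
        name = brand.split(".")[0]
        if name in host:  # brand name present, but not as the registrable domain
            reasons.append(f"'{name}' appears in {host} but the domain is {reg}")
        elif dl_distance(reg.split(".")[0], name) == 1:  # one letter added/omitted/transposed
            reasons.append(f"{reg} is one edit away from {brand}")
    if visible_text:  # masked link: the text shown differs from where the href goes
        shown = urlparse(visible_text if "://" in visible_text else "http://" + visible_text).hostname
        if shown and registrable_domain(shown) != reg:
            reasons.append(f"link text shows {shown} but the href goes to {host}")
    return reasons
```

The substring rule deliberately errs on the side of flagging (any host containing a brand name that is not the brand's own domain), which suits a user-warning tool better than a silent blocker.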

Page 17: Phishing

How do I avoid becoming a victim …

Never respond to an email asking for personal information

Always check the site to see if it is secure. Call the phone number if necessary

Never click on the link in the email. Retype the address in a new window

Keep your browser updated

Keep antivirus definitions updated

Use a firewall

P.S.: Always shred your home documents before discarding them.

Page 18: Phishing

Thank you