Phishing
Description: Phishing intro, methodology, types, effects, identification, avoidance
PHISHING
BY: JAVERIA
11-ARID-3303 MIT-4
UNIVERSITY INSTITUTE OF INFORMATION TECHNOLOGY,
RAWALPINDI(UIIT,UAAR) PAKISTAN
PHISHING ORIGINS
The first documented use of the word "phishing" took place in 1996. Most people believe it originated as an alternative spelling of "fishing," as in "to fish for information".
What is PHISHING
“Phishing is an illegal activity using social engineering techniques to fraudulently solicit sensitive information or install
malicious software.”
Phishing attempts to obtain sensitive information such as usernames, passwords, personal information, military operations details, financial information and so on.
Phishing emails can also include malicious links or attachments.
Emotional Triggers Exploited by Phishing
Greed
Fear
Heroism
Desire to be liked
Authority
Example
Suppose you check your e-mail one day and find
a message from your bank. You've gotten e-mail
from them before, but this one seems
suspicious, especially since it threatens to close
your account if you don't reply immediately.
This message and others like it are examples
of phishing, a method of online identity theft.
In addition to stealing personal and financial
data, phishers can infect computers with viruses.
Tools and Tactics
Using IP addresses instead of domain names in hyperlinks that address the fake web site.
Registering similar sounding DNS domains and setting up fake web sites that closely mimic the domain name of the target web site.
Embedding hyperlinks from the real target web site into the HTML contents of an email about the fake phishing web site, so that the user's web browser makes most of the HTTP connections to the real web server and only a small number of connections to the fake web server.
If the user's email client software supports auto-rendering of the content, the client may attempt to connect automatically to the fake web server as soon as the email is read, and a user browsing manually may not notice the small number of connections to a malicious server amongst the normal network activity to the real web site.
Effects of Phishing
Identity theft
Internet fraud
Financial loss to the original institutions
Difficulties in law enforcement investigations
Erosion of public trust in the Internet
STATISTICS
Industries most affected by phishing:
Financial
Payment Services
Gaming
Retail
Social Networks
STATISTICS
Number of brands affected
Types of Phishing
Deceptive - Sending a deceptive email, in bulk, with a “call to action”
that demands the recipient click on a link.
Malware-Based - Running malicious software on the user’s machine.
Content-Injection – Inserting malicious content into a legitimate site.
Man-in-the-Middle Phishing - Phisher positions himself between the
user and the legitimate site.
Search Engine Phishing - Create web pages for fake products, get
the pages indexed by search engines, and wait for users to enter their
confidential information as part of an order, sign-up, or balance
transfer.
Identifying a phishing scam
Phishing scams tend to have common characteristics
which make them easy to identify.
Spelling and punctuation errors.
Include a redirect to malicious URLs which require you to input usernames and passwords to access.
Try to appear genuine by using legitimate
operational terms, key words, company logos
and accurate personal information.
Fake or unknown sender.
Identifying a phishing scam (contd.)
Scare tactics to entice a target to provide personal information
or follow links.
Sensational subject lines to entice targets to click on attached
links or provide personal information.
Example
• Yahoo link URL spoofing
• A fake or forged URL which impersonates a legitimate website.
• Requests credit card information
• Threatens service interruption
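As an added example (not part of the slides), a small Python link-analysis check for the indicators listed under Tools and Tactics and the URL spoofing pattern above: IP-literal hosts, lookalike domains, anchor text that shows a different address from the real link target, and the handful of foreign links hidden among genuine ones. The sample e-mail body, the brand name example-bank.com and the edit-distance threshold are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample e-mail body: two genuine links to the impersonated brand,
# an IP-literal login link, and a lookalike domain whose anchor text displays
# the real brand's address.
SAMPLE_EMAIL = """
<a href="http://www.example-bank.com/help">Help centre</a>
<a href="http://www.example-bank.com/privacy">Privacy</a>
<a href="http://203.0.113.7/login">Verify your account now</a>
<a href="http://www.examp1e-bank.com/secure">www.example-bank.com/secure</a>
"""
TRUSTED = {"example-bank.com"}  # registered domain the mail claims to come from
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def registered_domain(host):
    """Naive eTLD+1 (last two labels); fine for the demo, wrong for .co.uk etc."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot similar-looking domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse_link(href, text):
    """Indicators for one <a> element; an empty list means the link looks genuine."""
    flags = []
    host = urlparse(href).hostname or ""
    dom = registered_domain(host)
    if IP_RE.match(host):
        flags.append("ip-literal-host")          # IP address instead of a domain name
    elif dom not in TRUSTED:
        flags.append("foreign-host")             # not the brand's own server
        if any(edit_distance(dom, t) <= 2 for t in TRUSTED):
            flags.append("lookalike-domain")     # registered to mimic the brand
    shown = re.sub(r"^https?://", "", text.strip()).split("/")[0]
    if "." in shown and registered_domain(shown) != dom:
        flags.append("anchor-text-mismatch")     # displayed address != real target
    return flags

def analyse_email(html):
    """Suspicious hrefs -> indicators; genuine links are omitted so the few foreign ones stand out."""
    return {h: f for h, t in ANCHOR_RE.findall(html) if (f := analyse_link(h, t))}
```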
How to avoid a phishing scam
Protect yourself from phishing scams:
Think before you open
Beware the unknown sender or sensational subject line. Be suspicious of any email with urgent requests for personal financial information.
Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
Install latest anti-virus packages
Inspect the address bar and SSL certificate
Digitally sign and encrypt emails wherever possible.
How to avoid a phishing scam (contd.)
Do not follow links included in emails or text messages; use a known good link instead.
Do not follow links to unsubscribe from spam; simply mark as spam and delete.
You will never get a free iPad, don’t fill anything
out!
Anti-Phishing Working Group (anti-phishing.org)
The organization provides a forum to discuss phishing issues,
define the scope of the phishing problem in terms of hard and
soft costs, and share information and best practices for
eliminating the problem.
The APWG has over 2300 members from over 1500 companies & agencies worldwide. Member companies include leading security companies such as:
○ Symantec
○ McAfee
○ Kaspersky
Financial industry members include:
○ VISA
○ Mastercard
○ American Bankers Association
YOUR PASSWORD, YOUR DATA, YOUR LIFE!!!!