phishing attacks and its vectors

All Rights Reserved © gaganjain.com 2015
PHISHING ATTACKS AND ITS SOLUTIONS
GRIN Archive No: V295346
Phishing!

Upload: gagan-jain-bs

Post on 02-Oct-2015

Description: Phishing attacks and its preventive measures


  • All rights reserved gaganjain.com 2015
    Paper: GAGAN JAIN B SATISH
    2

    Contents

    1.1 Introduction ... 3
    2. PHISHING ATTACKS AND ITS VECTORS ... 5
    2.1 PHISHING ATTACK ... 5
    2.2 TYPES OF ATTACKS FOR TYPES OF USERS! ... 6
    2.3 WHAT CAN AN ATTACKER GET FROM THESE ATTACKS? ... 8
    3. HOW TO RESOLVE THESE ATTACKS ... 12
    3.2 b) Social Engineering ... 13
    3.1 c) QR Code ... 16
    4. REPORTS BY ANTIVIRUS GIANTS ... 18
    AVAST REPORT ... 19
    TOP TEN TLDs PHISHING ORIGINATING FROM ... 20
    Conclusion ... 22
    References ... 22


    1.1 Introduction

    In today's world people are so interconnected that it is easy to communicate with people we do not get to meet every day. People use online social networks, blogs, websites and other media to communicate and share things with each other. But all this fun has a downside that can lead to a serious situation: just a victim's first and last name can be enough of a tool to break into an individual's accounts in today's world. Alongside these fancy technologies, hackers have also become sophisticated, building tools such as automated attacker scripts that break into a system with the given credentials. This paper talks about an attack of that kind, one which exploits a user's credentials by presenting him with a dummy page that looks like the site he wanted to log in to; after he enters his credentials the page redirects to the original page, so the user thinks it simply reloaded, while in reality the attacker has stolen his username and password.


    PHISHING ATTACKS AND ITS VECTORS

    Prepared by

    GAGAN JAIN B SATISH

    [email protected]


    2. PHISHING ATTACKS AND ITS VECTORS

    2.1 PHISHING ATTACK

    A phishing attack is a type of hacking technique in which an attacker fools the victim into entering his credentials into a fake (dummy) page that looks like the real login page of a website. Phishing is one of the easiest ways of breaking into a victim's account. There are many scenarios in which phishing attacks are used. The main areas where phishing happens are:

    - Social networking sites
    - Banks
    - Companies
    - Job banks
    - Gaming sites

    What exactly happens in a phishing attack?

    [Figure: flow of a phishing attack. The ATTACKER sends an EMAIL to the VICTIM; the victim clicks on the link in the email and lands on the FAKE PAGE; the fake page redirects to the ORIGINAL PAGE.]


    This is the common scenario of a phishing attack; the figure shows how a typical email phishing attack happens.

    2.2 TYPES OF ATTACKS FOR TYPES OF USERS!

    Phishing attacks are not performed only by spoofing an email address. The victim can also be attacked locally. There are different types of attacks for different cases:

    - Victim at an unknown or remote location. This is achieved by sending a mail or a text so that the victim is redirected to the fake page, where he enters his credentials. In this type of attack the attacker sends a mail pretending to be from a company, an organization or a website. The attacker creates an email template that looks like a real email and contains a link which redirects the victim to the fake page, where the victim enters his username and password. After the login button is clicked the page reloads and redirects to the original page, so it looks as if the page just reloaded. The attacker now has a text file on the server where the fake page is hosted, in which the victim's credentials are stored.


    - Victim on a local network. This is the case where the victim is on the same network as the attacker. The attacker targets the access point's ARP table and spoofs the entry for the victim's IP address; this is also called an ARP poisoning attack. What happens is that the attacker scans the access point and gets the list of all devices connected to the same access point he is connected to. He then obtains the victim's MAC address and IP address and spoofs the victim's IP. He poisons the ARP table in the access point so that whatever request the victim sends to the access point is answered by the attacker, who can then redirect the victim's machine to his local server. This is called a MITM (man in the middle) attack. The victim is redirected to the attacker's local server or machine and lands on a fake page that looks like the page the victim requested; from there it works the same way as every other phishing attack.
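    Since ARP poisoning on a shared access point is what lets the attacker above redirect a victim to a locally hosted fake page, here is an added defender-side example (not from the paper) that flags the two symptoms such an attack leaves in a monitoring host's ARP cache: an IP address whose MAC changes between snapshots, and one MAC answering for several IPs at once. The snapshots, the gateway address and the attacker MAC are constructed values.

```python
"""Detect signs of ARP poisoning from periodic ARP-cache snapshots.

Added example, not from the paper. It assumes a monitoring host that
records its ARP cache every few seconds (e.g. parsed from `arp -an` or
`ip neigh`) as {ip: mac} dictionaries. Two symptoms are checked:
  1. an IP address (typically the gateway) whose MAC flips between
     snapshots, and
  2. one MAC address that claims several IP addresses at once.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # constructed lab value

# Constructed snapshots: t0 is clean; in t1 the MAC aa:bb:cc:dd:ee:ff
# (the host at .55) is answering for both the gateway and the host at .20.
SNAPSHOTS = [
    {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.20": "00:11:22:33:44:14",
     "192.168.1.55": "aa:bb:cc:dd:ee:ff"},
    {"192.168.1.1": "aa:bb:cc:dd:ee:ff", "192.168.1.20": "aa:bb:cc:dd:ee:ff",
     "192.168.1.55": "aa:bb:cc:dd:ee:ff"},
]


def mac_changes(snapshots):
    """Return [(ip, old_mac, new_mac)] for every IP whose MAC flipped."""
    changes, last = [], {}
    for snap in snapshots:
        for ip, mac in snap.items():
            if ip in last and last[ip] != mac:
                changes.append((ip, last[ip], mac))
            last[ip] = mac
    return changes


def shared_macs(snapshot):
    """Return {mac: sorted IPs} for MACs that answer for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in snapshot.items():
        by_mac[mac].append(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


def analyze(snapshots, gateway_ip=GATEWAY_IP):
    """Combine both checks; a gateway takeover is the highest severity,
    because that is what lets an attacker redirect every web request."""
    findings = []
    for ip, old, new in mac_changes(snapshots):
        sev = "HIGH" if ip == gateway_ip else "MEDIUM"
        findings.append((sev, f"{ip} moved from {old} to {new}"))
    for mac, ips in shared_macs(snapshots[-1]).items():
        findings.append(("MEDIUM", f"{mac} claims {', '.join(ips)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in analyze(SNAPSHOTS):
        print(sev, msg)
```

    A real deployment would feed live snapshots in and alert on the HIGH finding; a static gateway ARP entry on critical hosts is the usual mitigation.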

    2.3 WHAT CAN AN ATTACKER GET FROM THESE ATTACKS?

    An attacker can possibly gain admin rights, i.e. the attacker can access your email ID, username, passwords, credit card numbers, SSN, SIN, anything a victim uses on the internet to identify himself and to purchase something. This is a very high-level threat and easy to deploy if you know standard HTML, PHP and web hosting. Put simply, an attacker can gain everything from you.

    Here are 3 examples where a victim's account is compromised and sensitive data has been stolen.


    FACEBOOK:

    This is a fake email that looks just like an original email.


    FACEBOOK PHISHING PAGE:

    [Figure: Facebook phishing page]

    GMAIL:

    [Figure: fake Gmail login page, https://blog.fierydragonlord.com/uploads/gmail-phishing/fake-gmail-login.png]

    RBC BANK PHISHING PAGE:

    [Figure: RBC Bank phishing page]


    3. HOW TO RESOLVE THESE ATTACKS

    3.1 a) MAIL

    1. Guard against spam. Be especially cautious of emails that:
       * come from unrecognized senders;
       * ask you to confirm personal or financial information over the Internet and/or make urgent requests for this information;
       * aren't personalized;
       * try to upset you into acting quickly by threatening you with frightening information.

    2. Communicate personal information only via phone or secure web sites. In fact, when conducting online transactions, look for a sign that the site is secure, such as a lock icon on the browser's status bar or an "https:" URL, where the "s" stands for secure, rather than "http:". Also beware of phone phishing schemes: do not divulge personal information over the phone unless you initiated the call, and be cautious of emails that ask you to call a phone number to update your account information.

    3. Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender.

    4. Never email personal or financial information, even if you are close to the recipient. You never know who may gain access to your email account, or to the account of the person you are emailing.

    5. Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with. Phishing web sites often copy the entire look of a legitimate web site, making it appear authentic. To be safe, call the legitimate enterprise first to see if they really sent that email to you. After all, businesses should not request personal information to be sent via email.

    6. Beware of pop-ups and follow these tips:
       * never enter personal information in a pop-up screen;
       * do not click on links in a pop-up screen;
       * do not copy web addresses into your browser from pop-ups;
       * legitimate enterprises should never ask you to submit personal information in pop-up screens, so don't do it.

    7. Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software, and update them all regularly to ensure that you are blocking new viruses and spyware.

    8. Check your online accounts and bank statements regularly to ensure that no unauthorized transactions have been made. (Identitytheftkiller.com, n.d.)

    3.2 b) Social Engineering

    Introduction

    Social engineering techniques are among the most powerful tools in the hackers' toolbox. Generically, social engineering is the motivation of someone ('the mark') to disclose personal or other important information that the hacker can use to their own advantage (e.g., to steal an identity in order to exploit financial information, or to extract an important password in order to break into a server).

    Just like the traditional grifters of the past, hackers use the general tendency of people to want to 'be nice', 'stay out of trouble', and/or 'protect their own assets' to motivate them to give out information and even feel good about doing it.

    Examples

    Probably the most popular and well-known social engineering scam is known as the '419 scam' (after the section of the Nigerian Penal Code that discusses this sort of infraction) or, more generically, as an 'Advance Fee Fraud'. In this scam, an important government official (or similar personage) has tragically died, leaving behind a large sum of money. In exchange for your help in moving the money from an unfriendly foreign country to a more friendly bank account, you will be rewarded with a substantial reward (e.g., 20% of 60 million dollars). Who could resist doing good and being rewarded for your good deed? This scam has been conducted via postal mail, fax, and telex in addition to the far less expensive e-mail proliferation mechanism.

    Surprisingly, the proffering of your bank account number is not usually the way 419 scammers make money. Their income derives from the fees you must pay to bribe certain officials, lubricate the liberation of the money from a bank account, and so on. It is believed that no one has ever received money in return for these investments. In fact, many folks have lost small fortunes (a New Yorker article, one from Fox News (with a reference to the pastor's wife who killed him after losing their family savings), folks in Japan, and a BBC report of a scammed Briton).

    While most people these days have heard of the 419 scam and recognize it by the telltale "too good to be true" litmus test, social engineers use other motivations to extract folks' information:

    "This email confirms you have paid $xxx for [some product]": Of course, you never bought anything from the company and will give them information to find the errant payment and refund your money. The scam is that they are just collecting your credit information to make actual charges.

    "Paypal (or someone) needs you to reconfirm your information": No they don't. The web page is legitimate except for one little link that sends your information to the scammer instead of to Paypal. Everything looks legitimate until that very last click.

    "Your account at [xxx] has been suspended for ...": No it hasn't. But you'll have to supply a goodly amount of personal information to get it back. Don't do this!

    CLICK HERE TO SEE THESE EMAILS: http://web.stanford.edu/group/security/securecomputing/phishingexample.html

    Defence

    Vigilance is the only defence against social engineering. Look for these markers to know you're getting ready to divulge too much:

    "Here's your big chance to play the new fantastic version of the [xxx] game!" The link, of course, goes somewhere where they will extract some private information (real name? a password that might work somewhere else? your birthdate in order to prove you are 'old enough' to play, etc.). This really is the #1 rule: avoid clicking links people send you; use a search engine to find the proper link instead.

    Anything that sounds too good to be true probably is. It is unlikely that you have won the Irish Sweepstakes, even if you elect to send in a $1,000 security payment.

    Any solicitation you get in email that you did not request, even from a trusted friend, should be discarded immediately. No reputable company works this way. Email with misspelled, mispunctuated, or bizarrely formatted text is almost surely a scam. If something feels like it requires action, confirm via telephone with someone you know (or at least can verify, e.g., by calling the corporate headquarters) before you send money. A recent scam asks for money because your best friend (or aunt or grandmother or ...) is caught in Europe (or some faraway place) and can't return until they pay bail, or a fee, or some other money requirement. You, the trustworthy friend or relative, can help them! Call them at home to make sure they're not there before sending money.

    Any time you are getting ready to feel good about giving away some money or information, think twice: Why am I really doing this? Do I know who is on the other end of my bequest? "Hey, John, please remind me of the combination to get into the machine room." Who is really asking?

    Keywords to avoid: verify, account, won, lottery, respond [now, quickly], or you will suffer [some horrible thing]. See these? Click delete.

    Vishing: These same pitches and scams work in airports, for panhandlers, and all sorts of non-computer scammers, too, by the way. They even work when people call you on the phone! "Hey, Jill, this is Ralph over in accounting. I've forgotten [xxx], can you help me out?" Look up their number and call them back.

    SMSiShing: Same idea for text messages on your phone. Don't believe a bank will text you; call them on an independently verified number.

    With eyes wide open, the Internet can be a happy and safe place for many sorts of transactions. (Stanford, May 2014)
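    The checks in section 3.1 a) (look at where a link really goes, prefer https, beware of copied login pages) and the markers in this section (pressure keywords, "reconfirm your information") can be applied by a mail filter as well as by a reader. The following is an added example, not from the paper or the sources it cites; the brand list, keyword list, point weights and the sample email are assumptions, and the lookalike domain used is the facibok.me address the paper reports in section 3.1 c).

```python
"""Automated form of the email checks in sections 3.1 a) and 3.2 b).

Added example, not from the paper. It scans a constructed HTML email for
the markers the paper lists: link text naming one domain while the href
points to another, plain http:// links, lookalike domains (facibok.me for
facebook.com) and pressure keywords. BRANDS, KEYWORDS and the point
weights are assumptions of this example.
"""
import re
from urllib.parse import urlparse

BRANDS = {"facebook.com", "paypal.com", "gmail.com", "rbc.com"}
KEYWORDS = ("verify", "account", "won", "lottery", "respond now",
            "respond quickly", "suspended", "reconfirm")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
# Constructed sample: the visible text says facebook.com, the href does not.
SAMPLE = ('<p>Your account has been suspended. Please verify now: '
          '<a href="http://facibok.me/login.php">'
          'https://www.facebook.com/login</a></p>')


def registrable(host):
    """Crude brand.tld reduction: www.facebook.com -> facebook.com."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance; lookalikes usually differ by one or two letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """Return the brand whose label is within distance 2 of host's, else None."""
    label = registrable(host).split(".")[0]
    for brand in sorted(BRANDS):
        if 0 < edit_distance(label, brand.split(".")[0]) <= 2:
            return brand
    return None


def triage(html):
    """Return (points, reason) findings; their sum is the phishing score."""
    findings = []
    for href, text in ANCHOR.findall(html):   # simple regex; no nested tags
        host = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and registrable(shown) != registrable(host):
            findings.append((3, f"text shows {shown} but href goes to {host}"))
        if urlparse(href).scheme == "http":
            findings.append((1, f"plain http link to {host}"))
        brand = lookalike(host)
        if brand:
            findings.append((3, f"{host} imitates {brand}"))
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [k for k in KEYWORDS if k in plain]
    if hits:
        findings.append((len(hits), "pressure keywords: " + ", ".join(hits)))
    return findings


def score(html):
    """Total points; the threshold for quarantine is a local policy choice."""
    return sum(points for points, _ in triage(html))
```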

    3.1 c) QR Code


    WHAT IS A QR CODE?

    The QR in the name stands for quick response, expressing the development concept for the code, whose focus was placed on high-speed reading. When it was announced, however, even Hara, one of the original developers of the code, could not be sure whether it would actually be accepted as a two-dimensional code to replace barcodes.

    Example:

    Nowadays QR codes are pretty famous, and people use them to generate their identity proof and exchange it. This is actually pretty cool! Let's say I join a company and the company gives me a visiting card with a QR code printed on it. That's pretty cool! Anyway, as I was explaining, QR codes can be used to generate a QR code for my Facebook profile so that new friends can add me more easily.

    Now one day, as I was going by, I saw a QR code stuck on a pole in the street. I walked up to see what it was all about and saw a party night poster next to it, pointing to the QR code to get invited to the party: JUST POINT YOUR DEVICE AT THIS QR CODE AND GET INVITED VIA FB EVENTS.

    So I thought this was interesting: why would someone want to get invited to a party by people they don't even know? So I decided to look for myself and scanned the code.

    As I scanned this code it redirected me to the FACEBOOK LOGIN page, which in turn was also converted to a mobile site. NICEEEEEEE!! Then I glanced up at the URL and saw:

    http://Facibok.me/login.php

    This is some new level of hacking. This must have hacked at least 200 people's Facebook accounts.

    4. REPORTS BY ANTIVIRUS GIANTS

    According to the APWG's Global Phishing report:


    http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf

    AVAST REPORT:

    http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf


    https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcRGKZ8EXRxTdywoLiMY6_iJv1yGobB1vCZaQVGp9DCYB57Cxi4lOQ

    TOP TEN TLDs PHISHING ORIGINATING FROM:


    These are the top 10 domain TLDs (e.g. .com, .in, .org, .edu). These are the domain TLDs you should look out for:

    http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf


    Conclusion

    Phishing attacks are evolving day by day and the scams are becoming even more realistic, so users have to become more technologically educated in how to use things and how to use them securely.

    The online world is a bigger world than you think, and you are unique in it. Each user has his own pattern of using the Internet, so your identity is your secret. Never trust anybody online, and never show your identity to unknown sources.

    Almost forgot! To check whether your email or a username you use frequently has been hacked, visit this site:

    https://haveibeenpwned.com

    References:

    https://haveibeenpwned.com/


    1. Phishing & Social Engineering. (2014, May 25). Retrieved March 28, 2015, from http://web.stanford.edu/group/security/securecomputing/phishing.html

    2. Aaron, G. (2014). Global Phishing Survey 1H2014: Trends and Domain Name Use. Global Phishing Survey: Trends and Domain Name Use in 1H2014, 1, 36-36. Retrieved March 28, 2015, from http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf

    3. Are You Phishing For Trouble? These 8 Ways To Prevent "Phishing Scams" Will Keep You From Getting Wet. (n.d.). Retrieved March 28, 2015, from http://www.identitytheftkiller.com/prevent-phishing-scams.php

    4. Horejsi, J. (2014, April 14). Avast blog: Email with subject FW:Bank docs leads to information theft. Retrieved March 28, 2015, from https://blog.avast.com/2014/04/01/email-with-subject-fwbank-docs-leads-to-information-theft/

    5. GMAIL PHISHING. (n.d.). Retrieved March 28, 2015, from https://blog.fierydragonlord.com/uploads/gmail-phishing/fake-gmail-login.png