Phishing: The Entire Story of a Dark World

Beware of this if you want to protect yourself from being robbed.

Upload: avishek-datta

Post on 12-May-2015


DESCRIPTION

Phishing is a common problem in today's world. I have summarized some of the essential points needed for anyone to safeguard against all known Phishing attacks.

TRANSCRIPT

Page 1: Phishing--The Entire Story of a Dark World

Phishing

Beware of this if you want to protect yourself from being robbed.

Page 2

What is phishing?

• Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Page 3

Popular Phishing Techniques

• Spear Phishing
• Clone Phishing
• Whaling
• Link Manipulation
• Filter Evasion
• Website Forgery
• Phone Phishing
• Tabnabbing
• Evil Twins

Page 4

Spear Phishing

• Phishing attempts directed at specific individuals or companies are termed spear phishing.

• The spear phisher thrives on familiarity: details about the target (name, employer, colleagues, recent activity) are gathered beforehand, often from public sources, and worked into the message.

• Personalised salutations and references to real people or projects make the mail far more convincing than a generic "Dear customer".

Page 5

Spear Phishing Illustration

Page 6

Clone Phishing

• The content of a legitimate, previously delivered e-mail (including its links) is copied to create a near-identical duplicate.

• The attachment or link within the copy is replaced with a malicious one, and the mail is sent from an address made to look like the original sender, often claiming to be a re-send or updated version.

• This technique can be used as a pivot: once one mailbox is compromised, its genuine past messages are cloned to reach the owner's contacts, who trust the familiar content.

Page 7

Clone Phishing Illustration

Page 8

Whaling

• Phishing attacks directed specifically at senior executives and other high-profile targets within businesses are known as whaling.

• The fake site asks the victim to:
  a. Enter confidential company information and passwords.
  b. Provide financial details, or enter them when making a payment for a fake software download.

Page 9

Link Manipulation

• Misspelled URLs (a brand name with one character changed) or the use of sub-domains, so that the brand name appears somewhere in the host name while the registrable domain actually belongs to the attacker.

• Making the displayed text for a link (the text between the <a> tags) differ from the real destination in its href attribute, so the user sees a trusted address but is taken somewhere else.
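The three link tricks above can be checked mechanically before a mail is shown to a user. The following is an added example (not code from the presentation) that parses the anchors out of an HTML body and flags visible text whose domain disagrees with the href, a known brand used as a sub-domain of someone else's registrable domain, and a registrable domain one edit away from a known brand. The brand allowlist and the sample message are constructed for illustration; a production tool would use the Public Suffix List rather than the "last two labels" shortcut used here.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example, not code from the original presentation. Three checks per <a>:
  1. the visible text looks like a URL but its domain differs from the href's,
  2. a known brand name appears inside the host while the registrable domain
     belongs to someone else (brand.com.attacker.example), and
  3. the registrable domain is one edit away from a known brand (misspelling).
KNOWN_BRANDS and SAMPLE_MAIL are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of brand domains worth protecting.
KNOWN_BRANDS = ("paypal.com", "examplebank.com")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host. A production tool should use the Public
    Suffix List instead, since 'co.uk'-style suffixes break this rule."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host of a URL-like string such as 'www.paypal.com', else None."""
    if not text or any(ch.isspace() for ch in text):
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip the differing character on the longer side (or on both if equal).
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def analyse_links(html):
    """Return (kind, href) findings for every suspicious anchor in the HTML."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = urlparse(href).hostname
        if not host:
            continue  # relative or mailto: links are out of scope here
        reg = registrable_domain(host)
        shown = host_of(text)
        if shown and registrable_domain(shown) != reg:
            findings.append(("text-mismatch", href))
        for brand in KNOWN_BRANDS:
            if reg == brand:
                continue
            if brand in host:
                findings.append(("brand-as-subdomain", href))
            elif within_one_edit(reg, brand):
                findings.append(("lookalike", href))
    return findings


# Constructed sample message (not a real phishing mail).
SAMPLE_MAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://paypal.com.account-verify.example/login">click here</a>
to confirm your details at <a href="http://paypa1.com/">https://www.paypal.com/</a>.</p>
<p>Your statement: <a href="https://www.examplebank.com/statements">www.examplebank.com</a></p>
"""

if __name__ == "__main__":
    for kind, href in analyse_links(SAMPLE_MAIL):
        print(f"{kind:20} {href}")
```

Run as a script it reports the first two links and stays silent on the third; the check that usually catches the most real mail is the text-mismatch one, because the phisher's own domain is whatever it is, but the text they show the victim has to name the brand.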

Page 10

Link Manipulation Illustration

Page 11

Filter Evasion

• Use of images instead of text, so that keyword-based mail filters have no text to match against.

• Filters that counter this use OCR (Optical Character Recognition) to extract the text from the image and scan it; phishers respond with distorted or fragmented images that OCR reads poorly, so OCR is used alongside other signals rather than on its own.
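One cheap signal that complements OCR is the ratio of readable text to image content: a mail that carries a picture and almost no text is worth a closer look regardless of what the picture says. The following is an added example, not code from the presentation, that walks every MIME part of a message and computes that verdict; the threshold, the sender address and both sample messages are constructed for illustration.

```python
"""Score an e-mail for the image-instead-of-text filter-evasion trick.

Added example, not code from the original presentation. Instead of OCR it uses
a cheap complementary signal: how much readable text the message carries versus
how much of it is images. The threshold and both sample messages are constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

MIN_TEXT_CHARS = 40  # hypothetical threshold below which a mail is "nearly empty"


class _VisibleText(HTMLParser):
    """Keeps the rendered text of an HTML part and counts <img> tags."""

    def __init__(self):
        super().__init__()
        self.chunks, self.img_tags = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.img_tags += 1

    def handle_data(self, data):
        self.chunks.append(data)


def score_message(raw: bytes) -> dict:
    """Walk every MIME part and report text volume, image volume and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    text_chars = image_bytes = img_tags = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            parser = _VisibleText()
            parser.feed(part.get_content())
            text_chars += len(re.sub(r"\s+", " ", "".join(parser.chunks)).strip())
            img_tags += parser.img_tags
        elif part.get_content_maintype() == "image":
            image_bytes += len(part.get_payload(decode=True) or b"")
    return {
        "text_chars": text_chars,
        "image_bytes": image_bytes,
        "img_tags": img_tags,
        # Verdict: a picture is present, but there is almost nothing to read.
        "mostly_image": img_tags > 0 and image_bytes > 0 and text_chars < MIN_TEXT_CHARS,
    }


def build_sample(image_only: bool) -> bytes:
    """Construct a multipart/alternative mail. The image-only variant carries the
    whole 'message' as an inline PNG referenced from an otherwise empty HTML body."""
    msg = EmailMessage()
    msg["From"] = "alerts@examplebank.com"  # constructed sender
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Important notice about your account"
    if image_only:
        msg.set_content(" ")  # whitespace-only text alternative
        msg.add_alternative('<html><body><img src="cid:notice@example"></body></html>', subtype="html")
        fake_png = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 8  # stand-in image bytes
        msg.get_payload()[1].add_related(fake_png, "image", "png", cid="<notice@example>")
    else:
        body = "Your May statement is ready. Sign in at the address printed on your card to view it."
        msg.set_content(body)
        msg.add_alternative(f"<html><body><p>{body}</p></body></html>", subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, flag in (("image-only", True), ("normal", False)):
        print(label, score_message(build_sample(flag)))
```

Treat the verdict as one input to a score, not a block on its own: newsletters and greeting cards produce the same shape, which is exactly why the presentation's OCR step exists.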

Page 12

Filter Evasion Illustration

Page 13

Website Forgery

• Some phishing scams use JavaScript to alter or cover the address bar so that it appears to show a trusted URL. Current browsers no longer let a script rewrite the address bar's contents, so this relied on older browsers or on pop-up windows opened without a location bar.

• Use of Flash-based websites ("Flashing"), which hid the forged page's text from the text-based anti-phishing scanners of the time. Adobe ended support for Flash Player in December 2020, so this variant is now historical.

Page 14

Website Forgery Illustration

Page 15

Phone Phishing

• Messages claiming to be from a bank tell users to dial a phone number about a problem with their account; the number leads to an attacker-controlled voice system that asks for account numbers and PINs.

• Vishing (voice phishing) sometimes uses spoofed caller-ID data to give the appearance that calls come from a trusted organisation.

Page 16

Phone Phishing Illustration

Page 17

Tab-Nabbing

• It takes advantage of tabbed browsing. A page the user has left open in a background tab can detect that it no longer has focus and quietly rewrite its own content, title and favicon to imitate the login page of a well-known site.

• It does not take the user directly to a fraudulent site; the phishers' fake page is already sitting in one of the open tabs. When the user comes back to that tab it looks like a session that timed out, so they re-enter their credentials, which go to the attacker. The address bar still shows the original page's URL, which is the one reliable tell.

Page 18

Tab Nabbing Illustration

Page 19

Evil Twins

• Evil Twin is a phishing technique that is hard to detect. A phisher sets up a fake wireless network whose name (SSID) matches or resembles a legitimate public network found in places such as airports, hotels or coffee shops; by name alone, neither the device nor the user can tell the two apart.

• Whenever someone connects to the bogus network, the fraudster sits between the victim and the Internet and tries to capture passwords and/or credit-card details, typically through a fake captive-portal login page or by redirecting traffic to forged sites. Connections protected by TLS with a valid certificate resist this unless the victim clicks through a certificate warning.

Page 20

Damages Caused by Phishing

• Monetary

• Data

• Business

• Time

Page 21

Anti Phishing

• There are several kinds of countermeasure against phishing: social, technological and legal approaches, among others.

• Some of these techniques are discussed in the next slides.

Page 22

Social Responses to Counter Phishing

• Awareness

• Education

• Anti-Phishing Working Groups

• Organizing Forums

• Discussion Platforms

Page 23

Technical Responses to Counter Phishing

• Helping users to identify legitimate websites
• Secure connection (HTTPS with a valid certificate, so a forged site cannot present the real site's identity)
• Browsers alerting users to fraudulent websites
• Augmenting passwords with a second factor, so a captured password alone is not enough to log in
• Eliminating phishing mails before delivery
• Monitoring and takedown of phishing sites
• Transaction verifying and signing, so that a captured code cannot be reused for a different transfer
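The last item is the one that defeats the bank-phishing scenario described later in the deck (password stolen, money moved to a mule account). The following is an added example, not code from the presentation, of a simplified scheme in the spirit of OCRA (RFC 6287): a secret held on the customer's second device produces a short code bound to the beneficiary, the amount and a one-time challenge from the bank, truncated HOTP-style (RFC 4226). The customer names, account identifiers and challenge bookkeeping are constructed for illustration.

```python
"""Transaction verification and signing: a phished password alone must not be
enough to move money.

Added example, not code from the original presentation. A per-customer secret
on a second device (hardware token or phone app) produces a short code bound to
the beneficiary, amount and a one-time server challenge, so a code captured or
coerced by a phisher cannot be reused for a different transfer. Customer names,
account identifiers and the challenge handling are constructed for illustration.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8


def canonical(tx: dict) -> bytes:
    """Fixed field order and formatting so device and server hash identical bytes."""
    return f"{tx['challenge']}|{tx['beneficiary']}|{tx['amount_minor']}|{tx['currency']}".encode()


def sign_transaction(device_secret: bytes, tx: dict) -> str:
    """Code shown on the customer's device; HOTP-style dynamic truncation (RFC 4226)."""
    mac = hmac.new(device_secret, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Bank:
    """Server side: issues one-time challenges and verifies transaction codes."""

    def __init__(self):
        self._secrets = {}    # customer -> device secret, enrolled out of band
        self._pending = {}    # challenge -> customer, consumed on first use

    def enrol(self, customer: str) -> bytes:
        self._secrets[customer] = secrets.token_bytes(32)
        return self._secrets[customer]

    def new_challenge(self, customer: str) -> str:
        challenge = secrets.token_hex(8)
        self._pending[challenge] = customer
        return challenge

    def submit(self, customer: str, tx: dict, code: str) -> bool:
        # Unknown, expired or already-used challenge: reject (this also defeats replay).
        if self._pending.pop(tx["challenge"], None) != customer:
            return False
        expected = sign_transaction(self._secrets[customer], tx)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Three scenarios; returns whether each transfer was accepted."""
    bank = Bank()
    device = bank.enrol("alice")  # alice's token secret; the phisher never sees it

    # 1. Genuine transfer: alice checks beneficiary and amount on her device, then signs.
    tx = {"challenge": bank.new_challenge("alice"), "beneficiary": "ACCT-1111",
          "amount_minor": 25000, "currency": "INR"}
    code = sign_transaction(device, tx)
    genuine = bank.submit("alice", tx, code)

    # 2. The phisher holds alice's password and session and has tricked her into
    #    typing a code for this transfer into a fake page; swapping the beneficiary
    #    for a mule account changes the signed bytes, so the MAC no longer matches.
    tx2 = {"challenge": bank.new_challenge("alice"), "beneficiary": "ACCT-1111",
           "amount_minor": 25000, "currency": "INR"}
    code2 = sign_transaction(device, tx2)
    tampered = dict(tx2, beneficiary="MULE-9999")
    phisher_tampered = bank.submit("alice", tampered, code2)

    # 3. Replay of the genuine code and challenge from scenario 1.
    replayed = bank.submit("alice", tx, code)

    return {"genuine": genuine, "tampered": phisher_tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

The property that matters is that the device displays the beneficiary and amount it is signing, so the customer sees the mule account before approving; if the device only shows a bare number, a phisher can relay the challenge and get a valid code for the tampered transfer.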

Page 24

Legal Responses

The Information Technology Act, 2000 (as amended in 2008) has provisions to combat phishing in the following sections of the Act:

• Section 66 (computer-related offences)
• Section 66A (sending offensive messages; struck down by the Supreme Court of India in Shreya Singhal v. Union of India, March 2015)
• Section 66C (identity theft)
• Section 66D (cheating by personation using a computer resource)

Page 25

Examples of Phishing in India

• Pharmaceutical Company

• RBI Phishing Scam

• Income Tax Department Phishing Scam

• ICC World Cup 2011

• Google Inc.

Page 26

Modus Operandi of Bank Phishers

• Creating fake websites hosted on offshore servers.

• Changing the contact numbers recorded for the victim in the bank's database.

• After the phisher gains access to the victim's account, he may perform one of the following:
  – Transfer money from the victim's account to a beneficiary's account
  – Recharge mobile phones
  – Make online purchases permitted by the net-banking facility.

Page 27

Modus Operandi of Bank Phishers Continued

• The beneficiary account is fake and was opened using forged documents.

• The account is closed after completion of the fraud.

• Phishers use proxy IP addresses to mislead investigative agencies.

Page 28

Conclusion

As future software engineers, it is imperative that we know about phishing, because we will be developing different systems and websites on our own and must implement security measures to protect against it. This documentation has taught me a lot about creating some of those force fields.

Page 29

Thank You for watching this presentation!

Any questions are most welcome!