Phishing and Identity theft ITEC810

Saravana Venkatesh Chellam


Supervisor: Josef Pieprzyk

Roadmap:
  • Aim
  • Significance
  • Introduction to phishing & its attacks
  • Overview of phishing techniques
  • Countermeasures of phishing techniques
  • Conclusion and future scope

Aim:
  • To understand phishing and its impacts in different industries.
  • To identify the phishing techniques.
  • To provide countermeasures (anti-phishing techniques).
  • To provide recommendations and identify the future scope of phishing.
Project significance:
  • A few important aspects: loss of privacy for clients, clients' identities are compromised, stolen client credentials can be abused (sold on the black market, used to commit computer crimes, etc.)
  • Due to the scale of the attacks, there is the potential for huge financial losses (average theft of $4000 USD per attack).
  • Customers of financial institutions, retail companies, social networking sites and internet service providers were frequent targets.
Project significance:
  • In 2010, RSA witnessed a total of 203,985 phishing attacks launched (RSA Online Fraud, 2010).
  • Compared to the total in 2009, this marks a 27 percent increase in phishing attack volume over the previous year (RSA Online Fraud, 2010).
Project significance:

APWG (Anti-Phishing Working Group) - 2010

Project significance:

Results of a phishing attack: (Simon Whitehouse, 2007)

  • 5% Get To The End User – 100,000 (APWG)
  • 5% Click On The Phishing Link – 5,000 (APWG)
  • 60% of banks suffered from Phishing attacks against their brands – (Gartner)
  • 2% Enter Data Into The Phishing Site – 100 (Gartner)

Introduction to phishing:
  • Phishing is a form of identity theft that aims to steal sensitive information from users, such as passwords and credit card information.
  • Mediums include: emails, websites, IM.
  • The goal is to extract information from a target.
  • The major driver of phishing is money, money, money!!!
  • With organisations becoming more aware, phishers had to come up with advanced methods.
  • Phishing attacks nowadays use pre-packaged toolkits and advanced spam techniques to ensure maximum exposure.
Phishing attack representation:

Stan Hegt - May 2008 - Analysis of phishing attacks

Overview of Phishing techniques

Phishing delivery modes:

  • E-mail and Spam
  • Web-based Delivery
  • IRC and Instant Messaging
  • Trojaned hosts
Phishing methods:

Gunter 2007 - The Phishing Guide

Phishing techniques:

Email techniques:

  • Attachments to e-mails
  • Use of font differences
  • Hyperlinks to similar domain names
  • Filling forms

Web-based techniques:

  • Fake banner advertising
  • IM
  • Fake websites (having similar domain names)
  • Browser vulnerabilities, spyware, malware
Phishing techniques:

Spoofed mails:

  • A formal-looking email request is sent to the user, asking them to send back sensitive information.
  • Some scams take the form of prize-winning notifications which ask for a credit card number and other information.
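As an added example (not part of the presentation), the checks a mail gateway or an analyst can run over a reported message of this kind: whether the display name borrows the brand while the address belongs elsewhere, whether a Reply-To silently redirects answers to another domain, what SPF/DKIM/DMARC results the receiving server recorded, and whether the body is a "formal request" to send data back. The brand domain examplebank.com and both sample messages are constructed for illustration.

```python
"""Triage a suspected spoofed mail from its headers and body.

Added defensive example, not from the presentation. The brand domain and
both messages are constructed; the checks are the ones a mail gateway or
analyst would apply to a message reported as suspicious.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the organisation whose customers are being targeted.
PROTECTED_DOMAINS = {"examplebank.com"}

# Constructed sample: a "formal request" that asks the user to send data back.
SPOOFED_MESSAGE = """\
From: "ExampleBank Security" <alerts@examplebank-verify.test>
Reply-To: support@mailbox-collector.test
To: customer@example.org
Subject: Urgent: confirm your account details
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examplebank-verify.test; dkim=none; dmarc=fail header.from=examplebank-verify.test

Please send back your password and card number so we can confirm your account.
"""

# Constructed sample: a genuine notice that should produce no findings.
CLEAN_MESSAGE = """\
From: "ExampleBank" <notices@examplebank.com>
To: customer@example.org
Subject: Your statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com

Your monthly statement is available in online banking.
"""


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Collect method=result pairs (spf/dkim/dmarc) from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = result.lower()
    return results


def triage(raw_message: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # Replies silently redirected to a domain other than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # Display name borrows the brand while the address belongs to someone else.
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if brand_label in from_name.lower().replace(" ", "") and from_domain != brand:
            findings.append(f"display name impersonates '{brand}' but address domain is '{from_domain}'")

    # Sender authentication results as recorded by the receiving gateway.
    for method, result in auth_results(msg).items():
        if result in ("fail", "softfail", "permerror", "temperror"):
            findings.append(f"{method}={result}")

    # A "formal request" to send credentials back is itself a red flag.
    body = msg.get_content() if not msg.is_multipart() else ""
    if re.search(r"\b(password|card number|pin|ssn)\b", body, re.I):
        findings.append("body asks the recipient to send back credentials")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, "->", triage(raw) or "no findings")
```

The Authentication-Results header is trusted only because it is written by the receiving server; a gateway would strip any copy of that header arriving from outside before applying these checks.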

Spoofed websites:

  • Here, fake websites of financial organisations etc. are crafted by attackers to look like the legitimate site.
  • Mostly these websites are served over HTTP, not HTTPS.
Some tricks:

To reduce suspicion and increase authenticity:

  • The URLs might be obfuscated to look like the legitimate site.

Example: (the example URL shown on the slide is not preserved in this transcript)

  • They use real logos and corporate identity elements in the spoofed website.
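An added example, not from the slides, of how a mail filter or analyst can test a hyperlink for the obfuscation tricks described above: the legitimate domain used as a sub-label of a different host, the domain placed before "@" in the user-info part of the URL, a raw IP address as host, plain http, and link text that names the brand while the href points elsewhere. The protected domain examplebank.com and the sample links are assumptions made for the example.

```python
"""Flag URL obfuscation tricks used to make a phishing link look legitimate.

Added defensive example, not from the presentation. The protected domain
"examplebank.com" and every sample link are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the brand whose customers we are protecting.
LEGIT_DOMAINS = {"examplebank.com"}


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule; a real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True for hosts such as 203.0.113.5 or [2001:db8::1] instead of a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_link(href: str, link_text: str = "") -> list:
    """Return findings for one hyperlink; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host)

    if parts.scheme.lower() == "http":
        findings.append("plain http, not https")
    if is_ip_literal(host):
        findings.append("host is a raw IP address")
    # http://examplebank.com@203.0.113.5/ : the part before '@' is not the host
    if parts.username and any(d in parts.username.lower() for d in LEGIT_DOMAINS):
        findings.append("legitimate domain placed in the user-info part before '@'")
    if owner not in LEGIT_DOMAINS:
        for d in LEGIT_DOMAINS:
            # examplebank.com.secure-login.test : brand used as a sub-label of another domain
            if d in host:
                findings.append(f"'{d}' embedded in host '{host}', which belongs to '{owner}'")
            # visible text says the brand, the href goes elsewhere
            if d in link_text.lower():
                findings.append(f"link text mentions '{d}' but the href goes to '{owner}'")
    return findings


if __name__ == "__main__":
    # Constructed samples of the kind found in phishing mails
    samples = [
        ("https://www.examplebank.com/accounts", "ExampleBank online banking"),
        ("http://examplebank.com@203.0.113.5/login", "https://www.examplebank.com/login"),
        ("https://examplebank.com.secure-login.test/verify", "www.examplebank.com"),
    ]
    for href, text in samples:
        print(href, "->", check_link(href, text) or "no findings")
```

The "last two labels" rule is deliberately simple; for hosts under multi-label suffixes (co.uk and the like) a production filter would consult the public suffix list before deciding who owns a host.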
Typical attack:
  • The attacker sends spoofed emails (which purport to come from a legitimate organisation) to a large number of users.
  • The emails contain hyperlinks to spoofed websites, to which the users are directed.
  • The victims are then asked to enter their sensitive information.
Phishing techniques:

Instant messenger:

  • IM clients allow embedded dynamic content (such as graphics, URLs, multimedia includes, etc.) to be sent by channel participants.
  • The usage of bots (automated programs that listen and participate in group discussions) in many of the popular channels means that it is very easy for a phisher to anonymously send semi-relevant links and fake information to would-be victims.
Phishing techniques

Web-based phishing attacks:

  • Client-side vulnerability exploitation: browser vulnerabilities, add-ons, plugins, etc.
  • Observing customer data: key-loggers and screen-grabbers

Phishing Techniques:

Observing customer data:


  • The purpose of key loggers is to observe and record all key presses by the customer.
  • Some sophisticated phishing attacks make use of code designed to take a screenshot of data that has been entered into a web-based application.
Countermeasure against phishing

Defensive mechanisms to counter phishing threats, grouped by where they are deployed:

  • The Client-side – this includes the user’s PC and desktop.
  • The Server-side – this includes the business’ Internet visible systems and custom applications.
  • Enterprise Level – distributed technologies and third-party management services.
Client side :

At the client-side, protection against phishing can be afforded by:

  • Desktop protection technologies
  • User application-level monitoring solutions
  • Locking-down browser capabilities
  • Digital signing and validation of email
  • General security awareness
Server side:
  • Improving customer awareness
  • Providing validation information for official communications
  • Ensuring that the Internet web application is securely developed and doesn’t include easily exploitable attack vectors.
  • Using strong token-based authentication systems
  • Keeping naming (domain name) systems simple and understandable
Enterprise level:
  • Automatic validation of sending e-mail server addresses
  • Digital signing of e-mail services
  • Monitoring of corporate domains and notification of “similar” registrations
  • Perimeter or gateway protection agents
  • Third-party managed services
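An added example (not the presentation's own material) of the "similar registration" monitoring in the enterprise-level list above, which also covers the fake websites with similar domain names mentioned under the phishing techniques: each newly registered domain is compared with the corporate domains for character substitution (1 for l, rn for m), the brand name embedded in a longer name, typosquatting within a small edit distance, and the same name under a different TLD. The corporate domains and the sample feed of registrations are constructed.

```python
"""Monitor newly registered domains for look-alikes of corporate domains.

Added defensive example, not from the presentation. The corporate domains
and the "new registrations" feed are constructed; in practice the candidates
would come from a zone-file or certificate-transparency feed.
"""
import unicodedata

# Assumption: domains the organisation owns and wants to protect.
CORPORATE_DOMAINS = {"examplebank.com", "examplebank.net"}

# Character tricks that make a label read like the original at a glance.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]


def second_level(domain: str) -> str:
    """Label left of the TLD (naive: no public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalise(label: str) -> str:
    """Strip accents/non-ASCII and undo common look-alike substitutions."""
    ascii_label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for src, dst in SUBSTITUTIONS:
        ascii_label = ascii_label.replace(src, dst)
    return ascii_label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as transposed or dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, corporate=CORPORATE_DOMAINS, max_distance: int = 2):
    """Return a reason string if the candidate looks like a corporate domain, else None."""
    candidate = candidate.lower().rstrip(".")
    if candidate in corporate:
        return None  # one of ours
    cand_sld = second_level(candidate)
    n_cand = normalise(cand_sld)
    for corp in sorted(corporate):  # sorted so the reported match is deterministic
        corp_sld = second_level(corp)
        n_corp = normalise(corp_sld)
        if cand_sld == corp_sld:
            return f"same name as {corp} under a different TLD"
        if n_cand == n_corp:
            return f"character substitution look-alike of {corp}"
        if corp_sld in cand_sld:
            return f"contains brand name from {corp}"
        if levenshtein(n_cand, n_corp) <= max_distance:
            return f"typosquat within edit distance {max_distance} of {corp}"
    return None


def monitor(new_registrations) -> dict:
    """Map each flagged registration to the reason it was flagged."""
    alerts = {}
    for domain in new_registrations:
        reason = classify(domain)
        if reason:
            alerts[domain] = reason
    return alerts


if __name__ == "__main__":
    # Constructed sample feed of newly registered names
    feed = ["examp1ebank.com", "exarnplebank.com", "examplebank-secure.com",
            "examplebnak.com", "examplebank.org", "examplebank.com", "unrelated-shop.com"]
    for domain, reason in monitor(feed).items():
        print(f"ALERT {domain}: {reason}")
```

The edit-distance threshold is the tuning knob: 2 catches transpositions and single insertions on an eleven-letter brand without flooding the queue, while short brand names need a lower threshold or the alerts become noise.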
Future scope of phishing:
  • The scope of phishing is expected to rise, especially in the mobile environment.
  • Mobile operating systems and browsers lack security indicators; as a result, users cannot always check whether they are on the correct site.
  • Android phones could be more vulnerable to phishing.

(Free market phishy apps online)

Conclusion:
  • The driver of phishing is money, and phishing is expected to rise in future!!!
  • Awareness and education among users and businesses.
  • Usage of technology to fight phishing.
  • To combat phishing techniques we need sound anti-phishing policies, defensive measures and law enforcement.