PHISHING BASICS
• Pronounced "fishing".
• The word has its origin in the two words "Password Harvesting", i.e. fishing for passwords.
• Phishing is an online form of pretexting, a kind of deception in which an attacker pretends to be someone else in order to obtain sensitive information from the victim.
• Also known as "brand spoofing".
• Phishers are phishing artists.
COMPARISON TO SPAM
• The purpose of a phishing message is to acquire sensitive information about a user.
• To do so, the message needs to deceive the intended recipient. It doesn't contain any useful information and hence falls under the category of spam.
• A spam message tries to sell a product or service, whereas a phishing message needs to look like it is from a legitimate organization.
• Techniques applied to spam messages can't be applied naively to phishing messages.
ANATOMY OF PHISHING MESSAGE
A raw phishing message can be split into two components:
• Content
• Headers
ANATOMY OF PHISHING MESSAGE
CONTENT is further subdivided into two parts:
• Cover
• Sting
HEADERS are further subdivided into two parts:
• Mail clients
• Mail relays
WHY PHISHING ATTACKS WORK!!
Lack of Knowledge
• computer system
• security and security indicators
• web fraud
Visual Deception
• Visually deceptive text
• Images masking underlying text
Lack of computer knowledge
• www.ebay.com (legitimate) vs. www.ebay-memberssecurity.com (phishing look-alike)
Lack of knowledge of security and security indicators
Lack of knowledge of web-fraud
Visually Deceptive Text
(figure: original website beside the phishing website)
Image Masking Underlying Text
(figure)
MANTRA OF PHISHERS
• Decei
• Neglect
• Configuration
Legal Response
• In the United States, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 in Congress on March 1, 2005.
How to Avoid Being a Phishing Victim
1. Never respond to requests for personal information via email. When in doubt, call the institution that claims to have sent you the email. Be wary of generic greetings, e.g. "Dear Sir or Madam" rather than "Dear Dr. Phatak".
2. If you suspect the message might not be authentic, don't use the links within the email to get to a web page.
3. Never fill out forms in email messages that ask for confidential information.
How to Avoid Being a Phishing Victim…
4. Always ensure that you're using a secure website when submitting credit card or other sensitive information via your web browser:
• check the beginning of the web address in your browser's address bar: it should be "https://" rather than just "http://"
• look for the locked padlock icon
How to Avoid Being a Phishing Victim…
5. Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate, and if anything is suspicious, contact your bank and all card issuers immediately.
6. Ensure that your browser and OS software are up-to-date and that the latest security patches are applied.
How to Avoid Being a Phishing Victim…
7. Verify the real address of a web site. This bookmarklet displays the protocol and hostname the browser is actually connected to, regardless of what the page content shows:
javascript:alert("The actual URL of this site has been verified as: " + location.protocol + "//" + location.hostname + "/");
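As an added example (not part of the original slides), the following Python check applies steps 4 and 7 to a URL before anything is submitted: it extracts the real hostname the way the bookmarklet does, insists on https, and flags hostnames that merely contain a trusted brand name, like the ebay-memberssecurity look-alike shown earlier. The trusted-domain list is an assumption constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate domains (assumption for this example).
TRUSTED_DOMAINS = {"ebay.com", "paypal.com"}


def registrable_part(hostname: str) -> str:
    """Return the last two labels, e.g. 'signin.ebay.com' -> 'ebay.com'.

    Simplified on purpose: multi-label public suffixes (co.uk etc.) are not handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Classify a URL: real hostname (step 7), https (step 4), look-alike brand use."""
    parts = urlsplit(url)
    hostname = (parts.hostname or "").lower()
    result = {
        # Same information the bookmarklet shows: protocol and hostname only.
        "real_address": f"{parts.scheme}://{hostname}/",
        "hostname": hostname,
        "https": parts.scheme == "https",
        "verdict": "unknown",
    }
    if not hostname:
        result["verdict"] = "invalid"
        return result
    if registrable_part(hostname) in TRUSTED_DOMAINS:
        # Genuine site, but still require https before submitting sensitive data.
        result["verdict"] = "trusted" if result["https"] else "trusted-but-insecure"
        return result
    # Look-alike: a trusted brand name appears inside an untrusted hostname,
    # e.g. 'www.ebay-memberssecurity.com' or 'ebay.com.evil.example'.
    brands = {domain.split(".")[0] for domain in TRUSTED_DOMAINS}
    if any(brand in hostname for brand in brands):
        result["verdict"] = "lookalike"
    return result
```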
ANALYSIS OF A PHISHING DATABASE
• The Anti-Phishing Working Group maintains a "Phishing Archive"
• Certificate (digital certificate, public key certificate)
• Certificate Authority (CA)
• HTTPS
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
MANTRA OF VICTIMS
• Solution
• Myths
THANK YOU