Dan Pratico - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
PHISHING
  • Dan Pratico
  • July 13, 2006

2
Overview of Presentation
  • Definition
  • History
  • Types
  • Prevention
  • Questions

3
Definition
Phishing is a broadly launched social
engineering attack in which an electronic
identity is misrepresented in an attempt to trick
individuals into revealing personal credentials
that can be used fraudulently.
4
History
Early phishing on AOL
Recent phishing on banks and online services
5
May 2006 Statistics from APWG
http://www.antiphishing.org
6
Received Reports from APWG
http://www.antiphishing.org
7
2005 Pie Chart from APWG
http://www.antiphishing.org
8
Email Phishing
Most Common
  • General Information
  • Grammar Mistakes
  • IP Address
  • Links
  • Entire message is an image

Fake Site
http://www.identitytheftsecrets.com/videos/wellsfargo.html
Pop-Up
http://www.identitytheftsecrets.com/videos/suntrust.html
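Two of the tells listed above, links whose host is a raw IP address and links whose visible text names a different site than the href really points to, can be checked mechanically. The following is an added example, not part of the presentation; the message body is constructed, and the "last two labels" domain comparison is a simplification.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not from the presentation): an IP-address link, a
# link whose visible text names a different site than its href, an honest one.
SAMPLE_BODY = """<p>Dear customer, please verify your account:</p>
<a href="http://192.0.2.10/login">http://www.examplebank.test/login</a>
<a href="http://examplebank.test.evil.example/">www.examplebank.test</a>
<a href="https://www.examplebank.test/help">Help centre</a>"""

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs from <a> tags.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _site(host):
    # Crude "registrable domain" (last two labels); real filters use the PSL.
    return ".".join(host.lower().split(".")[-2:])

def analyze_links(html_body):
    """Return [(href, [reasons])] for every link that trips a heuristic."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = urlparse(href).hostname or ""
        try:  # a bare IP address in the link is the slide's "IP Address" tell
            ipaddress.ip_address(host)
            reasons.append("ip-address host")
        except ValueError:
            pass
        # Visible text that itself looks like a URL/hostname for another site.
        m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if m and _site(m.group(1)) != _site(host):
            reasons.append("display text names a different site")
        if reasons:
            findings.append((href, reasons))
    return findings
```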
9
Email Phishing
10
Email Phishing
11
Cross-site Scripting
Cross-site scripting (XSS) is a type of computer
security vulnerability typically found in web
applications which can be used by an attacker to
compromise the same origin policy of client-side
scripting languages.

http://en.wikipedia.org/wiki/Cross-site_scripting
12
Cross-site Scripting

13
Cross-Site
14
Cross-site Scripting
XSS Examples
  • Simple Attack
  • Hacker finds a forum website with posts and content
  • Hacker creates a post with malicious JavaScript on a
    controversial topic
  • User views the posted message and their session
    cookies are sent to the hacker, who can then post
    messages on the user's behalf

MySpace worm Samy

15
Cross-site Request Forgery
Cross-site request forgery (CSRF or XSRF)
exploits the trust a web site has in a user by
forging a request so that it appears to come
from a trusted user.
The most common CSRF attack is to trick a user
into making a request by including the target URL
in an image tag. The user's browser makes the
request, sending with it any cookie information
provided by the user and performing any actions
associated with visiting the URL.
Examples
http://www.google.com/search?q=Heroscape
http://www.heroscapehq.com/EditProfile?action=set&key=emailAddress&value=scammed@heroscapehq.com
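The image-tag attack works because the browser attaches the site's cookies to any request, and a GET to the edit URL changes state. The following added example (not from the presentation) shows the three server-side checks that defeat it for a hypothetical EditProfile handler: no state change over GET, a per-session synchronizer token the attacker's page never sees, and an Origin header check; the request and session objects are constructed stand-ins, and attacker.example is a placeholder origin.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://www.heroscapehq.com"  # site named on the slide

@dataclass
class Session:
    """Server-side session looked up from the cookie the browser attaches."""
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    """Constructed stand-in for an HTTP request (not a real framework object)."""
    method: str
    params: dict
    headers: dict
    session: Session

def edit_profile(req):
    """Hypothetical EditProfile handler; returns (status, reason)."""
    # 1. An <img src=...> can only issue GET, so GET must never change state.
    if req.method != "POST":
        return 405, "state change requires POST"
    # 2. Cookies ride along on a forged cross-site POST, but the per-session
    #    token embedded in the site's own form does not.
    sent = req.params.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return 403, "missing or invalid CSRF token"
    # 3. Defence in depth: browsers send Origin on cross-site POSTs.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request"
    req.session.email = req.params["emailAddress"]
    return 200, "email updated"

def demo():
    """Replay the slide's image-tag attack, a forged POST, and a real form."""
    sess = Session(email="user@example.test")
    attack = {"emailAddress": "scammed@heroscapehq.com"}
    img = Request("GET", attack, {}, sess)  # what an <img src=...> produces
    forged = Request("POST", attack, {"Origin": "https://attacker.example"}, sess)
    legit = Request("POST", {"emailAddress": "new@example.test",
                             "csrf_token": sess.csrf_token},
                    {"Origin": SITE_ORIGIN}, sess)
    return [edit_profile(r)[0] for r in (img, forged, legit)], sess.email
```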
16
Spear Phishing
Highly targeted phishing attack that scammers
will send only to people within a small group,
such as a company.
17
Phishing Trojans and Keyloggers
Very Dangerous
  • Exploit vulnerabilities in operating systems
  • Exploit vulnerabilities in browsers
  • Cannot be visually detected
  • Do not rely on social engineering
18
Pharming
Crimeware that misdirects users to fraudulent
sites or proxy servers, typically through DNS
hijacking or poisoning.
"Pharmers can scoop up many victims in a single
pass," said Chris Risley, president and chief
executive officer of Nominum, a provider of IP
address infrastructure technology for businesses.
"DNS just isn't as secure as we'd like to think
it is," said Nominum's Risley. "Every internet
request has to go through a DNS server, and
malicious hackers realized a long time ago the
profit potential in hacking DNS records."
19
Phishing Scam Calls on VoIP
Voice over Internet Protocol Phones
Vishing ???
http://www.pcworld.com/news/article/0,aid,126373,00.asp
20
Prevention
  • Install and update anti-virus and spyware
    removal software
  • Never reveal personal or financial information
    in response to an e-mail request
  • Never click links in an e-mail message that
    requests personal or financial information
  • Report any e-mail that you suspect might be a
    phishing campaign
  • Double-click the lock icon on the status bar to see
    the security certificate
  • Enter web addresses directly
21
Prevention
US Safe Web Act 2005
  • Improved the FTC's ability to cooperate with
    foreign counterparts in specific cases and
    investigations
  • Improved the FTC's ability to gather information
  • Enhanced the FTC's ability to obtain monetary
    consumer redress
  • Strengthened the FTC's enforcement cooperation
    networks

http://www.ftc.gov/reports/ussafeweb/Proposed%20US%20SAFE%20WEB%20Act.pdf
22
Phishing Help Sites
http://www.antiphishing.org/
http://www.ftc.gov/
http://www.identitytheftsecrets.com/
http://www.cyveillance.com/web/online_risks/phishing.htm
http://www.verisign.com/verisign-business-solutions/anti-phishing-solutions/page_005737.html
23
Test Your Knowledge
http://www.microsoft.com/athome/security/quiz/phishingbasics1.mspx
http://survey.mailfrontier.com/survey/quiztest.html
http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html
http://www.cbc.ca/consumers/market/files/scams/phishing/quiz.html
http://www.kiplinger.com/personalfinance/tools/quiz/quiz-tpl.php
24
Phishing Media
Google Video 1
Google Video 2
Microsoft Phishing Video
PayPal Video
Phishing Solutions Video
Ebay Power Seller Video
25
Questions / Comments?