Phishing Attacks - PowerPoint PPT Presentation

1
Phishing Attacks
  • Dr. Neminath Hubballi

2
Outline
  • Motivation
  • Introduction
  • Forms and means of Phishing Attacks
  • Phishing today
  • Staying safe
  • Server side defense
  • Personal level defense
  • Enterprise level defense
  • Distributed phishing

3
Motivation: Phishing Attacks in India and Globally
  • India lost around $53 million (about Rs 328
    crore) to phishing scams, with the country
    facing over 3,750 attacks in July-September last
    year
  • 4th largest target of phishing attacks in the
    world
  • 7% of global phishing attacks are targeted at
    India
  • The US tops the ranking with 27% of phishing attacks
  • RSA identified 46,119 phishing attacks globally in
    September, a 36 per cent increase compared
    with August (33,861)

Courtesy: The Hindu Business Line, http://www.thehindubusinessline.com/industry-and-economy/info-tech/india-lost-53-m-to-phishing-attacks-in-q3/article5414170.ece
Indian Institute of Technology Indore
4
Phishing Attacks
  • The word is made up of two parts
    • Phreaking + Fishing = Phishing
    • Phreaking: making phone calls for free, back in
      the 70s
    • Fishing: attract the fish to bite

There are a lot of fish in the pond. Lure them to come
and bite; those who bite become the victims.
Courtesy: Google Images
5
Phishing Attacks
  • Phishing is a form of social engineering attack
  • Not all social engineering attacks are phishing
    attacks!
  • It mimics the appearance and communication style of
    legitimate companies and their communications
  • The first phishing incident appeared in 1995
  • Attractive targets include
    • Financial institutions
    • Gaming industry
    • Social media
    • Security companies

6
Phishing Information Flow
  • Three components
    • Mail sender: sends a large volume of fraudulent
      emails
    • Collector: collects sensitive information from
      users
    • Casher: uses the collected sensitive information
      to cash out

Courtesy Junxiao Shi and Sara Saleem
7
Phishing Forms
  • Creating fake URLs and sending them
    • Misspelled URLs
      • www.sbibank.statebank.com
      • www.micosoft.com
      • www.mircosoft.com ?
    • Creating anchor text
      • <a href="...">Link Text</a>
      • The reader sees only "Link Text"; the href it
        points to can be a different site altogether
  • Fake SSL lock
    • Simply shown so that users feel secure
  • Getting valid certificates for illegal sites
    • Certifying agency not being alert
    • Sometimes users overlook security certificate
      warnings
  • URL manipulation using JavaScript

8
Phishing Means
9
Phishing Payload
10
Phishing Purpose
11
Motivation for Phishing
  • Theft of login credentials
  • Theft of banking credentials
  • Observation of Credit Card details
  • Capture of address and other personal information
  • Distribution of botnet and DDoS agents
  • Attack Propagation

12
Types of Phishing
  • Clone Phishing
    • The phisher creates a clone of a legitimate email
    • Done by obtaining the contents and the addresses
      of the recipients and the sender
  • Spear Phishing
    • Targeting a specific group of users
    • All users of that group have something in common
    • Example: targeting all faculty members of IITI
  • Phone Phishing
    • Call someone up and say you are from the bank
    • Ask for the password, saying you need to do
      maintenance
    • Using VoIP makes this easy

13
Email Spoofing for Phishing
  • An email concealing its true source
    • Example: customercare@sbi.com when it is actually
      coming from somewhere else
  • Send an email saying your bank account needs to
    be verified urgently
  • When the user believes it, she
    • Sends her credit card details
    • Gives her password
  • Sending a spoofed email is very easy
    • There are many spoofed-mail generators
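
The display name and address in the From: header are whatever the sender typed, which is why spoofing is easy. What a receiving mail server can check is whether that From: domain matches the envelope sender (Return-Path) and whether its own SPF/DKIM evaluation passed. The following is an added example, not from the slides, that parses two constructed raw messages (the addresses and hostnames are made up for the demo) and lists the reasons the From: header should not be trusted.

```python
# Added example (not from the slides): flag an email whose visible From:
# address does not line up with the envelope sender or with the receiving
# server's SPF/DKIM verdict. Both messages below are constructed for the demo.
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: displayed sender is the bank, envelope sender is a
# third-party relay, and the receiving server recorded an SPF failure.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: SBI Customer Care <customercare@sbi.com>
To: victim@example.org
Subject: Your account needs urgent verification

Your bank account needs to be verified urgently. Click the link below.
"""

# Constructed sample of a message whose envelope and authentication agree.
LEGIT_RAW = """\
Return-Path: <customercare@sbi.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=sbi.com; dkim=pass header.d=sbi.com
From: SBI Customer Care <customercare@sbi.com>
To: victim@example.org
Subject: Monthly statement

Your statement is attached.
"""


def domain_of(header_value):
    """Lowercase domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw):
    """Return the reasons the From: header should not be trusted (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        reasons.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    # Authentication-Results is written by the receiving server, not the sender.
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=pass" not in auth:
        reasons.append("no SPF pass recorded")
    if "dkim=pass" not in auth:
        reasons.append("no DKIM pass recorded")
    return reasons


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(name, spoof_indicators(raw) or "ok")
```

A mismatch between From: and Return-Path is normal for mailing lists and some bulk senders, so on its own it is a weak signal; the absence of any SPF or DKIM pass for a domain that claims to be a bank is the stronger one, and DMARC exists precisely to let the domain owner say what to do in that case.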

14
Sample Email
15
Web Spoofing for Phishing
  • Setting up a webpage which looks similar to the
    original one
    • Save any webpage as an HTML page
    • Go to view source and save
  • A PHP script which stores credentials to a file
    is all that is required to harvest credentials
    • In the HTML page, find the login form's submit
      action and point it at the PHP script
  • Host it on a server
  • You are ready to go!
  • Send a spoofed email with a link to the spoofed webpage
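
The one change a cloned login page needs is the form's action, so the most direct way to recognise a clone is to look for a form that posts somewhere other than the site the page claims to be. The following is an added example, not from the slides: it parses a saved HTML page, resolves each form action against the page's own URL and reports the ones that leave the site. The page, the bank hostname and the harvesting script name are all made up for the demo.

```python
# Added example (not from the slides): scan a saved HTML page for forms whose
# submit target points somewhere other than the site the page claims to be.
# This is the change a cloned login page makes: the action is rewritten to
# the attacker's credential-harvesting script.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormTargetCollector(HTMLParser):
    """Collect (action, method) for every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def offsite_forms(html, page_url):
    """Return (resolved action URL, method) for forms posting to another host."""
    parser = FormTargetCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    hits = []
    for action, method in parser.forms:
        target = urljoin(page_url, action)  # relative actions stay on-site
        if urlparse(target).hostname != page_host:
            hits.append((target, method))
    return hits


# Constructed sample: a copied bank login page (bank.example is a placeholder)
# with the login form's action swapped to a hypothetical harvest.php on
# another host; the search form is left untouched and stays on-site.
CLONED_PAGE = """
<html><body>
<form action="http://login-sbi-verify.example/harvest.php" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/search">...</form>
</body></html>
"""

if __name__ == "__main__":
    for target, method in offsite_forms(CLONED_PAGE, "https://bank.example/login.html"):
        print(f"form {method.upper()}s credentials to {target}")
```

Run the same check on a page fetched from the suspicious link in a reported email: a login form whose action resolves to a different host than the address bar is the cloned page described on this slide, and the action URL is what the bank's takedown request needs.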

16
Phishing Today
  • Use bots to perform large-scale activity
    • Relays for sending spam and phishing emails
  • Phishing kits
    • Ready to use
    • Contain clones of many banks' and other websites
  • Emails
    • JPEG images: the complete email is an image
    • Suspicious parts of the URL may have the same colour as
      the background
    • Use font differences
      • The substitution of uppercase I for lowercase
        L, and
      • The number zero for uppercase O
    • Use of the first 4 digits of the credit card number,
      which identify the issuer and are not unique to the
      customer, so quoting them looks convincing

17
Phishing Today
  • Uncommon encoding mechanisms
  • Cross-site scripting
    • Sites that accept user input without a sanity check
      are vulnerable
  • Fake banner advertisements

18
Phishing Today
  • Dynamic code
    • Phishing emails contain links to sites whose
      contents change
    • When the email arrived at midnight the site was harmless,
      but by the next day, when you clicked, it was malicious
  • Numbers (IP addresses) in URLs
  • Use of targeted email
    • Gather enough information about the user from social
      networking sites
    • Send a targeted email using the knowledge from the
      previous step
    • The unsuspecting user clicks on the link
    • The attacker takes control of the recipient's machine
      (backdoor, trojan)
    • Steal / harvest credentials
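
Slides 7, 16 and 18 list three tricks that all live in the links of an HTML email: anchor text that names one site while the href goes to another, look-alike domains (typos, uppercase I for l, zero for O) and a bare IP address in place of a hostname. The following is an added example, not from the slides, that pulls every link out of a constructed email body and reports which tricks each one uses. The brand allow-list and every hostname in the sample are assumptions for the demo.

```python
# Added example (not from the slides): pull every link out of an HTML email
# and flag the tricks from slides 7, 16 and 18: anchor text that names one
# site while the href goes to another, look-alike domains (typos and the
# I/l and 0/O substitutions), and bare IP addresses in place of a hostname.
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumed allow-list of brand domains the organisation cares about.
KNOWN_DOMAINS = ("statebank.com", "microsoft.com", "paypal.com")

# Undo the substitutions from slide 16: uppercase I for lowercase l, zero for o.
HOMOGLYPHS = str.maketrans({"I": "l", "0": "o"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL, case preserved so I/l and 0/O swaps stay visible."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_link(href, text):
    """Return human-readable findings for one link; empty list if it looks fine."""
    findings = []
    href_host = host_of(href)
    # Visible text that itself looks like a hostname but differs from the target.
    if "." in text and " " not in text:
        text_host = host_of(text)
        if text_host and text_host.lower() != href_host.lower():
            findings.append(f"anchor text says {text_host} but link goes to {href_host}")
    if is_ip_literal(href_host):
        findings.append("link host is a bare IP address")
        return findings
    reg = ".".join(href_host.split(".")[-2:])  # crude registrable domain
    if reg.lower() not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if reg.translate(HOMOGLYPHS).lower() == known or edit_distance(reg.lower(), known) <= 2:
                findings.append(f"{href_host} looks like {known}")
                break
    return findings


def scan_html_email(html):
    """Map each suspicious href in an HTML email body to its findings."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = analyse_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample email body exercising each trick; no host here is real.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Please verify at <a href="http://www.micosoft.com/verify">Microsoft account</a>,
<a href="http://198.51.100.7/sbi/">www.statebank.com</a> or
<a href="https://www.paypaI.com/">PayPal</a>.</p>
<p>Legitimate: <a href="https://www.microsoft.com/">www.microsoft.com</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_html_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(findings))
```

The last-two-labels guess at the registrable domain is deliberately crude (it misreads hosts under co.uk and similar suffixes); a production filter would use the public suffix list, and would also decode punycode (xn--) hostnames before comparing, since Unicode look-alikes are the modern form of the I/l trick.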

19
Enterprise Level Protection
  • Collecting data from users
    • About emails received
    • Website links
    • Why would anyone give you such data?
      • It is in her interest too
      • Incentives
  • Analysing spam emails for keywords
    • "click on the link below"
    • "enter user name and password here"
    • "account will be deleted", etc.
  • Personalization of emails
    • Every email should quote some secret that proves
      the sender's identity
    • Example: the phrase "Dear Dr. Neminath" instead of
      "Dear Customer"
    • Referring to the timing of a previous email
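
The keyword analysis and the personalization point above combine naturally into one scoring rule: lure phrases add to a score, a generic salutation adds to it, and a mail that addresses the recipient by name takes a little off. The following is an added example, not from the slides; the patterns, weights, threshold and the two sample bodies are assumptions for the demo, not a tuned filter.

```python
# Added example (not from the slides): score an email body with the kinds of
# rules slide 19 describes. Patterns, weights and threshold are assumptions.
import re

# (pattern, weight) pairs, matched case-insensitively against the body.
LURE_RULES = [
    (r"click (on )?the link below", 2),
    (r"enter (your )?user\s?name (and )?password", 3),
    (r"account will be (deleted|suspended|closed)", 3),
    (r"\burgent(ly)?\b", 1),
    (r"verify your account", 2),
]

# A real sender who knows the customer would not open with "Dear Customer".
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member|client)\b", re.I | re.M)


def score_email(body, recipient_name=None):
    """Return (score, names of the rules that fired) for one message body."""
    score, fired = 0, []
    for pattern, weight in LURE_RULES:
        if re.search(pattern, body, re.I):
            score += weight
            fired.append(pattern)
    if GENERIC_GREETING.search(body):
        score += 2
        fired.append("generic greeting")
    # Knowing the recipient's name is weak evidence of a genuine relationship.
    if recipient_name and recipient_name.lower() in body.lower():
        score -= 1
        fired.append("addresses recipient by name")
    return score, fired


def is_phishy(body, recipient_name=None, threshold=4):
    """Decision wrapper: True when the weighted score reaches the threshold."""
    return score_email(body, recipient_name)[0] >= threshold


# Constructed sample bodies for the demo.
PHISH_BODY = (
    "Dear Customer,\n"
    "Your account will be deleted unless you verify your account urgently. "
    "Click on the link below and enter your user name and password."
)
LEGIT_BODY = (
    "Dear Dr. Neminath,\n"
    "As promised in my email of Monday, the seminar slides are attached."
)

if __name__ == "__main__":
    for label, body in (("phish", PHISH_BODY), ("legit", LEGIT_BODY)):
        print(label, score_email(body, recipient_name="Neminath"))
```

Keyword rules of this kind are cheap and explainable, but phishers read the same lists, so in practice they are one input alongside the link and header checks rather than a filter on their own.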

20
What Banks are Doing to Protect from Phishing
  • Banks and their customers lose crores of rupees
    every year
  • They hire professional security agencies who
    constantly monitor the web for phishing sites
  • Regularly alert users to stay vigilant and not
    to fall prey
  • Use the best state-of-the-art security software and
    hardware
  • Whitelists and blacklists of phishing sites

21
Personal Level Protection
  • Email protection
    • Blocking dangerous email attachments
    • Disable HTML rendering in all emails
  • Awareness and education
  • Web browser toolbars
    • Connect to a database of FQDN-to-IP-address mappings
      of phishing sites
    • I think Google Chrome does it automatically
  • Multi-factor authentication
    • Gmail has it now

22
Case Study 1 Phone Phishing Experiment
  • 50 employees were contacted by female crooks
  • They had a friendly conversation
  • The crooks managed to get e-banking passwords
  • Do not believe the statistics, but believe the
    takeaway!

Source: Experimental Case Studies for
Investigating E-Banking Phishing Intelligent
Techniques and Attack Strategies
23
Money Laundering
  • Phishing lets you make money
  • Many banks do not allow money transfers to foreign
    banks just like that
  • But how to stay undetected?
    • Launder the money
  • How to launder money
    • Offer jobs to needy people
    • Ask them to open accounts in the same bank
    • Put the money into their accounts
    • Ask them to keep a small commission and transfer
      the rest to the attacker's account in Nigeria

24
Distributed Phishing Attack
  • Till now we have assumed there is one collection
    centre for the data
  • What if the attacker raises multiple such sites and
    collects the data there?
  • An extreme example: every user is redirected
    to a different site
  • An attacker can look for cheaper options for
    collecting such data
    • Use malware to erect more such sites, hidden in
      someone else's webpage
    • Users with reliable connectivity who run popular
      software like games are the targets