Phishing - PowerPoint PPT Presentation

Title: Phishing
Description: Phishing - University of Calgary
Slides: 31
Provided by: Cog78

Transcript and Presenter's Notes

1
Phishing
2
Definition
  • It is the act of tricking someone into giving
    confidential information (like passwords and
    credit card information) on a fake web page or
    email form pretending to come from a legitimate
    company (like their bank).
  • For example: sending an e-mail to a user
    falsely claiming to be an established, legitimate
    enterprise in an attempt to scam the user into
    surrendering private information that will be
    used for identity theft.

3
Examples
4
Examples
5
Examples
6
Types of Phishing
  • Deceptive - Sending a deceptive email, in bulk,
    with a call to action that demands the
    recipient click on a link.

7
Types of Phishing
  • Malware-Based - Running malicious software on the
    user's machine. Various forms of malware-based
    phishing are:
  • Key Loggers / Screen Loggers
  • Session Hijackers
  • Web Trojans
  • Data Theft

8
Types of Phishing
  • DNS-Based - Phishing that interferes with the
    integrity of the lookup process for a domain
    name. Forms of DNS-based phishing are:
  • Hosts file poisoning
  • Polluting the user's DNS cache
  • Proxy server compromise
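
Hosts file poisoning is the easiest of these three forms to check for on an endpoint, because the file is plain text. The following is an added example, not part of the presentation: it parses hosts-file content and flags any entry that pins a watched domain (or one of its subdomains) to a non-loopback address, which is exactly what a poisoned entry does. The sample file content, the domain names and the address are constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts-file content (not from the presentation): two
# legitimate loopback entries and one entry that pins a bank's domain
# to an address that is not on this machine.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Poisoned entry: a bank domain pinned to a non-local address
203.0.113.45    www.examplebank.test examplebank.test
"""

# Names that legitimately appear in a hosts file alongside loopback addresses
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for every non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: skip it rather than crash the scan
        yield ip, parts[1:]


def suspicious_entries(text, watched_domains):
    """Return (ip, name) pairs where a watched domain, or a subdomain of it,
    resolves to a non-loopback address via the hosts file. Such an entry
    overrides DNS for that name, which is what hosts-file poisoning does."""
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback:
            continue
        for name in names:
            name_l = name.lower()
            if name_l in LOCAL_NAMES:
                continue
            for dom in watched_domains:
                if name_l == dom or name_l.endswith("." + dom):
                    findings.append((str(ip), name_l))
    return findings


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS, ["examplebank.test"]):
        print(f"hosts file overrides {name} -> {ip}")
```

On a real system the content would be read from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and the watched list would hold the organisation's own domains; a hit is a reason to investigate the machine, not just to delete the line.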

9
Types of Phishing
  • Content-Injection - Inserting malicious content
    into a legitimate site.
  • Three primary types of content-injection
    phishing:
  • Hackers can compromise a server through a
    security vulnerability and replace or augment the
    legitimate content with malicious content.
  • Malicious content can be inserted into a site
    through a cross-site scripting vulnerability.
  • Malicious actions can be performed on a site
    through a SQL injection vulnerability.

10
Types of Phishing
  • Man-in-the-Middle Phishing - Phisher positions
    himself between the user and the legitimate site.

11
Types of Phishing
  • Search Engine Phishing - Create web pages for
    fake products, get the pages indexed by search
    engines, and wait for users to enter their
    confidential information as part of an order,
    sign-up, or balance transfer.

12
Causes of Phishing
  • Misleading e-mails
  • No check of source address
  • Vulnerability in browsers
  • No strong authentication at websites of banks and
    financial institutions
  • Limited use of digital signatures
  • Non-availability of secure desktop tools
  • Lack of user awareness
  • Vulnerability in applications
  • and more

13
Effects of Phishing
  • Internet fraud
  • Identity theft
  • Financial loss to the original institutions
  • Difficulties in Law Enforcement Investigations
  • Erosion of Public Trust in the Internet.

14
Industries affected
  • Major industries affected are:
  • Financial Services
  • ISPs
  • Online retailers

15
Phishing Trends
16
Phishing Trends
17
How to combat phishing?
  • Educate application users
  • Think before you open
  • Never click on the links in an email, message
    boards or mailing lists
  • Never submit credentials on forms embedded in
    emails
  • Inspect the address bar and SSL certificate
  • Never open suspicious emails
  • Ensure that the web browser has the latest
    security patch applied
  • Install latest anti-virus packages
  • Destroy any hard copy of sensitive information
  • Verify the accounts and transactions regularly
  • Report the scam via phone or email.

18
How to combat phishing?
  • Formulate and enforce Best practices
  • Authorization controls and access privileges for
    systems, databases and applications.
  • Access to any information should be based on
    need-to-know principle
  • Segregation of duties.
  • Media should be disposed only after erasing
    sensitive information.

19
How to combat phishing?
  • Reinforce application development / maintenance
    processes
  • 1. Web page personalization
  • Using two pages to authenticate the users.
  • Using Client-side persistent cookies.

20
How to combat phishing?
  • 2. Content Validation
  • Never inherently trust the submitted data
  • Never present the submitted data back to an
    application user without sanitizing it
  • Always sanitize data before processing or storing
  • Check the HTTP Referer header
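
The following added example (not from the presentation) shows the content-validation points in code: a page that reflects user input raw beside the same page with output encoding, an allow-list check for a field that will be stored, and a Referer check. The query string, host names and username rules are constructed for the demonstration. One caveat the slide does not spell out: the Referer header is set by the client and is frequently absent, so it is a supplementary check and not a substitute for anti-CSRF tokens.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed test input (not from the presentation): a query string carrying
# markup that a content-injection phisher would want reflected into the page.
CONSTRUCTED_QUERY = '<script>alert("phish")</script>'


def render_results_vulnerable(query):
    """Reflects the submitted query unchanged: the cross-site scripting hole."""
    return f"<p>Results for: {query}</p>"


def render_results_safe(query):
    """Output-encodes <, >, &, and quotes so the query renders as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# Allow-list for a field that will be stored: only the characters a username
# legitimately needs, with a length bound. Rejecting what does not match is
# simpler and safer than trying to strip "bad" characters from free text.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def sanitize_username(value):
    """Return the username if it passes the allow-list, otherwise None."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        return None
    return value


def referer_is_own_site(headers, own_host):
    """Accept a state-changing request only when the Referer header names our
    own host. The header is client-controlled and often missing, so treat a
    pass as weak evidence and keep anti-CSRF tokens as the real control."""
    ref = headers.get("Referer")
    if not ref:
        return False
    try:
        return urlsplit(ref).hostname == own_host.lower()
    except ValueError:
        return False   # unparsable URL in the header: reject


if __name__ == "__main__":
    print(render_results_vulnerable(CONSTRUCTED_QUERY))
    print(render_results_safe(CONSTRUCTED_QUERY))
```

`html.escape` handles the HTML body context only; a value placed inside a JavaScript block, a URL or an attribute without quotes needs the encoding appropriate to that context.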

21
How to combat phishing?
  • 3. Session Handling
  • Make session identifiers long, complicated and
    difficult to guess.
  • Set expiry time limits for SessionIDs and check
    them on every client request.
  • The application should be capable of revoking active
    SessionIDs and must not recycle the same SessionID.
  • Any request with an invalid SessionID should be
    redirected to the login page.
  • Never accept session information within a URL.
  • Protect the session via SSL.
  • Session data should be submitted as a POST.
  • After authenticating, a new SessionID should be
    used (e.g. when moving from HTTP to HTTPS).
  • Never let the users choose the SessionID.
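
The session rules above fit in one small server-side store. This is an added example, not code from the presentation: IDs come from the operating system's CSPRNG (so the client never chooses one), every lookup enforces an idle expiry, revoked IDs are never accepted again, the ID is rotated when the user authenticates, and the ID is read only from the Cookie header, never from the URL. The cookie name, the 15-minute timeout and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # idle timeout; a constructed value for the example


class SessionStore:
    """In-memory session table. IDs are generated server-side from a CSPRNG,
    expire after a fixed idle time, are rotated after login, and once
    revoked are never reused."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested
        self._sessions = {}         # sid -> {"user": ..., "expires": ...}
        self._revoked = set()       # ids that must never be accepted again

    def _new_id(self):
        # 32 random bytes -> 43-character URL-safe token; not guessable
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self._sessions and sid not in self._revoked:
                return sid

    def create(self, user=None):
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid):
        """Return the session record, or None if the id is unknown, revoked
        or expired. The caller redirects to the login page on None."""
        rec = self._sessions.get(sid)
        if rec is None or sid in self._revoked:
            return None
        if self.clock() > rec["expires"]:
            self.revoke(sid)
            return None
        rec["expires"] = self.clock() + self.ttl   # sliding expiry per request
        return rec

    def revoke(self, sid):
        self._sessions.pop(sid, None)
        self._revoked.add(sid)

    def authenticate(self, sid, user):
        """Replace the pre-login id with a fresh one bound to the user, so an
        id planted or captured before login is worthless afterwards."""
        if self.lookup(sid) is None:
            return None
        self.revoke(sid)
        return self.create(user)


def session_id_from_cookie(cookie_header):
    """Read the id from the Cookie header only; ids in the URL are ignored."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None
```

When the cookie is set, it should carry the Secure and HttpOnly attributes so it travels only over SSL/TLS and is not readable by injected script; that part belongs to the web framework rather than the store.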

22
How to combat phishing?
  • 4. URL Qualification
  • Do not reference the redirection URL in the browser's
    URL
  • Always maintain a valid, approved list of
    redirection URLs
  • Never allow customers to supply their own URLs
  • Never allow IP addresses to be used in URL
    information
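
The URL-qualification rules above, as an added example that is not part of the presentation: redirects are selected by an opaque key that maps to an approved list, and a fallback check for any code path that still receives a full URL admits only https, only the site's own host names (never a raw IP address, never a URL with credentials in the authority part). The approved targets, host names and keys are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Approved redirect targets for the example; a real deployment keeps this
# table in configuration, never in anything the client submits.
APPROVED_REDIRECTS = {
    "home": "https://bank.test/account/home",
    "statements": "https://bank.test/account/statements",
}
OWN_HOSTS = {"bank.test", "www.bank.test"}


def host_is_ip(host):
    """True if the host part is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def resolve_redirect(key):
    """Map an opaque key from the request to an approved URL; unknown keys
    fall back to a fixed safe page instead of anything the client supplied."""
    return APPROVED_REDIRECTS.get(key, APPROVED_REDIRECTS["home"])


def is_safe_return_url(url):
    """Fallback check for legacy code that still receives a full URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False            # e.g. malformed IPv6 literal
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False            # scheme-relative and http URLs are rejected
    if parts.username or parts.password:
        return False            # "https://bank.test@evil.test/" style tricks
    if host_is_ip(host):
        return False            # no IP addresses in URL information
    return host.lower() in OWN_HOSTS


if __name__ == "__main__":
    print(resolve_redirect("statements"))
    print(is_safe_return_url("https://203.0.113.5/login"))
```

The key-based form is the one to prefer: with it there is nothing for a phisher to tamper with in the query string, and the allow-list check is only needed while older pages are migrated.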

23
How to combat phishing?
  • 5. Authentication Process
  • Ensure that a 2-phase login process is in place
  • Personalize the content
  • Design a strong token-based authentication

24
How to combat phishing?
  • 6. Transaction non-repudiation
  • To ensure the authenticity and integrity of the
    transaction
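
An added example of the integrity side of this point, not code from the presentation: each transaction is serialised canonically and tagged with an HMAC, and verification recomputes the tag over every field and compares it in constant time, so a changed amount or account fails. With a shared key this proves integrity and authenticity to the key holder; true non-repudiation towards a third party needs a key that only the customer holds (a public-key signature), which is outside this snippet. The key, field names and nonce are constructed for the demonstration.

```python
import hmac
import hashlib
import json

# Constructed demo key; in production it comes from a key store and is
# specific to the customer or the signing device, never shared across users.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def canonical_bytes(txn):
    """Serialise the transaction deterministically so the same fields always
    give the same bytes regardless of dict ordering or whitespace."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_transaction(txn, key):
    """Attach an HMAC-SHA256 tag over all fields. The caller includes a
    per-transaction nonce and timestamp in txn so a valid tag cannot be
    replayed; the server must check those too."""
    tag = hmac.new(key, canonical_bytes(txn), hashlib.sha256).hexdigest()
    return {**txn, "mac": tag}


def verify_transaction(signed, key):
    """Recompute the tag over every field except the tag itself and compare in
    constant time; any altered amount, account, nonce or timestamp fails."""
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("mac", ""))


if __name__ == "__main__":
    # Constructed transaction for the demonstration
    txn = {"from": "ACC-1", "to": "ACC-2", "amount": "100.00",
           "ts": "2006-11-01T10:00:00Z", "nonce": "n1"}
    signed = sign_transaction(txn, DEMO_KEY)
    print(verify_transaction(signed, DEMO_KEY))
```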

25
How to combat phishing?
  • 7. Image Regulation
  • Image Cycling
  • Session-bound images

26
Organizations
  • Anti-Phishing Working Group (APWG)
  • The APWG has over 2300 members from over 1500
    companies and agencies worldwide. Member companies
    include leading security companies such as
    Symantec, McAfee and VeriSign. Financial industry
    members include the ING Group, VISA, Mastercard
    and the American Bankers Association.

27
What does all the above imply?
  • It is better to be safer now than feel sorry
    later.

28
References
  • http://www.antiphishing.org/reports/apwg_report_november_2006.pdf
  • http://72.14.235.104/search?q=cache:-T6-U5dhgYAJ:www.avira.com/en/threats/what_is_phishing.html+Phishing+consequences&hl=en&gl=in&ct=clnk&cd=7
    (Google cache of www.avira.com/en/threats/what_is_phishing.html)
  • Phishing-dhs-report.pdf
  • Report_on_phishing.pdf
  • http://www.cert-in.org.in/training/15thjuly05/phishing.pdf
  • http://www.antiphishing.org/consumer_recs.html

29
  • Questions?

30
  • Thank You!