Phishing

1
Phishing
2
Definition

• It is the act of tricking someone into giving
  confidential information (like passwords and
  credit card information) on a fake web page or
  email form pretending to come from a legitimate
  company (like their bank).
• For example Sending an e-mail to a user
  falsely claiming to be an established legitimate
  enterprise in an attempt to scam the user into
  surrendering private information that will be
  used for identity theft.

3
Examples
4
Examples
5
Examples
6
Types of Phishing

• Deceptive - Sending a deceptive email, in bulk,
  with a call to action that demands the
  recipient click on a link.

7
Types of Phishing

• Malware-Based - Running malicious software on the
  users machine. Various forms of malware-based
  phishing are
• Key Loggers Screen Loggers
• Session Hijackers
• Web Trojans
• Data Theft

8
Types of Phishing

• DNS-Based - Phishing that interferes with the
  integrity of the lookup process for a domain
  name. Forms of DNS-based phishing are
• Hosts file poisoning
• Polluting users DNS cache
• Proxy server compromise

9
Types of Phishing

• Content-Injection Inserting malicious content
  into legitimate site.
• Three primary types of content-injection
  phishing
• Hackers can compromise a server through a
  security vulnerability and replace or augment the
  legitimate content with malicious content.
• Malicious content can be inserted into a site
  through a cross-site scripting vulnerability.
• Malicious actions can be performed on a site
  through a SQL injection vulnerability.

10
Types of Phishing

• Man-in-the-Middle Phishing - Phisher positions
  himself between the user and the legitimate site.

11
Types of Phishing

• Search Engine Phishing - Create web pages for
  fake products, get the pages indexed by search
  engines, and wait for users to enter their
  confidential information as part of an order,
  sign-up, or balance transfer.

12
Causes of Phishing

• Misleading e-mails
• No check of source address
• Vulnerability in browsers
• No strong authentication at websites of banks and
  financial institutions
• Limited use of digital signatures
• Non-availability of secure desktop tools
• Lack of user awareness
• Vulnerability in applications
• and more

13
Effects of Phishing

• Internet fraud
• Identity theft
• Financial loss to the original institutions
• Difficulties in Law Enforcement Investigations
• Erosion of Public Trust in the Internet.

14
Industries affected

• Major industries affected are
• Financial Services
• ISPs
• Online retailers

15
Phishing Trends
16
Phishing Trends
17
How to combat phishing?

• Educate application users
• Think before you open
• Never click on the links in an email , message
  boards or mailing lists
• Never submit credentials on forms embedded in
  emails
• Inspect the address bar and SSL certificate
• Never open suspicious emails
• Ensure that the web browser has the latest
  security patch applied
• Install latest anti-virus packages
• Destroy any hard copy of sensitive information
• Verify the accounts and transactions regularly
• Report the scam via phone or email.

18
How to combat phishing?

• Formulate and enforce Best practices
• Authorization controls and access privileges for
  systems, databases and applications.
• Access to any information should be based on
  need-to-know principle
• Segregation of duties.
• Media should be disposed only after erasing
  sensitive information.

19
How to combat phishing?

• Reinforce application development / maintenance
  processes
• 1. Web page personalization
• Using two pages to authenticate the users.
• Using Client-side persistent cookies.

20
How to combat phishing?

• 2. Content Validation
• Never inherently trust the submitted data
• Never present the submitted data back to an
  application user without sanitizing the same
• Always sanitize data before processing or storing
• Check the HTTP referrer header

21
How to combat phishing?

• 3. Session Handling
• Make session identifiers long, complicated and
  difficult to guess.
• Set expiry time limits for the SessionIDs and
  should be checked for every client request.
• Application should be capable of revoking active
  SessionIDs and not recycle the same SessionID.
• Any attempt the invalid SessionID should be
  redirected to the login page.
• Never accept session information within a URL.
• Protect the session via SSL.
• Session data should be submitted as a POST.
• After authenticating, a new SessionID should be
  used (HTTP HTTPS).
• Never let the users choose the SessionID.

22
How to combat phishing?

• 4. URL Qualification
• Do not reference redirection URL in the browsers
  URL
• Always maintain a valid approved list of
  redirection urls
• Never allow customers to supply their own URLs
• Never allow IP addresses to be user in URL
  information

23
How to combat phishing?

• 5. Authentication Process
• Ensure that a 2-phase login process is in place
• Personalize the content
• Design a strong token-based authentication

24
How to combat phishing?

• 6. Transaction non-repudiation
• To ensure authenticity and integrity of the
  transaction

25
How to combat phishing?

• 7. Image Regulation
• Image Cycling
• Session-bound images

26
Organizations

• Anti-Phishing Working Group (APWG)
• The APWG has over 2300 members from over 1500
  companies agencies worldwide. Member companies
  include leading security companies such as
  Symantec, McAfee and VeriSign. Financial Industry
  members include the ING Group,VISA, Mastercard
  and the American Bankers Association.

27
What does all the above imply?

• It is better to be safer now than feel sorry
  later.

28
References

• http//www.antiphishing.org/reports/apwg_report_no
  vember_2006.pdf
• http//72.14.235.104/search?qcache-T6-U5dhgYAJw
  ww.avira.com/en/threats/what_is_phishing.htmlPhis
  hingconsequenceshlenglinctclnkcd7
• Phishing-dhs-report.pdf
• Report_on_phishing.pdf
• http//www.cert-in.org.in/training/15thjuly05/phis
  hing.pdf
• http//www.antiphishing.org/consumer_recs.html

29

• Questions?

30

• Thank You!