Post on 24-Feb-2016
Phishing: Trends and Countermeasures
Blaine Wilson
Phishing
• What is Phishing
• History of Phishing
• Types of Phishing
• Examples
• What can we do
What is Phishing
• Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication
History of Phishing
• First documented in 1987
• First called "phishing" in 1996
• Switched to financial institutions in 2001
• 2005: 1.2 million impacted, $929 million
• 2006: half done by the Russian Business Network
• 2007: 3.6 million impacted, $3.2 billion
Targets of Phishing
• Phishing – mass mailing, same lure sent to everyone
• Spear phishing – aimed at a specific person or organization
• Whaling – spear phishing aimed at executives
Types of Phishing
• Link manipulation
• Phone phishing
Link manipulation
• Tampering with the link to fool users
– www.greatamercianinsurance.com (misspelled look-alike of the real domain)
– www.google.com@badsite.com (everything before the @ is "userinfo"; the browser connects to badsite.com)
• Link text not matching the actual target of the link
• Using images as links, so no URL is shown to the user
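The three tricks above can be caught mechanically before a message reaches a user. The following is an added example, not code from the presentation: it parses the anchors out of an HTML fragment, resolves the real host the browser would connect to (so the userinfo trick is exposed), flags IP-literal hosts and image-only links, compares the visible link text with the real destination, and compares the destination against an assumed allow-list of the organization's own domain using edit distance to spot misspelled look-alikes. The trusted-domain set and the sample e-mail fragment are constructed for this example.

```python
"""Detect the link-manipulation tricks listed on the slide.

Added example; not part of the original presentation.  TRUSTED_DOMAINS
and SAMPLE_EMAIL are constructed values for illustration only.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organisation uses one consistent domain for all mail links.
TRUSTED_DOMAINS = {"greatamericaninsurance.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (one-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels.  Good enough for .com-style hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze_url(href: str, text: str = "") -> list[str]:
    """Return the reasons a link looks manipulated (empty list = nothing found)."""
    findings = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = parts.hostname or ""

    # www.google.com@badsite.com: urlsplit puts "www.google.com" in username
    # and the browser connects to what follows the "@".
    if parts.username is not None:
        findings.append(f"userinfo trick: real host is {host!r}")

    if is_ip_literal(host):
        findings.append(f"IP-literal host {host!r}")

    # Misspelled look-alike of a domain we trust (distance <= 2 edits).
    reg = registrable(host)
    if reg not in TRUSTED_DOMAINS and not is_ip_literal(host):
        for good in TRUSTED_DOMAINS:
            if levenshtein(good, reg) <= 2:
                findings.append(f"lookalike of {good!r}: {reg!r}")

    # Visible text that itself looks like a URL but points elsewhere.
    m = re.search(r"(?:https?://)?(?:www\.)?([\w.-]+\.\w+)", text)
    if m and registrable(m.group(1)) != reg:
        findings.append(f"text says {m.group(1)!r}, link goes to {host!r}")
    return findings


class AnchorCollector(HTMLParser):
    """Collect (href, visible text, contains_image) for every <a> in a fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._cur = [a.get("href", ""), "", False]
        elif tag == "img" and self._cur is not None:
            self._cur[2] = True

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.anchors.append(tuple(self._cur))
            self._cur = None


def scan_html(fragment: str) -> dict[str, list[str]]:
    """Map each suspicious href in the fragment to its list of findings."""
    p = AnchorCollector()
    p.feed(fragment)
    report = {}
    for href, text, has_img in p.anchors:
        f = analyze_url(href, text)
        if has_img and not text.strip():
            f.append("image-only link: destination is not visible to the user")
        if f:
            report[href] = f
    return report


# Constructed sample: one legitimate link and four manipulated ones.
SAMPLE_EMAIL = """
<p>Your policy needs attention. Log in at
<a href="http://www.greatamercianinsurance.com/login">www.greatamericaninsurance.com</a>
or <a href="http://www.google.com@badsite.com/">www.google.com</a>
or <a href="http://192.0.2.10/verify">secure portal</a>.
<a href="http://badsite.com/img"><img src="cid:logo"></a>
<a href="https://www.greatamericaninsurance.com/">our site</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_EMAIL).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

Only the last anchor, whose host is on the trusted list, comes back clean; the misspelled domain is reported both as a look-alike and as a text/target mismatch, and the `@` form is reported with the host the browser would really reach. The two-label `registrable()` heuristic is deliberately simple; a production filter should use the Public Suffix List so that hosts such as `example.co.uk` are handled correctly.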
Phone phishing
• The message gives a phone number to call instead of a link; the number is answered by the attacker (also called vishing)
Examples
What can we do
• Law enforcement
• Industry
• Consumers
• Us
Law enforcement
• Law
– CAN-SPAM Act of 2003
– Anti-Phishing Act of 2005
• Enforcement
– 2004: Federal Trade Commission files charges
– 2005: 117 federal lawsuits filed
– 2007: first defendant convicted under CAN-SPAM
Industry
• Eliminating phishing emails
• Monitoring and takedown of phishing sites
• Browsers alerting users to fraudulent websites
Users and Consumers
• Training like Anti-Phishing Phil
– Trains users to look at the URL
– IP addresses used in place of a domain name
– Misspelled domain names
Us
• Take the training ourselves and pay attention
• Don't condition users to click on links that use raw IP addresses
• Use one consistent domain and suffix for everything we send
• Don't reduce the security settings of the browser
• Personalize the login process so users can tell our site from a copy
• Protect against cross-site request forgery (CSRF)
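The last item above is the one that is purely a coding task. Here is an added example of the synchronizer-token pattern, not code from the presentation: a per-session secret is issued once, embedded in every state-changing form, and compared in constant time on each POST; the Origin header is checked as an independent second layer. The `session`, `form` and `headers` dicts are assumed stand-ins for a real web framework's objects, and ALLOWED_ORIGIN is an assumed site origin.

```python
"""Synchronizer-token CSRF check for a form handler.

Added example; not code from the presentation.  `session`, `form` and
`headers` are plain dicts standing in for a framework's session store,
parsed POST body and request headers.  ALLOWED_ORIGIN is assumed.
"""
import hmac
import secrets

ALLOWED_ORIGIN = "https://www.greatamericaninsurance.com"  # assumed site origin


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating it on first use.

    Embed the returned value as a hidden field in every state-changing form.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def verify_csrf_token(session: dict, submitted) -> bool:
    """Constant-time comparison of the submitted field against the session token."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    # Compare as bytes so a non-ASCII submission cannot raise instead of failing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_post(session: dict, form: dict, headers: dict) -> tuple[int, str]:
    """Reject forged cross-site POSTs before any application logic runs."""
    origin = headers.get("Origin")
    # Browsers send Origin on cross-site POSTs; an attacker's page cannot forge it.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, "cross-origin request"
    # A forged request has no way to read the victim's token, so it fails here.
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"


def run_scenarios() -> dict[str, int]:
    """Exercise the handler with constructed requests; returns scenario -> status."""
    session = {}
    token = issue_csrf_token(session)
    legit = {"csrf_token": token, "action": "change-email"}
    return {
        "legitimate": handle_post(session, legit, {"Origin": ALLOWED_ORIGIN})[0],
        # Some clients omit Origin; the token alone still protects the request.
        "no_origin_header": handle_post(session, legit, {})[0],
        "forged_cross_site": handle_post(
            session, {"action": "change-email"}, {"Origin": "https://badsite.com"})[0],
        "forged_guessed_token": handle_post(
            session, {"csrf_token": "A" * 43, "action": "change-email"},
            {"Origin": ALLOWED_ORIGIN})[0],
        # Token from an old session presented against a fresh one.
        "stale_session": handle_post({}, legit, {"Origin": ALLOWED_ORIGIN})[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:22} -> {status}")
```

The token is tied to the session rather than to a single form so that a user with several tabs open does not get spurious failures; rotate it on login and logout so a token captured before authentication is useless afterwards.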
Questions?