Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.


Phishing and Pharming: New Identity Theft Threats

Presentation by Jason Guthrie

Outline

• Phishing
– Defined
– How Phishing Works
– Phishing Damage
– What Phishing Looks Like
– Prevention

• Pharming
– How Pharming Works
– Prevention

Phishing Defined

“Phishing is a form of criminal activity using social engineering techniques, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message.”

– Wikipedia

How Phishing Works

• “Legitimate” emails seem to originate from trusted sources – banks or online retailers

• Social engineering tactics convince the reader that their information is needed
– Fear is the #1 tactic
– Solicitation of help

• Links and email look very real
– Account Update
– http://www.ebay.com/myaccount/update.asp

How Phishing Works

• Techniques
– Misspelled URLs (http://www.welllsfargo.com/account)
– Spoofing URLs (http://[email protected])
– JavaScript
– Cross Site Scripting
– International Domain Names

How Phishing Works

• The Stolen Results
– Voluntary! Remember you gave it to them.
– Login
• Username
• Password
– Update Information
• Social Security Number
• Address
• Bank Account Number
• Credit Card Number

Phishing Damage

• Monetary
– Between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million
– U.S. companies lose more than $2 billion annually as their clients fall victim

• Identity
– New credit cards, loans, apartments, bank accounts, etc.

Phishing Damage

Courtesy of: The Anti-Phishing Working Group

Phishing Targets

Courtesy of: The Anti-Phishing Working Group

Phishing Targets

• Users lack computer knowledge
– Elderly

• Users lack security knowledge
– Elderly
– Teens
– New Computer Users
– Infrequent Computer Users

What Phishing Looks Like

#1: The link that appears legitimate

#2: The actual destination when you click on the link

Phishing Test

Real or Fake? Real!

Phishing Test

Real or Fake? Fake!

Phishing Test

Real or Fake? Fake!

Phishing Test

• For the complete test go to: http://survey.mailfrontier.com/survey/quiztest.html

• A similar test was conducted by Rachna Dhamija, J.D. Tygar, and Marti Hearst with 20 websites and emails
– 12 were fraudulent
– 8 were legitimate

Phishing Test Results

How to Detect Phishing

• Software
– Specialized “Anti-Phishing” Software
– Spam filters
– Challenge Questions
– Firefox
– Opera
– IE 7

Prevention

• Education, education, education

• Look out for:
– Misspelled words
– “Dear Valued Customer”
– Beware of the @ sign
– Unusual company behavior

• Go to websites directly from the browser
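As an added example (not part of the presentation), a Python link check that covers the tricks listed under How Phishing Works and the “look out for” items above: the @ sign, misspelled look-alike domains, internationalized (punycode) host names, and link text whose host differs from the real destination. The brand allowlist and the 203.0.113.5 address used in the comments are constructed for illustration.

```python
# Added example: inspect a link the way a cautious reader (or a mail filter) would.
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist of brands the check knows about (assumption, not from the slides).
KNOWN_BRANDS = {"ebay.com", "paypal.com", "wellsfargo.com"}


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character misspellings such as welllsfargo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude 'brand.tld' extraction: the last two labels (assumes no ccSLDs like .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_link(display_text, href):
    """Return a list of warnings for a link whose visible text is display_text."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    # "@" trick: everything before @ is userinfo; the browser connects to what follows it.
    if parts.username is not None:
        warnings.append(f"'@' trick: browser goes to {host}, not {parts.username}")
    # A bare IP address (e.g. constructed 203.0.113.5) is unusual for a bank or retailer.
    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a bare IP address")
    except ValueError:
        pass
    # International domain names reach the wire as punycode labels starting with xn--.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (punycode) host name")
    # Misspelled look-alikes: close to a known brand but not equal to it.
    domain = registrable(host)
    if domain not in KNOWN_BRANDS:
        for brand in sorted(KNOWN_BRANDS):
            if 0 < levenshtein(domain, brand) <= 2:
                warnings.append(f"{domain} looks like {brand}")
    # Slide #1 vs #2: the link text shows one host, the href goes somewhere else.
    shown = urlsplit(display_text.strip())
    if shown.hostname and shown.hostname.lower() != host:
        warnings.append(f"text shows {shown.hostname} but link goes to {host}")
    return warnings
```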

How to Detect Phishing

• Other Resources:
– McAfee’s Whitepaper: “Anti-Phishing: Best Practices for Institutions and Consumers”
– Why Phishing Works – study by Dhamija, Tygar, and Hearst
– The FTC “How Not to Get Hooked by a ‘Phishing’ Scam” website

Phishing’s Evil Cousin

• People are educating themselves and foiling many phishers
– Leading many to develop more malicious tools
• Pharming
• Spam
• Viruses
• Password Stealing Software

– Same end result, different method

How Pharming Works

• Email Viruses
– Alters the computer’s hosts file

• DNS Poisoning
– Nothing on your computer changes
– The company’s website is “hijacked”
– Google and Panix.com are recent examples

• Detection is very difficult

Prevention

• Burden lies on businesses
– Server-side scripts
– Digital Certificates

• Browsers can help identify originating location
– US customers would be wary of a bank IP address from Russia

Conclusion

• Educate yourself!

• Keep web applications up-to-date
– “Check for Updates” button

• Be cautious
– If it seems suspicious, don’t take a chance