PHISHING BASICS Pronounced "fishing The word has its Origin from two words Password Harvesting or fishing for Passwords Phishing is an online form of pretexting, a kind of deception in which an attacker pretends to be someone else in order to obtain sensitive information from the victim Also known as "brand spoofing Phishers are phishing artists

Dept. of I&CT, MIT, Manipal

COMPARISON TO SPAM The purpose of a phishing message is to acquire sensitive information about a user. For doing so the message needs to deceive the intended recipient. So it doesnt contains any useful information and hence falls under the category of spam. A spam message tries to sell a product or service, whereas phishing message needs to look like it is from a legitimate organization. Techniques applied to spam message cant be applied naively to phishing messages.

Dept. of I&CT, MIT, Manipal

ANATOMY OF PHISHING MESSAGEA raw phishing message can be split into two components: Content Headers

Dept. of I&CT, MIT, Manipal

ANATOMY OF PHISHING MESSAGE

Sting

Dept. of I&CT, MIT, Manipal

CONTENTIt is further subdivided into two parts:

Cover Sting

Dept. of I&CT, MIT, Manipal

HEADERSIt is further subdivided into two parts:

Mail clients Mail relays

Dept. of I&CT, MIT, Manipal

WHY PHISHING ATTACK!Lack of Knowledge computer system security and security indicators web fraud Visually deceptive text Images masking underlying text

Visual Deception

Dept. of I&CT, MIT, Manipal

Lack of computer knowledgewww.ebay.com www.ebay-memberssecurity.com

Dept. of I&CT, MIT, Manipal

Lack of knowledge of security and security indicators

Dept. of I&CT, MIT, Manipal

Lack of knowledge of web-fraud

Dept. of I&CT, MIT, Manipal

Visually Deceptive TextOriginal website Phishing website

Dept. of I&CT, MIT, Manipal

Image Masking Underlying Text

Dept. of I&CT, MIT, Manipal

MANTRA OF PHISHERS

Succ

Decei t

attack

Neglect

ConfigurationDept. of I&CT, MIT, Manipal

Legal Response In the United State, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 in Congress on March 1, 2005.

Dept. of I&CT, MIT, Manipal

How to Avoid being a Phishing victim1. Never respond to requests for personal information via email. When in doubt, call the institution that claims to have sent you the email. E.g. Dear Sir or Madam rather than Dear Dr. Phatak 2. If you suspect the message might not be authentic, don't use the links within the email to get to a web page. 3. Never fill out forms in email messages that ask for confidential information

Dept. of I&CT, MIT, Manipal

How to Avoid being a Phishing victim

Dept. of I&CT, MIT, Manipal

How to Avoid being a Phishing victim4. Always ensure that you're using a secure website when submitting credit card or other sensitive information via your web browser check the beginning of the Web address in your browsers address bar - it should be https:// rather than just http:// look for the locked padlock icon on yourDept. of I&CT, MIT, Manipal

How to Avoid being a Phishing victim5.Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate and if anything is suspicious, contact your bank and all card issuers immediately is up-to-date and that latest security patches are applied

6. Ensure that your browser and OS software

Dept. of I&CT, MIT, Manipal

How to Avoid being a Phishing victim7. Verify the real address of a web site. javascript:alert("The actual URL of this site has been verified as: " + location. protocol + "//" + location. hostname +"/");

Dept. of I&CT, MIT, Manipal

ANALYSIS OF A PHISHING DATABASEThe Anti Phishing Working Group maintains a Phishing Archive Certificate (digital certificate, public key certificate) Certificate Authority (CA) HTTPS Secure Sockets Layer (SSL) and Transport Layer Security(TLS)

Dept. of I&CT, MIT, Manipal

MANTRA OF VICTIMS

Un-

F act

attack

Solution

MythsDept. of I&CT, MIT, Manipal

REFERENCES1. 2. 3. 4. 5. 6. 7. 8. 9. Cannon, J.C. Privacy. Pearson Education, 2005. Hilley, Sarah. Internet war: picking on the finance Sectorsurvey. Computer Fraud & Security, October 2006. Bellowing, Steven. Spamming, Phishing, Authentication and Privacy. Inside Risks, December 2004 Mulrean, Jennifer. Phishing scams: How to avoid Getting hooked. Dollar Wise. Hunter, Philip. Microsoft declares war on phishers. Computer Fraud & Security May 2006: Google. http://www.google.com Anti-Phishing Working Group. Phishing Activity Trends Report November 2005 Anti-Phishing Working Group Phishing Archive. http://antiphishing.org/phishing_archive.htm Ba, S. & P. Pavlov. Evidence of the Effect of Trust Building Technology in Electronic Markets: Price Premiums and Buyer Behavior.

Dept. of I&CT, MIT, Manipal

Dept. of ICT, MIT, Manipal

THANK YOUDept. of I&CT, MIT, Manipal