Phishing, Spoofing, Spamming and Security (PDF transcript, 17 pages)

Page 1:

Phishing, Spoofing, Spamming and Security

How To Protect Yourself

Additional Credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from Anti-Phishing Workgroup’s Phishing Archive, Carnegie Mellon CyLab

Dr. Harold L. “Bud” Cothern

Page 2:

Recognize Phishing Scams and Fraudulent E-mails

• Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information.

• Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.

Page 3:

History of Phishing

Phreaking + Fishing = Phishing

- Phreaking = making phone calls for free back in the 70’s
- Fishing = Use bait to lure the target

Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: Similar names ( www.ao1.com for www.aol.com ), social engineering

Phishing in 2001
Target: Ebayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: Same as in 1995, plus keyloggers

Phishing in 2007
Target: Paypal, banks, ebay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation

Page 4:

• 2,000,000 emails are sent
• 5% get to the end user – 100,000 (APWG)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site – 100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000

A bad day phishin’ beats a good day workin’

In 2005 David Levi made over $360,000 from 160 people using an eBay Phishing scam

Page 5:

Phishing: A Growing Problem

• Over 28,000 unique phishing attacks reported in Dec. 2006, about double the number from 2005
• Estimates suggest phishing affected 2 million US citizens and cost businesses billions of dollars in 2005
• Additional losses due to consumer fears

Page 6:

What Does a Phishing Scam Look Like?

• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.

• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

Page 7:

Current Phishing Techniques

• Employ visual elements from target site
• DNS Tricks:
  – www.ebay.com.kr
  – [email protected]
  – www.gooogle.com
  – Unicode attacks
• JavaScript Attacks
  – Spoofed SSL lock
• Certificates
  – Phishers can acquire certificates for domains they own
  – Certificate authorities make mistakes

Page 8:

The following is an example of what a phishing scam e-mail message might look like:

[Image: example of a phishing e-mail message, including a deceptive URL address linking to a scam Web site]

To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site (1), but it actually takes you to a phony scam site (2) or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called "spoofed" Web sites. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists.

Page 9:

Spear-Phishing: Improved Target Selection

• Socially aware attacks
  – Mine social relationships from public data
  – Phishing email appears to arrive from someone known to the victim
  – Use spoofed identity of trusted organization to gain trust
  – Urge victims to update or validate their account
  – Threaten to terminate the account if the victims do not reply
  – Use gift or bonus as a bait
  – Security promises

• Context-aware attacks
  – “Your bid on eBay has won!”
  – “The books on your Amazon wish list are on sale!”

Page 10:

Another Example:

Page 11:

But wait…

WHOIS 210.104.211.21:
Location: Korea, Republic Of

Even bigger problem: I don’t have an account with US Bank!

Images from Anti-Phishing Working Group’s Phishing Archive

Page 12:

How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for if you think an e-mail message is a phishing scam.

• "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

• "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.

Page 13:

How To Tell If An E-mail Message is Fraudulent (cont’d)

• "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

• "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.

• Notice in the following example that resting the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

[Image: example of a masked URL address]
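The phrases listed on pages 12 and 13 ("Verify your account", "within 48 hours", "Dear Valued Customer", "click the link below") are easy to turn into a first-pass mail filter. The Python scanner below is an added example, not part of the deck or of any vendor product; the indicator weights, the classification threshold and the two sample messages are constructed for the example and should be tuned against your own mail.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicator phrases taken from the slides. The weights are an assumption made
# for this example, not a figure from the deck; tune them on your own corpus.
INDICATORS = [
    (r"verify your account", "asks you to verify the account", 2),
    (r"update your (credit card|account|billing) information", "asks for payment or account data", 3),
    (r"within \d+ hours", "artificial deadline", 2),
    (r"account (will|may) be (closed|suspended|terminated)", "threatens account closure", 2),
    (r"dear valued customer", "generic greeting instead of your name", 1),
    (r"click(ing)? the link below", "urges you to follow an embedded link", 1),
    (r"(may|might) have been compromised", "claims the account is compromised", 2),
    (r"(password|login name|social security number)", "requests credentials or SSN", 3),
]


@dataclass
class Finding:
    phrase: str   # the text that matched
    reason: str   # why it is suspicious
    weight: int   # contribution to the score


def scan_message(body: str) -> List[Finding]:
    """Return one Finding per indicator phrase present in the message body."""
    # Collapse case and whitespace so a line break inside a phrase does not hide it.
    text = " ".join(body.lower().split())
    findings = []
    for pattern, reason, weight in INDICATORS:
        m = re.search(pattern, text)
        if m:
            findings.append(Finding(m.group(0), reason, weight))
    return findings


def risk_score(body: str) -> int:
    return sum(f.weight for f in scan_message(body))


def classify(body: str, threshold: int = 4) -> str:
    """The threshold is an assumed cut-off: one weak indicator alone is not enough."""
    return "likely phishing" if risk_score(body) >= threshold else "no strong indicators"


# Constructed sample messages (not taken from the deck's phishing archive images).
SAMPLE_PHISH = """Dear Valued Customer,
We have detected unusual activity. Please verify your account by clicking
the link below. If you don't respond within 48 hours, your account will be
closed. Your account might have been compromised."""

SAMPLE_LEGIT = """Hi Dana,
Your statement for March is now available. Sign in from the address you
normally use to view it. No action is required."""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, risk_score(body), classify(body))
        for f in scan_message(body):
            print("   ", repr(f.phrase), "->", f.reason)
```

The scanner is deliberately conservative: a generic greeting on its own scores below the threshold, while the combination of a verification request, a deadline and a closure threat, which the deck describes as the typical pattern, scores well above it. It complements, rather than replaces, the link checks on the following pages, since a well-written phishing mail can avoid every stock phrase.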

Page 14:

How To Tell If An E-mail Message is Fraudulent (cont’d)

Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as:

www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
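The link tricks on page 7 (www.ebay.com.kr, a user@host URL, www.gooogle.com, Unicode hosts), the masked link with "cryptic numbers" on page 13 and the altered spellings on this page can all be checked mechanically before anyone hovers over a link. The Python link checker below is an added example, not code from the deck or from any vendor: it pulls every anchor out of an HTML message, compares the visible text with the real target, and flags the patterns the slides describe. The trusted-domain list, the flag names and the sample HTML body (using the documentation address 203.0.113.5) are assumptions constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Domains treated as genuine. An assumed allow-list for this example; in
# practice take it from your own brand and vendor inventory.
TRUSTED_DOMAINS = {"microsoft.com", "ebay.com", "google.com", "paypal.com"}
BRANDS = sorted(d.split(".")[0] for d in TRUSTED_DOMAINS)


class _AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    p = _AnchorExtractor()
    p.feed(html)
    return p.links


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one or two added, missing or swapped letters score 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze_url(href: str, visible_text: str = "") -> List[str]:
    """Return the reasons a link looks deceptive; an empty list means none found."""
    flags: List[str] = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = (parsed.hostname or "").lower()

    # user@host: the browser ignores everything before '@'; the real host follows it.
    if parsed.username is not None:
        flags.append("userinfo-before-@")
    # A raw IP address where a company name is expected (the "cryptic numbers").
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    # Internationalised (punycode or non-ASCII) host: Unicode look-alike characters.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("idn-host")

    if not is_trusted(host):
        # Brand name inside an unrelated domain: www.ebay.com.kr, www.verify-microsoft.com.
        flags += [f"brand-in-untrusted-domain:{b}" for b in BRANDS if b in host]
        # Typo-squat: a label within two edits of a brand (gooogle, micosoft, mircosoft).
        # The leading "www" and the top-level label are skipped to avoid noise.
        for label in [lab for lab in host.split(".")[:-1] if lab != "www"]:
            for b in BRANDS:
                if label != b and 0 < edit_distance(label, b) <= 2:
                    flags.append(f"lookalike:{label}~{b}")

    # Masked link: the visible text names one host, the href goes to another.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible_text.lower())
    if m and m.group(1) != host and not host.endswith("." + m.group(1)):
        flags.append(f"masked-link:{m.group(1)}->{host}")
    return flags


def analyze_html_email(html: str) -> Dict[str, List[str]]:
    """Map each href in the mail body to its flags."""
    return {href: analyze_url(href, text) for href, text in extract_links(html)}


# Constructed HTML body; 203.0.113.5 is a documentation address, not a real site.
SAMPLE_HTML = """<p>Dear Valued Customer,</p>
<p><a href="http://www.ebay.com@203.0.113.5/login">https://www.ebay.com/signin</a></p>
<p><a href="http://www.verify-microsoft.com/update">Microsoft Account Services</a></p>
<p><a href="https://www.ebay.com/help">https://www.ebay.com/help</a></p>"""

if __name__ == "__main__":
    for href, flags in analyze_html_email(SAMPLE_HTML).items():
        print(href, "->", flags or ["ok"])
```

Two design points matter in practice. First, the trusted-domain test uses the host's suffix, so www.ebay.com.kr is not treated as eBay even though it contains the brand; a production version would consult the public suffix list instead of the two-label shortcut used here. Second, the masked-link check compares the host named in the visible text with the host in the href, which is exactly the mismatch page 13 tells the reader to spot by hovering, only done for every link at once.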

Page 15:

• Never respond to an email asking for personal information
• Always check the site to see if it is secure. Call the phone number if necessary
• Never click on the link in the email. Retype the address in a new window
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall

P.S: Always shred your home documents before discarding them.

Page 16:

Install the Microsoft Phishing Filter Using Internet Explorer 7 or Windows Live Toolbar

Phishing Filter (http://www.microsoft.com/athome/security/online/phishing_filter.mspx) helps protect you from Web fraud and the risks of personal data theft by warning or blocking you from reported phishing Web sites.

• Install up-to-date antivirus and antispyware software. Some phishing e-mail contains malicious or unwanted software (like keyloggers) that can track your activities or simply slow your computer.

• Numerous antivirus programs exist as well as comprehensive computer maintenance services like Norton Utilities. To help prevent spyware or other unwanted software, download Windows Defender.

Page 17:

Thank You For Your