Phishing: Trends and Countermeasures

Post on 24-Feb-2016


Blaine Wilson

Phishing

• What is Phishing
• History of Phishing
• Types of Phishing
• Examples
• What can we do

What is Phishing

• Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication

History of Phishing

• First documented in 1987
• First called Phishing in 1996
• Switched to financial institutions in 2001
• 2005, 1.2 million impacted, $929 million
• 2006, half done by Russian Business Network
• 2007, 3.6 million impacted, $3.2 billion

Targets of Phishing

• Phishing
• Spear Phishing
• Whaling

Types of Phishing

• Link manipulation
• Phone phishing

Link manipulation

• Tampering with the link to fool users
  – www.greatamercianinsurance.com
  – www.google.com@badsite.com
• Text not matching the link
• Using images for links

Phone phishing

• Leaving a phone number instead of a website

Examples

What can we do

• Law enforcement
• Industry
• Consumers
• us

Law enforcement

• Law
  – CAN-SPAM Act of 2003
  – Anti-Phishing Act of 2005
• Enforcement
  – 2004 Federal Trade Commission files charges
  – 2005 files 117 federal lawsuits
  – 2007 – first defendant of CAN-SPAM

Industry

• Eliminating phishing emails
• Monitoring and takedown of phishing sites
• Browsers alerting users to fraudulent websites

Users and Consumers

• Training like Anti-Phishing Phil
  – Trains users to look at the URL
  – TCP/IP addresses
  – Misspelling
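The URL checks this training teaches, together with the link-manipulation tricks listed on the earlier slide, can also be applied automatically to links in incoming mail. The Python sketch below is an added example, not part of the original slides; the allow-list, the function names and the edit-distance threshold of 2 are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: allow-list of domains the organisation really uses (constructed).
TRUSTED = {"google.com", "greatamericaninsurance.com"}

def parse(url):
    # The slide examples omit the scheme; add "//" so urlsplit sees an authority.
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "//" + url
    return urlsplit(url)

def registered(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):
    # Plain Levenshtein distance, computed row by row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(href, text=""):
    """Return the list of warning labels for one link (href plus visible text)."""
    findings = []
    parts = parse(href.strip())
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        findings.append("userinfo")        # trusted-looking name before '@'
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal")      # raw address instead of a name
    except ValueError:
        reg = registered(host)
        if reg not in TRUSTED and any(edit_distance(reg, t) <= 2 for t in TRUSTED):
            findings.append("lookalike")   # near-miss spelling of a trusted domain
    text = text.strip()
    if "." in text and " " not in text:    # visible text is itself a URL
        shown = parse(text).hostname or ""
        if registered(shown) != registered(host):
            findings.append("text-mismatch")
    return findings
```

Links rendered as images carry no visible text to compare, so for those only the href checks apply.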

us

• Take training ourselves and pay attention
• Don’t condition users to click on TCP/IP addresses
• Get a consistent domain and suffix
• Don’t reduce the security settings of the browser
• Personalize the login process
• Protect against cross-site request forgery

Questions?