PHISHING

1
PHISHING
VENKAT DEEP RAJAN SUMALATHA REDDY
KARTHIK INJARAPU CPSC 620 CLEMSON UNIVERSITY
2
INTRODUCTION

• Identity Theft
• Number of phishing cases escalating in number
• Customers tricked into submitting their personal
  data

3
Phishing .. ?

• Defined as the task of sending an email, falsely
  claiming to be an established enterprise in an
  attempt to scam a user into surrendering private
  information
• Redirects user to a scam website, where the user
  is asked to submit his private data.
• Derivation of the word phishing

4
Social Engineering Factors

• Phishing attacks rely on a combination of
  technical deceit and social engineering practices
  
• Phisher persuades the victim to perform some
  series of actions
• Phisher impersonates a trusted source for the
  victim to believe

5
How does it look .. ?

• Sophisticated e-mail messages and pop-up windows.
  
• Official-looking logos from real organizations

6
A Phishing mail
7
Another example
8
Delivery Techniques

• Mails or spams
• Most common way and done by utilizing spam tools.
• Web-sites
• Embedding malicious content into the website.

9
Delivery Techniques

• Redirecting
• Cheat the customer to enter illicit website.
• Trojan horse
• Capturing home PCs and utilizing them to
  propagate the attacks.

10
Attack Techniques

• Man-in-the-middle Attacks
• URL Obfuscation Attacks
• Cross-site Scripting Attacks
• Preset Session Attack
• Hidden Attacks

11
Man-in-the-middle Attacks
12
Cross-site Scripting Attacks
13
Preset Session Attack
14
Defensive mechanisms

• Client-Side
• Server-Side
• Enterprise Level

15
Client-Side

• Desktop Protection Technologies
• Browser Capabilities
• Digitally signed Emails
• User-application level monitoring solutions

16
Desktop Protection Technologies

• Local Anti-Virus protection
• Personal Firewall
• Personal IDS
• Personal Anti-Spam
• Spy ware Detection

17
Browser Capabilities

• Disable all window pop-up functionality
• Disable Java runtime support
• Disable ActiveX support
• Disable all multimedia and auto-play/auto-execute
  extensions
• Prevent the storage of non-secure cookies

18
Digitally Signed Email
19
Server-side

• Validating Official Communications
• Strong token based authentication

20
Validating Official Communications

• Digital Signatures
• Visual or Audio personalization of email

21
Strong token based authentication
22
Enterprise Level

• Mail Server Authentication
• Digitally Signed Email
• Domain Monitoring

23
Mail Server Authentication
24
Digitally Signed Email
25
Domain Monitoring

• Monitor the registration of Internet domains
  relating to their organization
• The expiry and renewal of existing corporate
  domains
• The registration of similarly named domains

26
Conclusion

• Understanding the tools and technologies
• User awareness
• Implementing Multi-tier defense mechanisms

27
References

• Cyveillance the brand monitoring network
  www.cyveillance.com
• http//www.technicalinfo.net/index.html
• The phishing Guide www.ngssoftware.com
• http//www.webopedia.com/TERM/P/phishing.html
• http//www.wordspy.com/words/phishing.asp
• Stutz, Michael (January 29, 1998). "AOL A
  Cracker's Paradise
• http//www.technicalinfo.net/papers/Phishing.html