1. PHISHING ATTACKS
(Not The Kind of Fishing You are Used to)
Sourav Newatia
31603206
M.Tech Cyber Security
2. TABLE OF CONTENTS:-
➤ Motivation
➤ Introduction
➤ Phishing Attack Motives
➤ Statistics of Phishing
➤ Types of Phishing
➤ Anti-Phishing Tools
➤ Case Study
➤ Phishing Detection
➤ Conclusion
3. MOTIVATION:-
➤ India lost around $53 million (about Rs 328 crore) to phishing scams, with
the country facing over 3,750 attacks in 2014.
➤ India is the 4th largest target of phishing attacks in the world.
➤ 7% of global phishing attacks target India.
➤ The US tops the ranking with 27% of phishing attacks.
http://www.business-standard.com/article/technology/india-fourth-most-targeted-country-by-phishing-attacks-113120200343_1.html
4. What is Phishing?
➤ Phishing is a fraudulent attempt, usually made through e-mail, to steal
your personal information.
➤ Phishing is the attempt to obtain sensitive information such as usernames,
passwords, and credit card details (and sometimes, indirectly, money), often
for malicious reasons, through an electronic communication (such as e-mail).
5. Phishing Motives:-
➤ Financial gain: phishers can use stolen banking credentials for their own
financial benefit.
➤ Identity hiding: instead of using stolen identities directly, phishers might
sell the identities to others who might be criminals seeking ways to hide their
identities and activities (e.g. purchase of goods).
➤ Fame and notoriety: phishers might attack victims for the sake of peer
recognition.
10. ➤ eBay and PayPal are two of the most targeted companies, and
online banks are also common targets.
➤ Attractive targets include
☗ Financial institutions
☗ Gaming industry
☗ Social media
☗ Security companies
11. In this example, a spelling mistake in the e-mail and the presence of an
IP address in the link (visible in the tooltip under the yellow box) are both
clues that this is a phishing attempt.
12. In this example, targeted at SouthTrust Bank users, the phisher has used an
image to make it harder for anti-phishing filters to detect the message by
scanning for text commonly used in phishing e-mails.
14. TYPES OF PHISHING ATTACKS:-
➤ Deceptive Phishing
The most common medium for deceptive phishing is e-mail. The phisher sends
deceptive e-mails in bulk that instruct the user to click on the link provided.
➤ Malware-Based Phishing
Running malicious software on the user's machine, for example:
☗ Key-Loggers & Screen-Loggers
☗ Session Hijackers
15. TYPES OF PHISHING ATTACKS:-
➤ DNS-Based Phishing
☗ The DNS cache is polluted with incorrect information, which directs the user
to another location.
☗ This type of phishing can be done directly when the user has a misconfigured
DNS cache.
16. TYPES OF PHISHING ATTACKS:-
➤ Content-Injection Phishing
☗ In this attack, malicious content is injected into a legitimate site.
☗ This malicious content can direct the user to other sites or install malware
on the computer.
17. ANTI-PHISHING TOOLS:-
➤ NETCraft
☗ It alerts the user when connecting to a phishing site.
☗ When a user connects to a phishing site, it blocks the user by showing a
warning sign.
☗ It traps suspicious URLs in which the characters have no common purpose other
than to deceive the user.
19. ➤ ThreatFire
☗ ThreatFire provides a behaviour-based security monitoring solution that
protects the system.
☗ It continuously analyses the programs and processes on the system for any
suspicious actions.
☗ It can be used alongside normal antivirus programs or a firewall, which adds an
additional level of security to the system.
21. ➤ Spyware Doctor
☗ It is an adware and spyware utility which identifies and removes any potential
adware, trojans, key-loggers, spyware, and other malware from the system.
☗ It also features browser monitoring, immunization against ActiveX controls, and
automatic cookie deletion.
24. PHISHING ATTACK WARNINGS:-
➤ ACTIVE WARNING
The warning does not block the content area and enables the user to view both the
content and the warning, as in the snapshot.
➤ PASSIVE WARNING
The warning blocks the content area, which prevents the user from viewing the
content while the warning is displayed.
27. CASE STUDY I
(The Largest International Phishing Case)
➤ The US and Egyptian fraudsters were accused of using phishing scams to steal
account details from hundreds, possibly thousands, of people, and of transferring
about $1.5 million into fake accounts they controlled.
➤ The group of fraudsters were accused of targeting US financial institutions and
victimising a number of account holders by fraudulently using their personal
financial information after they were successfully phished.
➤ American authorities charged 53 people, while Egypt charged 47, with offences
including conspiracy to commit bank fraud, computer fraud, money laundering and
aggravated identity theft. The bank fraud charge alone could lead to jail sentences
of 20 years.
28. CASE STUDY II
(ICICI BANK PHISHING CASE)
➤ A few customers of ICICI Bank received an e-mail asking for the Internet login
name and password to their account.
➤ The e-mail seemed so genuine that some users even clicked on the URL given in
the mail, which led to a web page that very closely resembled the official site.
➤ The scam was finally discovered when an assistant manager of ICICI Bank's
information security cell received e-mails forwarded by the bank's customers
seeking to cross-check the validity of the e-mails with the bank.
➤ Loss: approximately 43 lakh.
29. CASE STUDY III
(EA Games website hacked; phishing page hosted to steal Apple IDs)
➤ The hackers compromised the EA Games server by exploiting one of the
vulnerabilities in an outdated WebCalendar application and used it to host a fake
"My Apple ID" page designed to look like the legitimate Apple login page, as
shown. Once users submit their details, they are redirected to the legitimate
Apple ID website.
➤ Using hijacked Apple ID details, hackers can gain access to users' personal data
stored on iCloud, including e-mail, contacts, calendars, and photos, which could
even be used to clone an iPhone or iPad by restoring an iCloud backup to a device
in their possession.
30. CASE STUDY IV
(Phishing website spoofs 26 banks, including SBI and BOB)
➤ FireEye identified a new domain (csecurepay[.]com) that was registered on October
23 this year and appears to be an online payment gateway but is actually a phishing
website that captures customer information from 26 banks operating in the country,
the company said in a statement on Thursday.
➤ In this phishing attack, victims are asked to enter their account number, mobile
number, e-mail address, one-time password (OTP) and other details. Once the
information is collected, the website displays a fake failed-login message to the
victim.
31. ➤ Awareness and training programs
1. Making use of regular communications to explain the phishing problem.
2. Establishing a simple mechanism for reporting phishing attacks.
3. Posting alerts on the security website.
32. Phishing Detection Using Blacklists
➤ Blacklists hold URLs that refer to sites that are considered malicious. Whenever a
browser loads a page, it queries the blacklist to determine whether the currently
visited URL is on the list. If so, appropriate countermeasures can be taken.
Otherwise, the page is considered legitimate.
➤ The drawback of this approach is that the blacklist usually cannot cover all
phishing websites, since a newly created fraudulent website takes considerable time
before it can be added to the list.
33. A Phishing Sites Blacklist Generator
➤ The heuristics proposed in the cited work are:
1) Extract the company name from the suspected URL.
2) Search for the extracted company name in Google, and return the first 10
results.
3) If the suspected URL belongs to the first 10 returned Google results, then the
page is legitimate.
4) If the suspected URL does not belong to the first 10 returned Google results,
then the suspected URL is classified as phishing.
5) If the suspected URL is classified as phishing, it is saved in a database.
34. Phishing Detection Using CANTINA
➤ CANTINA is an Internet Explorer toolbar that decides whether a visited page is a
phishing page by analyzing its content.
➤ CANTINA uses Term Frequency-Inverse Document Frequency (TF-IDF) together with
search engines.
35. ➤ The following procedure is performed by CANTINA to detect phishing websites:
1) The TF-IDF of each term on a suspected web page is calculated.
2) The top 5 terms with the highest TF-IDF values are taken to represent the document.
3) Submit the 5 terms as a Google search query and store the domain names of the
first n returned entries.
(e.g. http://www.google.ae/search?q=t1,t2,t3,t4,t5)
4) If the suspected domain name is found within the n returned results, then the
site is legitimate.
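The CANTINA procedure above, as an added runnable sketch (not CANTINA's own code, and the same search-engine lookup pattern the blacklist generator on slide 33 relies on). The reference corpus, the page text, the .test domains and the results of fake_search are all constructed; a real deployment would replace fake_search with a live query to the search engine.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed reference corpus standing in for the document collection CANTINA
# uses for inverse document frequency (the real one is a large English corpus).
CORPUS = [
    "weather forecast for tomorrow rain and wind",
    "pasta recipes for a quick dinner tonight",
    "please sign in to your account to continue",
    "your order has shipped and will arrive tomorrow",
]
# Constructed text of a suspected login page that copies a bank's wording.
PAGE_TEXT = "example bank online banking sign in to your example bank account"

def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())

def top_tfidf_terms(page_text, corpus, k=5):
    """Steps 1-2: score each term on the page by TF-IDF and keep the top k."""
    words = tokenize(page_text)
    doc_sets = [set(tokenize(d)) for d in corpus] + [set(words)]  # page counts as a document
    scores = {}
    for term, count in Counter(words).items():
        df = sum(1 for s in doc_sets if term in s)
        scores[term] = (count / len(words)) * math.log(len(doc_sets) / df)
    # ties are broken alphabetically so the lexical signature is deterministic
    return sorted(scores, key=lambda t: (-scores[t], t))[:k]

def fake_search(terms):
    """Stand-in for the Google query in step 3 (constructed offline results):
    returns the domains of the top hits for the given terms."""
    if {"example", "bank"} <= set(terms):
        return ["www.example-bank.test", "en.wikipedia.test", "news.test"]
    return []

def cantina_verdict(url, page_text, corpus, search=fake_search, n=30):
    """Step 4: legitimate only if the suspected domain is among the first n results."""
    terms = top_tfidf_terms(page_text, corpus)
    hits = search(terms)[:n]
    suspect = (urlparse(url).hostname or "").lower()
    return suspect in hits, terms

if __name__ == "__main__":
    for u in ("https://www.example-bank.test/login",
              "http://example-bank.secure-login.test/login"):
        legit, terms = cantina_verdict(u, PAGE_TEXT, CORPUS)
        print(u, "->", "legitimate" if legit else "phishing", terms)
```

The copied page text yields the same lexical signature for both URLs, so the verdict turns entirely on whether the hosting domain is one the search engine associates with those terms.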
36. What kind of information should I protect?
➤ Social Security number
➤ Driver's license number
➤ Account, credit card, and debit card numbers
➤ Mother's maiden name
➤ Passwords, access codes and PINs
➤ Pet's name and name of first school (often used for forgotten-password resets)
37. PhishGuard: A Browser Plug-in
➤ PhishGuard's implementation is a proof of concept that only detects phishing
attacks based on testing HTTP Digest authentication.
➤ The cited work bases its protection against phishing on the idea that phishing
websites do not often verify user credentials, but merely store them for later
use by the phisher.
38. 1) The user visits a page.
2) If the visited page sends an authentication request, and the user submitted the
authentication form, then PhishGuard starts its testing procedure.
3) PhishGuard sends the same user ID, followed by a random password that does not
match the real password, a random n times.
4) If the page responds with an HTTP 200 OK message, this means the page is a
phishing site that is simply returning fake authentication-success messages.
39. 5) If the page responds with an HTTP 401 Unauthorized message, this could mean
either:
• The site is a phishing site that blindly responds with authentication-failure
messages.
• The site is a legitimate site.
6) To distinguish between the two possibilities above, PhishGuard sends the real
credentials to the website the (n + 1)th time.
40. Phishwish: A Stateless Phishing Filter Using Minimal Rules
➤ The proposed solution aims to provide:
● Better protection against zero-hour attacks than blacklists.
● A solution that requires relatively minimal resources (11 rules), which is far
fewer than the number of rules in SpamAssassin; at the time of writing the paper,
SpamAssassin used 795 rules.
● Minimum false positives.
41. The proposed rules are (where positive indicates phishiness):
• Rule 1: If a URL is a login page that is not a business's real login page, the result
is positive. The paper specifies that this is analyzed based on data returned from
search engines.
• Rule 2: If the e-mail is formatted as HTML, and an included URL uses Transport
Layer Security (TLS) while the actual Hypertext Reference (HREF) attribute does
not use TLS, then the result is positive.
• Rule 3: If the host-name portion of a URL is an IP address, the result is positive.
• Rule 4: If a URL mentions an organization's name (e.g. PayPal) in the URL path but
not in the domain name, the result is positive.
• Rule 5: If a URL's displayed domain does not match the domain name specified in
the HREF attribute, the result is positive.
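Rules 2 to 5 applied to an HTML e-mail, as an added example (not the Phishwish paper's code). The two message bodies, the 192.0.2.10 address and the org_names list are constructed; Rule 1 needs a search engine and is left out.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML e-mail bodies: one spoofing a brand, one with an honest link.
PHISH_MAIL = ('<p>Your PayPal account is limited.</p>'
              '<a href="http://192.0.2.10/paypal/login">https://www.paypal.com/login</a>')
CLEAN_MAIL = '<a href="https://www.paypal.com/login">https://www.paypal.com/login</a>'
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, displayed text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def phishwish_rules(html, org_names=("paypal",)):
    """Return the set of rule numbers (2-5) that fire; each positive indicates phishiness."""
    parser = LinkExtractor()
    parser.feed(html)
    fired = set()
    for href, shown in parser.links:
        real = urlparse(href)
        host = (real.hostname or "").lower()
        if is_ip_literal(host):
            fired.add(3)  # Rule 3: host-name portion is an IP address
        if any(o in real.path.lower() and o not in host for o in org_names):
            fired.add(4)  # Rule 4: brand named in the path but not in the domain
        if URL_LIKE.fullmatch(shown):  # Rules 2 and 5 compare displayed vs actual link
            seen = urlparse(shown if "://" in shown else "http://" + shown)
            if seen.scheme == "https" and real.scheme != "https":
                fired.add(2)  # Rule 2: displayed link uses TLS, real HREF does not
            if (seen.hostname or "").lower() != host:
                fired.add(5)  # Rule 5: displayed domain differs from HREF domain
    return fired
```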
42. CONCLUSION:-
➤ Phishing has become a serious network security problem, causing financial losses
of billions of dollars to both consumers and e-commerce companies.
➤ In future, educating users about this policy will result in users avoiding giving
their sensitive information to phishing websites.
43. REFERENCES
➤ Rao, Routhu Srinivasa, and Syed Taqi Ali. "PhishShield: A desktop application
to detect phishing webpages through heuristic approach." Procedia Computer
Science 54 (2015): 147-156.
➤ M. Khonji, Y. Iraqi, Andrew Jones. "Phishing detection: A Literature Survey",
Communications Surveys & Tutorials, IEEE, pp. 2091-2121, Vol. 15, No. 4,
Fourth Quarter 2013.
➤ B. B. Gupta, Aakanksha Tewari, Ankit Kumar Jain, Dharma P. Agrawal. "Fighting
against phishing attacks: state of the art and future challenges", Review,
Springer, March 2016.
➤ Anti-Phishing Working Group (APWG), "Phishing activity trends report — second half
2010," http://apwg.org/reports/apwg report h2 2010.pdf, 2010, accessed December 2011.