Phishing, Spoofing, Spamming and Security - PowerPoint PPT Presentation

Provided by: drharoldb
Transcript and Presenter's Notes

1
Phishing, Spoofing, Spamming and Security
  • How To Protect Yourself

Dr. Harold L. Bud Cothern
Additional credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation; some images from the Anti-Phishing Working Group's Phishing Archive and Carnegie Mellon CyLab
2
Recognize Phishing Scams and Fraudulent E-mails
  • Phishing is a type of deception designed to
    steal your valuable personal data, such as credit
    card numbers, passwords, account data, or other
    information.
  • Con artists might send millions of fraudulent
    e-mail messages that appear to come from Web
    sites you trust, like your bank or credit card
    company, and request that you provide personal
    information.

3
History of Phishing
  • Phreaking + Fishing = Phishing
    - Phreaking = making phone calls for free back in the 70s
    - Fishing = use bait to lure the target
  • Phishing in 1995
    - Target: AOL users
    - Purpose: getting account passwords for free time
    - Threat level: low
    - Techniques: similar names (www.ao1.com for www.aol.com), social engineering
  • Phishing in 2001
    - Target: eBayers and major banks
    - Purpose: getting credit card numbers, accounts
    - Threat level: medium
    - Techniques: same as in 1995, plus keyloggers
  • Phishing in 2007
    - Target: PayPal, banks, eBay
    - Purpose: bank accounts

4
A bad day phishin' beats a good day workin'
  • 2,000,000 emails are sent
  • 5% get to the end user = 100,000 (APWG)
  • 5% click on the phishing link = 5,000 (APWG)
  • 2% enter data into the phishing site = 100 (Gartner)
  • $1,200 from each person who enters data (FTC)
  • Potential reward = $120,000

In 2005 David Levi made over £360,000 from 160 people using an eBay phishing scam
5
Phishing: A Growing Problem
  • Over 28,000 unique phishing attacks reported in
    Dec. 2006, about double the number from 2005
  • Estimates suggest phishing affected 2 million US
    citizens and cost businesses billions of dollars
    in 2005
  • Additional losses due to consumer fears

6
What Does a Phishing Scam Look Like?
  • As scam artists become more sophisticated, so do
    their phishing e-mail messages and pop-up
    windows.
  • They often include official-looking logos from
    real organizations and other identifying
    information taken directly from legitimate Web
    sites.

7
Current Phishing Techniques
  • Employ visual elements from the target site
  • DNS tricks
    - www.ebay.com.kr
    - www.ebay.com@192.168.0.5
    - www.gooogle.com
  • Unicode attacks
  • JavaScript attacks
  • Spoofed SSL lock
  • Certificates
    - Phishers can acquire certificates for domains they own
    - Certificate authorities make mistakes
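A defensive check for the host-name tricks listed above, written as an added Python example (not code from the slides): it flags the userinfo trick, a trusted brand buried inside someone else's domain, and non-ASCII or punycode host labels. The brand list and sample URLs are constructed for illustration.

```python
# Added example (not from the slides): flag URLs that use the host tricks this slide
# lists - the userinfo trick (brand@real-host), a trusted brand buried in a longer
# host name, and Unicode or punycode labels that can imitate a brand's letters.
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("ebay.com", "google.com", "paypal.com", "aol.com")  # constructed list
SAMPLE_URLS = (  # constructed from the examples on this slide
    "http://www.ebay.com/signin",
    "www.ebay.com.kr",
    "http://www.ebay.com@192.168.0.5/",
    "http://www.xn--pypal-4ve.com/",
)


def registrable_domain(host):
    """Owner-level part of a host: last two labels, or three under com.kr / co.uk style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    second_level = len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("com", "co", "net", "org")
    return ".".join(labels[-3:] if second_level else labels[-2:])


def inspect_url(url):
    """Return a list of warning strings; an empty list means nothing was flagged."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    warnings = []
    # 1. "www.ebay.com@192.168.0.5": everything before '@' is userinfo; the real host follows it
    if parts.username is not None:
        warnings.append(f"userinfo before '@' hides the real host {host!r}")
    # 2. Unicode attack: non-ASCII letters, or their punycode (xn--) encoding, in any label
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host contains non-ASCII or punycode labels")
    # 3. "www.ebay.com.kr": the brand appears, but the registrable domain is someone else's
    actual = registrable_domain(host)
    for brand in TRUSTED_DOMAINS:
        if actual != brand and (brand in host or brand.split(".")[0] in actual):
            warnings.append(f"looks like {brand} but really resolves to {actual}")
    return warnings


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", inspect_url(sample) or "ok")
```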

8
The following is an example of what a phishing scam e-mail message might look like.

Example of a phishing e-mail message, including a deceptive URL address linking to a scam Web site.

To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site (1), but it actually takes you to a phony scam site (2) or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called "spoofed" Web sites. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists.
9
Spear-Phishing: Improved Target Selection
  • Socially aware attacks
    - Mine social relationships from public data
    - Phishing email appears to arrive from someone known to the victim
  • Use the spoofed identity of a trusted organization to gain trust
  • Urge victims to update or validate their account
  • Threaten to terminate the account if the victims do not reply
  • Use a gift or bonus as bait
  • Security promises
  • Context-aware attacks
    - "Your bid on eBay has won!"
    - "The books on your Amazon wish list are on sale!"

10
Another Example
11
But wait...
WHOIS 210.104.211.21: Location Korea, Republic Of
Even bigger problem: I don't have an account with US Bank!
Images from the Anti-Phishing Working Group's Phishing Archive
12
How To Tell If An E-mail Message is Fraudulent
  • Here are a few phrases to look for if you think an e-mail message is a phishing scam.
  • "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.
  • "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.

13
How To Tell If An E-mail Message is Fraudulent (cont'd)
  • "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
  • "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.
  • Notice in the following example that resting the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

Example of masked URL address
14
How To Tell If An E-mail Message is Fraudulent (cont'd)
Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as:
  • www.micosoft.com
  • www.mircosoft.com
  • www.verify-microsoft.com
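The "rest the mouse pointer on the link" check from the masked-link slide above and the altered-URL examples on this slide, as one added Python example that is not part of the presentation: it compares the host a link shows with the host its href goes to, and measures how far an href host is from a known brand domain. The brand list and the sample e-mail body are constructed for illustration.

```python
# Added example, not from the slides: masked-link (slide 13) and altered-URL (slide 14) checks.
import re
from urllib.parse import urlsplit

BRANDS = ("microsoft.com", "ebay.com", "paypal.com")  # constructed brand list
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
SAMPLE_EMAIL = ('<p>Dear Valued Customer,</p> <a href="http://www.micosoft.com/verify">'
                'www.microsoft.com</a> <a href="https://www.microsoft.com/">Privacy</a>')

def host_of(text):
    """Hostname named by a URL or bare domain; '' if the text is not URL-like."""
    text = text.strip()
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
        return ""
    return (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()

def edit_distance(a, b):
    """Damerau-Levenshtein: an added, omitted, changed or transposed letter costs 1."""
    d = {(i, 0): i for i in range(len(a) + 1)}
    d.update({(0, j): j for j in range(len(b) + 1)})
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i, j] = min(d[i - 1, j] + 1, d[i, j - 1] + 1, d[i - 1, j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i, j] = min(d[i, j], d[i - 2, j - 2] + 1)  # transposed letters
    return d[len(a), len(b)]

def lookalike(host):
    """Brand domain that `host` imitates, or None if it is the brand itself or unrelated."""
    name = ".".join(host.split(".")[-2:])  # registrable part, e.g. micosoft.com
    for brand in BRANDS:
        if name == brand:
            return None
        # verify-microsoft.com: the brand name wrapped in a longer, hyphenated label
        wraps = re.search(rf"(^|-){brand.split('.')[0]}(-|$)", name.split(".")[0])
        if wraps or 0 < edit_distance(name, brand) <= 2:
            return brand
    return None

def audit(html):
    """Return (href, reason) findings for every anchor in an HTML e-mail body."""
    findings = []
    for href, text in ANCHOR.findall(html):
        shown, real = host_of(text), host_of(href)  # what you see vs where it goes
        if shown and real and shown != real:
            findings.append((href, f"masked link: shows {shown}, goes to {real}"))
        brand = lookalike(real)
        if brand:
            findings.append((href, f"look-alike of {brand}"))
    return findings
```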
15
  • Never respond to an email asking for personal information
  • Always check the site to see if it is secure. Call the phone number if necessary
  • Never click on the link in the email. Retype the address in a new window
  • Keep your browser updated
  • Keep antivirus definitions updated
  • Use a firewall

P.S. Always shred your home documents before discarding them.
16
Install the Microsoft Phishing Filter Using Internet Explorer 7 or Windows Live Toolbar
  • Phishing Filter (http://www.microsoft.com/athome/security/online/phishing_filter.mspx) helps protect you from Web fraud and the risks of personal data theft by warning or blocking you from reported phishing Web sites.
  • Install up-to-date antivirus and antispyware software. Some phishing e-mail contains malicious or unwanted software (like keyloggers) that can track your activities or simply slow your computer.
  • Numerous antivirus programs exist, as well as comprehensive computer maintenance services like Norton Utilities. To help prevent spyware or other unwanted software, download Windows Defender.

17
Thank You For Your