Phishing PPT - PowerPoint PPT Presentation

About This Presentation
Title:

Phishing PPT

Description:

In every four members only single can know about phishing ... – PowerPoint PPT presentation

Number of Views:935
Slides: 28
Provided by: ShivaShivv
Category: Other

Transcript and Presenter's Notes



1
Phishing
  • A computer scam on the rise!

By S.Shiva Kumar CSE-10QM1A0547
2
Did you know?
  • One in four people have never heard of the term
    Phishing.
  • Half of the people surveyed could not accurately
    define phishing.

3
What is Phishing? 
  • Phishing is a type of deception designed to steal
    your valuable personal data, such as credit card
    numbers, passwords, account data, or other
    information.

4
Types of Phishing
Phishing has spread beyond email to include SMS,
instant messaging, social networking sites
(example: Yahoo, BestBuy, etc.) and even
multiplayer games.
5
Phishing Facts
  • 6.1 billion: number of phishing e-mails sent
    worldwide each month.
  • 7,484: number of phishing Web sites in January 06.
  • A new phishing scam is launched every two minutes.

6
Be Alert, Be Wary, and Be Informed.
7
Introduction
In October 2004, the Canada-U.S. Cross-Border
Crime Forum released a report on identity theft,
prepared jointly by the U.S. Department of
Justice (DOJ) and Public Safety and Emergency
Preparedness Canada (PSEPC). The report
identified, among other methods of committing
identity theft, the growing use of a technique
known as phishing.
8
Phishing scams occur when
  • You get an email that looks like it comes from
    your bank, credit card company, etc.
  • It asks you to update their records
  • The stated reason may be potential fraud, or
    other reasons
  • It provides a hyperlink to a web page where you
    enter your personal information
  • The link takes you to a thief's website that is
    disguised to look like the company's.

9
What kinds of personal information do the thieves
want?
  • Your name, address and date of birth
  • Social Security number
  • Driver's license number
  • Credit Card numbers
  • ATM cards
  • Telephone calling cards

10
Why people fall for phishing scams.
  • Typically, the messages appear to come from
    well known and trustworthy Web sites. Web sites
    that are frequently spoofed by phishers include
    PayPal, eBay, MSN, Yahoo, BestBuy, and America
    Online.

11
How To Tell If An E-mail Message is Fraudulent
Con artists also use Uniform Resource Locators
(URLs) that resemble the name of a well-known
company but are slightly altered by adding,
omitting, or transposing letters. For example,
the URL "www.microsoft.com" could appear instead
as:
  • www.micosoft.com
  • www.mircosoft.com
  • www.verify-microsoft.com
12
The Scope of Phishing
The APWG received 26,150 unique phishing reports
(compared to 13,776 in August 2005 and 6,957 in
October 2004). This total represents the
second highest number of phishing reports that
the APWG has received in a single month. The
APWG detected 10,091 unique phishing websites
worldwide (compared to 5,259 websites detected in
August 2005, and only 1,142 in October 2004).
13
Origin of phishing attacks
14
Current Phishing Techniques
  • Employ visual elements from target site
  • Tricks
      • www.ebay.com.kr
      • www.ebay.com@192.168.0.5
      • www.gooogle.com
      • Unicode attacks
  • Certificates
      • Phishers can acquire certificates for domains
        they own
      • Certificate authorities make mistakes
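
Added example, not part of the original presentation: a defender-side check that flags the URL tricks listed on this slide and on slide 11 (altered spellings, a known name used as a subdomain, text placed before "@", a bare IP address as host). The `BRANDS` list, the finding labels and the two-label "registered domain" shortcut are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of domains the user really deals with (constructed).
BRANDS = ("ebay.com", "google.com", "microsoft.com")

def edit_distance(a, b):
    """Edit distance where add, omit, substitute or transpose each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_url(url):
    """Return reasons the URL's host looks deceptive (empty list = none found)."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        findings.append("userinfo-before-@")  # the real host is what follows '@'
    try:
        ipaddress.ip_address(host)
        return findings + ["ip-address-host"]
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        findings.append("non-ascii-host")  # possible Unicode lookalike
    # Simplification (assumption): the last two labels are the registered domain.
    domain = ".".join(host.split(".")[-2:])
    if domain in BRANDS:
        return findings
    for brand in BRANDS:
        if f".{brand}." in f".{host}":
            findings.append(f"brand-as-subdomain:{brand}")
        elif 1 <= edit_distance(domain, brand) <= 2:
            findings.append(f"typo-of:{brand}")
        elif brand.split(".")[0] in domain.split(".")[0].split("-"):
            findings.append(f"brand-in-name:{brand}")
    return findings

if __name__ == "__main__":
    for u in ("www.micosoft.com", "www.ebay.com.kr", "www.ebay.com@192.168.0.5"):
        print(u, check_url(u))
```

A production version would take the registered domain from the Public Suffix List instead of the last two labels.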

15
Example
16
But wait
WHOIS 210.104.211.21
Location: Korea, Republic Of
Even bigger problem: I don't have an account
with US Bank!
17
Browser security indicator: HTTPS padlock
(a) http, no padlock
(b) Padlock on https
A padlock icon appears in the address bar when
visiting an https website.
HTTPS, the combination of Hypertext Transfer
Protocol and Transport Layer Security, provides
encryption and identification through public key
infrastructure. Modern web browsers display
a padlock icon when visiting an https website.
18
Figure 5: The address bar turns red on an invalid
certificate
Figure 6: The padlock icon disappears on mixed
content
Web browsers verify the certificate presented by
the web server. The certificate is considered
invalid if any of the following applies:
  • the certificate is expired
  • the certificate is not signed by a root
In that case the browser displays a prominent
warning (usually a full page), and the address
bar turns red if the user chooses to continue
onto the website (Figure 5). Sometimes an https
webpage may contain files from the http scheme.
Every piece of code should be trusted before a
webpage can be trusted. Thus, the padlock icon
disappears (Figure 6).
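
Added example, not part of the original presentation: a small scanner that lists the files an https page would load over plain http, which is the mixed-content condition behind Figure 6. The sample page, the host names and the "active"/"passive" labels in the output are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose resource can run code or restyle the page ("active" content).
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}

class MixedContentFinder(HTMLParser):
    """Collect subresources an https page would fetch over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            return  # a navigation link loads nothing into this page
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # other rel values are ignored in this sketch
        for name in ("src", "href", "data"):
            if attrs.get(name):
                target = urljoin(self.page_url, attrs[name])
                if urlsplit(target).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.found.append((kind, tag, target))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # the padlock question only arises on https pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.found

# Constructed sample page; every host name is a placeholder.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.test/lib.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="//img.example.test/banner.png">
<a href="http://example.test/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://bank.example.test/login", SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```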
19
Phishing E-mails Examples
20
More Phishing E-mails
21
More Phishing Examples
22
How can you tell if the message is real?
  • There are many other clues to look for
  • See if the email contains obvious grammatical or
    spelling errors ("Due to concerns, for")
  • The message opening is very general, or
    incorrectly identifies you, or uses only your
    email account name
  • The email asks you to renew or update your
    account information.
  • The message asks you to link to a web site which
    seems to be legitimate, but has extra information
    or characters at the end
    (http://www.amazon.com/my hacksite?brth2y3bn45uidKan13245).
  • The web site prompts you for your userid and
    password, and then opens a page asking for credit
    card numbers, bank account numbers and so forth.

23
What should I do if I suspect the email is a
fake?
  • Report it. Most legitimate companies encourage
    you to forward suspicious emails to their
    security department, if you are unsure of the
    email's authenticity, and will respond within 24
    hours with an answer.
  • Then, delete it. Drag it to the trash, then empty
    the trash. And forget about it. You've defeated
    the spammers by not falling for their tricks.

24
How to Protect Yourself.
  • Never click on hyperlinks in emails. Never cut
    and paste the link into your web browser.
    Instead, type in the URL to go to the website in
    your search engine.
  • Call the company directly to confirm whether the
    website is valid.
  • Don't reply to email or pop-up messages that ask
    for personal or financial information.
  • Don't email personal information.
  • Be cautious opening attachments.
  • Forward spam that is phishing for information to
    spam@uce.gov and visit FTC's

25
How do you avoid a Phishing Scam?
  • Never respond to an email asking for personal
    information
  • Always check the site to see if it is secure.
    Call the phone number if necessary
  • Never click on the link in the email. Retype the
    address in a new window.

26
  • Keep your browser updated
  • Keep antivirus definitions updated
  • Use a firewall

27
Thank You