Title: Internet Security Phishing
1. Internet Security - Phishing
- Sergei Agoureev
- Kevin Gorman
- Pranay Harsh
- Taiji Kamiya
- Douglas Shaffren
2. Agenda
- Introduction
- News
- Attacks
- Demo
- Education
- Authentication
- Legislation
- Conclusion
3. Phishing Intro
- Phishing
  - The electronic attempt to steal sensitive data by impersonating official communications.
  - Preys on inexperience, fear, greed, loneliness.
- Origin of the term phishing
  - Coined by early AOL crackers in 1996
Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
4. The Phishing Process
5. The History of Phishing
6. Westpac Bank
7. Bank of America
8. Trends
- Anti-Phishing Working Group: up to 5% of recipients provide personal information
9. The costs of phishing
- ID theft costs $53 billion annually
- One million consumers have already been victimized
- Consumers pay for about 10% of the total costs
10. Lack of consumer trust
- Bank competency
- 13% would switch banks
11. Nigerian 419 Scam
- 419 is the Nigerian statute against fraud
- Computer-savvy kids harvest e-mail addresses and sit in chat rooms
- People in the US convince victims
- One person can make $900-7000 a month
- Types of 419 Scams
  - Next of kin
  - Laundering crooked money
  - Nigerian National Petroleum Co.
  - Job offer you can't refuse
  - Gorgeous person in trouble
12. Phishing News
- Vectors of attack
  - IM
  - E-mail
- Techniques of attack
  - Using personal information
  - Keystroke loggers
  - Pharming
- ID theft advice
- What companies should do to protect you
Hacker News
Phishing Attacks Up
13. Obtaining e-mail addresses
- You don't need to be a genius to obtain e-mail addresses. All it takes is some work and creativity
- School, work and other e-mail addresses that are constantly used are the best targets
- Know your audience
- Like in football, luck, hard work, talent and persistence pay off
14. The Directory
- Many organizations and universities maintain an open directory listing of employees, students, staff, etc.
- Very easy way to get a lot of e-mail addresses fast
- I'd hate to be a Smith or Patel
15. Derek Zoolander
- Can you really say no to this face?
16. The online community
- Most online communities or forums require a valid e-mail address, which is sometimes displayed
- Facebook.com is a stalker's and a phisher's dream
  - Almost all e-mails are visible (in your school)
  - They need to be school e-mails
  - People can get friends at other schools by pretending to be a celebrity or fictional character
17. Newsgroups
- Many professionals rely on newsgroups to get work done
- Easily searchable on Google
- E-mail addresses supplied are likely to be checked often
18. Pyramid Scheme
- Who doesn't want free stuff (especially if it works)?
- Web sites can be used to gain references, and therefore more e-mail addresses
- You know your victim's motivation: free stuff
19. Email Harvesting
- Program Inputs
  - Starting URL
  - Tree Depth
20. Email Harvesting
- Program Outputs
  - LOTS OF EMAILS!
  - Print to ASCII text file
21. Regular Expression
    "[ \t>\"\\\\(]([a-zA-Z0-9._-]+@([a-zA-Z0-9-]+\\.)+([a-zA-Z]{3}|[a-zA-Z]{2}))"
22. Regular Expression
    "((?<DisplayName>(\t\x20!-'\\\-/-9\?A-Z\-\t\x20"\x01-\x09\x0B\x0C\x0E-\x21\x23-\x5B\x5D\x7F"))?\t\x20<(?<LocalPart1>(\t\x20!-'\\\-/-9\?A-Z\-(\.!-'\\\-/-9\?A-Z\-)"\x01-\x09\x0B\x0C\x0E-\x21\x23-\x5B\x5D-\x7F"))@(?<Domain1>((a-zA-Z0-9-a-zA-Z0-9a-zA-Z0-9\.)a-zA-Z2,\((0-9?0-910-90-920-40-9250-5)\.)3(0-9?0-910-90-920-40-9250-5)\))>\t\x20(?<LocalPart2>(\t\x20!-'\\\-/-9\?A-Z\-(\.!-'\\\-/-9\?A-Z\-)"\x01-\x09\x0B\x0C\x0E-\x21\x23-\x5B\x5D-\x7F"))@(?<Domain2>((a-zA-Z0-9-a-zA-Z0-9 a-zA-Z0-9\.)a-zA-Z2,\((0-9?0-910-90-920-40-9250-5)\.)3(0-9?0-910-90-920-40-9250-5)\)))"
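As an added example (not code from the slides), the Python below shows what an address pattern of the kind on slides 19-22 actually pulls out of a public directory page, and which renderings it does not match, which is the audit a site owner should run on their own directory. The HTML sample is constructed, and the simplified pattern is my reconstruction of the first regex, not the deck's own.

```python
import re

# Simplified form of the slide's first address pattern (assumed reconstruction):
# local part, "@", one or more labels, then a two- or three-letter TLD.
EMAIL_RE = re.compile(
    r"[a-zA-Z0-9._-]+@(?:[a-zA-Z0-9-]+\.)+(?:[a-zA-Z]{3}|[a-zA-Z]{2})"
)

# Constructed sample of a public staff directory page; not a real site.
SAMPLE_HTML = """
<html><body>
<h1>Department Directory</h1>
<ul>
  <li>A. Smith &lt;asmith@example.edu&gt;</li>
  <li><a href="mailto:bpatel@example.edu">B. Patel</a></li>
  <li>C. Lee: clee [at] example [dot] edu</li>
  <li>D. Kim: dkim&#64;example.edu</li>
</ul>
</body></html>
"""

def exposed_addresses(html: str) -> list[str]:
    """Distinct addresses the raw-text regex finds, in order of appearance."""
    found = []
    for address in EMAIL_RE.findall(html):
        if address not in found:
            found.append(address)
    return found

def exposure_report(html: str) -> dict[str, int]:
    """Directory entries that are harvestable verbatim versus entries whose
    rendering the raw-text regex does not match (a browser still shows
    them to a human reader)."""
    entries = html.count("<li>")
    harvestable = len(exposed_addresses(html))
    return {"entries": entries, "harvestable": harvestable,
            "obscured": entries - harvestable}

if __name__ == "__main__":
    for address in exposed_addresses(SAMPLE_HTML):
        print(address)
    print(exposure_report(SAMPLE_HTML))
```

Entity encoding (the &#64; row) is undone by any crawler that decodes HTML before matching, so treat it as a speed bump rather than protection.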
23. Stumbling Blocks
- Robots Exclusion Standard
- Meta Tags
24. Robots Exclusion Standard
- Prevents access to all or parts of a website
- Voluntary
- Can be completely ignored
    User-agent: *
    Disallow: /about/images/
    Disallow: /about/includes/
    Disallow: /about/styles/
25. Meta Tags
- Prevents access to all or parts of a website
- Voluntary
- Can be completely ignored
    <head><meta name="robots" content="noindex,nofollow" /></head>
26. Stumbling Blocks
- Solution: IGNORE
  - Robots Exclusion Standard
  - Meta Tags
27. Cross Site Scripting (XSS)
- Demo
  - http://www.poetry.com/Publications/search.asp?First=<script>alert('Test')</script>
28. What you can do
- Use spam detectors to block malicious e-mail
- Detect and delete malicious software using commercial programs
- Block outgoing delivery of sensitive information using software products
29. What corporations can do
- Establish corporate policies and communicate them
- Provide a way for users to validate the legitimacy of corporate e-mails
- Stronger authentication
- Monitor the Internet for potential phishing websites
30. Measures of Protection
- Two-Factor Authentication
- Zero-Footprint Solution
- Digital Signatures
- Detecting Phishing Webpages
31. Two-Factor Authentication
- As simple as a password
- Each customer has an authenticator
- New code every 60 seconds
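The 60-second authenticator on this slide behaves like the time-based one-time-code scheme of RFC 6238; the Python below is an added example, not the deck's own code, that derives and verifies such codes with a 60-second step and shows why a code captured by a phishing page stops verifying about a minute later. The secret is the RFC 4226 test key, used only as a constructed sample.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the slide's "new code every 60 seconds"
DIGITS = 6

def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Whole steps since the epoch: the moving factor both sides agree on."""
    return max(int(now) // step, 0)

def generate_code(secret: bytes, now: float) -> str:
    """HMAC-SHA1 over the step counter with dynamic truncation (HOTP/TOTP)."""
    msg = struct.pack(">Q", time_counter(now))
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)

def verify_code(secret: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Accept the current step or one step either side (clock drift);
    anything older is rejected. Comparison is constant-time."""
    for drift in range(-window, window + 1):
        candidate = generate_code(secret, now + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False

# Constructed sample: the RFC 4226 test key, not a real customer's seed.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = generate_code(SAMPLE_SECRET, time.time())
    print("current code:", code)
    # A code phished now and replayed three minutes later no longer verifies.
    print("replay after 180 s accepted:", verify_code(SAMPLE_SECRET, code, time.time() + 180))
```

The expiry is what the token buys against a phishing page that stores credentials for later; it does not help against a proxy that relays the code to the real site within the same minute.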
32. Zero-Footprint Solution
- Passwords can be easily stolen
- Store an encrypted cookie in the user's browser
- Combine password and cookie for authentication
- Bank provides information and user authenticates server
33. Detecting Phishing Webpages
- Generate intermediate representation of actual webpage
- Search the web for suspicious URLs
- Compare those representations to the actual webpage's representation
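The detection scheme on this slide can be prototyped offline; the Python below is an added example, not the deck's own code, that uses the ordered tag sequence of a page as the intermediate representation and a Jaccard score over tag 3-grams as the comparison. The three HTML pages are constructed samples, and the "search the web" step is replaced by feeding candidate pages in by hand.

```python
from html.parser import HTMLParser

class TagSkeleton(HTMLParser):
    """Intermediate representation: the ordered start tags of a page. Text and
    attribute values are dropped, because a clone rewrites wording and the
    form target but keeps the markup layout."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def skeleton(html: str) -> list:
    parser = TagSkeleton()
    parser.feed(html)
    return parser.tags

def shingles(tags: list, k: int = 3) -> set:
    """Tag k-grams; k=3 keeps enough local context to tell layouts apart."""
    return {tuple(tags[i:i + k]) for i in range(len(tags) - k + 1)}

def similarity(html_a: str, html_b: str) -> float:
    """Jaccard similarity of the two structural representations, 0..1."""
    a, b = shingles(skeleton(html_a)), shingles(skeleton(html_b))
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def looks_like_clone(reference: str, candidate: str, threshold: float = 0.8) -> bool:
    return similarity(reference, candidate) >= threshold

# Constructed samples; none of these is a real site.
BANK_LOGIN = """<html><head><title>Example Bank</title></head><body>
<div class="hdr"><img src="/logo.png"><h1>Example Bank Online</h1></div>
<form action="/login" method="post"><label>User ID</label><input name="u">
<label>Password</label><input name="p" type="password"><button>Sign in</button></form>
<div class="ftr"><a href="/privacy">Privacy</a><a href="/help">Help</a></div>
</body></html>"""
# A clone keeps the structure but points the form elsewhere and tweaks the text.
CLONE = (BANK_LOGIN
         .replace('action="/login"', 'action="http://lookalike.example/collect"')
         .replace("Example Bank Online", "Example Bank - Verify Your Account"))
UNRELATED = """<html><head><title>Recipes</title></head><body>
<h1>Soup</h1><p>Boil water.</p><ul><li>Salt</li><li>Pepper</li></ul>
</body></html>"""

if __name__ == "__main__":
    print(similarity(BANK_LOGIN, CLONE), round(similarity(BANK_LOGIN, UNRELATED), 3))
```

A clone that is also restyled with different markup will score lower, so in practice the structural score is combined with other signals (logo image hashes, link targets, page title) rather than used alone.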
34. Legislation and legal action
- On January 26, 2004, the Federal Trade Commission filed its first lawsuit against a California teenager suspected of impersonating the America Online web site in order to collect credit card numbers
- Arrests in many countries followed (Estonia, Brazil, Europe, etc.)
- Major arrests were made
  - Valdir Paulo de Almeida, Brazilian phishing crime ring leader, stole between 18 and 36 million USD
35. Legislation
- March 2005 - Democratic Senator Patrick Leahy introduced the Anti-Phishing Act of 2005
- Two major points of the act
  - 5-year prison sentence plus fines if convicted
  - Allow for prosecution of phishers without requiring a showing of specific damages to any individual
36. Anti-Phishing Act of 2005
- From Senator Leahy's staff: "Phishing scammers already violate a host of identity theft and fraud laws, but prosecuting them under those statutes can be challenging . . . . To charge scammers now, law enforcers need to prove that a victim suffered measurable losses. By the time they do that . . . the scammer has often disappeared."
37. State Legislation
- Virginia and New Mexico introduced legislation in 2005 that would treat phishing as a felony (not as a misdemeanour)
- California signed a bill making phishing a crime (civil violation) in 2005. Victims could seek either full compensation or $500,000, whichever is greater
38. More Legal Actions
- Private companies such as Microsoft also joined the battle
- Filed 117 federal lawsuits in the US District Court of the Southern District of Washington on March 31, 2005
- Hopes that this and similar lawsuits will lead to the unearthing of larger phishing operators in the US and abroad
39. Vigilante Justice
- In July 2005, Vardan Kushnir, Russia's most notorious spammer, was found dead in his apartment
- The motive was not clear; however, Russia had no spam laws on the books, so he was free to spam as much as he wanted
- Good legislation and government action can prevent disgruntled victims from taking the law into their own hands
40. Bottom Line
- Stronger authentication
- People are the weak link
- Learn how to detect phishing
- Be suspicious