Internet Security Phishing - PowerPoint PPT Presentation

Slides: 41
Provided by: pranay6
Transcript and Presenter's Notes

1
Internet Security - Phishing
  • Sergei Agoureev
  • Kevin Gorman
  • Pranay Harsh
  • Taiji Kamiya
  • Douglas Shaffren

2
Agenda
  • Introduction
  • News
  • Attacks
  • Demo
  • Education
  • Authentication
  • Legislation
  • Conclusion

3
Phishing Intro
  • Phishing
      • The electronic attempt to steal sensitive data by
        impersonating official communications.
      • Preys on inexperience, fear, greed, loneliness.
  • Origin of the term phishing
      • Coined by early AOL crackers in 1996

4
The Phishing Process
5
The History of Phishing
6
Westpac Bank
7
Bank of America
8
Trends
  • Anti-Phishing Working Group: up to 5% of
    recipients provide personal information

9
The costs of phishing
  • ID theft costs $53 billion annually
  • One million consumers have already been
    victimized
  • Consumers pay for about 10% of the total costs

10
Lack of consumer trust
  • Bank competency
  • 13% would switch banks

11
Nigerian 419 Scam
  • 419 is the Nigerian statute against fraud
  • Computer-savvy kids harvest e-mail addresses and
    sit in chat rooms
  • People in the US convince victims
  • One person can make $900-7000 a month
  • Types of 419 scams
      • Next of kin
      • Laundering crooked money
      • Nigerian National Petroleum Co.
      • Job offer you can't refuse
      • Gorgeous person in trouble

12
Phishing News
  • Vectors of attack
      • IM
      • E-mail
  • Techniques of attack
      • Using personal information
      • Keystroke loggers
      • Pharming
  • ID theft advice
  • What companies should do to protect you

Hacker News
Phishing Attacks Up
13
Obtaining e-mail addresses
  • You don't need to be a genius to obtain email
    addresses. All it takes is some work and
    creativity
  • School, work and other e-mail addresses that are
    constantly used are the best targets
  • Know your audience
  • Like in football, luck, hard work, talent and
    persistence pay off

14
The Directory
  • Many organizations and universities maintain an
    open directory listing of employees, students,
    staff, etc.
  • Very easy way to get a lot of e-mail addresses
    fast
  • I'd hate to be a Smith or Patel

15
Derek Zoolander
  • Can you really say no to this face?

16
The online community
  • Most online communities or forums require a valid
    e-mail address, which is sometimes displayed
  • Facebook.com is a stalker's and a phisher's dream
  • Almost all e-mails are visible (in your school)
  • They need to be school e-mails
  • People can get friends at other schools by
    pretending to be a celebrity or fictional
    character

17
Newsgroups
  • Many professionals rely on newsgroups to get work
    done
  • Easily searchable on Google
  • E-mail addresses supplied are likely to be
    checked often

18
Pyramid Scheme
  • Who doesn't want free stuff (especially if it
    works)?
  • Web sites can be used to gain references, and
    therefore more e-mail addresses
  • You know your victims' motivation: free stuff

19
Email Harvesting
  • Program inputs
      • Starting URL
      • Tree depth

20
Email Harvesting
  • Program outputs
      • LOTS OF EMAILS!
      • Print to ASCII text file

21
Regular Expression
  • Our RegEx (as captured in this transcript, where lt/gt
    stand for < and >, _at_ for @, and the square brackets
    and braces of character classes and quantifiers were
    dropped):

"( \tgt\"\\\\()a-zA-Z0-9.-_at_(a-zA-Z0-9\\.)(a-zA-Z3a-zA-Z2 ))"
22
Regular Expression
"((?ltDisplayNamegt(\t\x20!-'\\\-/-9\?A-Z\
-\t\x20"\x01-\x09\x0B\x0C\x0E-\x21\x23-\x5
B\x5D\x7F"))?\t\x20lt(?ltLocalPart1gt(\t\x20
!-'\\\-/-9\?A-Z\-(\.!-'\\\-/-9\?A-Z\
-)"\x01-\x09\x0B\x0C\x0E-\x21\x23-\x5B\x5D-
\x7F"))_at_(?ltDomain1gt((a-zA-Z0-9-a-zA-Z0-9a-
zA-Z0-9\.)a-zA-Z2,\((0-9?0-910-90-
920-40-9250-5)\.)3(0-9?0-910-90
-920-40-9250-5)\))gt\t\x20(?ltLocalPar
t2gt(\t\x20!-'\\\-/-9\?A-Z\-(\.!-'\\
\-/-9\?A-Z\-)"\x01-\x09\x0B\x0C\x0E-\x21\
x23-\x5B\x5D-\x7F"))_at_(?ltDomain2gt((a-zA-Z0-9-a
-zA-Z0-9 a-zA-Z0-9\.)a-zA-Z2,\((0-9?
0-910-90-920-40-9250-5)\.)3(0-9
?0-910-90-920-40-9250-5)\)))"
23
Stumbling Blocks
  • Robots Exclusion Standard
  • Meta Tags

24
Robots Exclusion Standard
  • Prevents access to all or parts of a website
  • Voluntary
  • Can be completely ignored

User-agent: *
Disallow: /about/images/
Disallow: /about/includes/
Disallow: /about/styles/
25
Meta Tags
  • Prevents access to all or parts of a website
  • Voluntary
  • Can be completely ignored

<head><meta name="robots" content="noindex,nofollow" /></head>
26
Stumbling Blocks
  • Solution: IGNORE
      • Robots Exclusion Standard
      • Meta Tags

27
Cross Site Scripting (XSS)
  • Demo
  • http://www.poetry.com/Publications/search.asp?First=<script>alert(Test)</script>

28
What you can do
  • Use spam detectors to block malicious e-mail
  • Detect and delete malicious software using
    commercial programs
  • Block outgoing delivery of sensitive information
    using software products

29
What corporations can do
  • Establish corporate policies and communicate them
  • Provide a way for users to validate the
    legitimacy of corporate e-mails
  • Stronger authentication
  • Monitor Internet for potential phishing websites

30
Measures of Protection
  • Two-Factor Authentication
  • Zero-Footprint Solution
  • Digital Signatures
  • Detecting Phishing Webpages

31
Two-Factor Authentication
  • As simple as a password
  • Each customer has an authenticator
  • New code every 60 seconds
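
As an added example (not code from the presentation), this is the kind of time-based code such a customer authenticator produces and the server-side check that accepts it: HMAC-SHA1 over a 60-second window counter as in RFC 6238, with a constant-time comparison and one window of clock-skew tolerance. DEMO_SECRET is a constructed value.

```python
import hashlib
import hmac
import struct
import time

# Added example, not from the slides: a time-based one-time code in the style
# of the authenticator described above, with a 60-second lifetime. The
# HMAC-SHA1 derivation follows RFC 6238; DEMO_SECRET is a constructed value.
STEP_SECONDS = 60
DIGITS = 6
DEMO_SECRET = b"demo-shared-secret-00"   # constructed; real secrets are random, per customer

def time_code(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Derive the code that is valid for the time window containing unix_time."""
    counter = unix_time // step                        # index of the current window
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def verify_code(secret, submitted, unix_time, drift_windows=1):
    """Server-side check. Accepts the current window and one neighbouring
    window either side to tolerate clock skew, and compares in constant time
    so the check does not leak how many digits matched."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    for w in range(-drift_windows, drift_windows + 1):
        expected = time_code(secret, unix_time + w * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    now = int(time.time())
    code = time_code(DEMO_SECRET, now)
    print("code for this window:", code, "accepted:", verify_code(DEMO_SECRET, code, now))
```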

32
Zero-Footprint Solution
  • Passwords can be easily stolen
  • Store an encrypted cookie in the user's browser
  • Combine password + cookie for authentication
  • Bank provides information and user authenticates
    server

33
Detecting Phishing Webpages
  • Generate an intermediate representation of the actual
    webpage
  • Search the web for suspicious URLs
  • Compare those representations to the actual webpage's
    representation
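
An added example, not the presenters' code, of the comparison the slide describes: build a compact representation of the genuine page and of a suspect page, score their overlap, and flag forms that post somewhere other than the genuine host. The HTML samples and the similarity measure are this example's assumptions.

```python
import re
from html.parser import HTMLParser

# Added example, not from the slides. Representation = tag sequence, visible
# words and form actions; the Jaccard scores below are this example's choice.

class PageSketch(HTMLParser):
    """Collects the ordered tag sequence, visible words and form actions."""
    def __init__(self):
        super().__init__()
        self.tags, self.words, self.form_actions = [], set(), []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.form_actions.append(dict(attrs).get("action") or "")
    def handle_data(self, data):
        self.words.update(w.lower() for w in re.findall(r"[a-z]{3,}", data, re.I))

def sketch(html):
    p = PageSketch()
    p.feed(html)
    return p

def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0

def compare(genuine_html, suspect_html, genuine_host):
    """Score structure and text overlap; list forms that post off the genuine host."""
    g, s = sketch(genuine_html), sketch(suspect_html)
    structure = jaccard(zip(g.tags, g.tags[1:]), zip(s.tags, s.tags[1:]))
    text = jaccard(g.words, s.words)
    foreign = [a for a in s.form_actions if genuine_host not in a]
    return {"structure": round(structure, 2), "text": round(text, 2), "foreign_forms": foreign}

def looks_like_clone(report, threshold=0.8):
    """A page that mirrors the genuine one but sends credentials elsewhere."""
    return (report["structure"] >= threshold and report["text"] >= threshold
            and bool(report["foreign_forms"]))

# Constructed sample pages: a genuine login page, a look-alike that posts to a
# different host, and an unrelated page.
GENUINE = """<html><head><title>Example Bank Login</title></head><body>
<h1>Example Bank</h1><p>Sign in to online banking</p>
<form action="https://www.examplebank.test/login" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></body></html>"""
SUSPECT = GENUINE.replace("https://www.examplebank.test/login",
                          "http://203.0.113.9/collect.php").replace("banking", "banking now")
UNRELATED = "<html><body><h1>Weather</h1><p>Sunny today</p></body></html>"
```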

34
Legislation and legal action
  • On January 26, 2004, the Federal Trade Commission
    filed its first lawsuit against a California
    teenager suspected of impersonating the America
    Online web site in order to collect credit card
    numbers
  • Arrests in many countries followed (Estonia,
    Brazil, Europe, etc.)
  • Major arrests were made - Valdir Paulo de
    Almeida, Brazilian phishing crime ring leader,
    stole between 18 and 36 million USD

35
Legislation
  • March 2005 - Democratic Senator Patrick Leahy
    introduced the Anti-Phishing Act of 2005
  • Two major points of the act
      • 5 year prison sentence plus fines if convicted
      • Allow for prosecution of phishers without
        requiring a showing of specific damages to any
        individual

36
Anti-Phishing Act of 2005
  • From Senator Leahy's staff: "phishing scammers
    already violate a host of identity theft and
    fraud laws, but prosecuting them under those
    statutes can be challenging . . . . To charge
    scammers now, law enforcers need to prove that a
    victim suffered measurable losses. By the time
    they do that . . . the scammer has often
    disappeared."

37
State Legislation
  • Virginia and New Mexico introduced legislation in
    2005 that would treat phishing as a felony (not
    as a misdemeanour)
  • California signed a bill making phishing a crime
    (civil violation) in 2005. Victims could seek
    either full compensation or $500,000, whichever
    is greater

38
More Legal Actions
  • Private companies such as Microsoft also joined
    the battle
  • Filed 117 federal lawsuits in the US District
    court of the Southern District of Washington on
    March 31, 2005
  • Hopes that this and similar lawsuits will lead to
    the unearthing of larger phishing operators in
    the US and abroad

39
Vigilante Justice
  • In July 2005, Vardan Kushnir, Russia's most
    notorious spammer, was found dead in his
    apartment
  • The motive was not clear; however, Russia had no
    spam laws on the books, so he was free to spam as
    much as he wanted
  • Good legislation and government action can
    prevent disgruntled victims from taking the law
    into their own hands

40
Bottom Line
  • Stronger authentication
  • People are the weak link
  • Learn how to detect phishing
  • Be suspicious
