Internet Security Phishing - PowerPoint PPT Presentation

1 / 40
About This Presentation
Title:

Internet Security Phishing

Description:

Preys on inexperience, fear, greed, loneliness. ... 'friends' at other schools by pretending to be a celebrity or fictional character ... Vigilante Justice ... – PowerPoint PPT presentation

Number of Views:81
Avg rating:3.0/5.0
Slides: 41
Provided by: pranay6
Category:

less

Transcript and Presenter's Notes

Title: Internet Security Phishing


1
Internet Security - Phishing
  • Sergei Agoureev
  • Kevin Gorman
  • Pranay Harsh
  • Taiji Kamiya
  • Douglas Shaffren

2
Agenda
  • Introduction
  • News
  • Attacks
  • Demo
  • Education
  • Authentication
  • Legislation
  • Conclusion

3
Phishing Intro
  • Phishing
  • The electronic attempt to steal sensitive data by
    impersonating official communications.
  • Preys on inexperience, fear, greed, loneliness.
  • Origin of the term phishing
  • Coined by early AOL crackers in 1996

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
4
The Phishing Process
Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
5
The History of Phishing
Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
6
Westpac Bank
Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
7
Bank of America
Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
8
Trends
  • Anti-Phishing Working Group up to 5 of
    recipients provide personal information

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
9
The costs of phishing
  • ID Theft costs 53 billion annually
  • One million consumers have already been
    victimized
  • Consumers pay for about 10 of the total costs

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
10
Lack of consumer trust
  • Bank competency
  • 13 would switch banks

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
11
Nigerian 419 Scam
  • 419 is the Nigerian statute against fraud
  • Computer savvy kids harvest e-mail addresses and
    sit in chat rooms
  • People in the US convince victims
  • One person can make 900-7000 a month
  • Types of 419 Scams
  • Next of kin
  • Laundering crooked money
  • Nigerian National Petroleum Co.
  • Job offer you cant refuse
  • Gorgeous person in trouble

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
12
Phishing News
  • Vectors of attack
  • IM
  • E-mail
  • Techniques of Attack
  • Using personal information
  • Keystroke loggers
  • Pharming
  • ID theft advice
  • What companies should do to protect you

Hacker News
Phishing Attacks Up
Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
13
Obtaining e-mail addresses
  • You don't need to be a genius to obtain email
    addresses. All it takes is some work and
    creativity
  • School, work and other e-mail addresses that are
    constantly used are the best targets
  • Know your audience
  • Like in football, luck, hard work, talent and
    persistence pay off

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
14
The Directory
  • Many organizations and universities maintain a
    open directory listing of employees, students,
    staff, etc.
  • Very easy way to get a lot of e-mail addresses
    fast
  • I'd hate to be a Smith or Patel

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
15
Derek Zoolander
  • Can you really say no to this face?

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
16
The online community
  • Most online communities or forums require a valid
    e-mail address, which is sometimes displayed
  • Facebook.com is a stalker and a phishers dream
  • Almost all e-mails are visible (in your school)
  • They need to be school e-mails
  • People can get friends at other schools by
    pretending to be a celebrity or fictional
    character

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
17
Newsgroups
  • Many professionals rely on newsgroups to get work
    done
  • Easily searchable on Google
  • E-mail addresses supplied are likely to be
    checked often

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
18
Pyramid Scheme
  • Who doesn't want free stuff (especially if it
    works)?
  • Web sites can be used to gain references, and
    therefore more e-mail addresses
  • You know your victims motivation free stuff

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
19
Email Harvesting
Program Inputs - Starting URL - Tree Depth
20
Email Harvesting
Program Outputs - LOTS OF EMAILS! - Print to
ASCII text file
21
Regular Expression
  • Our RegEx

"( \tgt\"\\\\()a-zA-Z0-9.-_at_(a-zA-Z0-9
\\.)(a-zA-Z3a-zA-Z2 ))"
22
Regular Expression
"((?ltDisplayNamegt(\t\x20!-'\\\-/-9\?A-Z\
-\t\x20"\x01-\x09\x0B\x0C\x0E-\x21\x23-\x5
B\x5D\x7F"))?\t\x20lt(?ltLocalPart1gt(\t\x20
!-'\\\-/-9\?A-Z\-(\.!-'\\\-/-9\?A-Z\
-)"\x01-\x09\x0B\x0C\x0E-\x21\x23-\x5B\x5D-
\x7F"))_at_(?ltDomain1gt((a-zA-Z0-9-a-zA-Z0-9a-
zA-Z0-9\.)a-zA-Z2,\((0-9?0-910-90-
920-40-9250-5)\.)3(0-9?0-910-90
-920-40-9250-5)\))gt\t\x20(?ltLocalPar
t2gt(\t\x20!-'\\\-/-9\?A-Z\-(\.!-'\\
\-/-9\?A-Z\-)"\x01-\x09\x0B\x0C\x0E-\x21\
x23-\x5B\x5D-\x7F"))_at_(?ltDomain2gt((a-zA-Z0-9-a
-zA-Z0-9 a-zA-Z0-9\.)a-zA-Z2,\((0-9?
0-910-90-920-40-9250-5)\.)3(0-9
?0-910-90-920-40-9250-5)\)))"
23
Stumbling Blocks
  • Robots Exclusion Standard
  • Meta Tags

24
Robots Exclusion Standard
  • Prevents access to all or parts of a website
  • Voluntary
  • Can be completely ignored

User-agent Disallow /about/images/
Disallow /about/includes/ Disallow
/about/styles/
25
Meta Tags
  • Prevents access to all or parts of a website
  • Voluntary
  • Can be completely ignored

ltheadgt ltmeta namerobots
contentnoindex,nofollow /gt lt/headgt
26
Stumbling Blocks
  • Solution
  • IGNORE
  • Robots Exclusion Standard
  • Meta Tags

27
Cross Site Scripting (XSS)
  • Demo
  • http//www.poetry.com/Publications/search.asp?Firs
    tltscriptgtalert(Test)lt/scriptgt

28
What you can do
  • User spam detectors to block malicious e-mail
  • Detect and delete malicious software using
    commercial programs
  • Block outgoing delivery of sensitive information
    using software products

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
29
What corporations can do
  • Establish corporate policies and communicate them
  • Provide a way for users to validate the
    legitimacy of corporate e-mails
  • Stronger authentication
  • Monitor Internet for potential phishing websites

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
30
Measures of Protection
  • Two-Factor Authentication
  • Zero-Footprint Solution
  • Digital Signatures
  • Detecting Phishing Webpages

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
31
Two-Factor Authentication
  • As simple as a password
  • Each customer has an authenticator
  • New code every 60 seconds

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
32
Zero-Footprint Solution
  • Passwords can be easily stolen
  • Store an encrypted cookie in the users browser
  • Combine password cookie for authentication
  • Bank provides information and user authenticates
    server

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
33
Detecting Phishing Webpages
  • Generate intermediate representation of actual
    webpage
  • Search the web for suspicious URLs
  • Compare those representations to actual webpages
    representation

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
34
Legislation and legal action
  • On January 26, 2004, the Federal Trade Commission
    filed its first lawsuit against a California
    teenager suspected of impersonating the America
    Online web site in order to collect credit card
    numbers
  • Arrests in many countries followed (Estonia,
    Brazil, Europe, etc)
  • Major arrests were made - Valdir Paulo de
    Almeida, Brazilian phishing crime ring leader,
    stole between 18 and 36 million USD

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
35
Legislation
  • March 2005 - Democratic Senator Patrick Leahy
    introduced the Anti-Phishing Act of 2005
  • Two major points of the act
  • 5 year prison sentence plus fines if convicted
  • Allow for prosecution of phishers without
    requiring a showing of specific damages to any
    individual

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
36
Anti-Phishing Act of 2005
  • From Senator Leahy's Staff phishing scammers
    already violate a host of identity theft and
    fraud laws, but prosecuting them under those
    statutes can be challenging . . . . To charge
    scammers now, law enforcers need to prove that a
    victim suffered measurable losses. By the time
    they do that . . . the scammer has often
    disappeared.

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
37
State Legislation
  • Virginia and New Mexico introduced legislation in
    2005 that would treat phishing as a felony (not
    as a misdemeanour)
  • California signed a bill making phishing a crime
    (civil violation) in 2005. Victims could seek
    either full compensation or 500,000 depending on
    which is greater

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
38
More Legal Actions
  • Private companies such as Microsoft also joined
    the battle
  • Filed 117 federal lawsuits in the US District
    court of the Southern District of Washington on
    March 31, 2005
  • Hopes that this and similar lawsuits will lead to
    the unearthing of larger phishing operators in
    the US and abroad

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
39
Vigilante Justice
  • In July 2005, Vardan Kushnir, Russia's most
    notorious spammer, was found dead in his
    apartment
  • The motive was not clear, however, Russia had no
    spam laws in the books so he was free to spam as
    much as he wanted
  • Good legislation and government action can
    prevent disgruntled victims from taking the law
    into their own hands

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
40
Bottom Line
  • Stronger authentication
  • People are the weak link
  • Learn how to detect phishing
  • Be suspicious

Introduction
News
Attacks
Education
Authentication
Legislation
Conclusion
Write a Comment
User Comments (0)
About PowerShow.com