
Phishing, Spoofing, Spamming and Security

How To Protect Yourself

Dr. Harold L. Bud Cothern

Additional credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from the Anti-Phishing Working Group's Phishing Archive, Carnegie Mellon CyLab

Recognize Phishing Scams and Fraudulent E-mails

Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information. Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.

History of Phishing

Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in the 70s
- Fishing = use bait to lure the target

Phishing in 1995
- Target: AOL users
- Purpose: getting account passwords for free time
- Threat level: low
- Techniques: similar names (www.ao1.com for www.aol.com), social engineering

Phishing in 2001
- Target: eBayers and major banks
- Purpose: getting credit card numbers, accounts
- Threat level: medium
- Techniques: same as in 1995, plus keyloggers

Phishing in 2007
- Target: PayPal, banks, eBay
- Purpose: bank accounts
- Threat level: high
- Techniques: browser vulnerabilities, link obfuscation

A bad day phishin' beats a good day workin'

- 2,000,000 e-mails are sent
- 5% get to the end user: 100,000 (APWG)
- 5% of those click on the phishing link: 5,000 (APWG)
- 2% of those enter data into the phishing site: 100 (Gartner)
- $1,200 from each person who enters data (FTC)
- Potential reward: $120,000

In 2005 David Levi made over $360,000 from 160 people using an eBay Phishing scam

Phishing: A Growing Problem

- Over 28,000 unique phishing attacks reported in Dec. 2006, about double the number from 2005
- Estimates suggest phishing affected 2 million US citizens and cost businesses billions of dollars in 2005
- Additional losses due to consumer fears

What Does a Phishing Scam Look Like?

As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

Current Phishing Techniques
- Employ visual elements from the target site
- DNS tricks: www.ebay.com.kr, www.ebay.com@192.168.0.5, www.gooogle.com
- Unicode attacks
- JavaScript attacks
- Spoofed SSL lock
- Certificates: phishers can acquire certificates for domains they own; certificate authorities make mistakes

The following is an example of what a phishing scam e-mail message might look like:


Example of a phishing e-mail message, including a deceptive URL address linking to a scam Web site. To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site (1), but it actually takes you to a phony scam site (2) or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called "spoofed" Web sites. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists.

Spear-Phishing: Improved Target Selection

Socially aware attacks
- Mine social relationships from public data
- Phishing e-mail appears to arrive from someone known to the victim
- Use the spoofed identity of a trusted organization to gain trust
- Urge victims to update or validate their account
- Threaten to terminate the account if the victim does not reply
- Use a gift or bonus as bait
- Security promises

Context-aware attacks
- Your bid on eBay has won!
- The books on your Amazon wish list are on sale!

Another Example:

But wait

WHOIS 210.104.211.21: Location: Korea, Republic Of

Even bigger problem: I don't have an account with US Bank!


Images from the Anti-Phishing Working Group's Phishing Archive

How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for if you think an e-mail message is a phishing scam.

"Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

"If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.

How To Tell If An E-mail Message is Fraudulent (cont'd)

"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

"Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site. Notice in the following example that resting the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

Example of masked URL address

How To Tell If An E-mail Message is Fraudulent (cont'd)

Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as:
- www.micosoft.com
- www.mircosoft.com
- www.verify-microsoft.com
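The DNS tricks listed under Current Phishing Techniques, the masked links described in the previous section and the altered URLs above can all be checked mechanically before anyone clicks. The Python below is an added example, not code from the original slides; it assumes a constructed brand list and a simplified two-label notion of registrable domain, and uses a plain regular expression rather than a full HTML parser to pull links out of an e-mail body:

```python
import re
from urllib.parse import urlsplit
BRANDS = {"aol.com", "ebay.com", "google.com", "microsoft.com", "paypal.com"}  # constructed demo list
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified extractor

def registrable(host):
    """Last two labels of a host (assumption: ignores multi-label suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; a transposed pair such as 'rc'/'cr' costs two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def url_warnings(url):
    """Return the deceptive-URL patterns seen in url; an empty list means none were found."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, warnings = parts.hostname or "", []
    if "@" in parts.netloc:  # everything before '@' is userinfo, not the site being visited
        warnings.append("text before '@' is ignored; the real host is " + host)
    if re.fullmatch(r"\d+(\.\d+){3}", host):
        warnings.append("raw IP address instead of a domain name")
    if not host.isascii() or "xn--" in host:  # IDN: letters from other scripts can mimic Latin ones
        warnings.append("internationalised host; check for look-alike letters")
    reg = registrable(host)
    if reg in BRANDS:  # the genuine site; no look-alike checks needed
        return warnings
    for brand in sorted(BRANDS):
        name = brand.split(".")[0]
        if any(name in label for label in host.lower().split(".")):  # ebay.com.kr, verify-microsoft.com
            warnings.append(f"'{name}' in host but registrable domain is {reg}")
        elif edit_distance(reg.split(".")[0], name) <= (1 if len(name) < 6 else 2):  # gooogle, mircosoft
            warnings.append(f"{reg} is a look-alike of {brand}")
    return warnings

def masked_links(html):
    """(shown text, real target) pairs where the visible link names a different domain than the href."""
    out = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and registrable(shown) != registrable(urlsplit(href).hostname or ""):
            out.append((text, href))
    return out
```

Running url_warnings over the addresses on these slides flags each of them while leaving the genuine www.microsoft.com alone; a mail gateway would apply the same checks to every link before delivery rather than relying on the user hovering over it.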

- Never respond to an e-mail asking for personal information
- Always check the site to see if it is secure; call the phone number if necessary
- Never click on the link in the e-mail; retype the address in a new window
- Keep your browser updated
- Keep antivirus definitions updated
- Use a firewall

P.S.: Always shred your home documents before discarding them.

Install the Microsoft Phishing Filter Using Internet Explorer 7 or Windows Live Toolbar
Phishing Filter (http://www.microsoft.com/athome/security/online/phishing_filter.mspx) helps protect you from Web fraud and the risks of personal data theft by warning you about, or blocking, reported phishing Web sites.

Install up-to-date antivirus and antispyware software. Some phishing e-mail contains malicious or unwanted software (like keyloggers) that can track your activities or simply slow your computer. Numerous antivirus programs exist, as well as comprehensive computer maintenance services like Norton Utilities. To help prevent spyware or other unwanted software, download Windows Defender.
