Phishing, Spoofing,

Spamming and Security

How To Protect Yourself

Dr. Harold L. “Bud” Cothern

Additional Credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from Anti-
Phishing Workgroup’s Phishing Archive,Carnegie Mellon CyLab
Recognize Phishing Scams and Fraudulent E-mails

• Phishing is a type of deception designed to steal

your valuable personal data, such as credit card
numbers, passwords, account data, or other
information.
• Con artists might send millions of fraudulent e-mail
messages that appear to come from Web sites you
trust, like your bank or credit card company, and
request that you provide personal information.
 History of Phishing
 Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in 70’s
- Fishing = Use bait to lure the target

 Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: Similar names ( www.ao1.com for www.aol.com ), social
engineering

 Phishing in 2001
Target: Ebayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: Same in 1995, keylogger
 Phishing in 2007

Target: Paypal, banks, ebay

Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
 A bad day phishin’, beats a good day workin’

• 2,000,000 emails are sent

• 5% get to the end user – 100,000 (APWG)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site –100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000

In 2005 David Levi made over $360,000 from 160

people using an eBay Phishing scam
 Phishing: A Growing Problem

• Over 28,000 unique phishing attacks reported in Dec.

2006, about double the number from 2005
• Estimates suggest phishing affected 2 million US
citizens and cost businesses billions of dollars in
2005
• Additional losses due to consumer fears
 What Does a Phishing Scam Look Like?

• As scam artists become more sophisticated, so

do their phishing e-mail messages and pop-up
windows.
• They often include official-looking logos from real
organizations and other identifying information
taken directly from legitimate Web sites.
 Current Phishing Techniques

• Employ visual elements from target site

• DNS Tricks:
–www.ebay.com.kr
–www.ebay.com@192.168.0.5
–www.gooogle.com
–Unicode attacks
• JavaScript Attacks
–Spoofed SSL lock
• Certificates
–Phishers can acquire certificates for domains
they own
–Certificate authorities make mistakes
 Spear-Phishing: Improved Target Selection

• Socially aware attacks

 Mine social relationships from public data
 Phishing email appears to arrive from someone known to the victim
 Use spoofed identity of trusted organization to gain trust
 Urge victims to update or validate their account
 Threaten to terminate the account if the victims not reply
 Use gift or bonus as a bait
 Security promises
• Context-aware attacks
“Your bid on eBay has won!”
“The books on your Amazon wish list are on sale!”
Another Example:
 But wait…

WHOIS 210.104.211.21:

Location: Korea, Republic Of

Even bigger problem:

I don’t have an account with US Bank!

 How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for if you think an e-mail message is a
phishing scam.
• "Verify your account."Businesses should not ask you to send
passwords, login names, Social Security numbers, or other personal
information through e-mail. If you receive an e-mail from anyone asking
you to update your credit card information, do not respond: this is a
phishing scam.
• "If you don't respond within 48 hours, your account will be
closed."These messages convey a sense of urgency so that you'll
respond immediately without thinking.
How To Tell If An E-mail Message is Fraudulent (cont’d)
• "Dear Valued Customer."Phishing e-mail messages are
usually sent out in bulk and often do not contain your first or
last name.
• "Click the link below to gain access to your account."
HTML-formatted messages can contain links or forms that you
can fill out just as you'd fill out a form on a Web site. The links
that you are urged to click may contain all or part of a real
company's name and are usually "masked," meaning that the
link you see does not take you to that address but somewhere
different, usually a phony Web site.
• Resting the mouse pointer on the link reveals the real Web
address. The string of cryptic numbers looks nothing like the
company's Web address, which is a suspicious sign.
How To Tell If An E-mail Message is Fraudulent (cont’d)

Con artists also use Uniform Resource Locators (URLs)

that resemble the name of a well-known company but are
slightly altered by adding, omitting, or transposing letters.

For example, the URL "www.microsoft.com" could appear

instead as:
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
• Never respond to an email asking for personal information
• Always check the site to see if it is secure. Call the phone
number if necessary
• Never click on the link on the email. Retype the address in a
new window
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall

P.S: Always shred your home documents before discarding them.