eScience Lectures Notes : Phishing
Slide 1 : 1/31: Phishing
COMP1710 Tools for New Media and Web
Phishing
Slide 2 : ToC : Phishing
Table of Contents (31 slides) for the presentation :
Phishing
Slide 3 : 3/31: What can go wrong?
In this lecture:
What can go wrong?
Spam
Phishing, vishing
Slide 4 : 4/31: Spam
SPAM: YOU SHOULD NEVER SPAM
To read: "Spam in Australia", from the Australian Communications Authority
What is Spam ?
Spam is a generic term used to describe electronic ‘junk mail’ – unwanted messages sent to your email account or mobile phone.
These messages vary, but are essentially commercial and often annoying in their
sheer volume. They may try to persuade you to buy a product or service, or visit
a website where you can make purchases; or they may attempt to trick you into
divulging your bank account or credit card details.
In Australia, spam is defined as ‘unsolicited commercial electronic messaging’.
New Australian legislation relating to spam – the Spam Act 2003 –
came into effect on 10 April 2004. This consumer guide outlines the new law;
it also offers practical advice on how you can reduce the amount of spam you
receive, and suggestions on what to do when you receive spam
Unsolicited mail
SPAM = Stupid Pointless Annoying Messages (this is a backronym)
Slide 5 : 5/31: More spam
Spam according to the Australian Law: Spam Act 2003 – came into effect on 10 April 2004.
To comply with Australia’s spam laws, a commercial
electronic message must meet the following conditions.
Any message sent to you that doesn’t meet all three of these conditions
is defined as spam:
Consent
it must be sent with your consent. You may give express consent, or consent
may be inferred from your conduct and ‘existing business or other relationships’
Identify
it must contain accurate information about the person or organisation that
authorised the sending of the message
Unsubscribe
it must contain a functional ‘unsubscribe’ facility to allow you
to opt out from receiving messages from that source in the future
A spam message is not necessarily sent out in ‘bulk’ to numerous
addresses – under Australian law, a single electronic message can also
be considered spam.
Exemptions
Electronic messages from certain sources are exempted from the legislation.
These include messages from: government bodies, registered political parties,
charities, religious organizations, educational institutions (sent to attending
and former students and their households).
Slide 6 : 6/31: Why Phishing?
What is Phishing?
"Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials"

Reproduced with permission. Please visit
www.SecurityCartoon.com
for more material.
Slide 7 : 7/31: What's Phishing?
How bad is the problem?

The number of websites hosting keylogging crimeware systems rose by over 1,100, reaching 3,362, the second highest number recorded in the preceding 12 months.
Websense Security Labs believes much of this increase is due to attackers' increasing ability to co-opt sites to spread crimeware using automated tools.
Reference: http://www.antiphishing.org/
Slide 8 : 8/31: More Phishing
Web page spoofing

Reproduced with permission. Please visit
www.SecurityCartoon.com
for more material.
Slide 9 : 9/31: Even more Phishing
What is Phishing (continued)?
Social engineering aspects:
- Sending spoofed e-mails
- Building confidence between a phisher and a victim
- Upsetting or exciting statements - must react immediately
- Ask for information such as username, passwords, credit card numbers, social security numbers, etc.
- Emails are typically NOT personalized
Technical aspects:
- Spyware
- Pharming - DNS poisoning
- Spoof web pages
Slide 10 : 10/31: PhishEx1
Phishing Example
Reference for examples and some other slides: veljko@cs.ucsb.edu
Anti-Phishing Working Group
The Honeynet Project & Research
Alliance: Behind the Scenes of Phishing Attacks
Slide 11 : 11/31: PhishEx2
Phishing Example
Slide 12 : 12/31: PhishEx3
Caught like a phish
Slide 13 : 13/31: Consequences
Consequences of (successful) Phishing
Customers:
Financial consequences: stolen financial information
Trust and effective communication can suffer
Service providers (banks, retailers...):
Diminishes value of a brand
Customer loss
Could affect stakeholders
Slide 14 : 14/31: Spear Phishing
Spear Phishing
Traditional phishing = steal info from individuals
Targeted phishing = access to a company's systems
Targeted at a specific company, government agency, organization, or group
Phisher gets an e-mail address of an administrator/colleague
Spoofed e-mail asks employees to log on to a corporate network
A key-logger application records passwords
Phisher can access corporate information
Slide 15 : 15/31: Trust the internet
Trust the internet blindly

Slide 16 : 16/31: Whaling
Targeting CEOs and other high-ranking execs
E.g. masquerade as an official subpoena requiring the recipient to appear before a federal grand jury:
- correctly address CEOs by their full name
- include their phone number and company name
- website for detailed copy of subpoena requires installation of a browser add-on to read document ...
(Yes, it was a key logger)
Slide 17 : 17/31: Vishing
Vishing = 'Voice' + Phishing
Using social engineering and Voice over IP (VoIP)
Vishing exploits the public's trust in landline telephone services, traditionally terminated in physical locations which are known to the telephone company and associated with a bill-payer; but VoIP allows for caller ID spoofing, inexpensive and complex automated systems, and anonymity for the bill-payer
Vishing is very hard for legal authorities to monitor or trace
A good example of a vish: I Work For The Credit Card Company ...
See also the cheque and e-mail variants on the same page
Reference:
Wikipedia: Vishing
Slide 18 : 18/31: Phishing Tech1
Phishing Techniques
Phishing through compromised web servers:
- Find vulnerable servers
- Gain access to the server
- Pre-built phishing web sites are set up on the server
- Mass emailing tools are downloaded and used to advertise the fake web site via spam email
- Web traffic begins to arrive at the phishing web site and potential victims access the malicious content
Slide 19 : 19/31: Phishing Tech2
Phishing Techniques
Phishing through port redirection:
- They find vulnerable servers
- They install software that will forward port 80 traffic (the default TCP port for HTTP) to a remote server
- They make sure that it is running even after a reboot
- They try not to get detected
- Web traffic begins to arrive at the phishing web site and potential victims access the malicious content
Slide 20 : 20/31: Pharming
Pharming
a hacker's attack to redirect a website's traffic to another, bogus website,
- by changing the hosts file on a victim's computer, or
- by exploitation of a vulnerability in DNS server software
Typing a URL, e.g. www.newegg.com, translates to the IP address 216.52.208.185
DNS: a dictionary of (domain name, IP address) pairs
What happens if somebody hacks DNS?
Instead of 216.52.208.185, www.newegg.com might take us to 192.168.10.103
Usually, a false web page is there
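An added example, not part of the lecture: a defender-side check of a hosts file for the kind of entry a pharming attack leaves behind (the slide's www.newegg.com sent to 192.168.10.103). The sample hosts file is constructed inline, and the watch list (newegg.com from the slide, mybank.example as a placeholder) is an assumption.

```python
import ipaddress

# Constructed sample hosts file. The last line is the scenario on the slide:
# www.newegg.com silently sent to 192.168.10.103 instead of 216.52.208.185.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# corporate intranet, legitimately maintained by IT
10.0.0.5        wiki.corp.example
192.168.10.103  www.newegg.com
"""

# Brand domains a hosts file should never override (hypothetical watch list).
WATCHED_BASE_DOMAINS = ("newegg.com", "mybank.example")

# Names that belong in a hosts file on any machine.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; skip comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip_text, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not a valid address, so not a usable hosts entry
        for name in names:
            yield addr, name.lower().rstrip(".")


def is_watched(name, bases=WATCHED_BASE_DOMAINS):
    """True if name is a watched base domain or any subdomain of one."""
    return any(name == b or name.endswith("." + b) for b in bases)


def find_pharming_entries(text, bases=WATCHED_BASE_DOMAINS):
    """Return [(hostname, ip, reason)] for entries a pharming attack would add."""
    findings = []
    for addr, name in parse_hosts(text):
        if is_watched(name, bases):
            findings.append((name, str(addr), "overrides a watched domain"))
        elif name not in LOCAL_NAMES and not (addr.is_loopback or addr.is_private):
            findings.append((name, str(addr), "non-local name pinned to a public address"))
    return findings


if __name__ == "__main__":
    for name, ip, reason in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

On a real machine the same function can be run over the contents of /etc/hosts or the Windows hosts file.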
Slide 21 : 21/31: Phishing Tech3
Phishing Techniques
Additional approaches
- They register similar sounding DNS domains and set up fake web sites, e.g. www.paypa1.com, www.connbank.com.au (also see www.combank.com.au)
- They configure the fake phishing web site to record any input data that the user submits, silently log them and then forward the user to the real web site
- They attempt to exploit weaknesses in the user's web browser to mask the true nature of the message content
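An added example (not from the lecture) of how a defender can screen domain names for the look-alike registrations described above: the protected list uses the slide's paypal.com and combank.com.au, while the confusable-character table and the edit-distance threshold are my assumptions.

```python
# Hypothetical list of brand domains to protect; the slide's two examples.
PROTECTED = ("paypal.com", "combank.com.au")

# Characters phishers swap for look-alikes (assumed table); applied before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"))


def strip_www(domain):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def normalise(domain):
    """Canonical form for comparison: strip_www plus confusable substitution."""
    d = strip_www(domain)
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, protected=PROTECTED, max_distance=2):
    """Return (brand, reason) when candidate looks like a protected domain,
    None when it is the brand itself, one of its subdomains, or unrelated."""
    plain, cand = strip_www(candidate), normalise(candidate)
    for brand in protected:
        ref = normalise(brand)
        if plain == brand or plain.endswith("." + brand):
            return None  # the genuine domain or a real subdomain of it
        if cand == ref:
            return brand, "character substitution"
        if levenshtein(cand, ref) <= max_distance:
            return brand, f"within {max_distance} edits of the brand domain"
        label = ref.split(".")[0]
        if any(label in part for part in cand.split(".")):
            return brand, "brand label embedded in another domain"
    return None
```

The same classifier can be run over newly observed domains from proxy or mail logs to flag candidates for blocking or takedown requests.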
Slide 22 : 22/31: An e-mail ...
This was an e-mail I received a while ago
I've emphasised a few places ...
868 Mynes Consulting and Fin is 1 of the leading providers a
consulting services of the world. Our success depends both on high
quality of service and on professionally managed and reliable business
structure.
It is the reason why quality is our general concern. However, the only
way to reach top-notch quality at our business is permanent struggle
for quality & engineering in stable procedures.
It is not possible to reach high quality standards without dedicated
personnel striving for faultless operation of processes & projects at
their daily life. Currently we have a Main Manager opening. No
deadlines for applications are set.
The Job a Financial Manager includes processing of money transfers,
sent to his personal bank accounts by company clients. Upon receiving
a transfer the Financier has to redirect it to the account specified
by our dispatchers. All you need for this job are: 3-4 free hours a
day, your wish, ability to work in a team and responsibility. The
initial salary will equal five percent of total monthly turnover.
Requirements to candidates:
+ twenty years and up
~ Be able to check your e mail several times of day
# Should have personal or business bank account, or open fresh
# Have a skill to communicate & access to the Internet.
* Confident PC user (SW package Office), mail programs, Internet
~ Foreign language (English is preferable).
# To have have an opportunity of any working hours to go to closest
Western Union location & make money trans .
Note:
^ Generous wages
(Your earnings will originally make five percent at each payment. Your
earnings will originally made 5 % at each payment. After 5 remittances
at you will operatively work and correct, your earnings raises high to
ten %. )
~ Opportunity of increase in your salary.
+ Free conference and training courses (After 6 months of great job).
Interested of this opening, send you request on mynescf.com@gmail.com
2006 c Mynes Consulting and Finance.
All right reserved.
Personal number: 123B7fVdoc822b1751731672b50
Slide 23 : 23/31: Botnets
Botnets
jargon term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of zombie computers controlled remotely
- A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application -- the bot.
- The bot on the infected PC logs into a particular IRC server (or in some cases a web server). That server is known as the command-and-control server (C&C).
- A spammer purchases access to the botnet from the operator.
- The spammer sends instructions via the IRC server to the infected PCs, ...
- ...causing them to send out spam messages to mail servers.
Slide 24 : 24/31: Use botnet
Uses of a botnet
Botnets are exploited for various purposes, including
denial-of-service attacks, creation or misuse of SMTP mail relays for
spam (see Spambot), click fraud, spamdexing and the theft of
application serial numbers, login IDs, and financial information such
as credit card numbers
- Denial-of-service attack where multiple systems
autonomously access a single Internet system or service in a way
that appears legit, but much more frequently than normal use and
cause the system to become busy.
- Adware exists to advertise some commercial entity
actively and without the user's permission or awareness.
- Spyware is software which sends information to its
creators about a user's activities.
- E-mail spam are e-mail messages disguised as
messages from people, but are either advertising, annoying, or
malicious in nature.
- Click fraud is the user's computer visiting websites
without the user's awareness to create false web traffic for the
purpose of personal or commercial gain.
Reference:
Wikipedia: Botnet
Slide 25 : 25/31: Phishing prevention
Phishing prevention
Public Education:
Do not believe anyone addressing you as a 'Dear Customer', 'Dear business partner', etc. (Caveats on this! Cf. Ebay)
Do not respond to an e-mail requesting username, password, bank account number, etc.
Do not click on the link provided in an e-mail message
Report phishing or spoofed e-mails
Necessary software infrastructure:
- Website authentication
- E-mail authentication
- Anti-virus software
Slide 26 : 26/31: Recognising Phishing
Recognising phishing

Slide 27 : 27/31: Recognising What?
Recognising phishing

Slide 28 : 28/31: Passwords
Recognising phishing

Slide 29 : 29/31: More scams
More scams
The Australian Securities and Investments Commission has a list
of Typical scams:
- Cold calling and phone scams
- Fake bank emails/phishing
- Early release of super scams
- Fake job emails/money transfer schemes
- 'Nigerian' letters and advance fee frauds
- Lottery scams
- Pyramid schemes
- Ponzi schemes
- Fake debt invoices
- Affinity fraud through people you know
- International investing
- Identity theft
Slide 30 : 30/31: Some protection
Protection against ISP tracking
Tor is free software which prevents ISP tracking by routing through a server network with cryptography (normally data packets indicate the IP address of the last server they passed through)
Checking for ISP tracking
There is an on-line test which detects some forms of ISP tracking / ad delivery