Bhoj Reddy Engineering College for Women: Hyderabad
Department of Information Technology
IV B. Tech. II Sem. A Sec. Seminar Presentation
Academic year 2017-18
Date: 22/02/2018
Phishing Technology
Presented by Anusha Maddireddy (14321A1209)
Mr. T. Santosh, Seminar Guide
Ms. Tasneem Rahath, Coordinator
Mr. M. Vinod, HOD-IT
PHISHING TECHNOLOGY
Phishing Basics • Pronounced "fishing". The word has its origin in the phrase "Password Harvesting", i.e. fishing for passwords. • Phishing is an online form of pretexting, a kind of deception in which an attacker pretends to be someone else in order to obtain sensitive information from the victim. • Also known as "brand spoofing". • Phishers are phishing artists.
Phishing • Phishing is a way of fraudulently acquiring sensitive information using social engineering and technical subterfuge. • It tries to trick users with official-looking messages. ◦ Credit card ◦ Bank account ◦ eBay ◦ Paypal • Some phishing e-mails also contain malicious or unwanted software that can track your activities or slow your computer.
Existing Systems 1) Detect and block the phishing Web sites in time. 2) Enhance the security of the web sites. 3) Block the phishing e-mails by various spam filters. 4) Install online anti-phishing software in user’s computers.
Proposed System i) Classification of the hyperlinks in the phishing e-mails. ii) Link guard algorithm. iii) Link guard implemented client. iv) Feasibility study.
Phishing Hosting Sites
Types Of Phishing
• Deceptive phishing
• Malware-Based Phishing
• Keyloggers and Screenloggers
• Session Hijacking
• Web Trojans
• Hosts File Poisoning
• System Reconfiguration Attacks
• Data Theft
• DNS-Based Phishing ("Pharming")
• Content-Injection Phishing
• Man-in-the-Middle Phishing
• Search Engine Phishing
Deceptive Phishing 1) The term "phishing" originally referred to account theft using instant messaging but the most common broadcast method today is a deceptive email message. 2) Messages about the need to verify account information, system failure requiring users to re-enter their information, fictitious account charges, undesirable account changes, new free services requiring quick action, and many other scams are broadcast to a wide group of recipients with the hope that the unwary will respond by clicking a link to or signing onto a bogus site where their confidential information can be collected.
Malware-Based Phishing 1) Refers to scams that involve running malicious software on users' PCs. 2) Malware can be introduced as an email attachment, as a downloadable file from a web site, or by exploiting known security vulnerabilities, a particular issue for small and medium businesses (SMBs) which are not always able to keep their software applications up to date.
Keyloggers and Screenloggers 1) Are particular varieties of malware that track keyboard input and send relevant information to the hacker via the Internet. 2) They can embed themselves into users' browsers as small utility programs known as helper objects that run automatically when the browser is started as well as into system files as device drivers or screen monitors.
Session Hijacking 1) Describes an attack where users' activities are monitored until they sign in to a target account or transaction and establish their bona fide credentials. 2) At that point the malicious software takes over and can undertake unauthorized actions, such as transferring funds, without the user's knowledge.
Web Trojans 1) Pop up invisibly when users are attempting to log in. They collect the user's credentials locally and transmit them to the phisher.
Hosts File Poisoning 1) When a user types a URL to visit a website it must first be translated into an IP address before it is transmitted over the Internet. 2) The majority of SMB users' PCs running a Microsoft Windows operating system first look up these "host names" in their "hosts" file before undertaking a Domain Name System (DNS) lookup. 3) By "poisoning" the hosts file, hackers have a bogus address transmitted, taking the user unwittingly to a fake "look-alike" website where their information can be stolen.
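A defender can check for this kind of tampering by scanning the hosts file for static entries that pin a sensitive domain to a non-local address. The following is an added example, not code from the presentation; the hosts file content, the IP addresses and the list of "sensitive" domains are all constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the presentation). The last two
# entries are the kind of additions a poisoned hosts file would carry.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost
# Suspicious additions
203.0.113.45    www.bankofabc.com bankofabc.com
198.51.100.7    login.paypal.example
"""

# Hypothetical list of domains the organisation treats as sensitive.
SENSITIVE_DOMAINS = {"bankofabc.com", "paypal.example"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_subdomain_of(name, domain):
    """True if name equals domain or is a label below it."""
    return name == domain or name.endswith("." + domain)


def find_poisoned_entries(text, sensitive=SENSITIVE_DOMAINS):
    """Return (hostname, ip) for entries that map a sensitive domain to a
    non-local address; loopback/unspecified mappings are a common benign
    use of the hosts file (ad sinkholing) and are ignored."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; not a poisoning signal by itself
        if addr.is_loopback or addr.is_unspecified:
            continue
        if any(is_subdomain_of(name, d) for d in sensitive):
            findings.append((name, ip))
    return findings


if __name__ == "__main__":
    for name, ip in find_poisoned_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} is statically mapped to {ip}")
```

On a real Windows machine the file to scan is `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`. Any hit should be compared against the DNS answer for the same name before deciding it is malicious.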
System Reconfiguration Attack 1) Modify settings on a user's PC for malicious purposes. For example: URLs in a favorites file might be modified to direct users to look alike websites. For example: a bank website URL may be changed from "bankofabc.com" to "bancofabc.com".
Data Theft 1) Unsecured PCs often contain subsets of sensitive information stored elsewhere on secured servers. 2) Certainly PCs are used to access such servers and can be more easily compromised. Data theft is a widely used approach to business espionage. 3) By stealing confidential communications, design documents, legal opinions, employee related records, etc., thieves profit from selling to those who may want to embarrass or cause economic damage or to competitors.
DNS-Based Phishing ("Pharming") 1) Pharming is the term given to hosts file modification or Domain Name System (DNS)-based phishing. 2) With a pharming scheme, hackers tamper with a company's hosts files or domain name system so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site. 3) The result: users are unaware that the website where they are entering confidential information is controlled by hackers and is probably not even in the same country as the legitimate website.
Content-Injection Phishing 1) Describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. 2) For example, hackers may insert malicious code to log user's credentials or an overlay which can secretly collect information and deliver it to the hacker's phishing server.
Man-in-the-Middle Phishing 1) Is harder to detect than many other forms of phishing. In these attacks hackers position themselves between the user and the legitimate website or system. 2) They record the information being entered but continue to pass it on so that users' transactions are not affected. Later they can sell or use the information or credentials collected when the user is not active on the system.
Search Engine Phishing 1) Occurs when phishers create websites with attractive (often too attractive) sounding offers and have them indexed legitimately with search engines. 2) Users find the sites in the normal course of searching for products or services and are fooled into giving up their information. 3) For example, scammers have set up false banking sites offering lower credit costs or better interest rates than other banks. 4) Victims who use these sites to save or make more from interest charges are encouraged to transfer existing accounts and deceived into giving up their details.
The simplified flow of information in a Phishing attack is:-
1.A deceptive message is sent from the Phishers to the user. 2. A user provides confidential information to a Phishing server (normally after some interaction with the server). 3. The Phishers obtains the confidential information from the server. 4. The confidential information is used to impersonate the user. 5. The Phishers obtains illicit monetary gain.
Phishing Techniques
• Link Manipulation
• Filter Evasion
• Website Forgery
• Phone Phishing
Link Manipulation An old method of spoofing used links containing the '@' symbol, originally intended as a way to include a username and password. For example, http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied.
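The reason the trick works is that everything before the '@' in the authority part of a URL is userinfo, not the host. A link checker can surface this by parsing the URL the same way a browser does and reporting a userinfo component that looks like a hostname. This is an added example using Python's standard `urllib.parse`, not code from the presentation.

```python
from urllib.parse import urlsplit


def real_host(url):
    """Return the host the browser will actually connect to."""
    return urlsplit(url).hostname


def userinfo_masquerade(url):
    """Return the userinfo part of the URL if it is shaped like a hostname
    (contains a dot), which is the classic '@' deception; otherwise None.
    Note: a literal '@' inside the path or query is not userinfo and is
    correctly ignored by urlsplit."""
    parts = urlsplit(url)
    user = parts.username
    if user and "." in user:
        return user
    return None


def describe_link(url):
    """Human-readable verdict for one URL (constructed helper)."""
    fake = userinfo_masquerade(url)
    if fake:
        return f"SUSPICIOUS: looks like {fake} but connects to {real_host(url)}"
    return f"ok: connects to {real_host(url)}"


if __name__ == "__main__":
    # Example from the presentation plus two constructed benign links.
    for link in (
        "http://www.google.com@members.tripod.com/",
        "https://www.google.com/",
        "https://example.com/search?q=user@host",
    ):
        print(describe_link(link))
```

Modern browsers strip or warn about userinfo in navigations, but mail clients, chat tools and log-processing pipelines often do not, so the check is still worth running on links before they are rendered or clicked.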
Filter Evasion 1) Phishers have used images instead of text to make it harder for anti-Phishing filters to detect text commonly used in Phishing e-mails.
Website Forgery 1) Once a victim visits the Phishing website the deception is not over. Some Phishing scams use JavaScript commands in order to alter the address bar. 2) This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.
Phone Phishing 1) Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. 2) Once the phone number (owned by the Phishers) was dialed, prompts told users to enter their account numbers and PIN. 3) Vishing (voice Phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.
Phishing Examples • Paypal Phishing. • Rapid Share Phishing.
Paypal Phishing 1) In an example PayPal phish, spelling mistakes in the e-mail and the presence of an IP address in the link are both clues that this is a Phishing attempt. 2) Another giveaway is the lack of a personal greeting, although the presence of personal details would not be a guarantee of legitimacy. 3) A legitimate Paypal communication will always greet the user with his or her real name, not just with a generic greeting like, "Dear Accountholder." Other signs that the message is a fraud are misspellings of simple words, bad grammar and the threat of consequences such as account suspension if the recipient fails to comply with the message's requests.
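The clues listed above (a raw IP address in the link, a generic greeting, and threats of account suspension) are simple enough to check mechanically. Below is an added example, not code from the presentation, that scores a message against those three clues; the two sample messages, the greeting and urgency phrase lists, and the IP address are all constructed. Spelling-mistake detection is left out because it needs a dictionary.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed phrase lists; a production filter would be far larger.
GENERIC_GREETINGS = ("dear accountholder", "dear customer", "dear user", "dear member")
URGENCY_PHRASES = ("suspend", "immediately", "within 24 hours", "verify your account")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_ip_literal(url):
    """True when the link's host is a bare IP address rather than a domain."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_clues(message):
    """Return a list of clue descriptions found in the message text."""
    text = message.lower()
    clues = []
    if any(g in text for g in GENERIC_GREETINGS):
        clues.append("generic greeting")
    for url in URL_RE.findall(message):
        if host_is_ip_literal(url):
            clues.append(f"link to raw IP address: {url}")
    if any(p in text for p in URGENCY_PHRASES):
        clues.append("threat or urgency language")
    return clues


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
Subject: Your PayPal account has been limitted

Dear Accountholder,

We have detected unusual activity. Please verify your account immediately
at http://203.0.113.10/paypal/login or your account will be suspended.
"""

SAMPLE_LEGIT = """\
Subject: Your receipt

Hello Anusha,

Thanks for your purchase. View the details at https://www.paypal.example/receipts/123
"""

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "->", phishing_clues(msg) or ["no clues"])
```

Each clue on its own is weak (legitimate mail sometimes uses a generic greeting), so a real filter would weight and combine them, which is the "machine learning" approach mentioned later under Technical Responses.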
Rapid Share Phishing 1) On the RapidShare web host, Phishing is common in order to get a premium account, which removes speed caps on downloads, auto-removal of uploads, waits on downloads, and cool-down times between downloads. 2) If the victim selects free user, the Phishers just pass them along to the real RapidShare site. But if they select premium, then the Phishing site records their login before passing them to the download. Thus, the Phishers have lifted the premium account information from the victim.
Reasons Of Phishing 1. Trust Of Authority. 2. Textual and Graphic Presentation Lacks Traditional Clues Of Validity. 3. E-Mail and Web Pages Can Look Real.
Trust Of Authority 1) When a Phishing email arrives marked as “High Priority” that threatens to close our bank account unless we update our data immediately, it engages the same authority response mechanisms that we've obeyed for millennia. 2) In our modern culture, the old markers of authority – physical strength, aggressiveness, ruthlessness – have largely given way to signs of economic power. 3) “He's richer than I am, so he must be a better man”. If you equate market capitalization with GDP then Bank of America is the 28th most powerful country in the world. If you receive a personal email purported to come from BOA questioning the validity of your account data, you will have a strong compulsion to respond, and respond quickly.
Textual And Graphic Presentation Lacks Traditional Clues Of Validity 1) Most people feel that they can tell an honest man by looking him in the eye. 2) Without clues from the verbal and physical realms, our ability to determine the validity of business transactions is diminished. 3) This is a cornerstone of the direct mail advertising business. If a piece of mail resembles some type of official correspondence, you are much more likely to open it.
E-Mail And Web Pages Can Look Real 1) The use of symbols laden with familiarity and repute lends legitimacy to information, whether accurate or fraudulent, that is placed on the imitating page. 2) Deception is possible because the symbols that represent a trusted company are no more 'real' than the symbols that are reproduced for a fictitious company. 3) Certain elements of dynamic web content can be difficult to copy directly but are often easy enough to fake, especially when 100% accuracy is not required. 4) Hyperlinks are easily subverted since the visible tag does not have to match the URL that your click will actually redirect your browser to. The link can look like • http://bankofamerica.com/login but the URL could actually link to • http://bankofcrime.com/got_your_login
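The visible-text versus href mismatch in point 4 is one of the most reliable things a mail gateway or browser extension can check: if the anchor text itself looks like a URL, its host should agree with the host of the href. The following added example (not code from the presentation) parses HTML with Python's standard `html.parser` and flags anchors whose displayed host and real host differ. The sample HTML is constructed around the presentation's two example links; the last-two-labels comparison in `registrable_part` is a deliberate simplification of what a real implementation would do with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that a reader would perceive as a web address.
URL_LIKE_RE = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?$")


def host_of(text):
    """Host part of a URL or bare domain string."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def registrable_part(host):
    """Simplified: last two DNS labels (hypothetical stand-in for PSL lookup)."""
    return ".".join(host.split(".")[-2:])


def mismatched_links(html):
    """Return (shown_text, real_href) pairs whose hosts disagree."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not href or not URL_LIKE_RE.match(text):
            continue  # "click here" style text carries no host claim to verify
        if registrable_part(host_of(text)) != registrable_part(host_of(href)):
            findings.append((text, href))
    return findings


# Constructed sample message body (not real mail).
SAMPLE_HTML = """
<p>Please log in at <a href="http://bankofcrime.com/got_your_login">http://bankofamerica.com/login</a> now.</p>
<p>Help: <a href="https://www.bankofamerica.com/help">https://www.bankofamerica.com/help</a></p>
<p>Or <a href="https://www.bankofamerica.com/help">click here</a>.</p>
"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_HTML):
        print(f"MISMATCH: text shows {shown!r} but href is {real!r}")
```

Note that the check deliberately compares registrable domains rather than full hostnames, so a link displayed as `bankofamerica.com/login` that really points at `www.bankofamerica.com/login` is not flagged.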
Damages Caused By Phishing 1) The damage caused by Phishing ranges from denial of access to e-mail to substantial financial loss. 2) This style of identity theft is becoming more popular, because of the readiness with which unsuspecting people often divulge personal information to Phishers, including credit card numbers, social security numbers. 3) There are also fears that identity thieves can add such information to the knowledge they gain simply by accessing public records. 4) Once this information is acquired, the Phishers may use a person's details to create fake accounts in a victim's name. 5) It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by Phishing.
Anti-Phishing 1. Social Responses 2. Technical Responses 3. Legal Responses
Social Responses 1) One strategy for combating Phishing is to train people to recognize Phishing attempts, and to deal with them. Education can be effective, especially where training provides direct feedback. 2) One newer Phishing tactic, which uses Phishing emails targeted at a specific company, known as Spear Phishing, has been harnessed to train individuals at various locations. 3) People can take steps to avoid Phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" , it is a sensible precaution to contact the company from which the e-mail apparently originates to check that the e-mail is legitimate.
Technical Responses 1. Helping to identify legitimate sites: 1) Most Phishing websites are secure websites, meaning that SSL with strong cryptography is used for server authentication, where the website's URL is used as identifier. 2) The problem is that users often do not know or recognize the URL of the legitimate sites they intend to connect to, so that the authentication becomes meaningless. 3) Simply displaying the domain name for the visited website, as some anti-Phishing toolbars do, is not sufficient. 4) A better approach is the pet name extension for Firefox which lets users type in their own labels for websites, so they can later recognize when they have returned to the site.
2. Browsers alerting users to fraudulent websites: 1) Another popular approach to fighting Phishing is to maintain a list of known Phishing sites and to check websites against the list. Microsoft's IE7 browser, Mozilla Firefox 2.0, and Opera all contain this type of anti-Phishing measure. Firefox 2 uses Google anti-Phishing software. 2) To mitigate the problem of Phishing sites impersonating a victim site by embedding its images, several site owners have altered the images to send a message to the visitor that a site may be fraudulent. 3) The image may be moved to a new filename and the original permanently replaced, or a server can detect that the image was not requested as part of normal browsing, and instead send a warning image.
3. Augmenting password logins: 1) The Bank of America's website is one of several that ask users to select a personal image, and display this user-selected image with any forms that request a password. 2) Users of the bank's online services are instructed to enter a password only when they see the image they selected. However, a recent study suggests few users refrain from entering their password when images are absent. 3) Security skins are a related technique that involves overlaying a user-selected image onto the login form as a visual cue that the form is legitimate.
4. Eliminating Phishing mail: 1) Specialized spam filters can reduce the number of Phishing e-mails that reach their addressees' inboxes. These approaches rely on machine learning and natural language processing to classify Phishing e-mails.
5. Monitoring and takedown: Several companies offer banks and other organizations likely to suffer from Phishing scams round-the-clock services to monitor, analyze and assist in shutting down Phishing websites. Individuals can contribute by reporting Phishing to both volunteer and industry groups, such as PhishTank.
Legal Responses 1) On January 26, 2004, the U.S. Federal Trade Commission filed the first lawsuit against a suspected Phisher. 2) The defendant, a Californian teenager, allegedly created a webpage designed to look like the America Online website, and used it to steal credit card information. In the United States, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005. Companies have also joined the effort to crack down on Phishing.
SUPER PHISHER
My3gb.com
The Real Process!! The hacker copies the URL (Uniform Resource Locator) of a website, e.g. www.gmail.co.in, www.yahoo.co.in,
and puts it in the software's URL space.
Building New Page
Once the fake page is built, it appears in the folder where the software is installed or kept.
Facebook Phisher Page file:///C:/Users/pc/Desktop/usb%20webserver/root/fb/index.html
G-Mail Phisher Page file:///C:/Users/pc/Desktop/SUPER%20PHISHER/output/index.html
How To Avoid Phishing • DON'T CLICK THE LINK ◦ Type the site name in your browser (such as www.paypal.com) • Never send sensitive account information by e-mail. ◦ Account numbers, SSN, passwords • Never give any password out to anyone. Verify any person who contacts you (phone or email). ◦ If someone calls you on a sensitive topic, thank them, hang up and call them back using a number that you know is correct, like the one on your credit card or statement.
Conclusion • No single technology will completely stop phishing. However, a combination of good organization and practice, proper application of current technologies, and improvements in security technology has the potential to drastically reduce the prevalence of phishing and the losses suffered from it. In particular: • Email authentication technologies such as Sender-ID and cryptographic signing, when widely deployed, have the potential to prevent phishing emails from reaching users. • Personally identifiable information should be included in all email communications.
So better think twice before clicking on a link!!