CEHv6.1 Module 12 Phishing Attacks

Ethical Hacking and Countermeasures Version 6.1 Module XII Phishing

Transcript of CEHv6.1 Module 12 Phishing Attacks

Page 1: CEHv6.1 Module 12 Phishing Attacks

Ethical Hacking and Countermeasures

Version 6.1

Module XII

Phishing

Page 2: CEHv6.1 Module 12 Phishing Attacks

EC-Council. Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News

Source: http://cbs5.com/

Page 3: CEHv6.1 Module 12 Phishing Attacks

Module Objective

This module will familiarize you with:

Introduction

Reasons for Successful Phishing

Phishing Methods

Process of Phishing

Types of Phishing Attacks

Anti-phishing Tools

Page 4: CEHv6.1 Module 12 Phishing Attacks

Module Flow

Introduction

Reasons for Successful Phishing

Phishing Methods

Process of Phishing

Types of Phishing Attacks

Anti-phishing Tools

Page 5: CEHv6.1 Module 12 Phishing Attacks

Phishing - Introduction

Page 6: CEHv6.1 Module 12 Phishing Attacks

News

Source: http://www.zdnet.co.uk

Page 7: CEHv6.1 Module 12 Phishing Attacks

Introduction

Phishing is an Internet scam where the user is convinced to give valuable information

Phishing will redirect the user to a different website through emails, instant messages, spyware, etc.

Phishers offer illegitimate websites to the user to fill in personal information

The main purpose of phishing is to get access to the customer’s bank accounts, passwords and other security information

Phishing attacks can target the audience through mass-mailing millions of email addresses around the world

Page 8: CEHv6.1 Module 12 Phishing Attacks

Reasons for Successful Phishing

Lack of knowledge

• Lack of computer system knowledge by the user (such as how email and the web work) can be exploited by the phishers to acquire sensitive information

• Many users lack the knowledge of security and security indicators

Visual deception

• Phishers can fool users by convincing them to get into a fake website with a domain name slightly different from the original website, which is difficult to notice

• They use an image of a legitimate hyperlink, where the image itself serves as a hyperlink to an unauthorized website

• Phishers trick the users by using images in the content of a web page that look like a browser window

• Keeping an unauthorized browser window on top of, or next to, a legitimate window with the same look will make users believe that they are from the same source

• Setting the tone of the language to be the same as the original website

Page 9: CEHv6.1 Module 12 Phishing Attacks

Reasons for Successful Phishing (cont’d)

Not giving attention to Security Indicators

• Users don’t give proper attention to reading the warning messages or security indicators

• In the absence of security indicators, it will be easy to insert spoofed images which will go unidentified by the users

Page 10: CEHv6.1 Module 12 Phishing Attacks

Phishing Methods

Email and Spam

• Most of the phishing attacks are done through email

• Phishers can send millions of emails to valid email addresses by using the techniques and tools used by spammers

• Phishing emails create a sense of urgency in the mind of the user to give the important information

• Phishers take advantage of SMTP flaws by adding a fake “Mail from” header and impersonating any organization of their choice

• Minor changes are made in the URL field by sending mimic copies of legitimate emails
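
An added example (not part of the original module) of the receiving-side check that exposes a forged “Mail from” header: it compares the visible From domain with Return-Path and Reply-To, and reads the SPF/DKIM/DMARC verdicts stamped by the receiving mail server. The authserv-id `mx.corp.example`, the sample messages and all domains are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id that our own receiving MTA writes into Authentication-Results.
TRUSTED_AUTHSERV = "mx.corp.example"

def _org(addr):
    """Organizational domain of an address (last two labels; real code should use the Public Suffix List)."""
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results, but only from headers stamped by our own MTA."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can add this header itself, so foreign ones prove nothing
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()):
            verdicts.setdefault(mech, result)
    return verdicts

def sender_findings(raw_message):
    """Return reasons to distrust the visible From header of one message."""
    msg = message_from_string(raw_message)
    from_org = _org(parseaddr(msg.get("From", ""))[1])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        addr = parseaddr(msg.get(name, ""))[1]
        if addr and _org(addr) != from_org:
            findings.append(f"{name.lower()}-differs-from-from")
    verdicts = auth_verdicts(msg)
    for mech in ("spf", "dkim", "dmarc"):
        result = verdicts.get(mech, "none")  # no trusted verdict counts as "none"
        if result != "pass":
            findings.append(f"{mech}-{result}")
    return findings

# Constructed sample messages (not real mail).
LEGITIMATE = """\
Return-Path: <statements@bank.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: Example Bank <statements@bank.example>
To: user@corp.example
Subject: Your monthly statement

Your statement is ready.
"""

SPOOFED = """\
Return-Path: <bounce@mailer-bulk.test>
Authentication-Results: mx.corp.example; spf=softfail smtp.mailfrom=mailer-bulk.test; dkim=none; dmarc=fail header.from=bank.example
Authentication-Results: mx.bank.example; spf=pass; dkim=pass; dmarc=pass
From: Example Bank <security@bank.example>
Reply-To: verify@bank-example-support.test
To: user@corp.example
Subject: Urgent: verify your account

Your account will be suspended.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(label, sender_findings(raw))
```

The second Authentication-Results header in the spoofed sample claims a clean pass but carries a foreign authserv-id, which is why the check ignores it.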

Page 11: CEHv6.1 Module 12 Phishing Attacks

Phishing Methods (cont’d)

Web-based Delivery

• This type of attack is carried out by targeting the customers through a third-party website

• Providing malicious website content is a popular method of phishing attacks

• Keeping fake banner advertisements on some reputed websites to redirect the customers to the phishing website is also a form of web-based delivery

IRC and Instant Messaging

• IRC and IM clients allow for embedded dynamic content

• The attackers send the fake information and links to the users through IRC and IM

Page 12: CEHv6.1 Module 12 Phishing Attacks

Phishing Methods (cont’d)

Trojaned Hosts

• A Trojan is a program that gives phishers complete access to the host computer after being installed on it

• Phishers will make the user install the trojaned software, which helps in propagating email and hosting fraudulent websites

Page 13: CEHv6.1 Module 12 Phishing Attacks

Process of Phishing

The process involved in building a successful phishing site is:

Registering a fake domain name

Building a look-alike website

Sending emails to many users

Page 14: CEHv6.1 Module 12 Phishing Attacks

Types of Phishing Attacks

Page 15: CEHv6.1 Module 12 Phishing Attacks

News

Source: http://www.theregister.co.uk

Page 16: CEHv6.1 Module 12 Phishing Attacks

Man-in-the-Middle Attacks

In this attack, the attacker’s computer is placed between the customer’s computer and the real website. This helps the attacker in tracking the communications between the systems

This attack supports both HTTP and HTTPS communications

In order to make this attack successful, the attacker has to direct the customer to the proxy server rather than the real server

The following are the techniques used to direct the customer to the proxy server:

• Transparent proxies located at the real server capture all the data by forcing the outbound HTTP and HTTPS traffic towards themselves

• DNS cache poisoning can be used to disturb normal traffic routing by establishing false IP addresses for key domain names

• Browser proxy configuration is used to set proxy configuration options by overriding the user’s web browser settings

Page 17: CEHv6.1 Module 12 Phishing Attacks

URL Obfuscation Attacks

The user is made to follow a URL by sending a message which navigates them to the attacker’s server

The different methods of URL obfuscation include:

• Making a few changes to the authorized URLs, which makes it difficult to identify the result as a phishing site

• Giving friendly login URLs to the users, which negate the complexity of authentication and navigate them to the look-alike target URL

• Many third-party organizations offer to create shorter URLs free of charge, which can be used to obfuscate the true URL

• The IP address of a domain name can be used as part of the URL to obfuscate the host and also to bypass content filtering systems
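
An added example (not from the original module) of a filter-side check for the four obfuscation methods listed above; it goes slightly beyond the slide by also flagging a protected name embedded as a subdomain of another domain. The protected domain `bank.example`, the two-entry shortener list and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

PROTECTED = ("bank.example",)           # assumption: domains the organization wants to protect
SHORTENERS = {"tinyurl.com", "bit.ly"}  # small illustrative list, not exhaustive

def edit_distance(a, b):
    """Levenshtein distance, used to spot hosts that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_as_ip(host):
    """Return an IP object if the host is an address in dotted, decimal or hex form."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))  # e.g. 3221225994 or 0xC000020A
    except ValueError:
        return None

def url_findings(url):
    """Return the obfuscation indicators found in one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.username is not None:
        # "Friendly login" form: text before '@' is credentials, not the host.
        findings.append("userinfo-before-host")
    if host_as_ip(host) is not None:
        findings.append("ip-literal-host")
        return findings
    # Simplification: registered domain = last two labels (use the Public Suffix List in production).
    org = ".".join(host.split(".")[-2:])
    if org in SHORTENERS:
        findings.append("url-shortener")
    for good in PROTECTED:
        if org == good:
            continue
        if 0 < edit_distance(org, good) <= 2:
            findings.append(f"lookalike-of-{good}")
        elif good in host:
            findings.append(f"{good}-embedded-in-other-domain")
    return findings

# Constructed sample URLs (documentation address ranges and reserved TLDs).
SAMPLE_URLS = [
    "https://www.bank.example/login",
    "http://www.bannk.example/login",
    "http://www.bank.example@192.0.2.10/login",
    "http://3221225994/login",
    "https://tinyurl.com/abc123",
    "http://www.bank.example.account-check.test/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, url_findings(u))
```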

Page 18: CEHv6.1 Module 12 Phishing Attacks

Cross-site Scripting Attacks

This type of attack makes use of a custom URL or code to inject into a valid web-based application URL or embedded data field

Most CSS (cross-site scripting) attacks are carried out using URL formatting

Page 19: CEHv6.1 Module 12 Phishing Attacks

Hidden Attacks

The attacker uses HTML, DHTML, or other scriptable code to:

• Change the display of rendered information as interpreted by the customer’s web browser

• Disguise fake content as coming from the real site

Methods used for hidden attacks are:

• Hidden Frame: frames are used to hide attack content, aided by their uniform browser support and easy coding style

• Overriding Page Content

• Graphical Substitution

Page 20: CEHv6.1 Module 12 Phishing Attacks

Client-side Vulnerabilities

Most customers are vulnerable to phishing attacks while they browse the web for any software

These client-side vulnerabilities can be exploited in a number of ways, similar to worms and viruses

Antivirus software is not useful against these vulnerabilities as they are harder to identify

Page 21: CEHv6.1 Module 12 Phishing Attacks

Deceptive Phishing

The common method of deceptive phishing is email

The phisher sends deceptive emails in bulk which command the user to click on the link provided

The phisher’s call to action contains daunting information about the recipient’s account

Phisher then collects the confidential information given by the user

Page 22: CEHv6.1 Module 12 Phishing Attacks

Malware-Based Phishing

In this method, phishers use malicious software to attack the user’s machine

This phishing attack spreads through social engineering or security vulnerabilities

In social engineering, the user is convinced to open an email attachment that appears to carry some important information, and to download it along with the malware it contains

Exploiting security vulnerabilities by injecting worms and viruses is another form of malware-based phishing

Page 23: CEHv6.1 Module 12 Phishing Attacks

Malware-Based Phishing (cont’d)

Keyloggers and Screenloggers

• It is a program that installs itself into the web browser or as a device driver that monitors the input data and sends it to the phishing server

• It monitors the data and sends it to a phishing server

• The techniques used by keyloggers and screenloggers are:

• Key logging is used to monitor and record the key presses by the customer

• The device driver monitors the keyboard and mouse inputs by the user

• The screen logger monitors both the user inputs and the display

Page 24: CEHv6.1 Module 12 Phishing Attacks

Malware-Based Phishing (cont’d)

Web Trojans

• These malicious programs pop up over the login screen when the user is entering information on the website

• The information is entered locally rather than on the website, and is later transmitted to the phisher

Hosts File Poisoning

• The operating system has a ‘hosts’ file, which is checked for host names before a DNS lookup is performed

• Hosts file poisoning is the modification of the hosts file to make the user navigate to an illegitimate website and give confidential information

• This allows the phishers to modify the hosts file to redirect the user
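
An added example (not from the original module) of auditing a hosts file for the poisoning described above: every entry that overrides DNS for a non-local name is reported, and overrides of a watched domain are marked separately. The watched domain `bank.example`, the expected local names and the sample file content are constructed assumptions; on a real system the text would be read from `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Assumption: names that legitimately appear in a default hosts file.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Assumption: domains whose resolution must never be overridden locally.
WATCHED = ("bank.example",)

def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping in hosts-file text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # strip IPv6 zone id
        except ValueError:
            continue  # malformed address field; the resolver ignores it too
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line, hostname, ip, reason) for entries that override DNS."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in EXPECTED_LOCAL:
            continue
        if any(name == w or name.endswith("." + w) for w in WATCHED):
            reason = "watched-domain-override"
        elif ip.is_loopback or ip.is_unspecified:
            continue  # sink entries (ad blocking) send traffic nowhere
        else:
            reason = "unexpected-override"
        findings.append((lineno, name, str(ip), reason))
    return findings

# Constructed sample content (documentation address ranges, reserved TLDs).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost ip6-localhost ip6-loopback
# entry below is a constructed example of a poisoned mapping
203.0.113.66   www.bank.example bank.example
0.0.0.0        ads.tracker.test
198.51.100.7   intranet.corp.test
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```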

Page 25: CEHv6.1 Module 12 Phishing Attacks

Malware-Based Phishing (cont’d)

System Reconfiguration Attacks

• This attack is used to reconfigure the settings on the user’s computer

• The system’s DNS server is modified with faulty DNS information by poisoning the hosts file

• It changes the proxy server setting on the system to redirect the user’s traffic to other sites

Page 26: CEHv6.1 Module 12 Phishing Attacks

DNS-Based Phishing

DNS-based phishing is used to pollute the DNS cache with incorrect information, which directs the user to another location

This type of phishing can be done directly when the user has a misconfigured DNS cache

The user’s DNS server can be changed with a system reconfiguration attack

Page 27: CEHv6.1 Module 12 Phishing Attacks

Content-Injection Phishing

In this attack, malicious content is injected into a legitimate site

This malicious content can direct the user to some other site or it can install malware on the computer

Types of content-injection phishing are:

• Hackers replace the legitimate content with malicious content by compromising a server through a security vulnerability

• Malicious content can be injected into a site using a cross-site scripting vulnerability

• Illegitimate actions can be performed on a site using an SQL injection vulnerability

Page 28: CEHv6.1 Module 12 Phishing Attacks

Search Engine Phishing

The phishers create identical websites for fake products and get the pages indexed by the search engine

Phishers convince the user to give their confidential information by providing interesting offers

The major success in search engine phishing comes from online banking and online shopping

Page 29: CEHv6.1 Module 12 Phishing Attacks

News

Source: http://www.usatoday.com

Page 30: CEHv6.1 Module 12 Phishing Attacks

Phishing Statistics: March 2008

Current Phishing Targets

Source: http://www.marshal.com/

Page 31: CEHv6.1 Module 12 Phishing Attacks

Phishing Statistics: March 2008 (cont’d)

Phishing Sources by Country

Source: http://www.marshal.com/

Page 32: CEHv6.1 Module 12 Phishing Attacks

Phishing Statistics: March 2008 (cont’d)

Phishing Sources by Continent

Source: http://www.marshal.com/

Page 33: CEHv6.1 Module 12 Phishing Attacks

Phishing Statistics: March 2008 (cont’d)

Phishing Percentage over Time

Source: http://www.marshal.com/

Page 34: CEHv6.1 Module 12 Phishing Attacks

Anti-Phishing

Phishing attacks are prevented by anti-phishing software

Anti-phishing software detects phishing attacks in the website or in the customer’s email

This software displays the real website domain that the customer is visiting by residing in web browsers and email servers as an integrated tool

Phishing attacks can be prevented both at the server side and at the client side

Page 35: CEHv6.1 Module 12 Phishing Attacks

Anti-Phishing Tools

Page 36: CEHv6.1 Module 12 Phishing Attacks

PhishTank SiteChecker

PhishTank SiteChecker blocks phishing pages with reference to the data present in PhishTank

It is an extension for Firefox, SeaMonkey, Internet Explorer, Opera, Mozilla, and Flock

The SiteChecker checks the site the user is currently on against the PhishTank database

Page 37: CEHv6.1 Module 12 Phishing Attacks

PhishTank SiteChecker: Screenshot

Page 38: CEHv6.1 Module 12 Phishing Attacks

NetCraft

The NetCraft tool alerts the user when connected to a phishing site

When the user connects to a phishing site, it blocks the user by showing a warning sign

It traps suspicious URLs in which the characters have no common purpose other than to deceive the user

It enforces the browser navigational controls in all windows to protect against pop-ups which hide the navigational controls

It displays the countries hosting the sites to detect fraudulent URLs

Page 39: CEHv6.1 Module 12 Phishing Attacks

NetCraft: Screenshot

Page 40: CEHv6.1 Module 12 Phishing Attacks

GFI MailEssentials

GFI MailEssentials’ anti-phishing module detects and blocks threats posed by phishing emails

It updates the database of blacklisted mails, which ensures the capture of all the latest phishing mails

It also checks for typical phishing keywords in every email sent to the organization

Page 41: CEHv6.1 Module 12 Phishing Attacks

GFI MailEssentials: Screenshot

Page 42: CEHv6.1 Module 12 Phishing Attacks

SpoofGuard

SpoofGuard prevents a form of malicious attack, such as web spoofing and phishing

It places a traffic light in the user’s browser toolbar that turns from green to yellow to red when the user navigates to a spoof site

When the user enters private data into a spoofed site, SpoofGuard saves the data and warns the user

Page 43: CEHv6.1 Module 12 Phishing Attacks

SpoofGuard: Screenshot 1

Page 44: CEHv6.1 Module 12 Phishing Attacks

SpoofGuard: Screenshot 2

Page 45: CEHv6.1 Module 12 Phishing Attacks

SpoofGuard: Screenshot 3

Page 46: CEHv6.1 Module 12 Phishing Attacks

Phishing Sweeper Enterprise

It installs Phishing Sweeper products throughout the organization

It is an effective utility against spam and spoofed emails

It allows creating groups of users with different policies, producing customized reports, installing phishing updates, and viewing the status of all clients

It provides mail protection, website protection, alerts, and logs

Page 47: CEHv6.1 Module 12 Phishing Attacks

Phishing Sweeper Enterprise: Screenshot

Page 48: CEHv6.1 Module 12 Phishing Attacks

TrustWatch Toolbar

TrustWatch performs a trusted search with a built-in search box

It informs the user whether the site is verified and warns the user to be cautious

It provides a personal security ID to prevent toolbar spoofing

It reports suspected fraudulent sites and indicates the real site the user is on

Page 49: CEHv6.1 Module 12 Phishing Attacks

ThreatFire

ThreatFire provides a behavior-based security monitoring solution that protects against unsafe programs

It continuously analyses the programs and processes on the system, and if it finds any suspicious actions, it alerts the user

It can be used with normal antivirus programs or firewalls, which adds an additional level of security for the system

Page 50: CEHv6.1 Module 12 Phishing Attacks

ThreatFire: Screenshot

Page 51: CEHv6.1 Module 12 Phishing Attacks

GralicWrap

GralicWrap automatically stops fraudulent websites from loading to prevent data theft

The private data of the user is protected from being distributed to third parties

It updates the fraudulent-site database automatically on the user’s system

Page 52: CEHv6.1 Module 12 Phishing Attacks

GralicWrap: Screenshot

Page 53: CEHv6.1 Module 12 Phishing Attacks

Spyware Doctor

Spyware Doctor is an adware and spyware utility which identifies and clears many potential adware, trojans, keyloggers, spyware and other malware from the system

It also features browser monitoring, immunization against ActiveX controls, and automatic cookie deletion

Page 54: CEHv6.1 Module 12 Phishing Attacks

Spyware Doctor: Screenshot

Page 55: CEHv6.1 Module 12 Phishing Attacks

Track Zapper Spyware-Adware Remover

Spyware Remover is an adware, spyware, key logger, trojan, dialer, hijacker, trackware, and thiefware removal utility with multi-language support

It scans the primary memory, registry, and drives for known adware and spyware and lets the user remove them safely from the system

It also features Spywatch, which monitors and watches the memory

Page 56: CEHv6.1 Module 12 Phishing Attacks

Track Zapper Spyware-Adware Remover: Screenshot

Page 57: CEHv6.1 Module 12 Phishing Attacks

AdwareInspector

AdwareInspector is a program which removes all adware, spyware, viruses, dialers, and hijackers that are present on the user’s computer

It consists of a database of many fingerprints of spyware, adware, trojans, and worms that is updated automatically to alert on the latest dangers

It can be set for automatic updating or manual updating

Page 58: CEHv6.1 Module 12 Phishing Attacks

AdwareInspector: Screenshot

Page 59: CEHv6.1 Module 12 Phishing Attacks

Email-Tag.com

Email-Tag.com is used to protect email accounts, protect the computer, and hide the email address

Using this technique, the user’s accounts will be invisible to spammers

It will generate an email-tag image using the preset templates

Automated email harvesters read text, recognize email address formats, and add the addresses to their spam database

The spammers can be deceived by using images instead of text for email addresses, as email harvesters cannot read images

Page 60: CEHv6.1 Module 12 Phishing Attacks

Email-Tag.com: Screenshot

Page 61: CEHv6.1 Module 12 Phishing Attacks

Summary

Phishing is an Internet scam where the user is convinced to give valuable information

Lack of computer system knowledge by the user (such as how email and the web work) can be exploited by the phishers to acquire sensitive information

Most of the phishing attacks are done through email

Trojaned hosts run software installed on the customer’s computer that allows the phishers to access the user’s information

Phishing attacks are prevented by anti-phishing software
