Phishing

PHISHING: THERE IS SOMETHING FISHY ABOUT IT

Transcript of Phishing

WHAT IS PHISHING?

Phishing (pronounced "fishing") is an online fraud technique used by criminals to lure you into disclosing your personal information.

There are many different tactics used to lure you, including e-mail and Web sites that mimic well-known, trusted brands. A common phishing practice uses spoofed messages that are disguised to look like they are from a well-known company or Web site, such as a bank, credit card company, charity, or e-commerce online shopping site. The purpose of these spoofed messages is to trick you into providing personally identifiable information (PII), such as the following:

• Name and user name

• Address and telephone number

• Password or PIN

• Bank account number

• ATM/debit or credit card number

• Credit card validation code (CVC) or card verification value (CVV)

• Social Security Number (SSN)

HISTORY OF PHISHING

Phreaking + Fishing = Phishing

- Phreaking = making phone calls for free back in 70’s

- Fishing = Use bait to lure the target

Phishing in 1995

Target: AOL users

Purpose: getting account passwords for free time

Threat level: low

Techniques: Similar names (www.ao1.com for www.aol.com), social engineering

HISTORY OF PHISHING

Phishing in 2001

Target: eBay users and major banks

Purpose: getting credit card numbers, accounts

Threat level: medium

Techniques: same as in 1995, plus keyloggers

Phishing in 2007

Target: PayPal, banks, eBay

Purpose: bank accounts

Threat level: high

Techniques: browser vulnerabilities, link obfuscation
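The "similar names" technique from the 1995 slide (www.ao1.com standing in for www.aol.com) is still the easiest one to catch automatically. The following is an added example, not part of the original slides: a small Python checker that normalizes look-alike characters (1 for l, 0 for o, rn for m, and so on) and compares the result against an allowlist of trusted brand domains. The trusted-domain list, the confusable map and the test hostnames are constructed for illustration; the registrable-domain helper is a simplification that a real deployment would replace with the Public Suffix List.

```python
"""Flag hostnames that imitate a trusted brand domain (added example)."""
from difflib import SequenceMatcher

# Constructed allowlist of domains we consider legitimate for this example.
TRUSTED_DOMAINS = {"aol.com", "paypal.com", "ebay.com"}

# Characters and digraphs commonly swapped in for visually similar ones.
CONFUSABLES = {
    "1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l",
    "rn": "m", "vv": "w", "cl": "d",
}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname ('www.aol.com' -> 'aol.com').

    Simplification (assumption): real code should consult the Public Suffix
    List so that hosts such as 'bank.co.uk' are reduced correctly.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize_confusables(label: str) -> str:
    """Replace look-alike characters with the letters they imitate."""
    # Longer digraphs first so 'rn' is rewritten before single characters.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def lookalike_of(hostname: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Return the trusted domain this hostname imitates, or None.

    A hostname that is a trusted domain (or a subdomain of one) is not a
    look-alike. Otherwise the second-level label is de-confused and compared:
    an exact match after normalization ('ao1' -> 'aol'), a brand embedded in a
    longer label ('paypa1-secure'), or a high similarity ratio all count.
    """
    domain = registrable_domain(hostname)
    if domain in trusted:
        return None
    name, _, _tld = domain.rpartition(".")
    normalized = normalize_confusables(name)
    best = None
    for candidate in trusted:
        brand, _, _ = candidate.rpartition(".")
        if normalized == brand:
            return candidate
        if len(brand) >= 4 and brand in normalized:
            return candidate
        ratio = SequenceMatcher(None, normalized, brand).ratio()
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = (candidate, ratio)
    return best[0] if best else None


if __name__ == "__main__":
    for host in ["www.ao1.com", "www.aol.com", "paypa1-secure.com", "google.com"]:
        print(f"{host:20s} -> {lookalike_of(host)}")
```

Run it against hostnames pulled from mail logs or proxy logs; a non-None result is a candidate for blocking or for a user warning, never an automatic verdict, since legitimate domains can also sit close to a brand name.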

PHISHING TECHNIQUES

• Dragnet method: This method uses spammed e-mails bearing falsified corporate identification, addressed to a large class of people, that direct recipients to websites or pop-up windows with similarly falsified identification in order to trigger an immediate response.

• Rod-and-reel method: This method targets prospective victims with whom initial contact has already been made. The specific victims so identified are sent false information designed to prompt their disclosure of personal and financial data.

• Lobsterpot method: This consists of creating websites that resemble legitimate corporate websites, aimed at a narrowly defined class of victims identified in advance by the phishers; the phishers themselves trigger no victim response. It is enough that victims mistake the spoofed website for a legitimate, trustworthy site and provide their personal data.

• Gillnet phishing: In gillnet phishing, phishers introduce malicious code into e-mails and websites. They can, for example, misuse browser functionality by injecting hostile content into another site's pop-up window. Merely by opening a particular e-mail or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases the malicious code changes settings on the user's system so that a user who wants to visit a legitimate banking website is redirected to a look-alike phishing site. In other cases the malicious code records the user's keystrokes and passwords when they visit legitimate banking sites, then transmits that data to the phishers for later illegal access to the user's financial accounts.

CAUSES OF PHISHING

• Misleading e-mails

• No check of source address

• Vulnerability in browsers

• No strong authentication at websites of banks and financial institutions

• Limited use of digital signatures

• Non-availability of secure desktop tools

• Lack of user awareness

• Vulnerability in applications

• … and more

EFFECTS OF PHISHING

• Internet fraud

• Identity theft

• Financial loss to the original institutions

• Difficulties in Law Enforcement Investigations

• Erosion of Public Trust in the Internet.

PHISHING FACTS

HOW TO COMBAT PHISHING?

• Educate application users

• Think before you open

• Never click on the links in an email, message boards or mailing lists

• Never submit credentials on forms embedded in emails

• Inspect the address bar and SSL certificate

• Never open suspicious emails

• Ensure that the web browser has the latest security patch applied

• Install latest anti-virus packages

• Destroy any hard copy of sensitive information

• Verify the accounts and transactions regularly

• Report the scam via phone or email.
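The advice above to inspect the address bar and not to click links in e-mail can be turned into an automatic pre-click check. The following is an added example, not part of the original slides: a Python script that extracts every anchor from an HTML message, compares the domain shown in the link text with the host the href really points to, and flags the classic obfuscations (a user-info "@" before the real host, a raw IP address instead of a domain, and plain HTTP). The sample message, the host names bank.example and evil.example, and the IP 203.0.113.5 are constructed for the example.

```python
"""Audit the links in an HTML e-mail body before anyone clicks (added example)."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str):
    """Hostname of a URL or of bare text like 'www.bank.example'; None otherwise."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    # Bare text must look like a domain to count ('Click here' does not).
    if host and "." in host and " " not in text:
        return host.lower()
    return None


def is_ip_literal(host: str) -> bool:
    """True if the host is a bare IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html_body: str):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((href, f"non-HTTPS scheme '{parts.scheme}'"))
        if parts.username is not None:
            # 'https://www.bank.example@evil.example/' displays the brand
            # first but the browser connects to evil.example.
            findings.append((href, "user-info '@' in URL hides the real host"))
        if host and is_ip_literal(host):
            findings.append((href, "raw IP address instead of a domain"))
        shown = host_of(text)
        if shown and shown != host:
            findings.append((href, f"visible text says {shown} but link goes to {host}"))
    return findings


# Constructed sample message for the example.
SAMPLE_EMAIL = """
<p>Your account is locked. <a href="https://bank.example/login">Sign in</a></p>
<p>Or verify here: <a href="http://203.0.113.5/verify">https://www.bank.example/verify</a></p>
<p><a href="https://www.bank.example@evil.example/">Update details</a></p>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

The first link in the sample produces no finding; the second produces three (HTTP, raw IP, text/href mismatch) and the third one (hidden host). The same checks map directly onto the "URL qualification" item in the development guidance that follows: links a bank sends out should survive this audit cleanly.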

HOW TO COMBAT PHISHING?

• Formulate and enforce best practices

• Authorization controls and access privileges for systems, databases and applications.

• Access to any information should be based on need-to-know principle

• Segregation of duties.

• Media should be disposed only after erasing sensitive information.

HOW TO COMBAT PHISHING?

Reinforce application development / maintenance processes:

1. Web page personalization

2. Content Validation

3. Session Handling

4. URL Qualification

5. Authentication Process

6. Transaction non-repudiation

7. Image Regulation

ORGANIZATIONS

Anti-Phishing Working Group (APWG)

The APWG has more than 2300 members from over 1500 companies and agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign. Financial industry members include the ING Group, VISA, Mastercard and the American Bankers Association.