Phishing Attacks


Transcript of Phishing Attacks

Page 1: Phishing Attacks

Phishing Attacks
Dr. Neminath Hubballi

Page 2: Phishing Attacks

Outline
Motivation
Introduction
Forms and means of Phishing Attacks
Phishing today
Staying safe
  Server side defense
  Personal level defense
  Enterprise level defense
Distributed phishing
Indian Institute of Technology Indore

Page 3: Phishing Attacks

Motivation: Phishing Attacks in India and Globally
India lost around $53 million (about Rs 328 crore) to phishing scams, with the country facing over 3,750 attacks in July-September last year
4th largest target of phishing attacks in the world: 7% of global phishing attacks are targeted at India
US tops the ranking with 27% of phishing attacks
RSA identified 46,119 phishing attacks in September globally, a 36 per cent increase compared with August (33,861)

Courtesy: The Hindu Business http://www.thehindubusinessline.com/industry-and-economy/info-tech/india-lost-53-m-to-phishing-attacks-in-q3/article5414170.ece

Page 4: Phishing Attacks

Phishing Attacks
It is made up of: Phreaking + Fishing = Phishing
  Phreaking = making phone calls for free back in the 70's
  Fishing = attract the fish to bite
There are lots of fish in the pond
  Lure them to come and bite
  Those who bite become victims

Courtesy: Google Images

Page 5: Phishing Attacks

Phishing Attacks
Phishing is a form of social engineering attack
  Not all social engineering attacks are phishing attacks!
Mimic the communication and appearance of legitimate communications and companies
The first phishing incident appeared in 1995
Attractive targets include
  Financial institutions
  Gaming industry
  Social media
  Security companies

Page 6: Phishing Attacks

Phishing Information Flow
Three components
  Mail sender: sends large volume of fraudulent emails
  Collector: collects sensitive information from users
  Casher: uses the collected sensitive information to encash

Courtesy: Junxiao Shi and Sara Saleem

Page 7: Phishing Attacks

Phishing Forms
Creating fake URLs and sending them
  Misspelled URLs: www.sbibank.statebank.com, www.miccosoft.com, www.mircrcosoft.com
  Creating anchor text: <a href = "anchor text" > Link Text </a> is displayed as just "Link Text"
Fake SSL lock
  Simply show it so that users feel secure
Getting valid certificates for illegal sites
  Certifying agency not being alert
  Sometimes users overlook security certificate warnings
URL manipulation using JavaScript

Page 8: Phishing Attacks

Phishing Payload

Page 9: Phishing Attacks

Phishing Purpose

Page 10: Phishing Attacks

Types of Phishing
Clone Phishing:
  Phisher creates a clone email
  Done by getting the contents and the addresses of recipients and sender
Spear Phishing:
  Targeting a specific group of users
  All users of that group have something in common
  Ex: targeting all faculty members of IITI
Phone Phishing:
  Call up someone and say you are from the bank
  Ask for the password saying you need to do maintenance
  Use of VoIP makes this easy

Page 11: Phishing Attacks

Email Spoofing for Phishing
An email concealing its true source
  Ex. [email protected] when it is actually coming from somewhere else
Send an email saying your bank account needs to be verified urgently
When the user believes it
  Sends her credit card
  Gives her password
Sending spoofed email is very easy
  There are so many spoof mail generators

Page 12: Phishing Attacks

Sample Email

Page 13: Phishing Attacks

Web Spoofing for Phishing
Setting up a webpage which looks similar to the original one
  Save any webpage as an html page
  Go to view source and save
A php script which stores credentials to a file is what is required to harvest credentials
In the html page search for the submit form and change it to the written php script
Host it on a server
You are ready to go! Send a spoofed email with a link to the spoofed webpage

Page 14: Phishing Attacks

Phishing Today
Use bots to perform large scale activity
  Relays for sending spam and phishing emails
Phishing Kits
  Ready to use
  Contain clones of many banks and other websites
Emails
  JPEG images: the complete email is an image
  Suspicious parts of the URL may have the same color as the background
  Use font differences
    The substitution of uppercase “i” for lowercase “L”, and number zero for uppercase “O”
  Use of the first 4 digits of the credit card number, which are not unique to the customer

Page 15: Phishing Attacks

Phishing Today

Uncommon encoding mechanisms
Cross site scripting
  Sites that accept user input and lack a sanity check are vulnerable
Fake banner advertisements

Page 16: Phishing Attacks

Phishing Today: Dynamic code
Phishing emails contain links to sites whose contents change
  When the email came in at midnight it was OK, but the next day when you clicked it, it was vulnerable
Numbers (IP address) in URLs
Use of targeted email
  Gather enough information about the user from social networking sites
  Send a targeted email using the knowledge of the previous step
  Unsuspecting user clicks on the link
  Attacker takes control of the recipient's machine (backdoor, trojan)
  Steal / harvest credentials

Page 17: Phishing Attacks

Enterprise Level Protection
Collecting data from users
  About emails received
  Website links
  Why should anyone give you such data?
    Her interest is also included
    Incentives
Analyzing spam emails for keywords
  “click on the link below”
  “enter user name password here”
  “account will be deleted” etc.
Personalization of emails
  Every email should quote some secret that proves the identity
  Ex: phrase as “Dear Dr. Neminath” instead of “Dear Customer”
  Referring to the timing of the previous email
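As an added example (not from the slides), a small Python triage script that applies the checks these slides describe to one HTML email: the lure-phrase keywords from this slide, anchor text whose displayed host differs from the real href, IP-literal hosts, the I/l and 0/O substitutions, misspelled (typosquatted) domains such as www.miccosoft.com, and a brand name placed in an unrelated host as in www.sbibank.statebank.com. The allowlist LEGIT_DOMAINS, the sbi.example placeholder and the sample email are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse
# Assumed allowlist of protected brands (microsoft.com is real; sbi.example is a constructed stand-in for the SBI case).
LEGIT_DOMAINS = {"microsoft.com", "sbi.example"}
# Lure phrases quoted on the "Enterprise Level Protection" slide.
LURE_PHRASES = ("click on the link below", "enter user name password here", "account will be deleted")
# Visual substitutions named on the "Phishing Today" slide: capital I for l, digit 0 for O.
HOMOGLYPHS = str.maketrans({"I": "l", "0": "o"})
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']?([^"\'\s>]*)[^>]*>(.*?)</a>', re.I | re.S)

def host_of(s):  # host of a URL or bare hostname, case preserved so homoglyphs stay visible
    netloc = urlparse(s if "://" in s else "http://" + s).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]
def registrable(host):  # naive: last two labels, no public-suffix list
    return ".".join(host.split(".")[-2:])
def edit_distance(a, b):  # Levenshtein distance, catches typosquats such as miccosoft.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def analyze_email(html):  # returns the phishing indicators found in one HTML email body
    text = re.sub(r"<[^>]+>", " ", html).lower()
    findings = [f"lure phrase: {p!r}" for p in LURE_PHRASES if p in text]
    for href, visible in ANCHOR_RE.findall(html):
        host = host_of(href)
        vhost = host_of(re.sub(r"<[^>]+>", "", visible).strip()).lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"ip-literal host: {host}")
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", vhost) and vhost != host.lower():
            findings.append(f"anchor mismatch: shows {vhost}, goes to {host}")
        reg = registrable(host.lower())
        if reg in LEGIT_DOMAINS:
            continue
        norm = registrable(host.translate(HOMOGLYPHS).lower())
        near = [d for d in sorted(LEGIT_DOMAINS) if edit_distance(reg, d) <= 2]
        if norm in LEGIT_DOMAINS:
            findings.append(f"homoglyph lookalike: {host} -> {norm}")
        elif near:
            findings.append(f"typosquat: {reg} ~ {near[0]}")
        elif any(d.split(".")[0] in host.lower() for d in LEGIT_DOMAINS):
            findings.append(f"brand name in unrelated host: {host}")
    return findings
# Constructed sample lure combining the tricks from the slides.
SAMPLE_EMAIL = """<p>Dear Customer, your account will be deleted unless you verify it.
Click on the link below:</p> <a href="http://www.sbibank.statebank.com/verify">www.sbi.example</a>
<a href="http://www.micros0ft.com/login">Microsoft account</a> <a href="http://203.0.113.7/kit/">Update now</a>"""
```

Running analyze_email(SAMPLE_EMAIL) yields six findings (two lure phrases, the anchor mismatch, the brand in an unrelated host, the 0-for-o lookalike and the IP-literal link); a mail gateway would feed these into a score rather than block on any single one.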


Page 18: Phishing Attacks

What Banks are Doing to Protect from Phishing
Banks and their customers lose crores of rupees every year
They hire professional security agencies who constantly monitor the web for phishing sites
Regularly alert the users “to be alert” and not to fall prey
Use the best state-of-the-art security software and hardware
Whitelist and blacklist of phishing sites

Page 19: Phishing Attacks

Personal Level Protection
Email Protection
  Blocking dangerous email attachments
  Disable HTML capability in all emails
Awareness and education
Web browser toolbars
  Connect to a database of FQDN to IP address mappings of phishing sites
  I think Google Chrome does it automatically
Multifactor authentication
  Gmail has it now

Page 20: Phishing Attacks

Case Study 1: Phone Phishing Experiment
50 employees were contacted by female crooks
  Had a friendly conversation
  Managed to get e-banking passwords
Do not believe the statistics but believe the takeaway!
Source: Experimental Case Studies for Investigating E-Banking Phishing Intelligent Techniques and Attack Strategies

Page 21: Phishing Attacks

Money Laundering
Phishing allows you to make money
Many banks do not allow money transfer to foreign banks just like that
But how to stay undetected? Launder money
How to launder money
  Offer jobs to needy people
  Ask them to open accounts in the same bank
  Put money into their account
  Ask them to take a small commission and transfer the rest to their account in Nigeria

Page 22: Phishing Attacks

Distributed Phishing Attack
Till now we understood there is one collection center for data
What if the attacker raises multiple such sites and collects data?
  An extreme example: every user is redirected to a different site
An attacker can look for cheaper options for collecting such data
  Use malware to erect more such sites hidden in someone else's webpage
  Users with reliable connectivity who have popular software like games are targets