This document defines phishing as tricking individuals into providing private information like passwords or credit card numbers through fake websites or emails posing as legitimate companies. It discusses types of phishing like deceptive emails, malware-based attacks, and content injection. Phishing affects industries like financial services and online retailers. To combat phishing, the document recommends educating users, enforcing best security practices for applications, and using techniques like strong authentication, session management, and content validation.
3. Defination
Examples
Types of Phishing
Causes of Phishing
Effects of Phishing
Industries affected
Phishing Trends
How to combat phishing
Educate application users
Formulate and enforce Best practices
Reinforce application development / maintenance
processes:
Web page personalization
3
4. o Content Validation
o Session Handling
o Authentication process
o Transaction non-repudiation
o Image Regulation
Bibliogarphy
4
5. It is the act of tricking someone into giving
confidential information (like passwords and
credit card information) on a fake web page or
email form pretending to come from a legitimate
company (like their bank).
For example: Sending an e-mail to a user falsely claiming to be an
established legitimate enterprise in an attempt to scam the user
into surrendering private information that will be used for identity
theft.
5
7. Deceptive - Sending a deceptive email, in bulk, with a “call
to action” that demands the recipient click on a link.
7
8. Malware-Based - Running malicious software on the
user’s machine. Various forms of malware-based phishing are:
Key Loggers & Screen Loggers
Session Hijackers
Web Trojans
Data Theft
8
10. Content-Injection – Inserting malicious content into
legitimate site.
Three primary types of content-injection phishing:
Hackers can compromise a server through a security
vulnerability and replace or augment the legitimate
content with malicious content.
Malicious content can be inserted into a site through a
cross-site scripting vulnerability.
Malicious actions can be performed on a site through a
SQL injection vulnerability.
10
12. Search Engine Phishing - Create web pages for fake
products, get the pages indexed by search engines, and wait for
users to enter their confidential information as part of an order,
sign-up, or balance transfer.
12
13. Misleading e-mails
No check of source address
Vulnerability in browsers
No strong authentication at websites of banks and
financial institutions
Limited use of digital signatures
Non-availability of secure desktop tools
Lack of user awareness
Vulnerability in applications
13
14. Internet fraud
Identity theft
Financial loss to the original institutions
Difficulties in Law Enforcement Investigations
Erosion of Public Trust in the Internet.
14
17.
Educate application users
Think before you open
Never click on the links in an email , message boards or mailing
lists
Never submit credentials on forms embedded in emails
Inspect the address bar and SSL certificate
Never open suspicious emails
Ensure that the web browser has the latest security patch
applied
Install latest anti-virus packages
Destroy any hard copy of sensitive information
Verify the accounts and transactions regularly
Report the scam via phone or email.
17
18. Formulate and enforce Best practices
Authorization controls and access privileges for systems,
databases and applications.
Access to any information should be based on need-to-know
principle
Segregation of duties.
Media should be disposed only after erasing sensitive
information.
18
19. Reinforce application development / maintenance processes:
1. Web page personalization
Using two pages to authenticate the users.
Using Client-side persistent cookies.
19
20. 2. Content Validation
Never inherently trust the submitted data
Never present the submitted data back to an application user
without sanitizing the same
Always sanitize data before processing or storing
Check the HTTP referrer header
20
21. 3. Session Handling
Make session identifiers long, complicated and difficult to
guess.
Set expiry time limits for the SessionID’s and should be
checked for every client request.
Application should be capable of revoking active SessionID’s
and not recycle the same SessionID.
Any attempt the invalid SessionID should be redirected to the
login page.
Never accept session information within a URL.
Protect the session via SSL.
Session data should be submitted as a POST.
After authenticating, a new SessionID should be used (HTTP
& HTTPS).
Never let the users choose the SessionID.
21
22. 4. Authentication Process
Ensure that a 2-phase login process is in place
Personalize the content
Design a strong token-based authentication
22
25. Anti-Phishing Working Group (APWG)
The APWG has over 2300+ members from over 1500
companies & agencies worldwide. Member companies include
leading security companies such as Symantec, McAfee and
VeriSign. Financial Industry members include the ING
Group,VISA, Mastercard and the American Bankers Association.
25
26. It is better to be safer now than feel sorry later.
26
Examples of a “call to action” include: ! A statement that there is a problem with the recipient’s account at a financial institution or other business. The email asks the recipient to visit a web site to correct the problem, using a deceptive link in the email. ! A statement that the recipient’s account is at risk, and offering to enroll the recipient in an anti-fraud program. ! A fictitious invoice for merchandise, often offensive merchandise, that the recipient did not order, with a link to “cancel” the fake order. ! A fraudulent notice of an undesirable change made to the user’s account, with a link to “dispute” the unauthorized change. ! A claim that a new service is being rolled out at a financial institution, and offering the recipient, as a current member, a limited-time opportunity to get the service for free.
Key Loggers & Screen Loggers - Monitors data being input and sends relevant data to a phishing server Session Hijackers - Malicious software “hijacks” the session once the user has legitimately established his or her credentials. Web Trojans – Malicious programs that pop up to collect credentials. Host File Poisoning – Host file modification to refer to a malicious address. Data Theft – Stealing confidential information stored on the computer
Internet fraud - Phishers can run up charges on your account Identity theft – Can open new accounts, sign utility or loan contracts in your name or use a false ID and commit crimes using your personal information Loss to the original institutions- Approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD Difficulties in Law Enforcement Investigations . Unlike certain other types of identity theft that law enforcement agencies can successfully investigate in a single geographic area (e.g., theft of wallets, purses, or mail), phishing – like other types of crime that exploit the Internet -- can be conducted from any location where phishers can obtain Internet access. This can include situations in which a phisher in one country takes control of a computer in another country, then uses that computer to host his phishing website or send his phishing e-mails to residents of still other countries. Moreover, online criminal activity in recent years has often reflected clearcut divisions of labor.
ISPs-Internet service provide
Think twice before you open an email and never get carried away by the social engineering statements in the mail. Never click on links provided in an email, message boards or mailing lists Never submit sensitive information on forms embedded in emails Inspect the address bar and the SSL certificate to see if they match with the exact name of the site. Pay attention to SSL certificate warning prompts that appear when contacting a spoofed site. Make sure that you have the latest patched version of Web browser Install latest anti-virus packages, personal firewall and spyware / spam blockers Never open any suspicious email attachments Destroy all PIN / password letters and never write them down somewhere. Never disclose personal / sensitive information to anyone at any instant. Regularly log in to your accounts and check the activities In the event of a phishing attack, Provide a means for the user to report the scam via phone or email. Clearly instruct them about the procedure to follow to report the scam Instruct the user to reset his password / PIN immediately.
Web page personalization – two ways to do it. Web sites can use two page to authenticate the users. The first page asks the user to provide only the user name. Upon receiving a valid user name, the user is given a personalized page for entering his authentication token. The second page is personalized with last login details or based on some user provided phrase or a user chose image. This will make it difficult for a fake site to provide the second page. (For static authentication tokens like password) Client-side persistent cookies can be user. On first login, a cookie will be generated with a simple personal string such as first name. Next time, the app greets ther user with this string bfore he logs in. But the succes of this option depends a lot on the alertness of the end user.
Never inherent trust the submitted data Always sanitize date before processing or storing Check the HTTP referrer header – when tricked customers are directed from the phishing site to the targeted website, there is the option to check the referrer hearder in the requests to the targeted website and act on it by for example redirecting the tricked customer to the warning page.
Design a strong token-based authentication – Hardware tokens & Smart cards Things to have in mind – randomness of the one-time password, Expiry time of the one-time password Length Quality of challenge in a challenge and response based authentication
Transaction non-repudiation can be implemented through electronic signatures, either digital signatures or MAC. To ensure authenticity and integrity of the transaction so as to ensure the origin of the transaction and identifying whether the message content has been altered during transit. A transaction signature is a one-way value that uses aspects of the customer’s key, transaction content date and time. This signature is then validated using the appropriate scheme. MACS are supported by the challenge and response functionality of the hardware tokens.
Depending on whether a phisher has mirrored the entire website or is just hosting a modified HTML page, it may be possible to identify the source of the attack. Image Cycling – Each legitimate application page references its constituent graphical images by a unique name. Periodically, the names of the images are changed and the requesting page must reference these new image names. Therefore, any out-of-date static copies of the page will become dated quickly. If an out-of-date image is requested, a different image is supplied – perhaps recommending that the customer login again to the real site – (e.g. “Warning Image Expired”). Session-bound images – it is possible to reference all images with a name that includes the user’s current sessionID. Therefore, once a fake website has been discovered, the logs can be reviewed and analyzed in order to discover the originating source of the copied website.