Phishing, Spoofing,

Spamming and Security

How To Protect Yourself

Dr. Harold L. Bud Cothern

Additional Credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from AntiPhishing Workgroups Phishing Archive,Carnegie Mellon CyLab

Recognize Phishing Scams and Fraudulent E-mails

Phishing

is a type of deception designed to steal

your valuable personal data, such as credit card
numbers, passwords, account data, or other
information.
Con artists might send millions of fraudulent e-mail
messages that appear to come from Web sites you
trust, like your bank or credit card company, and
request that you provide personal information.

History of Phishing

Phreaking + Fishing = Phishing

Phreaking = making phone calls for free back in 70s
Fishing = Use bait to lure the target

Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: Similar names ( www.ao1.com for www.aol.com ), social
engineering

Phishing in 2001
Target: Ebayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: Same in 1995, keylogger
Phishing in 2007
Target: Paypal, banks, ebay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation

A bad day phishin, beats a good day workin

2,000,000 emails are sent

5% get to the end user 100,000 (APWG)
5% click on the phishing link 5,000 (APWG)
2% enter data into the phishing site 100 (Gartner)
$1,200 from each person who enters data (FTC)
Potential reward: $120,000

In2005DavidLevimadeover$360,000from160
peopleusinganeBayPhishingscam

Phishing: A Growing Problem

Over 28,000 unique phishing attacks reported in Dec.

2006, about double the number from 2005
Estimates suggest phishing affected 2 million US
citizens and cost businesses billions of dollars in
2005
Additional losses due to consumer fears

What Does a Phishing Scam Look Like?

As scam artists become more sophisticated, so

do their phishing e-mail messages and pop-up
windows.
They often include official-looking logos from real
organizations and other identifying information
taken directly from legitimate Web sites.

Current Phishing Techniques

Employ visual elements from target site
DNS Tricks:
www.ebay.com.kr
www.ebay.com@192.168.0.5
www.gooogle.com
Unicode attacks
JavaScript Attacks
Spoofed SSL lock
Certificates
Phishers can acquire certificates for domains
they own
Certificate authorities make mistakes

Spear-Phishing: Improved Target Selection

Socially aware attacks

Mine social relationships from public data

Phishing email appears to arrive from someone known to the victim

Use spoofed identity of trusted organization to gain trust
Urge victims to update or validate their account
Threaten to terminate the account if the victims not reply
Use gift or bonus as a bait
Security promises

Context-aware attacks
Your bid on eBay has won!
The books on your Amazon wish list are on sale!

Another Example:

But wait

WHOIS 210.104.211.21:
Location: Korea, Republic Of

Even bigger problem:

I dont have an account with US Bank!

How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for if you think an e-mail message is a
phishing scam.
"Verify your account."Businesses should not ask you to send
passwords, login names, Social Security numbers, or other personal
information through e-mail. If you receive an e-mail from anyone asking
you to update your credit card information, do not respond: this is a
phishing scam.
"If you don't respond within 48 hours, your account will be
closed."These messages convey a sense of urgency so that you'll
respond immediately without thinking.

How To Tell If An E-mail Message is Fraudulent (contd)

"Dear Valued Customer."Phishing e-mail messages are
usually sent out in bulk and often do not contain your first or
last name.
"Click the link below to gain access to your account."
HTML-formatted messages can contain links or forms that you
can fill out just as you'd fill out a form on a Web site. The links
that you are urged to click may contain all or part of a real
company's name and are usually "masked," meaning that the
link you see does not take you to that address but somewhere
different, usually a phony Web site.
Resting the mouse pointer on the link reveals the real Web
address. The string of cryptic numbers looks nothing like the
company's Web address, which is a suspicious sign.

How To Tell If An E-mail Message is Fraudulent (contd)

Con artists also use Uniform Resource Locators (URLs)

that resemble the name of a well-known company but are
slightly altered by adding, omitting, or transposing letters.
For example, the URL "www.microsoft.com" could appear
instead as:
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com

 Never respond to an email asking for personal information

Always check the site to see if it is secure. Call the phone
number if necessary
Never click on the link on the email. Retype the address in a
new window
Keep your browser updated
Keep antivirus definitions updated
Use a firewall
P.S: Always shred your home documents before discarding them.