2. • What is phishing?
• The statistics…
• How is it done?
• How to avoid?
The main objective of this seminar presentation
is to create awareness about phishing
Agenda
3. So…what is phishing?
• It is a crime, and it is committed by
fraudsters who can persuade victims to
respond to a “legitimate-looking” email or
click on a seemingly safe link.
• To do that, the attackers create emails to play
on human emotions, it is a con - it is a type
of deception.
http://www.livehacking.com/tag/phishing/
4. Although phishing is a modern crime for the
Internet age
the forces behind it;
manipulation, deceit and persuasion – are not.
We can relate these forces/tricks back to our epics…
and even children story tales!
5. Why phish, bad guy???
• It is designed to steal your valuable personal
data
– credit card numbers
– passwords
– account data
– other important personal information
6. Your data can be sold
for money!
The value of US credit cards are:
Visa: $2
MasterCard: $3
American Express: $5
Discover: $6
The value of UK credit cards are:
Visa: $4
MasterCard: $4
American Express: $6
Discover: $6
The value of EU credit cards are:
Visa: $6
MasterCard: $6
American Express: $8
Discover: $8
The value of Canadian credit cards are:
Visa: $3
MasterCard: $3
American Express: $6
Discover: $6
7. What is the value??
Rank Last Goods and
services
Current Previous Prices
1 2 Bank accounts 22% 21% $10-1000
2 1 Credit cards 13% 22% $0.40-$20
3 7 Full identity 9% 6% $1-15
4 N/R Online auction site
accounts
7% N/A $1-8
5 8 Scams 7% 6% $2.50/wk - $50/wk
(hosting); $25 design
6 4 Mailers 6% 8% $1-10
7 5 Email Addresses 5% 6% $0.83-$10/MB
8 3 Email Passwords 5% 8% $4-30
9 N/R Drop (request or
offer)
5% N/A 10-50% of drop amount
10 6 Proxies 5% 6% $1.50-$30
http://www.symantec.com/threatreport/topic.jsp?id=fraud_activity_trends&aid=underground_economy_servers
8. • Internet users are heavily relying on webmail and social
networking sites
– by using phishing attacks to obtain access to
Facebook or Gmail, successful attacks could open the
doors to many other avenues
– if an email account is hacked by information used
during a phishing attack then the attacker can reset
passwords for other important accounts too
Why is it easy to be done?
10. Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in 70’s
- Fishing = Use bait to lure the target
Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: Similar names ( www.ao1.com for
www.aol.com ), social engineering
The history
11. Phishing in 2001
Target: Ebayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: Same in 1995, keylogger
Phishing in 2007
Target: Paypal, banks, ebay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
The history (cont’d)
12. • 2,000,000 emails are sent
• 5% get to the end user – 100,000 (APWG)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site –100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000
A bad day phishin’, beats a good day workin’
In 2005 David Levi made over $360,000 from 160
people using an eBay Phishing scam
APWG: Anti-Phishing Working Group; FTC: Federal Trade Commission
13. • Led by two brothers – Guy Levi,
22, and the ringleader, David
Levi, 28
• Complaints were received from
eBay users who had paid for
laptops and Rolex watches that
never arrived
• Lett, the computer expert in the
gang used a software tool of
the spam trade called Atomic
Harvester to sweep the
internet, gathering around
6,000 email addresses. He
wrote to more than 2,000 of
these addresses, purporting to
be eBay.
The David Levi eBay Phishing Scam (2005)
14. The Levis and Lett wanted the usernames and passwords of
highly-rated eBay sellers. Anyone trading on eBay has a feedback
score and a percentage feedback rating. If a seller has positive
feedback rated at, say, 98%, a bidder will trust the seller to
deliver. So Lett hijacked such accounts. First he changed the
passwords, to lock out the real account holders; then he and the
Levis started selling.
Those who fell for their ads for high-value items like Sony Vaio
laptops and Rolex Daytona watches – using text and images lifted
from legitimate ads – would be contacted by email and
persuaded
to pay off-line.
Police located 160 people who paid money to David Levi’s gang;
there may have been others. The police had evidence of almost
£200,000 in criminal gains but they suspect that the total figure
was more than twice as much.Source: Out-Law Magazine Winter 2005 Issue 13
15. RSA’s figure on phishing attacks (Q1, 2012)
• The news is not good
• Attacks rose again (for the 4th
time)
• 19% increase compared to the second half of 2011
• The estimated worldwide financial losses – US$687
million
The Statistics
17. Canada’s economic health during that
period was good and this only shows that
fraudsters follow the money!!!
The Statistics
18. Google: Internet is a dangerous place
• June 2012 finding
– Google detects 9,500 new malicious
websites every day
– Some are innocent websites that have been
hacked to serve up malware
– Others are built specially for the purpose
of distributing malware
– Google displays over 300,000 download warnings
every day via its download protection service that
is built-in to Chrome.
19. • The number of phishing sites has peaked in
2012 with over 300,000 new phishing sites
found per month.
• Approximately 12-14 million Google Search
queries per day result in a web browser
showing a warning advising users not to visit
a currently compromised site.
Google: Internet is a dangerous place
20. A tank full of phish
http://www.phishtank.com/
26. Don't fall prey to online banking scams
The Star Online
Date: 19 February 2011
PETALING JAYA: Internet users must ensure they install all necessary updates and use a reputable anti-virus software so
they don't fall prey to online banking scams.
HSBC Bank Malaysia Berhad general manager for personal financial services, Lim Eng Seong, said the number of Malaysians
opting for online banking was increasing.
"Most banks offer safety advice on the login page of their e-banking websites to warn users about the existence of such
scams,"he said.
Whenever there is a report of a scam, the bank immediately contacts Cyber Security Malaysia's Computer Emergency
Response Team (CERT) to remove the phishing website.
"For phishing websites operating from outside the country, we seek the assistance of the country's local CERT team to shut
down the website,"he said.
Travel agent Safura Mokhtar, 41, recently became a victim of a phishing scam.
She lost RM4,600 but the local bank refused to offer her a refund although she was quick to report the incident.
She had received an e-mail, claiming to be from the bank, in November last year.
"The e-mail stated that I needed to log in immediately to update my contact information for security purposes,"said
Safura who unsuspectingly clicked on the link provided.
"I am new to online banking and I was not aware that such scams existed,"said Safura who later received a text
message from the bank informing her that money had been transferred out of her account.
She received a letter from the bank a week later informing her that they could not compensate her for her losses.
She was then referred to the Financial Mediation Bureau (FMB) which told her investigations would take up to six months.
"Cases of online banking scams in Malaysia have been increasing since the first such case was registered in 2005,"said FMB
CEO John Thomas.
Statistics from FMB showed that the number of cases had increased from only 46 in 2008 to 163 in 2010.
On the chances of victims getting their money back, Thomas said that of the 163 cases last year, only 51 victims managed to
get part or all of their money back.
A check with Bank Negara showed that as of December last year, there were 9.8 million e-banking account holders in the
country.
27. Travel agent Safura Mokhtar, 41, recently became a victim of a phishing scam. She lost
RM4,600 but the local bank refused to offer her a refund although she was
quick to report the incident. She had received an e-mail, claiming to be from the bank, in
November last year.
"The e-mail stated that I needed to log in immediately to update my contact
information for security purposes,"said Safura who unsuspectingly clicked on the link provided.
"I am new to online banking and I was not aware that such scams existed,"said Safura
who later received a text message from the bank informing her that money had been transferred out of
her account.
She received a letter from the bank a week later informing her that they could not
compensate her for her losses. She was then referred to the Financial Mediation Bureau
(FMB) which told her investigations would take up to six months. "Cases of online banking
scams in Malaysia have been increasing since the first such case was registered in
2005,"said FMB CEO John Thomas.
28.
29.
30. What Does a Phishing Scam Look Like?
As scam artists become more sophisticated, so do
their phishing e-mail messages and pop-up
windows
They often include official-looking logos from
real organizations and other identifying information
taken directly from legitimate Web sites
35. A good phish targets weaknesses and lapses in human nature. For example,
we often click “OK” without reading a warning.
A phish needs YOUR HELP in order to succeed.
Phishing is often conducted by organized crime.
Phishing groups are dynamic and can be in any country. They often use
people in multiple countries simultaneously.
Credit and debit card users are the primary targets of phishers right now
(going for fast cash).
Phishing can come in more than one form: email, instant messages, pop-up,
online postings, and telephone.
Phishing Quick Facts
https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts
36. A phish NEVER includes a real email address for the phisher, so it
is pointless to reply to one.
A phish has a hook (Trust us. Here’s why.), a required action
(Here’s what we want you to do.), and a push (Hurry, act now!).
Most servers that host phish sites are legitimate servers that
have been compromised. Phishers must use the site’s URL or IP
address in the phish. Some servers that host phish sites are
fraudulently registered. Phishers can use any URL and try to
make it similar to the victim site.
https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts
Phishing Quick Facts
37. • Social-aware attacks
Mine social relationships from public data
Phishing email appears to arrive from someone known to
the victim
Use spoofed identity of trusted organization to gain trust
Urge victims to update or validate their account
Threaten to terminate the account if the victims not reply
Use gift or bonus as a bait
Security promises
• Context-aware attacks
“Your bid on eBay has won!”
“The books on your Amazon wish list are on sale!”
Spear-Phishing:
Improved Target Selection
38. • Employ visual elements from target site
• DNS Tricks:
–www.ebay.com.kr
–www.ebay.com@192.168.0.5
–www.gooogle.com
• Certificates
–Phishers can acquire certificates for domains they own
–Certificate authorities make mistakes
Phishing Techniques
39. How is it done? Some live examples…
Cloning a Website
•Manually create a website with logos and themes of the
legitimate website
•Automatically create website using tools – i.e BackTrack Social
Engineering tools
Live Demo
40. How is it done? Some live examples…
DNS tricks
– www.ebay.com.kr
– www.ebay.com@192.168.0.5
– www.gooogle.com
Anything between http:// and @ will be processed by the
browser as input for username and password. If the username
and password are not required, the browser discards those and
the page will appear as usual.
41. How is it done? Some live examples…
To access a website, we can use:
•Domain name (www.google.com.my)
•IP address (74.125.135.94)
•IP address decimal value (1249740638)
Now, I can use
http://www.cimbclicks.com.my@1249740638 to
provide a link which looks legit but actually diverting you
to another site.
42. How is it done? Some live examples…
Text and Link
•Click here to CIMBClicks’ site
•CIMBClicks
•http://www.cimbclicks.com.my
43. How is it done? Some live examples…
Spoof the email account
Email spoofing is the creation of email messages with a forged
sender address - something which is simple to do because the
core SMTP protocols do no authentication. It is commonly used in
spam and phishing emails to hide the origin of the email message
(Wikipedia)
•Eg. Deadfake (http://deadfake.com/Send.aspx)
44. How is it done? Some live examples…
Email Message
From: jayaseelan.vejayon@qiup.edu.my
Subject: URGENT: Change Your Password
Message
Dear Colleagues,
There is a security breach in our environment. Please change your
password immediately! Please click on the link below and follow
the instructions on the screen.
http://mail.quip.com.my
Failing to change your password by COB today will cause your
account to be suspended.
45. Here are a few phrases to look for
"Verify your account."Businesses should not ask you to send
passwords, login names, Social Security numbers, or other
personal information through e-mail. If you receive an e-mail
from anyone asking you to update your credit card information,
do not respond: this is a phishing scam.
"If you don't respond within 48 hours, your account will be
closed."These messages convey a sense of urgency so that you'll
respond immediately without thinking. Phishing e-mail might
even claim that your response is required because your account
might have been compromised.
How to tell if an e-mail message is fraudulent
46. "Dear Valued Customer."Phishing e-mail messages are usually
sent out in bulk and often do not contain your first or last name.
"Click the link below to gain access to your account."HTML-
formatted messages can contain links or forms that you can fill
out just as you'd fill out a form on a Web site. The links that you
are urged to click may contain all or part of a real company's
name and are usually “masked”, meaning that the link you see
does not take you to that address but somewhere different,
usually a phony Web site.
47. Con artists also use Uniform Resource Locators (URLs)
that resemble the name of a well-known company
but are slightly altered by adding, omitting, or
transposing letters.
For example, the URL "www.microsoft.com" could
appear instead as:
•www.micosoft.com
•www.mircosoft.com
•www.verify-microsoft.com
48. Never respond to an email asking for personal information
Always check the site to see if it is secure. Call the phone number if necessary
Never click on the link on the email. Retype the address in a new window
Keep your browser updated
Keep antivirus definitions updated
Use a firewall
Don’t ignore browser warnings. Since legitimate sites can be hacked and modified
to contain malware, don’t visit a website if a browser warning is shown, no
matter how well-known the website is to you.
P.S: Always shred your documents before discarding them.
How do I avoid from becoming a victim …
49. “It’s hard for criminals to duplicate my institution’s website,
so if it looks good, it must be the real site.”
The Truth: Many fake sites look identical to the original
site.
“If I see a lock anywhere on the page, I know it is a secure
website.”
The Truth: The lock or key that signifies a secure site must
appear on the body or chrome of the browser, not as a
picture on a webpage.
“I can tell by the poor grammar if it is a phish."
The Truth: Fake sites often have perfect grammar and
spelling.
Don’t fall for the Myths …
https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts
50. DontPhishMe is an initiative of MyCERT,
CyberSecurity Malaysia, to provide a security
mechanism in preventing online banking phishing
threat specifically for local Malaysian banks.
DontPhishMe is an addon to Firefox that alerts you if
an online banking web page that you visit appears to
be asking for your personal or financial information
under false pretenses. This type of attack, known as
phishing or spoofing, is becoming more
sophisticated, widespread and dangerous. That’s
why it’s important to browse safely with
DontPhishMe. DontPhishMe will automatically warn
you when you encounter a page that’s trying to trick
you into disclosing personal information.
Get this add-on for Mozilla Firefox and Google
Chrome.
51. Cyber999 Help Centre
Cyber999 is a service provided for
Internet users to report or escalate
computer security incidents.
Computer security incidents may be
reported to Cyber999 via the
following ways:
SMS:
CYBER999 REPORT <EMAIL> <COMPLAINT> to
15888
TELEPHONE:
Office Hours: 1-300-88-2999
24x7 (Emergency): +6019 - 266 5850
Calls to MyCERT and the Cyber999 Hotline are
monitored during the business hours
(9:00 AM – 6:00 PM)
WEB REPORTING:
http://www.mycert.org.my
EMAIL:
cyber999 [at] cybersecurity.my
52. Thank You
Jayaseelan Vejayon
Assistant Director & Head
Information & Communications Technology Division
Quest International University Perak
jayaseelan.vejayon@qiup.edu.my
http://jayitsecurity.blogspot.com
Don’t be a phishing victim…it is NO “PHUN”
Think before your click!
Notas do Editor
- Social engineering is understood as the art of manipulating people into performing actions to reveal their confidential information