PHISHING TECHNIQUE IN E-MAIL
ABSTRACT: Phishing is a scam that attempts to entice e-mail recipients into clicking on a link that takes them to a bogus website. The first half of this paper covers the history of phishing, its growth into a 21st-century scam and the attack vectors in use. The second half covers anti-phishing measures, how to recognise a phishing message, what you can do about it, and finally the conclusions.

INTRODUCTION: WHAT IS PHISHING?
Phishing is a scam that attempts to entice e-mail recipients into clicking on a link that takes them to a bogus website. The website may prompt the recipient to provide personal information such as a Social Security number, bank account number or credit card number, and/or it may download malicious software onto the recipient's computer. Both the link and the website may appear authentic; however, they are not legitimate.

HOW DOES IT WORK?
Phishing scams try to bait the recipient in a number of ways, and the types of messages used are expanding almost every day, so it is important to be cautious of all communications you receive. In a typical attack on an organisation, an employee receives a message containing a link; when the employee clicks on it, malware is downloaded to the employee's computer. The attacker may be targeting specific employee information, such as user names and passwords, or proprietary organisational information.

1. A 21st CENTURY SCAM:
A phishing attack today targets audiences ranging from mass mailings to millions of e-mail addresses around the world, through to highly targeted groups of customers enumerated through security faults in small clicks-and-mortar retail websites. Phishers can easily fool customers into submitting personal, financial and password data. While spam was (and continues to be) annoying, distracting and burdensome to its recipients, phishing has already shown the potential to inflict serious losses of data and direct financial losses through fraudulent currency transfers.

[Figure: "Recent phishing attempts", a chart showing the increase in phishing reports from October 2004 to June 2005. Phishers are targeting the customers of banks and online payment services.]
2. PHISHING HISTORY:
The word "phishing" comes from the analogy that early Internet criminals used e-mail lures to "fish" for passwords and financial data from the sea of Internet users. The origin of the "ph" is partly lost in the annals of time, but it is most likely linked to popular hacker naming conventions such as "phreaks", which traces back to the early hackers involved in "phreaking", the hacking of telephone systems. The term was coined in the 1996 timeframe by hackers who were stealing America Online (AOL) accounts by scamming passwords from unsuspecting AOL users. The first popularised mention of phishing on the Internet was made in the alt.2600 hacker newsgroup in January 1996, although the term may have been used even earlier in the popular hacker newsletter 2600. By 1996 hacked accounts were called "phish", and by 1997 phish were being actively traded between hackers as a form of electronic currency.

The term phishing now covers not only obtaining user account details but access to all personal and financial data. Because of the phishers' high success rate, an extension of the classic phishing scam now includes the use of fake job sites or job offers. Applicants are enticed with the notion of making a lot of money for very little work: creating a new bank account, taking the funds that are transferred into it (less their personal commission) and sending the rest on as an international money order, a classic money-laundering technique.

3. PHISHING ATTACK VECTORS:
For a phishing attack to be successful, it must use a number of methods to trick the customer into doing something with the attacker's server and/or the page content it supplies. There are an ever-increasing number of ways to do this. The most common methods include:
- Man-in-the-middle attacks
- URL obfuscation attacks
- Cross-site scripting attacks
- Preset session attacks
- Observing customer data
- Hidden attacks

3.1. Man-in-the-middle Attacks:
One of the most successful vectors for gaining control of customer information and resources is the man-in-the-middle attack. In this class of attack the attacker sits between the customer and the real web-based application and proxies all communications between the two systems. From this vantage point the attacker can observe and record every transaction. The attack works for both HTTP and HTTPS communications: the customer connects to the attacker's server as if it were the real site, while the attacker's server makes a simultaneous connection to the real site and proxies all communications between the customer and the real web-based application server, typically in real time. For HTTPS the customer's browser will warn about the certificate unless the attacker's server can present one that is valid for the host name the customer actually connected to, which is why this vector is normally combined with the redirection methods below rather than used against the real host name directly.
For man-in-the-middle attacks to be successful, the attacker must be able to direct the customer to the proxy server instead of the real server. This may be carried out through a number of methods:
- Transparent proxies
- DNS cache poisoning
- URL obfuscation
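URL obfuscation, listed above as one way of steering the customer to the attacker's server, is the subject of the next section, which names the usual tricks: bad (look-alike) domain names, "friendly login" URLs, third-party shortened URLs and host name obfuscation. The following Python is an added example, not code from the paper: it decodes where a hyperlink really goes and flags each of those tricks. The brand table, the shortener list and the sample links are constructed stand-ins for the allow-lists a real mail filter would maintain, and `registrable_domain` is a deliberate simplification that ignores the public suffix list.

```python
"""Decode the destination of a phishing link and flag URL obfuscation tricks.

Added example, not from the paper. The brand table and the shortener list are
constructed stand-ins for the allow-lists a real mail filter would maintain.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed: brand name the message claims to be from -> its real domain.
EXPECTED = {"examplebank": "examplebank.com"}
# Constructed sample of third-party URL shortener hosts (assumption).
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: a production check
    would consult the public suffix list so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decode_host_ip(host: str):
    """Return the dotted IPv4 address if the host is an IP literal written in
    dotted, hexadecimal, octal or plain decimal form (host name obfuscation),
    else None. Mixed forms such as 0xC0.168.0.1 are not handled."""
    try:
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            return str(ipaddress.IPv4Address(host))
        if re.fullmatch(r"0x[0-9a-f]+", host):
            return str(ipaddress.IPv4Address(int(host, 16)))
        if re.fullmatch(r"0[0-7]+", host):
            return str(ipaddress.IPv4Address(int(host, 8)))
        if re.fullmatch(r"\d+", host):
            return str(ipaddress.IPv4Address(int(host)))
    except ValueError:  # AddressValueError is a ValueError
        return None
    return None


def analyse_url(url: str) -> dict:
    """Return {'host': ..., 'ip': ..., 'flags': [...]} for one hyperlink."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []

    # Friendly login URL: http://www.examplebank.com@evil.example/ connects
    # to evil.example; everything before '@' is user-info, not the host.
    if parts.username is not None:
        flags.append("friendly-login-url")

    # Percent-encoding in the host part hides the real target from a reader.
    if "%" in parts.netloc:
        flags.append("encoded-host")

    ip = decode_host_ip(host)
    if ip is not None:
        flags.append("host-name-obfuscation")

    if registrable_domain(host) in SHORTENERS:
        flags.append("shortened-url")

    # Bad domain name: the brand appears in the host, but the registrable
    # domain is not the brand's real one (examplebank.com.evil.example,
    # examplebank-secure.com, ...).
    for brand, real in EXPECTED.items():
        if brand in host and registrable_domain(host) != real:
            flags.append("look-alike-domain")

    return {"host": host, "ip": ip, "flags": flags}


SAMPLES = [  # constructed links
    "http://www.examplebank.com/login",
    "http://www.examplebank.com@evil.example/login",
    "http://0xC0A80001/login",
    "http://030052000001/login",
    "http://3232235521/login",
    "http://www.examplebank.com.evil.example/login",
    "http://tinyurl.com/abc123",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = analyse_url(u)
        print(f"{u}\n  -> host={r['host']} ip={r['ip']} flags={r['flags']}")
```

The three numeric forms in the samples all decode to 192.168.0.1, which is the point of host name obfuscation: a reader cannot tell from the address bar where the request goes, but the browser can. A filter that only matched "192.168.0.1" as a string would miss all three.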
3.2. URL Obfuscation Attacks:
The secret of many phishing attacks is to get the message recipient to follow a hyperlink (URL) to the attacker's server without realising that they have been duped. Unfortunately, phishers have access to an increasingly large arsenal of methods for obfuscating the final destination of the customer's web request. The most common methods of URL obfuscation include:
- Bad domain names (registered look-alikes that contain or resemble the real brand name)
- Friendly login URLs (the real site's name placed in the user-info part before "@", so the browser connects to the host after it)
- Third-party shortened URLs
- Host name obfuscation (the host written as a decimal, hexadecimal or octal IP literal)
- URL obfuscation through character encoding

3.3. Preset Session Attacks:
Since both HTTP and HTTPS are stateless protocols, web-based applications must use custom methods of tracking users through their pages and of managing access to resources that require authentication. The most common way of managing state within such an application is through session identifiers (SessionIDs), which may be implemented through cookies, hidden fields or fields contained within page URLs. In a preset session attack the phishing message carries a link to the real application that already contains a SessionID chosen by the attacker; if the application accepts that identifier and binds the customer's authenticated session to it, the attacker can present the same SessionID and use the account once the customer has logged in.

3.5. Observing Customer Data:
An old favourite amongst the hacker community and increasingly popular amongst phishers, key-loggers and screen-grabbers can be used to observe confidential customer data as it is entered into a web-based application. The information is collected locally and typically retrieved by the attacker through one of the following methods:
- Continuous streaming of data (data is sent as soon as it is generated) using a custom sender/receiver pair. To do this the attacker must often keep a connection open to the customer's computer.
- Local collection and batching of information for upload to the attacker's server, through protocols such as FTP, HTTP or SMTP.
- Backdoor collection by the attacker: the observation software allows the attacker to connect remotely to the customer's machine and pull back the data as and when required.

3.6. Hidden Attacks:
Extending beyond the obfuscation techniques discussed earlier, an attacker may make use of HTML, DHTML and other scriptable code that is interpreted by the customer's web browser and used to manipulate the display of the rendered information. In many instances the attacker uses these techniques to disguise fake content as coming from the real site, whether through a man-in-the-middle attack or a fake copy of the site hosted on the attacker's own systems. The most common vectors include:
- Hidden frames
- Overriding page content
- Graphical substitution

3.6.1. Hidden Frames:
Frames are a popular method of hiding attack content due to their uniform browser support and easy coding style. Hidden frames may be used for:
- Hiding the source address of the attacker's content server. Only the URL of the master frameset document is visible in the browser interface unless the user follows a link whose target attribute is set to "_top". Page Properties will only indicate the top-most viewable page source in most browser software.
- Loading images and HTML content in the background for later use by a malicious application.

3.6.2. Overriding Page Content:
Several methods exist for phishers to override displayed content. One of the most popular ways of inserting fake content within a page is to use the DHTML DIV element. A DIV allows an attacker to place content into a virtual container that, when given an absolute position and size through the STYLE attribute, can be positioned to hide or replace (by sitting on top of) the underlying content. This malicious content may be delivered as a very long URL or by referencing a stored script.

3.6.3. Graphical Substitution:
A common method of overcoming the browser's visual security clues (address bar, status bar, padlock icon) is to use client-side scripting (such as JavaScript or VBScript) or Java applets to position specially created graphics over these key areas with fake information. It is important to note that phishing attacks in the past have combined graphical substitution with additional scripting code to fake other browser functionality. Examples include:
- Implementing right-click functionality and menu access
- Presenting false pop-up messages just as the real browser or web application would
- Displaying fake SSL certificate details, through the use of images, when the user reviews page properties or security settings

4. PHONE PHISHING:
Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts.[41] Once the phone number (owned by the phisher and provided by a Voice over IP service) was dialled, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organisation.

5. ANTI-PHISHING:
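The preset session attack of 3.3 is easiest to see against a concrete session store. The Python below is an added example, not code from the paper: a toy application whose login either keeps the SessionID the client arrived with (vulnerable) or throws it away and issues a fresh one on successful login (hardened), and a scenario function that plays the attacker's preset identifier through each. The application, its user table and the attacker-chosen SessionID are all constructed.

```python
"""Preset session (session fixation) attack against a toy session store,
with a login that is vulnerable to it next to one that is not.

Added example, not from the paper. The application, its user table and the
attacker-chosen SessionID are constructed.
"""
import secrets

USERS = {"alice": "correct horse battery"}  # constructed credential table


class SessionStore:
    """SessionID -> user name (None while the session is anonymous)."""

    def __init__(self):
        self.sessions = {}

    def begin(self, presented_sid):
        """Accept whatever SessionID the client presents (cookie, hidden
        field or URL parameter) and create an anonymous session for it if
        none exists. This acceptance is what a preset session attack needs;
        the difference between the two logins below is what happens next."""
        if not presented_sid:
            presented_sid = secrets.token_urlsafe(32)
        self.sessions.setdefault(presented_sid, None)
        return presented_sid

    def user_for(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, presented_sid, user, password):
    """Binds the login to the SessionID the client arrived with."""
    sid = store.begin(presented_sid)
    if USERS.get(user) == password:
        store.sessions[sid] = user
    return sid


def login_hardened(store, presented_sid, user, password):
    """Same credential check, but a successful login discards the presented
    SessionID and issues a fresh server-generated one, so a value the
    attacker chose never becomes an authenticated session."""
    sid = store.begin(presented_sid)
    if USERS.get(user) != password:
        return sid
    store.sessions.pop(sid, None)
    fresh = secrets.token_urlsafe(32)
    store.sessions[fresh] = user
    return fresh


def preset_session_attack(login):
    """Scenario: the phishing mail links to the *real* application with
    SessionID=attacker_sid. The victim follows the link, logs in, and the
    attacker then presents the same SessionID.

    Returns (user the attacker is treated as, whether the victim kept the
    preset SessionID)."""
    attacker_sid = "Attacker-Chosen-SessionID"  # constructed
    store = SessionStore()
    victim_sid = login(store, attacker_sid, "alice", "correct horse battery")
    return store.user_for(attacker_sid), victim_sid == attacker_sid


if __name__ == "__main__":
    print("vulnerable:", preset_session_attack(login_vulnerable))
    print("hardened:  ", preset_session_attack(login_hardened))
```

Against the vulnerable login the attacker's preset identifier is now Alice's authenticated session; against the hardened one it remains anonymous and the victim's browser carries a new identifier the attacker never saw. Web frameworks expose the same fix as a single call on login (for example `session_regenerate_id(true)` in PHP or `request.session.cycle_key()` in Django); the session cookie should also be re-issued at that point.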
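The hidden-attack constructs of 3.6 (frames the user cannot see, framesets that give a frame no space, and absolutely positioned DIV containers sitting on top of real content) are all visible in the page source, so a reviewer can look for them mechanically. The scanner below is an added example, not code from the paper: it walks a page with Python's standard HTML parser and reports each candidate. The sample page is constructed and deliberately mixes all three tricks; such a scanner surfaces candidates for review and cannot on its own distinguish a phishing overlay from a legitimate pop-up layer.

```python
"""Scan page HTML for the hidden-attack constructs described above: frames
sized or styled so the user cannot see them, framesets that give a frame no
space, and absolutely positioned DIV containers that can cover real content.

Added example, not from the paper. The sample page is constructed.
"""
import re
from html.parser import HTMLParser

ZERO_RE = re.compile(r"0+(px|%)?")


def parse_style(style):
    """'position:absolute; z-index: 10' -> {'position': 'absolute', 'z-index': '10'}"""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            out[name.strip().lower()] = value.strip().lower()
    return out


def is_zero(dim):
    """True for a width/height of 0, 0px or 0%."""
    return bool(dim) and ZERO_RE.fullmatch(dim.strip()) is not None


class HiddenContentScanner(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        style = parse_style(a.get("style", ""))
        if tag in ("frame", "iframe"):
            invisible = (is_zero(a.get("width")) or is_zero(a.get("height"))
                         or is_zero(style.get("width")) or is_zero(style.get("height"))
                         or style.get("display") == "none"
                         or style.get("visibility") == "hidden")
            if invisible:
                self.findings.append(("hidden-frame", a.get("src", "")))
        elif tag == "frameset":
            # rows="100%,*" (or cols) leaves no space for the other frame(s).
            for axis in ("rows", "cols"):
                sizes = [s.strip() for s in a.get(axis, "").split(",") if s.strip()]
                if len(sizes) > 1 and ("100%" in sizes or any(is_zero(s) for s in sizes)):
                    self.findings.append(("frameset-hides-frame", f"{axis}={a[axis]}"))
        elif tag == "div" and style.get("position") in ("absolute", "fixed"):
            # An absolutely positioned container can be placed over the
            # real form fields or the browser's own chrome imitations.
            self.findings.append(("overlay-div", style.get("z-index", "auto")))


def scan(html):
    """Return the list of (kind, detail) findings for one page."""
    scanner = HiddenContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page that mixes all three tricks (not valid HTML on purpose:
# a frameset and a body would not normally coexist).
SAMPLE_PAGE = """<html><head><title>Login</title></head>
<frameset rows="100%,*">
  <frame src="http://www.examplebank.com/login">
  <frame src="http://evil.example/collect">
</frameset>
<body>
<div style="position:absolute; top:0; left:0; z-index:10">Enter your PIN:</div>
<iframe src="http://evil.example/beacon" width="0" height="0"></iframe>
<iframe src="http://evil.example/stage" style="display:none"></iframe>
<p>Welcome to Example Bank.</p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE):
        print(f"{kind:22} {detail}")
```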
There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing.

5.1. Social responses:
One strategy for combating phishing is to train people to recognise phishing attempts and to deal with them. Education can be effective, especially where training provides direct feedback. People can also take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the e-mail apparently originates, using contact details obtained independently of the message, to check that the e-mail is legitimate.

5.2. Technical responses:
Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures. The following are some of the main approaches to the problem.

5.3. Augmenting password logins:
The Bank of America website is one of several that ask users to select a personal image and then display this user-selected image with any form that requests a password. Users of the bank's online services are instructed to enter a password only when they see the image they selected. However, a study suggests that few users actually refrain from entering their password when the image is absent.

5.4. Eliminating phishing mail:
Specialised spam filters can reduce the number of phishing e-mails that reach their addressees' inboxes. These approaches rely on machine learning and natural language processing to classify phishing e-mails.

5.5. Monitoring and takedown:
Several companies offer banks and other organisations likely to suffer from phishing scams round-the-clock services to monitor, analyse and assist in shutting down phishing websites.[85] Individuals can contribute by reporting phishing to both volunteer and industry groups,[86] such as PhishTank.

5.6. Legal responses:
In January 2007, Jeffrey Brett Goodin of California became the first defendant convicted by a jury under the provisions of the CAN-SPAM Act of 2003. He was found guilty of sending thousands of e-mails to America Online users while posing as AOL's billing department, prompting customers to submit personal and credit card information. Facing a possible 101 years in prison for the CAN-SPAM violation and ten other counts, including wire fraud, the unauthorised use of credit cards and the misuse of AOL's trademark, he was sentenced to serve 70 months. Goodin had been in custody since failing to appear for an earlier court hearing and began serving his prison term immediately.

6. HOW DO I KNOW IT'S A PHISHING SCAM?
If you receive an e-mail appearing to be from a legitimate business that asks you to submit personal information, it is most likely a scam. Legitimate businesses do not send e-mails requesting personal information.
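The classifiers mentioned in 5.4 work on features extracted from a message before any model is applied, and the features that matter most are the ones a careful reader would check by hand: who the mail really comes from, where replies go, and where its links really lead. The Python below is an added example, not code from the paper, showing that extraction stage with the standard library's `email` parser; a fixed rule ("two or more indicators") stands in for a trained model, and the two messages, the brand table and the threshold are constructed.

```python
"""Score an e-mail for phishing indicators from its headers and links.

Added example, not from the paper. It shows the kind of features a filter of
the sort described in 5.4 extracts before classifying; a fixed rule ("two or
more indicators") stands in for the trained model. The two messages, the
brand table and the threshold are constructed.
"""
import email
import re
from email import policy
from urllib.parse import urlsplit

BRANDS = {"examplebank": "examplebank.com"}   # constructed: brand -> real domain
URGENCY = ("verify your account", "suspended", "within 24 hours",
           "confirm your identity")
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def addr_domain(header_value):
    """'Example Bank <alerts@mail.example>' -> 'mail.example'"""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def phishing_features(raw):
    """Return the list of indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    feats = []
    sender = str(msg.get("From", ""))
    from_dom = addr_domain(sender)
    reply_dom = addr_domain(msg.get("Reply-To", ""))

    # Replies go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        feats.append("reply-to-mismatch")

    # Display name or address drops a brand name, but the sending domain
    # is not that brand's.
    for brand, real in BRANDS.items():
        if (brand in sender.lower() and from_dom != real
                and not from_dom.endswith("." + real)):
            feats.append("brand-impersonation")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(phrase in text.lower() for phrase in URGENCY):
        feats.append("urgency-language")

    for href, label in ANCHOR_RE.findall(text):
        target = host_of(href)
        if IPV4_RE.fullmatch(target):
            feats.append("ip-literal-link")
        # Link text that looks like a URL but points somewhere else.
        shown = TAG_RE.sub("", label).strip().lower()
        if "." in shown and " " not in shown:
            shown_host = host_of(shown if "://" in shown else "http://" + shown)
            if shown_host and shown_host != target:
                feats.append("link-text-mismatch")
    return feats


def is_phishing(raw, threshold=2):
    return len(phishing_features(raw)) >= threshold


PHISH = """\
From: Example Bank Security <alerts@examplebank-secure.net>
Reply-To: support@mailbox.example
To: victim@mail.example
Subject: Action required
Content-Type: text/html

<p>Your account has been suspended. Please verify your account within 24 hours.</p>
<p><a href="http://192.0.2.10/login">www.examplebank.com/login</a></p>
"""  # constructed phishing message

LEGIT = """\
From: Example Bank <alerts@examplebank.com>
To: customer@mail.example
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available.</p>
<p><a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a></p>
"""  # constructed legitimate message

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, is_phishing(raw), phishing_features(raw))
```

In a real filter these indicator names become the feature vector a model is trained on, together with token-level text features; the header and link checks are what keep a purely text-based classifier from being fooled by a well-written message.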
7. WHAT CAN I DO?
- Be cautious about all communications you receive. Think before you click. If the communication looks too good to be true, it probably is.
- If it appears to be a phishing communication, do not respond. Delete it. You can also forward it to the Federal Trade Commission at spam@uce.gov.
- Do not click on any link in the message, and do not open any attachments contained in suspicious e-mails.
- Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organisations don't ask for personal information via pop-up screens.
- Install a phishing filter on your e-mail application and on your web browser. These filters will not keep out all phishing messages, but they will reduce the number of phishing attempts that reach you.
- Ensure that your computer is up to date on all patches.
- Ensure that your antivirus program is installed and up to date.
- Look for unauthorised charges or withdrawals on your credit card and bank statements.
8. CONCLUSIONS:
Phishing started off as part of popular hacking culture. Now, as more organisations provide greater online access for their customers, professional criminals are successfully using phishing techniques to steal personal finances and conduct identity theft on a global scale. By understanding the tools and technologies phishers have in their arsenal, businesses and their customers can take a proactive stance in defending against future attacks. Organisations have within their grasp numerous techniques and processes that may be used to protect the trust and integrity of their customers' personal data. The points raised within this paper, and the solutions proposed, represent key steps in securing online services from fraudulent phishing attacks and also go a long way towards protecting against many other popular hacking or criminal attack vectors.

REFERENCES:
- Wikipedia, "Phishing"
- www.google.com
- www.yahoo.com