1 Getting A Hook On Phishing Laurie Werner Miami University Chuck Frank Northern Kentucky University.

2 What is Phishing?
Phishers go to a lot of trouble to catch phish, not for fun but for PROFIT.
They develop schemes to steal consumers' personal identity data and financial account credentials via
–Social Engineering
–Technical Subterfuge
–Hijacking of brand names

3 Social Engineering Schemes
Use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as
–credit card numbers
–account usernames and passwords
–social security numbers
Holes in Listservs can be used to transmit spoofed emails to thousands of users

4 Technical Subterfuge
Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.
Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

5 Hijacking Brand Names
Phishers use a familiar brand name to convince recipients to respond to fraudulent emails
Typical brands hijacked are
–banks
–e-retailers
–credit card companies

6 Phishing Trends
The average number of phishing sites is increasing monthly
The total number of brands hijacked increases monthly
–APWG reports 629 companies' brands have been hijacked to date
–http://www.millersmiles.co.uk/scams.php
The average time phishing websites live is decreasing
The number of brands hijacked in a given month is fairly constant

7 APWG Monthly Report posted October 18, 2007 (chart slide)

8 APWG Report Released March 2007 (chart slide)

9 APWG Report: January vs. July 2007

                                                  January   July
Number of unique phishing reports received        29930     23917
Number of unique phishing sites received          27221     30999
Number of brands hijacked by phishing campaigns   135       126
Average time online for site (days)               4         3.6
Longest time online for site (days)               30        31

10 Phishing Costs
Consumer Reports, August 2007, reported that 8% of households surveyed lost a median of $200 by purchasing items via phishing
In 2005, US consumers lost a billion dollars in phishing scams (InfoWorld)

11 Divergent Views of Phishing
Phishing is a security breach
–"Phishing involves an attacker, posing as bank, vendor, or other trusted source, who sends an email asking the recipient to 'confirm' personally identifying information by entering it on a website. This information is then used in identity theft." (Gross, 2007)
–Browsers, firewalls, tools should reliably detect and reject phishing
Phishing is simple to detect
–Despite research showing that users often have sophisticated strategies for protecting sensitive data, even the most sophisticated users rarely score perfectly on the Phishing IQ test

12 Phishing Frustrations
Users are often accused of being the weakest link in security, leaving system designers off the hook
It is left to users to verify the authenticity of a suspected phishing email or instant message
Tools exist to aid in the elimination of phishing emails, but many still find a way through
Fear of being phished hinders e-commerce growth

13 Phishing Preventions
Vendor side has been slow to protect users from scams
–Use of dynamic skins was presented in a paper in 2005
–Implemented by Bank of America in 2007
–Protects the bank rather than the customer
Sign-in Seals are beginning to appear
–Authenticate the site to the consumer
–Authenticating the consumer to the site has been done for a longer time

14 What does this mean to us as educators?
Our students are end users first, security specialists second
End users need help to identify security threats
Phishing awareness has positive benefits for computing majors and non-majors
In a literacy course, phishing awareness
–Provides a critical thinking exercise
–Provides a practical experience
In a major's course, phishing is part of security education

15 Why Introduce Phishing Awareness in the Lab?
Research indicates students retain more, and for longer, when they practice in a lab setting
Students liven up when they get to play a game
Students often find it entertaining to play "hacker" for "credit"

16 Phishing Lab Activities
Phishing IQ test
–http://www.sonicwall.com/phishing
Anti-Phishing Phil game
–http://www.cups.cs.cmu.edu/antiphishing_phil
Analyze a phishing scam
–http://www.millersmiles.co.uk
Spoofing email
–Use telnet to send an email on port 25
–May need to adapt your AV or firewall to allow telnet on port 25

17 Sonicwall IQ Phishing Facts
6.1 Billion - Number of phishing e-mails sent world-wide each month
$1,200 - Average loss to each person successfully phished (Federal Trade Commission)
15,451 - Number of unique phishing attacks in January 2006 (Anti-Phishing Working Group)
7,484 - Number of phishing Web sites found in January 2006 (Anti-Phishing Working Group)

18 Sonic Wall IQ test
Example of phish email explanation
–The SonicWALL Phishing IQ Test, Copyright 2006 SonicWALL Inc. All trademarks are property of their respective owners.

19 Anti-Phishing Phil
Figure 1: Anti-Phishing Phil game screen. Phil, the small fish near the top of the screen, is asked to examine the URL next to the worm he is about to eat and determine whether it is associated with a legitimate web site or a phishing site. Phil's father (lower right corner) offers some advice. The game is available at: http://cups.cs.cmu.edu/antiphishing_phil/
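The URL judgement the Phil game asks of the player, written out as an added example (this code is not from the slides or from the CMU game): a few indicators of the kind the game teaches, applied to constructed sample URLs. The brand table and the two-label registered-domain rule are simplifying assumptions of this example; a real check would use the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed brand table for the example: brand keyword -> its legitimate registered domain.
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "citibank": "citibank.com"}

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registered_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-label suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(url: str) -> list[str]:
    """Return the suspicious features of a URL; an empty list means none were found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        # http://www.paypal.com@evil.example/ -- the text before '@' is userinfo, not the host
        findings.append("userinfo before '@' hides the real host")
    if IPV4.fullmatch(host):
        findings.append("host is a raw IP address")
    elif host.count(".") >= 3:
        findings.append("unusually deep subdomain nesting")
    if parts.scheme != "https":
        findings.append("not HTTPS")
    reg = registered_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        # A brand name in the host or path is only reassuring when the registered domain matches it.
        if (brand in host or brand in parts.path.lower()) and reg != legit:
            findings.append(f"mentions {brand} but registered domain is {reg}")
    return findings


def is_suspicious(url: str) -> bool:
    return bool(phishing_indicators(url))


if __name__ == "__main__":
    # Constructed sample URLs in the spirit of the worms Phil is offered.
    for u in ("https://www.paypal.com/cgi-bin/webscr",
              "http://www.paypal.com@evil.example/login",
              "http://192.168.0.1/paypal/update.html",
              "https://secure-paypal.com.example.net/"):
        print(u, "->", phishing_indicators(u) or "no indicators")
```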

20 Spoof an email
1. Open a command shell: Start | Run, then cmd
2. Telnet to the mail server on port 25:
   C:> telnet mail.nku.edu 25
3. Identify yourself by saying HELO:
   HELO
4. Enter the spoofed sender and the recipient of the email. "partner" is your lab partner's email address; "you" is your email address.
   MAIL FROM: partner@nku.edu
   RCPT TO: you@nku.edu
5. Use the DATA command to send the message (the blank line after the Subject separates headers from body):
   DATA
   Subject: Test

   Write some message to you from your partner.
6. Enter a period on a separate line to send the email and QUIT to terminate telnet:
   .
   QUIT
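The receiving side of the spoofing lab, as an added example that is not part of the slides: a header check of the kind a mail filter, or a student examining the delivered message, can apply. The two raw messages are constructed here to resemble what mail.nku.edu would store after the telnet session (Return-Path holding the MAIL FROM address and one Received line stamped by the server); the IP addresses, example.net host and second message are assumptions of the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the lab's message as the receiving server would store it. The
# client typed only MAIL FROM, RCPT TO and a Subject line; Return-Path and Received
# are assumed server-added headers.
LAB_MESSAGE = """Return-Path: <partner@nku.edu>
Received: from unknown ([10.0.0.5]) by mail.nku.edu with SMTP; Thu, 18 Oct 2007 10:00:00 -0400
Subject: Test

Write some message to you from your partner.
"""

# Second constructed sample: a complete-looking message whose Reply-To redirects replies.
FORGED = """Return-Path: <partner@nku.edu>
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mail.nku.edu with ESMTP; Thu, 18 Oct 2007 10:05:00 -0400
From: NKU Help Desk <helpdesk@nku.edu>
Reply-To: helpdesk@nku-account-review.example
Date: Thu, 18 Oct 2007 10:05:00 -0400
Message-ID: <1234@mail.example.net>
Subject: Confirm your account

Please confirm your password.
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def spoof_indicators(raw: str) -> list[str]:
    """Return header-level signs that the displayed sender is not who sent the message."""
    msg = message_from_string(raw)
    env_from = parseaddr(msg.get("Return-Path", ""))[1]  # recorded from MAIL FROM
    hdr_from = parseaddr(msg.get("From", ""))[1]         # what the mail client displays
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    findings = []
    if not hdr_from:
        findings.append("no From: header; the client falls back to the envelope sender")
    elif domain_of(env_from) != domain_of(hdr_from):
        findings.append(f"envelope domain {domain_of(env_from)} differs from From domain {domain_of(hdr_from)}")
    if reply_to and domain_of(reply_to) != domain_of(hdr_from or env_from):
        findings.append(f"Reply-To sends replies to {domain_of(reply_to)}")
    for header in ("Date", "Message-ID"):
        if header not in msg:
            findings.append(f"missing {header} header, typical of a hand-typed SMTP session")
    received = msg.get_all("Received") or []  # last entry is the earliest hop
    if received and received[-1].strip().lower().startswith("from unknown"):
        findings.append("originating host has no reverse DNS name")
    return findings
```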

21 Phroogle Shopping
This lab illustrates a potential phishing manipulation of a shop-bot like Google Shopping, which used to be named Froogle, or Yahoo Shopping.
This lab is based on a case study found in Jakobsson and Myers' fake shopping phishing site named Phroogle.
Jakobsson, Markus and Myers, Stephen (2007), Phishing and Countermeasures, Wiley-Interscience, New Jersey.

22 Conclusion
Phishing is a serious security threat that deserves attention in both computing literacy and security curricula.
Anti-phishing is one aspect of security education.

23 Recommendation
Practice Security Daily
–intertwine security awareness throughout the computing curriculum
–use lab activities to influence student thinking about security
