1 Getting A Hook On Phishing. Laurie Werner, Miami University; Chuck Frank, Northern Kentucky University


2 What is Phishing? Phishers go to a lot of trouble to catch phish, not for fun but for PROFIT. They develop schemes to steal consumers' personal identity data and financial account credentials via
–Social Engineering
–Technical Subterfuge
–Hijacking of brand names

3 Social Engineering Schemes. Use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as
–credit card numbers
–account usernames and passwords
–social security numbers
Holes in listservs can be used to transmit spoofed e-mails to thousands of users

4 Technical Subterfuge. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

5 Hijacking Brand Names. Phishers use a familiar brand name to convince recipients to respond to the fraudulent e-mails. Typical brands hijacked are
–banks
–e-retailers
–credit card companies

6 Phishing Trends. The average number of phishing sites is increasing monthly. The total number of brands hijacked increases monthly
–APWG reports 629 companies’ brands have been hijacked to date
The average time phishing websites live is decreasing. The number of brands hijacked in a given month is fairly constant

APWG Monthly Report posted October 18,

APWG Report Released March

9 APWG Report, January vs. July 2007
Number of unique phishing reports received in January:
Number of unique phishing sites received in January:
Number of brands hijacked by phishing campaigns in January: 135
Average time online for site: 4 days
Longest time online for site: 30 days
Number of unique phishing reports received in July:
Number of unique phishing sites received in July:
Number of brands hijacked by phishing campaigns in July: 126
Average time online for site: 3.6 days
Longest time online for site: 31 days

10 Phishing Costs. Consumer Reports, August 2007, reported that 8% of households surveyed lost a median of $200 by purchasing items via phishing. In 2005, US consumers lost a billion dollars in phishing scams (InfoWorld)

11 Divergent Views of Phishing. Phishing is a security breach
–“Phishing involves an attacker, posing as bank, vendor, or other trusted source, who sends an e-mail asking the recipient to “confirm” personally identifying information by entering it on a website. This information is then used in identity theft.” (Gross, 2007)
–Browsers, firewalls, tools should reliably detect and reject phishing
Phishing is simple to detect
–Despite research showing that users often have sophisticated strategies for protecting sensitive data, even the most sophisticated users rarely score perfectly on the Phishing IQ test

12 Phishing Frustrations. Users are often accused of being the weakest link in security, leaving system designers off the hook. It is up to users to ensure the authenticity of the phishing e-mail or the instant message. Tools exist to aid in the elimination of phishing e-mails, but many still find a way through. Fear of being phished hinders e-commerce growth

13 Phishing Preventions. The vendor side has been slow to protect users from scams
–Use of dynamic skins was presented in a paper in 2005
–Implementation by Bank of America in 2007
–Protects the bank rather than the customer
Sign-in seals are beginning to appear
–Authenticate the site to the consumer
–Authenticating the consumer to the site has been done for a longer time

14 What does this mean to us as educators? Our students are end users first, security specialists second. End users need help to identify security threats. Phishing awareness has positive benefits for computing majors and non-majors. In a literacy course, phishing awareness
–Provides a critical thinking exercise
–Provides a practical experience
In a majors' course, phishing is part of security education

15 Why Introduce Phishing Awareness in the Lab? Research indicates students retain more, and for longer, when they practice in a lab setting. Students liven up when they get to play a game. Students often find it entertaining to play “hacker” for “credit”

16 Phishing Lab Activities
Phishing IQ test –
Anti-Phishing Phil game –
Analyze a phishing scam –
Spoofing
–Use telnet to send an e-mail on port 25
–May need to adapt your AV or firewall to allow telnet on port 25

17 SonicWALL IQ Phishing Facts
6.1 billion – number of phishing e-mails sent world-wide each month
$1,200 – average loss to each person successfully phished (Federal Trade Commission)
15,451 – number of unique phishing attacks in January 2006 (Anti-Phishing Working Group)
7,484 – number of phishing Web sites found in January 2006 (Anti-Phishing Working Group)

18 SonicWALL IQ test. Example of phish explanation – The SonicWALL Phishing IQ Test, Copyright 2006 SonicWALL Inc. All trademarks are property of their respective owners.

19 Anti-Phishing Phil. Figure 1: Anti-Phishing Phil game screen. Phil, the small fish near the top of the screen, is asked to examine the URL next to the worm he is about to eat and determine whether it is associated with a legitimate web site or a phishing site. Phil’s father (lower right corner) offers some advice. The game is available at:
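The kind of URL judgement Phil practises, written out as heuristics. This is an added example, not code from the game or the presentation; the brand domain and URLs it uses are illustrative placeholders, and the "last two labels" rule is a deliberate simplification.

```python
# URL cues in the spirit of Anti-Phishing Phil: given the URL a message points
# at and the brand's real domain, return the cues a user is taught to look for.
# Constructed example, not code from the game or the presentation; the brand
# and URLs below are illustrative placeholders.
import ipaddress
from urllib.parse import urlsplit


def judge_url(url, brand_domain):
    """Return a list of warning strings; an empty list means no cue fired."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    brand_domain = brand_domain.lower()
    brand_word = brand_domain.split(".")[0]          # e.g. 'examplebank'
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    # http://www.examplebank.com@evil.test/ : text before '@' is a username,
    # so the browser actually connects to evil.test.
    if parts.username is not None:
        warnings.append("user@host trick: the real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of the brand's domain")
        return warnings
    except ValueError:
        pass
    # Simplification: the last two labels identify the site owner (ignores
    # two-part suffixes such as co.uk). The brand name anywhere else in the
    # URL (brand.com.evil.test, secure-brand.test, /brand/ path) is a cue.
    registered = ".".join(host.split(".")[-2:])
    if registered != brand_domain:
        seen = ((parts.username or "") + host + parts.path + parts.query).lower()
        if brand_word in seen:
            warnings.append(f"brand '{brand_word}' appears but the site is {registered}")
        else:
            warnings.append(f"site {registered} is not {brand_domain}")
    return warnings
```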

20 Spoof an e-mail
1. Open a command shell: Start | Run, cmd
2. Telnet to the mail server on port 25: C:> telnet mail.nku.edu 25
3. Identify by saying HELO: HELO
4. Enter the spoofed sender and the recipient of the e-mail. “partner” is your lab partner’s address; “you” is your address. MAIL FROM: partner RCPT TO: you
5. Use the DATA command to send the message: DATA Subject: Test Write some message to you from your partner.
6. Enter a period on a separate line to send the e-mail and “QUIT” to terminate telnet: . QUIT
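The same exchange seen from the receiving server's side, as an added example (not code from the presentation): a toy SMTP state machine that answers each of the six steps and records what it actually learned. It makes the lab's point explicit: nothing in the protocol ties MAIL FROM to the connecting client, and the only check a plain receiver makes is the anti-relay rule. Host names and addresses are placeholders.

```python
# Receiver-side view of the slide-20 telnet exchange (constructed example, not
# code from the presentation): a toy SMTP state machine answering HELO / MAIL
# FROM / RCPT TO / DATA / . / QUIT. Addresses and host names are placeholders.
import re

class ToySmtpReceiver:
    """Hypothetical minimal receiver for one session (not RFC complete)."""
    def __init__(self, local_domain):
        self.local_domain = local_domain.lower()
        self.mail_from, self.rcpt_to, self.delivered = None, [], []
        self.data, self.in_data = [], False

    def handle(self, line):
        """Process one client line; return the reply ('' while inside DATA)."""
        if self.in_data:
            if line == ".":                      # lone period ends the body
                self.in_data = False
                self.delivered.append((self.mail_from, list(self.rcpt_to), "\n".join(self.data)))
                return "250 OK: queued"
            self.data.append(line)
            return ""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return f"250 {self.local_domain} Hello {arg.strip()}"
        if verb == "MAIL":
            # Taken on faith: nothing ties the envelope sender to the client.
            self.mail_from = re.sub(r"(?i)^FROM:\s*", "", arg).strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            rcpt = re.sub(r"(?i)^TO:\s*", "", arg).strip("<> ")
            # Anti-relay rule: unauthenticated clients may only reach local users.
            if not rcpt.lower().endswith("@" + self.local_domain):
                return "550 relaying denied"
            self.rcpt_to.append(rcpt)
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 unrecognized command"

def replay(lines, local_domain="lab.example"):
    """Feed a client script to a fresh receiver; return (replies, delivered)."""
    srv = ToySmtpReceiver(local_domain)
    replies = [srv.handle(line) for line in lines]
    return [r for r in replies if r], srv.delivered

# Constructed transcript mirroring the slide's six steps.
LAB_SCRIPT = ["HELO student-pc", "MAIL FROM: partner@lab.example",
              "RCPT TO: you@lab.example", "DATA", "Subject: Test", "",
              "A message that claims to come from your partner.", ".", "QUIT"]
```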

21 Phroogle Shopping. This lab illustrates a potential phishing manipulation of a shop-bot like Google Shopping, which used to be named Froogle, or Yahoo Shopping. This lab is based on a case study found in Jakobsson and Myers’ fake shopping phishing site named Phroogle. Jakobsson, Markus and Myers, Stephen (2007), Phishing and Countermeasures, Wiley-Interscience, New Jersey.

22 Conclusion. Phishing is a serious security threat that deserves attention in both the computing literacy and the security curriculum. Anti-phishing is one aspect of security education

23 Recommendation. Practice security daily
–intertwine security awareness throughout the computing curriculum
–use lab activities to influence student thinking about security