1. Phishing, Spoofing, Spamming and Security How To Protect Yourself Additional Credits: Dr. Harold Cothern, Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from Anti-Phishing Workgroup’s Phishing Archive,Carnegie Mellon CyLab

2. Agenda What is Phishing? History Current Phishing Techniques How to tell if any email or URL is fraudulent

3. From: Chase Online Sent: Mon, February 14, 2011 2:17:52 PM Subject: Account Maintenance Dear client, T his is your official notification that the service(s) listed below will be deactivated and deleted if your profile is not verified immediately. A recent Message was sent to you but there was no response, please do respond as soon as possible. As the Primary Contact, you must renew the service(s) listed below: SERVICE: Chase Online and Bill Pay services. EXPIRATION:February 18, 2011Chase Online Bill Pay What you need to do: 1. Log in to your account at www.Chase.com, by clicking the URL. 2. Enter your user ID and Password (that you selected during the online enrollment process). If you have not signed up for online access, you can enroll easily by clicking "Enroll" at the bottom of the Login page.www.Chase.com Sincerely, Carter Franke Chief Marketing Officer

4. What is Phishing? Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information. Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.

5. Phreaking + Fishing = Phishing -Phreaking = making phone calls for free back in 70’s -Fishing = Use bait to lure the target Phishing in 1995 Target: AOL users Purpose: getting account passwords for free time Threat level: low Techniques: Similar names ( www.ao1.com for www.aol.com ), socialwww.ao1.comwww.aol.com engineering Phishing in 2001 Target: Ebayers and major banks Purpose: getting credit card numbers, accounts Threat level: medium Techniques: Same in 1995, keylogger Phishing in 2007 Target: Paypal, banks, ebay Purpose: bank accounts Threat level: high Techniques: browser vulnerabilities, link obfuscation History of Phishing

6. 2,000,000 emails are sent 5% get to the end user – 100,000 (APWG) 5% click on the phishing link – 5,000 (APWG) 2% enter data into the phishing site – 100 (Gartner) $1,200 from each person who enters data (FTC) Potential reward: $120,000 A bad day phishin’, beats a good day workin’ In 2005 David Levi made over $360,000 from 160 people using an eBay Phishing scam

7. What Does a Phishing Scam Look Like? As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

8. Employ visual elements from target site DNS Tricks: –www.ebay.com.kr –www.ebay.com@192.168.0.5 –www.gooogle.com –Unicode attacks JavaScript Attacks –Spoofed SSL lock Certificates –Phishers can acquire certificates for domains they own –Certificate authorities make mistakes Current Phishing Techniques

9. Socially aware attacks Mine social relationships from public data Phishing email appears to arrive from someone known to the victim Use spoofed identity of trusted organization to gain trust Urge victims to update or validate their account Threaten to terminate the account if the victims not reply Use gift or bonus as a bait Security promises Context-aware attacks “Your bid on eBay has won!” “The books on your Amazon wish list are on sale!” Spear-Phishing: Improved Target Selection

10. Example

11. Here are a few phrases to look for if you think an e-mail message is a phishing scam. "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam. "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. How To Tell If An E-mail Message is Fraudulent

12. How To Tell If An E-mail Message is Fraudulent (cont’d) "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name. "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site. Resting the mouse pointer on the link reveals the real Web address. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

13. Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as: www.micosoft.com www.mircosoft.com www.verify-microsoft.com How To Tell If An E-mail Message is Fraudulent (cont’d)

14. Never respond to an email asking for personal information Always check the site to see if it is secure. Call the phone number if necessary Never click on the link on the email. Retype the address in a new window Keep your browser updated Keep antivirus definitions updated Use a firewall P.S: Always shred your home documents before discarding them.

15. Quiz (Find the correct paypal URL) http://pages.paypal.com/answercenter/ http://147.46.233.32/paypal/login/html http://paypal.paypaal.com/login/html www.paypalsecure.com

16. Quiz (Find the correct paypal URL) http://pages.paypal.com/answercenter/ http://147.46.233.32/paypal/login/html http://paypal.paypaal.com/login/html www.paypalsecure.com