1. Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie

2. Outline Phishing –Defined –How Phishing Works –Phishing Damage –What Phishing Looks Like –Prevention Pharming –How Pharming Works –Prevention

3. Phishing Defined “Phishing is a form of criminal activity using social engineering techniques, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message.” -Wikipedia

4. How Phishing Works “Legitimate” emails seem to originate from trusted sources – banks or online retailers Social engineering tactics convince the reader that their information is needed –Fear is the #1 tactic –Solicitation of help Links and email look very real –Account Update –http://www.ebay.com/myaccount/update.asp

5. How Phishing Works Techniques –Mispelled URLs (http://www.welllsfargo.com/account)http://www.welllsfargo.com/account –Spoofing URLs (http://www.google.com@members.tripod.com)http://www.google.com@members.tripod.com –Javascript –Cross Site Scripting –International Domain Names

6. How Phishing Works The Stolen Results –Voluntary! Remember you gave it to them. –Login Username Password –Update Information Social Security Number Address Bank Account Number Credit Card Number

7. Phishing Damage Monetary –May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million –U.S. companies lose more than $2 billion annually as their clients fall victim Identity –New Credit Cards, loans, apartments, bank accounts, etc.

8. Phishing Damage Courtesy of: The Anti-Phishing Working Group

9. Phishing Targets Courtesy of: The Anti-Phishing Working Group

10. Phishing Targets Users lack computer knowledge –Elderly Users lack security knowledge –Elderly –Teens –New Computer Users –Infrequent Computer Users

11. What Phishing Looks Like #1: The link that appears legitimate #2: The actual destination when you click on the link

12. Phishing Test Real! Real or Fake?

13. Phishing Test Fake! Real or Fake?

14. Phishing Test Fake! Real or Fake?

15. Phishing Test For the complete test go to: http://survey.mailfrontier.com/survey/qui ztest.html http://survey.mailfrontier.com/survey/qui ztest.html A similar test was conducted by Rachna Dhamija, J.D. Tygar, and Marti Hearst with 20 websites and emails -12 were fraudulent - 8 were legitimate

16. Phishing Test Results

17. How to Detect Phishing Software –Specialized “Anti- Phishing” Software –Spam filters –Challenge Questions –Firefox –Opera –IE 7

18. Prevention Education, education, education Look out for: –Misspelled words –“Dear Valued Customer” –Beware of the @ sign –Unusual company behavior Go to websites directly from browser

19. How to Detect Phishing Other Resources: –McAfee’s Whitepaper: “Anti-Phishing: Best Practices for Institutions and Consumers”McAfee’s Whitepaper: “Anti-Phishing: Best Practices for Institutions and Consumers” –Why Phishing Works – study by Dhamija, Tygar, and HearstWhy Phishing Works –The FTC “How Not to Get Hooked by a ‘ Phishing’ Scam“ websiteHow Not to Get Hooked by a ‘ Phishing’ Scam

20. Phishing’s Evil Cousin People are educating themselves and foiling many phishers –Leading many to develop more malicious tools Pharming Spam Viruses Password Stealing Software –Same end result, different method

21. How Pharming Works Email Viruses –Alters the computer’s host file DNS Poisoning –Nothing on your computer changes –The company’s website is “hijacked” –Google and Panix.com recent examples Detection is very difficult

22. Prevention Burden lies on businesses –Server-side scripts –Digital Certificates Browsers can help identify originating location –US customers would be wary of bank IP address from Russia

23. Conclusion Educate yourself! Keep web applications up-to-date –“Check for Updates” button Be cautious –If it seems suspicious, don’t take a chance