Presentation on theme: "Internet Phishing Not the kind of Fishing you are used to."— Presentation transcript:
Internet Phishing Not the kind of Fishing you are used to.
Phishing Definition A criminal activity using social engineering techniques (a collection of techniques used to manipulate people into performing actions or divulging confidential information). Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.
Phishing eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out by email or instant messaging, and often directs users to give details at a website, although phone contact has been used as well. E-mails supposedly from the Internal Revenue Service have also been used.
Phishing Social Networking sites are also a target of phishing, since the personal details in such sites can be used in identity theft. Experiments show a success rate of over 70% for phishing attacks on social networks. In late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details.
Phishing – Link Manipulation Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs (Uniform resource locator ) or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.Suntrust.com.bank.com/. Another common trick is to make the anchor text for a link appear to be a valid URL when the link actually goes to the phishers' site.
Phishing – Link Manipulation An old method of spoofing links used links containing the @ symbol, originally intended as a way to include a username and password in a web link. For example, the link http://email@example.com/ might deceive a casual observer into believing that the it will open a page on Google.com, whereas the link actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied.
Phishing – Website Forgery An attacker can even use a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.
Phone (Voice) Phishing Not all phishing attacks require a fake website. In an incident in 2006, messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP provider) was dialed, prompts told users to enter their account numbers and PIN. Voice phishing sometimes uses fake caller-ID data to give the appearance that the calls come from a trusted organization.
Phishing - How To Protect Yourself Users can take steps to avoid phishing attempts by slightly modifying their browsing habits. Users who are contacted about an account needing to be "verified" (or any other topic used by phishers) can contact the company that is the subject of the email to check that the email is legitimate, They can also type in a trusted web address for the company's website into the address bar of their browser to bypass the link in the suspected phishing message.
Phishing - How To Protect Yourself Nearly all legitimate email messages from companies to their customers will contain an item of information that is not readily available to phishers. Some companies, like PayPal, always address their customers by their username in emails, so if an email addresses a user in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. SPAM filters can also help by reducing the number of phishing emails that users receive in their inboxes.
Phishing - How To Protect Yourself Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures. For example, some anti-phishing toolbars display the real domain name for the visited website. The petname extension for Firefox lets users type in their own labels for websites, so they can later recognize when they are back at the correct site. If the site is a suspect, then the software may either warn the user or block the site outright. Internet Explorer Version 7 is intended to defend users from phishing as well as deceptive or malicious software, and it also features full user control of ActiveX and better security framework.
Phishing Example In this example, targeted at South Trust Bank users, the phisher has used an image to make it harder for anti-phishing filters to detect by scanning for text commonly used in phishing emails.
Phishing Example In this example, spelling mistakes in the email and the presence of an IP Address in the link (visible in the tooltip under the yellow box) are both clues that this is a phishing attempt. Another giveaway is the lack of a personal greeting, although the presence of personal details is not a guarantee of legitimacy.
Thank You for your Attention All information in this presentation derived from Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Phishing Stay Alert. Be Safe.