
Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.



Presentation on theme: "Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360."— Presentation transcript:

1 Web Spoofing
Steve Newell, Mike Falcon
Computer Security, CIS 4360

2 Introduction
"Phishing" is a form of identity theft in which deception is used to trick a user into revealing confidential information that has economic value.

3 Introduction: Definition
Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers into believing that the website has been created by a different person or organization. Web spoofing is a phishing scheme.

4 Statistic
The Gartner Group estimates the direct phishing-related loss to US banks and credit card issuers in the last year to be $1.2 billion. Indirect losses are much higher, including customer service expenses and account replacement costs.

5 Chart

6 Phishing Technologies
The goal of phishing is to deceive the user in the following ways:
- Deceiving a user into believing a message comes from a trusted source.
- Deceiving a user into believing that a web site is a trusted institution.
- Deceiving a spam filter into classifying a phishing email as legitimate.

7 Deception
- Deceptive return address information: attempts to appear as a trusted source.
- Fraudulent request for action: prompts the user to provide information.
- Deceptive appearance: mimics the visual appearance of the target site.

8 Deceptive Links
- Misleadingly named: a link that reads http://security.commerceflow.com will actually lead to http://phisher.com
- Redirected: if the targeted company has an "open redirect", it can be used to redirect a legitimate URL to a phishing site.

9 Deceptive Links
- Obfuscated: using encoded characters to hide the destination address of a link, e.g. "&#97;&#98;&#99;" = "abc".
- Programmatically obscured: using a scripting language such as JavaScript to hide the destination of a link, for example via the mouse-over function.
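The three link tricks on these two slides (misleading visible text, open redirects, entity-encoded destinations) can all be checked mechanically before a user is shown the link. The following is an added example, not code from the presentation: it scans the anchors in an HTML e-mail body, decodes any character references in the href, compares the domain the visible text names with the domain the link actually goes to, and looks for redirect-style query parameters that point off-site. The sample e-mail body is constructed; security.commerceflow.com and phisher.com are the hostnames used on the slide, and the list of redirect parameter names is an assumption.

```python
"""Defender-side check for deceptive links in HTML e-mail (added example)."""
import html
import re
from urllib.parse import parse_qs, urlparse

# Anchor tags with an href and their inner HTML (crude, but adequate for e-mail bodies).
ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
# Query parameter names commonly used by redirect endpoints (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "next", "goto", "target", "return"}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels of a hostname; a real tool would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_open_redirect(url):
    """Return an external URL carried in a redirect-style query parameter, if any."""
    for name, values in parse_qs(urlparse(url).query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            if (urlparse(value).scheme in ("http", "https")
                    and registrable(host_of(value)) != registrable(host_of(url))):
                return value
    return None


def analyze_links(html_body):
    """Return [(decoded_href, [reasons])]; an empty reason list means the link looked fine."""
    findings = []
    for raw_href, inner in ANCHOR_RE.findall(html_body):
        href = html.unescape(raw_href)                    # undo &#112;-style encoding
        text = html.unescape(TAG_RE.sub("", inner)).strip()
        dest = host_of(href)
        reasons = []
        # &amp; is normal HTML; anything else encoded in an href is worth a look.
        if href != raw_href.replace("&amp;", "&"):
            reasons.append("destination written with encoded characters")
        shown = host_of(text) if "://" in text else text.lower()
        if DOMAIN_RE.fullmatch(shown) and registrable(shown) != registrable(dest):
            reasons.append(f"visible text names {shown} but link goes to {dest}")
        external = find_open_redirect(href)
        if external:
            reasons.append(f"{dest} would redirect to {host_of(external)}")
        findings.append((href, reasons))
    return findings


# Constructed sample: one e-mail body exercising each trick plus one honest link.
SAMPLE_EMAIL = """
<p>Please confirm your details:</p>
<a href="http://phisher.com/login">http://security.commerceflow.com</a><br>
<a href="http://commerceflow.com/redirect?url=http://phisher.com/x">Sign in</a><br>
<a href="http://&#112;&#104;&#105;&#115;&#104;&#101;&#114;&#46;&#99;&#111;&#109;/">Account update</a><br>
<a href="https://www.commerceflow.com/">www.commerceflow.com</a>
"""

if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons) or "ok")
```

The decoded href, not the raw one, is what a "warn the user" prompt should display, since the whole point of the encoding is that the raw form hides the destination.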

10 Deceptive Location
It is not possible to determine whether a connection to a site is secure just by looking at the lock icon in a browser:
- A lock icon by itself means only that the site has a certificate.
- It is possible to get a browser to display a lock icon using a self-signed certificate.
- A lock icon may be overlaid on top of the browser using the same technologies used to fake the URL bar.

11 Information Flow Model

12 Information Flow Model
1. A deceptive message is sent from the phisher to the user.
2. The user provides confidential information to a phishing server (normally after some interaction with the server).
3. The phisher obtains the confidential information from the server.
4. The confidential information is used to impersonate the user.
5. The phisher obtains illicit monetary gain.

13 Prevention
Preventing phishing attacks:
- The average phishing site stays active no more than 54 hours.
- Pre-emptive domain registration.
- A "holding period" for new domain registrations.
- E-mail authentication could prevent forged or misleading email return addresses.
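To show what the e-mail authentication item buys a receiver, here is an added example (not code from the presentation) of the check a mail client or filter can run once the receiving server has recorded SPF and DKIM results in an Authentication-Results header (the header format of RFC 8601). It applies a DMARC-style alignment rule: the message passes only if SPF or DKIM passed for a domain that shares its organizational domain with the From address the user sees. Both sample messages are constructed and reuse the hostnames from the slides.

```python
"""Check that an e-mail's authenticated sender aligns with its From header (added example)."""
import email
import re
from email.utils import parseaddr


def org_domain(domain):
    """Last two labels; a real implementation would use the public suffix list."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def parse_auth_results(header):
    """Map method -> (result, authenticated domain) from an Authentication-Results header."""
    results = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        # SPF reports the envelope sender (smtp.mailfrom), DKIM the signing domain (header.d).
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", clause)
        results[m.group(1)] = (m.group(2).lower(), dom.group(1).lower() if dom else None)
    return results


def check_sender_alignment(raw_message):
    """Return ("pass"|"fail", detail). Pass needs SPF or DKIM to pass for a domain
    that shares its organizational domain with the From header."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = org_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    for method, (result, domain) in results.items():
        if result == "pass" and domain and org_domain(domain) == from_domain:
            return "pass", f"{method} passed for {domain}, aligned with From domain {from_domain}"
    return "fail", f"no aligned pass for From domain {from_domain or '(missing)'}; results={results}"


# Constructed sample 1: From claims commerceflow.com, but SPF passed only for the
# phisher's own envelope domain, so the visible sender is forged.
FORGED_FROM = """\
Return-Path: <bounce@phisher.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@phisher.com; dkim=none
From: "Commerceflow Security" <security@commerceflow.com>
To: user@example.net
Subject: Please verify your account

Click the link to verify your account.
"""

# Constructed sample 2: SPF and DKIM both pass for the same organizational domain as From.
ALIGNED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=commerceflow.com; dkim=pass header.d=mail.commerceflow.com
From: "Commerceflow Security" <security@commerceflow.com>
To: user@example.net
Subject: Your monthly statement

Your statement is ready.
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED_FROM), ("aligned", ALIGNED)):
        print(name, *check_sender_alignment(raw))
```

Note that SPF passing by itself is not enough: in the forged sample SPF genuinely passes, just for a domain the user never sees, which is exactly why the alignment step is needed.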

14 Defenses Against Early User Actions
- Open information: allow different spam filters, e-mail clients, and browsers to exchange information about unsafe domains.
- Warn the user: alert the user when they attempt to click on an obfuscated link. Show the user the actual link, whether the site is trusted or not, and prompt the user whether or not they wish to continue with the link.

15 Defenses: Disrupting Data Transmission
- Monitor outgoing data: implement a browser toolbar that hashes information and checks whether confidential information is being sent.
- Blacklisting: block IP ranges of known phishing sites.
- Encryption: encrypt sensitive information before transmission.
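The "monitor outgoing data" idea can be made concrete with a small model of such a toolbar. This is an added example, not code from the presentation: the monitor never stores the user's secrets in the clear, only keyed hashes of them together with the site each one belongs to, and it raises an alert when a form field carrying one of those secrets is about to be posted to a different domain. The secrets, sites and form posts below are constructed; phisher.com and commerceflow.com are the hostnames from the slides.

```python
"""Hash-based monitor for confidential data leaving the browser (added example)."""
import hashlib
import hmac
import os
from urllib.parse import urlparse


def registrable(host):
    """Last two labels; a real tool would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class OutgoingDataMonitor:
    def __init__(self, key=None):
        # Random key so the stored fingerprints are useless on their own if the store leaks.
        self._key = key or os.urandom(32)
        self._fingerprints = {}          # fingerprint -> (label, domain allowed to receive it)

    def _fingerprint(self, value):
        return hmac.new(self._key, value.strip().encode("utf-8"), hashlib.sha256).hexdigest()

    def register(self, label, secret, owner_site):
        """Remember that `secret` (e.g. a bank password) belongs to `owner_site` only.
        The plaintext is not kept anywhere in this object."""
        self._fingerprints[self._fingerprint(secret)] = (label, registrable(owner_site))

    def inspect(self, url, form_fields):
        """Return alerts for registered secrets about to leave for a foreign domain."""
        destination = registrable(urlparse(url).hostname or "")
        alerts = []
        for field, value in form_fields.items():
            hit = self._fingerprints.get(self._fingerprint(value))
            if hit and hit[1] != destination:
                label, owner = hit
                alerts.append(f"{label} (form field '{field}') is being sent to {destination}, "
                              f"but belongs to {owner}")
        return alerts


def demo():
    """Constructed scenario: a phishing page, the real site, and a post without secrets."""
    monitor = OutgoingDataMonitor()
    monitor.register("bank password", "correct horse battery", "www.commerceflow.com")
    monitor.register("card number", "0000111122223333", "www.commerceflow.com")
    return [
        monitor.inspect("http://phisher.com/login",
                        {"user": "alice", "pass": "correct horse battery"}),
        monitor.inspect("https://www.commerceflow.com/login",
                        {"user": "alice", "pass": "correct horse battery"}),
        monitor.inspect("http://phisher.com/login",
                        {"user": "alice", "pass": "something else"}),
    ]


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or "no registered secrets in this post")
```

Hashing only detects exact matches, so a monitor like this should normalise values (whitespace, case where appropriate) before fingerprinting, and it cannot catch a secret the user retypes with a change; it complements, rather than replaces, the blacklisting and link checks on the other slides.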

16 Defenses: Advanced Authentication
- Two-factor authentication: require proof of two out of three criteria (what you are, what you have, or what you know).
- Requires some sort of hardware or time-sensitive information.
- Use a checksum to verify that the information came from the user's machine and not a phisher.

17 Cross-site Scripting
Cross-site scripting is inserting a malicious script inside a secure domain.
- A phisher could insert a malicious script inside an auction or a product review to attack the user.
- The script would modify the host site so that the user believes he/she is interacting with the secure site.
- It is difficult to write a sufficient filter to remove cross-site scripting: how do you know if a script is malicious?
- Cross-site scripting could be hindered by introducing a tag on user-supplied content.
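The product-review case above is easiest to see side by side: the same review rendered by a function that drops user input straight into the page, and by one that encodes it. This is an added example, not code from the presentation. Rather than trying to decide whether a script is malicious (the filtering problem the slide points out), the hardened version treats every user-supplied value as text, so no script in it runs at all. The review text is constructed and uses a harmless script that only shows that active content would execute; the data-user-content attribute is an assumed form of the "tag on user-supplied content" the slide mentions, since the slide names no attribute.

```python
"""Vulnerable and hardened rendering of user-supplied review content (added example)."""
import html
import re


def render_review_vulnerable(author, body):
    # User input is dropped straight into the page; any <script> in it becomes part
    # of the trusted site and runs with that site's privileges.
    return f'<div class="review"><b>{author}</b><p>{body}</p></div>'


def render_review_hardened(author, body):
    # Every user-supplied value is entity-encoded, so the browser treats it as text.
    # The data-user-content marker labels the block as untrusted content (assumed form).
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return (f'<div class="review" data-user-content="true">'
            f'<b>{safe_author}</b><p>{safe_body}</p></div>')


SCRIPT_TAG_RE = re.compile(r"<script\b", re.I)


def contains_active_script(rendered_html):
    """True if the rendered page contains a real <script> element (not an encoded one)."""
    return SCRIPT_TAG_RE.search(rendered_html) is not None


# Constructed hostile review: the text looks like a normal comment but carries a script.
HOSTILE_AUTHOR = "mallory"
HOSTILE_BODY = "Great product!<script>alert('review')</script>"

if __name__ == "__main__":
    for render in (render_review_vulnerable, render_review_hardened):
        out = render(HOSTILE_AUTHOR, HOSTILE_BODY)
        verdict = "script would execute" if contains_active_script(out) else "inert text"
        print(f"{render.__name__}: {verdict}\n  {out}")
```

Output encoding is context-specific: html.escape is right for element text and quoted attribute values, but content placed inside a script block, a URL or a CSS rule needs the encoding for that context instead.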

18 Examples
- Example 1: http://www.msfirefox.com/ and http://www.msfirefox.net/
- Example 2: Florida Commerce Credit Union
- Example 3: Thomas Scott's parody
Unofficial site / Official site

19 Leading Nations

20 Conclusion
Current technology is unable to completely stop phishing and web spoofing. Improvements in security technology can drastically reduce the number of phishing schemes.

21 Videos
Documentary footage: identity theft victims. Don't let this happen to you.

22 Any questions?

