Phishing
by Farhan Sajjad

Outline
   Introduction
   What is Phishing?
   Ethics of Phishing
   Case Studies
   Defense Methods
   Conclusion
   Discussion topics
              What is Phishing?
   A criminal act that relies on social engineering.
       Social engineering: techniques used to
        manipulate people into performing actions
        or giving out confidential information.
       Definition: to fraudulently acquire sensitive
        information by masquerading as a
        trustworthy person or business in an
        electronic communication.
How much Phishing?
     A Typical Phishing Scheme
   A fraudulent email, made to look as if it came
    from a financial institution, asks the victim to
    verify account details or transactions.
   The victim is then pointed towards a fake
    website, using JavaScript and URL masking to
    disguise where the link really goes.
   The fake website collects confidential
    information such as passwords and credit
    card details.
Example of Phishing:
(using JavaScript and URL Masking)
              Ethics of Phishing
   How is the information gathered?
       Fraudulently: phishers steal
        confidential information.
   What could be done with the information?
       Very sensitive information such as SSNs,
        passwords, credit card numbers, personal
       Identity theft!
   It is WRONG because it is stealing!
              Threats of Phishing
   Identity theft
       Stolen bank accounts and passwords/PINs
       Stolen social security numbers, addresses
       Stolen credit card numbers
   Downloading spyware onto the victim's PC to
    eavesdrop, or to use the machine as a zombie
   Infecting the victim with a virus
          The Victims of Phishing
   Individual consumers
   Financial organizations:
       Banks: Citibank, SAMBA…
       Credit Card Companies: Visa, MasterCard…
       Online Retailers: eBay, Amazon, PayPal…
       ISPs: AOL, Yahoo!, MSN…
   Between May 2004 and May 2005, approximately 1.2
    million computer users in the United States suffered
    losses caused by phishing, totaling approximately $929
    million USD.
   In the U.S.A. alone, businesses lose an estimated $2 billion
    USD a year as their clients become victims.
Case Study I

      Linked to a website in China
       Case Study II
   Phishing continues social engineering in
    modern vectors (email + Web)
       It will keep increasing as long as it works
   Current defenses are educational and
       Defenses are trying to keep up with attacks,
        not keep ahead of them
   International phishing laws need to be
    drafted and standardized.
                Defense Methods
   Never click on email links, especially if they claim to
    come from a financial organization.
   Verify the receipt of such emails with the organization,
    using a phone number or address you already have rather
    than one given in the email.
   Use secure connections and the HTTPS protocol.
   Make sure the site's security certificate was issued by a
    reputable certificate authority such as VeriSign. A valid
    certificate only proves you reached the domain shown in the
    address bar, not that this domain belongs to the bank, so
    the domain name itself still has to be checked.
   Carefully check the domain name and the links and see
    if you are being directed elsewhere.
   Type web addresses manually and stay within the
   Use updated versions of internet browsers.
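The link masking described under "A Typical Phishing Scheme" and the "carefully check the domain name and the links" advice above, as an added JavaScript example that is not part of the original slides. The anchors are constructed samples: the bank name comes from the slides' list of victims, the 203.0.113.x addresses and the verify-account.example domain are documentation placeholders, and TRUSTED_DOMAINS is an assumed allow-list for the check. The function flags the masking patterns a mail filter or browser extension should catch: visible text that disagrees with the href, userinfo before "@", an IP address as host, a lookalike subdomain of an attacker's domain, and an onclick handler that overrides the href (the JavaScript variant the slides mention).

```javascript
// Added example (not from the original slides): how a "masked" link in a
// phishing e-mail looks, and the checks to run before the victim follows it.
// All sample data below is constructed; hosts are documentation placeholders.

// Constructed anchors as they might appear in an HTML mail. "text" is what the
// victim reads, "href" is where the browser goes, "onclick" (if any) is a
// script that can redirect regardless of the href.
const SAMPLE_LINKS = [
  // Honest link: text and href agree.
  { text: "https://www.citibank.com/login", href: "https://www.citibank.com/login" },
  // Classic masking: the text shows the bank, the href goes to an IP address.
  { text: "https://www.citibank.com/login", href: "http://203.0.113.10/citi/login.php" },
  // Userinfo trick: browsers ignore everything before "@" when choosing the host.
  { text: "www.citibank.com", href: "http://www.citibank.com@203.0.113.10/" },
  // Lookalike: the bank's name is a subdomain of an attacker-controlled domain.
  { text: "Verify your account", href: "https://www.citibank.com.verify-account.example/" },
  // JavaScript masking: href is honest, but the click handler navigates elsewhere.
  { text: "https://www.citibank.com/login", href: "https://www.citibank.com/login",
    onclick: "window.location='http://203.0.113.10/'; return false;" },
];

// Domains the check treats as legitimate (assumed allow-list for this example).
const TRUSTED_DOMAINS = ["citibank.com"];

// Registrable domain, naively taken as the last two labels. Production code
// should consult the Public Suffix List (e.g. "example.co.uk" has three labels).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Parse a string as a URL; returns null when it is not one (plain link text).
function parseUrl(s) {
  try {
    return new URL(s.includes("://") ? s : "http://" + s);
  } catch (e) {
    return null;
  }
}

function isIpv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Returns { suspicious, reasons } for one anchor.
function analyzeLink({ text, href, onclick }) {
  const reasons = [];
  const target = parseUrl(href);
  if (target === null) {
    return { suspicious: true, reasons: ["unparseable-href"] };
  }
  const host = target.hostname.toLowerCase();
  const shown = parseUrl(text); // null when the link text is not itself a URL

  if (target.username !== "") reasons.push("credentials-in-url");
  if (isIpv4(host)) reasons.push("ip-host");
  if (shown !== null && shown.hostname.toLowerCase() !== host) {
    reasons.push("text-href-mismatch");
  }
  const reg = registrableDomain(host);
  if (!TRUSTED_DOMAINS.includes(reg) && TRUSTED_DOMAINS.some((d) => host.includes(d))) {
    reasons.push("lookalike-domain");
  }
  if (onclick) reasons.push("script-navigation"); // href alone cannot be trusted
  return { suspicious: reasons.length > 0, reasons };
}

// Stand-alone run: print the verdict for each constructed sample.
for (const link of SAMPLE_LINKS) {
  const result = analyzeLink(link);
  console.log(result.suspicious ? "SUSPICIOUS" : "ok", link.href, result.reasons.join(","));
}
```

The userinfo and IP-host checks catch the two tricks that fool a casual glance at the status bar, the mismatch check covers the case where the visible text is itself a URL, and the onclick check matters because a handler that sets window.location wins over the href no matter how honest the href looks. None of this replaces the advice above to type the address by hand; it only decides when a link deserves that suspicion.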
                Discussion Points
   Motivation of the phishers:
       Easy profits:
          Low-cost setup
          Easy to craft and set up
          Even very low success rates can be very profitable
       Low risks:
          Zombies are used to relay phishing emails
          Phishing websites are registered with phony
          International laws are not standardized