The OWASP Foundation OWASP Chennai 2007 Phishing.

Presentation transcript:

The OWASP Foundation OWASP Chennai Phishing

OWASP Chennai Chapter Kick-off 2 Definition
It is the act of tricking someone into giving confidential information (like passwords and credit card information) on a fake web page or form pretending to come from a legitimate company (like their bank). For example: sending an email to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft.

OWASP Chennai Chapter Kick-off 3 Examples

4 Examples

5 Examples

6 Types of Phishing
- Deceptive - Sending a deceptive email, in bulk, with a “call to action” that demands the recipient click on a link.

OWASP Chennai Chapter Kick-off 7 Types of Phishing
- Malware-Based - Running malicious software on the user’s machine. Various forms of malware-based phishing are:
  - Key Loggers & Screen Loggers
  - Session Hijackers
  - Web Trojans
  - Data Theft

OWASP Chennai Chapter Kick-off 8 Types of Phishing
- DNS-Based - Phishing that interferes with the integrity of the lookup process for a domain name. Forms of DNS-based phishing are:
  - Hosts file poisoning
  - Polluting the user’s DNS cache
  - Proxy server compromise

OWASP Chennai Chapter Kick-off 9 Types of Phishing
- Content-Injection - Inserting malicious content into a legitimate site. Three primary types of content-injection phishing:
  - Hackers can compromise a server through a security vulnerability and replace or augment the legitimate content with malicious content.
  - Malicious content can be inserted into a site through a cross-site scripting vulnerability.
  - Malicious actions can be performed on a site through a SQL injection vulnerability.

OWASP Chennai Chapter Kick-off 10 Types of Phishing
- Man-in-the-Middle Phishing - The phisher positions himself between the user and the legitimate site.

OWASP Chennai Chapter Kick-off 11 Types of Phishing
- Search Engine Phishing - Create web pages for fake products, get the pages indexed by search engines, and wait for users to enter their confidential information as part of an order, sign-up, or balance transfer.

OWASP Chennai Chapter Kick-off 12 Causes of Phishing
- Misleading emails
- No check of the source address
- Vulnerabilities in browsers
- No strong authentication at websites of banks and financial institutions
- Limited use of digital signatures
- Non-availability of secure desktop tools
- Lack of user awareness
- Vulnerabilities in applications
- … and more

OWASP Chennai Chapter Kick-off 13 Effects of Phishing
- Internet fraud
- Identity theft
- Financial loss to the original institutions
- Difficulties in law enforcement investigations
- Erosion of public trust in the Internet

OWASP Chennai Chapter Kick-off 14 Industries affected
Major industries affected are:
- Financial services
- ISPs
- Online retailers

OWASP Chennai Chapter Kick-off 15 Phishing Trends

OWASP Chennai Chapter Kick-off 16 Phishing Trends

OWASP Chennai Chapter Kick-off 17 How to combat phishing?
- Educate application users
  - Think before you open
  - Never click on links in an email, on message boards or in mailing lists
  - Never submit credentials on forms embedded in emails
  - Inspect the address bar and the SSL certificate
  - Never open suspicious emails
  - Ensure that the web browser has the latest security patch applied
  - Install the latest anti-virus packages
  - Destroy any hard copy of sensitive information
  - Verify accounts and transactions regularly
  - Report the scam via phone or email

OWASP Chennai Chapter Kick-off 18 How to combat phishing?
- Formulate and enforce best practices
  - Authorization controls and access privileges for systems, databases and applications. Access to any information should be based on the need-to-know principle.
  - Segregation of duties.
  - Media should be disposed of only after erasing sensitive information.

OWASP Chennai Chapter Kick-off 19 How to combat phishing?
Reinforce application development / maintenance processes:
1. Web page personalization
  - Use two pages to authenticate the users.
  - Use client-side persistent cookies.

OWASP Chennai Chapter Kick-off 20 How to combat phishing?
2. Content Validation
  - Never inherently trust the submitted data.
  - Never present submitted data back to an application user without sanitizing it.
  - Always sanitize data before processing or storing it.
  - Check the HTTP Referer header.

OWASP Chennai Chapter Kick-off 21 How to combat phishing?
3. Session Handling
  - Make session identifiers long, complicated and difficult to guess.
  - Set expiry time limits for SessionIDs and check them on every client request.
  - The application should be capable of revoking active SessionIDs and must not recycle the same SessionID.
  - Any request with an invalid SessionID should be redirected to the login page.
  - Never accept session information within a URL.
  - Protect the session via SSL.
  - Session data should be submitted as a POST.
  - After authenticating, a new SessionID should be used (HTTP & HTTPS).
  - Never let the users choose the SessionID.
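The session-handling rules above, worked into a small in-memory session store. This is an added illustration, not code from the OWASP Chennai presentation; the 15-minute idle timeout, the 256-bit identifier length and the cookie name `sid` are assumed values chosen for the example.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # idle expiry in seconds (assumed policy value, not from the slides)
ID_BYTES = 32           # 256 bits of entropy in every identifier


class SessionStore:
    """In-memory store applying the slide's rules: long random IDs chosen by the
    server, expiry checked on every request, revocation, no recycling of a retired
    ID, and a fresh ID issued once the user authenticates."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested
        self._sessions = {}          # sid -> {"user": str | None, "expires": float}
        self._retired = set()        # IDs that must never be accepted again

    def create(self):
        sid = secrets.token_urlsafe(ID_BYTES)
        while sid in self._retired or sid in self._sessions:   # never recycle an ID
            sid = secrets.token_urlsafe(ID_BYTES)
        self._sessions[sid] = {"user": None, "expires": self._now() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        """Session for sid, or None (unknown, revoked, expired): redirect to login."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._now() >= sess["expires"]:
            self.revoke(sid)
            return None
        sess["expires"] = self._now() + SESSION_TTL   # sliding idle timeout
        return sess

    def revoke(self, sid):
        self._sessions.pop(sid, None)
        self._retired.add(sid)

    def authenticate(self, sid, user):
        """Retire the pre-login ID and issue a new one bound to the user."""
        if self.lookup(sid) is None:
            return None
        self.revoke(sid)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid


def session_from_request(store, cookies, query):
    # The ID is taken only from the cookie; a request carrying one in the URL is refused.
    return None if "sid" in query else store.lookup(cookies.get("sid", ""))
```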

OWASP Chennai Chapter Kick-off 22 How to combat phishing?
4. URL Qualification
  - Do not reference the redirection URL in the browser’s URL.
  - Always maintain a valid approved list of redirection URLs.
  - Never allow customers to supply their own URLs.
  - Never allow IP addresses to be used in URL information.
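One way to implement the four URL-qualification rules, as an added example rather than the presentation's own code: redirects are requested by a short key that the server maps to an approved list, and a validator handles any legacy parameter that still carries a full URL. The hostnames and target paths are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed values for the example; a real site loads its own hosts and targets.
OWN_HOSTS = {"www.example-bank.invalid"}
REDIRECT_TARGETS = {                      # approved list, keyed by name
    "summary": "/account/summary",
    "transfer": "/account/transfer",
    "help": "https://www.example-bank.invalid/help",
}


def resolve_redirect(key):
    """Preferred design: the request carries ?next=summary, never a URL, and the
    server maps the key to an approved location (None means refuse)."""
    return REDIRECT_TARGETS.get(key)


def host_is_ip(host):
    """True if the host is an IPv4/IPv6 literal, which the slide forbids."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_approved_url(url):
    """Validator for legacy parameters that still carry a URL. Accepts only a
    location from the approved list; an absolute URL must also be https to one
    of our own hosts and not an IP literal. Anything customer-supplied fails."""
    if not isinstance(url, str) or any(c in url for c in "\\\r\n"):
        return False                      # backslashes and CRLF confuse browsers/parsers
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url in REDIRECT_TARGETS.values()      # site-relative path
    if parts.scheme != "https":           # also rejects "//host/..." and javascript:
        return False
    host = parts.hostname or ""
    if host_is_ip(host) or host not in OWN_HOSTS:
        return False
    return url in REDIRECT_TARGETS.values()
```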

OWASP Chennai Chapter Kick-off 23 How to combat phishing?
5. Authentication Process
  - Ensure that a 2-phase login process is in place.
  - Personalize the content.
  - Design a strong token-based authentication.

OWASP Chennai Chapter Kick-off 24 How to combat phishing?
6. Transaction non-repudiation
  - To ensure authenticity and integrity of the transaction.

OWASP Chennai Chapter Kick-off 25 How to combat phishing?
7. Image Regulation
  - Image cycling
  - Session-bound images

OWASP Chennai Chapter Kick-off 26 Organizations
- Anti-Phishing Working Group (APWG)
  The APWG has members from over 1500 companies & agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign. Financial industry members include the ING Group, VISA, Mastercard and the American Bankers Association.

OWASP Chennai Chapter Kick-off 27 What does all the above imply? It is better to be safer now than feel sorry later.

OWASP Chennai Chapter Kick-off 28 References

OWASP Chennai Chapter Kick-off 29 Questions?

OWASP Chennai Chapter Kick-off 30 Thank You!