Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.

Presentation transcript:

Web Spoofing. Steve Newell, Mike Falcon. Computer Security, CIS 4360.

Introduction
“Phishing” is a form of identity theft in which deception is used to trick a user into revealing confidential information that has economic value.

Introduction: Definition
Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers into believing that the website was created by a different person or organization. Web spoofing is a phishing scheme.

Statistic
The Gartner Group estimates the direct phishing-related loss to US banks and credit card issuers in the last year to be $1.2 billion. Indirect losses are much higher, including customer service expenses and account replacement costs.

[Slide: Chart (figure only)]

Phishing Technologies
The goal of phishing is to deceive the user in the following ways:
- Deceiving a user into believing a message comes from a trusted source.
- Deceiving a user into believing that a web site is a trusted institution.
- Deceiving a spam filter into classifying a phishing message as legitimate.

Deception
- Deceptive return address information: attempts to appear as a trusted source.
- Fraudulent request for action: prompts the user to provide information.
- Deceptive appearance: mimics the visual target site.

Deceptive Links
- Misleadingly named: the link's visible name will lead to a different destination than it suggests.
- Redirected: if the targeted company has an “open redirect”, it can be used to redirect a legitimate URL to a phishing site.

Deceptive Links
- Obfuscated: using encoded characters to hide the destination address of a link, e.g. an entity-encoded string that the browser displays as “abc”.
- Programmatically obscured: using a scripting language such as JavaScript to hide the destination of a link address, for example via the mouse-over function.
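The three link tricks on this and the previous slide (misleading names, open redirects, entity-encoded addresses) can all be caught by the same check: decode the href, follow any redirect parameter, and compare the host the user actually lands on with the host the visible text suggests. The script below is an added example written for this page, not code from the slides; the `.test` domains, the `SAMPLE_LINKS` pairs and the `REDIRECT_PARAMS` list are constructed assumptions. It also produces the "show the user the actual link" output that the later defenses slide recommends.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed (visible link text, href) pairs for the demonstration; the .test
# domains are reserved names, not real sites.
SAMPLE_LINKS = [
    ("https://www.example-bank.test/login",
     "https://www.example-bank.test/login"),
    ("https://www.example-bank.test/login",
     "http://www.example-bank.test.attacker.test/login"),
    ("Update your account",
     "http://www.example-bank.test/redirect?url=http%3A%2F%2Fattacker.test%2Flogin"),
    ("abc.example.test",
     "&#104;&#116;&#116;&#112;&#58;&#47;&#47;attacker.test/abc"),
]

# Query parameter names commonly used by redirect endpoints (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "goto", "target"}


def decode_href(href):
    """Undo HTML entity encoding repeatedly until the string stops changing,
    so that &#104;&#116;... or a doubly-encoded &amp;#104; is revealed."""
    prev, cur = None, href
    while cur != prev:
        prev, cur = cur, html.unescape(cur)
    return cur


def final_destination(href, depth=0):
    """Hostname the browser would ultimately reach: decode the href and, if it
    is an open redirect carrying an absolute URL in a known parameter, follow it."""
    parsed = urlparse(decode_href(href))
    if depth < 5:  # bound recursion on chained redirects
        for key, values in parse_qs(parsed.query).items():
            if key.lower() in REDIRECT_PARAMS and urlparse(values[0]).scheme in ("http", "https"):
                return final_destination(values[0], depth + 1)
    return (parsed.hostname or "").lower()


def displayed_host(text):
    """Hostname the visible link text leads the user to expect, or None if the
    text is a phrase such as 'Update your account' rather than an address."""
    text = text.strip()
    if "://" in text:
        return (urlparse(text).hostname or "").lower()
    match = re.fullmatch(r"(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:/.*)?", text, re.I)
    return match.group(1).lower() if match else None


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def classify_link(text, href):
    """Return (verdict, actual_host). Verdicts: 'ok' (text and destination agree),
    'mismatch' (text names a different host), 'opaque' (text shows no host)."""
    actual = strip_www(final_destination(href))
    shown = displayed_host(text)
    if shown is None:
        return "opaque", actual
    return ("ok" if strip_www(shown) == actual else "mismatch"), actual


if __name__ == "__main__":
    # Print what a "warn the user" toolbar would show before following the link.
    for text, href in SAMPLE_LINKS:
        verdict, host = classify_link(text, href)
        print(f"{verdict:8} shown={text!r:45} actually goes to {host}")
```

The decode loop matters: a browser decodes entities before it resolves the address, so a checker that compares the raw href string would be fooled by exactly the encoding the slide describes. Comparing hosts after stripping a leading `www.` keeps the check from flagging the common legitimate case while still catching a look-alike host that merely begins with the expected name.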

Deceptive Location
It is not possible to determine whether a connection to a site is secure just by looking at a lock icon in a browser:
- A lock icon by itself means only that the site has a certificate.
- It is possible to get a browser to display a lock icon using a self-signed certificate.
- A lock icon may be overlaid on top of the browser using the same technologies used to fake the URL bar.

[Slide: Information Flow Model (figure only)]

Information Flow Model
1. A deceptive message is sent from the phisher to the user.
2. The user provides confidential information to a phishing server (normally after some interaction with the server).
3. The phisher obtains the confidential information from the server.
4. The confidential information is used to impersonate the user.
5. The phisher obtains illicit monetary gain.

Prevention
Preventing phishing attacks:
- The average phishing site stays active no more than 54 hours.
- Pre-emptive domain registration.
- A “holding period” for new domain registrations.
- E-mail authentication could prevent forged or misleading return addresses.

Defenses Against Early User Actions
- Open information: allow different spam filters, clients, and browsers to exchange information about unsafe domains.
- Warn the user: alert the user when they attempt to click on an obfuscated link. Show the user the actual link, whether the site is trusted or not, and prompt the user whether or not they wish to continue with the link.

Defenses: Disrupting Data Transmission
- Monitor outgoing data: implement a browser toolbar that hashes information and checks whether confidential information is being sent.
- Blacklisting: block IP ranges of known phishing sites.
- Encryption: encrypt sensitive information before transmission.
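The "monitor outgoing data" toolbar idea works because the toolbar never needs the secrets themselves: it stores a keyed hash of each secret together with the one host allowed to receive it, hashes every outgoing form value, and raises an alert on a match going elsewhere (or going to the right host without encryption, which covers the slide's third bullet). The class below is an added example written for this page, not code from the slides or from any real toolbar; the secrets, hosts and the `constructed-demo-key` are constructed values.

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse


class OutgoingDataMonitor:
    """Keeps keyed hashes (never plaintext) of the user's secrets, each bound to
    the one host allowed to receive it, and inspects outgoing form submissions."""

    def __init__(self, key=None):
        # A per-installation random key keeps the stored digests from being
        # matched against a precomputed table if the registry leaks.
        self.key = key if key is not None else os.urandom(32)
        self.registry = {}  # digest -> (label, allowed host)

    def _digest(self, value):
        # Constructed normalization: ignore whitespace so "4242 4242 ..." and
        # "42424242..." hash the same way.
        normalized = "".join(value.split())
        return hmac.new(self.key, normalized.encode(), hashlib.sha256).hexdigest()

    def register(self, label, value, allowed_host):
        self.registry[self._digest(value)] = (label, allowed_host.lower())

    def inspect(self, destination_url, form_fields):
        """Return a list of alerts for fields whose value is a registered secret
        going to the wrong host, or to the right host without encryption."""
        parsed = urlparse(destination_url)
        host = (parsed.hostname or "").lower()
        alerts = []
        for field, value in form_fields.items():
            entry = self.registry.get(self._digest(value))
            if entry is None:
                continue
            label, allowed_host = entry
            if host != allowed_host:
                alerts.append({"field": field, "secret": label, "host": host, "reason": "wrong host"})
            elif parsed.scheme != "https":
                alerts.append({"field": field, "secret": label, "host": host, "reason": "unencrypted"})
        return alerts


def build_demo_monitor():
    """Constructed secrets and allowed hosts (reserved .test names)."""
    monitor = OutgoingDataMonitor(key=b"constructed-demo-key")
    monitor.register("banking password", "correct horse battery staple", "www.example-bank.test")
    monitor.register("card number", "4242 4242 4242 4242", "shop.example.test")
    return monitor


if __name__ == "__main__":
    m = build_demo_monitor()
    genuine = m.inspect("https://www.example-bank.test/login",
                        {"user": "alice", "pass": "correct horse battery staple"})
    spoofed = m.inspect("http://www.example-bank.test.attacker.test/login",
                        {"user": "alice", "pass": "correct horse battery staple"})
    plain = m.inspect("http://shop.example.test/checkout", {"card": "4242424242424242"})
    print("genuine site:", genuine)
    print("spoofed site:", spoofed)
    print("plain http:", plain)
```

Exact-match hashing is the limitation to keep in mind: a field that carries the secret with extra text around it, or a form that collects it a few characters at a time, produces no matching digest, so this is a warning layer on top of the other defenses rather than a guarantee.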

Defenses: Advanced Authentication
- Two-factor authentication: require proof of two out of three criteria (what you are, what you have, or what you know).
- Requires some sort of hardware or time-sensitive information.
- Use a checksum to verify that the information came from the user's machine and not a phisher.

Cross-site Scripting
Cross-site scripting is inserting a malicious script inside a secure domain.
- A phisher could insert a malicious script inside an auction or a product review to attack the user.
- The script would modify the host site so that the user believes he/she is interacting with the secure site.
- It is difficult to write a sufficient filter to remove cross-site scripting: how do you know whether a script is malicious?
- Cross-site scripting could be hindered by introducing a tag on user-supplied content.
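The slide's point that a filter cannot reliably tell a malicious script from a harmless one is best seen side by side: a blacklist that strips `<script>` blocks leaves other active markup untouched, while encoding every user-supplied character on output, and then re-enabling only a fixed set of plain formatting tags, needs no judgement about intent at all. The code below is an added example for this page, not code from the slides; the review strings and the `ALLOWED_TAGS` set are constructed.

```python
import html
import re

SCRIPT_TAG = re.compile(r"<script.*?>.*?</script>", re.DOTALL)
TAG = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)[^>]*>", re.I)

# Tags a product review may keep after escaping (constructed allow-list).
ALLOWED_TAGS = ("b", "i", "em", "strong")

# Constructed review submissions: one benign, two carrying inert test payloads.
REVIEWS = [
    "Great seller, <b>fast</b> shipping!",
    '<SCRIPT>alert("constructed")</SCRIPT>',
    '<img src=x onerror="alert(1)">',
]


def naive_filter(text):
    """Blacklist approach from the slide's 'insufficient filter': remove
    <script>...</script> blocks and pass everything else through."""
    return SCRIPT_TAG.sub("", text)


def escape_all(text):
    """Output encoding: every character with HTML meaning becomes an entity,
    so user text can only ever render as text."""
    return html.escape(text, quote=True)


def escape_then_allow(text):
    """Allow-list: escape everything, then restore only bare, attribute-free
    forms of the permitted tags. A tag with attributes stays escaped."""
    rendered = escape_all(text)
    for tag in ALLOWED_TAGS:
        rendered = rendered.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        rendered = rendered.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return rendered


def active_elements(rendered):
    """Element names still present in the output other than allow-listed ones;
    a non-empty result means the page will interpret user input as markup."""
    return [m.group(1).lower() for m in TAG.finditer(rendered)
            if m.group(1).lower() not in ALLOWED_TAGS]


if __name__ == "__main__":
    for review in REVIEWS:
        print(repr(review))
        for name, fn in (("naive_filter", naive_filter),
                         ("escape_all", escape_all),
                         ("escape_then_allow", escape_then_allow)):
            out = fn(review)
            print(f"  {name:18} leftover elements={active_elements(out)}  -> {out}")
```

The blacklist fails on the second review simply because the pattern is case-sensitive, and on the third because it never considered that an element other than `<script>` can carry script; each fix to the blacklist invites the next case. The escaping versions never have to answer "is this script malicious?", which is exactly the question the slide says is hard.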

Examples [screenshots not included in the transcript]
- Example
- Example 2: Florida Commerce Credit Union
- Example 3: Thomas Scott’s Parody (unofficial site and official site)

[Slide: Leading Nations (figure only)]

Conclusion
Current technology is unable to completely stop phishing and web spoofing. Improvements in security technology can drastically reduce the number of phishing schemes.

Videos
Documentary footage: identity theft victims. Don’t let this happen to you.

Any questions?