
Phishing Attacks. Dr. Neminath Hubballi. Presentation transcript.


Slide 1: Phishing Attacks, Dr. Neminath Hubballi

Slide 2: Outline
- Motivation
- Introduction
- Forms and means of phishing attacks
- Phishing today
- Staying safe
- Server side defense
- Personal level defense
- Enterprise level defense
- Distributed phishing
Indian Institute of Technology Indore

Slide 3: Motivation: Phishing Attacks in India and Globally
- India lost around $53 million (about Rs 328 crore) to phishing scams, with the country facing over 3,750 attacks in July-September last year
- 4th largest target of phishing attacks in the world
- 7% of global phishing attacks target India
- The US tops the ranking with 27% of phishing attacks
- RSA identified 46,119 phishing attacks globally in September, a 36 per cent increase compared with August (33,861)
Courtesy: The Hindu Business Line, http://www.thehindubusinessline.com/industry-and-economy/info-tech/india-lost-53-m-to-phishing-attacks-in-q3/article5414170.ece

Slide 4: Phishing Attacks
- The word is made up of Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free, back in the 70's
- Fishing = attracting the fish to bite
There are lots of fish in the pond; lure them to come and bite; those who bite become victims.
Courtesy: Google Images

Slide 5: Phishing Attacks
- Phishing is a form of social engineering attack
- Not all social engineering attacks are phishing attacks!
- It mimics the communication and appearance of legitimate communications and companies
- The first phishing incident appeared in 1995
- Attractive targets include financial institutions, the gaming industry, social media and security companies

Slide 6: Phishing Information Flow
Three components:
- Mail sender: sends a large volume of fraudulent emails
- Collector: collects sensitive information from users
- Casher: uses the collected sensitive information to encash it
Courtesy: Junxiao Shi and Sara Saleem

Slide 7: Phishing Forms
- Creating fake URLs and sending them
  - Misspelled URLs: www.sbibank.statebank.com, www.micosoft.com, www.mircosoft.com
  - Creating anchor text ("Link Text") whose visible text does not match the link target
- Fake SSL lock: simply show it so that users feel secure
- Getting valid certificates for illegitimate sites
  - Certifying agency not being alert
  - Sometimes users overlook security certificate warnings
- URL manipulation using JavaScript

Slide 8: Phishing Means

Slide 9: Phishing Payload

Slide 10: Phishing Purpose

Slide 11: Motivation for Phishing
- Theft of login credentials
- Theft of banking credentials
- Observation of credit card details
- Capture of address and other personal information
- Distribution of botnet and DDoS agents
- Attack propagation

Slide 12: Types of Phishing
- Clone phishing: the phisher creates a clone of a genuine email, using its contents and the addresses of its recipients and sender
- Spear phishing: targeting a specific group of users who all have something in common, e.g. all faculty members of IITI
- Phone phishing: call someone up and say you are from the bank; ask for the password, saying you need to do maintenance; VoIP makes this easy

Slide 13: Email Spoofing for Phishing
- An email concealing its true source, e.g. appearing to come from customercare@sbi.com when it actually comes from somewhere else
- Send an email saying your bank account needs to be verified urgently
- When the user believes it, she sends her credit card details or gives her password
- Sending a spoofed email is very easy; there are many spoof mail generators

Slide 14: Sample Email

Slide 15: Web Spoofing for Phishing
- Setting up a web page which looks similar to the original one
  - Save any web page as an HTML page (go to view source and save)
  - A PHP script which stores the submitted credentials to a file is all that is required to harvest them
  - In the HTML page, find the submit form and point it at the PHP script
  - Host it on a server: you are ready to go!
- Send a spoofed email with a link to the spoofed web page

Slide 16: Phishing Today
- Use bots to perform large-scale activity: relays for sending spam and phishing emails
- Phishing kits: ready to use, containing clones of many banks and other websites
- Emails
  - JPEG images: the complete email is an image
  - Suspicious parts of the URL may have the same colour as the background
  - Use of font differences: the substitution of uppercase "i" for lowercase "L", and the number zero for uppercase "O"
  - Use of the first 4 digits of the credit card number, which are not unique to the customer

Slide 17: Phishing Today
- Uncommon encoding mechanisms
- Cross-site scripting: sites that accept user input without sanity checks are vulnerable
- Fake banner advertisements

Slide 18: Phishing Today
- Dynamic code: phishing emails contain links to sites whose contents change; when the email arrived at midnight the site was harmless, but the next day when you click it is malicious
- Numbers (IP addresses) in URLs
- Use of targeted email
  - Gather enough information about the user from social networking sites
  - Send a targeted email using the knowledge from the previous step
  - The unsuspecting user clicks on the link
  - The attacker takes control of the recipient's machine (backdoor, trojan)
  - Steal / harvest credentials
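As an added example (not from the slides): a Python check a mail filter could apply to the links in an HTML email, covering the lexical warning signs from slides 7, 16 and 18: a misspelled domain, look-alike characters (capital I for l, zero for O), a numeric IP address as host, and anchor text that names a different host than the link really points to. The allow-list of genuine hosts, the sample message and the 203.0.113.7 address are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of genuine hosts to compare against (an assumption of this example).
LEGIT_HOSTS = {"www.microsoft.com", "www.onlinesbi.com"}
# Undo the substitutions the slides describe: capital I shown for lowercase l, zero for O.
CONFUSABLES = str.maketrans({"I": "l", "0": "o"})
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_findings(host):
    """Lexical warning signs in one hostname, each as a short string."""
    findings = []
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("numeric IP address instead of a domain name")
    lowered, deconfused = host.lower(), host.translate(CONFUSABLES).lower()
    if lowered not in LEGIT_HOSTS:
        if deconfused in LEGIT_HOSTS:
            findings.append(f"look-alike characters imitating {deconfused}")
        else:
            findings += [f"misspelling of {h}" for h in LEGIT_HOSTS if edit_distance(lowered, h) <= 2]
    return findings

def check_links(html):
    """Return [(href, findings)] for every anchor in an HTML email body."""
    report = []
    for href, text in ANCHOR_RE.findall(html):
        host = urlparse(href).netloc.split("@")[-1].split(":")[0]
        findings = host_findings(host)
        shown = HOSTLIKE_RE.fullmatch(re.sub(r"<[^>]+>", "", text).strip())
        if shown and shown.group(1).lower() != host.lower():
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
        report.append((href, findings))
    return report

# Constructed sample message (not a real phishing email); 203.0.113.7 is a documentation address.
SAMPLE = ('<p>Dear Customer,</p><p><a href="http://www.onlinesbi.com/">www.onlinesbi.com</a> noticed '
          'unusual activity. Verify at <a href="http://www.micr0soft.com/login">www.microsoft.com</a> '
          'or <a href="http://203.0.113.7/sbi/">www.onlinesbi.com</a>.</p>')
```

Calling check_links(SAMPLE) flags the second and third links but not the first; the same host_findings check can be run on URLs taken from any other source, such as a proxy log.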

Slide 19: Enterprise Level Protection
- Collecting data from users about emails received and website links
  - Why would anyone give you such data? Because it is in her interest too; offer incentives
- Analyzing spam emails for keywords: "click on the link below", "enter user name password here", "account will be deleted", etc.
- Personalization of emails: every email should quote some secret that proves the sender's identity
  - Ex: phrase it as "Dear Dr. Neminath" instead of "Dear Customer"
  - Referring to the timing of the previous email
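As an added example (not from the slides) of the keyword analysis and personalization checks on slide 19: a small Python scorer that searches a message for the phrases the slide lists, written as patterns that also accept close variants such as "bellow" or "username" (the variants and the weights are assumptions of this example), and that flags a generic salutation where a personalized message would name the customer. The two sample messages are constructed.

```python
import re

# Phrases from the slide, as regexes that tolerate small spelling and wording variants
# ("bellow", "username"); the variants and the weights are assumptions of this example.
PHISHING_PATTERNS = {
    r"click (?:on )?the link bel+ow": 2,
    r"enter (?:your )?user ?name (?:and )?password": 3,
    r"account will be (?:deleted|suspended|closed)": 3,
}
# A genuinely personalised message addresses the customer by name, not as "Dear Customer".
GENERIC_SALUTATION = re.compile(r"^\s*dear\s+(?:valued\s+)?(?:customer|user|member|account holder)\b", re.I | re.M)

def normalise(body):
    """Lowercase and collapse whitespace so line-wrapped phrases still match."""
    return re.sub(r"\s+", " ", body.lower())

def score_email(body, expected_name=None):
    """Return (score, reasons); a higher score means more phishing indicators."""
    text = normalise(body)
    score, reasons = 0, []
    for pattern, weight in PHISHING_PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            score += weight
            reasons.append(f"phrase: {match.group(0)!r}")
    if GENERIC_SALUTATION.search(body):
        score += 2
        reasons.append("generic salutation instead of the customer's name")
    elif expected_name and expected_name.lower() not in text:
        score += 1
        reasons.append("does not address the customer by name")
    return score, reasons

# Constructed sample messages, not real emails.
PHISHING_SAMPLE = """Dear Customer,
Your account will be deleted unless you verify it within 24 hours.
Please click on the link bellow and enter your user name and password."""
GENUINE_SAMPLE = """Dear Dr. Neminath,
As discussed in our email of 3 March, the updated statement is attached."""
```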

Slide 20: What Banks are Doing to Protect from Phishing
- Banks and their customers lose crores of rupees every year
- They hire professional security agencies who constantly monitor the web for phishing sites
- They regularly alert the users "to be alert" and not to fall prey
- They use the best state-of-the-art security software and hardware
- Whitelists and blacklists of phishing sites

Slide 21: Personal Level Protection
- Email protection: blocking dangerous email attachments; disabling HTML capability in all emails
- Awareness and education
- Web browser toolbars: connect to a database of FQDN to IP address mappings of phishing sites (I think Google Chrome does it automatically)
- Multifactor authentication (Gmail has it now)

Slide 22: Case Study 1: Phone Phishing Experiment
- 50 employees were contacted by female crooks
- They had a friendly conversation
- The crooks managed to get e-banking passwords
- Do not believe the statistics, but believe the takeaway!
Source: Experimental Case Studies for Investigating E-Banking Phishing Intelligent Techniques and Attack Strategies

Slide 23: Money Laundering
- Phishing allows you to make money
- Many banks do not allow money transfers to foreign banks just like that
- But how to stay undetected? Launder the money
- How money is laundered
  - Offer jobs to needy people
  - Ask them to open accounts in the same bank
  - Put money into their accounts
  - Ask them to keep a small commission and transfer the rest to the phisher's account in Nigeria

Slide 24: Distributed Phishing Attack
- Until now we understood that there is one collection center for the data
- What if the attacker raises multiple such sites and collects data from all of them?
- An extreme example: every user is redirected to a different site
- An attacker can look for cheaper options for collecting such data
  - Use malware to erect more such sites, hidden in someone else's web page
  - Users with reliable connectivity who have popular software like games are the targets
