Presentation is loading. Please wait.

Presentation is loading. Please wait.

Learn to protect yourself... a 21 st Century Scam.. Phishing.

Published byMagdalen Wilson Modified over 10 years ago

Similar presentations

Presentation on theme: "Learn to protect yourself... a 21 st Century Scam.. Phishing."— Presentation transcript:

1 Learn to protect yourself..

2 a 21 st Century Scam.. Phishing.

3 Define: Phishing Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, usernames, passwords, or other information. You might see a phishing scam: In e-mail messages, even if they appear to be from a coworker or someone you know On a fake Web site that accepts donations for charity. On Web sites that spoof your familiar sites using slightly different Web addresses, hoping you won't notice. In your instant message program. On your cell phone or other mobile device. On your social networking Web site.

4 Phishing: Statistics

5

6 Example: a Phishing Attack The following is an email sent to many thousands of Westpac banking customers in May 2004. While the language sophistication is poor (probably due to the writer not being a native English speaker), many recipients were still fooled.

7 Things to note with this particular attack: The email was sent in HTML format Lower-case L’s have been replaced with upper-case I’s. to fool the recipient into reading them as L’s.. These words were set to white (on the white background of the email) so they were not directly visible The purpose of these words was to help bypass standard anti- spam filters. Within the HTML-based email, the URL link https://oIb.westpac.com.au/ib/defauIt.asp in fact points to a escape-encoded version of the following URL: http://olb.westpac.com.au.userdll.com:4903/ib/index.htm This was achieved using standard HTML coding such as:

8 The Phishers have used a sub-domain of USERDLL.COM in order to lend the illusion of it really being the Westpac banking site. Many recipients are likely to be fooled by olb.westpac.com.au.userdll.com. Recipients that clicked on the link were then forwarded to the real Westpac application. However a JavaScript popup window containing a fake login page was presented to them. Expert analysis of this JavaScript code identified that pieces of it had been used previously in another phishing attack – one targeting HSBC. This fake login window was designed to capture and store the recipient’s authentication credentials. An interesting aspect to this particular phishing attack is that the JavaScript also submitted the authentication information to the real Westpac application and forwarded them on to the site. Therefore the recipient would be unaware that their initial connection had been intercepted and their credentials captured.

9 Example: facebook The emails sent by the phishers direct the users to fbstarter.com,fbaction.net and thisisnetfacebook.com, which has exaclty the same interface as the original facebook.

10 Example: Twitter

11 Phishing Attack: Vectors Man – in – the middle attacks Cross-site Scripting Attacks Observing Customer Data

12 Man- in- the- middle attack Transparent Proxies DNS Cache Poisoning URL Obfuscation THIS METHOD IS CARRIED OUT THROUGH A NUMBER OF WAYS

13 By overriding the customers web-browser setup and setting proxy configuration options, an attacker can force all web traffic through to their nominated proxy server. This method is not transparent to the customer, and the customer may easily review their web browser settings to identify an offending proxy server.In many cases browser proxy configuration changes setting up the attack will have been carried out in advance of receipt of the Phishing message. Browser Proxy Configuration

14 Cross Site Scripting Attacks

15 The customer has received the following URL via a Phishers email: http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm While the customer is indeed directed and connected to the real MyBank web application, due to poor application coding by the bank, the ebanking component will accept an arbitrary URL for insertion within the URL field the returned page. Instead of the application providing a MyBank authentication form embedded within the page, the attacker has managed to reference a page under control on an external server (http://evilsite.com/phishing/fakepage.htm).http://evilsite.com/phishing/fakepage.htm  Unfortunately, as with most CSS vulnerabilities, the customer has no way of knowing that this authentication page is not legitimate. While the example URL may appear obvious, the attacker could easily obfuscate it using the techniques explained earlier. For example, http://evilsite.com/phishing/fakepage.htm may instead become: http%3A%2F%2F3515261219%2Fphishing%C0%AEfakepage%2Ehtm

16 Hidden Attacks  Hidden Frames Hiding HTML code from the customer. Customers will not be able to view the hidden pages code through the standard “View Source” functions available to them. Combined with client-side scripting languages, it is possible to replicate functionality of the browser toolbar; including the representation of URLinformation and pageheaders.

17  Overriding Page Content Several methods exist for Phishers to override displayed content. One of the most popular methods of inserting fake content within a page is to use the DHTML function - DIV. The DIV function allows an attacker to place content into a “virtual container” that, when given an absolute position and size through the STYLE method, can be positioned to hide or replace (by “sitting on top”) underlying content. This malicious content may be delivered as a very long URL or by referencing a stored script.

18 Observing Customer Data Key - Logging The purpose of key loggers is to observe and record all key presses by the customer – in particular, when they must enter their authentication information into the web-based application login pages

19 Countering Phishing: Strategies Never trust strangers: The same rules you were taught as a child come into play here; DO NOT open emails that are from people you don’t know. Set your junk and spam mail filter to deliver only content from those in your address book. Sidestep those links: What happens if your spam filter is fooled into delivering junk mail to your inbox, and you happen to open it? Simple – NEVER click on links embedded in your email. Guard your privacy: Your mouse just happened to move over the link and lo and behold, you’re transported to another website where you’re asked to provide sensitive information like user names, account numbers, password and credit card and social security numbers. Just one word for you - DON’T. Use the keypad, not the mouse: TYPE in URLs instead of clicking on links to online shopping and banking sites that typically ask for credit card and account numbers.

20 Look for the lock: Valid sites that use encryption to securely transfer sensitive information are characterized by a lock on the bottom right of your browser window, NOT your web page. They also have addresses that begin with https:// rather than the usual http://. Spot the difference: Sometimes, just the presence of the lock alone is proof enough that the site is authentic. To verify its genuineness, double- click the lock to display the site’s security certificate, and CHECK if the name on the certificate and the address bar match. If they don’t you’re on a problem site, so get the hell out of there.

21

22 than Q

Download ppt "Learn to protect yourself... a 21 st Century Scam.. Phishing."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
How the Internet Works Course Objectives Introduce the various web browsers Introduce some new terms Explain the basic Internet to PC hookup  ISP  Wired.

How the Internet Works Course Objectives Introduce the various web browsers Introduce some new terms Explain the basic Internet to PC hookup  ISP  Wired.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.

Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.
A few simple steps, hints and tips to figure out if it is indeed fake. - By Emily Breuss.

A few simple steps, hints and tips to figure out if it is indeed fake. - By Emily Breuss.
Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.

Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.
Jason Rich CIS - 158 1.  The purpose of this project is to inform the audience about the act of phishing. Phishing is when fake websites are created.

Jason Rich CIS  The purpose of this project is to inform the audience about the act of phishing. Phishing is when fake websites are created.
PHISHING By, Himanshu Mishra Parrag Mehta. OUTLINE What is Phishing ? Phishing Techniques Message Delivery Effects of Phishing Anti-Phishing Techniques.

PHISHING By, Himanshu Mishra Parrag Mehta. OUTLINE What is Phishing ? Phishing Techniques Message Delivery Effects of Phishing Anti-Phishing Techniques.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.

Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Chapter 7: The Web and E-mail1 The Web and E-mail Chapter 7.

Chapter 7: The Web and 1 The Web and Chapter 7.
Threats To A Computer Network

Threats To A Computer Network
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J. 2004.

URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J
Phishing – Read Behind The Lines Veljko Pejović

Phishing – Read Behind The Lines Veljko Pejović
Basics: Getting Started Uploading and Sharing Videos on YouTube. Basics: Getting Started Uploading and Sharing Videos on YouTube. 1.

Basics: Getting Started Uploading and Sharing Videos on YouTube. Basics: Getting Started Uploading and Sharing Videos on YouTube. 1.
Teach a man (person) to Phish Recognizing email scams, spams and other personal security attacks July 17 th, 2013 High Tea at IT, Summer, 2013.

Teach a man (person) to Phish Recognizing scams, spams and other personal security attacks July 17 th, 2013 High Tea at IT, Summer, 2013.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
The OWASP Foundation OWASP Chennai 2007 Phishing.

The OWASP Foundation OWASP Chennai Phishing.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Similar presentations

Ads by Google