Phishing technology PDF

Title Phishing technology
Course Cyber Security
Institution Malnad College of Engineering
Pages 27
File Size 526.7 KB
File Type PDF

Description

A Technical Seminar Report On

PHISHING

Submitted to JNTUK, Kakinada in partial fulfillment of the requirement for the award of the degree of Bachelor of Technology in the Department of Computer Science & Engineering

Submitted By K. NIRMALA (07A41A0529)

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
LOYOLA INSTITUTE OF TECHNOLOGY AND MANAGEMENT
(Affiliated to JNTUK, Kakinada) Dhulipalla – 522 403, Guntur Dist.
Academic Year 2010-11

LOYOLA INSTITUTE OF TECHNOLOGY AND MANAGEMENT (Affiliated to JNTUK, Kakinada) Dhulipalla – 522 403, Guntur Dist.

Department of Computer Science & Engineering

CERTIFICATE

This is to certify that K. Nirmala (Regd. No. 07A41A0529) has prepared a technical seminar report entitled “PHISHING” as a partial fulfillment for the award of the degree of B.Tech in Computer Science & Engineering. He worked for a period of one semester under our supervision.

Sri Y. Suresh, Asst. Professor, Technical Seminar Supervisor, Computer Science and Engineering

Sri K. Ramesh, Associate Professor, Head of the Department, Computer Science and Engineering

ABSTRACT

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is a fraudulent e-mail that attempts to get you to divulge personal data that can then be used for illegitimate purposes. There are many variations on this scheme. It is possible to phish for other information in addition to usernames and passwords, such as credit card numbers, bank account numbers, social security numbers and mothers’ maiden names. Phishing presents direct risks through the use of stolen credentials and indirect risk to institutions that conduct business online through erosion of customer confidence. The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss. This report is also concerned with anti-phishing techniques. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. No single technology will completely stop phishing. However, a combination of good organization and practice, proper application of current technologies and improvements in security technology has the potential to drastically reduce the prevalence of phishing and the losses suffered from it. Anti-phishing software and computer programs are designed to prevent the occurrence of phishing and trespassing on confidential information. Anti-phishing software is designed to track websites and monitor activity; any suspicious behavior can be automatically reported and even reviewed as a report after a period of time. This also includes detecting phishing attacks, how to prevent and avoid being scammed, how to react when you suspect or reveal a phishing attack and what you can do to help stop phishers.

Contents

1. Introduction 1
2. Phishing Techniques 2
3. Phishing Examples 3
4. Reasons Of Phishing 5
5. Damages Caused By Phishing 6
6. Anti-Phishing Techniques 6
   6.1 Social Responses
   6.2 Technical Responses
   6.3 Legal Responses
7. Defend Against Phishing Attacks 9
   7.1 Preventing A Phishing Attack Before It Begins
   7.2 Detecting A Phishing Attack
   7.3 Preventing The Delivery Of Phishing Messages
       7.3.1 Filtering
       7.3.2 Authentication
   7.4 Preventing Deception In Phishing Messages And Sites
       7.4.1 Signing
       7.4.2 Personally Identifiable Information
   7.5 Counter Measures
       7.5.1 Interfering With The Call To Action
       7.5.2 Interfering With Transmission Of Confidential Data
       7.5.3 Interfering With The Use Of Compromised Information
8. Solution To Cross-Site Scripting Problem 16
9. Anti-Phishing Software 17
10. Conclusion 19
11. References 21

LIST OF FIGURES

1.1 Simplified Flow Of Information In a Phishing Attack 1
3.1 Example of Phishing Email Msg 4
3.2 Example of Masked Web Address 4
7.1 Example of Uploaded Picture of a Canadian Penny 12
7.2 Example of Forgery Deceptive Mail 12
7.3 Example Of Warning About Unsafe 13

1. Introduction

In the field of computer security, Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is a fraudulent e-mail that attempts to get you to divulge personal data that can then be used for illegitimate purposes.

There are many variations on this scheme. It is possible to Phish for other information in addition to usernames and passwords, such as credit card numbers, bank account numbers, social security numbers and mother’s maiden names. Phishing presents direct risks through the use of stolen credentials and indirect risk to institutions that conduct business online through erosion of customer confidence. The damage caused by Phishing ranges from denial of access to e-mail to substantial financial loss. This report is also concerned with anti-Phishing techniques. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. No single technology will completely stop Phishing. However, a combination of good organization and practice, proper application of current technologies and improvements in security technology has the potential to drastically reduce the prevalence of Phishing and the losses suffered from it. Anti-Phishing software and computer programs are designed to prevent the occurrence of Phishing and trespassing on confidential information. Anti-Phishing software is designed to track websites and monitor activity; any suspicious behavior can be automatically reported and even reviewed as a report after a period of time.

This includes detecting Phishing attacks, how to prevent and avoid being scammed, how to react when you suspect or reveal a Phishing attack and what you can do to help stop Phishers.

The simplified flow of information in a phishing attack is shown in Figure 1.1.

Figure 1.1: Simplified Flow Of Information In a Phishing Attack

1. A deceptive message is sent from the Phishers to the user.
2. A user provides confidential information to a phishing server (normally after some interaction with the server).
3. The phishers obtain the confidential information from the server.
4. The confidential information is used to impersonate the user.
5. The phishers obtain illicit monetary gain.

Steps 3 and 5 are of interest primarily to law enforcement personnel to identify and prosecute Phishers.

2. Phishing Techniques

Phishers use a wide variety of techniques, with one common thread.

2.1 Link Manipulation

Most methods of Phishing use some form of technical deception designed to make a link in an e-mail appear to belong to the spoofed organization. Misspelled URLs or the use of sub domains are common tricks used by Phishers. In the following example, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. Phishing) section of the example website.

An old method of spoofing used links containing the @ symbol, originally intended as a way to include a username and password. For example, http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied.

2.2 Filter Evasion

Phishers have used images instead of text to make it harder for anti-Phishing filters to detect text commonly used in Phishing e-mails.

2.3 Website forgery

Once a victim visits the Phishing website the deception is not over. Some Phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar or by closing the original address bar and opening a new one with the legitimate URL.

2.4 Phone Phishing

Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the Phishers) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice Phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

3. Phishing Examples

3.1 PayPal Phishing

In an example PayPal phish, spelling mistakes in the e-mail and the presence of an IP address in the link are both clues that this is a Phishing attempt. Another giveaway is the lack of a personal greeting; a legitimate communication will always greet the user with his or her real name, not just with a generic greeting like "Dear Account holder." Other signs that the message is a fraud are misspellings of simple words, bad grammar and threats of consequences such as account suspension if the recipient fails to comply with the message's requests. Note that many Phishing emails will include, as a real email from PayPal would, large warnings about never giving out your password in case of a Phishing attack. Warning users of the possibility of phishing attacks, as well as providing links to sites explaining how to avoid or spot such attacks, is part of what makes the Phishing email so deceptive. In this example, the Phishing email warns the user that emails from PayPal will never ask for sensitive information. True to its word, it instead invites the user to follow a link to "Verify" their account; this will take them to a further Phishing website, engineered to look like PayPal's website, and will there ask for their sensitive information.

3.2 Rapid Share Phishing

On the Rapid Share web host, Phishing is common in order to get a premium account, which removes speed caps on downloads, auto-removal of uploads, waits on downloads, and cool down times between downloads. Phishers will obtain premium accounts for Rapid Share by posting at warez sites with links to files on Rapid Share. However, using link aliases like TinyURL, they can disguise the real page's URL, which is hosted somewhere else and is a look-alike of Rapid Share’s "free user or premium user" page. If the victim selects free user, the Phishers just

pass them along to the real Rapid Share site. But if they select premium, then the Phishing site records their login before passing them to the download. Thus the Phishers have lifted the premium account information from the victim.

3.3 Examples of Phishing E-mails

Phishing e-mail messages take a number of forms. They might appear to come from a bank or financial institution, a company you regularly do business with, such as Microsoft, or from your social networking site. The main thing is that Phishing e-mail messages ask for personal data, or direct you to Web sites or phone numbers to call where they ask you to provide personal data. The following is an example of what a Phishing scam in an e-mail message might look like.

Figure 3.1: Example of a Phishing e-mail message which includes a deceptive Web address that links to a scam Web site.

To make these Phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site (1), but actually takes you to a phony scam site (2) or possibly a pop-up window that looks exactly like the official site. Phishing links that you are urged to click in e-mail messages, on Web sites, or even in instant messages may contain all or part of a real company’s name and are usually masked, meaning that the link you see does not take you to that address but somewhere different, usually an illegitimate Web site.

Notice in the following example that resting (but not clicking) the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

Figure 3.2: Example of a masked Web address
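The link tricks described in section 2.1 (a username before "@" that hides the real host, and a brand name placed in a subdomain of an unrelated domain), the masked address with "cryptic numbers" in section 3.3, and the mismatch between a link's visible text and its real URL that section 4.3 returns to can all be checked mechanically, which is what a mail gateway does and what hovering over a link does by hand. The following Python script is an added example and is not part of the original report. It parses a constructed HTML message whose addresses come from the report's own examples (members.tripod.com, yourbank.example.com, bankofcrime.com) or from the reserved documentation range 192.0.2.0/24 (RFC 5737) and example.com, and reports, for each anchor, the host the browser would actually connect to and why the link looks deceptive. The two-label rule for the registered domain is a simplification assumed here; a production tool would consult the Public Suffix List.

```python
"""Deceptive-link analyzer for HTML e-mail bodies (added example, not from the report)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message. Hosts are the report's own examples
# (members.tripod.com, yourbank.example.com, bankofcrime.com), the reserved
# documentation address 192.0.2.10 (RFC 5737), or example.com.
SAMPLE_EMAIL = """
<p>Dear Account holder,</p>
<p><a href="http://www.google.com@members.tripod.com/">www.google.com</a></p>
<p><a href="http://www.yourbank.example.com/">www.yourbank.example.com</a></p>
<p><a href="http://192.0.2.10/account/verify">https://www.yourbank.com/account/verify</a></p>
<p><a href="http://bankofcrime.com/got_your_login">http://bankofamerica.com/login</a></p>
<p><a href="https://www.example.com/account">https://www.example.com/account</a></p>
"""

# Visible anchor text that itself looks like a URL or hostname (optional scheme and path).
HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def effective_host(url):
    """Host the browser will actually connect to; anything before '@' is only userinfo."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Last two labels. Simplification: ignores multi-part suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_link(href, text):
    """Return human-readable findings for one anchor (empty list = nothing odd)."""
    findings = []
    parts = urlsplit(href)
    host = effective_host(href)
    if parts.username is not None:
        findings.append(f"'{parts.username}' before '@' is a username; real host is {host}")
    ip = is_ip_literal(host)
    if ip:
        findings.append(f"host is a bare IP address ({host})")
        reg = host
    else:
        reg = registered_domain(host)
        prefix = host[: -len(reg) - 1] if host != reg else ""
        if prefix and prefix != "www":
            findings.append(f"'{prefix}' is only a subdomain; the site is controlled by {reg}")
    shown = HOSTLIKE.match(text)
    if shown:
        shown_host = shown.group(1).lower()
        if ip or registered_domain(shown_host) != reg:
            findings.append(f"visible text says {shown_host} but the link goes to {host}")
    return findings


def analyze_email(html):
    """Map every href in the message body to its findings (insertion order kept)."""
    collector = _AnchorCollector()
    collector.feed(html)
    return {href: analyze_link(href, text) for href, text in collector.links}


def flagged_links(html):
    """Count anchors with at least one finding."""
    return sum(1 for f in analyze_email(html).values() if f)


if __name__ == "__main__":
    for href, findings in analyze_email(SAMPLE_EMAIL).items():
        print(("SUSPICIOUS " if findings else "ok         ") + href)
        for finding in findings:
            print("    -", finding)
```

Running the script prints one line per link. Four of the five constructed links are flagged; only the one whose visible text and href both resolve to example.com is reported as clean. The effective host is always printed alongside the findings because an anchor whose text is plain words ("Click here") gives the text comparison nothing to work with, and the host is then the only evidence.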

4. Reasons of Phishing

Consider some of the reasons people fall victim to Phishing scams.

4.1 Trust of Authority

When a Phishing email arrives marked as “High Priority” that threatens to close our bank account unless we update our data immediately, it engages the same authority response mechanisms that we've obeyed for millennia. In our modern culture, the old markers of authority (physical strength, aggressiveness, and ruthlessness) have largely given way to signs of economic power. “He's richer than I am, so he must be a better man.” If you equate market capitalization with GDP, then Bank of America is the 28th most powerful country in the world. If you receive a personal email purported to come from BOA questioning the validity of your account data, you will have a strong compulsion to respond, and respond quickly.

4.2 Textual and Graphic Presentation Lacks Clues of Validity

Most people feel that they can tell an honest man by looking him in the eye. You can spot a “professional” panhandler before he gets to the fourth word in his spiel. Without clues from the verbal and physical realms, our ability to determine the validity of business transactions is diminished. This is a cornerstone of the direct mail advertising business. If a piece of mail resembles some type of official correspondence, you are much more likely to open it. Car dealers send sales flyers in manila envelopes stamped “Official Business” that look like the envelopes tax refund checks are mailed in. Banks send credit card offers in large cardboard envelopes that are almost indistinguishable from FedEx overnight packages. Political advertisements are adorned with all manner of patriotic symbols to help us link the candidate with our nationalistic feelings.

4.3 E-mail and web pages can look real

The use of symbols laden with familiarity and repute lends legitimacy (or the illusion of legitimacy) to information, whether accurate or fraudulent, that is placed on the imitating page. Deception is possible because the symbols that represent a trusted company are no more 'real' than the symbols that are reproduced for a fictitious company. Certain

elements of dynamic web content can be difficult to copy directly but are often easy enough to fake, especially when 100% accuracy is not required. Email messages are usually easier to replicate than web pages since their elements are predominately text or static HTML and associated images. Hyperlinks are easily subverted since the visible tag does not have to match the URL that your click will actually redirect your browser to. The link can look like http://bankofamerica.com/login but the URL could actually link to http://bankofcrime.com/got_your_login.

5. DAMAGES CAUSED BY PHISHING

... may use a person's details to create fake accounts in a victim's name. They can then ruin the victims' credit, or even deny the victims access to their own accounts.

It is estimated that between May 2004 and May 2005 approximately 1.2 million computer users in the United States suffered losses caused by Phishing of approximately US$929 million.

6. ANTI-PHISHING TECHNIQUES

There are several different techniques to combat Phishing, including legisla...

