| Title | Phishing technology |
|---|---|
| Course | Cyber Security |
| Institution | Malnad College of Engineering |
| Pages | 27 |
| File Size | 526.7 KB |
| File Type | |
| Total Downloads | 49 |
| Total Views | 613 |
A Technical Seminar Report On
PHISHING
Submitted to JNTUK, Kakinada in partial fulfillment of the requirement for the award of the degree of Bachelor of Technology in the Department of Computer Science & Engineering
Submitted By
K. NIRMALA (07A41A0529)
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
LOYOLA INSTITUTE OF TECHNOLOGY AND MANAGEMENT
(Affiliated to JNTUK, Kakinada)
Dhulipalla – 522 403, Guntur Dist.
Academic Year 2010-11
LOYOLA INSTITUTE OF TECHNOLOGY AND MANAGEMENT
(Affiliated to JNTUK, Kakinada)
Dhulipalla – 522 403, Guntur Dist.
Department of Computer Science & Engineering

CERTIFICATE

This is to certify that K. Nirmala (Regd. No. 07A41A0529) has prepared a technical seminar report entitled "PHISHING" as a partial fulfillment for the award of the degree of B.Tech in Computer Science & Engineering. He worked for a period of one semester under our supervision.

Sri. Y. Suresh
Asst. Professor
Technical Seminar Supervisor
Computer Science and Engineering

Sri K. Ramesh
Associate Professor
Head of the Department
Computer Science and Engineering
ABSTRACT

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is a fraudulent e-mail that attempts to get you to divulge personal data that can then be used for illegitimate purposes. There are many variations on this scheme. It is possible to phish for other information in addition to usernames and passwords, such as credit card numbers, bank account numbers, social security numbers and mothers' maiden names. Phishing presents direct risks through the use of stolen credentials and indirect risk to institutions that conduct business online through erosion of customer confidence. The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss. This report is also concerned with anti-phishing techniques. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. No single technology will completely stop phishing. However, a combination of good organization and practice, proper application of current technologies and improvements in security technology has the potential to drastically reduce the prevalence of phishing and the losses suffered from it. Anti-phishing software and computer programs are designed to prevent the occurrence of phishing and trespassing on confidential information. Anti-phishing software is designed to track websites and monitor activity; any suspicious behavior can be automatically reported and even reviewed as a report after a period of time.

This report also covers detecting phishing attacks, how to prevent and avoid being scammed, how to react when you suspect or reveal a phishing attack and what you can do to help stop phishers.
Contents

1. Introduction ... 1
2. Phishing Techniques ... 2
3. Phishing Examples ... 3
4. Reasons Of Phishing ... 5
5. Damages Caused By Phishing ... 6
6. Anti-Phishing Techniques ... 6
   6.1 Social Responses
   6.2 Technical Responses
   6.3 Legal Responses
7. Defend Against Phishing Attacks ... 9
   7.1 Preventing A Phishing Attack Before It Begins
   7.2 Detecting A Phishing Attack
   7.3 Preventing The Delivery Of Phishing Messages
       7.3.1 Filtering
       7.3.2 Authentication
   7.4 Preventing Deception In Phishing Messages And Sites
       7.4.1 Signing
       7.4.2 Personally Identifiable Information
   7.5 Counter Measures
       7.5.1 Interfering With The Call To Action
       7.5.2 Interfering With Transmission Of Confidential Data
       7.5.3 Interfering With The Use Of Compromised Information
8. Solution To Cross-Site Scripting Problem ... 16
9. Anti-Phishing Software ... 17
10. Conclusion ... 19
11. References ... 21
LIST OF FIGURES

1.1 Simplified Flow Of Information In a Phishing Attack ... 1
3.1 Example of Phishing Email Msg ... 4
3.2 Example of Masked Web Address ... 4
7.1 Example of Uploaded Picture of a Canadian Penny ... 12
7.2 Example of Forgery Deceptive Mail ... 12
7.3 Example Of Warning About Unsafe ... 13
1. Introduction

In the field of computer security, Phishing is the criminally fraudulent process of acquiring sensitive information such as passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is a fraudulent e-mail that attempts to get you to divulge personal data that can then be used for illegitimate purposes.

There are many variations on this scheme. It is possible to Phish for other information in addition to usernames and passwords, such as credit card numbers, bank account numbers, social security numbers and mother's maiden names. Phishing presents direct risks through the use of stolen credentials and indirect risk to institutions that conduct business online through erosion of customer confidence. The damage caused by Phishing ranges from denial of access to e-mail to substantial financial loss. This report is also concerned with anti-Phishing techniques.

There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. No single technology will completely stop Phishing. However, a combination of good organization and practice, proper application of current technologies and improvements in security technology has the potential to drastically reduce the prevalence of Phishing and the losses suffered from it. Anti-Phishing software and computer programs are designed to prevent the occurrence of Phishing and trespassing on confidential information. Anti-Phishing software is designed to track websites and monitor activity; any suspicious behavior can be automatically reported and even reviewed as a report after a period of time.

This includes detecting Phishing attacks, how to prevent and avoid being scammed, how to react when you suspect or reveal a Phishing attack and what you can do to help stop Phishers.

The simplified flow of information in a phishing attack is shown in Figure 1.1.

Figure 1.1: Simplified Flow of Information in a Phishing Attack
1. A deceptive message is sent from the Phishers to the user.
2. A user provides confidential information to a phishing server (normally after some interaction with the server).
3. The phishers obtain the confidential information from the server.
4. The confidential information is used to impersonate the user.
5. The phishers obtain illicit monetary gain.

Steps 3 and 5 are of interest primarily to law enforcement personnel to identify and prosecute Phishers.

2. Phishing Techniques

Phishers use a wide variety of techniques, with one common thread.

2.1 Link Manipulation

Most methods of Phishing use some form of technical deception designed to make a link in an e-mail appear to belong to the spoofed organization. Misspelled URLs or the use of sub domains are common tricks used by Phishers. In the following example, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. Phishing) section of the example website.

An old method of spoofing used links containing the @ symbol, originally intended as a way to include a username and password. For example, http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied.

2.2 Filter Evasion

Phishers have used images instead of text to make it harder for anti-Phishing filters to detect text commonly used in Phishing e-mails.

2.3 Website Forgery

Once a victim visits the Phishing website the deception is not over. Some Phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar or by closing the original address bar and opening a new one with the legitimate URL.
2.4 Phone Phishing

Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the Phishers) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice Phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

3. Phishing Examples

3.1 PayPal Phishing

In an example PayPal phish, spelling mistakes in the e-mail and the presence of an IP address in the link are both clues that this is a Phishing attempt. Another giveaway is the lack of a personal greeting: a genuine communication will always greet the user with his or her real name, not just with a generic greeting like "Dear Account holder." Other signs that the message is a fraud are misspellings of simple words, bad grammar and the threat of consequences such as account suspension if the recipient fails to comply with the message's requests. Note that many Phishing emails will include, as a real email from PayPal would, large warnings about never giving out your password in case of a Phishing attack. Warning users of the possibility of phishing attacks, as well as providing links to sites explaining how to avoid or spot such attacks, are part of what makes the Phishing email so deceptive. In this example, the Phishing email warns the user that emails from PayPal will never ask for sensitive information. True to its word, it instead invites the user to follow a link to "Verify" their account; this will take them to a further Phishing website, engineered to look like PayPal's website, and will there ask for their sensitive information.

3.2 Rapid Share Phishing

On the Rapid Share web host, Phishing is common in order to get a premium account, which removes speed caps on downloads, auto-removal of uploads, waits on downloads, and cool down times between downloads. Phishers will obtain premium accounts for Rapid Share by posting at warez sites with links to files on Rapid Share. However, using link aliases like TinyURL, they can disguise the real page's URL, which is hosted somewhere else and is a look-alike of Rapid Share's "free user or premium user" page. If the victim selects free user, the Phishers just pass them along to the real Rapid Share site. But if they select premium, then the Phishing site records their login before passing them to the download. Thus the Phishers have lifted the premium account information from the victim.

3.3 Examples of Phishing E-mails

Phishing e-mail messages take a number of forms. They might appear to come from a bank or financial institution, a company you regularly do business with, such as Microsoft, or from your social networking site. The main thing is that Phishing e-mail messages ask for personal data, or direct you to Web sites or phone numbers to call where they ask you to provide personal data. The following is an example of what a Phishing scam in an e-mail message might look like.

Figure 3.1: Example of a Phishing e-mail message which includes a deceptive Web address that links to a scam Web site.

To make these Phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site (1), but actually takes you to a phony scam site (2) or possibly a pop-up window that looks exactly like the official site. Phishing links that you are urged to click in e-mail messages, on Web sites, or even in instant messages may contain all or part of a real company's name and are usually masked, meaning that the link you see does not take you to that address but somewhere different, usually an illegitimate Web site.

Notice in the following example that resting (but not clicking) the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

Figure 3.2: Example of a masked Web address
4. Reasons of Phishing

Consider some of the reasons people fall victim to Phishing scams.

4.1 Trust of Authority

When a Phishing email arrives marked as "High Priority" that threatens to close our bank account unless we update our data immediately, it engages the same authority response mechanisms that we've obeyed for millennia. In our modern culture, the old markers of authority (physical strength, aggressiveness, and ruthlessness) have largely given way to signs of economic power. "He's richer than I am, so he must be a better man". If you have to equate market capitalization with GDP, then Bank of America is the 28th most powerful country in the world. If you receive a personal email purported to come from BOA questioning the validity of your account data, you will have a strong compulsion to respond, and respond quickly.

4.2 Textual and Graphic Presentation Lacks Clues of Validity

Most people feel that they can tell an honest man by looking him in the eye. You can spot a "professional" panhandler before he gets to the fourth word in his spiel. Without clues from the verbal and physical realms, our ability to determine the validity of business transactions is diminished. This is a cornerstone of the direct mail advertising business. If a piece of mail resembles some type of official correspondence, you are much more likely to open it. Car dealers send sales flyers in manila envelopes stamped "Official Business" that look like the envelopes tax refund checks are mailed in. Banks send credit card offers in large cardboard envelopes that are almost indistinguishable from FedEx overnight packages. Political advertisements are adorned with all manner of patriotic symbols to help us link the candidate with our nationalistic feelings.

4.3 E-mail and Web Pages Can Look Real

The use of symbols laden with familiarity and repute lends legitimacy (or the illusion of legitimacy) to information, whether accurate or fraudulent, that is placed on the imitating page. Deception is possible because the symbols that represent a trusted company are no more 'real' than the symbols that are reproduced for a fictitious company. Certain elements of dynamic web content can be difficult to copy directly but are often easy enough to fake, especially when 100% accuracy is not required. Email messages are usually easier to replicate than web pages since their elements are predominately text or static HTML and associated images. Hyperlinks are easily subverted since the visible tag does not have to match the URL that your click will actually redirect your browser to. The link can look like http://bankofamerica.com/login but the URL could actually link to http://bankofcrime.com/got_your_login.

5. DAMAGES CAUSED BY PHISHING

... may use a person's details to create fake accounts in a victim's name. They can then ruin the victims' credit, or even deny the victims access to their own accounts.

It is estimated that between May 2004 and May 2005 approximately 1.2 million computer users in the United States suffered losses caused by Phishing, approximately US$929 million.

6. ANTI-PHISHING TECHNIQUES

There are several different techniques to combat Phishing including legisla...
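The link checks the report describes in 2.1 (the @ trick and a brand used as a sub domain), 3.1 (an IP address in the link) and 3.3 and 4.3 (a visible address that differs from the real one), written as an added Python example that is not part of the original report; the e-mail body, the host names and the warning labels are constructed for illustration, and the check is a defender's triage aid, not a complete filter.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not from the report) with the link tricks it describes.
SAMPLE_HTML = """<p>Dear Account holder,</p>
<a href="http://www.yourbank.example.com/">http://www.yourbank.com/</a>
<a href="http://www.google.com@members.tripod.com/">Google</a>
<a href="http://192.0.2.10/verify">https://www.paypal.com/</a>
<a href="http://bankofcrime.com/got_your_login">http://bankofamerica.com/login</a>
<a href="https://www.example.com/help">https://www.example.com/help</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_warnings(href, text):
    """Return the warning signs from the report that apply to one link."""
    real = urlsplit(href)
    host = (real.hostname or "").lower()
    warnings = []
    if real.username is not None:                     # user@host trick (section 2.1)
        warnings.append("userinfo-before-host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # bare IP instead of a name (3.1)
        warnings.append("ip-address-host")
    shown = (urlsplit(text).hostname or "").lower() if "://" in text else ""
    if shown and shown != host:                       # visible address != real one (3.3, 4.3)
        warnings.append("visible-host-mismatch")
        brand = shown.split(".")[-2] if "." in shown else shown
        if brand in host.split(".")[:-2]:             # brand is only a sub domain (2.1)
            warnings.append("brand-as-subdomain")
    return warnings

def scan_email(html):
    collector = LinkCollector()
    collector.feed(html)
    # Only links with at least one warning sign are reported.
    return {href: w for href, text in collector.links if (w := link_warnings(href, text))}
```

Running `scan_email(SAMPLE_HTML)` flags four of the five links; the last one, whose visible text and target agree, is not reported.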