12-04-2013, 02:56 PM
Phishing
Phishing.doc (Size: 647 KB / Downloads: 21)
ABSTRACT
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is a fraudulent e-mail that attempts to get you to divulge personal data that can then be used for illegitimate purposes.
There are many variations on this scheme. It is possible to phish for other information in addition to usernames and passwords, such as credit card numbers, bank account numbers, social security numbers and mothers’ maiden names. Phishing presents direct risks through the use of stolen credentials and indirect risk to institutions that conduct business online through erosion of customer confidence. The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss.
This report is also concerned with anti-phishing techniques. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. No single technology will completely stop phishing. However, a combination of good organization and practice, proper application of current technologies and improvements in security technology has the potential to drastically reduce the prevalence of phishing and the losses suffered from it. Anti-phishing software and computer programs are designed to prevent the occurrence of phishing and trespassing on confidential information. Anti-phishing software is designed to track websites and monitor activity; any suspicious behavior can be automatically reported and even reviewed as a report after a period of time.
INTRODUCTION
In the field of computer security, Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is a fraudulent e-mail that attempts to get you to divulge personal data that can then be used for illegitimate purposes.
There are many variations on this scheme. It is possible to phish for other information in addition to usernames and passwords, such as credit card numbers, bank account numbers, social security numbers and mothers’ maiden names. Phishing presents direct risks through the use of stolen credentials and indirect risk to institutions that conduct business online through erosion of customer confidence. The damage caused by phishing ranges from denial of access to e-mail to substantial financial loss.
This report is also concerned with anti-phishing techniques. There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing. No single technology will completely stop phishing. However, a combination of good organization and practice, proper application of current technologies and improvements in security technology has the potential to drastically reduce the prevalence of phishing and the losses suffered from it. Anti-phishing software and computer programs are designed to prevent the occurrence of phishing and trespassing on confidential information. Anti-phishing software is designed to track websites and monitor activity; any suspicious behavior can be automatically reported and even reviewed as a report after a period of time.
PHISHING TECHNIQUES
Phishers use a wide variety of techniques, with one common thread.
LINK MANIPULATION
Most methods of phishing use some form of technical deception designed to make a link in an e-mail appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example, http://www.yourbank.example, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. An old method of spoofing used links containing the '@' symbol, originally intended as a way to include a username and password. For example, http://www.google.com[at]members.tripod might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied.
TRUST OF AUTHORITY
When a Phishing email arrives marked as “High Priority” that threatens to close our bank account unless we update our data immediately, it engages the same authority response mechanisms that we've obeyed for millennia. In our modern culture, the old markers of authority – physical strength, aggressiveness, ruthlessness – have largely given way to signs of economic power. “He's richer than I am, so he must be a better man”. If you equate market capitalization with GDP then Bank of America is the 28th most powerful country in the world. If you receive a personal email purported to come from BOA questioning the validity of your account data, you will have a strong compulsion to respond, and respond quickly.
TEXTUAL AND GRAPHIC PRESENTATION LACKS TRADITIONAL CLUES OF VALIDITY
Most people feel that they can tell an honest man by looking him in the eye. You can spot a “professional” panhandler before he gets to the fourth word in his spiel. Without clues from the verbal and physical realms, our ability to determine the validity of business transactions is diminished. This is a cornerstone of the direct mail advertising business. If a piece of mail resembles some type of official correspondence, you are much more likely to open it. Car dealers send sales flyers in manila envelopes stamped “Official Business” that look like the envelopes tax refund checks are mailed in. Banks send credit card offers in large cardboard envelopes that are almost indistinguishable from FedEx overnight packages. Political advertisements are adorned with all manner of patriotic symbols to help us link the candidate with our nationalistic feelings.
E-MAIL AND WEB PAGES CAN LOOK REAL
The use of symbols laden with familiarity and repute lends legitimacy (or the illusion of legitimacy) to information—whether accurate or fraudulent—that is placed on the imitating page. Deception is possible because the symbols that represent a trusted company are no more 'real' than the symbols that are reproduced for a fictitious company. Certain elements of dynamic web content can be difficult to copy directly but are often easy enough to fake, especially when 100% accuracy is not required. Email messages are usually easier to replicate than web pages since their elements are predominately text or static HTML and associated images. Hyperlinks are easily subverted since the visible tag does not have to match the URL that your click will actually redirect your browser to.
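The two link tricks described under LINK MANIPULATION (the '@' userinfo trick and the brand-as-subdomain trick) and the mismatch between a hyperlink's visible text and its real target mentioned just above can all be checked mechanically on the receiving side. The following is an added example, not code from the report; it uses only the Python standard library, treats the registrable domain as simply the last two labels of a hostname (a simplification; real deployments should use the Public Suffix List), and runs over a constructed sample message body:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible anchor text that itself looks like a URL or a bare hostname.
_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def registrable_domain(host):
    """Last two labels of a hostname. Simplification (assumption): production
    code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_named_in_text(text):
    m = _HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


def analyse_link(href, text, brand_domains):
    """Return human-readable findings for one hyperlink (empty list if clean)."""
    findings = []
    parts = urlsplit(href)
    actual = (parts.hostname or "").lower()
    # 1. userinfo before '@': the browser connects to `actual`, whatever
    #    name precedes the '@'.
    if parts.username:
        findings.append(f"userinfo '{parts.username}' precedes the real host {actual}")
    # 2. The anchor text names one site but the href goes somewhere else.
    shown = host_named_in_text(text)
    if shown and registrable_domain(shown) != registrable_domain(actual):
        findings.append(f"text shows {shown} but the link goes to {actual}")
    # 3. The brand name is only a subdomain of an unrelated registrable domain.
    for brand in brand_domains:
        if brand in actual and registrable_domain(actual) != brand:
            findings.append(f"{brand} appears inside unrelated domain {registrable_domain(actual)}")
    return findings


def find_deceptive_links(html, brand_domains=("yourbank.example",)):
    """Map each suspicious href in an HTML body to its list of findings."""
    collector = _AnchorCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = analyse_link(href, text, brand_domains)
        if findings:
            report[href] = findings
    return report


# Constructed sample message body (not from the report).
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://www.yourbank.example/">log in</a>.</p>
<p>Or use <a href="http://www.yourbank.example.com/login">www.yourbank.example</a>.</p>
<p>Help: <a href="http://www.google.com@members.tripod.com/">http://www.google.com</a></p>
"""

if __name__ == "__main__":
    for href, findings in find_deceptive_links(SAMPLE_HTML).items():
        print(href)
        for finding in findings:
            print("   -", finding)
```

The first link is left alone because its registrable domain is the brand itself; the second is flagged twice (visible text versus target, and brand-as-subdomain); the third is flagged for the userinfo trick and for the text/target mismatch. Note that modern browsers strip or warn on userinfo in URLs, but mail clients and HTML renderers vary, so the check is still worth running at the mail gateway.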
DAMAGES CAUSED BY PHISHING
The damage caused by Phishing ranges from denial of access to e-mail to substantial financial loss. This style of identity theft is becoming more popular, because of the readiness with which unsuspecting people often divulge personal information to Phishers, including credit card numbers, social security numbers, and mothers' maiden names. There are also fears that identity thieves can add such information to the knowledge they gain simply by accessing public records. Once this information is acquired, the Phishers may use a person's details to create fake accounts in a victim's name. They can then ruin the victims' credit, or even deny the victims access to their own accounts.
Personally identifiable information
The simplest way to reduce the deceptiveness of phishing messages is to include personally identifiable information with all legitimate communications. For example, if every email from bank.com begins with the user’s name, and every email from bank.com educates the user about this practice, then an email that does not include a user’s name is suspect. While implementing this practice can be complex due to the widespread use of third-party mailing services, it is an effective measure.
Personalized imagery may also be used to transmit messages. For example, when a user creates or updates account information, he or she may be allowed (or required) to enter textual and/or graphical information that will be used in subsequent personalized information. In this example, a customer of the Large Bank and Trust Company has typed in the personalized text “You were born in Prague” and selected or uploaded a picture of a Canadian penny.
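The policy above ("every message from bank.com greets the user by name and repeats the phrase the user chose, so a message without them is suspect") can be enforced by a simple rule on the receiving side. The following is an added example, not code from the report. It assumes a per-sender enrolment record holding the customer's name, chosen phrase and the sender domains that promise to use them; the messages are constructed samples, and the phrase is the one from the report's Large Bank and Trust example:

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed enrolment record: what the customer chose when setting up the
# account, and which sender domains promise to use it. A real mail client
# would store one such record per sender.
PROFILE = {
    "name": "Jane Doe",
    "phrase": "You were born in Prague",   # personalized text from the report's example
    "domains": {"bank.com"},
}


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if absent)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def missing_markers(raw_message, profile=PROFILE):
    """Return None when the policy does not apply to the sender, otherwise the
    list of personalization markers the message failed to include (an empty
    list means the message is consistent with the policy)."""
    msg = message_from_string(raw_message, policy=policy.default)
    if sender_domain(msg) not in profile["domains"]:
        return None
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    missing = []
    if profile["name"] not in text:
        missing.append("name")
    if profile["phrase"] not in text:
        missing.append("phrase")
    return missing


# Constructed sample messages (not from the report).
LEGIT = """\
From: Large Bank and Trust <alerts@bank.com>
To: jane@example.org
Subject: Your statement is ready
Content-Type: text/plain; charset=utf-8

Dear Jane Doe,
Reminder of your chosen phrase: You were born in Prague.
Your statement is available in online banking.
"""

PHISH = """\
From: Large Bank and Trust <security@bank.com>
To: jane@example.org
Subject: Urgent: verify your account
Content-Type: text/plain; charset=utf-8

Dear valued customer,
Your account has been suspended. Verify your details immediately.
"""

UNRELATED = """\
From: Alice <alice@example.org>
To: jane@example.org
Subject: lunch

Are we still on for Friday?
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH), ("unrelated", UNRELATED)):
        print(label, "->", missing_markers(raw))
```

The From header is trivially forgeable, so this rule only establishes that a message claiming to come from the bank is consistent with the bank's stated practice; it catches the generic "Dear valued customer" mass mailing, not a targeted message whose author already knows the phrase. It belongs alongside, not instead of, sender authentication of the kind the conclusion mentions.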
HOW ANTI-PHISHING SOFTWARE WORKS
Anti-phishing software consists of computer programs that attempt to identify phishing content contained in websites and e-mail. It is often integrated with web browsers and email clients as a toolbar that displays the real domain name for the website the viewer is visiting, in an attempt to prevent fraudulent websites from masquerading as other legitimate web sites. Anti-phishing functionality may also be included as a built-in capability of some web browsers.
Common phishing tactics take advantage of a visitor by requesting them to link out to another site, asking that they enter personal information and passwords, or redirecting them to another site completely for registration. The process usually begins by sending out a forged e-mail that looks like it was sent from the company. Some tactics include saying an account has expired and needs to be updated, or has experienced unauthorized use and needs to be verified. Many banking and financial institutions become targets for these types of scams, and they can be a considerable threat to millions of account holders and users.
Many leading web browsers and software programs have realized the impact of this trend, and have created programs that can limit the frequency of these types of scams. Microsoft Windows Internet Explorer 7, Firefox 2.0, Google Safe Browsing, and Earthlink ScamBlocker are just a few programs that have reduced the risks involved.
CONCLUSION
No single technology will completely stop phishing. However, a combination of good organization and practice, proper application of current technologies, and improvements in security technology has the potential to drastically reduce the prevalence of phishing and the losses suffered from it. In particular:
• High-value targets should follow best practices and keep up with their continuing evolution.
• Phishing attacks can be detected rapidly through a combination of customer reportage, bounce monitoring, image use monitoring, honeypots and other techniques.
• Email authentication technologies such as Sender-ID and cryptographic signing, when widely deployed, have the potential to prevent phishing emails from reaching users.
• Analysis of imagery is a promising area of future research to identify phishing emails.
• Personally identifiable information should be included in all email communications. Systems allowing the user to enter or select customized text and/or imagery are particularly promising.
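"Image use monitoring" in the list above refers to watching the institution's own web server logs: an imitation page frequently loads the genuine logo straight from the real site, so image requests whose Referer points at a page on a host the institution does not own reveal where the imitation lives. The following is an added example, not code from the report. It assumes the server writes the Apache/NGINX "combined" log format; the log lines are constructed samples using documentation address ranges:

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/NGINX "combined" log format (assumption about the server configuration).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".svg", ".ico")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_own_host(host, own_domains):
    """True if `host` is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in own_domains)


def foreign_image_referers(lines, own_domains):
    """Count image requests whose Referer page lives on a host we do not own.
    Returns a Counter keyed by (referring host, requested image path)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].lower().endswith(IMAGE_EXT):
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            continue   # no Referer: direct load, bookmark, privacy setting
        host = (urlsplit(ref).hostname or "").lower()
        if host and not is_own_host(host, own_domains):
            hits[(host, rec["path"])] += 1
    return hits


# Constructed sample log (not from the report). The bank owns yourbank.example;
# the third-party host is a placeholder, not a real site.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2013:09:15:02 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.yourbank.example/login" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:09:16:44 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "http://secure-login.example.net/yourbank/" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2013:09:17:01 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "http://secure-login.example.net/yourbank/" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:09:18:30 +0000] "GET /css/site.css HTTP/1.1" 200 900 "http://secure-login.example.net/yourbank/" "Mozilla/5.0"
192.0.2.45 - - [12/Apr/2013:09:19:12 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for (host, path), n in foreign_image_referers(SAMPLE_LOG.splitlines(), {"yourbank.example"}).most_common():
        print(f"{n:4d}  {host}  {path}")
```

Only the two logo requests referred from the third-party host are reported; the stylesheet request is ignored because only image paths are monitored, and the request with no Referer is skipped rather than counted. Referer headers can be suppressed by the browser or by the imitation page itself, so an empty result is not evidence of absence; when a foreign host does show up, the same log lines give the first-seen timestamp, which is the figure that matters for how quickly a takedown request can go out.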