1 Submitted to: Presented by: Er. Ajit Saxena Hitesh Khemnani Lecturer 1047110008(B.tech-CS) (Department of Computer Science) Phishi ng
1
Submitted to: Presented by:Er. Ajit Saxena Hitesh Khemnani Lecturer 1047110008(B.tech-CS)(Department of Computer Science)
Phishing
2
Hitesh
Login
Password
Defination Examples Types of Phishing Causes of Phishing Effects of Phishing Industries affected Phishing Trends How to combat phishing
Educate application users Formulate and enforce Best practices Reinforce application development / maintenance
processes: Web page personalization
3
o Content Validationo Session Handlingo Authentication process o Transaction non-repudiationo Image Regulation
Bibliogarphy
4
It is the act of tricking someone into giving confidential information (like passwords and credit card information) on a fake web page or email form pretending to come from a legitimate company (like their bank).
For example: Sending an e-mail to a user falsely
claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
5
6
Deceptive - Sending a deceptive email, in bulk, with a “call to action” that demands the recipient click on a link.
7
Malware-Based - Running malicious software on the user’s machine. Various forms of malware-based phishing are:
Key Loggers & Screen Loggers Session Hijackers Web Trojans Data Theft
8
9
Content-Injection – Inserting malicious content into legitimate site.
Three primary types of content-injection phishing:
Hackers can compromise a server through a security vulnerability and replace or augment the legitimate content with malicious content.
Malicious content can be inserted into a site through a cross-site scripting vulnerability.
Malicious actions can be performed on a site through a SQL injection vulnerability.
10
Man-in-the-Middle Phishing - Phisher positions himself between the user and the legitimate site.
11
Search Engine Phishing - Create web pages for fake products, get the pages indexed by search engines, and wait for users to enter their confidential information as part of an order, sign-up, or balance transfer.
12
Misleading e-mails No check of source address Vulnerability in browsers No strong authentication at websites of banks
and financial institutions Limited use of digital signatures Non-availability of secure desktop tools Lack of user awareness Vulnerability in applications
13
Internet fraud Identity theft Financial loss to the original institutions Difficulties in Law Enforcement Investigations Erosion of Public Trust in the Internet.
14
Major industries affected are: Financial Services ISPs Online retailers
15
16
Educate application users Think before you open Never click on the links in an email , message boards or
mailing lists Never submit credentials on forms embedded in emails Inspect the address bar and SSL certificate Never open suspicious emails Ensure that the web browser has the latest security
patch applied Install latest anti-virus packages Destroy any hard copy of sensitive information Verify the accounts and transactions regularly Report the scam via phone or email.
17
Formulate and enforce Best practices
Authorization controls and access privileges for systems, databases and applications.
Access to any information should be based on need-to-know principle
Segregation of duties. Media should be disposed only after erasing sensitive
information.
18
Reinforce application development / maintenance processes:
1. Web page personalization Using two pages to authenticate the
users. Using Client-side persistent cookies.
19
2. Content Validation
Never inherently trust the submitted data Never present the submitted data back to an
application user without sanitizing the same Always sanitize data before processing or storing Check the HTTP referrer header
20
3. Session Handling
Make session identifiers long, complicated and difficult to guess.
Set expiry time limits for the SessionID’s and should be checked for every client request.
Application should be capable of revoking active SessionID’s and not recycle the same SessionID.
Any attempt the invalid SessionID should be redirected to the login page.
Never accept session information within a URL. Protect the session via SSL. Session data should be submitted as a POST. After authenticating, a new SessionID should be used
(HTTP & HTTPS). Never let the users choose the SessionID.
21
4. Authentication Process
Ensure that a 2-phase login process is in place Personalize the content Design a strong token-based authentication
22
5. Transaction non-repudiation To ensure authenticity and integrity of the transaction
23
6. Image Regulation Image Cycling Session-bound images
24
Anti-Phishing Working Group (APWG)
The APWG has over 2300+ members from over 1500 companies & agencies worldwide. Member companies include leading security companies such as Symantec, McAfee and VeriSign. Financial Industry members include the ING Group,VISA, Mastercard and the American Bankers Association.
25
It is better to be safer now than feel sorry later.
26
• http://www.antiphishing.org/reports/apwg_report_november_2006.pdf
• http://72.14.235.104/search?q=cache:-T6-U5dhgYAJ:www.avira.com/en/threats/what_is_phishing.html+Phishing+consequences&hl=en&gl=in&ct=clnk&cd=7
• Phishing-dhs-report.pdf• Report_on_phishing.pdf• http://www.cert-in.org.in/training/15thjuly05/phishing.pdf• http://www.antiphishing.org
27
28