Phishing:
Don’t Phall Phor It
Part 1
Software Training Services
Welcome to Part 1 of the online course: Phishing: Don’t Fall for it!
Objectives
• Definition of Phishing
• State of Phishing Today
• Recognizing Phishing/Phishing Tricks
• Examples
• Best Practices
• What to do if you get “hooked”
• Summary
This course is the first of a two-part series on Phishing. All of the objectives listed
will be covered in the complete course. In part 1, the following topics will be
discussed:
• Define phishing and distinguish it from spam
• Provide phishing statistics to give some insight into the state of phishing today
• Show how to recognize phishing and expose some phishing tricks
• Provide some examples of phishing and point out how to identify these as phishing
scams
You will want to make sure you watch Part 2 of the presentation in order to
complete this course.
Disclaimer:
Many of the links in this presentation are
not authentic web addresses, but are
intended to illustrate hostile activity. DO
NOT type these into your browser, unless
they are provided in the “Resources”
section.
Here’s Phil the Phisher.
Definition
• Web Address
– Located in the top portion of the screen
– Begins with http or https
– The unique address of the web page
Throughout this course we will refer to a “web address”. It’s important that you
understand what a web address is, and where to find it. The web address is located
in the top portion of the screen and will normally begin with http or https. It is the
unique address of the web page.
Web Address Example
In this example, the web address is http://www.uakron.edu
Phishing Defined
• It’s NOT what you do with a worm and a
hook on a sunny afternoon
Let’s start with a definition of phishing. Contrary to what it sounds like, it’s NOT
what you do with a worm and a hook on a sunny afternoon.
A Definition of Phishing:
• The process by which someone obtains
private information - often authenticating
credentials - through deceptive or illicit
means in order to falsely assume another
person’s identity.
Phishing is the process by which someone obtains private information, often
authenticating credentials, through deceptive or illicit means. They use this
information for the purpose of identity theft.
Phishing Defined
• Use spoofed emails to lead the recipient
to counterfeit websites
– Tricked into divulging credit card information,
personal information, account usernames and
passwords, social security numbers, etc.
Phishing involves the use of spoofed emails to lead the victim to counterfeit
websites.
The phisher makes the message appear to come from a legitimate source – such
as Paypal, E-bay, the victim’s bank, credit union, etc.
Once at the website, the victim is tricked into divulging credit card information,
personal information, account usernames and passwords, social security numbers, etc.
Frequently, people will use the same username and password for multiple (or all)
sites, so phishers will try to get a username and password and then try to re-use it
on other popular websites to gain access to multiple additional accounts.
Identity Theft Defined
• A crime in which an imposter obtains key
pieces of personal information in order to
impersonate someone else:
– Social Security number
– Driver's license numbers
Identity Theft is a crime in which an imposter obtains key pieces of personal
information, such as a social security number and driver's license number, in order to
impersonate someone else.
Identity Theft Defined
• Information can be used to carry out
transaction in the name of the victim:
– Obtain credit
– Purchase merchandise and services
• Provides the thief with false credentials
– Can create a criminal record for the victim
– Leave outstanding arrest warrants for the
person whose identity has been stolen
Once the thief has this personal information, one way they may use it is to obtain
credit and purchase merchandise and services under the victim’s identity.
In addition, the thief may also use the information for the purpose of providing them
with false credentials. In this manner, they can create a criminal record for the
victim resulting in outstanding arrest warrants for the person whose identity has
been stolen, as the thief commits crimes under the assumed identity.
The State of Phishing Today
• Anti-Phishing Working Group :
– 5.7 billion – Number of phishing emails sent
each month
– 9,715 – Number of unique phishing websites
in January 2006
– 17,877 - Number of unique phishing reports
received in January 2006
– 16,000+ sites for 2005 YTD
– 5 days - Average time online for a site
Let’s take a look at some of the statistics from the Anti-Phishing Working Group
which provides us with a good view of the state of phishing today.
5.7 billion – that’s the number of phishing emails sent each month!
Just for the month of January 2006 there were 9,715 unique phishing websites.
Those are fake websites set up by phishers to lure unsuspecting users into entering
their personal information. It might also surprise you to know that the majority of
these fake web sites are originating in the United States.
17,877 is the number of unique phishing reports received for the month of January
in 2006.
There were more than 16,000 phishing sites for the entire year in 2005.
5 days is the average time online for a phishing site. That means it is taking an
average of 5 days before the web site is discovered and taken down. Frequently,
the phisher just moves the page to another site.
Keep in mind that these numbers continue to increase – the situation is getting
worse, not better.
Identity Theft Statistics
• From FTC Identity Theft Survey Report
2003:
– 9.9 million – Number of victims
– $47.6 billion – Loss to businesses
– $5 billion – Total loss to victims
– 2 – 10,000 hours – Range of time spent by
victims on resolving the problem (Average
was 600 hours)
You might be wondering “how does this affect me?” Well, phishing is used for the
purpose of identity theft and the statistics on identity theft are overwhelming:
There were 9.9 million victims of identity theft in 2003
The loss to businesses was $47.6 billion and the total loss to victims was $5 billion
The amount of time spent by victims on resolving the problem ranges from 2 hours
to 10,000 hours – with an average of 600 hours. Keep in mind, some of the victims
are still clearing records over 10 years since the initial theft as the imposter
continues to open accounts in their name.
The State of Phishing Today
• “Why Phishing Works” study found:
– People do not know how to scrutinize web addresses
– Even when presented with a choice between a valid
and a hoax site, the hoax was selected 40% of the
time
• Spam VS. Phishing
– Spam – Selling
– Phishing - Stealing
A study was conducted to determine why phishing scams are successful and the
results showed that people don’t know how to scrutinize a web address to
determine if it is valid or not.
Even when people were presented with a choice between a valid and a hoax site,
the hoax was selected 40% of the time.
You might be asking, is there a difference between spam and phishing? Are they
the same thing? Well, they are not the same thing and it’s important to differentiate
between the two. Spam is selling – someone is trying to sell you a product –
Viagra, low mortgage rates, vitamins, etc.
Phishing is actually stealing – they are trying to steal your identity by tricking you
into divulging personal information.
Recognizing Phishing
• Look for the following three components:
– Build credibility (sounds good)
• Spoof a real company
• You may or may not be a member or have an account
– Create a reason to act
• Urgency, plausible premise, requires quick response
– A call to action
• Click a link or button
– Subtle changes to web address
– Actual web address with changed link properties
– Not going where you think you are going!
There are some standard items to look for in an email to help you identify it as a
phishing scam. Most phishing emails will have 3 components:
First, they will try to build credibility by spoofing a real company. Typically, the
phisher will use very popular and well-known businesses, such as e-bay, paypal,
Amazon, or major banks.
Second, they will express a sense of urgency to get you to take immediate action.
They may try to scare you into believing that someone may have tried to access
your account and they need you to verify your account information immediately.
Finally, there is a call to action – a very quick and convenient method for you to
provide the requested information by completing a form or clicking a link.
They may even make it look as though you are clicking a valid web address, when
in fact they have modified the link properties so that you are NOT actually going
where you think you are going.
Recognizing Phishing
• Exercise caution when:
– Notified of “internal accounting errors”,
requesting your cooperation
– Warnings of your account being closed if
action is not taken
– Requests to update your account or profile
– Apparent notices from your ISP informing you
of problems generated by your PC
You should exercise caution any time you are notified of warnings such as “internal
accounting errors” or threats that your account is going to be closed unless you take
immediate action. Some other popular ploys include requests to update your
account or profile, and notices that seem to come from your Internet Service
Provider informing you of problems that have been generated by your PC.
All of these are tricks of the phisher to scare you into taking immediate action. By
placing urgency on the request they are hoping to increase their chances that you
will respond immediately without thinking about the possible consequences.
For Example
Take this example which appears to be coming from Paypal.
This request informs the recipient that they have recently enhanced their web site
and therefore, they are updating their account information and noticed some
discrepancies in the client’s account.
Notice the simple link to click on in order to be taken to a web page where the
account information can be entered.
This email does contain some tell-tale signs that it is a phishing scheme. Let’s take
a closer look.
First, notice the generic “Dear paypal customer”. If this were a legitimate message,
the email would be personalized to include the account holder’s name. In addition,
take a look at the improper grammar used – the first sentence includes the phrase
“to verify that the informations you have provided are accurate”. Then, the poorly
worded note “Unable to do so may result to abnormal account behavior during
transactions.”
Sometimes, poor grammar and misspellings are a good indication of a phishing
scheme, but they are not always present.
Let’s click on the link and see where it takes us – that will provide us with additional
clues as to the legitimacy of the message.
Takes you to …
Let’s analyze this web page.
ANYTIME you enter personal information on the web, you should always verify that
the site is secure by looking for https in the web address and a Lock icon in the
lower right – both should be present.
You can see by this example, http is used and not https and there is no lock icon in
the lower right. The “Secure Log In” and lock symbol used towards the top of the
page are being used to fool you into believing the web page is secure, when in fact
it is not. The lock icon should be located in the status bar at the bottom of the page.
This is an example of a valid, secure web site. Notice the https web address and lock
icon are both present. This is the legitimate web site for paypal.
Secure Site
• Https
– Internet Explorer Lock icon:
• Displayed in lower right
– Mozilla FireFox Lock icon:
• Displayed in lower left
– Netscape Lock icon:
• Displayed in lower left
Throughout this presentation we will use Internet Explorer as the browser.
However, you may be using another browser, such as Mozilla FireFox or Netscape.
Therefore, on this slide we have provided a sample of the lock icon from all three of
these browsers so you are aware of what to look for.
Also keep in mind that unlike Internet Explorer where the lock icon is displayed in
the lower right, both Mozilla and Netscape display the lock icon in the lower left.
This lock icon is not just a picture. You can click the icon or double-click
(depending upon your browser) and examine the security information displayed
about the web site.
Recognizing Phishing
• The actual domain comes JUST BEFORE the
domain suffix
– Example: www.uakron.edu
• Uakron = domain
• .edu = suffix
– Suffixes:
• .com = Commercial business
• .edu = Educational institutions
• .gov = Government
• .org = Non-Profit organizations
• .mil = Military
• .net = Network organizations
You’ll need to understand how to identify domains and suffixes in the web address
so keep in mind the following: To help clarify, the actual domain comes just
BEFORE the domain suffix.
So, for www.uakron.edu Uakron is the domain and .edu is the suffix.
It’s helpful to know some common suffixes – such as:
.com for commercial institutions. Businesses such as ebay, paypal, starbucks, lands
end, etc. would all use the suffix of .com
.edu is for educational institutions, such as The University of Akron
.gov is used for government entities. For example, the United States Postal
Service is usps.gov and the FBI is fbi.gov
.org is used by non-profit organizations, such as the Red Cross, the American
Cancer Society, etc.
.mil is used by military organizations – the Marines are usmc.mil, the Army is
army.mil
.net is for network organizations and is typically used for Internet Service Providers
It helps to be able to identify the domain and suffix in order to determine if a web
site is legitimate.
Recognizing Phishing
• Look for the following (examples of
fraudulent links):
– http://eBay.signon.com
– http://BanesAndNoble.com
– [email protected]
– www.xyz.com/paypal-login.html
• Anything after a ‘slash’ is a subdirectory
of the website
Let’s take a look at what we learned about domains and suffixes and apply it to
these web address examples:
In the first example, ebay.signon.com – you see the ebay and immediately assume it
is legitimate – it’s NOT. For the legitimate ebay site, ebay is the domain; in this
example signon is the domain, making it invalid.
BanesAndNoble.com – they want you to think it’s BarnesAndNoble.com – they’re
hoping you glance at it quickly and ignore the missing “r”.
The next one is a good one: [email protected] You might be thinking this is
ebay because it’s ebay.com. The fact is, whenever there is an @ symbol,
everything to the left is ignored and the actual address is to the right – so this is
really xyz.com and NOT ebay.
The last one, xyz.com/paypal-login.html – again, you might be thinking it’s paypal,
when in fact anything after the slash is a subdirectory of the website. Therefore,
the true domain is xyz and the suffix is .com.
Phishing Tricks
• Credible-looking web address
– http://81.109.44.105/ebay/account_update/now.php
• The @ sign
– Uses everything to the right of the @
– Everything to the left of the @ is forgotten
– http://www.usbank.com/[email protected]/usb/upd.pl
• Long status line
– Web address is so long it cannot be completely
displayed in the status bar (combine with @ sign)
Here are some more credible-looking examples: The first one has the number
81.109.44.105, which is an IP address. Think of the IP address as being
similar to a phone number. Sometimes, phishers use the IP address in place
of the web address in order to fool you. Any time you see a series of
numbers such as this in the web address, it should be an indication that the
web site is not legitimate.
The next one uses the @ symbol. The www.usbank.com/update.pl part looks real;
too bad it’s to the LEFT of the @ symbol. Remember, everything to the left of the
@ is ignored.
Another trick is to use a very long web address.
I’ll point out in a minute how you can move your mouse over the link and see the
actual web address it points to in the status bar at the bottom of the page. Phishers
will make the address so long that when you hover over it, the full address will not
be displayed – you only see part of the name – and it’s the part they want you to
see. They frequently combine this with the @ symbol so they can put anything they
want in front of the @ symbol and none of it is real.
We will show you an example of a long web address on the next slide.
In this example, the phisher is pretty good at disguising the URL.
If we place the mouse over the link labeled internal/loginupdate.html, the status bar
at the bottom of the screen will display internal/login/update/accounts, etc.
However, the actual URL is really quite long, as you can see from the address
displayed in the light grey box. What this phisher did was combine a long address
with the @ symbol to confuse the recipient. Scan the long address and look for the
@ symbol – we’ve highlighted the text in red to help make it stand out for you.
Remember, everything to the left of the @ is ignored; everything to the right is the
real address. Therefore, the real address is www.sisterstuff.com/images/index.html.
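The checks from the domain-and-suffix slide, the fraudulent-link slide and the phishing-tricks slides above, written out as a small URL inspector. This is an added example and not part of the original course; the brand list, the length cutoff and every sample address (they use the reserved .example suffix and the documentation address 192.0.2.10) are constructed for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands the course cites as commonly spoofed (constructed list for this example).
WATCHED_BRANDS = ("ebay", "paypal", "usbank", "barnesandnoble")
LONG_URL_THRESHOLD = 75  # characters; an assumed cutoff, not a figure from the course

def registrable_domain(host):
    """'domain.suffix' as the course defines it: the label before the suffix, plus the
    suffix. Assumes a one-label suffix (.com, .edu, ...), not .co.uk-style ones."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def is_ip_host(host):
    """True when the web address uses a bare IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def one_char_missing(candidate, brand):
    """True if candidate is the brand with exactly one letter dropped (BanesAndNoble)."""
    return len(brand) == len(candidate) + 1 and any(
        brand[:i] + brand[i + 1:] == candidate for i in range(len(brand)))

def inspect_url(url):
    """Return (real_domain, warnings) for the tricks described on the slides."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    real = host if is_ip_host(host) else registrable_domain(host)
    warnings = []
    if parts.scheme != "https":
        warnings.append("no-https")
    if parts.username is not None:  # text before the '@' is userinfo, not the site
        warnings.append("userinfo-before-@")
    if "@" in parts.path:  # an '@' after the first slash is only path text
        warnings.append("at-sign-in-path")
    if is_ip_host(host):
        warnings.append("ip-address-host")
    if len(url) > LONG_URL_THRESHOLD:  # too long to show whole in a status bar
        warnings.append("very-long-url")
    # Brand names in the subdomain, userinfo or path but not in the real domain.
    subdomain = host[:-len(real)] if real and host.endswith(real) else host
    elsewhere = f"{subdomain} {parts.username or ''} {parts.path}".lower()
    for brand in WATCHED_BRANDS:
        if brand in elsewhere and brand not in real:
            warnings.append(f"brand-outside-domain:{brand}")
        elif one_char_missing(real.split(".")[0], brand):
            warnings.append(f"lookalike-domain:{brand}")
    return real, warnings

if __name__ == "__main__":
    for sample in ("http://eBay.signon.com", "http://BanesAndNoble.com",
                   "http://192.0.2.10/ebay/account_update/now.php", "http://ebay.com@xyz.example/"):
        print(sample, "->", inspect_url(sample))
```

Note that urlsplit, like current browsers, ends the host name at the first slash, so an @ that appears later in the address is reported as at-sign-in-path rather than as a change of host; the function flags both shapes so either one stands out.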
Part 1 Conclusion
To advance to Part 2 click the link below:
Phishing: Don’t Phall Phor It Part 2
Questions?
[email protected]
[email protected]
This concludes Part 1 of Phishing: Don’t Phall Phor It!
Please – don’t forget to watch Part 2 of this course. It contains valuable information
on advanced phishing tricks and provides advice on what to do should you become
a victim of phishing. In addition, many valuable resources are provided in Part 2.
Should you have any questions, you may direct them to either [email protected]
or [email protected].