Getting A Hook On Phishing

Laurie Werner, Miami University
Chuck Frank, Northern Kentucky University


Page 1: Getting A Hook On Phishing

Laurie Werner, Miami University

Chuck Frank, Northern Kentucky University

Page 2: What is Phishing?

Phishers go to a lot of trouble to catch phish, not for fun but for PROFIT.

They develop schemes to steal consumers' personal identity data and financial account credentials via

– Social Engineering
– Technical Subterfuge
– Hijacking of brand names

Page 3: Social Engineering Schemes

Use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as

– credit card numbers
– account usernames and passwords
– social security numbers

Holes in Listservs can be used to transmit spoofed emails to thousands of users.

Page 4: Technical Subterfuge

Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.

Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

Page 5: Hijacking Brand Names

Phishers use a familiar brand name to convince recipients to respond to the fraudulent emails.

Typical brands hijacked are

– banks
– e-retailers
– credit card companies

Page 6: Phishing Trends

The average number of phishing sites is increasing monthly.

The total number of brands hijacked increases monthly.
– APWG reports 629 companies' brands have been hijacked to date
– http://www.millersmiles.co.uk/scams.php

The average time phishing websites live is decreasing.

The number of brands hijacked in a given month is fairly constant.

Page 7: APWG Monthly Report posted October 18, 2007

Page 8: APWG Report Released March 2007

Page 9: APWG Report, January vs. July 2007

                                          January 2007   July 2007
Unique phishing reports received          29930          23917
Unique phishing sites received            27221          30999
Brands hijacked by phishing campaigns     135            126
Average time online for a site            4 days         3.6 days
Longest time online for a site            30 days        31 days

Page 10: Phishing Costs

Consumer Reports, August 2007, reported that 8% of households surveyed lost a median of $200 by purchasing items via phishing.

In 2005, US consumers lost a billion dollars in phishing scams (InfoWorld).

Page 11: Divergent Views of Phishing

Phishing is a security breach
– "Phishing involves an attacker, posing as bank, vendor, or other trusted source, who sends an email asking the recipient to 'confirm' personally identifying information by entering it on a website. This information is then used in identity theft." (Gross, 2007)
– Browsers, firewalls, tools should reliably detect and reject phishing

Phishing is simple to detect
– Despite research showing that users often have sophisticated strategies for protecting sensitive data, even the most sophisticated users rarely score perfectly on the Phishing IQ test

Page 12: Phishing Frustrations

Users are often accused of being the weakest link in security, leaving system designers off the hook.

It is up to users to ensure the authenticity of the phishing email or the instant message.

Tools exist to aid in the elimination of phishing emails, but many still find a way through.

Fear of being phished hinders e-commerce growth.

Page 13: Phishing Preventions

Vendor side has been slow to protect users from scams
– Use of dynamic skins was presented in a paper in 2005
– Implementation by Bank of America in 2007
– Protect the bank rather than the customer

Sign-in Seals are beginning to appear
– Authenticate the site to the consumer
– Authenticating the consumer to the site has been done for a longer time

Page 14: What does this mean to us as educators?

Our students are end users first, security specialists second.

End users need help to identify security threats.

Phishing awareness has positive benefits for computing majors and non-majors.

In a literacy course, phishing awareness
– Provides a critical thinking exercise
– Provides a practical experience

In a major's course, phishing is part of security education.

Page 15: Why Introduce Phishing Awareness in the Lab?

Research indicates students retain more, longer when they practice in a lab setting.

Students liven up when they get to play a game.

Students often find it entertaining to play "hacker" for "credit".

Page 16: Phishing Lab Activities

Phishing IQ test
– http://www.sonicwall.com/phishing

Anti-Phishing Phil game
– http://www.cups.cs.cmu.edu/antiphishing_phil

Analyze a phishing scam
– http://www.millersmiles.co.uk

Spoofing email
– Use telnet to send an email on port 25
– May need to adapt your AV or firewall to allow telnet on port 25

Page 17: Sonicwall IQ Phishing Facts

6.1 Billion - Number of phishing e-mails sent world-wide each month

$1,200 - Average loss to each person successfully phished (Federal Trade Commission)

15,451 - Number of unique phishing attacks in January 2006 (Anti-Phishing Working Group)

7,484 - Number of phishing Web sites found in January 2006 (Anti-Phishing Working Group)

Page 18: SonicWALL IQ test

Example of phish email explanation
– (embedded document: The SonicWALL Phishing IQ Test Copyright 2006 SonicWALL Inc.doc)

The SonicWALL Phishing IQ Test Copyright 2006 SonicWALL Inc. All trademarks are property of their respective owners.

Page 19: Anti-Phishing Phil

Figure 1: Anti-Phishing Phil game screen. Phil, the small fish near the top of the screen, is asked to examine the URL next to the worm he is about to eat and determine whether it is associated with a legitimate web site or a phishing site. Phil’s father (lower right corner) offers some advice. The game is available at: http://cups.cs.cmu.edu/antiphishing_phil/
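The URL judgment Phil trains players to make, written out as code. This is an added example, not part of the slides or of the Anti-Phishing Phil project; the brand list, the short public-suffix set and the sample URLs are constructed for illustration.

```python
"""URL cues from the Anti-Phishing Phil game as code (added example; brand list,
suffix set and sample URLs are constructed, not from the game or the slides)."""
import ipaddress
from urllib.parse import urlsplit

# Minimal set of two-label public suffixes, so 'millersmiles.co.uk' is one domain.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registered_domain(host):
    """Return the part of a host name that was actually registered, e.g. 'paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def judge_url(url, brands):
    """Return (is_suspicious, reasons) using the cues the game teaches:
    user-info before '@', a bare IP host, or a brand name that appears in the
    URL without being the registered domain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        reasons.append(f"text before '@' is not the site; the real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("host is a bare IP address, not a company domain")
    except ValueError:
        is_ip = False
    reg = "" if is_ip or not host else registered_domain(host)
    # Look for the brand in every place a reader's eye might land.
    haystack = " ".join([host, parts.path.lower(), (parts.username or "").lower()])
    for brand in brands:
        b = brand.lower()
        if b in haystack and not reg.startswith(b + "."):
            reasons.append(f"{brand!r} appears in the URL but the registered domain is {reg!r}")
    return (bool(reasons), reasons)


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin",
              "http://www.paypal.com.secure-login.example/login",
              "http://192.0.2.5/ebay/signin"]:
        print(u, judge_url(u, ["PayPal", "eBay"]))
```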

Page 20: Spoof an email

1. Open a command shell.

    Start | Run
    cmd

2. Telnet to the mail server on port 25.

    C:> telnet mail.nku.edu 25

3. Identify by saying HELO.

    HELO

4. Enter the spoofed sender and the recipient of the email. "partner" is your lab partner's email address; "you" is your email address.

    MAIL FROM: [email protected]
    RCPT TO: [email protected]

5. Use the DATA command to send the message. A blank line separates the Subject header from the message body.

    DATA
    Subject: Test

    Write some message to you from your partner.

6. Enter a period on a separate line to send the email and QUIT to terminate telnet.

    .
    QUIT
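What the recipient can learn from the headers the mail server stamps on a message submitted this way: the envelope sender typed at MAIL FROM lands in Return-Path unverified, while the Received header records the real client. Added example, not from the slides; the sample message, host names and addresses are constructed, and the Received line follows the common Postfix-style layout.

```python
"""Header inspection on the receiving side of the telnet lab (added example, not
from the slides; message, hosts and addresses are constructed)."""
import re
from email import policy
from email.parser import Parser

# Constructed: roughly what the recipient's mailbox holds after the lab exchange.
# The MTA records the envelope sender in Return-Path and the real client in Received.
SAMPLE = """\
Return-Path: <partner@example.edu>
Received: from labpc (lab-pc-17.example.edu [192.0.2.17])
\tby mail.example.edu (Postfix) with SMTP id 3F2A1
\tfor <you@example.edu>; Mon, 1 Oct 2007 10:15:00 -0400
Subject: Test

Write some message to you from your partner.
"""

RECEIVED_RE = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\)")


def domain_of(addr):
    """Domain part of 'user@host' or '<user@host>', lower-cased; None if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else None


def analyze(raw):
    """Return a list of findings about where the message really came from."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    envelope = domain_of(msg["Return-Path"])
    if msg["From"] is None:
        findings.append("no From header: the client will display the envelope sender")
    elif domain_of(msg["From"]) != envelope:
        findings.append("From domain does not match Return-Path domain")
    # The topmost Received header was written by the receiving server itself.
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    if m:
        helo, rdns, ip = m.groups()
        findings.append(f"submitted from {rdns} [{ip}] announcing HELO {helo!r}")
    if "Authentication-Results" not in msg:
        findings.append("no SPF/DKIM verdict recorded: envelope sender accepted on trust")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print("-", line)
```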

Page 21: Phroogle Shopping

This lab illustrates a potential phishing manipulation of a shop-bot like Google Shopping, which used to be named Froogle, or Yahoo Shopping. The lab is based on a case study found in Jakobsson and Myers: a fake shopping phishing site named Phroogle.

Jakobsson, Markus and Myers, Steven (2007), Phishing and Countermeasures, Wiley-Interscience, New Jersey.

Page 22: Conclusion

Phishing is a serious security threat that deserves attention in both computing literacy and security curriculum.

Anti-phishing is one aspect of security education.

Page 23: Recommendation

Practice Security Daily
– intertwine security awareness throughout the computing curriculum
– use lab activities to influence student thinking about security