Getting A Hook On Phishing
Laurie Werner, Miami University
Chuck Frank, Northern Kentucky University
What is Phishing?
Phishers go to a lot of trouble to catch phish, not for fun but for PROFIT
They develop schemes to steal consumers' personal identity data and financial account credentials via
– Social Engineering
– Technical Subterfuge
– Hijacking of brand names

Social Engineering Schemes
Use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as
– credit card numbers,
– account usernames and passwords
– social security numbers.
Holes in Listservs can be used to transmit spoofed emails to thousands of users
Technical Subterfuge
Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.
Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.
Hijacking Brand Names
Phishers use a familiar brand name to convince recipients to respond to the fraudulent emails
Typical brands hijacked are
– banks
– e-retailers
– credit card companies
Phishing Trends
The average number of phishing sites is increasing monthly
The total number of brands hijacked increases monthly
– APWG reports 629 companies' brands have been hijacked to date
– http://www.millersmiles.co.uk/scams.php
The average time phishing websites live is decreasing
The number of brands hijacked in a given month is fairly constant
APWG Monthly Report posted October 18, 2007

APWG Report Released March 2007
APWG Report: January vs. July 2007

                                                     January    July
Number of unique phishing reports received           29930      23917
Number of unique phishing sites received             27221      30999
Number of brands hijacked by phishing campaigns      135        126
Average time online for site                         4 days     3.6 days
Longest time online for site                         30 days    31 days
Phishing Costs
Consumer Reports, August 2007, reported that 8% of households surveyed lost a median of $200 by purchasing items via phishing
In 2005, US consumers lost a billion dollars in phishing scams (InfoWorld)
Divergent Views of Phishing
Phishing is a security breach
– "Phishing involves an attacker, posing as bank, vendor, or other trusted source, who sends an email asking the recipient to "confirm" personally identifying information by entering it on a website. This information is then used in identity theft." Gross, 2007
– Browsers, firewalls, tools should reliably detect and reject phishing
Phishing is simple to detect
– Despite research showing that users often have sophisticated strategies for protecting sensitive data, even the most sophisticated users rarely score perfectly on the Phishing IQ test
Phishing Frustrations
Users are often accused of being the weakest link in security, leaving system designers off the hook
It is up to users to ensure the authenticity of the phishing email or the instant message
Tools exist to aid in the elimination of phishing emails, but many still find a way through
Fear of being phished hinders e-commerce growth
Phishing Preventions
Vendor side has been slow to protect users from scams
– Use of dynamic skins was presented in a paper in 2005
– Implementation by Bank of America in 2007
– Protect the bank rather than the customer
Sign-in Seals are beginning to appear
– Authenticate the site to the consumer
– Authenticating the consumer to the site has been done for a longer time
What does this mean to us as educators?
Our students are end users first, security specialists second
End users need help to identify security threats
Phishing awareness has positive benefits for computing majors and non-majors
In a literacy course, phishing awareness
– Provides a critical thinking exercise
– Provides a practical experience
In a major's course, phishing is part of security education
Why Introduce Phishing Awareness in the Lab?
Research indicates students retain more, longer when they practice in a lab setting
Students liven up when they get to play a game
Students often find it entertaining to play "hacker" for "credit"

Phishing Lab Activities
Phishing IQ test
– http://www.sonicwall.com/phishing
Anti-Phishing Phil game
– http://www.cups.cs.cmu.edu/antiphishing_phil
Analyze a phishing scam
– http://www.millersmiles.co.uk
Spoofing email
– Use telnet to send an email on port 25
– May need to adapt your AV or firewall to allow telnet on port 25
Sonicwall IQ Phishing Facts
6.1 Billion - Number of phishing e-mails sent world-wide each month
$1,200 - Average loss to each person successfully phished (Federal Trade Commission)
15,451 - Number of unique phishing attacks in January 2006 (Anti-Phishing Working Group)
7,484 - Number of phishing Web sites found in January 2006 (Anti-Phishing Working Group)
Sonic Wall IQ test
Example of phish email explanation
– The SonicWALL Phishing IQ Test Copyright 2006 SonicWALL Inc.doc
Anti-Phishing Phil
Figure 1: Anti-Phishing Phil game screen. Phil, the small fish near the top of the screen, is asked to examine the URL next to the worm he is about to eat and determine whether it is associated with a legitimate web site or a phishing site. Phil’s father (lower right corner) offers some advice. The game is available at: http://cups.cs.cmu.edu/antiphishing_phil/
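The kind of URL judgement the Phil game trains can be written down as a checker. This is an added example, not the game's code and not from the slides; the brand-to-domain table and the three heuristics (userinfo before "@", a bare IP address as host, a brand name that is not the registered domain) are my own assumptions about what a student should look for.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed table: brand name -> the registered domain that brand really owns.
LEGIT_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com", "citibank": "citibank.com"}

def registered_domain(host: str) -> str:
    """Last two labels of a hostname ('www.paypal.com' -> 'paypal.com').
    Simplification: multi-label public suffixes such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def phishing_indicators(url: str) -> list:
    """Reasons the URL looks like a phish; an empty list means no indicator fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    # 1. user:pass@host trick: whatever comes before '@' is NOT the site visited.
    if "@" in parts.netloc:
        reasons.append("text before '@' is userinfo; the real host is " + host)
    # 2. Legitimate brands serve login pages from a domain name, not a raw IP.
    is_ip = True
    try:
        ipaddress.ip_address(host)
    except ValueError:
        is_ip = False
    if is_ip:
        reasons.append("host is a bare IP address: " + host)
    # 3. The brand must BE the registered domain, not a subdomain or a path.
    reg = host if is_ip else registered_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if reg == legit:
            continue                       # the brand really owns this domain
        if brand in host:
            reasons.append(f"'{brand}' is in the host but the registered domain is {reg}")
        elif brand in parts.path.lower():
            reasons.append(f"'{brand}' appears only in the path of {reg}")
    return reasons
```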
Spoof an email
1. Open a command shell.
   Start | Run
   cmd
2. Telnet to the mail server on port 25.
   C:> telnet mail.nku.edu 25
3. Identify by saying HELO
   HELO
4. Enter the spoofed sender and the recipient of the email. "partner" is your lab partner's email address. "you" is your email address.
   MAIL FROM: [email protected]
   RCPT TO: [email protected]
5. Use the DATA command to send the message.
   DATA
   Subject: Test

   Write some message to you from your partner.
6. Enter a period on a separate line to send the email and "QUIT" to terminate telnet.
   .
   QUIT
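A simulated version of the exchange in steps 3 to 6, added here as a teaching aid and not part of the slides: the server side is a small in-process stand-in, nothing is sent on the network, and the server name and addresses are constructed. It shows that every reply is a syntax check only; the MAIL FROM address is taken at face value, which is the gap the lab demonstrates and where a receiving mail server's sender checks would have to sit.

```python
import re

class SimulatedMailServer:
    """In-process stand-in for the lab's mail server (constructed name; nothing is sent)."""
    ADDR = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?$")

    def __init__(self, name="mail.example.invalid"):
        self.name, self.envelope, self.in_data, self.lines = name, {}, False, []
        self.delivered = []   # (envelope, message) pairs the server queued

    def handle(self, line):
        """Return the server's reply to one client line ("" for lines inside DATA)."""
        if self.in_data:      # collecting the message until the lone "."
            if line != ".":
                self.lines.append(line)
                return ""
            self.in_data = False
            self.delivered.append((dict(self.envelope), "\n".join(self.lines)))
            return "250 OK: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 " + self.name
        if verb in ("MAIL", "RCPT"):
            m = self.ADDR.search(arg.split(":", 1)[-1].strip())
            if not m:
                return "501 syntax error in address"
            # Syntax is the only check: the server has no proof the client owns the
            # MAIL FROM address. That gap is what the lab shows, and it is where a
            # receiving MTA's sender verification would have to sit.
            self.envelope["from" if verb == "MAIL" else "to"] = m.group(1)
            return "250 OK"
        if verb == "DATA":
            self.in_data, self.lines = True, []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 unrecognized command"

def run_lab_session(client_lines):
    """Replay client lines; return the (side, text) transcript and the queued mail."""
    srv = SimulatedMailServer()
    transcript = [("S", "220 " + srv.name + " ESMTP")]
    for line in client_lines:
        reply = srv.handle(line)
        transcript.append(("C", line))
        if reply:
            transcript.append(("S", reply))
    return transcript, srv.delivered
```

Printing the transcript side by side with the lab's own telnet session makes the point visible: the claimed sender is stored in the envelope unchallenged and later surfaces as the message's Return-Path.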
Phroogle Shopping
This lab illustrates a potential phishing manipulation of a shop-bot like Google Shopping, which used to be named Froogle, or Yahoo Shopping. This lab is based on a case study found in Jakobsson and Myers' fake shopping phishing site named Phroogle.
Jakobsson, Markus and Myers, Stephen (2007), Phishing and Countermeasures, Wiley-Interscience, New Jersey.
Conclusion
Phishing is a serious security threat that deserves attention in both computing literacy and security curriculum.
Anti-Phishing is one aspect of security education

Recommendation
Practice Security Daily
– intertwine security awareness throughout the computing curriculum
– use lab activities to influence student thinking about security