phishing into the future starr alexander sugato bose annie chanchaisri philip fort david salley...
Post on 18-Dec-2015
220 Views
Preview:
TRANSCRIPT
Phishing into the Phishing into the FutureFuture
Starr Alexander Sugato Bose Annie Chanchaisri Philip Fort David Salley Allen Walker Thomas Witnauer
What is Phishing?What is Phishing?
Originates in the analogy that internet scammers
use e-mail lures to fish for passwords and
financial data from the sea of internet users.
What is Phishing?What is Phishing?
Web page code is copied from a major site
Replica page, that appears to be part of the companies’ site, is set up
A fake e-mail is sent out with a link to this site
Sends financial data or password to scammer
Leaves user on a company web site
The HistoryThe History
A form of social engineering attack
Term was coined in 1996 by hackers
May have been used even earlier in “2600” (hacker newsletter)
Earliest citation:
“It used to be that you could make a fake account on AOL so long as you had a credit
card generator. However, AOL became smart. Now they verify every card with a bank after it is typed in. Does anyone know of a way to get
an account other than phishing?”
- mk590, “AOL for free?”, alt.2600, January
28, 1996.
The HistoryThe History
Phishing is not a new concept
A type of scam that has been around for years
Predates computers
Called social engineering
The HistoryThe History
Underlying concept of spoofing users into revealing sensitive information is not new
Password capturing via fake login prompts is a basic hacker trick for years
Hackers did it over the phone for years
PhishingPhishing
Phone PhreakingPhone Phreaking
First form of hacking
Used a “blue box” that emitted tones that allowed a hacker to control phone switches
Made long distance calls billed to someone else’s account
Possibly the origin of the “PH” in phishing
Navigating the Frontier: Where Frauds Are Navigating the Frontier: Where Frauds Are
1. Online Investment Newsletters
2. Online Bulletin Boards
3. Email Spams
Country of OriginCountry of Origin
Company % of Attacks
United States 32.07%
Republic of Korea 15.39%
France 6.55%
China 6.40%
United Kingdom 4.06%
Germany 3.85%
Spain 3.81%
Japan 3.05%
Italy 2.48%
* by message count
- CipherTrust, 2004
Top 10 Tricks Used in Top 10 Tricks Used in PhishingPhishing
1. Mimic Reputable Companies2. Use Different Reply Address From the Claimed Sender3. Create a Plausible Premise4. Require a Quick Response5. Promise Security and/or Privacy6. Collect Information in the E-mail7. Link to Web Sites That Gather Information8. Fake a Secure Connection9. Process Submitted Information Immediately10. Buy Time to Access Accounts
- MailFrontier, Inc. 2004
Other Forms of HackingOther Forms of Hacking
Slamming Switching a customer from one long distance
carrier to another without permission
Web Cramming A person or business accepts an offer for a
free website, only to be charged a monthly fee on their phone bill
Identity Theft The use of personal authentication information
(i.e. name, social security, etc.) to commit fraud by opening credit card accounts, ordering checks, etc.
Consumer ConfidenceConsumer Confidence
28% of consumers identified fraudulent e-mails as legitimate according to a study by Mail Frontier Inc.
50% of consumers thought a legitimate Federal Trade Commission e-mail was fraudulent
20% of consumers identified a legitimate PayPal “payment received” e-mail as fraud
31% fell for a fraudulent PayPal e-mail that had been reported about widely.
Consumer ConfidenceConsumer Confidence
These statistics indicate the success rate of phishing to fool people
It is inhibiting the effectiveness of e-mail as a form of communication to the consumer
If consumers cannot correctly identify a legitimate e-mail, they may ignore all business related e-mails
Many fraudulent websites are hosted through international computers
15% in Republic of Korea, 6% in China, and 6% in France
Criminals may be located in different location than the computer
Consumer ConfidenceConsumer Confidence
International locations make it more difficult to shut down due to time zone and language barriers
Average life span of fraudulent websites is 2.25 days
Phishing is the fastest growing scam according to Barbara Span of First Data
Phishing has gone from no complaints a year ago to #4 of the list with the National Consumer League
Percentage of Corporate Phishing Percentage of Corporate Phishing VictimsVictims
Company % of Attacks
Citibank 54.16%
Smith Barney 13.48%
Suntrust 10.02%
PayPal 7.57%
Wells Fargo 5.42%
HSBC 5.07%
eBay 4.15%
USBank 0.11%
CitizensBank 0.014%
- CipherTrust, 2004
Software SolutionsSoftware Solutions
1. Symantec The Online Fraud Management Solution
2. SMS based security SSL/TLS channel
Existing Federal LawsExisting Federal Laws
No Existing Law solely devoted to Phishing.
Existing federal laws do criminalize phishing - but mainly after a consumer has already been defrauded.
Such laws include the laws against wire fraud, identity theft, credit card fraud, computer fraud, CAN SPAM Act, and a number of trade laws.
The Identity Theft Penalty Enhancement Act, (ITPEA) establishes a new crime of "aggravated identity theft“. Convictions for aggravated identity theft - including phishing -- would carry a mandatory two-year prison sentence.
The Anti-Phishing ActThe Anti-Phishing Act
Bill introduced to senate by Senator Patrick Leahy on July 9, 2004.
It targets the entire scam, all the way from sending the e-mail to creating fraudulent sites.
It averts free speech issues by exempting parodies and political speech (via email or on websites) from its reach.
It stipulates that the perpetrator must have the specific criminal purpose of committing a crime of fraud or identity theft.
Strengths of the ActStrengths of the Act
It criminalizes the bait - not just successful phishing.
It makes it illegal to knowingly send out spoofed email that links to sham websites, with the intention of committing a crime.
It criminalizes the operation of the sham websites that are the locus of the wrongdoing.
If the bill were to become law, then each and every element of the scam would become a felony subject to five years in prison and/or a fine up to $250,000.
Tips to Protect Yourself from Phishing Tips to Protect Yourself from Phishing ScamScam
1. Never Click on Hyperlinks within Emails2. Use Anti-Spam Filter Software3. Use Anti-Virus Software4. Use a Personal Firewall5. Keep Software Updated (Operating Systems &
Browsers6. Always Look for “https” and “padlock” on site that
request personal information
7. Keep Your Computer Clean From Spyware8. Educate Yourself on Fraudulent Activity on the
Internet9. Check Your Credit Report Immediately, for Free10. Seek Advice if you’re Unsure
What To Do If You Are A VictimWhat To Do If You Are A Victim
For financial concerns close accounts immediately and call your institution
For SSN concerns, again call your bank
Clear yourself of responsibility
Check your credit report
Contact FTC
MailFrontier Phishing IQ Test MailFrontier Phishing IQ Test IIII
http://survey.mailfrontier.com/survey/quiztest.html
Questions???Questions???
top related