PHISHING ATTACKS AND ITS VECTORS
Description: Phishing attacks and their preventive measures
All Rights Reserved gaganjain.com 2015
PHISHING ATTACKS AND ITS SOLUTIONS. GRIN Archive No: V295346
Phishing!
Paper: GAGAN JAIN B SATISH
Contents
1.1 Introduction
2. PHISHING ATTACKS AND ITS VECTORS
2.1 PHISHING ATTACK
2.2 TYPES OF ATTACKS FOR TYPES OF USERS!
2.3 WHAT CAN AN ATTACKER GET FROM THESE ATTACKS?
3. HOW TO RESOLVE THESE ATTACKS
3.1 a) MAIL
3.2 b) Social Engineering
3.3 c) QR Code
4. REPORTS BY ANTIVIRUS GIANTS
AVAST REPORT
TOP TEN TLDs PHISHING ORIGINATES FROM
Conclusion
References
1.1 Introduction
In today's world people are so interconnected that it is easy to communicate with people we do not get to meet every day. People use online social networks, blogs, websites and other media to communicate and to share things with each other. But all of this has a downside that can lead to serious trouble: a victim's first and last name alone can be enough of a starting point to attack an individual today. Alongside these technologies, attackers have also become more sophisticated, building automated scripts that take over an account as soon as credentials are supplied to them. This paper looks at one such attack: the attacker exploits a user's credentials by presenting a dummy page that looks like the site the user wanted to log in to. After the user enters his credentials, the page redirects to the original site, so the user believes the page merely reloaded, when in reality his username and password have already been stolen.
PHISHING ATTACKS AND ITS VECTORS
Prepared by
GAGAN JAIN B SATISH
2. PHISHING ATTACKS AND ITS VECTORS
2.1 PHISHING ATTACK
A phishing attack is a type of attack in which the attacker fools the victim into entering his credentials into a fake (dummy) page that looks like the real login page of a website. Phishing is one of the easiest ways of compromising a victim, because it attacks the person rather than the software. There are many scenarios in which phishing attacks are used. The main targets are:
- Social networking sites
- Banks
- Companies
- Job banks
- Gaming sites
What exactly happens in a phishing attack?
[Figure: flow of an email phishing attack. ATTACKER sends an EMAIL to the VICTIM; the victim clicks on the link in the email; the link opens the FAKE PAGE, which records the credentials and then redirects to the ORIGINAL PAGE.]
This is the common scenario of an email phishing attack; the figure shows how such an attack proceeds from the email to the fake page and back to the real site.
2.2 TYPES OF ATTACKS FOR TYPES OF USERS!
Phishing attacks are not performed only by spoofing an email address. The victim can also be attacked locally. There are different types of attack for different cases:
- Victim at an unknown or remote location. This is achieved by sending an email or a text message so that the victim is led to the fake page, where he enters his credentials.
In this type of attack the attacker sends a mail pretending to be from a company, an organization or a website. The attacker creates an email template that looks like a real email from that sender and contains a link which takes the victim to the fake page, where the victim enters his username and password. After clicking the login button the page reloads and redirects to the original page, so to the victim it looks as if the page simply reloaded. The attacker now has a text file on the server hosting the fake page in which the victim's credentials are stored.
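The weak point of the email described above is the link itself: the visible text says one site, the href goes to another, the host is often a bare IP or carries the brand name as a subdomain of some unrelated domain, and the fake login page is served over plain http. The following script is an added example (not code from the paper) that pulls every anchor out of an HTML email body and reports those signs. The sample email body, the hostnames in it and the set of "legitimate" domains are constructed for the example; real mail would be read from a .eml file instead.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body of the kind described above.
# All hostnames are made up for the example.
SAMPLE_EMAIL_HTML = """
<p>Your Facebook account will be locked in 24 hours.</p>
<p><a href="http://facebook.com.account-verify.example/login.php">https://www.facebook.com/login</a></p>
<p><a href="http://192.0.2.10/fb/">Review activity</a></p>
<p><a href="https://www.facebook.com/help">Help centre</a></p>
"""

# Domains the impersonated organisation really owns (assumption for the example).
LEGITIMATE_DOMAINS = {"facebook.com"}


def registered_domain(host):
    """Last two labels of a hostname, e.g. 'login.facebook.com' -> 'facebook.com'.
    Good enough here; a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, legit=LEGITIMATE_DOMAINS):
    """Return the list of reasons this link is suspicious (empty if it looks fine)."""
    reasons = []
    host = host_of(href)
    reg = registered_domain(host)
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    # 1. The visible text names one site while the href goes to another.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registered_domain(shown.group(1)) != reg:
        reasons.append(f"link text shows {shown.group(1)} but href goes to {host}")
    # 2. The brand appears as a subdomain of some other registered domain.
    for brand in legit:
        if brand in host and reg != brand:
            reasons.append(f"'{brand}' embedded in {host}, registered domain is {reg}")
    # 3. A login page served over plain http.
    parsed = urlparse(href)
    if parsed.scheme == "http" and "login" in parsed.path.lower():
        reasons.append("login page served over plain http")
    return reasons


def triage_email(html, legit=LEGITIMATE_DOMAINS):
    """Map each suspicious href to its reasons; clean links are omitted."""
    findings = {}
    for href, text in extract_anchors(html):
        reasons = check_link(href, text, legit)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in triage_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first link is flagged for all three reasons, the IP-literal link for one, and the genuine help-centre link is not reported at all. The same checks apply to links in text messages once the URL has been extracted.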
- Victim on a local network. This is the case where the victim is on the same network as the attacker. The attacker abuses the Address Resolution Protocol (ARP), which maps IP addresses to MAC addresses on the local segment, by sending forged ARP replies; this is called an ARP poisoning attack. First the attacker scans the network and gets the list of all devices connected to the same access point he is connected to. Then the attacker finds the victim's IP and MAC address and sends forged ARP replies so that the victim's machine (and the gateway) associate the attacker's MAC address with the other side's IP address. From then on whatever the victim sends towards the access point passes through the attacker's machine first, so the attacker can answer the victim's web requests himself and redirect the victim's browser to his own local server. This is a MITM (man in the middle) attack. The victim lands on the attacker's fake page, which looks like the page the victim requested and works the same way as in every other phishing attack. Note that if the victim uses HTTPS and the browser already knows the site (for example through HSTS), the attacker cannot present the real site's certificate, so the redirection produces a certificate warning rather than a silent fake page; the attack works best against plain HTTP.
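The ARP poisoning step leaves a trace that a host or a network monitor can spot: the gateway's IP suddenly answers with a different MAC, and one MAC starts answering for several IPs including the gateway. The following script is an added example (not code from the paper) that applies those two checks to a list of observed ARP replies. The replies, IP addresses and MAC addresses are constructed for the example; in practice they would come from periodic arp -a snapshots or from ARP frames in a packet capture.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN as (ip, mac, time_seconds).
# Every address here is made up for the example.
GATEWAY_IP = "192.168.1.1"

ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01", 1.0),  # real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20", 1.5),  # victim
    ("192.168.1.30", "aa:bb:cc:00:00:30", 2.0),  # attacker's own host
    ("192.168.1.1",  "aa:bb:cc:00:00:30", 5.0),  # forged: gateway IP now maps to attacker MAC
    ("192.168.1.20", "aa:bb:cc:00:00:30", 5.1),  # forged: victim IP also maps to attacker MAC
    ("192.168.1.1",  "aa:bb:cc:00:00:30", 6.0),  # repeated forged reply (should not re-alert)
]


def build_view(replies):
    """Return (first MAC learned per IP, set of IPs claimed per MAC)."""
    first_mac = {}
    ips_by_mac = defaultdict(set)
    for ip, mac, _ts in replies:
        first_mac.setdefault(ip, mac)
        ips_by_mac[mac].add(ip)
    return first_mac, ips_by_mac


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Return a list of alert strings built from two signals:
    1. an IP whose MAC changes from the one first learned (worst when it is the gateway);
    2. one MAC answering for more than one IP, the gateway among them, which is what
       a man-in-the-middle attacker does to sit between the victim and the router."""
    alerts = []
    first_mac, ips_by_mac = build_view(replies)
    already_reported = set()
    for ip, mac, ts in replies:
        if first_mac[ip] != mac and (ip, mac) not in already_reported:
            already_reported.add((ip, mac))
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}{ip} changed from {first_mac[ip]} to {mac} at t={ts}")
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            others = ", ".join(sorted(ips - {gateway_ip}))
            alerts.append(f"{mac} claims gateway {gateway_ip} and also {others}: likely MITM")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print(alert)
```

On the sample this produces three alerts: the gateway change, the victim change, and the one MAC claiming three IPs. The durable fix on a managed network is Dynamic ARP Inspection on the switch or static ARP entries for the gateway on the clients; the script only detects, it does not prevent.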
2.3 WHAT CAN AN ATTACKER GET FROM THESE ATTACKS?
An attacker can gain full access to the victim's accounts: email ID, username, passwords, credit card numbers, SSN, SIN, and anything else a victim uses on the internet to identify himself or to purchase something. Because the victim handed over the credentials himself, the attacker does not need to break any software. This is a very high level threat and easy to deploy for anyone who knows standard HTML, PHP and web hosting.
In simple terms, an attacker can gain everything from you.
Here are three examples where a victim's account is compromised and sensitive data has been stolen.
FACEBOOK:
[Figure: a fake Facebook notification email that looks just like an original email.]
FACEBOOK PHISHING PAGE:
[Figure: screenshot of a fake Facebook login page.]
GMAIL:
[Figure: fake Gmail login page, https://blog.fierydragonlord.com/uploads/gmail-phishing/fake-gmail-login.png]
RBC BANK PHISHING PAGE:
[Figure: screenshot of a fake RBC bank login page.]
3. HOW TO RESOLVE THESE ATTACKS
3.1 a) MAIL
1. Guard against spam. Be especially cautious of emails that:
* come from unrecognized senders;
* ask you to confirm personal or financial information over the Internet and/or make urgent requests for this information;
* aren't personalized;
* try to upset you into acting quickly by threatening you with frightening information.
2. Communicate personal information only via phone or secure web sites. When conducting online transactions, look for a sign that the site is secure, such as a lock icon in the browser or an https: URL (the s stands for secure) rather than http:. Keep in mind that the padlock only means the connection is encrypted, not that the site is legitimate: a phishing site can also be served over https, so check the domain name as well. Also beware of phone phishing schemes. Do not divulge personal information over the phone unless you initiated the call, and be cautious of emails that ask you to call a phone number to update your account information.
3. Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender.
4. Never email personal or financial information, even if you are close to the recipient. You never know who may gain access to your email account, or to the account of the person you are emailing.
5. Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with. Phishing web sites often copy the entire look of a legitimate web site, making them appear authentic. To be safe, call the legitimate enterprise first to see if they really sent that email to you. After all, businesses should not request personal information to be sent via email.
6. Beware of pop-ups and follow these tips:
* Never enter personal information in a pop-up screen.
* Do not click on links in a pop-up screen.
* Do not copy web addresses into your browser from pop-ups.
* Legitimate enterprises should never ask you to submit personal information in pop-up screens, so don't do it.
7. Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software, and update it all regularly so that you are protected from new viruses and spyware.
8. Check your online accounts and bank statements regularly to ensure that no unauthorized transactions have been made. (Identitytheftkiller.com, n.d.)
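Several items in the list above (unrecognized senders, urgent requests, impersonal greetings) can be checked mechanically from the message headers and body before a user ever sees the link. The following script is an added example (not code from the paper or from any of the sources it cites) that reads a raw message with Python's standard email module and reports those markers. The sample message, its addresses and domains, and the table of brands and their real sending domains are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address and domain in it is made up.
SAMPLE_RAW_EMAIL = """From: "RBC Royal Bank" <alerts@rbc-secure-notice.example>
Reply-To: recover@mailbox-example.example
Return-Path: <bounce@bulkmailer.example>
To: customer@example.net
Subject: URGENT: verify your account within 24 hours or it will be suspended
Content-Type: text/plain

Dear customer,

We detected unusual activity. Verify your account now: http://rbc.com.verify-login.example/

RBC Security Team
"""

# Brands and the domains they really send from (assumption for the example).
KNOWN_SENDERS = {"rbc": {"rbc.com"}}

URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|suspended|verify your account|act now)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|member|client)\b", re.I | re.M)


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To/Return-Path header, or ''."""
    _name, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_headers(raw):
    """Return the list of phishing markers found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    reasons = []
    # 1. Display name claims a brand that does not send from this domain (unrecognized sender).
    for brand, domains in KNOWN_SENDERS.items():
        if brand in display_name.lower() and from_dom not in domains:
            reasons.append(f"display name claims {brand!r} but From domain is {from_dom}")
    # 2. Replies or bounces go somewhere other than the From domain.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        reasons.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    # 3. Pressure language in subject or body, and an impersonal greeting.
    hits = sorted({h.lower() for h in URGENCY.findall(msg.get("Subject", "") + "\n" + body)})
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    if GENERIC_GREETING.search(body):
        reasons.append("not personalised (generic greeting)")
    return reasons


def score(reasons):
    """Crude severity: one point per marker; three or more means treat as phishing."""
    return len(reasons)


if __name__ == "__main__":
    found = triage_headers(SAMPLE_RAW_EMAIL)
    print(f"score {score(found)}")
    for reason in found:
        print(" -", reason)
```

The sample scores five markers. These heuristics complement, rather than replace, the SPF, DKIM and DMARC results that a receiving mail server records in the Authentication-Results header; a message that fails DMARC for the claimed From domain should be rejected regardless of its wording.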
3.2 b) Social Engineering
Introduction
Social engineering techniques are among the most powerful tools in the hacker's toolbox. Generically, social engineering is motivating someone ('the mark') to disclose personal or other important information that the hacker can use to his own advantage (e.g., to steal an identity in order to exploit financial information, or to extract an important password in order to break into a server).
Just like the traditional grifters of the past, hackers use people's general tendency to want to 'be nice', 'stay out of trouble' and/or 'protect their own assets' to motivate them to give out information, and even to feel good about doing it.
Examples
Probably the most popular and well-known social engineering scam is known as the '419 scam' (after the section of the Nigerian Penal Code that covers this sort of infraction) or, more generically, as 'Advance Fee Fraud'. In this scam, an important government official (or similar personage) has tragically died, leaving behind a large sum of money. In exchange for your help in moving the money from an unfriendly foreign country to a friendlier bank account, you will receive a substantial reward (e.g., 20% of 60 million dollars). Who could resist doing good and being rewarded for the good deed? This scam has been conducted via postal mail, fax and telex in addition to the far cheaper e-mail proliferation mechanism.
Surprisingly, handing over your bank account number is not usually the way 419 scammers make money. Their income derives from the fees you must pay to bribe certain officials, to lubricate the liberation of the money from a bank account, and so on. It is believed that no one has ever received money in return for these investments. In fact, many folks have lost small fortunes (see a New Yorker article, a Fox News report with a reference to the pastor's wife who killed him after losing their family savings, cases in Japan, and a BBC report of a scammed Briton).
While most people these days have heard of the 419 scam and recognize it by the telltale "too good to be true" litmus test, social engineers use other motivations to extract people's information:
"This email confirms you have paid $xxx for [some product]": of course, you never bought anything from the company and will give them information to find the errant payment and refund your money. The scam is that they are just collecting your credit card information to make actual charges.
"PayPal (or someone) needs you to reconfirm your information": no, they don't. The web page looks legitimate except for one little link that sends your information to the scammer instead of to PayPal. Everything looks legitimate until that very last click.
"Your account at [xxx] has been suspended for ...": no, it hasn't. But you will have to supply a goodly amount of personal information to get it back. Don't do this!
Examples of these emails can be seen at:
http://web.stanford.edu/group/security/securecomputing/phishingexample.html
Defence
Vigilance is the only defence against social engineering. Look for these markers to know you're getting ready to divulge too much:
"Here's your big chance to play the new fantastic version of the [xxx] game!" The link, of course, goes somewhere where they will extract some private information (your real name? a password that might work somewhere else? your birthdate, in order to prove you are 'old enough' to play, etc.). This really is the #1 rule: avoid clicking links people send you; use a search engine to find the proper link instead.
Anything that sounds too good to be true probably is. It is unlikely that you have won the Irish Sweepstakes, even if you elect to send in a $1,000 security payment.
Any solicitation you get in email that you did not request, even from a trusted friend, should be discarded immediately. No reputable company works this way. Email with misspelled, mispunctuated or bizarrely formatted text is almost surely a scam. If something feels like it requires action, confirm via telephone with someone you know (or at least can verify, e.g., by calling the corporate headquarters) before you send money. A recent scam asks for money because your best friend (or aunt, or grandmother, or ...) is caught in Europe (or some other faraway place) and can't return until they pay bail, or a fee, or some other money requirement. You, the trustworthy friend or relative, can help them! Call them at home to make sure they're not there before sending money.
Any time you are getting ready to feel good about giving away some money or information, think twice: why am I really doing this? Do I know who is on the other end of my bequest? "Hey, John, please remind me of the combination to get into the machine room." Who is really asking?
Keywords to avoid: verify, account, won, lottery, respond [now, quickly], or you will suffer [some horrible thing]. See these? Click delete.
Vishing: these same pitches and scams work in airports, for panhandlers, and for all sorts of non-computer scammers too, by the way. They even work when people call you on the phone! "Hey, Jill, this is Ralph over in accounting. I've forgotten [xxx], can you help me out?" Look up their number and call them back.
SMiShing: the same idea for text messages on your phone. Don't believe a bank will text you; call them on an independently verified number.
With eyes wide open, the Internet can be a happy and safe place for many sorts of transactions. (Stanford, May 2014)
3.3 c) QR Code
WHAT IS A QR CODE?
The QR in the name stands for quick response, expressing the development concept for the code, whose focus was placed on high-speed reading. When it was announced, however, even Hara, one of the original developers of the code, could not be sure whether it would actually be accepted as a two-dimensional code to replace barcodes.
Example:
Nowadays QR codes are pretty famous and people use them to generate their identity proof and exchange it as well. This is actually pretty cool! Let's say I join a company and the company gives me a visiting card with a QR code printed on it. That's pretty cool! Anyway, as I was explaining, a QR code can be generated for my Facebook profile so that new friends can add me more easily.
Now one day as I was walking by I saw a QR code stuck on a pole in the street. I walked up to see what it was all about and saw a party night poster next to it, pointing to the QR code to get invited to the party: JUST POINT YOUR DEVICE AT THIS QR CODE AND GET INVITED VIA FB EVENTS.
So I thought this was interesting: why would someone want to get invited to a party by people they don't even know? So I decided to look for myself and scanned the code.
As I scanned the code it redirected me to the FACEBOOK LOGIN page, and it was also converted to a mobile site. Nice! Then I looked up at the URL and saw:
http://Facibok.me/login.php
This is some new level of hacking. This must have hacked at least 200 people's Facebook accounts.
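A QR code hides the URL until the phone has already opened it, so the only check left to the user is the domain in the address bar, and "Facibok.me" is exactly the kind of lookalike that is easy to miss on a small screen. The following script is an added example (not code from the paper) that classifies a decoded URL as legitimate, a lookalike of a protected brand, or unknown, using three signals: exact match of the registered domain, the brand appearing as a subdomain of something else, and a typo or digit-for-letter ("leet") variant of the brand label within a small edit distance. The list of protected brands and the sample URLs other than the one quoted above are constructed for the example; decoding the QR image itself (for example with a zbar binding) is outside the script.

```python
from urllib.parse import urlparse

# Brands this check protects (assumption for the example).
PROTECTED = ["facebook.com", "rbc.com", "gmail.com"]

# URLs a scanned QR code might decode to; the first is the one described above,
# the others are constructed for the example.
SAMPLES = [
    "http://Facibok.me/login.php",
    "https://www.facebook.com/events/",
    "https://faceb00k-login.example/",
    "http://rbc.com.secure-update.example/signin",
]

# Digits and symbols commonly swapped for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute); inputs are short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels, e.g. 'm.facebook.com' -> 'facebook.com' (no Public Suffix List here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url, protected=PROTECTED):
    """Return ('legit' | 'lookalike' | 'unknown', registered_domain)."""
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in protected:
        return "legit", reg
    base = reg.split(".")[0].translate(HOMOGLYPHS)  # label without TLD, leet undone
    for good in protected:
        good_base = good.split(".")[0]
        # Brand used as a subdomain of an unrelated domain, e.g. rbc.com.evil.example
        if host.startswith(good + ".") or f".{good}." in host:
            return "lookalike", reg
        # Typo or homoglyph of the brand label, or the brand label with a suffix glued on.
        max_edits = 1 if len(good_base) < 6 else 2
        if levenshtein(base, good_base) <= max_edits or base.startswith(good_base):
            return "lookalike", reg
    return "unknown", reg


if __name__ == "__main__":
    for url in SAMPLES:
        verdict, domain = classify(url)
        print(f"{verdict:9} {domain:28} {url}")
```

"Facibok" is two edits away from "facebook", so it is reported as a lookalike, while the real events page is reported as legitimate. Short brand labels such as "rbc" will match many unrelated three-letter names even with a one-edit threshold, so for those the subdomain check is the useful signal and the edit-distance result should be treated as a hint to review, not as a verdict.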
4. REPORTS BY ANTIVIRUS GIANTS
According to the APWG's Global Phishing Report for 1H2014:
[Figure: chart from http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf]
AVAST REPORT:
[Figure: Avast report; see reference 4.]
TOP TEN TLDs PHISHING ORIGINATES FROM:
[Figure: table of the top ten TLDs by number of phishing domains, from the APWG Global Phishing Report 1H2014.]
These are the top ten domain TLDs (e.g. .com, .in, .org, .edu) under which phishing sites were registered in that period; these are the TLDs you should look out for. Because the list is dominated by the largest TLDs, where most legitimate sites also live, the TLD alone is a weak signal and should be used together with the checks in section 3. Source:
http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
Conclusion
Phishing attacks are evolving day by day and the scams are becoming ever more realistic. So users have to become more technologically educated about how to use these services and how to use them securely.
The online world is a bigger world than you think, and you are unique there on your own: each user has his own pattern of using the Internet. So your identity is your secret. Never trust anybody online, and never reveal your identity to unknown sources.
Almost forgot! To check whether an email address or username you use frequently has appeared in a known data breach, visit this site:
https://haveibeenpwned.com
References:
1. Phishing & Social Engineering. (2014, May 25). Stanford University. Retrieved March 28, 2015, from http://web.stanford.edu/group/security/securecomputing/phishing.html
2. Aaron, G. (2014). Global Phishing Survey: Trends and Domain Name Use in 1H2014. APWG. Retrieved March 28, 2015, from http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
3. Are You Phishing For Trouble? These 8 Ways To Prevent "Phishing Scams" Will Keep You From Getting Wet. (n.d.). Identitytheftkiller.com. Retrieved March 28, 2015, from http://www.identitytheftkiller.com/prevent-phishing-scams.php
4. Horejsi, J. (2014, April 14). Email with subject "FW: Bank docs" leads to information theft. Avast blog. Retrieved March 28, 2015, from https://blog.avast.com/2014/04/01/email-with-subject-fwbank-docs-leads-to-information-theft/
5. Gmail phishing (fake Gmail login page). (n.d.). Retrieved March 28, 2015, from https://blog.fierydragonlord.com/uploads/gmail-phishing/fake-gmail-login.png
6. Have I Been Pwned. https://haveibeenpwned.com/