What is Phishing? - New Franklin R

advertisement
Let’s Go Phishing!
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Objectives
• Phishing defined
• Recognizing a phishing attack
• Protecting your identity
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
What is phishing?
Phishing attacks use both social engineering and technical
subterfuge to steal consumers' personal identity data and
financial account credentials. Social-engineering schemes
use “spoofed” e-mails to lead consumers to counterfeit
websites designed to trick recipients into divulging financial
data such as credit card numbers, account usernames,
passwords and social security numbers. Hijacking brand
names of banks, e-retailers and credit card companies,
phishers often convince recipients to respond. Technical
subterfuge schemes plant crimeware onto PCs to steal
credentials directly, often using Trojan keylogger spyware.
Source: http://www.antiphishing.org/
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Wow! OK, so what does that mean?
• Spoofed e-mail
• Social engineering
• Crimeware
• Keylogger
• Spyware
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Anti-Phishing Working Group
In October 2005,
– 15,820 phishing e-mail messages
reported to the APWG.
– 4367 unique phishing sites identified.
– 96 brand names were hi-jacked.
– Average time a site stayed on-line was
5.5 days.
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Statistics
43 percent of adults have received a
phishing contact.
Five percent of those adults gave their
personal information.
www.informationweek.com/story/showArticle.jhtml?articleID=163101877&tid=13692
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Questions?
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
How many of you have seen a phishing
e-mail?

Yes! I have seen one (or two or
three).
x
No, I have no idea what you are
talking about .
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Headers from e-mail:
Return-Path: <root@gangdeok.es.kr>
X-Original-To: security@more.net
Delivered-To: security@more.net
Received: from nook.more.net (nook.more.net [207.160.130.11])
by vortex.more.net (Postfix) with ESMTP id 1FC8DC088D
for <security@more.net>; Thu, 23 Jun 2005 06:52:31 -0500 (CDT)
Received: from localhost (localhost.more.net [127.0.0.1])
by nook.more.net (Postfix) with ESMTP id EF4D8CFE8B
for <security@more.net>; Thu, 23 Jun 2005 06:52:30 -0500 (CDT)
Received: from nook.more.net ([127.0.0.1])
by localhost (nook.more.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 14184-12 for <security@more.net>; Thu, 23 Jun 2005 06:52:30 -0500 (CDT)
Received: from gangdeok.es.kr (unknown [211.248.95.131])
by nook.more.net (Postfix) with ESMTP id EF879CFE83
for <security@more.net>; Thu, 23 Jun 2005 06:52:29 -0500 (CDT)
Received: from gangdeok.es.kr (gangdeok.es.kr [127.0.0.1])
by gangdeok.es.kr (8.12.9/8.12.9) with ESMTP id j5NBeEKw000369
for <security@more.net>; Thu, 23 Jun 2005 20:40:14 +0900
Received: (from root@localhost)
by gangdeok.es.kr (8.12.9/8.12.9/Submit) id j5NBeDiu000367
for security@more.net; Thu, 23 Jun 2005 20:40:13 +0900
Date: Thu, 23 Jun 2005 20:40:13 +0900
To: security@more.net
Subject: Secure your ACCOUNT
Message-ID: <1119526813.4865.qmail@southtrust.com>
From: "secure@southtrust.com" <secure@southtrust.com>
Content-Type: text/html
X-Virus-Scanned: amavisd-new at more.net
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Questions?
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
HTML of message:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>SouthTrust Online Banking</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"><LINK
href="https://southtrustonlinebanking.com/retail/css/stylesheet.css"
rel=stylesheet>
<META content="MSHTML 6.00.2800.1458" name=GENERATOR></HEAD>
<BODY style="BACKGROUND-COLOR: rgb(255,255,255)" leftMargin=0 topMargin=0
marginwidth="0" marginheight="0">
<FORM name=frmLogin onsubmit="return handleLogin();" action=login.php
method=post>
<TABLE style="WIDTH: 793px; HEIGHT: 784px" cellSpacing=0 cellPadding=0 width=793
border=0>
<TBODY>
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
What you see on the screen:
Login to your SouthTrust Online Banking with your
SouthTrust username and password.
Confirm your identity as a card memeber of
SouthTrust.
View your transaction history and report
suspicious activity or any unauthorized change.
https://southtrustonlinebanking.com/retail/
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
What the HTML really does:
<U>Login to your SouthTrust Online Banking with
your SouthTrust username and password.</U></P>
<P>    <U>Confirm your identity as a card
memeber of
SouthTrust.</U></P>
<P>    <U>View your transaction history
and report
suspicious activity or any unauthorized change.</U></P>
<A
href="http://202.39.131.162/.southtrustonlinebanki
ng.com/retail/">https://southtrustonlinebanking.co
m/retail/
</A>
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
GEEKTOOLS - Looking up IP address owner
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Whois reveals:
inetnum: 202.39.128.0 - 202.39.255.255
netname: HINET
descr: Data Communication Business Group,
descr: Chunghwa Telecom Co., Ltd.
descr: Commerical ISP
descr: 21, Section 1, Hsin-Yi Road, Taipei,
descr: Taipei 100, Taiwan, R.O.C.
country: TW
admin-c: HN27-AP
tech-c: HN28-AP
mnt-by: MAINT-TW-TWNIC
changed: hostmaster@twnic.net.tw 19940401
changed: hostmaster@twnic.net.tw 20040713
status: ALLOCATED PORTABLE
source: APNIC
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Questions?
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Installation of crimeware
• If a website does not ask you for
personally identifiable information,
you may still be at risk from installed
software.
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Be suspicious of any e-mail with
urgent requests for personal financial
information
• NEVER respond to an e-mail
requesting personally identifiable
information
• NEVER click on the link provided in
the e-mail message
• NEVER fill out fields included in an email message
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Always ensure that you're using a
secure website when submitting credit
card or other sensitive information via
your Web browser
• Type in the web address and do not
click on an e-mail link
• "https://" rather than just "http://"
• Check for the lock on the browser
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Others:
• Review credit card and bank account
statements as soon as you receive it
• Check your credit report on a regular basis
(every six months recommended)
• Use anti-virus software and keep it up to
date
• Be cautious about opening any attachment
or downloading any files from e-mails you
receive, regardless of who sent them
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Questions?
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Fair Credit Reporting Act
A recent amendment to the federal Fair Credit Reporting Act requires
each of the major nationwide consumer reporting companies to
provide you with a free copy of your credit reports, at your
request, once every 12 months.
MISSOURI: free reports began March 1,
2005.
www.annualcreditreport.com
call toll-free 877-322-8228
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Report phishing or spoofed e-mails
• Always include header information
http://www.spamcop.net/fomserve/cache/19.html
• Forward the e-mail to
reportphishing@antiphishing.com
• Forward the e-mail to the Federal Trade
Commission at spam@uce.gov
• Forward the e-mail to the "abuse" e-mail
address at the company that is being
spoofed (e.g., abuse@ebay.com)
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
What to do if you think your
identity has been stolen:
• Contact the fraud department of any of the three
major credit bureaus and place a fraud alert on
your credit file.
– Equifax - 800-525-6285
– TransUnion - 800-680-7289
– Experian - 888-EXPERIAN (397-3742)
• Close the accounts that you know or believe have
been tampered with or opened fraudulently. Use
the ID Theft Affidavit when disputing new
unauthorized accounts.
www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
What to do, continued
• File a police report
• File your complaint with the FTC
https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Questions?
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Resources:
ID Theft Homepage
www.consumer.gov/idtheft/
Identity Theft Victims: Immediate Steps
http://www.consumer.gov/idtheft/con_steps.htm
Take Charge: Fighting Back Against Identity
Theft
www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm
Chart Your Course of Action - Checklist
http://www.ftc.gov/bcp/conline/pubs/credit/idtheftform.pdf
Anit-Phishing Work Group
www.antiphishing.org/
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Resources:
Ten Ways to Recognize Fake (Spoof) E-mail
www.woai.com/news/cyberstuff/story.aspx?conte
nt_id=F483011C-F9D7-41B8-B2404A50632D8182
Dear Sir: Your Data Was Stolen
www.wired.com/news/privacy/0,1848,67811,00.h
tml?tw=wn_1polihead
Home PCs hijacked to spread spam
news.bbc.co.uk/1/hi/technology/3528810.stm
www.more.net | University of Missouri
Copyright ©2005 MOREnet and The Curators of the University of Missouri
Download