
Fishing = Phishing

Anti-Phishing and Online Detection


By

V. Vinod Kumar
[09BK1A0557] CSE Department St. Peters Engg college

What is Phishing?
The word "phishing" emerged in the 1990s.

Phishing is a new word derived from "fishing". It refers to an attacker luring users to visit a fake Web site by sending them fake e-mails (or instant messages).
Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information.
Phishing is part of social engineering.

Why they Phish?


Phishing is about playing the odds
Simple to do, with high gain for little work
No real knowledge necessary
4.5 people out of 10 fall for it (ZDNet)
Most phishing is for financial gain
Some do it to spread malicious programs that in turn carry out other attacks

History of Phishing
Phreaking + Fishing = Phishing
Phreaking = making phone calls for free back in the 70s
Fishing = using bait to lure the target

Phishing in 1995

Target: AOL users
Purpose: getting account passwords for free time
Threat level: low
Techniques: similar names (www.ao1.com for www.aol.com), social engineering

Phishing in 2001

Target: Ebayers and major banks
Purpose: getting credit card numbers, accounts
Threat level: medium
Techniques: same as in 1995, keylogger

Phishing in 2007

Target: Paypal, banks, ebay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation

How they Phish?


Web based attacks (XSS, droppers, malware, fake sites, forums, compromised sites, social media)
Email programs / open relays
Tor for anonymity
Crazy Browser

Web Based Phishing Attacks


Attackers use:
Forums: posting malicious URLs, XSS
Fake domains: PayPal vs. PayPaI (the last letter is a capital I, not a lowercase L)
Compromised sites: hosting malicious software
URL shortening services: hide the real URL
Droppers: malicious code on sites that drops malware when the site is visited

The Procedure of Phishing Attacks


Phishing attacks are performed with the following four steps:

1) Phishers set up a counterfeit website which looks exactly like the legitimate website.
2) They send a large number of spoofed e-mails to target users in the name of those legitimate companies and organizations.
3) Receivers receive the e-mail, open it, click the spoofed hyperlink in the e-mail, and input the required information.
4) Phishers steal the personal information and perform their fraud activities.

Approaches to Prevent Phishing Attacks


There are several (technical or non-technical) ways to prevent phishing attacks:

1) Educate users to understand how phishing attacks work and to be alert when phishing-like e-mails are received;
2) Use legal methods to punish phishing attackers;
3) Use technical methods to stop phishing attackers.

In this paper, we only focus on the third one.

Existing System
1) Detect and block the phishing Web sites in time
2) Enhance the security of the web sites
3) Block the phishing e-mails by various spam filters
4) Install online anti-phishing software on users' computers

Proposed System
i) Classification of the hyperlinks in the phishing e-mails
ii) LinkGuard algorithm
iii) LinkGuard-implemented client
iv) Feasibility study

How to Detect Phishing?


Bad grammar
Generic salutations
Account information requests / threats from companies you don't use
Mail headers
Hovering over links / long URL service
Unknown senders

How to Avoid Phishing


Don't click the link
Type the site name in your browser (such as www.paypal.com)

Never send sensitive account information by e-mail
Account numbers, SSN, passwords

Never give any password out to anyone
Verify any person who contacts you (phone or email).
If someone calls you on a sensitive topic, thank them, hang up and call them back using a number that you know is correct, like from your credit card or statement.

Architecture of LinkGuard

The Link Guard algorithm


LinkGuard works by analyzing the differences between the visual link and the actual link. It also calculates the similarity of a URI to a known trusted site. The following terminology is used in the algorithm:

v_link: visual link
a_link: actual link
v_dns: visual DNS name
a_dns: actual DNS name
sender_dns: sender's DNS name

Working is as follows

    int LinkGuard(v_link, a_link) {
        v_dns = GetDNSName(v_link);
        a_dns = GetDNSName(a_link);
        /* visual and actual DNS names both present but different */
        if ((v_dns and a_dns are not empty) and (v_dns != a_dns))
            return PHISHING;
        /* actual link points at a raw IP address */
        if (a_dns is dotted decimal)
            return POSSIBLE_PHISHING;
        /* decode encoded links and analyze them again */
        if (a_link or v_link is encoded) {
            v_link2 = decode(v_link);
            a_link2 = decode(a_link);
            return LinkGuard(v_link2, a_link2);
        }
        /* no visual DNS name: analyze the actual DNS name */
        if (v_dns is NULL)
            return AnalyzeDNS(a_link);
    }

    int AnalyzeDNS(actual_link) {
        if (actual_dns in blacklist)
            return PHISHING;
        if (actual_dns in whitelist)
            return NOTPHISHING;
        return PatternMatching(actual_link);
    }
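
The algorithm above in runnable Python, as an added example that is not the authors' LinkGuard code. The blacklist and whitelist contents, the 0.8 similarity threshold, the difflib-based stand-in for PatternMatching, and running the DNS analysis when v_dns equals a_dns are assumptions; sender_dns is not used.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import unquote, urlsplit

PHISHING, POSSIBLE_PHISHING, NOTPHISHING = "PHISHING", "POSSIBLE_PHISHING", "NOTPHISHING"
# Constructed lists and threshold (assumptions for this example).
BLACKLIST = {"login-update.example"}
WHITELIST = {"paypal.com", "citibank.com", "aol.com"}
SIMILARITY_THRESHOLD = 0.8

def get_dns_name(link):
    """Host part of a link, lowercased, without 'www.'; None if no DNS name."""
    text = (link or "").strip()
    if not re.match(r"[a-z][a-z0-9+.-]*://", text, re.I):
        if not text or " " in text or "." not in text:
            return None          # e.g. "Click here" carries no DNS name
        text = "http://" + text  # bare "www.paypal.com"
    host = urlsplit(text).hostname
    return re.sub(r"^www\.", "", host.lower()) if host else None

def is_dotted_decimal(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None

def pattern_matching(a_dns):
    """Assumed stand-in: flag hosts that nearly match a trusted name."""
    near = any(SequenceMatcher(None, a_dns, t).ratio() >= SIMILARITY_THRESHOLD
               for t in WHITELIST)
    return POSSIBLE_PHISHING if near else NOTPHISHING

def analyze_dns(a_dns):
    if a_dns in BLACKLIST:
        return PHISHING
    if a_dns in WHITELIST:
        return NOTPHISHING
    return pattern_matching(a_dns)

def link_guard(v_link, a_link):
    v_dns, a_dns = get_dns_name(v_link), get_dns_name(a_link)
    if v_dns and a_dns and v_dns != a_dns:
        return PHISHING
    if a_dns and is_dotted_decimal(a_dns):
        return POSSIBLE_PHISHING
    if unquote(a_link) != a_link or unquote(v_link) != v_link:
        return link_guard(unquote(v_link), unquote(a_link))
    if a_dns is None:
        return NOTPHISHING  # no host to analyze (assumption)
    # The pseudocode reaches AnalyzeDNS only when v_dns is NULL; running it
    # whenever the link was not flagged earlier is an assumption made here.
    return analyze_dns(a_dns)
```

The link in the Citibank e-mail shown under "Example of Phishing" is classified POSSIBLE_PHISHING because its host is a dotted-decimal IP address, and the PayPaI look-alike is caught either by the visual/actual mismatch or by the similarity check.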

Statistical Info

Example of Phishing
From: Customer Support [mailto:support@citibank.com]
Sent: Thursday, October 07, 2004 7:53 PM
To: Eilts
Subject: NOTE! Citibank account suspend in process

Dear Customer:

Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information. This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension. Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand. Please use our secure counter server to indicate that you have signed on, please click the link bellow: http://211.158.34.249/citifi/. Note that we have no particular indications that your details have been compromised in any way.

Thank you for your prompt attention to this matter and thank you for using Citibank(R)

Regards,
Citibank(R) Card Department

(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.Citibank and Arc

Conclusion
Phishing has become a serious network security problem, causing financial losses of billions of dollars to both consumers and e-commerce companies. Fundamentally, phishing has made e-commerce distrusted and less attractive to normal consumers.

We have discussed the characteristics of the hyperlinks that were embedded in phishing e-mails.
We have implemented LinkGuard for Windows XP. Our experiment showed that LinkGuard is lightweight and can detect up to 96% of unknown phishing attacks in real time.

Any Queries ????
