PRESENTATION ON

PHISHING
Submitted By :

Prateek Vinod Chadha-9103439 Samarth Jain-9103445 Ayush Dargar-9103450 Hemant Khandelwal-9103453 Nitesh Sahni-9103456

Cyber Crime
Intentional use of information technology by cyber terrorists for producing destructive and harmful effects to tangible and intangible property of others is called cyber crime.
Cyber terrorists usually use the computer as a tool,

target, or both for their unlawful act either to gain information which can result in heavy loss/damage to the owner of that intangible sensitive information.

 Internet is one of the means by which the offenders can

gain such price sensitive information of companies, firms, individuals, banks, intellectual property crimes (such as stealing new product plans, its description, market program plans, list of customers etc.), selling illegal articles, pornography etc.
this is done through many methods such as internet

phishing, spoofing, pharming, wire transfer etc. and use it to their own advantage without the consent of the individual.

What is Phishing ?
Phishing is an attempt to gain personal or financial information from an individual.

or in another words is the act of sending an E-mail that falsely claims to be from a bank or other E-commerce enterprise.

Recognize Phishing Scams and Fraudulent E-mails

Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information

How Is It Done?
Using e-mail messages which completely resembles the original mail messages of customers, hackers can ask for verification of certain information, like account numbers or passwords etc. here customer might not have knowledge that the e-mail messages are deceiving and would fail to identify the originality of the messages, this results in huge financial loss when the hackers use that information for fraudulent acts like withdrawing money from customers account without him having knowledge of it.

Spear-Phishing: Improved Target Selection

Socially aware attacks

Urge victims to update or validate their account Use gift or bonus as a bait Security promises
Context-aware attacks

Your bid on eBay has won! The books on your Amazon wish list are on sale!

How To Tell If An E-mail Message is Fraudulent

Here are a few phrases to look for if you think an e-mail message is a phishing scam. "Verify your account."Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

"If you don't respond within 48 hours, your account will be closed."These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.

How To Tell If An E-mail Message is Fraudulent (contd)

"Dear Valued Customer."Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

"Click the link below to gain access to your account."HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.
Notice in the following example that resting the mouse pointer on the link reveals the real Web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.
QuickTime and a TIFF (Uncompressed) decompressor are needed to see this picture.

Example of masked URL address

How To Tell If An E-mail Message is Fraudulent (contd)

Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as: www.micosoft.com www.mircosoft.com www.verify-microsoft.com

Example of Phishing
From: Customer Support [mailto:support@citibank.com] Sent: Thursday, October 07, 2004 7:53 PM To: Eilts Subject: NOTE! Citibank account suspend in process Dear Customer: Recently there have been a large number of cyber attacks pointing our database servers. In order to safeguard your account, we require you to sign on immediately. This personal check is requested of you as a precautionary measure and to ensure yourselves that everything is normal with your balance and personal information. This process is mandatory, and if you did not sign on within the nearest time your account may be subject to temporary suspension. Please make sure you have your Citibank(R) debit card number and your User ID and Password at hand. Please use our secure counter server to indicate that you have signed on, please click the link bellow: http://211.158.34.249/citifi/. Note that we have no particular indications that your details have been compromised in any way. Thank you for your prompt attention to this matter and thank you for using Citibank(R) Regards, Citibank(R) Card Department (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), FSB. Member FDIC.Citibank and Arc
Barbara J. Fullerton & Sabrina I. Pacifici

Phishing used almost for financial fraud !

8th October 2009

The Largest International Phishing Case Ever Conducted The criminals used phishing to get access to hundreds of bank accounts, stealing $1.5 million.

US and Egyptian authorities have charged 100 people ( 53 defendants from California, Nevada and North Carolina 47 Authorities in Egypt charged.

Facebook Phishing
ITGN345 Sec.01 Dear Info. Sec. Students,

There are 4 students got zero (0/10) in the assignment mark because of plagiarism. Some students copied and pasted from each other. Others copied from the internet. For this reason some of you will find his/her mark is low. 10 marks were lost which affects your final grade. However, all of you passed except those students because they didnt fill up this form . Please add me on my facebook and send me your details with full name and ID number mobiles phones that I can contact you Full name Date of Birth Drivers License Number Current and previous addresses & Employers Mothers Maiden Name.
Good Luck & Regards, Dr. Mathew Nicho

Phishing Harms Firms

Harmful at many levels Threatens effective communication Undermines goodwill and trust Customers Direct harm from stolen IDs, passwords Could perceive business as not taking adequate steps to protect users Diminishes value of brand Could affect shareholders Possibility of liability for failure to exercise due diligence in protecting trademark
Based in part on material that is copyright 2004 Don Holden, CISSP Used with permission (and thanks).

If You were Phished

Immediately cancel your account or change your

password. Report the company, right away Review your statements and comments overtime. And Remember be AWARE!

PHISHING
How To Protect Yourself

Dr. Harold L. Bud Cothern

Additional Credits: Educause/SonicWall, Hendra Harianto Tuty, Microsoft Corporation, some images from AntiPhishing Workgroups Phishing Archive,Carnegie Mellon CyLab

Your Organization / Bank / University WILL NEVER ASK YOU FOR YOUR PASSWORDS !!

Dont put your Sensitive DATA into your E-mail

Never Trust TinyURL.com links !!

Never Enter your CREDIT CARD if the website doesnt start with https:// or doesnt have the security locker SSL

Only shop with vendors you trust to avoid to be an victim .

Use Internet VISA CARD.

Install the Microsoft Phishing Filter Using

Internet Explorer 7 or Windows Live Toolbar

Phishing Filter (http://www.microsoft.com/athome/security/online/phishin g_filter.mspx) helps protect you from Web fraud and the risks of personal data theft by warning or blocking you from reported phishing Web sites. Install up-to-date antivirus and antispyware software. Some phishing e-mail contains malicious or unwanted software (like keyloggers) that can track your activities or simply slow your computer. Numerous antivirus programs exist as well as comprehensive computer maintenance services like Norton Utilities. To help prevent spyware or other unwanted software, download Windows Defender.

Thank You

For Your