COUNTERING PHISHING ATTACKS
Seminar Guide: Prof. M.S. Bewoor, Computer Department
Presented By: Pratik Sabherwal, Roll No. 5, BE Computers-I
Basic Phishing Attack
Victim receives email seemingly from an institution
Often reports a problem with victim’s account
Email demands immediate action
Victim led to a website that mimics that of the institution
Prompted to enter account information, passwords, personal information, etc.
Two variations:
Passive: Attacker collects victim’s information for later exploitation
Active: Attacker relays victim’s information to the real institution and plunders the account in real time
A Recent Email…
[Image: phishing email screenshots from the Anti-Phishing Working Group’s Phishing Archive]
The next page requests:
Name
Address
Telephone
Credit Card Number, Expiration Date, Security Code
PIN
Account Number
Personal ID
Password
[Image: phishing form screenshot from the Anti-Phishing Working Group’s Phishing Archive]
But wait…
WHO IS 210.104.211.21???
Location: Republic of Korea
[Image: WHOIS lookup screenshot from the Anti-Phishing Working Group’s Phishing Archive]
Current Phishing Techniques
BOTS/BOTNETS
PHISHING KITS
TECHNICAL DECEIT
SESSION HIJACKING
MALWARE
Technical Deceit
Basic URL Obfuscation
Use of JPEG images
HTML Redirection
Similar Domain names
Browser Spoofing Vulnerabilities
International Domain Name Abuse (IDNA)
Malware
Electronic Surveillance
Password Harvesters
Self-Contained Scam Pages & Dialog Boxes
Current Approaches
Awareness & Education
Web Browser Toolbars
Strong Authentication & Authorization
Virus, Spyware & Spamware Prevention
Case In Point – Yahoo!Mail
Design Principles
Sidestep the arms race
Incremental solutions provoke adaptations
Provide mutual authentication
Phishing exploits two authentication failures:
Server to User and User to Server
Reduce reliance on users
Users are unsuited to authenticating others or themselves to others
We cannot rely on perfect user behavior
Avoid dependence on browser interface
Readily spoofed and distrusted by users
Present Scenario: Working Of Websites
A Digital Certificate
Authenticity Of Certification Authority
Overview Of SSL/TLS
SSL is a separate protocol layer just for security
Overview Of SSL/TLS: Working
Message Exchange Sequence
The Proposed Solution Overview
Mobile device stores a public key of server and private key of user.
To access the site, the mobile device uses the private key to authenticate to the server.
Server refuses access unless client can provide user’s password and the mobile device authenticates properly.
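The challenge-response flow these three points describe, as an added example that is not part of the seminar's own C/C++ implementation: it uses Go's standard-library Ed25519 in place of whatever key type the original used, has the server sign a fresh nonce so the device can authenticate the server (server-to-user) and has the device sign the same nonce so the server can authenticate the user (user-to-server), which is the mutual authentication called for under Design Principles. The names (Server, Device, Enroll, Challenge, Respond, Login), the SHA-256 password hash, the nonce bookkeeping and the sample user are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Per-user record on the server: the enrolled device public key and a password
// hash (plain SHA-256 stands in for bcrypt/Argon2; an assumption for brevity).
type userRecord struct {
	devicePub ed25519.PublicKey
	pwHash    [32]byte
}

// Server owns a signing key (counterpart of the server public key the device
// stores) and remembers nonces it has issued but not yet consumed.
type Server struct {
	priv    ed25519.PrivateKey
	users   map[string]userRecord
	pending map[string]bool
}

// Device holds exactly the two items the slides describe: the server's public
// key and the user's private key.
type Device struct {
	serverPub ed25519.PublicKey
	userPriv  ed25519.PrivateKey
}

func NewServer() *Server {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{priv: priv, users: map[string]userRecord{}, pending: map[string]bool{}}
}

func (s *Server) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Enroll is the account-setup step: register the device key and the password.
func (s *Server) Enroll(user string, devicePub ed25519.PublicKey, password string) {
	s.users[user] = userRecord{devicePub: devicePub, pwHash: sha256.Sum256([]byte(password))}
}

// Challenge issues a fresh nonce signed by the server; the signature is what
// lets the device authenticate the server (server-to-user direction).
func (s *Server) Challenge() (nonce, sig []byte) {
	nonce = make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[string(nonce)] = true
	return nonce, ed25519.Sign(s.priv, nonce)
}

// Respond verifies the server's signature with the stored key and only then
// signs the nonce: a look-alike site with a different key gets no signature.
func (d *Device) Respond(nonce, serverSig []byte) ([]byte, error) {
	if !ed25519.Verify(d.serverPub, nonce, serverSig) {
		return nil, errors.New("server key mismatch: device refuses to authenticate")
	}
	return ed25519.Sign(d.userPriv, nonce), nil
}

// Login grants access only when the password matches AND the device signature
// over an outstanding nonce verifies (user-to-server direction); each nonce is
// consumed on use, so a captured response cannot be replayed.
func (s *Server) Login(user, password string, nonce, deviceSig []byte) bool {
	rec, known := s.users[user]
	if !s.pending[string(nonce)] || !known {
		return false
	}
	delete(s.pending, string(nonce))
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(h[:], rec.pwHash[:]) == 1 &&
		ed25519.Verify(rec.devicePub, nonce, deviceSig)
}

// RunScenario exercises three cases: a legitimate login, a phishing site that
// lacks the real server's key, and an attacker holding only the password.
func RunScenario() (legit, phished, passwordOnly bool) {
	bank := NewServer()
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	bank.Enroll("alice", devPub, "correct horse")
	device := &Device{serverPub: bank.PublicKey(), userPriv: devPriv}
	n, sig := bank.Challenge() // 1. genuine server: accepted end to end
	resp, err := device.Respond(n, sig)
	legit = err == nil && bank.Login("alice", "correct horse", n, resp)
	pn, psig := NewServer().Challenge() // 2. look-alike site with its own key
	_, err = device.Respond(pn, psig)
	phished = err == nil
	n2, _ := bank.Challenge() // 3. password known, but no device to sign with
	passwordOnly = bank.Login("alice", "correct horse", n2, make([]byte, ed25519.SignatureSize))
	return
}
```

RunScenario returns (true, false, false): the genuine server is accepted, the device refuses to sign for a site whose key it does not recognise, and a password on its own does not get past Login. The server-side nonce set is what ties each device signature to one login attempt; without it a response captured by malware on the computer could be submitted again.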
Basic Setup
Security Analysis
Hijack Account Setup
Theft of the device
Malware on the Device
Malware on Computer
Implementation: Minimal infrastructure
Mobile device: Nokia Smartphone
Coded in C/C++ for portability to other cellphones, PDAs, etc.
Server changes are minimal for IIS, Apache and Apache-SSL
Minimal PHP scripts needed.
Minimal Database changes required
CONCLUSIONS
Phishing is a growing problem, and attacks will only become more sophisticated
We should avoid relying on perfect user behavior
Instead, we use cryptographic techniques to protect even fallible users
Our implementation demonstrates the feasibility of foolproof phishing prevention
A Vote of thanks to all my friends & teachers!!!