Phishing attacks and its vectors


PHISHING ATTACKS AND ITS SOLUTIONS GRIN Archive No: V295346

All Rights Reserved © gaganjain.com 2015

Phishing!

Contents

- 1.1 Introduction (p. 3)
- 2. PHISHING ATTACKS AND ITS VECTORS (p. 5)
  - 2.1 PHISHING ATTACK (p. 5)
  - 2.2 TYPES OF ATTACKS FOR TYPES OF USERS! (p. 6)
  - 2.3 WHAT CAN AN ATTACKER GET FROM THESE ATTACKS? (p. 8)
- 3. HOW TO RESOLVE THESE ATTACKS (p. 12)
  - 3.2 b) Social Engineering (p. 13)
  - 3.1 c) QR Code (p. 17)
- 4. REPORTS BY ANTIVIRUS GIANTS (p. 19)
  - AVAST REPORT (p. 20)
  - TOP TEN TLDs PHISHING ORIGINATING FROM (p. 21)
- Conclusion (p. 22)
- References (p. 23)

All rights reserved © gaganjain.com 2015

Paper: GAGAN JAIN B SATISH

1.1 Introduction

In today’s world people are so interconnected that it is easy to communicate with people we do not get to meet every day. People use online social networks, blogs, websites and other media to communicate and share things with each other. But all this fun has a disadvantage that can cause a serious situation: something as simple as a victim’s first and last name can be enough to start an attack on an individual. Alongside these fancy technologies, attackers have also become so sophisticated that they build automated attacker scripts that break into a system once they are given the credentials.

Today we are going to talk about one such attack, which steals a user’s credentials by presenting him with a dummy page that looks like the site he wanted to log in to. After he enters his credentials, the page redirects to the original site, so the user thinks it simply reloaded, while in reality the attacker has captured his username and password.


PHISHING ATTACKS AND ITS VECTORS

Prepared by

GAGAN JAIN B [email protected]


2. PHISHING ATTACKS AND ITS VECTORS

2.1 PHISHING ATTACK

A phishing attack is a type of hacking technique in which an attacker fools the victim into entering his credentials into a fake/dummy page that looks like the real login page of that website. A phishing attack is one of the easiest ways of compromising a victim. There are many kinds of scenarios in which phishing attacks are used. The main areas where phishing happens are:

- Social networking sites
- Banks
- Companies
- Job banks
- Gaming sites

What exactly happens in a Phishing attack??


Diagram: ATTACKER -> EMAIL -> VICTIM clicks on the link in the email -> FAKE PAGE -> redirects to ORIGINAL PAGE

This is a common attack scenario of a phishing attack. The diagram shows how a common email phishing attack happens.

2.2 TYPES OF ATTACKS FOR TYPES OF USERS!

Phishing attacks are not performed only by spoofing an email address. The victim can also be attacked locally. There are different types of attacks for different cases:

- Victim at an unknown or remote location: this can be achieved by sending a mail or a text so that the victim is redirected to the fake page, where he enters his credentials.


This is a type of attack where an attacker sends a mail pretending to be from a company, an organization or a website. The attacker creates an email template that looks like a real email and contains a link that takes the victim to the fake page, where the victim enters his username and password. After clicking the login button the page reloads and redirects to the original page, so it looks as if the page just reloaded. Now the attacker has a text file on the server where the fake page is hosted, in which the victim’s credentials are stored.


- Victim on a local network: this is the case where the victim is on the same network as the attacker. The attacker poisons the ARP table used by the network access point, spoofing the entry for the victim’s IP address. This attack is also called ARP poisoning. The attacker scans the access point and gets the list of all devices connected to the same access point as he is. He then identifies the victim’s machine by its MAC address and IP address and spoofs the victim’s IP. He poisons the ARP table in the access point so that whatever request the victim sends to the access point, the attacker answers it, and so he can redirect the victim’s machine to his local server.

This attack is called a MITM (man in the middle) attack. The victim is redirected to the attacker’s local server or machine and lands on a fake page that looks like the page the victim requested; from there it works the same way as all the other phishing attacks.

2.3 WHAT CAN AN ATTACKER GET FROM THESE ATTACKS?

An attacker can possibly gain admin rights, i.e., the attacker can access your email ID, username, passwords, credit card numbers, SSN, SIN, anything that a victim uses on the internet to identify himself and to purchase something. This is a very high level threat and easy to deploy if you know standard HTML, PHP and web hosting.

In a simple way, an attacker can gain everything from you. Here are 3 examples where a victim’s account is compromised and sensitive data has been stolen.

FACEBOOK:


This is a fake email that looks just like an original email.

FACEBOOK PHISHING PAGE:

GMAIL:


https://blog.fierydragonlord.com/uploads/gmail-phishing/fake-gmail-login.png

RBC BANK PHISHING PAGE:


https://blog.fierydragonlord.com/uploads/gmail-phishing/fake-gmail-login.png


3. HOW TO RESOLVE THESE ATTACKS

3.1 a) MAIL

“1. Guard against spam. Be especially cautious of emails that:
* Come from unrecognized senders.
* Ask you to confirm personal or financial information over the Internet and/or make urgent requests for this information.
* Aren’t personalized.
* Try to upset you into acting quickly by threatening you with frightening information.

2. Communicate personal information only via phone or secure web sites. In fact: When conducting online transactions, look for a sign that the site is secure such as a lock icon on the browser’s status bar or a “https:” URL whereby the “s” stands for “secure” rather than a “http:”. Also, beware of phone phishing schemes. Do not divulge personal information over the phone unless you initiate the call. Be cautious of emails that ask you to call a phone number to update your account information as well.


3. Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender.

4. Never email personal or financial information, even if you are close with the recipient. You never know who may gain access to your email account, or to the person’s account to whom you are emailing.

5. Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with. Phishing web sites often copy the entire look of a legitimate website, making it appear authentic. To be safe, call the legitimate enterprise first to see if they really sent that email to you. After all, businesses should not request personal information to be sent via email.

6. Beware of pop-ups and follow these tips:
* Never enter personal information in a pop-up screen.
* Do not click on links in a pop-up screen.
* Do not copy web addresses into your browser from pop-ups.


* Legitimate enterprises should never ask you to submit personal information in pop-up screens, so don’t do it.

7. Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software, and update them all regularly to ensure that you are blocking new viruses and spyware.

8. Check your online accounts and bank statements regularly to ensure that no unauthorized transactions have been made.” (Identitytheftkiller.com, n.d.)
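The markers in the tips above (unrecognized sender, a generic greeting, urgency, a request for credentials, lure keywords, and a link whose visible text does not match where it really goes) can be turned into a simple triage score. This is an added example, not code from the original paper; the sender allow-list, keyword lists and the two sample messages are constructed for illustration.

```python
"""Heuristic triage of an incoming email against the phishing markers above.
Added example; not code from the original paper. The allow-list, keyword
lists and sample messages are constructed for illustration."""
import re
from urllib.parse import urlparse

KNOWN_SENDERS = {"alice@example.org"}                      # constructed allow-list
GENERIC_GREETINGS = ("", "dear customer", "dear user", "dear member")
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "respond now")
LURE_WORDS = ("verify", "account", "won", "lottery", "confirm")
SENSITIVE = ("password", "credit card", "ssn", "social security", "bank details")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)

def host_of(text):
    """Hostname of a URL; a bare 'www.example.com' is accepted as well."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def link_mismatches(body):
    """Links whose visible text names one host but whose href leads to another."""
    bad = []
    for href, label in ANCHOR_RE.findall(body):
        if HOSTLIKE_RE.search(label) and host_of(label) != host_of(href):
            bad.append((host_of(label), host_of(href)))
    return bad

def score_email(sender, greeting, body):
    """Return (score, reasons); each phishing marker found adds one point."""
    low = body.lower()
    reasons = []
    if sender.lower() not in KNOWN_SENDERS:
        reasons.append("unrecognized sender")
    if greeting.strip().lower() in GENERIC_GREETINGS:
        reasons.append("not personalized")
    if any(w in low for w in URGENCY):
        reasons.append("urgency or threat")
    if any(w in low for w in SENSITIVE):
        reasons.append("asks for personal or financial information")
    hits = [w for w in LURE_WORDS if re.search(r"\b%s\b" % w, low)]
    if hits:
        reasons.append("lure keywords: " + ", ".join(hits))
    for shown, real in link_mismatches(body):
        reasons.append("link text says %s but goes to %s" % (shown, real))
    return len(reasons), reasons

# Constructed sample messages; the href domains use the reserved .example TLD.
PHISH = dict(sender="alerts@secure-mail.example", greeting="Dear Customer",
             body='Your account has been suspended. Verify your password within 24 hours: '
                  '<a href="http://paypa1-login.example/verify">www.paypal.com</a>')
LEGIT = dict(sender="alice@example.org", greeting="Hi Gagan",
             body='Lunch tomorrow? Agenda: <a href="https://example.org/agenda">https://example.org/agenda</a>')

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, why = score_email(**msg)
        print(name, score, why)
```

A score of this kind only ranks mail for a closer look; the tips above (calling the enterprise, not clicking the link) remain the actual decision.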

3.2 b) Social Engineering

Introduction

“Social engineering techniques are among the most powerful tools in the hackers' toolbox. Generically, social engineering is the motivation of someone ('the mark') to disclose personal or other important information that the hacker can use to their own advantage (e.g., to steal an identity in order to exploit financial information or extract an important password in order to break into a server).


Just like the traditional grifters of the past, hackers use the general tendency of people to want to 'be nice', 'stay out of trouble', and/or 'protect their own assets' to motivate them to give out information – and even feel good about doing it.

Examples

Probably the most popular and well-known social engineering scam is known as the '419 scam' (after the section of the Nigerian Penal Code that discusses this sort of infraction) or, more generically, as an 'Advance Fee Fraud'. In this scam, an important government official (or similar personage) has tragically died, leaving behind a large sum of money. In exchange for your help in moving the money from an unfriendly foreign country to a more friendly bank account, you will be rewarded with a substantial reward (e.g., 20% of 60 million dollars). Who could resist doing good and being rewarded for your good deed? This scam has been conducted via postal mail, fax, and telex in addition to the far less expensive e-mail proliferation mechanism.

Surprisingly, the proffering of your bank account number is not usually the way 419 scammers make money. Their income derives from the fees you must pay to bribe certain officials, lubricate the liberation of the money from a bank account, and so on. It is believed that no one has ever received money in return for these investments. In fact, many folks have lost small fortunes (a New Yorker article, from Fox News (with a reference to the pastor's wife who killed him after losing their family savings), folks in Japan, and a BBC report of a scammed Briton).

While most people these days have heard of the 419 scam and recognize it by the telltale "too good to be true" litmus test, social engineers use other motivations to extract folks' information:

* "This email confirms you have paid $xxx for [some product]": Of course, you never bought anything from the company and will give them information to find the errant payment and refund your money. The scam is that they are just collecting your credit information to make actual charges.
* "Paypal (or someone) needs you to reconfirm your information": No they don't. The web page is legitimate except for one little link that sends your information to the scammer instead of to Paypal. Everything looks legitimate until that very last click.
* "Your account at [xxx] has been suspended for ...": No it hasn't. But you'll have to supply a goodly amount of personal information to get it back. Don't do this!

CLICK HERE TO SEE THESE EMAILS: http://web.stanford.edu/group/security/securecomputing/phishingexample.html

Defence

Vigilance is the only defence against social engineering. Look for these markers to know you're getting ready to divulge too much:

* "Here's your big chance to play the new fantastic version of the [xxx] game!" The link, of course, goes somewhere where they will extract some private information (real name? a password that might work somewhere else? your birthdate in order to prove you are 'old enough' to play, etc.). This really is the #1 rule: Avoid clicking links people send you instead of using a search engine to find the proper link.
* Anything that sounds too good to be true probably is. It is unlikely that you have won the Irish Sweepstakes, even if you elect to send in a $1,000 security payment.


* Any time you get a solicitation in email that you did not request – even from a trusted friend – it should be discarded immediately. No reputable company works this way.
* Email with misspelled, mispunctuated, or bizarrely formatted text is almost surely a scam.
* If something feels like it requires action, confirm via telephone with someone you know (or at least can verify, e.g., by calling the corporate headquarters) before you send money. A recent scam asks for money because your best friend (or aunt or grandmother or ...) is caught in Europe (or some faraway place) and can't return until they pay bail, or a fee, or some other money-requirement. You, the trustworthy friend or relative, can help them! Call them at home to make sure they're not there before sending money.
* Any time you are getting ready to feel good about giving away some money or information, think twice: Why am I really doing this? Do I know who is on the other end of my bequest? "Hey, John, please remind me of the combination to get into the machine room." Who is really asking?
* Keywords to avoid: verify, account, won, lottery, respond [now, quickly], or you will suffer [some horrible thing]. See these? Click delete.


Vishing: These same pitches and scams work in airports, for panhandlers, and all sorts of non-computer scammers, too, by the way. They even work when people call you on the phone! "Hey, Jill, this is Ralph over in accounting. I've forgotten [xxx], can you help me out?" Look up their number and call them back.

SMSiShing: Same idea for text messages on your phone. Don't believe a bank will text you; call them on an independently verified number.

With eyes wide open, the Internet can be a happy and safe place for many sorts of transactions.” (Stanford, May 2014)

3.1 c) QR Code

WHAT is a QR CODE?

The QR in the name stands for quick response, expressing the development concept for the code, whose focus was placed on high-speed reading. When it was announced, however, even Hara, one of the original developers of the code, could not be sure whether it would actually be accepted as a two-dimensional code to replace barcodes.

Example:

Nowadays QR codes are pretty famous and people use them to generate their identity proof and exchange it as well. This is actually pretty cool! Let’s say I join a company and the company gives me a visiting card with a QR code printed on it! That’s pretty cool! Anyway, as I was explaining, QR codes can be used to generate a QR code for my Facebook profile so that new friends can add me more easily.

Now one day as I was going by I saw a QR code stuck up on a pole in the street. I walked up to see what it was all about and saw a party night poster next to it, pointing to the QR code to get invited to the party: “JUST POINT YOUR DEVICE TO THIS QR CODE AND GET INVITED VIA FB EVENTS”. I thought this was interesting: why would someone want to invite people to a party who they don’t even know? So I decided to look for myself and scanned the code. As I scanned the code it redirected me to the FACEBOOK LOGIN page, and in turn it was also converted to a mobile site. NICEEEEEEE!! Then I glanced up at the URL and saw: http://Facibok.me/login.php. This is some new level of hacking. This must have hacked at least 200 people’s Facebook accounts.


4. REPORTS BY ANTIVIRUS GIANTS

According to the APWG’s Global Phishing report:


http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf

AVAST REPORT:


https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcRGKZ8EXRxTdywoLiMY6_iJv1yGobB1vCZaQVGp9DCYB57Cxi4lOQ

TOP TEN TLDs PHISHING ORIGINATING FROM:


These are the top 10 domain TLDs (e.g. .com, .in, .org, .edu). These are the domain TLDs you should look out for:

http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf


Conclusion

Phishing attacks are evolving day by day and the scams are becoming even more realistic. So users have to become more technologically educated about how to use things and how to use them securely. The online world is a bigger world than you think, and you are unique in it. Each user has their own pattern of using the Internet, so your identity is your secret. Never trust anybody online, and never reveal your identity to unknown sources.

Almost forgot! To check whether your email address or a username you use frequently has been compromised, visit this site: https://haveibeenpwned.com


References:

1. Phishing & Social Engineering. (2014, May 25). Retrieved March 28, 2015, from http://web.stanford.edu/group/security/securecomputing/phishing.html

2. Aaron, G. (2014). Global Phishing Survey 1H2014: Trends and Domain Name Use. Global Phishing Survey: Trends and Domain Name Use in 1H2014, 1, 36-36. Retrieved March 28, 2015, from http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf

3. Are You Phishing For Trouble? These 8 Ways To Prevent "Phishing Scams" Will Keep You From Getting Wet. (n.d.). Retrieved March 28, 2015, from http://www.identitytheftkiller.com/prevent-phishing-scams.php


4. Horejsi, J. (2014, April 14). Avast blog » Email with subject “FW: Bank docs” leads to information theft. Retrieved March 28, 2015, from https://blog.avast.com/2014/04/01/email-with-subject-fwbank-docs-leads-to-information-theft/

5. GMAIL PHISHING. (n.d.). Retrieved March 28, 2015, from https://blog.fierydragonlord.com/uploads/gmail-phishing/fake-gmail-login.png
