Phishing: Don t Phall Phor It Part 1

Transcription

1 Phishing: Don t Phall Phor It Part 1 Software Training Services Welcome to Part 1 of the online course: Phishing: Don t Fall for it! 1

2 Objectives Definition of Phishing State of Phishing Today Recognizing Phishing/Phishing Tricks Examples Best Practices What to do if you get hooked Summary This course is the first of a two-part series on Phishing. All of the objectives listed will be covered in the complete course. In part 1, the following topics will be discussed: Define phishing and distinguish it from spam Provide phishing statistics to give some insight into the state of phishing today Show how to recognize phishing and expose some phishing tricks And Provide some examples of phishing and point out how to identify these as phishing scams You will want to make sure you watch Part 2 of the presentation in order to complete this course. 2

3 Disclaimer: Many of the links in this presentation are not authentic web addresses, but are intended to illustrate hostile activity. DO NOT type these into your browser, unless they are provided in the Resources section. 3

4 Here s Phil the Phisher. 4

5 Web Address Definition Located in the top portion of the screen Begins with http or https The unique address of the web page Throughout this course we will refer to a web address. It s important that you understand what a web address is, and where to find it. The web address is located in the top portion of the screen and will normally begin with http or https. It is the unique address of the web page. 5

6 Web Address Example In this example, the web address is 6

7 Phishing Defined It s NOT what you do with a worm and a hook on a sunny afternoon Let s start with a definition of phishing. Contrary to what it sounds like, it s NOT what you do with a worm and a hook on a sunny afternoon. 7

8 A Definition of Phishing: The process by which someone obtains private information - often authenticating credentials - through deceptive or illicit means in order to falsely assume another person s identity. Phishing is the process by which someone obtains private information, often authenticating credentials, through deceptive or illicit means. They use this information for the purpose of identify theft 8

9 Phishing Defined Use spoofed s to lead the recipient to counterfeit websites Tricked into divulging credit card information, personal information, account usernames and passwords, social security numbers, etc. Phishing involves the use of spoofed s to lead the victim to counterfeit websites The phisher makes the message appear to come from a legitimate source such as Paypal, E-bay, the victim s bank, credit union, etc. Once at the website, they are tricked into divulging credit card information, personal information, account usernames and passwords, social security numbers, etc. Frequently, people will use the same username and password for multiple (or all) sites so phishers will try to get a username and Password and then try to re-use it on other popular websites to gain access to multiple additional accounts 9

10 Identity Theft Defined A crime in which an imposter obtains key pieces of personal information in order to impersonate someone else: Social Security number Driver's license numbers Identity Theft is a crime in which an imposter obtains key pieces of personal information, such as social security number and drivers license number, in order to impersonate someone else. 10

11 Identity Theft Defined Information can be used to carry out transaction in the name of the victim: Obtain credit Purchase merchandise and services Provides the thief with false credentials Can create a criminal record for the victim Leave outstanding arrest warrants for the person whose identity has been stolen Once the thief has this personal information, one way they may use it is to obtain credit and purchase merchandise and services under the victim s identity. In addition, the thief may also use the information for the purpose of providing them with false credentials. In this manner, they can create a criminal record for the victim resulting in outstanding arrest warrants for the person whose identity has been stolen, as the thief commits crimes under the assumed identity. 11

12 The State of Phishing Today Anti-Phishing Working Group : 5.7 billion Number of phishing s sent each month 9,715 Number of unique phishing websites in January ,877 - Number of unique phishing reports received in January ,000+ sites for 2005 YTD 5 days - Average time online for a site Let s take a look at some of the statistics from the Anti-Phishing Working Group which provides us with a good view of the state of phishing today. 5.7 billion that s the number of phishing s sent each month! Just for the month of January 2006 there were 9,715 unique phishing websites. Those are fake websites set up by phishers to lure unsuspecting users into entering their personal information. It might also surprise you to know that the majority of these fake web sites are originating in the United States. 17,877 is the number of unique phishing reports received for the month of January in 2006 There were more than 16,000 phishing sites for the entire year in days is the average time online for a phishing site. That means it is taking an average of 5 days before the web site is discovered and taken down. Frequently, the phisher just moves the page to another site Keep in mind that these numbers continue to increase the situation is getting worse, not better. 12

13 Identity Theft Statistics From FTC Identity Theft Survey Report 2003: 9.9 million Number of victims $47.6 billion Loss to businesses $5 billion Total loss to victims 2 10,000 hours Range of time spent by victims on resolving the problem (Average was 600 hours) You might be wondering how does this affect me? Well, phishing is used for the purpose of identity theft and the statistics on identity theft are overwhelming: There were 9.9 million victims of identity theft in 2003 The loss to businesses was $47.6 billion and the total loss to victims was $5 billion The amount of time spent by victims on resolving the problem ranges from 2 hours to 10,000 hours with an average of 600 hours. Keep in mind, some of the victims are still clearing records over 10 years since the initial theft as the imposter continues to open accounts in their name. 13

14 The State of Phishing Today Why Phishing Works study found: People do not know how to scrutinize web addresses Even when presented with a choice between a valid and a hoax site, the hoax was selected 40% of the time Spam VS. Phishing Spam Selling Phishing - Stealing A study was conducted to determine why phishing scams are successful and the results showed that people don t know how to scrutinize a web address to determine if it is valid or not. Even when people were presented with a choice between a valid and a hoax site, the hoax was selected 40% of the time. You might be asking, is there a difference between spam and phishing? Are they the same thing? Well, they are not the same thing and it s important to differentiate between the two. Spam is selling someone is trying to sell you a product Viagra, low mortgage rates, Vitamins, etc Phishing is actually stealing they are trying to steal your identity by tricking you into divulging personal information 14

15 Recognizing Phishing Look for the following three components: Build credibility (sounds good) Spoof a real company You may or may not be a member or have an account Create a reason to act Urgency, plausible premise, requires quick response A call to action Click a link or button Subtle changes to web address Actual web address with changed link properties Not going where you think you are going! There are some standard items to look for in an to help you identify it as a phishing scam. Most phishing s will have 3 components: First, they will try to build credibility by spoofing a real company. Typically, the phisher will use very popular and well-known businesses, such as e-bay, paypal, Amazon, or major banks. Second, they will express a sense of urgency to get you to take immediate action. They may try to scare you into believing that someone may have tried to access your account and they need you to verify your account information immediately. Finally, there is a call to action a very quick and convenient method for you to provide the requested information by completing a form or clicking a link. They may even make it look as though you are clicking a valid web address. When in fact, they have modified the link properties so that you are NOT actually going where you think they are. 15

16 Recognizing Phishing Exercise caution when: Notified of internal accounting errors, requesting your cooperation Warnings of your account being closed if action is not taken Requests to update your account or profile Apparent notices from your ISP informing you of problems generated by your PC You should exercise caution any time you are notified of warnings such as internal accounting errors or threats that your account is going to be closed unless you take immediate action. Some other popular ploys include requests to update your account or profile, and notices that seem to come from your Internet Service Provider informing you of problems that have been generated by your pc. All of these are tricks of the phisher to scare you into taking immediate action. By placing urgency on the request they are hoping to increase their chances that you will respond immediately without thinking about the possible consequences. 16

17 For Example Take this example which appears to be coming from Paypal. This request informs the recipient that they have recently enhanced their web site and therefore, they are updating their account information and noticed some discrepancies in the client s account. Notice the simple link to click on in order to be taken to a web page where the account information can be entered. This does contain some tell-tale signs that it is a phishing scheme. Let s take a closer look. 17

18 First, notice the generic Dear paypal customer If this were a legitimate message, the would be personalized to include the account holder s name. In addition, take a look at the improper Grammar used the first sentence includes the phrase to verify that the informations you have provided are accurate. Then, the poorly worded note Unable to do so may result to abnormal account behavior during transactions. Sometimes, poor grammar and misspellings are a good indication of a phishing scheme, but they are not always present. Let s click on the link and see where it takes us that will provide us with additional clues as to the legitimacy of the message 18

19 Takes you to Let s analyze this web page. ANYTIME you enter personal information on the web, you should always verify that the site is secure by looking for https in the web address and a Lock icon in the lower right both should be present. You can see by this example, http is used and not https and there is no lock icon in the lower right. The Secure Log In and lock symbol used towards the top of the page are being used to fool you into believing the web page is secure, when in fact it is not. The lock icon should be located in the status bar at the bottom of the page. 19

20 This is an example of valid, secure web site. Notice the https web address and lock icon are both present. This is the legitimate web site for paypal. 20

21 Https Secure Site Internet Explorer Lock icon: Displayed in lower right Mozilla FireFox Lock icon: Displayed in lower left Netscape Lock icon: Displayed in lower left Throughout this presentation we will use Internet Explorer as the browser. However, you may be using another browser, such as Mozilla FireFox or Netscape. Therefore, on this slide we have provided a sample of the lock icon from all three of these browsers so you are aware of what to look for. Also keep in mind that unlike Internet Explorer where the lock icon is displayed in the lower right, both Mozilla and Netscape display the lock icon in the lower left. This lock icon is not just a picture. You can click the icon or or double-click (depending upon your browser) and examine the security information displayed about the web site. 21

22 Recognizing Phishing The actual domain comes JUST BEFORE the domain suffix Example: Uakron = domain.edu = suffix Suffixes:.com = Commercial business.edu = Educational institutions.gov = Government.org = Non-Profit organizations.mil = Military.net = Network organizations You ll need to understand how to identify domains and suffixes in the web address so keep in mind the following: To help clarify, the actual domain comes just BEFORE the domain suffix. So, for Uakron is the domain and.edu is the suffix. It s helpful to know some common suffixes such as:.com for commercial institutions. Businesses such as ebay, paypal, starbucks, lands end, etc would all use the suffix of.com.edu is for educational institutions, such as The University of Akron.gov is used for government entitities. For example, the United States Postal Service is usps.gov the FBI is fbi.gov.org is used by non-profit organizations, such as the Red Cross, the American Cancer Society, etc..mil is used by military organizations The marines are USmc.mil, the army is army.mil.net is for network organizations and is typically used for Internet Service Providers It helps to be able to identify the domain and suffix in order to determine if a web site is legitimate. 22

23 Recognizing Phishing Look for the following (examples of fraudulent links): Anything after a slash is a subdirectory of the website Let s take a look at what we learned about domains and suffixes and apply it to these web address examples: In the first example ebay.signon.com you see the ebay and immediately assume it is legitimate it s NOT. For the legitimate ebay site, ebay is the domain and in this example signon is the domain, making it invalid. Banesand Noble.com they want you to think it s Barnes and Noble.com they re hoping you glance at it quickly and ignore the missing r. The next one is a good one You might be thinking, this is ebay because it s ebay.com The fact is, whenever there is symbol everything to the left is ignored and the actual address is to the right so, this is really xyz.com and NOT ebay The last one xyz.com/paypal-login.html - Again, you might be thinking it s paypal when in fact anything after the slash is a subdirectory of the website - Therefore, the true domain is xyz and the suffix is.com 23

24 Phishing Tricks Credible-looking web address sign Uses everything to the right of Everything to the left of is forgotten usb/upd.pl Long status line Web address is so long it cannot be completely displayed in the status bar (combine sign) Here s some more credible-looking examples: The first one has the number which is the IP address. Think of the IP address as being similar to a phone number. Sometimes, phishers use the IP address in place of the web address in order to fool you. Any time you see a series of numbers such as this in the web address it should be an indication that the web site it not legitimate. The next one uses symbol the part looks real - too bad it s to the LEFT of symbol. Remember, everything to the left of is ignored. Another trick is to use a very long web address. I ll point out in a minute how you can move your mouse over the link and see the actual web address it points to in the status bar at the bottom of the page. Phishers will make the address so long that when you hover over it the full address it will not be displayed you only see part of the name and it s the part they want you to see. They frequently combine this with symbol so they can put anything they want in front of symbol and none of it is real. We will show you an example of a long web address on the next slide. 24

25 In this example, the phisher is pretty good at disguising the url If we place the mouse over the link labeled internal/loginupdate.html the status bar at the bottom of the screen will display internal/login/update/accounts, etc However, the actual url is really quite long as you can see from the address displayed in the light grey box. What this phisher did was combine a long address with symbol to confuse the recipient. Scan the long address and look for symbol we ve highlighted the text in red to help make it stand out for you. Remember, everything to the left of is ignored, everything to the right is the real address. Therefore, the real address is 25

26 Part 1 Conclusion To advance to Part 2 click the link below: Phishing: Don t Phall Phor It Part 2 Questions? pstrain@uakron.edu AppSupport@uakron.edu This concludes Part 1 of Phising, Don t Phall Phor it! Please don t forget to watch Part 2 of this course. It contains valuable information on advanced phishing tricks and provides advice on what to do should you become a victim of phishing. In addition, many valuable resources are provided in Part 2. Should you have any questions, you may direct them to either pstrain@uakron.edu or AppSupport@uakron.edu 26