Old but a New Age Weapon

PHISHING

Author: Avinash Singh E-mail: avinas546@gmail.com SNL: http://www.facebook.com/avinash546

AUTHOR BIOGRAPHY:
Avinash is Technical Evangelist. Educational Qualification: B.Tech from Punjab Technical University He holds the following certifications in the field of Ethical Hacking & Information Security Appin Certified Ethical Hacker (ACEH), Certified Penetration Testing Expert (CPTE). He has also done training in the field of Network Security, which includes IDS (Intrusion Detection Systems), Firewalls and Honeypot Technology. He is also trained in other fields such as Linux, Microsoft Certified IT Professional (MCITP), Firewall and CISCO Certified Network Associate. He is also the admin and lead author at TechSpectrum.in (Blog). He has a total experience of around 2 year in the field of Training and Security, and has successfully conducted more than 60 workshops and training programmes till now all over india covering more than 2500+ students.

*****************************************************************

ARTICLE:
Phishing In simple words, phishing is a fraudulent attempt to steal your login credentials or any of your private information and it is growing rapidly. Look at the following examples: Mail 1: Dear Customer We need to verify your bank credentials please click on the following and verify your credentials on the page that follows. The link is www.c1tibank.com. Regards Citibank Team Mail 2 Hey Friend

I just added some new cool pics of mine, hope you like it, please click on the link below and enjoyyyy. http://www.0rkut.com C ya Many a times you get these kind of mails and mostly without thinking much we click on the link which takes us to a login page whether it be a page of your bank ,your email provider or your favourite social networking website. You put your credentials there and error occurs or simply you cant login in one go. Have you ever realised what happened in the background, your id and password was sent to some other place or you can say it has been revealed i.e HACKED. Now, you must be wondering what is all this or how all this is happening??? Here is the answer, take a close look at the address provided in both the mails above, in Mail 1 it is www.c1tibank.com instead of www.citibank.com. Just in place of I there it is written 1. In Mail 2, the link provided is http://www.0rkut.com , there is a 0 (zero) in place of o. This means that these are not the links of your bank of your social networking website but the thing is that it takes you to a webpage that looks exactly similar to the original one, this is the fake page that has been designed by some attacker to steal your login credentials or your private information. These fake pages can ask you for various types of information like your personal information, credit card numbers etc and are really convincing and make you reveal your personal info. Most of the times you cant really make out the difference between the fake page and the original page by simply looking at it. When you put your login credentials on that page and submit it, what happens in the background is that your login credentials have been mailed to an email id of the attacker or it has been stored at some place on the web as specified by the attacker and you are simply redirected to the original page of the legitimate website. This is PHISHING. Just like the conventional fishing, the attacker makes a fake webpage that acts a food to the fish and waits for the fish ( victim ) to fall into the trap. Phishing messages ot emails looks like they have come from a legitimate company and can easily be sent through spoofed email ( emails not originating from the real sender, but by using the sender id ). The reason most people fell into this trap is that they are not aware of it. They simply fall into the trap and loose their confidentiality on the internet later on which can be used in numerous ways by the attacker to cause you harm. The best way you can be protected from phishing is to have a awareness about it and learning it. Social Engineering The most common way of doing phishing is social engineering that is to make a person reveal his secret or personal information by tricking them through a talk or any other social way. The attackers generally copy the contents of the emails of the original website and simply replace the original links with the links of their fake webpages.

Phishing Not only Emails If you are thinking that phishing can be done only through e-mails then probably you are mistaken. Phishing can be done through the following ways also : Chats Instant messages Calls Fake banner ads Fake browser tools Free job search sites etc. Sometimes, your phone rings and the person on the other side says that he is speaking from your bank and something has happened through your account details or they are not able to verify and say that your account may be cancelled if early response is not made prompting you to immediately verify it on phone or via a message and no body wants to loose money, so you simply fall into the trap. Some calls thank the victim for the purchase they never made, or lottery scams are very common now a days , an e-mail saying that you have won a lottery worth millions and to deposit a fixed amount of money in an account to claim the won money. So phishing messages are designed in such a manner that they prompt you for immediate action. Desktop Phishing?? The DNS ( Domain Name System ) contains the IPs address mapped with the website name ( Domain Name ) for all the websites on the internet, whenever we try to open a website we type the name of the website, the request goes to the DNS server where the mapped IP address is found and the a response is generated and we can view the webpage. But before going to the DNS server, in a windows system a host file (Windows/System32/drivers/etc/hosts file , this file controls the internet browsing in your PC )is consulted first which is located in the Windows drive. The files contains mapping of IP address and Domain Names. For example : 122.78.56.123 127.0.0.1 www.google.com localhost

If an entry is made into the host file such that the IP of the yahoo.com is written and the domain name is specified as www.google.com. Then everytime you try to open www.google.com, the page of yahoo will be displayed as the IP address of yahoo is given with that name. This can be used for phishing, if a phisher page of facebook is to be made , an entry has to be made in the host file which will contain the IP address of the fake page and the domain name entry as www.facebook.com. Next time, when the user will type the address of facebook in the address bar the fake page will come up. The point here to be noted is that the URL has no tampering so it becomes more difficult to identify the phisher page. This type of phishing can also be detected by some methods which are described afterwards in the article. The host file can be modified easily through a batch program, so the attacker just sends a batch file to the victim, and as the victim executes it, the attackers job is done.

Difference between phishing and desktop phishing In phishing an e-mail containing the link has to be sent whereas in desktop phishing a batch file does the job. In phishing the victim has to be convinced about the legitimacy of the organisation or the website where as in desktop phishing execution of the batch file matters. In phishing the domain name of the fake page and the original page are different where as in case of desktop phishing there is no difference in the domain name of the fake and original page. This is also the main drawback of normal phishing. Tab Napping Tab Napping is Tab+Kidnapping. All the browsers are vulnerable to this. Suppose you are browsing the internet in your favourite browser with multiple tabs open, in one of the tabs you have your favourite social networking website open and your accessing multiple tabs, after that when you browse to your social networking websites tab you find that the session has expired and it requires you to login again and and you enter your credentials and successfully redirected to your homepage or the inbox. This seems normal and doesnt matters but actually something happened in the background when you were switching between the tabs, while you were browsing one of the pages in the opened tabs has changed your social networking sites tab to the look alike login page of that social networking website, you innocently put your password over there and it gets kidnapped any you get tabnapped. But in reality your session never expired and you wont to come to as after putting your password your inbox or the home page is in front of you. How to be protected from tab napping? If you really think that your session has expired out or if there is any such notification, close that tab and open the URL in a new tab or simply type the URL manually in the same tab. Browser addons are also available but 100% percent dependency cant be assured but atleast something is better than nothing. The browsers can only alert you sometimes and afterwards the decision yours. Whats the DAMAGE?? 1. Not able to access the e-mail account or other online accounts. 2. Financial loss. 3. Identity theft. The attackers can use the identity information to create fake accounts in the name of victim or could destroy credit or the end result could be a destroyed life. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by Phishing, totaling approximately US$929 million How to detect phishing ?? Unsolicited Request: In the examples above, the mail from a bank is there but the fact is that no financial organisation or bank asks for your login credentials or your information on calls or e-mails. If you feel so that the information is required visit the bank or the organisation personally.

Dear Customer , no financial organisation or legitimate company addresses you by this, they have your name in their records and will address you by the same. Verify your account These are the favourite words of the attacker in a phishing message. If you missed the above two points, be alert on reading these words atleast. Click on the link below If you find these words in the message be alarmed, never click on the link or check it properly otherwise. These links will probably take you to a fake page of the real legitimate company. The phishing message generally contains many mistakes whether it is the language or the grammar. Last but not the least trust your instincts, if you are feeling that the message then it probably is. If you have a account with the bank or any legitimate organisation then you must be knowing the website of it, so there is simply no need to click on the link in the phishing message, simply open the website of the concerned organisation manually by typing the address. Watch out for the URL ( Uniform Resource Locator ), in simple words it means the text that appears in the address bar of your browser or the address of any website. Like in the above examples at the beginning, the change or the tampering in the URL is visible , they are tampered so as to look like the web address of the real company. Below is an example: http://www.google.com http://www.g00gle.com How to protect yourself ?? Now as you know what are the signs of phishing you can take some protective measures to protect yourself from it. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. Never respond to such mails. Never give or punch your password on the telephone. Inform the concerned organisation. Check the URL, Do not panic when you receive such messages. Never provide your password on any unsolicited request over the internet or telephone oe any other medium. If you have doubts contact the organisation personally. Never click on links provided in the mail, open the webpages manually. Review your account statements periodically to make sure that all the charges are genuine. If any popus seeks your personal information, it may be a phisher. Updated antivirus software, link scanner, spyware program is of great help. Be cautious when you download attachments irrespective of the sender. Real Address Fake Address

13. Never run any type of script in your address bar while you are signed in with your account. 14. Use different passwords for different sites, in today world of technology it may be hard but it helps a lot in protecting your information from phishers. 15. It is well said that a little info is not dangerous, be aware and updated about phishing attacks. 16. Never be taken away by money offers as in lottery scam or for a survey or it may be a product you never purchased, greed doesnt pays. 17. Logout everytime after accessing your bank info or any other website that is related to your private info. Do not just close the browser specially at public terminals. 18. Two Factor authentication such as a combination of a software password and an ATM card number can help you increase your security. 19. If any of your accounts have been compromised, shut down them at once. 20. If you even suspect that your password has gone to wrong hands, change it immediately. 21. Trust your Instincts. 22. Review the SSL certificate of the website on which you are providing your personal or any other private info. Every legitimate or original company has a SSL certificate so as to transmit the data securely over the internet. Every genuine login page opens with https instead of http, s in https is for secure. For example : https://www.gmail.com https://www.citibank.com When you open a original page, you can see a golden lock either at the address bar or near the bottom right corner of the browser which is absent in case of fake webpages. You can also look for a verisign certified logo on the website link, it is organisation that provide security certificates to the websites of various organizations. Also , if while opening a webpage you receive a certificate error then there is a probability of the website bring not real, a fake certificate may have been generated for the legitimate webpage. Anti-phishing websites There are various websites available on the internet that help you fight phishing and protect you from it. These websites maintain a collection of database of phishing website, you can report a phishing webpage if you discover any to these websites also. These sites also help you in determining whether a given webpage is a real or a fake one, you simply have to provide a URL you want to check. Some of these websites also teach you to discriminate between a phishing page and the real one. Following are some of the website : www.antiphishing.org www.phish-no-phish.com Anti-phishing softwares

Anti-phishing softwares help you to detect phishing webpages and e-mails by scanning them and looking for the phishing content. The attackers now a days are aware of this fact and instead of sending text they are sending the e-mails in the form of images to make things difficult for these softwares. Phishing pages can also be detected by the web browsers, web browsers now a days have the capability to detect and report possible phishing pages to the user. Some of the browsers may require extra plugins like that of an antivirus for detecting this.