Phishing into the Future. Starr Alexander, Sugato Bose, Annie Chanchaisri, Philip Fort, David Salley, Allen Walker, Thomas Witnauer

Upload: tobias-perry

Post on 18-Dec-2015


Page 1: Phishing into the Future Starr Alexander Sugato Bose Annie Chanchaisri Philip Fort David Salley Allen Walker Thomas Witnauer

Phishing into the Future

Starr Alexander, Sugato Bose, Annie Chanchaisri, Philip Fort, David Salley, Allen Walker, Thomas Witnauer

Page 2

What is Phishing?

The term originates in the analogy that internet scammers use e-mail lures to fish for passwords and financial data from the sea of internet users.

Page 3

What is Phishing?

Web page code is copied from a major site

A replica page that appears to be part of the company's site is set up

A fake e-mail is sent out with a link to this site

The replica page sends the financial data or password to the scammer

It then leaves the user on the real company web site

Page 4

The History

A form of social engineering attack

The term was coined in 1996 by hackers

It may have been used even earlier in "2600" (a hacker newsletter)

Page 5

The History

Earliest citation:

"It used to be that you could make a fake account on AOL so long as you had a credit card generator. However, AOL became smart. Now they verify every card with a bank after it is typed in. Does anyone know of a way to get an account other than phishing?"

- mk590, "AOL for free?", alt.2600, January 28, 1996.

Page 6

The History

Phishing is not a new concept

A type of scam that has been around for years

Predates computers

Called social engineering

Page 7

Phishing

The underlying concept of spoofing users into revealing sensitive information is not new

Password capturing via fake login prompts has been a basic hacker trick for years

Hackers did it over the phone for years

Page 8

Phone Phreaking

First form of hacking

Used a “blue box” that emitted tones that allowed a hacker to control phone switches

Made long distance calls billed to someone else’s account

Possibly the origin of the “PH” in phishing

Page 9

Navigating the Frontier: Where Frauds Are

1. Online Investment Newsletters

2. Online Bulletin Boards

3. Email Spams

Page 10

Country of Origin

Country % of Attacks*

United States 32.07%

Republic of Korea 15.39%

France 6.55%

China 6.40%

United Kingdom 4.06%

Germany 3.85%

Spain 3.81%

Japan 3.05%

Italy 2.48%

* by message count

- CipherTrust, 2004

Page 11

Top 10 Tricks Used in Phishing

1. Mimic Reputable Companies

2. Use a Different Reply Address From the Claimed Sender

3. Create a Plausible Premise

4. Require a Quick Response

5. Promise Security and/or Privacy

6. Collect Information in the E-mail

7. Link to Web Sites That Gather Information

8. Fake a Secure Connection

9. Process Submitted Information Immediately

10. Buy Time to Access Accounts

- MailFrontier, Inc. 2004
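Several of the tricks on this slide (2: different reply address, 4: quick response, 6: collecting information in the e-mail, 7: links that lead somewhere other than they claim, 8: faking a secure connection) leave traces in the message itself that a mail filter or help desk can check. The script below is an added example written for this page, not code from the deck or from MailFrontier; it uses only the Python standard library, and the two sample messages, addresses and hosts in it are constructed for illustration.

```python
"""Flag the Page 11 phishing tricks that show up in a raw e-mail message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Trick 4: wording that demands a quick response.
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|suspend(ed)?)\b", re.I)
# Something that reads like a hostname in anchor text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs and count form elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.form_elements = 0
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href") or ""
            self._text = []
        elif tag in ("form", "input"):
            self.form_elements += 1          # trick 6: the mail itself collects data

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Domain of the first address in a header, lower-cased ('' if absent)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def _text_host(anchor_text):
    m = HOST_IN_TEXT.match(anchor_text.strip())
    return m.group(1).lower() if m else None


def assess(raw_message):
    """Return a dict of indicator name -> bool for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    subject = str(msg.get("Subject", ""))

    collector = _LinkCollector()
    collector.feed(body)

    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))

    link_text_mismatch = False
    insecure_or_ip_link = False
    for href, text in collector.links:
        parsed = urlparse(href)
        href_host = (parsed.hostname or "").lower()
        shown = _text_host(text)
        if shown and href_host and shown != href_host:
            link_text_mismatch = True        # trick 7: link leads elsewhere
        if parsed.scheme == "http" or IPV4.fullmatch(href_host):
            insecure_or_ip_link = True       # trick 8: no real https / bare IP

    return {
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,  # trick 2
        "urgent_language": bool(URGENCY.search(subject + " " + body)),  # trick 4
        "form_in_email": collector.form_elements > 0,                    # trick 6
        "link_text_mismatch": link_text_mismatch,                        # trick 7
        "insecure_or_ip_link": insecure_or_ip_link,                      # trick 8
    }


# Constructed samples (hypothetical sender, reply address and hosts).
SAMPLE_PHISH = """From: "Example Bank Security" <security@example-bank.com>
Reply-To: collect@mail-drop.example.net
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you respond immediately.</p>
<p><a href="http://203.0.113.7/login">https://www.example-bank.com/secure</a></p>
</body></html>
"""

SAMPLE_LEGIT = """From: "Example Bank" <notices@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in at <a href="https://www.example-bank.com/statements">www.example-bank.com</a> to view it.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        hits = assess(sample)
        print(label, sum(hits.values()), "indicator(s):", [k for k, v in hits.items() if v])
```

Each indicator is a heuristic, not proof: a legitimate newsletter may use a mailing-list Reply-To, and a real bank may write "immediately". The value of running them together is that the constructed phish trips four of the five at once while the routine statement notice trips none, which is the pattern a filter should weight.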

Page 12

Other Forms of Hacking

Slamming: Switching a customer from one long distance carrier to another without permission

Web Cramming: A person or business accepts an offer for a free website, only to be charged a monthly fee on their phone bill

Identity Theft: The use of personal authentication information (e.g. name, social security number, etc.) to commit fraud by opening credit card accounts, ordering checks, etc.

Page 13

Consumer Confidence

28% of consumers identified fraudulent e-mails as legitimate according to a study by Mail Frontier Inc.

50% of consumers thought a legitimate Federal Trade Commission e-mail was fraudulent

20% of consumers identified a legitimate PayPal “payment received” e-mail as fraud

31% fell for a fraudulent PayPal e-mail that had been widely reported.

Page 14

Consumer Confidence

These statistics indicate how successfully phishing fools people

It is undermining the effectiveness of e-mail as a channel for communicating with consumers

If consumers cannot correctly identify a legitimate e-mail, they may ignore all business-related e-mails

Many fraudulent websites are hosted on computers in other countries

15% in the Republic of Korea, 6% in China, and 6% in France

The criminals may be in a different location from the computer

Page 15

Consumer Confidence

International locations make the sites harder to shut down because of time-zone and language barriers

The average life span of a fraudulent website is 2.25 days

Phishing is the fastest growing scam, according to Barbara Span of First Data

Phishing has gone from no complaints a year ago to #4 on the National Consumers League list

Page 16

Percentage of Corporate Phishing Victims

Company % of Attacks

Citibank 54.16%

Smith Barney 13.48%

Suntrust 10.02%

PayPal 7.57%

Wells Fargo 5.42%

HSBC 5.07%

eBay 4.15%

USBank 0.11%

CitizensBank 0.014%

- CipherTrust, 2004

Page 17

Software Solutions

1. Symantec: The Online Fraud Management Solution

2. SMS-based security over an SSL/TLS channel

Page 18

Existing Federal Laws

No existing law is solely devoted to phishing.

Existing federal laws do criminalize phishing, but mainly after a consumer has already been defrauded.

Such laws include the laws against wire fraud, identity theft, credit card fraud and computer fraud, the CAN-SPAM Act, and a number of trade laws.

The Identity Theft Penalty Enhancement Act (ITPEA) establishes a new crime of "aggravated identity theft". Convictions for aggravated identity theft, including phishing, would carry a mandatory two-year prison sentence.

Page 19

The Anti-Phishing Act

Bill introduced to the Senate by Senator Patrick Leahy on July 9, 2004.

It targets the entire scam, all the way from sending the e-mail to creating fraudulent sites.

It averts free speech issues by exempting parodies and political speech (via email or on websites) from its reach.

It stipulates that the perpetrator must have the specific criminal purpose of committing a crime of fraud or identity theft.

Page 20

Strengths of the Act

It criminalizes the bait, not just successful phishing.

It makes it illegal to knowingly send out spoofed email that links to sham websites, with the intention of committing a crime.

It criminalizes the operation of the sham websites that are the locus of the wrongdoing.

If the bill were to become law, then each and every element of the scam would become a felony subject to five years in prison and/or a fine up to $250,000.

Page 21

Tips to Protect Yourself from Phishing Scams

1. Never Click on Hyperlinks within Emails

2. Use Anti-Spam Filter Software

3. Use Anti-Virus Software

4. Use a Personal Firewall

5. Keep Software Updated (Operating Systems and Browsers)

6. Always Look for "https" and the "padlock" on sites that request personal information

7. Keep Your Computer Clean From Spyware

8. Educate Yourself on Fraudulent Activity on the Internet

9. Check Your Credit Report Immediately, for Free

10. Seek Advice if You're Unsure

Page 22

What To Do If You Are A Victim

For financial concerns, close accounts immediately and call your institution

For SSN concerns, again call your bank

Clear yourself of responsibility

Check your credit report

Contact FTC

Page 23

MailFrontier Phishing IQ Test II

http://survey.mailfrontier.com/survey/quiztest.html

Page 24

Questions???