Phishing & Pharming

Devendra Yadav31/05/2007

Introduction11

Phishing Techniques22

Pharming Techniques33

Phishing Statistical Highlights44

Phishing/Pharming Demo55

In Computing both Phishing and Pharming are criminal activity

Both Phishing and Pharming are methods used to steal personal information over the Internet

User Id/Password Credit Card Number PIN

Phishing is typically carried out using email or an instant message, and often directs users to give details at a website

Pharming is a hacker's attack aiming to redirect a website's traffic to another (bogus) website.

Pharming is more dangerous than Phishing

In Phishing incorrect client request is sent and if user is little bit intelligent he/she can identify it very easily

In Pharming correct Client request is sent and that get redirected to wrong server. So identifying it is difficult for intelligent users also

12

43

Hacker Creates Fake website

Send link of website to user using mail/instant messaging

User opens link provided by Hacker

User start sending/receiving information from Fake website

Hacker 1

Fake website

24

3

User

Technique -1 Link manipulationIn this technique hackers manipulate links in such manner that it’s difficult for user to identify whether is page is served form correct website or fake website. Few of such techniques are 1. Misspelled URLs e.g. http://www.0rkut.com

2. Sub domains e.g. http://www.yourbank.com.example.com/ 3. Using “@” e.g. http://www.google.com@members.tripod.com/

Technique -2 Website forgeryIn this technique hackers alter the address bar 1. Hiding Address bar 2. Altering the content of Address bar using scripts 3. putting image with legitimate URL over address bar

In Pharming attackers try to redirect the user’s requests (web traffic) to a bogus website, for doing this commonly used techniques are:

◦ Altering Host File Host File location

%windir%/system32/drivers/etc/hosts (Windows) /etc/hosts (Unix) Sample Host file

◦ Hijacking DNS Server/Local Network Router

Web ServerIP : 64.233.187.99

google.com

64.233.187.99

64.233.187.99

google.com1

2

3

4 2

IP add. is not specified in Host file

IP add. is specified in Host file

DNS & Host File

Number of unique phishing reports received in April: 23656 Number of unique phishing sites received in April: 55643 Number of brands hijacked by phishing campaigns in April: 172 Country hosting the most phishing websites in April: United States No hostname just IP address: 6 % Percentage of sites not using port 80: 1.5 % Average time online for site: 3.8

days Longest time online for site: 27 days

Source: APWG(http://www.antiphishing.org)

Source: APWG(http://www.antiphishing.org)

1. United State 28.44%2. France 26.9%3. Republic of Korea 21.05%,4. Romania 2.04%5. China 1.9%6. Germany 1.9%7. Russia 1.75%8. United Kingdom 1.46%9. Turkey 1.46%,10. Netherlands 1.17%.

Source: APWG(http://www.antiphishing.org)

Live Phishing URLs http://website.lineone.net/~farrago/cia/phish/ebay2.htm http://www.popsite-almere.nl/fotos/nieuws/data/

www.anz.com/anzbank/ANZ/Bankmain.htm http://posssit.freehostia.com/bancoposta.online.it/bpol/

poste//login-privati1.html http://www.safe-surf.org/cgi-bin/cgiproxy/nph-proxy.pl/

000100A/http/www.myspace.com/ http://halifax-online-co-uk.idiotica.co.uk/_mem_/

formslogin.asp/ http://session-7393533.nationalcity.com.userpro.tw/

corporate/onlineservices/TreasuryMgmt/

Thank You !