PRESENTED BY

Shiv seminar final

Page 1: Shiv seminar final

Page 2: Shiv seminar final

• Phishing basics

• Introduction

• Flow of information in phishing attack

• Phishing attacks

• Common procedure of phishing attack

• Approaches to prevent phishing attack

• Proposed system

• Flow chart

• Conclusion

• Reference

Page 3: Shiv seminar final

• What is phishing?

• Why it is called phishing?

• Pronounced as "fishing".

• The word has its origin in two words: "password harvesting", or fishing for passwords.

• Also known as "brand spoofing".

Page 4: Shiv seminar final

Phishing is a kind of online security attack in which the attacker creates a replica of an existing web page to fool users into giving up their personal, financial, or password data.

Phishing often directs users to enter details in a fake website whose URL, look and feel are almost identical to the legitimate one.

Current anti-phishing systems have failed to prevent phishing completely.

An anti-phishing algorithm termed "Phish-Secure" is proposed.

Phish-Secure utilizes a three-factor authentication system which successfully detects and prevents all phishing attacks.

Page 5: Shiv seminar final

1. A deceptive message is sent from the phishers to the user.

2. The user provides confidential information to a phishing server (normally after some interaction with the server).

3. The phishers obtain the confidential information from the server.

4. The confidential information is used to impersonate the user.

5. The phishers obtain illicit monetary gain.

Page 6: Shiv seminar final

Phishing by URL Obfuscation

For example, the customer may follow a link to http://www.mybank.com.ch/ instead of the original link http://www.mybank.com/.

This is a fake website for Facebook which looks the same as the legitimate website:

www.sanagustinturismo.co/Facebook/

Page 7: Shiv seminar final

Pharming

Pharming is an attack that aims to redirect a website's traffic to another, bogus website.

Pharming can be conducted by either DNS poisoning or HOSTS file modification.

DNS poisoning

The attacker compromises the DNS server and changes the IP address for www.targetsite.com to the IP of www.targetsite1.com (fake page).

When the user enters the URL in the address bar, the computer queries the DNS server for the IP address of www.targetsite.com.

Since the DNS server has already been poisoned by the attacker, it returns the IP address of www.targetsite1.com (fake page).

The user believes it is the original website, but it is a phishing page.

Page 8: Shiv seminar final

HOSTS file modification

This method is local DNS poisoning.

The hosts file contains domain names and the IP addresses associated with them. Your host file will be in this path:

The attack changes the entries of the hosts file so that the original website points to some other fake page.

Other types of pharming attacks involve Trojan horses, worms or other technologies that attack the browser address bar, thus redirecting you to a fraudulent website when you type in a legitimate address.
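A defensive check for the HOSTS file modification described above, as an added example that is not part of the original slides: it parses hosts-file text and reports every entry that overrides DNS for a watched domain. The sample file content and the watch list are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from a real machine).
SAMPLE_HOSTS = """\
# Constructed sample for illustration
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.targetsite.com targetsite.com   # constructed tampered entry
0.0.0.0         ads.example.net
192.0.2.10      intranet.example.org
"""

# Hypothetical watch list: names that should only ever be resolved through DNS.
WATCHED = {"www.targetsite.com", "targetsite.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:                   # one line may carry aliases
            yield ip, name.lower().rstrip("."), line_no


def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip) for watched names pinned in the file."""
    return [(line_no, name, str(ip))
            for ip, name, line_no in parse_hosts(text)
            if name in watched]


if __name__ == "__main__":
    for line_no, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}, bypassing DNS")
```

Any hit is worth investigating, since a hosts-file entry takes precedence over DNS for that name.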

Page 9: Shiv seminar final

Man-in-the-middle Attacks

In this type of attack, the attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems.

For this, the attacker must redirect the user to their proxy server instead of the real server. This may be carried out through:

• DNS cache poisoning

• URL obfuscation

Page 10: Shiv seminar final

Phishing attacks are performed with the following steps:

1) Phishers set up a fake Web site which looks exactly like the legitimate Web site, which includes setting up the web server and creating web pages similar to the destination Web site.

2) The user receives the e-mail, opens it, clicks the spoofed hyperlink in the e-mail, and inputs the required information.

Page 11: Shiv seminar final

There are several technical and non-technical ways to prevent Phishing attacks:

Educate users to understand how phishing attacks work and to be alert when phishing-like e-mails are received.

Use technical methods to stop phishing attackers.

Here we focus only on the technical aspect.

Page 12: Shiv seminar final

Technical approaches to prevent "Phishing" attacks

Detect and block phishing in time

If we detect the phishing Web sites in time, we can block the sites and prevent phishing attacks.

DNS Scan

The webmaster of a legal web site periodically scans the root DNS for suspicious sites (e.g. www.icci.com vs. www.icici.com).
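The DNS scan above, and the URL obfuscation case from the earlier slide (www.mybank.com.ch vs. www.mybank.com), can both be expressed as a lookalike check. This is an added example, not part of the original slides; the observed-name lists are constructed, and treating www.icici.com as the legitimate name is an assumption.

```python
def edit_distance(a, b):
    """Levenshtein distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalikes(legit, observed, max_distance=2):
    """Return (name, reason) for observed names that imitate the legitimate one."""
    legit = legit.lower().rstrip(".")
    hits = []
    for name in observed:
        name = name.lower().rstrip(".")
        if name == legit:
            continue                                   # the real site itself
        if name.startswith(legit + "."):
            # e.g. www.mybank.com.ch: the real name with extra labels appended
            hits.append((name, "legitimate name used as a prefix"))
        elif edit_distance(legit, name) <= max_distance:
            # e.g. www.icci.com: one character away from www.icici.com
            hits.append((name, "near-identical spelling"))
    return hits


if __name__ == "__main__":
    # Constructed lists standing in for names seen during a periodic scan.
    print(lookalikes("www.icici.com",
                     ["www.icici.com", "www.icci.com", "www.example.org"]))
    print(lookalikes("www.mybank.com", ["www.mybank.com.ch"]))
```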

Page 13: Shiv seminar final

Enhance the security of the web sites

Business websites can adopt new methods to guarantee the security of users' personal information.

One method to enhance the security is to use hardware devices.

For example, Barclays bank provides a hand-held card reader to its users.

Use biometric characteristics (e.g. voice, fingerprint, iris, etc.) for user authentication.

Install online anti-phishing software on users' computers

Users install anti-phishing tools on their computers.

The anti-phishing tools are categorized as:

blacklist/whitelist based.

Page 14: Shiv seminar final

A. Image Similarity Detection

Image similarity detection helps in finding out which page the user intends to visit; that page is then checked for phishing.

For this purpose the system captures an image of the webpage at a particular resolution in the required format. This image is termed the visual image.

An attacker creating a phishing site will use a replica of the original webpage in order to fool users.

Phish-Secure compares the visited page with the pages in the database to find the similarity between them.

Page 15: Shiv seminar final

Table of Sample Database Structure

The similarity is obtained as a percentage; if the percentage of similarity (PS) is greater than 99%, then Phish-Secure concludes which website the user intends to visit.

Page 16: Shiv seminar final

B. Factor 1: URL Verification

When the user visits any site, Phish-Secure immediately grabs the URL of the visited page. If the visited page URL is encoded, Phish-Secure decodes it.

Then a comparison is made between the actual URL and the visual URL. If they are the same, further verification is carried out. If they are different, Phish-Secure identifies the website as phishing.

Page 17: Shiv seminar final

C. Factor 2: Blacklisting (Based on IP)

When the user visits a webpage, Phish-Secure grabs the destination IP, which shows the IP address the user is connecting to; this is referred to as V_IP (Visual IP).

If an attacker's web server IP address has already been found guilty, that IP is blacklisted.

Phish-Secure checks the V_IP against this blacklist and warns the user if it is found. If the V_IP is not found in the blacklist, further verification is done in the following step.

Page 18: Shiv seminar final

D. Factor 3: Layer 3's Destination Address Verification

Phish-Secure grabs the actual list of IP addresses of the provider to which the user intends to connect.

This list of IP addresses is referred to as actual IP [ ] and is checked against the V_IP, i.e. the IP address to which the user is getting connected.

If these two IP addresses are the same, Phish-Secure identifies the site as genuine and returns an "authenticated" message. On the other hand, if there is a mismatch in the above verification, Phish-Secure identifies the site as phishing and warns the user.
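The three factors above, chained into one decision function. This is an added example, not the authors' implementation: the database record, field names, blacklist entry and IP addresses are constructed, PS is taken as an input from the image-similarity step, and comparing hostnames (rather than full URLs) and returning "unknown" below the threshold are assumptions.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

PS_THRESHOLD = 99.0  # from the slides: PS must be greater than 99 %

# Constructed record; the field names are hypothetical, not the authors' schema.
DATABASE = {
    "mybank": {
        "actual_url": "http://www.mybank.com/",
        "actual_ips": {"198.51.100.10", "198.51.100.11"},
    },
}
BLACKLIST = {"203.0.113.66"}  # constructed blacklisted server IP


def host_of(url):
    """Parse first, then percent-decode the host, so an encoded '/' or '@'
    cannot shift the host boundary during decoding."""
    return unquote(urlsplit(url).hostname or "").lower()


def phish_secure(visited_url, v_ip, site_id, ps, db=DATABASE, blacklist=BLACKLIST):
    """Return (verdict, reason) for one page visit."""
    if ps <= PS_THRESHOLD:
        # Assumption: the slides do not say what happens below the threshold.
        return "unknown", "no stored page is similar enough"
    record = db[site_id]
    v_ip = str(ipaddress.ip_address(v_ip))       # normalise the textual form
    # Factor 1: decoded visual URL must match the actual URL (host compared).
    if host_of(visited_url) != host_of(record["actual_url"]):
        return "phishing", "factor 1: URL mismatch"
    # Factor 2: destination IP must not be on the blacklist.
    if v_ip in blacklist:
        return "phishing", "factor 2: V_IP is blacklisted"
    # Factor 3: destination IP must be one of the provider's actual IPs.
    if v_ip not in record["actual_ips"]:
        return "phishing", "factor 3: V_IP not in actual IP list"
    return "authenticated", "all three factors passed"


if __name__ == "__main__":
    print(phish_secure("http://www.mybank.com/login", "198.51.100.10", "mybank", 99.7))
    # Encoded URL obfuscation: decodes to www.mybank.com.ch
    print(phish_secure("http://www.mybank.com%2Ech/login", "203.0.113.5", "mybank", 99.7))
    # Pharming: correct URL, but DNS or hosts tampering changed the destination
    print(phish_secure("http://www.mybank.com/login", "203.0.113.5", "mybank", 99.7))
```

The third call shows why factor 3 matters: a poisoned DNS answer or hosts entry leaves the URL correct, so only the destination IP check catches it.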

Page 19: Shiv seminar final
Page 20: Shiv seminar final

Phishing has become a serious online security threat which causes loss of sensitive data, which in turn causes losses of billions of dollars to both consumers and e-commerce companies.

In this work, 'Phish-Secure', an anti-phishing algorithm, has been designed.

Phish-Secure is capable of detecting both known and unknown phishing attacks. Phish-Secure verifies whether the user is connected to the website to which he actually intends to connect.

Since this is based on verification of the destination server's IP address, the probability of a phishing attack is drastically reduced.

Page 21: Shiv seminar final
Page 22: Shiv seminar final