
New Internet Financial Fraud Trend ---Fighting the Phishing Scam

CNCERT/CC, APCERT. Jan. 2005, APAN. www.cert.org.cn. Abstract: Overview of Phishing; Phishing analyses; Prevention; CNCERT/CC activities in Anti-phishing.


Presentation Transcript


  1. New Internet Financial Fraud Trend ---Fighting the Phishing Scam CNCERT/CC APCERT Jan. 2005 APAN www.cert.org.cn

  2. Abstract: • Overview of Phishing • Phishing analyses • Prevention • CNCERT/CC activities in Anti-phishing

  3. Overview of Phishing What is Phishing? • -- Phishing attacks use 'spoofed' e-mails and fake websites designed to bamboozle recipients into revealing confidential information with economic value such as credit card numbers, account usernames and passwords, social security numbers, etc.

  4. Overview of Phishing Phishing is Epidemic: • --7 of 10 people who received a phishing e-mail are spoofed • --15% are tricked into providing personal information

  5. Overview of Phishing • Statistics Up to the end of 2004, CNCERT/CC received 230 phishing reports from over 33 financial and security organizations worldwide.

  6. Overview of Phishing • Statistics Oct. 2004

  7. Dec. 2004

  8. Overview of Phishing • Oct. vs. Dec. • The number of sites hosted in the US appears to be on the decline, decreasing to 29% of the total during October. China, Korea, and Russia are next on the list with 16%, 9%. • The United States continues to be the top geographic location for hosting phishing sites, with more than 32%. Other top countries are, in order: China 12%, Korea 11%, Japan 2.8%, Germany 2.7%, France 2.7%, Brazil 2.7%, Romania 2.2%, Canada 2.1%, and India 2.1%.

  9. Overview of Phishing • Statistics

  10. Overview of Phishing • Damage --Average economic loss of $115 per adult duped. (E-Trust) --$500 million lost due to phishing in the U.S. (APWG) --A phishing site had been visited 98 times in 48 hours (98 different IPs): 49 persons/day * 10 * 15% * $115 = $8452.5/case

  11. Overview of Phishing • Number of active phishing sites reported in December: 1707 • Average monthly growth rate in phishing sites July through December: 24% • Number of brands hijacked by phishing campaigns in December: 55 • Number of brands comprising the top 80% of phishing campaigns in December: 7 • Country hosting the most phishing websites in December: United States • Contain some form of target name in URL: 24% • No hostname just IP address: 63% • Percentage of sites not using port 80: 13.1% • Average time online for site: 5.9 days • Longest time online for site: 30 days
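The three URL traits counted on slide 11 (bare IP address instead of a hostname, a port other than 80, the target's name somewhere in the URL) can be checked mechanically when triaging a reported link. The following is an added example, not part of the presentation; the brand `examplebank`, its domain and the sample URLs are constructed, and treating 443 as a normal web port is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

WEB_PORTS = {80, 443}  # assumption: ports the genuine site is expected to use


def url_indicators(url, brand, official_domains):
    """Return which slide-11 traits a reported URL shows.

    brand and official_domains are supplied by the analyst; the values
    used in SAMPLES below are hypothetical.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = set()

    # Trait: "No hostname, just IP address"
    try:
        ipaddress.ip_address(host)
        is_ip = True
        found.add("ip-literal-host")
    except ValueError:
        is_ip = False

    # Trait: "sites not using port 80"
    try:
        port = parts.port
    except ValueError:      # non-numeric or out-of-range port
        port = -1
    if port is not None and port not in WEB_PORTS:
        found.add("unusual-port")

    # Trait: "some form of target name in URL" while the host is not one
    # of the brand's own domains (exact match or a subdomain of one).
    official = not is_ip and any(
        host == d or host.endswith("." + d) for d in official_domains)
    if not official and brand.lower() in url.lower():
        found.add("brand-in-url-off-domain")
    return found


# Constructed sample URLs (documentation address range and .example names).
SAMPLES = [
    "http://192.0.2.10:5180/examplebank/login.htm",
    "http://examplebank.secure-login.example/",
    "https://www.examplebank.example/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, sorted(url_indicators(u, "examplebank", ["examplebank.example"])))
```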

  12. Phishing analyses • How it works Spoofed E-mail

  13. Phishing analyses • How it works Fake Web Site

  14. Phishing analyses • Tech in Phishing Fake log in window pop-up

  15. Phishing analyses • Tech in Phishing Fake log in window pop-up The site looks like the normal bank site; however, it is hosted in a different location. Most of the hosts had been intruded, and the site was planted there by a hacker. It also sometimes contains malicious code.

  16. Phishing analyses • Tech in Phishing Hide the fake URL by covering the address bar

  17. Phishing analyses • Tech in Phishing IP Filter

      // $ip and $folder are not defined on the slide.
      // Compare the visitor's IP against every line of ip.txt.
      $file_ip = fopen("ip.txt", "r");
      while (! feof($file_ip)):
          $line = fgets($file_ip, 100);
          $line = trim($line);
          $flood_ip = ereg($ip, $line);
          if ($flood_ip):
              // IP already recorded: submitted data goes to bad.txt
              $file = "$folder/bad.txt";
              $need_to_add_ip = 0;
          else:
              // IP not matched: submitted data goes to good.txt
              $file = "$folder/good.txt";
              $need_to_add_ip = 1;
          endif;
      endwhile;
      fclose($file_ip);
      // Record a new IP so that a repeat visit is recognised
      if ($need_to_add_ip == 1):
          $add_ip = fopen("ip.txt", "a+");
          $success_ip = fwrite($add_ip, "$ip");
          fclose($add_ip);
      endif;

  18. Phishing analyses • Tech in Phishing IP Filter The same IP may not visit the site twice. The IP that provided the bad information is banned……..

  19. Phishing analyses • Tech in Phishing unconventional port

      Pid  Process      Port  Proto  Path
      436  svchost  ->  135   TCP    C:\WINNT\system32\svchost.exe
      492  msdtc    ->  1025  TCP    C:\WINNT\system32\msdtc.exe
      912  MSTask   ->  1026  TCP    C:\WINNT\system32\MSTask.exe
      792  sqlservr ->  1433  TCP    d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
      896  r_server ->  4899  TCP    C:\WINNT\System32\r_server.exe
      964  http     ->  5121  TCP    c:\winnt\system32\http.exe
      964  http     ->  5125  TCP    c:\winnt\system32\http.exe
      964  http     ->  5180  TCP    c:\winnt\system32\http.exe
      996  web      ->  6121  TCP    c:\winnt\system32\web.exe
      996  web      ->  6125  TCP    c:\winnt\system32\web.exe
      996  web      ->  6180  TCP    c:\winnt\system32\web.exe
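A process-to-port listing like the one on slide 19 is easiest to review by comparing it with the listeners an administrator expects on the host. The following is an added example, not part of the presentation: the listing is copied from the slide, while the `BASELINE` of expected listeners is an assumption made for illustration.

```python
import re
from collections import defaultdict

# One listing row: pid, process name, "->", port, protocol, image path.
LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*->\s*(\d+)\s+(TCP|UDP)\s+(\S.*)$")

# Assumption: listeners the administrator expects on this host.
BASELINE = {"svchost": {135}, "msdtc": {1025},
            "mstask": {1026}, "sqlservr": {1433}}

# Listing as shown on slide 19.
LISTING = r"""
Pid Process Port Proto Path
436 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
492 msdtc -> 1025 TCP C:\WINNT\system32\msdtc.exe
912 MSTask -> 1026 TCP C:\WINNT\system32\MSTask.exe
792 sqlservr ->1433 TCP d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
896 r_server -> 4899 TCP C:\WINNT\System32\r_server.exe
964 http -> 5121 TCP c:\winnt\system32\http.exe
964 http -> 5125 TCP c:\winnt\system32\http.exe
964 http -> 5180 TCP c:\winnt\system32\http.exe
996 web -> 6121 TCP c:\winnt\system32\web.exe
996 web -> 6125 TCP c:\winnt\system32\web.exe
996 web -> 6180 TCP c:\winnt\system32\web.exe
"""


def parse(listing):
    """Return (pid, process, port, proto, path) for each data row."""
    rows = []
    for line in listing.splitlines():
        m = LINE.match(line)          # header and blank lines do not match
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path.strip()))
    return rows


def unexpected_listeners(listing, baseline=BASELINE):
    """Group listeners missing from the baseline by (pid, image path)."""
    flagged = defaultdict(list)
    for pid, proc, port, _proto, path in parse(listing):
        if port not in baseline.get(proc.lower(), set()):
            flagged[(pid, path.lower())].append(port)
    return {key: sorted(ports) for key, ports in flagged.items()}


if __name__ == "__main__":
    for (pid, path), ports in unexpected_listeners(LISTING).items():
        print(pid, path, ports)
```

Grouping by PID shows when a single executable holds several listening ports at once, which is the pattern to hand to whoever owns the host for confirmation.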

  20. Prevention • Whose responsibility? --Bank or Financial organization --Internet User or IDC --CERTs --Internet Banking Customer

  21. Prevention • Whose responsibility? --Bank or Financial organization The organizations that provide internet dealing or banking services have the responsibility to ensure that their websites are not easy to imitate or mimic. They are also responsible for providing security awareness education.

  22. Prevention • Whose responsibility? --Internet User or IDC Every internet user is responsible for protecting themselves. Most of the hosts were intruded because of unpatched or unprotected systems. Therefore, users should frequently update their systems and install a firewall, anti-virus, and other protection before they connect to the internet.

  23. Prevention • Whose responsibility? --CERTs Up to now, many people and countries have been affected by phishing incidents. Fighting phishing needs somebody to coordinate. They are CERTs.

  24. Prevention • Whose responsibility? --Internet Banking Customer Users need to be aware of how to protect themselves and how to distinguish a phishing site.

  25. Prevention • How to prevent E-mail: Make sure the e-mail is from the Bank….. - Check the ‘from IP’

  26. Prevention • How to prevent Host IP: Confirm the IP location by visiting www.whois.net - the website will be able to provide the host info

  27. Prevention • How to prevent Direct contact: Double-check the info in the mail by calling the bank directly.

  28. Prevention • How to prevent Stop spoofed mail (for bank) Sender ID: Supported by Microsoft, E-trust, Hotmail, Sendmail, etc. IIM (Identified Internet Mail): Cisco and IETF (Internet Engineering Task Force)

  29. CNCERT/CC activities in Anti-phishing • Bank, Financial organization or other national CERT CNCERT receives the report and investigates the info of the host, such as the location, owner, and ISP.

  30. CNCERT/CC activities in Anti-phishing • Host owner The relevant CNCERT/CC branch convinces them to take the site down, provide the data, tech support and security consulting. *CERT is not the police, and the host owner is also a victim. CERT may only convince the host owner to cooperate.

  31. CNCERT/CC activities in Anti-phishing • ISP Ask for help, and assist the ISP with the investigation in certain cases.

  32. CNCERT/CC activities in Anti-phishing • Public Awareness education and consulting

  33. Conclusion • Always be aware of security • Protect your system • Help people to investigate the incident • Tell people about network security • Report the incident to the ISP or CERT • Consult the CERT about security

  34. Question?

  35. Thank you E-mail: larryliu@cert.org.cn