Module4 Cyber

Chapter 4 discusses phishing and identity theft, outlining the methods used by phishers to deceive individuals into revealing personal information. It highlights legal repercussions under the IT Act and provides statistics on phishing trends, targeted organizations, and tactics employed by phishers. The chapter also offers countermeasures to reduce spam emails and protect against identity theft.

Uploaded by gildajasmine

Chapter 4: Phishing and Identity Theft

Phishing and Identity Theft: Introduction, methods of phishing, phishing techniques, spear phishing, types of phishing scams, phishing toolkits and spy phishing, countermeasures, Identity Theft
Introduction
Phishing is one of the methods used to entice netizens into revealing personal information that can then be used for identity theft.
• ID theft involves unauthorized access to personal data.
• Section 66C of the IT Act states that "whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment for a term which may extend to three years and shall also be liable to a fine which may extend to one lakh rupees."
• Section 66D of the IT Act states that "whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to one lakh rupees."
• Phishing is a social engineering tactic used to trick users into revealing confidential information.
Statistics about Phishing
1. A Phishing map is available on www.avira.com; its virtual lab monitors the evolution of E-Mail Phishing across the globe.
2. The graphical illustrations available on www.m86security.com monitor the origins from which Phishing E-Mails are sent.
→ Facebook, HSBC (HSBC Holdings plc is a British multinational universal bank and financial services holding company), PayPal and Bank of America are the targeted organizations.
→ The US, India and China are the targeted countries.
3. Phishing attacks are monitored on a daily basis and displayed on www.phishtank.com.
4. According to the May 2009 Phishing Monthly Report compiled by the Symantec Security Response Anti-Fraud Team, a total of 3,650 non-English Phishing websites were recorded in the month of May 2009.
→ Phishing URLs are categorized based on their top-level domains (TLDs). The most used TLDs in Phishing websites during May 2009 were ".com", ".net" and ".org", comprising 50%, 9% and 5%, respectively.
→ The Phishing Activity Trends Report for Q4-2009 published by the Anti-Phishing Working Group (APWG) states the Phishing attack trends and statistics for the quarter. It is important to note that financial organizations, payment services and auction websites are ranked as the most targeted industry, and that Port 80 [HTTP] is found to be the most popular port in use, followed by Port 443 [SHTTP] and Port 8080 (web server), among all the phishing attacks.
APWG (Anti-Phishing Working Group)
• www.antiphishing.org is an international consortium, founded in 2003 by David Jevans, that brings together security products and services companies, law enforcement agencies, government agencies, trade associations, regional and international treaty organizations and communications companies affected by Phishing attacks.
• APWG has more than 3,200 members from more than 1,700 organizations and agencies across the globe.
• To name a few, member organizations include leading security companies such as BitDefender, Symantec, McAfee, VeriSign and IronKey.
• ING Group, VISA, Mastercard and the American Bankers Association are the members from the financial industry.
• APWG is focused on eliminating the identity theft that results from the growing number of Phishing and E-Mail Spoofing attacks/scams.
• APWG provides a platform to discuss Phishing issues, define the scope of the Phishing problem in terms of costs, and share information about best practices against these attacks/scams.
Phishing
Wikipedia:
• It is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Webopedia:
• It is the act of sending an E-Mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for ID theft.
• The E-Mail directs the user to visit a website where they are asked to update personal information, such as passwords and credit card, social security and bank account numbers, that the legitimate organization already has.
• The website, however, is bogus and set up only to steal the user's information.
Tech Encyclopedia:
• It is a scam to steal valuable information such as credit card and social security numbers (SSN), user IDs and passwords.
• It is also known as "brand spoofing."
• An official-looking E-Mail is sent to potential victims pretending to be from their bank or retail establishment.
• E-Mails can be sent to people on selected lists or any list, expecting that some percentage of recipients will actually have an account with the organization.
• It is a type of deception designed to steal your identity.
• Here the phisher tries to get the user to disclose personal information such as credit card numbers, passwords, account data or other information.
• E-Mail is the popular medium of Phishing attack, and such E-Mails are also called Spam; however, not all E-Mails are Spam E-Mails.
• Types of E-Mails → Spam E-Mails and hoax E-Mails
Spam E-Mails and hoax E-Mails
• Spam E-Mails → junk E-Mails
• Identical messages sent to numerous recipients.
• Spam has grown since 1990 → botnets (networks of virus-infected computers) are used to send 80% of spam E-Mails.
• Types →
1. Unsolicited Bulk E-Mail (UBE) → E-Mail sent in large quantities.
2. Unsolicited Commercial E-Mail (UCE) → E-Mail sent for a commercial purpose such as advertising.
SPAMBOTS (UBE)
• An automated computer program and/or script, mostly developed in the C programming language, used to send Spam mails.
• SPAMBOTS gather E-Mail addresses from the Internet to build a mailing list.
• They are also called web crawlers, as they gather E-Mail addresses from numerous websites, chatroom conversations, newsgroups and special interest group (SIG) postings.
• → A SPAMBOT scans for two things: a) hyperlinks and b) E-Mail addresses.
• The term SPAMBOT is also sometimes used with reference to a program designed to prevent spam from reaching the subscribers of an Internet service provider (ISP).
• Such programs are called E-Mail blockers and/or filters.
Tactics used by Phishers to attack common people using E-Mails asking for valuable information about the recipient or to verify details
1. Names of legitimate organizations: Instead of creating a phony company from scratch, the phisher might use a legitimate company's name and incorporate the look and feel of its website (i.e., including the color scheme and graphics) into the Spam E-Mail.
2. From a real employee: The real name of an official who actually works for the organization will appear in the "from" line or the text of the message (or both). This way, if a user contacts the organization to confirm whether "Rajeev Arora" truly is "Vice President of Marketing", the user gets a positive response and feels assured.
3. URLs that look right:
• The E-Mail might contain a URL (i.e., weblink) which seems to be a legitimate website where the user can enter the information the phisher would like to steal.
• However, in reality the website will be a quickly cobbled copycat, a "spoofed" website that looks like the real thing, that is, the legitimate website. In some cases, the link might lead to selected pages of a legitimate website, such as the real company's actual privacy policy or legal disclaimer.
4. Urgent messages:
• Creating fear to trigger a response is very common in Phishing attacks: the E-Mails warn that failure to respond will result in no longer having access to the account, or the E-Mails might claim that the organization has detected suspicious activity in the user's account or that the organization is implementing new privacy software as an ID theft solution.
Here are a few examples of phrases used to entice the user to take the action.
1. Verify your account:
• The organization will never ask the user to send passwords, login names, permanent account numbers (PANs), SSNs or other personal information through E-Mail.
• For example, if you receive an E-Mail message from Microsoft asking you to update your credit card information, do not respond without confirming with Microsoft authorities; this is a perfect example of a Phishing attack.
2. You have won the lottery:
• The lottery scam is a common Phishing scam known as advance fee fraud. One of the most common forms of advance fee fraud is a message that claims that you have won a large sum of money, or that a person will pay you a large sum of money for little or no work on your part.
• The lottery scam often includes references to big companies, for example, Microsoft. There is no Microsoft lottery.
• It is observed that most of the phishing E-Mails display agencies/companies situated in Great Britain, and hence it is extremely important for netizens to confirm/verify the authenticity of such E-Mails before sending any response. If any E-Mail is received displaying "You have won the lottery in Great Britain," confirm it on www.gamblingcommission.gov.uk.
• If any E-Mail is received displaying your selection for any job in Great Britain, confirm/verify the details of the organization on www.companieshouse.gov.uk or on http://www.upmystreet.com/local/uk.html.
3. If you don't respond within 48 hours, your account will be closed:
• These messages convey a sense of urgency so that you will respond immediately without thinking. A Phishing E-Mail message might even claim that your response is required because your account might have been compromised.
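The tactics and phrases listed above (a real-sounding employee name in the "from" line, a link whose visible text looks right but points elsewhere, and urgency wording) can be turned into a simple triage check that a mail-filtering or awareness team might run over suspicious messages. The Python below is an added example, not code from the chapter or from any product it mentions; the two sample messages, the organization domain examplebank.example, the sender domain examplebank-secure.invalid, the address 203.0.113.7 and the phrase list are all constructed for this example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure phrases taken from the chapter's list of tactics (constructed list, not exhaustive).
URGENCY_PHRASES = [
    "verify your account",
    "you have won the lottery",
    "within 48 hours",
    "account will be closed",
    "suspicious activity",
    "update your credit card",
]

# Crude HTML anchor and "looks like a domain" patterns; good enough for a demo, not a parser.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Approximate registrable domain as the last two labels (no public-suffix list here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_mismatches(html):
    """(href_host, shown_domain) pairs where the visible link text names a different domain."""
    found = []
    for href, text in LINK_RE.findall(html):
        href_host = host_of(href)
        plain = re.sub(r"<[^>]+>", "", text)
        for shown in DOMAIN_IN_TEXT_RE.findall(plain):
            if registrable(shown.lower()) != registrable(href_host):
                found.append((href_host, shown))
    return found


def score_message(msg):
    """msg: dict with 'from', 'claimed_org_domain', 'body_html'. Returns (score, reasons)."""
    reasons = []
    _name, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = msg["claimed_org_domain"].lower()
    # Tactic 2: a real name in the "from" line, but the address is not the organization's.
    if registrable(sender_domain) != registrable(claimed):
        reasons.append(f"sender domain {sender_domain!r} does not match claimed organization {claimed!r}")
    # Tactic 3: the URL that "looks right" in the text leads somewhere else.
    for href_host, shown in link_mismatches(msg["body_html"]):
        reasons.append(f"link text shows {shown!r} but points to {href_host!r}")
    # Tactic 4 and the phrase list: urgency and enticement wording.
    body_lower = re.sub(r"<[^>]+>", " ", msg["body_html"]).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in body_lower:
            reasons.append(f"urgency/lure phrase: {phrase!r}")
    return len(reasons), reasons


# Constructed sample messages (all names, domains and addresses are made up).
PHISH = {
    "from": '"Rajeev Arora, Vice President of Marketing" <rajeev.arora@examplebank-secure.invalid>',
    "claimed_org_domain": "examplebank.example",
    "body_html": (
        "<p>We detected suspicious activity. Please "
        '<a href="http://203.0.113.7/login">www.examplebank.example/verify</a> '
        "within 48 hours or your account will be closed.</p>"
    ),
}
LEGIT = {
    "from": "Example Bank <alerts@examplebank.example>",
    "claimed_org_domain": "examplebank.example",
    "body_html": (
        "<p>Your monthly statement is ready. Visit "
        '<a href="https://www.examplebank.example/statements">www.examplebank.example/statements</a>.</p>'
    ),
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = score_message(msg)
        print(label, score, *reasons, sep="\n  ")
```

The constructed phishing sample scores 5 (sender mismatch, link mismatch and three lure phrases) while the legitimate sample scores 0. The registrable-domain check is deliberately crude: without a public-suffix list it treats `co.uk`-style suffixes and bare IP addresses as ordinary labels, so in production this belongs behind a proper suffix list and a real HTML parser, and the score is a triage signal rather than a verdict.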
Let us understand the ways to reduce the amount of Spam E-Mails we receive
1. Share your personal E-Mail address with limited people and/or on few public websites; the more exposed it is to the public, the more Spam E-Mails will be received.
2. Never reply to or open any Spam E-Mails. Any Spam E-Mail that is opened or replied to informs the phishers not only about your existence but also about the validity of your E-Mail address.
3. Disguise the E-Mail address on public websites or groups by spelling out the "@" sign and the dot, for example, RajeevATgmailDOTcom. This usually prevents phishers from catching valid E-Mail addresses when gathering E-Mail addresses through programs.
4. Use alternate E-Mail addresses to register on any personal or shopping website. Never use business E-Mail addresses for these sites; rather, use free E-Mail addresses from Yahoo, Hotmail or Gmail.
5. Do not forward any E-Mails from unknown senders.
6. Make a habit of previewing an E-Mail (an option available in an E-Mail program) before opening it.
7. Never use your E-Mail address as the screen name in chat groups or rooms.
8. Never respond to a Spam E-Mail asking to remove your E-Mail address from the mailing distribution list. More often than not, it confirms to the phishers that your E-Mail address is active.
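Tip 3 above, together with the earlier SPAMBOT description (a crawler that scans pages for hyperlinks and E-Mail addresses), suggests a check a site owner can run on their own published pages: find the addresses that a plain-pattern harvester would collect, and rewrite them in the spelled-out AT/DOT form the chapter recommends. The Python below is an added example, not code from the chapter; the address pattern is a constructed approximation of what such a program might use, and the sample page text and addresses are made up.

```python
import re

# Plain-address pattern of the kind the chapter says address-gathering programs rely on
# (constructed approximation for this example; not the pattern of any particular tool).
PLAIN_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of a public web page that publishes contact addresses.
SAMPLE_PAGE = """
Marketing: rajeev@gmail.com   Support: supportATexampleDOTorg
Webmaster: webmaster@example.org (mailto:webmaster@example.org)
"""


def harvestable_addresses(page_text):
    """Addresses a plain-pattern harvester would collect from page_text (deduplicated, sorted)."""
    return sorted(set(PLAIN_EMAIL_RE.findall(page_text)))


def disguise(address):
    """Spell out '@' as AT and '.' as DOT, as the chapter suggests: rajeev@gmail.com -> rajeevATgmailDOTcom."""
    local, _, domain = address.partition("@")
    return local + "AT" + domain.replace(".", "DOT")


def disguise_page(page_text):
    """Rewrite every plain address in page_text into its disguised form."""
    return PLAIN_EMAIL_RE.sub(lambda m: disguise(m.group(0)), page_text)


def audit(page_text):
    """Return (before, after): what a plain harvester sees on the page as published and after disguising."""
    before = harvestable_addresses(page_text)
    after = harvestable_addresses(disguise_page(page_text))
    return before, after


if __name__ == "__main__":
    before, after = audit(SAMPLE_PAGE)
    print("harvestable before:", before)   # the two plain addresses; the AT/DOT one is already hidden
    print("harvestable after :", after)    # []
```

The already-disguised `supportATexampleDOTorg` is never matched, and after `disguise_page` nothing on the sample page matches the plain pattern. Two caveats a practitioner would add to the chapter's "usually" qualifier: a harvester can be taught to undo the AT/DOT spelling just as easily, so this raises the cost a little rather than removing the risk, and a `mailto:` link that must keep working cannot be disguised this way, so it should be removed or replaced with a contact form instead.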
Hoax Mails
• These are deliberate attempts to deceive or trick a user into believing or accepting that something is real, when the hoaxer (the person or group creating the hoax) knows it is false.
• Hoax E-Mails may or may not be Spam E-Mails.
• www.breakthechain.org: This website contains a huge database of chain E-Mails.
• www.hoaxbusters.org: an excellent website containing a large database of common Internet hoaxes.
• It contains information about all the scams.
• It is maintained by the Computer Incident Advisory Capability, which is a division of the US Department of Energy. E.g., "Breaking news" → Info → "Barack Obama refused to be the president of the US" → E-Mail signature as CN.
