
“PHISHING”

A Technical Seminar Report


Submitted in Partial Fulfillment of the Requirements
For the award of the Degree of
Bachelor of Technology in
Electronics & Computer Engineering (ECM)
By
B.Sai rohith
18311A19A0
Under the Guidance / Supervision of

ASSISTANT PROFESSOR

Department of Electronics & Computer Engineering


Sreenidhi Institute of Science & Technology (Autonomous)
OCTOBER – 2018
DEPARTMENT OF ELECTRONICS & COMPUTER ENGINEERING

SREENIDHI INSTITUTE OF SCIENCE & TECHNOLOGY


(AUTONOMOUS)

CERTIFICATE

This is to certify that the Technical Seminar work entitled “Phishing”, submitted by B.Sai rohith bearing Roll No: 18311A19A0, towards partial fulfilment for the award of Bachelor’s Degree in Electronics & Computer Engineering from Sreenidhi Institute of Science & Technology, Ghatkesar, Hyderabad, is a record of bonafide work done by him/her. The results embodied in the work are not submitted to any other University or Institute for award of any degree or diploma.

ASST.PROFESSOR HOD H&S


DECLARATION

This is to certify that the work reported in the present Technical Seminar titled “PHISHING” is a record of work done by me in the Department of Electronics and Computer Engineering, Sreenidhi Institute of Science and Technology, Yamnampet, Ghatkesar.

The report is based on the project work done entirely by me and not copied from any other source.

B.Sai rohith
(18311A19A0)
INDEX

CONTENT PAGE NO:
1. ABSTRACT 1
2. INTRODUCTION 2
3. EVOLUTION OF PHISHING 3
4. COMMON TYPES OF PHISHING 4
5. METHODS OF PHISHING 5
6. SPEAR PHISHING 5-6
7. CLONE PHISHING 6-7
8. WHALING 7-8
9. LINK MANIPULATION 9-10
10. FILTER EVASION 10
11. WEBSITE FORGERY 11-12
12. COVERT REDIRECT 12-13
13. SOCIAL ENGINEERING 14
14. VOICE PHISHING 15
15. OTHER WAYS OF PHISHING 15
16. TARGETS OF PHISHING 16
17. CONCLUSION 17

ABSTRACT

Phishing is a kind of attack in which criminals use spoofed emails and fraudulent web sites to trick people into giving up personal information. This thesis looks at the phishing problem holistically by examining various stakeholders and their countermeasures, and by surveying experts’ opinions about the current and future threats and the kinds of countermeasures that should be put in place. It is composed of four studies.

In the first study, we conducted semi-structured interviews with 31 anti-phishing experts from academia, law enforcement, and industry. We surveyed experts’ opinions about the current and future of phishing threats and the kind of countermeasures that should be put in place. Our analysis led to eight key findings and 18 recommendations to improve phishing countermeasures. In the second study, we studied the effectiveness of popular anti-phishing tools used by major web browsers. We used fresh phish that were less than 30 minutes old to conduct two tests on eight anti-phishing toolbars. We found that blacklists were ineffective at protecting users initially. The tools that use heuristics to complement blacklists caught significantly more phish than blacklist-only tools, with very low false positives. In the third study, we describe the design and evaluation of Anti-Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated Anti-Phishing Phil through laboratory and real-world experiments. These experiments showed that people trained with Anti-Phishing Phil were much better at detecting phishing websites, and that they retained this knowledge after one week. In the fourth and final study we present the results of a role-play survey instrument administered to 1001 online survey respondents to study both the relationship between demographics and phishing susceptibility, and the effectiveness of several anti-phishing educational materials.
INTRODUCTION

Chances are good that at some point you’ve received a suspicious email urging you to click on a link
or open an attachment. This email was most likely an example of the cybercrime known as phishing.
This article serves as an introduction to phishing: what it means, how it affects individuals and
organizations, and how security awareness and training tools can be used to reduce the threat of these
attacks.

First, we’ll explore the three primary types of phishing email examples and how social engineering is
the common thread with these types of attacks. Then, we’ll move on to what phishing can do, and
why cybercriminals invest time and effort in phishing attacks. We’ll also look at what could happen
if you were to fall for a phishing scam, either at work or in your personal life.

Finally, we’ll introduce some resources that will help you better understand the impact of phishing,
as well as anti-phishing training modules and phishing tests designed to help individuals recognize
and avoid attacks.

Phishing is when cybercriminals send malicious emails designed to trick people into falling for a
scam. The intent is often to get users to reveal financial information, system credentials, or other
sensitive data.

The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to
“fish for” information from unsuspecting users. Since these early hackers were often referred to as
“phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure you in and
get you to take the bait. And once you’re hooked, you’re in trouble.

Phishing is an example of social engineering: a collection of techniques scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection, and lying, all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage you to act without thinking things through.
2.1 EVOLUTION OF PHISHING

In 2001, phishers turned their attention to online payment systems. Although the first such attack, on E-Gold in June 2001, was not considered successful, it planted an important seed. In late 2003, phishers registered dozens of domains that, to an inattentive user, looked like legitimate sites such as eBay and PayPal. They used email worm programs to send spoofed emails to PayPal customers. Those customers were led to spoofed sites and asked to update their credit card details and other identifying information.

By the beginning of 2004, phishers were riding a huge wave of success that included attacks on banking
sites and their customers. Popup windows were used to acquire sensitive information from victims.
Since that time, many other sophisticated methods have been developed. They all boil down to the
same basic concept, though, and it is safe to say that this concept has proved to be quite effective.

2.2 COMMON TYPES OF PHISHING

• Spear phishing

• Session hijacking

• Email/spam

• Malware

• Web-based phishing

• Link manipulation

• Phishing through SMS

• Phishing types

2.3 Spear phishing

Phishing attempts directed at specific individuals or companies have been termed spear phishing. In
contrast to bulk phishing, spear phishing attackers often gather and use personal information about
their target to increase their probability of success.

Threat Group-4127 (Fancy Bear) used spear phishing tactics to target email accounts linked to Hillary Clinton's 2016 presidential campaign. They attacked more than 1,800 Google accounts and implemented the accounts-google.com domain to threaten targeted users.

2.4 Clone phishing

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email
containing an attachment or link has had its content and recipient address(es) taken and used to create
an almost identical or cloned email. The attachment or link within the email is replaced with a
malicious version and then sent from an email address spoofed to appear to come from the original
sender. It may claim to be a resend of the original or an updated version to the original. This
technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold
on another machine, by exploiting the social trust associated with the inferred connection.

2.5 Whaling
The term whaling has been coined for spear phishing attacks directed specifically at senior
executives and other high-profile targets.[15] In these cases, the content will be crafted to target an
upper manager and the person's role in the company.

2.5 Link manipulation

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the <A> tags) suggest a reliable destination, when the link actually goes to the phishers' site. Many desktop email clients and web browsers will show a link's target URL in the status bar while hovering the mouse over it. This behavior, however, may in some circumstances be overridden by the phisher. Equivalent mobile apps generally do not have this preview feature.

Internationalized domain names (IDN) can be exploited via IDN spoofing or homograph attacks, to create web addresses visually identical to a legitimate site that lead instead to a malicious version. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain. Even digital certificates do not solve this problem, because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website, or to host the phish site without SSL at all.
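The link tricks described in this section (the yourbank.example.com subdomain trick, anchor text that names a different host than the href, punycode IDN hosts, and open redirectors on a trusted domain) can be checked mechanically. The following is an added defender-side example, not code from the report; the trusted-host allowlist and the sample email are constructed, and the two-label domain heuristic stands in for a Public Suffix List lookup.

```python
"""Flag suspicious links in an HTML email body: look-alike subdomains, visible
text naming a host the href does not go to, punycode (IDN) hosts and trusted-host
open redirectors. Added illustration, not code from the report; the trusted
hosts and the sample email are constructed."""
import re
from urllib.parse import urlparse, parse_qs

TRUSTED_HOSTS = {"yourbank.com", "www.yourbank.com"}  # constructed allowlist
# Simple anchor extractor; a real mail scanner would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

def registrable_domain(host):
    """Last two labels: 'www.yourbank.example.com' -> 'example.com'.
    A two-label heuristic; production code would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it looks clean."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return ["relative or unparseable href"]
    reasons, target = [], registrable_domain(host)
    # 1. Subdomain trick: www.yourbank.example.com really belongs to example.com.
    if target not in {registrable_domain(h) for h in TRUSTED_HOSTS}:
        reasons.append(f"href resolves to {target}, not a trusted domain")
    # 2. The text between the <a> tags names a host the href does not go to.
    shown = HOST_RE.search(text.lower())
    if shown and registrable_domain(shown.group(0)) != target:
        reasons.append(f"text shows {shown.group(0)} but href goes to {host}")
    # 3. IDN homograph: any punycode label in the host.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, possible homograph")
    # 4. Open redirector: a complete URL carried in the query string.
    for values in parse_qs(parsed.query).values():
        if any(v.startswith(("http://", "https://")) for v in values):
            reasons.append("URL embedded in query string, possible open redirect")
    return reasons

def scan_email(html):
    """Map every href in the email body to its list of reasons."""
    return {href: assess_link(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html)}

SAMPLE_EMAIL = """<p>Please verify your account:</p>
<a href="http://www.yourbank.example.com/">www.yourbank.com</a>
<a href="https://www.yourbank.com/redirect?url=http://phish.example/">Login</a>
<a href="https://xn--yourbnk-abc.com/">https://www.yourbank.com/login</a>
<a href="https://www.yourbank.com/help">Help centre</a>"""  # constructed sample
```

Only the last link in the sample comes back clean; the punycode label in the third is a made-up string used purely to trigger the IDN check.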

2.6 Filter evasion

Phishers have sometimes used images instead of text to make it harder for anti-phishing filters to
detect the text commonly used in phishing emails. In response, more sophisticated anti-phishing
filters are able to recover hidden text in images using OCR (optical character recognition).

2.7 Website forgery

Some phishing scams use JavaScript commands in order to alter the address bar of the website they
lead to. This is done either by placing a picture of a legitimate URL over the address bar, or by
closing the original bar and opening up a new one with the legitimate URL.

An attacker can also potentially use flaws in a trusted website's own scripts against the victim. These
types of attacks (known as cross-site scripting) are particularly problematic, because they direct the
user to sign in at their bank or service's own web page, where everything from the web address to the
security certificates appears correct. In reality, the link to the website is crafted to carry out the
attack, making it very difficult to spot without specialist knowledge. Such a flaw was used in 2006
against PayPal.
To avoid anti-phishing techniques that scan websites for phishing-related text, phishers sometimes use Flash-based websites (a technique known as phlashing).

2.8 Covert redirect

Covert redirect is a subtle method to perform phishing attacks that makes links appear legitimate, but actually redirects a victim to an attacker's website. The flaw is usually masqueraded under a log-in popup based on an affected site's domain. It can affect OAuth 2.0 and OpenID based on well-known exploit parameters as well. This often makes use of open redirect and XSS vulnerabilities in the third-party application websites. Browshing is another way of redirecting users to phishing websites covertly through malicious browser extensions.

Normal phishing attempts can be easy to spot because the malicious page's URL will usually be
different from the real site link. For covert redirect, an attacker could use a real website instead by
corrupting the site with a malicious login popup dialogue box. This makes covert redirect different
from others.

For example, suppose a victim clicks a malicious phishing link beginning with Facebook. A popup window from Facebook will ask whether the victim would like to authorize the app. If the victim chooses to authorize the app, a "token" will be sent to the attacker and the victim's personal sensitive information could be exposed. This information may include the email address, birth date, contacts, and work history.[33] In case the "token" has greater privilege, the attacker could obtain more sensitive information including the mailbox, online presence, and friends list. Worse still, the attacker may possibly control and operate the user’s account. Even if the victim does not choose to authorize the app, he or she will still get redirected to a website controlled by the attacker. This could potentially further compromise the victim.

This vulnerability was discovered by Wang Jing, a Mathematics Ph.D. student at School of Physical
and Mathematical Sciences in Nanyang Technological University in Singapore. Covert redirect is a
notable security flaw, though it is not a threat to the Internet worth significant attention.
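The covert redirect described above succeeds only when the identity provider accepts a redirect_uri it should not, so the defensive control sits in the provider's redirect_uri check. The following added example (not code from the report; client registration, hostnames and token value are constructed) contrasts a host-only check, which passes a request aimed at an open redirector on the app's own domain, with an exact-match allowlist that rejects it.

```python
"""redirect_uri validation at an OAuth 2.0 authorization server: the host-only
check that lets a covert redirect through, beside an exact-match allowlist.
Added illustration, not code from the report; the client registration and
URLs are constructed."""
from urllib.parse import urlparse

# Constructed registration: the app pre-registers the exact callback it uses.
REGISTERED = {"app123": ["https://app.example/oauth/callback"]}

def lax_validate(client_id, redirect_uri):
    """Weak check: only the host must match. Any path on the app's site is
    accepted, so an open redirector there (e.g. /out?to=...) can forward the
    token the provider attaches to the redirect on to a third party."""
    hosts = {urlparse(u).hostname for u in REGISTERED.get(client_id, [])}
    return urlparse(redirect_uri).hostname in hosts

def strict_validate(client_id, redirect_uri):
    """Exact-match allowlist: scheme, host, port and path must equal a
    registered URI, and no query or fragment is allowed."""
    p = urlparse(redirect_uri)
    if p.scheme != "https" or p.query or p.fragment or not p.hostname:
        return False
    for reg in REGISTERED.get(client_id, []):
        r = urlparse(reg)
        if (p.hostname, p.port, p.path) == (r.hostname, r.port, r.path):
            return True
    return False

def authorize(client_id, redirect_uri, validate, token="tok-constructed"):
    """Where the provider would send the user after consent: the token rides
    on the redirect, so a lax validator hands it to whatever the URI says."""
    if not validate(client_id, redirect_uri):
        return None  # refuse to redirect at all; never fall back to the given URI
    return f"{redirect_uri}#access_token={token}"

# Covert redirect attempt: the app's own host, but an open redirector path.
COVERT = "https://app.example/out?to=https://attacker.example/"
```

With lax_validate the provider would redirect to COVERT carrying the token; with strict_validate it returns None and shows an error instead.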

2.9 Social engineering

Users can be encouraged to click on various kinds of unexpected content for a variety of technical
and social reasons. For example, a malicious attachment might masquerade as a benign linked
Google doc.
Alternatively users might be outraged by a fake news story, click a link and become infected.

2.10 Voice phishing

Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a voice over IP service) was dialled, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

3.1 Other techniques

Another attack used successfully is to forward the client to a bank's legitimate website, then to place
a popup window requesting credentials on top of the page in a way that makes many users think the
bank is requesting this sensitive information.
Tabnabbing takes advantage of tabbed browsing, with multiple open tabs. This method silently
redirects the user to the affected site. This technique operates in reverse to most phishing techniques
in that it does not directly take the user to the fraudulent site, but instead loads the fake page in one of
the browser's open tabs.
Evil twins is a phishing technique that is hard to detect. A phisher creates a fake wireless network
that looks similar to a legitimate public network that may be found in public places such as airports,
hotels or coffee shops. Whenever someone logs on to the bogus network, fraudsters try to capture
their passwords and/or credit card information.

3.2 Targets of phishing

Think you’re safe from phishing because you don’t fit a specific profile? Think again. Phishing scams
target a broad range of businesses in many different industries. While Internet service providers might
be the most common targets, no one is actually safe.

Really, anyone can be a target of phishing, whether you’re an individual, a business, a nonprofit organization, or a government agency. In addition, a number of individuals within businesses and organizations can be targeted. According to a study by Cloudmark, the most commonly targeted C-level executives are:

CEOs (27%)

CFOs (17%)

Within general staff, the most commonly targeted areas are:

IT staff (44%)

Finance staff (43%)


3.3 Conclusion

In this paper we have presented a number of real world examples of phishing attacks and the typical
activities performed by attackers during the full lifecycle of such incidents. All the information
provided was captured using high interaction research honeypots, once again proving that honeynet
technology can be a powerful tool in the areas of information assurance and forensic analysis. We
analysed multiple attacks against honeypots deployed by the German and UK Honeynet Projects. In
each incident phishers attacked and compromised the honeypot systems, but after the initial
compromise their actions differed and a number of techniques for staging phishing attacks were
observed:

Setting up phishing web sites targeting well known online brands.

Sending spam emails advertising phishing web sites.

Installing redirection services to deliver web traffic to existing phishing web sites.

Propagation of spam and phishing messages via botnets

This data has helped us to understand how phishers typically behave and some of the methods they
employ to lure and trick their victims. We have learned that phishing attacks can occur very rapidly,
with only limited elapsed time between the initial system intrusion and a phishing web site going
online with supporting spam messages to advertise the web site, and that this speed can make such
attacks hard to track and prevent. IP address blocks hosting home or small business DSL addresses
appear to be particularly popular for phishing attacks, presumably because the systems are often less
well managed and not always up to date with current security patches, and also because the attackers
are less likely to be traced than when targeting major corporate systems. Simultaneously attacking
many smaller organisations also makes incident response harder. We have observed that end users
regularly access phishing content, presumably through receiving spam messages, and a surprisingly
large number appear to be at risk from becoming victims of such attacks.

Research also suggests that phishing attacks are becoming more widespread and well organised. We have observed pre-built archives of phishing web sites targeting major online brands being stored, ready for deployment at short notice, suggesting the work of organised phishing groups. Such content can be further propagated very quickly through established networks of port redirectors or botnets. When coupled with evidence of mass scanning and hard coded IP addresses in web content and scripts, this suggests that many instances of a particular phishing site may be active at any one time. Web traffic has been observed arriving at a newly compromised server before the uploaded phishing content was completed, and phishing spam sent from one compromised host does not always appear to advertise the sending host, which again suggests it is likely that distributed and parallel phishing operations are being performed by organised.

Research demonstrates a clear connection between spamming, botnets and phishing attacks, as well
as the use of intermediaries to conceal financial transfers. These observations, when combined with
quantitative data on mass vulnerability scanning and combined two-stage phishing networks,
demonstrate that the threat posed by phishers is real, their activities are organised, and the methods
they employ can sometimes be quite advanced. As the stakes become higher and the potential
rewards become greater, it is likely that further advancements in phishing techniques and an increase
in the number of phishing attacks will continue in the coming year. Reducing the number of
vulnerable PCs contributing to botnets, countering the increasing volume of spam email, preventing
organised criminal activity and educating Internet users about the potential risks from social
engineering all remain significant security challenges.
