Sunday, March 12, 2017

Phishing


What do you feel when you hear the word "Phishing"?


"You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time."

– Abraham Lincoln

The term "phishing" originally referred to account theft over instant messaging (the classic case being AOL accounts in the mid-1990s). Today phishing mostly happens through email. Phishing is the act of sending a message that tricks the recipient into giving up personal information such as bank account details, credit card numbers or passwords. The email typically directs the victim to click a link to a website where they are asked to "update" or "confirm" their password, credit card details, social security number or bank account number. That website is a look-alike of the real one, built specifically for information theft.






Types of Phishing


Deceptive Phishing


A phisher sends bulk email with a message designed to make users click on a link.

Examples: an email stating that there is a problem with the recipient's account at a financial institution and asking them to click a link to update their details, or a message claiming the account is at risk and offering to enrol the recipient in an "anti-fraud program". In every case the linked website collects the user's confidential information. The phisher often does not cause the financial damage directly but sells the stolen information on a secondary market.

Malware-based Phishing

Malware-based phishing involves running malicious software on the user's machine. The malware arrives as an email attachment or as a download that exploits a security vulnerability in the browser or a plugin. It is a particular threat for small and medium businesses (SMBs) that do not keep their software patched.

 Keyloggers and Screenloggers

Keyloggers and screenloggers are kinds of malware that record keyboard input (or screenshots) and send the relevant parts, such as typed passwords, to the attacker over the Internet. They can embed themselves in the user's browser as small helper programs or extensions.


 Session Hijacking

Session hijacking, in this context, is an attack in which malware on the user's machine watches their activity until they log in to a target account such as online banking and establish an authenticated session. At that point the malware takes over that session and can perform unauthorized actions, such as transferring funds, without the user noticing.


 Web Trojans

Web Trojans are pop-ups or overlays that appear when the user tries to log in to an important website or perform a transaction. They are styled to look like part of the legitimate site, so the user does not notice them. They collect the user's credentials locally and transmit them to the phisher.

 Hosts File Poisoning


When a user types the URL of a website, the host name is translated into an IP address before any traffic is sent over the Internet. Most PCs, including those running Microsoft Windows, first look up host names in the local "hosts" file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Unix-like systems) before performing a Domain Name System (DNS) lookup. Phishers "poison" the hosts file by adding an entry that maps a legitimate host name to an attacker-controlled address, so the user is taken unwittingly to a look-alike website even though the address bar shows the right domain.

 System Reconfiguration Attacks

This is a kind of phishing attack where settings on the user's PC are modified with malicious intent. For example, URLs in the favorites (bookmarks) file might be changed to point at look-alike bogus websites: a financial institution's URL might be changed from "bankofxyz.com" to "bancofxyz.com".


What is Data Theft?

Malicious code running on a user's computer can directly steal confidential information stored on it: software activation keys, saved passwords, sensitive personal email and any other data on the disk. Confidential memos, design documents or billing information taken this way can be leaked publicly, causing embarrassment or financial damage to the organization, or passed to competitors.

 DNS-Based Phishing

DNS-based phishing, together with hosts file modification, is called pharming. The attacker tampers with a company's DNS records (or with the victim's hosts file or resolver settings) so that name lookups return a bogus address and all subsequent traffic goes to a fake site. Because the browser shows the genuine domain name, users get no visible hint that the site is controlled by the attacker.
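A practical check for the hosts file poisoning and pharming described in the two sections above is simply to parse the hosts file and report anything that should not be there. The following is an added example for this post, not code from the original; the hosts content it scans is constructed, and the watched domain name bankofxyz.com is hypothetical.

```python
"""Flag hosts-file entries that override name resolution for domains we care about.
Added example for this post; SAMPLE_HOSTS is constructed and the watched
domain names are hypothetical."""
import ipaddress

# Domains that should never be pinned in a local hosts file (hypothetical).
WATCHED_DOMAINS = {"bankofxyz.com", "www.bankofxyz.com"}

# Names a normal hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Constructed sample: a default Windows-style file plus one injected line.
# Real file locations: C:\Windows\System32\drivers\etc\hosts and /etc/hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # ad-blocking style entry, harmless
203.0.113.7     www.bankofxyz.com bankofxyz.com   # injected by malware
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip inline comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # not "<ip> <name...>", ignore
        for name in names:
            yield addr, name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, name, reason) tuples for entries worth a look.

    A watched domain is reported wherever it points: a legitimate hosts file
    never needs an entry for your bank.  Other names are reported only when
    mapped to a routable address, since loopback (127.x, ::1) and the
    unspecified address (0.0.0.0, used by ad-blocking lists) are normal.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name in watched:
            findings.append((str(addr), name, "watched domain pinned in hosts file"))
        elif name not in LOCAL_NAMES and not (addr.is_loopback or addr.is_unspecified):
            findings.append((str(addr), name, "non-local name mapped to a routable address"))
    return findings

if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<24} {reason}")
```

Run it against the real file (read it with open() in place of SAMPLE_HOSTS) on a machine you suspect; the second rule will also list legitimate developer entries, which is fine for a review list. It does not cover pharming done at the DNS server or in the router, where the hosts file stays clean; for that you compare the answers from your normal resolver with those from a known-good one.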

 Content-Injection Phishing

Content-injection phishing means inserting malicious content into a legitimate website, for example through a cross-site scripting flaw or a compromised page. The injected content can redirect users to other websites, install malware on the user's computer, or insert a frame or form that sends whatever the user types to the phishing server.


 Man-in-the-Middle Phishing

Man-in-the-Middle phishing is harder to detect than many other forms of phishing. The attacker sits between the user and the real website, recording everything the user enters while relaying it to the genuine site, so the transaction completes normally and the user remains unaware. Later the attacker uses or sells the captured credentials, credit card details and bank account details. Because such a proxy can also relay one-time codes in real time, it defeats many second-factor schemes as well.

Search Engine Phishing

Phishers set up e-commerce websites with attractive offers and have them indexed by search engines like any other site. When users search for products or services, these sites appear in the results and users are fooled into handing over their information. For example, scammers have set up fake banking sites offering lower credit costs or better interest rates than real banks; victims are encouraged to "transfer" their accounts and in doing so give up their account details.

Several ways to recognize phishing e-mails


1. Legit companies don’t request your sensitive information via email



If you receive an unsolicited email from an institution that contains a link or attachment and asks you to provide sensitive information, chances are it is a scam. Most companies will not email you asking for passwords, credit card information, credit scores or tax numbers, nor will they send you a link that you must log in through.



2. Legit companies call you by your name



Phishing emails typically use generic salutations such as "Dear valued member", "Dear account holder" or "Dear customer". If a company you deal with needed information about your account, the email would address you by name and would probably direct you to contact them by phone.





3. Legit companies have domain emails

Don't just check the name of the person sending you the email. Check the actual address by hovering your mouse over the 'from' name and make sure no characters have been added or changed. Compare these two addresses as an example of an altered domain:

michelle@paypal.com
michelle@paypal23.com

This isn't a foolproof method. Some companies use separate or unusual domains for sending mail, and some smaller companies use third-party email providers. The reverse also holds: the visible From address can be forged outright, so for a message that matters look at the Authentication-Results header (SPF, DKIM and DMARC results added by your own mail server) rather than trusting the From line alone.





4. Legit companies know how to spell


An email from a legitimate organization should be well written. Poor spelling and grammar are not always carelessness: attackers sending bulk mail sometimes write badly on purpose, so that the people who respond are the ones least likely to spot the scam later.



5. Legit companies don’t force you to their website

Sometimes an entire phishing email is coded as one hyperlink, so clicking anywhere in the message, accidentally or deliberately, opens a fake web page or starts a download onto your computer.



6. Legit companies don’t send unsolicited attachments

Unsolicited emails carrying attachments are a common way for attackers to deliver malware. Authentic institutions don't normally send unexpected attachments; they direct you to download documents or files from their own website.



7. Legit company links match legitimate URLs

Just because a link says it will take you to one place doesn't mean it will. Double-check URLs: if the link text isn't the same as the URL shown when you hover the cursor over it, that's a sure sign you are being taken somewhere you don't want to go. If a link's URL doesn't look right, or doesn't match the context of the email, don't trust it. Hover over embedded links (without clicking!) and read the whole host name. A link beginning with https:// is the minimum you should expect, but it is not proof of anything: phishing sites get TLS certificates too, so the domain name matters far more than the padlock.
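The seven tips above can be turned into code. The following is an added example for this post, not code from the original: it parses a raw e-mail, checks the sender domain, looks for a generic salutation, and compares the visible text of each link with where it really points. Both messages it examines are constructed; the domain paypal23.com is the look-alike used in tip 3, and the rest of the checks assume the brand being imitated is paypal.com. It reads only the From header, which a sender can forge, so a real deployment would also read the Authentication-Results header.

```python
"""Heuristic checks for a suspicious e-mail, covering the tips above.
Added example for this post; SAMPLE_PHISH and SAMPLE_LEGIT are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Last two DNS labels, e.g. www.paypal.com -> paypal.com (crude; no public-suffix list)."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])

def host_of(text):
    """Host name of a URL-looking string such as 'https://x.y/z' or 'www.x.y'."""
    return urlparse(text if "://" in text else "https://" + text).hostname or ""

GENERIC_GREETING = re.compile(r"dear (valued )?(customer|member|account holder|user)", re.I)

def check_message(raw, expected_domain):
    """Return human-readable findings for one RFC 5322 message; [] means nothing tripped."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tip 3: does the sender's domain match the brand the mail claims to be from?
    from_header = msg["from"]
    if from_header is None or not from_header.addresses:
        findings.append("no usable From header")
    else:
        from_domain = from_header.addresses[0].addr_spec.split("@")[-1].lower()
        if registrable(from_domain) != expected_domain:
            findings.append(f"sender domain {from_domain!r} is not {expected_domain!r}")

    # Tip 2: generic salutation instead of the recipient's name.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    if GENERIC_GREETING.search(html):
        findings.append("generic salutation")

    # Tip 7: link text vs. real target, HTTPS, foreign domains, punycode look-alikes.
    ex = LinkExtractor()
    ex.feed(html)
    for href, text in ex.links:
        target = urlparse(href)
        target_host = target.hostname or ""
        if target.scheme != "https":
            findings.append(f"non-HTTPS link {href!r}")
        if text.lower().startswith(("http://", "https://", "www.")) and \
                registrable(host_of(text)) != registrable(target_host):
            findings.append(f"link text shows {host_of(text)!r} but points to {target_host!r}")
        if registrable(target_host) != expected_domain:
            findings.append(f"link to foreign domain {target_host!r}")
        if "xn--" in target_host:
            findings.append(f"punycode (IDN) host {target_host!r}")
    return findings

# Constructed messages for the demonstration.
SAMPLE_PHISH = """\
From: "PayPal Support" <security@paypal23.com>
To: victim@example.com
Subject: Your account is at risk
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>Please <a href="http://paypal23.com/login">https://www.paypal.com/signin</a> to verify.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your receipt
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Michelle,</p>
<p>View it in your account at <a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(raw, "paypal.com") or "no findings")
```

The two-label domain comparison is deliberately crude; a production filter would use the public suffix list so that co.uk style domains are handled correctly, and would score findings rather than treat each one as proof.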






How do we protect ourselves?


  • Be alert for spam messages. 
  • Do not reply to emails that request financial information, even if it appears to be from a trusted source. 
  • Do not reply to emails from unrecognized senders. 
  • Phishing attempts are not likely to be personalized. 
  • Do not open any links in suspicious emails, instant messages, or chat-room messages. 




  • Only communicate personal information over the phone or through a secure website. 
  • Secure websites show a padlock in the browser and use the prefix "https://" instead of "http://". The padlock only means the connection is encrypted; it does not tell you who is on the other end, so always check the domain name as well. 
  • It is safe to give personal information on the phone only if you initiate the call to a secure phone number. For example, it is best to call a number located on your bank statement rather than a number that you were asked to call in an email. 





  • Never use email to share personal information. 
  • Even if you know the recipient of an email, unauthorized individuals may be able to gain access to your or the recipient's email account. 
  • Individuals with advanced technical skills can intercept your email. 




  • Avoid using email on public computers. 
  • Information from an email is temporarily stored on a computer's local disk and can be retrieved by another user if it is not properly deleted. 




  • Do not click anything in pop-up windows. 
  • If your browser has a pop-up blocker, enable it. 
  • Do not copy any website addresses from a pop-up window into your browser. 
  • A legitimate enterprise will never ask you for your information in a pop-up window. 


  • Use security programs to protect your computer. 
  • Use a spam filter, anti-spyware program, anti-virus program, and a firewall. These can be obtained from a software retailer or on the Internet. 


  • Check your credit report and financial statements regularly. 
  • Make sure that no unauthorized transactions have been made and that all items on your credit report are correct. 





As far as I know, these are the things you should know. Hmm, when someone asks you "do you know how to create a phishing site??", from now on you can say yes, because now I am going to... 😉



Creating a Phishing Site

  • First of all, select a website that has a login (sign in) page.


  • Then click the sign-in button to go to the sign-in page, where you can see the login form 😊. Right-click the page and choose Save As.
  • When saving, select the type 'Web Page, complete', so that the content referenced by the page (images, CSS, JavaScript files) is downloaded as well.




  • Once you save the login page, you will see the HTML file containing the login page and, in the same location, a folder holding the web resources.
  • Now create a new folder and move those two items into it. 



  • If you open the downloaded HTML file in a browser, you will see the same login page as on the mydeal.lk website, and you will not notice any difference unless you check the URL in the address bar.



  • Now open the login page (the HTML file) in an editor and locate the HTML form that contains the username and password text boxes. (If the source code is not formatted, an IDE can format it for you.)

  • Here we simply modify the action attribute of that HTML form to point to a new PHP file that we create. I named the file login.php. 




  • I created the file login.php with the following content. It stores the submitted credentials in the file credentials.text and, after storing them, redirects the browser to the mydeal voucher page.



  • Finally you have these files in your folder.



  • Now we have to host these files on a site such as 000webhost. Create an account there with your Gmail address, create a site with any name, and upload all of these files into the public_html folder. The resulting link opens the phishing website.



  • This is the link which you send to the victim.




  • Now you can send a phishing email using this link. Actually I did this to some of my colleagues and they entered their emails and passwords without any knowledge of phishing emails.

  • Here is the email I sent to my victim. I took a screenshot of it. 😉







  • This is the phishing website I created and which my victim logged in to.





  • When you log in to that site you are redirected to the original gift voucher page on mydeal.lk.






  • When someone logs in to that site, the credentials file is filled with their username and password.
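The walkthrough above changes exactly one thing in the saved page: the form's action. That is also what gives a cloned login page away, so here is the check from the other side. It is an added example for this post, not the blog's own code: it parses an HTML page, finds every form with a password field, resolves the action against the page URL and reports whether the page and the form target belong to the site they claim to be. The two pages are constructed (the clone is the original with only the action rewritten to login.php, as in the steps above); the host mydeal-login.example stands in for wherever the clone is hosted and is hypothetical.

```python
"""Audit login forms in an HTML page: where would the credentials be posted?
Added example for this post.  ORIGINAL_PAGE and CLONED_PAGE are constructed;
mydeal-login.example is a hypothetical host for the clone."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormScanner(HTMLParser):
    """Record every <form> with its action, method and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def under_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit_login_forms(html, page_url, expected_domain):
    """Findings for a page that is supposed to be the login page of expected_domain."""
    findings = []
    page_host = urlparse(page_url).hostname
    if not under_domain(page_host, expected_domain):
        findings.append(f"page is served from {page_host!r}, not {expected_domain}")
    scanner = FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # A relative action such as "login.php" resolves against the page URL.
        target = urlparse(urljoin(page_url, form["action"]))
        if not under_domain(target.hostname, expected_domain):
            findings.append(f"password form posts to {target.hostname!r} via {form['action']!r}")
        if target.scheme != "https":
            findings.append(f"password form submits over {target.scheme}")
        if form["method"] != "post":
            findings.append("password form uses GET, so credentials would appear in the URL")
    return findings

ORIGINAL_PAGE = """<html><head><title>Sign in</title></head><body>
<form method="post" action="/account/login">
  <input type="text" name="email">
  <input type="password" name="password">
  <button>Sign in</button>
</form></body></html>"""

# The clone is the saved original with only the form action rewritten,
# which is the single edit the walkthrough makes.
CLONED_PAGE = ORIGINAL_PAGE.replace('action="/account/login"', 'action="login.php"')

if __name__ == "__main__":
    print(audit_login_forms(ORIGINAL_PAGE, "https://www.mydeal.lk/account/login", "mydeal.lk"))
    print(audit_login_forms(CLONED_PAGE, "https://mydeal-login.example/login.html", "mydeal.lk"))
    print(audit_login_forms(CLONED_PAGE, "file:///C:/Users/me/login.html", "mydeal.lk"))
```

The same logic is what a browser's password manager applies implicitly: it only offers the saved mydeal.lk password on a page whose origin is mydeal.lk, which is why "my password manager did not autofill" is one of the better phishing alarms an ordinary user has.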






This is an effort to make you aware of how a phishing site is created and how to identify one. I would be grateful if you would not misuse this information. This blog was done in support of my assignment, and I would like to thank Mr. Tharindu Edirisinghe, who instructed me and helped make the effort a success.




Much appreciate your feedback as a comment. 👩




Thank you!! 😊😊

Best Regards,

Pamoda P. Perera






Thursday, March 9, 2017

BYOD

Hi, let's learn about BYOD.



What is BYOD?

Bring your own device (BYOD), also called bring your own technology (BYOT), bring your own phone (BYOP) or bring your own personal computer (BYOPC), means allowing employees to bring their own devices (smartphones, laptops, tablets, USB drives) to the workplace and use them for work.

BYOD came along with the consumerization of IT (the blending of personal and business use of technology devices and applications). Broadly, we can classify two types:


   a) The company buys mobile devices for employees (corporate-owned).

b) Employees use their own mobile devices.

For example, if the company provides the device (type a), it will probably block installation of things such as games. The company may also run monitoring software on the device, such as a keylogger or a management agent, to see what you have been doing. They will usually still allow private use of the device, but with strings like these attached.

In response to BYOD, Cisco created the brand name "Borderless Networks" for a set of hardware and software technologies that let anyone, anytime, anywhere, on any device connect to the organization's network.


BYOD Policy?

If you are willing to adopt this concept you should have a BYOD policy; otherwise your company may end up in serious security trouble. To keep BYOD on the right path we have to implement rules and regulations like these.

#1 Educate the Employees

If you have already implemented BYOD, you need to tell employees how to keep their devices protected with the latest updates and patches for the operating system and applications on their mobile devices. You need to tell them about the possibility of data leaks and how a leak can affect the company. You need to make it clear that the privacy of the organization's data cannot be compromised.

#2 Which Platforms to Allow


You cannot let users pick any platform at all. If your organization's systems cannot run on a specific operating system such as iOS, you have to tell your employees so.

A better method is to give them a list of two or three acceptable platforms. That brings consistency, so you do not have to hire additional IT people to troubleshoot every kind of device.


#3 Non-Disclosure Agreement


Make the employees sign a confidentiality agreement (NDA) under which they may not share company data with any third party. Make them aware of social engineering and teach them how to keep the data under lock.

#4 Logging & Responsibility


Logging events can help you identify whether an employee has been engaging in illegal activity such as downloading pirated movies. You also need to tell employees in advance that such activity is not allowed.

#5 Tracking and Remote Deletion of Data


Another important aspect of a good BYOD policy: tracking the mobile device is for the safety of the organization's data and NOT for knowing what the employee is up to. This is helpful when:



   1. An employee loses the device.

2. An employee leaves the job.



And we can also do the following:

1. Register the MAC addresses of devices
– This helps block unknown devices from connecting to the corporate network. Keep in mind that a MAC address is trivially spoofed and many phones now randomize it per network, so treat registration as an inventory aid rather than a security boundary; 802.1X with per-device certificates is the stronger control.

2. Audit the network
– Check the network for possible vulnerabilities and keep track of the number of devices connecting to it.

3. Create a company cloud
– so that users who are working remotely can store things in a common shared space instead of plugging into your network again and again. That reduces the chances of a security breach.
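Points 1 and 2 above come down to comparing what the network actually sees against the device registry. The following is an added example for this post, not code from the original: it reads dnsmasq-style DHCP log lines (constructed here), normalizes the three common ways a MAC address is written, counts distinct devices and lists the ones that are not registered. The registry entries and the log lines are made up for the demonstration.

```python
"""Compare devices seen in DHCP logs against a device registry.
Added example for this post; REGISTRY and DHCP_LOG are constructed."""
import re

# Hypothetical registry: normalized MAC -> (owner, device type).
REGISTRY = {
    "a4:5e:60:12:34:56": ("alice", "laptop"),
    "f0:18:98:ab:cd:ef": ("bob", "phone"),
}

# Constructed lines in the shape dnsmasq writes: "DHCPACK(<if>) <ip> <mac> <hostname>".
# The MACs are deliberately written three different ways.
DHCP_LOG = """\
Mar  9 08:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.21 a4:5e:60:12:34:56 alice-laptop
Mar  9 08:03:40 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.22 F0-18-98-AB-CD-EF bobs-iphone
Mar  9 08:07:05 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.23 dca6.32aa.bb01 android-9f3e
Mar  9 08:09:51 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.0.21 a4:5e:60:12:34:56 alice-laptop
"""

# Colon/dash separated pairs, or Cisco-style dotted quads.
_MAC_RE = re.compile(
    r"\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\b", re.I)

def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def leases(log_text):
    """Yield (mac, ip, hostname) for each DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        if "DHCPACK" not in line:
            continue
        m = _MAC_RE.search(line)
        if not m:
            continue
        fields = line.split()
        idx = fields.index(m.group(1))          # MAC sits between the IP and the hostname
        ip = fields[idx - 1]
        host = fields[idx + 1] if idx + 1 < len(fields) else ""
        yield normalize_mac(m.group(1)), ip, host

def audit_devices(log_text, registry=REGISTRY):
    """Return (distinct_device_count, unregistered) where unregistered holds (mac, ip, hostname)."""
    seen = {}
    for mac, ip, host in leases(log_text):
        seen.setdefault(mac, (ip, host))        # keep the first lease per device
    unregistered = [(mac, ip, host) for mac, (ip, host) in seen.items() if mac not in registry]
    return len(seen), unregistered

if __name__ == "__main__":
    count, unknown = audit_devices(DHCP_LOG)
    print(f"{count} distinct devices, {len(unknown)} unregistered")
    for mac, ip, host in unknown:
        print(f"  {mac}  {ip:<15} {host}")
```

Normalizing the address format is the part people get wrong: switch CLIs, DHCP servers and a spreadsheet kept by the help desk all write MACs differently, and a registry that is compared as raw strings silently reports registered devices as unknown.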



Why do we use the BYOD concept?



1. BYOD increases productivity.

In my opinion every business owner wants to increase productivity, and with BYOD that is possible.

If you allow your employees to use their personal devices for work, you give them the flexibility to work on their own schedule. Employees can organize and answer important business emails wherever they are, while still staying connected to their personal life through social networks. As a result they tend to stay engaged with their work throughout the day, which leads to worker satisfaction and higher productivity.

2. BYOD connects all age groups

In a business culture there is no point arguing about age; whoever comes up with excellent ideas and gets things done is the right person.
BYOD lets younger and older employees connect using mobile devices, and it is a chance for everyone to get familiar with new gadgets that improve their productivity. Disabled people can also connect this way and contribute to the business.

3. Lower IT Spending

With BYOD, the consumerization of IT is becoming popular in large corporations and government agencies. By allowing employees to bring their own devices, company expenditure on hardware decreases, and the delays caused by waiting for hardware purchases and maintenance are reduced. 

4. Lower Security Risk

The idea is that all important company information is stored in the cloud, so the employee's device is just a tool to access it. If the device is stolen, the company revokes that device's access. In practice this only holds if nothing sensitive is cached on the device, so it has to be paired with device encryption and remote wipe (see the MDM functions below).

5. Work Anywhere


BYOD promotes the use of personal devices. This encourages employees to do some of their tasks at home and to continue working on a tablet or smartphone on the way to work. It also improves office communication: emails are answered quickly, presentations drafted and documents reviewed on the go. A BYOD culture clearly enhances employee productivity and connectivity.

6. Cost Saving


With a BYOD program on the enterprise wireless network, businesses shift operating costs to the user. Companies save on the cost of mobile devices, service plans and other associated expenses.


Drawbacks

Costs for the employee –

Employees may not want to buy the recommended (often expensive) devices, since they have to carry them every day and take care of them. When hardware or software fails, the employee has to get it repaired; otherwise there is no point coming to the office the next day empty-handed. In the end they may not be happy with the arrangement.

Security –

Companies spend a very large amount of money on their security systems. Employee-owned devices are unlikely to have that level of protection. 

Quality of security –

Viruses and spyware can cause untold damage to your business. Before setting up BYOD, research the security options available and check whether they cover what you need.

Agreements –

Make sure your employees know exactly where they stand. Put agreements in place before any policy is introduced, detailing who is responsible for which costs and what happens when an employee leaves the company.

3 companies showing the success of BYOD

  • Intel
  • SAP
  • Blackstone




What is MDM?


Mobile Device Management (MDM) software is used to secure, monitor and manage mobile devices, both corporate-owned and employee-owned. Network equipment such as Cisco's can integrate with an MDM server to check a device's compliance before letting it onto the network.


Critical MDM functions for a BYOD Network


Data encryption - only devices that support, and have enabled, storage encryption are allowed to connect to the network and access corporate content.

PIN enforcement - a password/PIN policy (minimum length, complexity, and lockout or wipe after a number of failed attempts) reduces the chance that a lost device can be brute-forced.


Data wipe - data on a lost or stolen device can be wiped remotely by an authorized administrator.


Data Loss Prevention (DLP) - prevents authorized users from leaking critical information to the outside world, whether carelessly or maliciously.

Jailbreak/Root detection - jailbreaking or rooting bypasses the device's security model and the MDM's control. The MDM identifies such devices and immediately blocks them from connecting to the network or corporate assets.




Hmm, finally I think you have got an idea of what BYOD is. Kindly give me your feedback on my article; I would highly appreciate it if you can share your knowledge with me.


Hope to see you soon.......😊

Thanks!
Best Regards,
Pamoda P. Perera

Welcome

Hi 😉,



I'm Pamoda Perera, a 3rd year student of SLIIT Malabe following Cyber Security.

Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.

I'm really interested in this subject. One of the most problematic elements of cyber security is the quickly and constantly evolving nature of security risks. 

Also I would like to take this opportunity to thank my family members, my lecturers & my friends for supporting my studies.

I look forward to writing a new chapter in this subject.
Keep in touch! 💗

Best Regards,
Pamoda Perera