email and web security

Post on 15-Jun-2015

Category: Technology

EMAIL AND WEB SECURITY

The first e-mail message was sent in 1971 by an engineer named Ray Tomlinson.

WHAT IS EMAIL?

• E-Mail: Electronic mail

• A method of exchanging messages in digital form.

• E-mail systems are based on a store-and-forward method in which e-mail servers accept, forward, deliver and store messages on behalf of users.

Users only need to connect to the internet through a computer for the duration of message submission or retrieval.

Email Service Providers

SECURITY FEATURES OF SOME EMAIL SERVICE PROVIDERS

FILTERS

MULTIPLE SIGN-IN

With multiple sign-in, you can sign in to up to ten accounts in the same web browser. If you sign out of any Google product from any of your accounts, you’ll be signed out of all your Google Accounts at once.

Security issue: If one account is compromised, there is a threat to all the accounts.

AUTHORISING APPLICATIONS & SITES

Activating this feature allows non-Google websites and applications to access your account and sync with your data.

Security issue: Google doesn’t review or endorse any third-party websites, so make sure you trust the website and understand Google's privacy policy before approving.

2-STEP VERIFICATION

It adds a layer of security to your Google Account by requiring access to your phone, as well as your username and password, when you sign in.

If someone steals or guesses your password, that person can’t sign in to your account because they don’t have your phone.

MAKE SURE YOU READ

Terms of usage policy – outlines how you are supposed to use Google’s platform. Mandatory to provide under Indian Cyber Law (Sec. 79).

Privacy policy – outlines the information that Google collects and how they use it. Mandatory to provide under Indian Cyber Law (Sec. 43A).

SIGN-IN SEAL

A sign-in seal is a secret message or photo that Yahoo! will display on this computer only.

Look for it every time you sign in, to make sure you're on a genuine Yahoo! site.

If the message, photo, or colors are different, you may have landed on a phishing site.

PHISHING - A PRACTICAL CASE STUDY

WHAT IS PHISHING?

Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details, etc.) by masquerading as a trusted entity.

THE SITES

www.noodlebank.com (i.e. NOODLEBANK.com)

www.nood1ebank.com (i.e. NOOD1EBANK.com)

THE REAL SITE

THE SPOOFED EMAIL

THE SPOOFING

The link appears as

www.noodlebank.com (i.e NOODLEBANK.com)

But actually it links to

www.nood1ebank.com (i.e NOOD1EBANK.com)

THE FAKE SITE

THE “STEAL”

• When Debasis entered his username and password at the spoofed website, they were sent across to the criminal carrying out the phishing attack.

MORE EXAMPLES…

• In this case study, the user was enticed with a misleading URL. Such URLs can be created easily using simple HTML code such as:

<a href="http://www.nood1ebank.com">http://www.noodlebank.com</a>

• This link displays the correct URL, but on clicking it takes the user to the spoofed URL, because the browser follows the href attribute, not the visible text.

USING A URL WITH AN IP ADDRESS

http://www.NOODLEBANK.com@67.19.217.53

This URL does not lead to noodlebank.com; it leads to the website at the IP address 67.19.217.53, because everything before the "@" is treated as login information, not as the host name.

USING A SPLIT DOMAIN NAME

http://www.NOODLEBANK.com.securitycheck.secure-login.nood1ebank.com/login.asp

This URL does not lead to noodlebank.com; it leads to the spoofed website, because the real domain is the last part of the host name (nood1ebank.com) and "www.NOODLEBANK.com" is only a sub-domain label in front of it.

USING AN OBFUSCATED URL

http://www.NOODLEBANK.com%00@%36%37%2e%31%39%2e%32%31%37%2e%35%33

This URL does not lead to noodlebank.com; it leads to the website at the IP address 67.19.217.53. The %XX sequences are hex-encoded characters (%36%37%2e... decodes to 67.19.217.53) and %00 is a NUL byte placed in front of the "@".
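The misleading anchor from the earlier slide and the three URL tricks above (user-info before "@", a split domain name, hex-encoded characters) can all be detected the same way: look at the host a browser would actually connect to, not at the text the user sees. The following Python script is an added example, not part of the original presentation. It uses only the standard library (urllib.parse, ipaddress) and the slides' fictional noodlebank.com / nood1ebank.com names; the registrable_domain helper is a deliberate simplification (last two labels) standing in for a Public Suffix List lookup, and the digit-for-letter normalisation covers only the 1/l and 0/o substitutions.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# The genuine domain the user believes they are visiting (the slides' fictional bank).
EXPECTED_DOMAIN = "noodlebank.com"


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    Percent-decodes the URL (so %36%37... becomes 67...), drops an embedded NUL
    (%00) that older parsers truncated on, and lets urlsplit separate the
    'user@' part from the real authority; .hostname is lower-cased.
    """
    decoded = unquote(url).replace("\x00", "")
    return urlsplit(decoded).hostname or ""


def is_ipv4(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Simplification (assumption): production code
    should consult the Public Suffix List so that co.uk-style suffixes work."""
    return ".".join(host.split(".")[-2:])


def lookalike_normalised(domain: str) -> str:
    """Undo the digit-for-letter substitutions used in the slides (1 -> l, 0 -> o)."""
    return domain.replace("1", "l").replace("0", "o")


def classify(url: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """List the deception signals in one URL; an empty list means it really
    points at the expected domain."""
    findings = []
    decoded = unquote(url)
    if decoded != url:
        findings.append("percent-encoded characters hide the real authority")
    if "\x00" in decoded:
        findings.append("embedded NUL (%00) in front of '@'")
    parts = urlsplit(decoded.replace("\x00", ""))
    host = parts.hostname or ""
    if parts.username:
        findings.append(f"'{parts.username}' is user-info before '@', not the host")
    if is_ipv4(host):
        findings.append(f"target is the bare IP address {host}")
    else:
        domain = registrable_domain(host)
        if domain != expected:
            if expected in host:
                findings.append(f"'{expected}' appears only as a sub-domain label of {host}")
            if lookalike_normalised(domain) == expected:
                findings.append(f"look-alike domain {domain} (digit substituted for a letter)")
            else:
                findings.append(f"target domain is {domain}, not {expected}")
    return findings


def anchor_mismatch(href: str, visible_text: str):
    """Return (shown_host, actual_host) when an <a> element's visible text is a
    URL whose host differs from where href really points, else None."""
    text = visible_text.strip()
    if "://" not in text and not text.lower().startswith("www."):
        return None  # visible text is a label, not a URL; nothing to compare
    shown = real_host(text if "://" in text else "http://" + text)
    actual = real_host(href)
    return (shown, actual) if shown != actual else None


if __name__ == "__main__":
    samples = [  # the slides' examples plus the genuine address
        "https://www.noodlebank.com/login",
        "http://www.NOODLEBANK.com@67.19.217.53",
        "http://www.NOODLEBANK.com.securitycheck.secure-login.nood1ebank.com/login.asp",
        "http://www.NOODLEBANK.com%00@%36%37%2e%31%39%2e%32%31%37%2e%35%33",
    ]
    for url in samples:
        print(url, "->", real_host(url), classify(url) or ["looks genuine"])
    print(anchor_mismatch("http://www.nood1ebank.com", "http://www.noodlebank.com"))
```

Running the script prints, for each URL, the host actually contacted and the list of signals; the genuine address produces none, the obfuscated one produces four (encoding, NUL, user-info, bare IP), and the anchor check reports that the text shows www.noodlebank.com while the href goes to www.nood1ebank.com. A mail gateway or browser extension would apply the same checks to every link in a message rather than trusting the displayed text.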

HEX TO ASCII CONVERTER

http://www.dolcevie.com/js/converter.html

TEST

www.phish-no-phish.com

SENDING FAKE EMAILS

http://mailz.funmaza.co.uk/

http://deadfake.com/Send.aspx

UNDERSTANDING FAKE MAIL

E-mail header analysis – An email header is the information that travels with every email, containing details about the sender, the route the message took and the receiver.

ANALYZING HEADERS

To see the Gmail header, click on the arrow button next to the “Reply” option, then click on “Show original”.

Header of the mail sent by using “fakemailer”

Analyse Message ID
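The slides ask you to read the Received: chain and the Message-ID of a mail sent through a fake mailer. The following Python script is an added example, not part of the original presentation, showing what that analysis looks like in code with the standard library's email package. The message is constructed for this example: the From: line claims noodlebank.com, but the Return-Path, the Message-ID and the first Received: hop all point at an unrelated "fakemailer" host (reserved .test names and documentation IP ranges are used). The checks are signals rather than proof; legitimate senders often relay through third-party mail services, so the findings should be weighed together.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message.  Received: headers read top-down from the
# receiving server back towards the origin, so the LAST one is the first hop.
SAMPLE_RAW = """\
Return-Path: <bounce@fakemailer.test>
Received: from mx.receiver.test (mx.receiver.test [192.0.2.10])
 by inbox.receiver.test with ESMTP id abc123; Mon, 15 Jun 2015 10:00:01 +0000
Received: from sender.fakemailer.test (unknown [198.51.100.7])
 by mx.receiver.test with ESMTP; Mon, 15 Jun 2015 10:00:00 +0000
From: "NoodleBank Security" <security@noodlebank.com>
To: debasis@receiver.test
Message-ID: <20150615100000.4321@sender.fakemailer.test>
Subject: Verify your account

Please log in at the link below.
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw: str):
    return message_from_string(raw, policy=policy.default)


def domain_of(addr_header) -> str:
    """Domain part of the address in a From:/Return-Path: header, lower-cased."""
    return parseaddr(str(addr_header))[1].rpartition("@")[2].lower()


def message_id_domain(msg) -> str:
    """The host after '@' in Message-ID, normally stamped by the originating server."""
    return str(msg.get("Message-ID", "")).strip().strip("<>").rpartition("@")[2].lower()


def received_hops(msg) -> list[dict]:
    """Parse each Received: header into HELO name, connecting IP and receiving host.
    Index 0 is the hop nearest the reader; the last entry is the origin."""
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # unfold and squeeze whitespace
        m = HOP_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def header_findings(msg) -> list[str]:
    """Inconsistencies between what From: claims and what the transport headers show."""
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    mid_dom = message_id_domain(msg)
    if mid_dom and mid_dom != from_dom and not mid_dom.endswith("." + from_dom):
        findings.append(f"Message-ID was generated at {mid_dom}, not under {from_dom}")
    hops = received_hops(msg)
    if hops:
        origin = hops[-1]
        if not origin["helo"].lower().endswith(from_dom):
            findings.append(f"origin hop {origin['helo']} ({origin['ip']}) is outside {from_dom}")
    return findings


if __name__ == "__main__":
    msg = parse(SAMPLE_RAW)
    for i, hop in enumerate(reversed(received_hops(msg)), 1):  # chronological order
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    for finding in header_findings(msg):
        print("!", finding)
```

For the constructed message this reports three findings: the bounce address, the Message-ID host and the first Received: hop all belong to fakemailer.test while the visible sender claims noodlebank.com. The same routine can be pointed at the text Gmail shows under "Show original".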

Email Bombing

EMAIL FRAUDS

Bogus offers: Viagra @ 80% discount price

Requests for help: email promising treasure

Lottery scams

Confidence trick

Get-rich-quick schemes

Money mules

AVOIDING EMAIL FRAUD

Keep one's email address as secret as possible

Use a spam filter

Notice the several spelling errors in the body of the "official looking" email

Ignore unsolicited emails of all types, simply deleting them

Don’t be greedy, since greed is often the element that allows one to be "hooked"

Email: sagar.rahurkar@iqspl.com

Phone: 09623444448

No FB pings please…!
