Good morning everybody. Welcome to the first session of day nine. I am very pleased today to introduce to you our speaker, Mr. Joe Varghese, who is a co-founder of Paladion, one of the first Indian security companies, founded in the year 2000. The company is headquartered in Mumbai, with branches in over 10 different countries. They provide security advisory services, they manage the security operations of several banks and financial institutions both in India and in the Middle East, and they have also launched many security products. This session will focus on the monitoring of phishing and other attacks, which Paladion provides 24 by 7 from their SOC. The SOC, the Security Operations Center, is based in Bangalore; the company itself is based in Mumbai. It is a company that has been doing pretty well. One of the founders is Mr. Rajat Mohanty, who obtained his B.Tech from IIT Kharagpur. One of the key investors in the company is Mr. Raghavan, who is also a co-founder of Infosys. So with this brief introduction, over to Mr. Joe Varghese.

Good morning everyone. Today we will look at phishing attacks. Phishing is essentially a social engineering attack which exploits the inability of the user to differentiate between the original website and the fake one. Even as we speak today, hundreds of customers of large banks are unknowingly revealing their user IDs and passwords on fake websites which look exactly like the original net banking site, and those user IDs and passwords are being used for committing fraud.

During the course of the presentation, we will look at the phishing threat: what a phishing attack is, and how phishers successfully lure users to their websites and are able to steal user IDs and passwords. We will also look at how the industry has learned to counter the threat. Just like for any other attack, we will look at three aspects.
How do you prevent phishing attacks? You cannot really prevent them; you can minimize the damage caused by a phishing attack. How do you detect such attacks? If you are a large bank, one of your concerns is to identify early whether a phishing attack is in progress and whether your users are being targeted. And lastly, if a bank detects that a phishing attack is in progress, how do you respond? What are the remedial measures that can be taken once we know a phishing attack is in progress?

First, let us see how a phisher operates. How is a phisher able to set up a website and get customers to come and give away their usernames and passwords? If you look at the phisher's mode of operation, the steps are very, very simple. First, set up a fake website, a website which looks exactly like Online SBI or ICICI online. Then, lure the users. The users are not aware of this website, so the phisher has to reach out to the users, either via an email or a link, so that they click on the link and land up on the fake website. Once the user lands on the fake website, the phisher has to ensure that the site looks authentic and very, very similar to the original one, so that the user will unknowingly give away his internet banking ID and password. Once that is done, the phisher can use the same details on the original website and do a money transfer or any other transaction that he wants to do.

So, as I said, the first step is to set up a fake website, and setting up a fake website is essentially about copying the login page and hosting it. In simple terms, it is a copy-paste. The first thing the phisher will try to do is ensure that the URL of the fake website is very similar to the original one. That is the first step, because if you are a customer of State Bank of India, you already know that the original URL is onlinesbi.com. If the phisher's URL is very different, you are going to get suspicious.
You may not want to click on that link, or even if you click, you may not give away your username and password. So the first task of the phisher is to make the URL as close to the original as possible. There are several tricks that they use. Some of them are just like a typo. For example, if you want to target Citibank, the original Citibank URL is spelled CITI. They would put in CITY, and if the user is not very alert, he would not notice. And "citi-bank", with a hyphen between citi and bank, may look very similar, but fundamentally it has no relationship to the original domain. These are things which a normal user may not know. He may not really understand the difference between citibank written continuously and citi-bank.com. That is essentially where phishing is. Phishing, as I said earlier, is a social engineering attack. It is exploiting the vulnerability that user awareness regarding IT, domains, URLs, etcetera is very low.

Again, they try to confuse the user with subdomains. For example, www.onlinesbi.com is the original SBI net banking site. The phisher can go and register a domain called online.com and then create a subdomain sbi, so it will read sbi.online.com. I am sure many users will have difficulty differentiating between www.onlinesbi.com and sbi.online.com. The user could even assume that SBI has probably done some tweaking and that this is really authentic, because the name SBI is part of the URL. Then, of course, we have these obscure domains. In the DNS world we have the global top-level domains, which are .com and .net. We also have country-specific domains: .tk, .nu, .in. There are so many country-specific domains, very obscure ones, which you can go and register, so you can even get a www.onlinesbi.nu.

And if the user is not very alert and is not paying much attention to the entire domain, he could easily be mistaken, thinking that since onlinesbi is part of the URL, it should be the authentic one. Sometimes they will send email links or post a link on a popular website. The link text would be exactly the same, onlinesbi.com, but the reference would be to the phisher's domain. That again is another trick the phishers use to give the impression to the end customer that he is clicking on exactly the same URL.

Now the URL has been registered and the website contents have been copied. This information has to go to the user. The most common method the phisher uses is to send an email to the bank's customers. Many times it is an email blast, where he sends this mail to millions of email IDs. He would not know which email IDs are correct. He would not even know which of these email IDs belong to SBI's customers or Citibank customers. But he sends it to hundreds of thousands of Gmail, Yahoo and Rediffmail addresses, probably using an automated program. All of these mails would look identical, and they will all contain the link to the phishing site.

Now, even if the user gets the mail, every user is not going to click on every mail he receives. So there has to be some incentive for the user to click on the mail, and they use some tricks for that. Sometimes they will put in something like a reward: the bank is offering a reward for a survey, why don't you click and complete the survey? The first step of the survey, obviously, would be to give your username and password, so that, they will say, the bank knows you are an authentic customer. Sometimes they will try to scare the customer. They will say that your account is going to be suspended.
Hence you need to immediately re-authenticate yourself: give your ID and password so that we know that you are the original customer and your account need not be suspended and can be kept active. There is no proof in this mail, but the logo will be exactly like the original SBI or Citibank one. The only thing is, once you fill up this form, it will go to the phisher and not to the original bank. Sometimes they try to reassure the user by showing some symbols. For example, many users who read internet forums believe that if there is a lock symbol, the site is secure. But the lock has to come at the right place. A lock on a web page is just an image. It has to come in the browser bar, which indicates that we are really on an HTTPS, or SSL, website, which is the case with most net banking URLs.

So I would like to summarize the phisher's modus operandi. They register a fake website. They try to choose a URL which looks exactly like the original. They copy the contents of the login page and paste it on their website, so it is essentially a one- or two-page website. That is all the phisher needs. Once it is ready, he sends this information out as email to the bank's customers, and he will keep enough incentives for the customer to click: either positive incentives, or maybe something to scare the customer. The customer will come, click on the link, reveal his ID and password, and then the ID and password are with the phisher. He can go to the original bank site and commit the fraud. When the customer gives his user ID and password on the phishing site, obviously the phisher is not able to show him his account balance, because he doesn't have it.

So probably he will give a message like "the server is busy right now, please try again later", because his objective was just to steal the ID and password and he has already got it. So this is how the phisher operates.

Now, there are some variants, some other attacks which the attackers use, essentially to steal the ID and password. One of the common ones is using a keylogger. A keylogger is a piece of malware which can come into your PC if you visit an inauthentic site like a crimeware site or a porn website, and it gets installed. The keylogger essentially records all the keystrokes that you enter, and the attacker is only interested in the keystrokes you entered immediately after typing the URL of a net banking website. So keyloggers are one more method by which phishing, or a stealing of username and password, happens. Then screen grabbers. As you would know if you are a net banking user, many of the banks provide you with virtual keyboards. So a keylogger may not work, but a screen grabber will. All of these programs sometimes come in as Trojan horse programs, which are programs resident on your computer but not doing anything harmful; if one did anything harmful, probably your antivirus would catch it. So these programs generally remain in the background doing specific functions, and if written by a phisher, they will be intelligent enough to switch on the keylogger the moment you type the URL of a banking site.

So phishing has been hugely successful for the attackers.
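Editor's note: the following is an added example and not part of the lecture or of Paladion's own code. It puts the URL tricks described earlier (the CITI/CITY typo, the hyphenated citi-bank, the brand-as-subdomain sbi.online.com, the obscure .nu TLD, and link text that shows the real URL while the href points elsewhere) into checks that a bank's SOC could run over reported URLs and mail bodies. The table of legitimate domains, the brand tokens, the sample hostnames and the sample mail are all constructed for illustration; the "last two labels" rule for the registrable domain is a deliberate simplification that a production check would replace with the Public Suffix List.

```python
"""Editor's added example: checks for the lookalike-URL tricks described above.

This is not code from the lecture or from Paladion. The legitimate-domain
table, brand tokens, sample hostnames and the sample mail are constructed
for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed table: registrable domain -> brand tokens a phisher would reuse.
LEGITIMATE = {
    "onlinesbi.com": ("onlinesbi", "sbi"),
    "citibank.com": ("citibank", "citi"),
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'sbi.online.com' -> 'online.com'.
    Simplification: a production check should use the Public Suffix List,
    because two-label suffixes such as 'co.uk' defeat this heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typosquats (citi -> city)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'legitimate', 'unrelated', or the lookalike trick the host uses."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in LEGITIMATE:
        return "legitimate"
    if "." not in reg:
        return "unrelated"
    reg_name, reg_tld = reg.rsplit(".", 1)
    for legit in LEGITIMATE:
        legit_name, legit_tld = legit.rsplit(".", 1)
        if reg_name == legit_name and reg_tld != legit_tld:
            return f"obscure-tld lookalike of {legit}"     # onlinesbi.nu
        if "-" in reg_name and reg_name.replace("-", "") == legit_name:
            return f"hyphenated lookalike of {legit}"      # citi-bank.com
        if edit_distance(reg_name, legit_name) == 1:
            return f"typosquat of {legit}"                 # citybank.com
    # Brand name used only as a subdomain label of an unrelated registered domain.
    sub_labels = host.split(".")[:-2]
    for tokens in LEGITIMATE.values():
        for token in tokens:
            if token in sub_labels:
                return f"brand '{token}' in subdomain of {reg}"  # sbi.online.com
    return "unrelated"


ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"\s*(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?\s*", re.I)


def _host_of(text: str) -> str:
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def mismatched_links(html: str) -> list:
    """(visible text, real href) pairs where the link text shows one domain
    but the href actually points at a different registrable domain."""
    found = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if not URL_LIKE_RE.fullmatch(shown):
            continue  # "Click here" style text: nothing to compare against
        if registrable_domain(_host_of(shown)) != registrable_domain(_host_of(href)):
            found.append((shown, href))
    return found


# Constructed phishing mail fragment: the visible text is the real bank URL,
# the href is the phisher's subdomain trick. The second link is genuine.
SAMPLE_MAIL = """
<p>Dear Customer, please verify your account at
<a href="http://sbi.online.com/login">www.onlinesbi.com</a>
or read our <a href="https://www.onlinesbi.com/phishing">www.onlinesbi.com</a> FAQ.</p>
"""

if __name__ == "__main__":
    for h in ["www.onlinesbi.com", "citybank.com", "citi-bank.com",
              "www.onlinesbi.nu", "sbi.online.com"]:
        print(f"{h:20} {classify_host(h)}")
    print(mismatched_links(SAMPLE_MAIL))
```

Each check mirrors one trick from the lecture: same name under a different TLD, a hyphen inserted into the brand, a single-character substitution, and the brand appearing only as a subdomain of someone else's registered domain. The link check compares the registrable domain of what the customer sees with that of where the click actually goes, which is exactly the mismatch a human cannot spot in a mail client.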
Paladion services a lot of banking customers in India and the Middle East, and we know for a fact that many of our customers who are banks are deeply disturbed by the number of phishing attacks, because it basically puts the bank's authenticity in question. Customers do not know that the bank cannot put an end to phishing attacks, because the bank has no control over the phishing; still, if a phishing attack happens on SBI or Bank of Baroda, customers will interpret it as meaning that maybe the bank's security controls are poor. That is not the case, but that is the customer's impression.

In recent times there have been variants of phishing. One of them is called a vishing attack; you can call it voice phishing. Here the phisher does not send an email; instead he will send you an SMS or call you on the phone, and he will tell you, "I am calling from the bank, we have a system maintenance and somehow we lost your password. Can you please tell me your ID and the password?" Essentially the objective is the same: to steal your banking ID and password. There is also another variant called a pharming attack. Pharming is a bit more technical in nature. In pharming the URL remains the same, but the IP address to which the URL resolves is modified. Technically we call it DNS poisoning, wherein onlinesbi.com is the same URL that shows in your browser, but you would not be going to the IP address of SBI's original net banking site; you would go to the address of the server hosted by the phisher. So those are the variants. If I were to summarize the attack, it is essentially about taking the user to a fake website and forcing him to reveal his ID and password, so that the attacker can use it to commit fraud.

Now let us look at what the defenses are. Phishing is not new. In India we have been seeing phishing attacks on banking sites right from 2003.

So it is more than 10, 11 years, but it still continues because user awareness has not grown much, and we have a lot of banking users who are not from an IT background. So it becomes very, very difficult to really educate the customer on how to differentiate between the original net banking site and the fake one. So what is the industry doing about it? What are the banks and service providers like us doing, how are we helping customers to defend? Like for any other security attack, we have three different levels: one is protection, the second is detection and the third is response.

Now, what I mean by protection is this. The bank knows that a phishing attack is something it cannot prevent: a user sitting in a remote location, maybe not even in India, maybe in Russia or China, putting up a website and sending out an email to the Gmail IDs of all the customers; neither State Bank of India, nor Bank of Baroda, nor ICICI has any control over it. They cannot do anything to prevent the phisher from putting up a fake website. So what are the other measures that SBI and ICICI have taken to minimize the damage even if phishing happens? That is what we are looking at in protection. In detection, we will look at how you can detect a phishing site as soon as it is hosted, or as early as possible. But I would like to say that if the phisher is smart, he can set up a phishing website which cannot be detected technically; that is possible. Third, if we detect a phishing site, how do you respond? What is the right response to it? A phishing site can be detected using some technical methods which I will share with you. A phishing site can also be detected by an alert customer who finds a phishing website and informs the bank, saying, "Look, I found a website which looks exactly like Citibank, but I know it is not the original Citibank."
So sometimes the customers also detect a phishing site and report it to the bank. We will look at that: how do you detect? And third, how do we respond? If I am the bank, what are the next steps I should take if I detect a phishing site?

First let us look at the protection mechanisms which banks have adopted. These are special security measures which banks have put in place over the last 10 years, specifically to prevent these kinds of attacks. As we go through these protection mechanisms, you might wonder why all banks have not adopted all of these measures. This is because security and user convenience are many times on opposite sides. The more additional security controls you put in, the more inconvenient it becomes for the user to use net banking. Many banks, even though they are aware that such additional measures are good for security, will not implement them, because they do not want to simply put off their users from visiting the net banking site. Banks started net banking to reduce the cost per transaction, so that people do not queue up at the ATMs, people do not queue up at the branches, and they can do money transfers, order a chequebook, all of that from their net banking. So banks are equally concerned about user convenience as about security. That is why many of the protection mechanisms I am going to share with you today may not be used by your bank. It is not because the bank is not aware of it or does not know that this is required for security; it is simply because the bank has decided that there has to be a balance between security and convenience.

So these are some of the protection mechanisms that are widely used. We will go through each one of them in a little bit of detail. First is secure login.

The phisher is attacking the login page specifically, so the banks have decided that the login page has to be more secure. There are multiple steps that banks have taken to ensure that login is secure and that, even if the phisher puts up a fake login page, it is difficult for him to log in on the original net banking site. The second level is transaction-level authentication. Here, even if the phisher is able to break the additional mechanisms we have put in the login page, he should not be able to do a transaction, specifically a money transfer. So some banks have decided that they will not put too many controls on the login page, but will put a lot of controls on the transaction page. When the user wants to do a transaction, we will put in an SMS-based one-time password, or we will put in a 24-hour cooling period, etc., before a transaction can be done. The third is personalizing user communication. As I said, this attack is essentially a social engineering attack, where the user's lack of knowledge is being exploited. So banks have tried to make the users aware by personalizing their communication with them. Their SMSes, their mails, etc. will contain some details which the bank knows but the phisher will not. Then the usage of virtual keyboards, and then user awareness. We will look at some of these steps in a little bit of detail.

First is two-factor authentication. If you look at the normal net banking login, it has only one level of password. You have an ID which is shared by the bank, and you have a password. If you are a net banking user, you will know that many times we do not change our passwords, even though the bank gives us a facility to change the password. We do not change it because, as an end user, I have several passwords to remember, not just net banking.
In my office I have a Windows password. For my Gmail I have another password. I have to remember the PIN of my ATM card. So definitely these are all passwords and PINs which we generally do not change. The phisher also knows that, and the bank also knows that. A normal net banking login page will only ask you for an ID and a password, and the password is fairly static; you probably would not change your net banking password for five or six years. That makes things very easy for the phisher, because if he puts up a fake page and you give away your username and password, the phisher can use that ID and password maybe two days from now, five days from now, or even one year from now. It will still be valid.

So what the banks have done is keep two levels of login password. Your static password still remains, and the second is a dynamic password. You log in with your ID and the password. Immediately, you do not get your home page or the account balance page; the bank will stop you at a second page and will SMS a password to you which is valid only for maybe 30 seconds or 60 seconds, and will ask you to enter that into the website. Only then does the login transaction complete and you get to your home page. Let me just show you how the bank does that. This is how Citibank India does it. You have a login page. You give your user ID and password; this is fairly static, you do not change this password very often, maybe for four years together. When you click on the login button, you are not entirely logged in. The bank will stop you and say that the OTP, the one-time password, has been delivered to your mobile number. So the bank generates a one-time password and sends it to you, and this comes not through the internet; it comes on your mobile. That is what we call a separate channel.

Now you receive it on your mobile, and that six-digit or eight-digit number you enter here. Once you enter it, your login is complete. Now suppose you are a phisher and you put up a phishing website. On that phishing website, going one slide back, you get these two: the ID and the password you have stolen. Now the phisher comes to the original Citibank site and tries to enter them. He cannot now complete the login, because he will also be asked to enter this four- or five-digit number. But that number has come to your mobile number, not to the phisher's mobile number. So essentially the common phishing attack has been prevented, because the phisher is not able to log in, since the bank has introduced a one-time password.

Now, once banks started doing this, that is when phishers also started to modify their attack and started doing vishing attacks. The phisher will get this login ID and password, and he knows that the SMS has gone to the user. He might call the user saying, "I am from the bank, can you please forward the SMS you just received to my mobile number?" So as banks get smarter, phishers also get smarter. But this OTP method, this method of sending a password through a mobile as a second factor for authentication, is a very good step. It really increases the security of the login process of net banking.

Now, as you know, SMSes do not always reach on time. Sometimes you may be in a remote location where mobile coverage is poor. You may be travelling outside the country and not have a roaming facility. Then it could mean that you cannot do net banking sitting in the US or Europe, because you have an Indian mobile number. So some banks have said that they will not use a mobile and send you a one-time password; they will give you a token. What I have shown on the slide is a hardware token. Every net banking customer gets a hardware token.

This hardware token is a random number generator; it generates a random number every 30 seconds. The bank knows which customer has been given which token, so the bank knows exactly what number is displayed on your token compared to that on another user's token. So essentially it is again a second factor: we have a dynamic password. Now, banks who have done this are again susceptible to a phishing attack. The phisher will put up the website and ask the user to enter the ID, the password, which is the static one, and also the number displayed on his token. This bank can still be susceptible to phishing if the phisher is able to use these IDs within the 30 seconds. Many phishers are not in a position to do that, but these days we have a variation called real-time phishing, or man-in-the-middle phishing, where the phishers immediately use the ID and password, including the dynamic password, which they have received from the user.

To summarize this control which banks have put in: the login has been made more secure. In addition to a static password, which customers generally do not change for years, the bank has introduced a second level of password. The second level of password can be a one-time password delivered to you over SMS, which is valid for maybe 30 or 60 seconds, or it could be a hardware token which continuously generates unique random numbers every 30 seconds, a token that the bank has given to the net banking customer. These are two methods by which many of the banks have improved the security of the login. But this is not to say that phishers have not found ways around it; as I said, phishers have found ways like vishing and real-time usage of these IDs to counter this control which the banks have put in.

Now we come to transaction-level authentication.
As I said, not all banks have put this additional level of password at the login page. A classic example is State Bank of India. State Bank of India has chosen to keep the login page with just a login ID and password, no additional SMS or hardware token, as of now. In transaction-level authentication, the bank assumes that a phisher may actually have stolen your password, but the bank wants to limit the damage. A phisher who has stolen your password and completed the login may be able to see your account details, your account number, the balance in the account, but the bank wants to ensure that he cannot do a transaction. There are a couple of methods by which banks have done it. For example, ICICI has a separate login password and transaction password; it is not the same. So the phisher may have broken the login password, but he cannot do a transaction unless he gets the transaction password also. In some cases what the phisher does is, in the phishing page, he will ask not just for the login password but for the transaction password as well. That is what the phisher will do if we put in a control like this. The other way that some banks have done it is that they do not have a static transaction password; for every transaction you do, to complete that transaction the bank will send you a transaction password to be used only for that transaction, valid only for 30 or 60 seconds.

State Bank of India has chosen to do that for every third-party transaction you do. For example, if I am paying my mobile bill through Online SBI net banking, I land on the State Bank of India page, all the payment details are there, I say that I want to pay 975 rupees to Reliance, everything is done, and when I click OK, State Bank will send me a password on my mobile. This is called the transaction password, and unless I enter that password, the transaction is not complete. So a phisher may have stolen my Online SBI user ID and password, but if he really wants to make a payment to a vendor using this Online SBI password, it is not possible, because this transaction will get completed only after entering the additional password, which I have got on my mobile and which the phisher is not having. So this is the way in which you can secure a transaction.

Transaction authentication is good because it has strong authentication; it is difficult to intercept because it is happening over mobile. But of course there are some disadvantages as well. Some users do not like to wait to get the mobile SMS and then enter it on the net banking page. As I said, additional security many times means less user convenience, and users dislike more passwords. So to that extent, transaction authentication is a good step to increase security as far as the bank is concerned, but it comes at a cost: many users may just stop or reduce the online transactions they do, because they might think that this is just too cumbersome and it is easier to write a cheque or just do a cash transaction.
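Editor's note: the following is an added example and not part of the lecture or of any bank's code. It models the two dynamic-password controls just described: the login OTP from a token or SMS that changes every 30 seconds (here accepted for the current and the previous step, roughly the 60 seconds mentioned, and only once, which is what makes it "one-time"), and the transaction password that is tied to one specific payment, implemented here by deriving the OTP key from the account, payee and amount. The token seed, account numbers, payee and timestamps are constructed. The example also shows the limit the speaker points out: a code captured and relayed inside the validity window (real-time phishing) still verifies, while a replay after the customer has used it, or two minutes later, does not.

```python
"""Editor's added example: the two OTP controls described in the lecture.

This is not code from the lecture or from any bank. The token seed, account
numbers, payee and timestamps are constructed. It shows (1) a time-based login
OTP that changes every 30 seconds, is accepted for about 60 seconds and only
once, and (2) a transaction OTP bound to the payee and amount, so the code
the customer receives for one payment does not verify for a different one.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the token in the lecture shows a new number every 30 seconds
DIGITS = 6
WINDOW_STEPS = 2    # accept the current step and the previous one: roughly 60 s

# Constructed seed shared between the bank and one customer's token (or SIM).
CUSTOMER_SEED = b"constructed-seed-for-customer-0001"


def _hotp(key: bytes, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated to DIGITS."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def login_otp(seed: bytes, now: int) -> str:
    """What the customer's token displays (or the bank SMSes) at Unix time `now`."""
    return _hotp(seed, now // STEP_SECONDS)


def _transaction_key(seed: bytes, account: str, payee: str, amount_paise: int) -> bytes:
    """Derive a per-transaction key, so the OTP is valid for exactly these details."""
    details = f"{account}|{payee}|{amount_paise}".encode()
    return hmac.new(seed, details, hashlib.sha256).digest()


def transaction_otp(seed: bytes, account: str, payee: str, amount_paise: int, now: int) -> str:
    """The transaction password the bank SMSes after the customer clicks OK."""
    return _hotp(_transaction_key(seed, account, payee, amount_paise), now // STEP_SECONDS)


class OtpVerifier:
    """Bank side. Codes are accepted only within WINDOW_STEPS and only once each."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.consumed = set()   # (key, step) pairs already used, to block replay

    def _accept(self, key: bytes, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        for candidate in range(step, step - WINDOW_STEPS, -1):
            if (key, candidate) in self.consumed:
                continue                      # this code was already spent
            if hmac.compare_digest(code, _hotp(key, candidate)):
                self.consumed.add((key, candidate))
                return True
        return False

    def verify_login(self, code: str, now: int) -> bool:
        return self._accept(self.seed, code, now)

    def verify_transaction(self, code: str, account: str, payee: str,
                           amount_paise: int, now: int) -> bool:
        return self._accept(_transaction_key(self.seed, account, payee, amount_paise), code, now)


if __name__ == "__main__":
    t0 = 1_000_000
    bank = OtpVerifier(CUSTOMER_SEED)
    code = login_otp(CUSTOMER_SEED, t0)
    print("customer logs in 5 s later:", bank.verify_login(code, t0 + 5))
    print("phisher replays the spent code:", bank.verify_login(code, t0 + 6))
    # Fresh verifier models the phisher submitting before the customer does.
    print("phisher relays it 40 s later (real-time phishing):",
          OtpVerifier(CUSTOMER_SEED).verify_login(code, t0 + 40))
    print("phisher tries two minutes later:",
          OtpVerifier(CUSTOMER_SEED).verify_login(code, t0 + 120))
    tx = transaction_otp(CUSTOMER_SEED, "ACC0001", "RELIANCE", 97500, t0)
    print("975.00 INR to RELIANCE:",
          bank.verify_transaction(tx, "ACC0001", "RELIANCE", 97500, t0 + 5))
    print("same code, payee swapped:",
          bank.verify_transaction(tx, "ACC0001", "MULE", 97500, t0 + 5))
```

The consumed set is what turns a time-based code into a one-time one: without it, anything captured inside the window could be submitted twice. Binding the transaction key to the payee and amount is the part that a plain SMS of a random number does not give you; it means a phisher who talks the customer into reading out the code gets a value that only completes the transfer the customer was already making.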
Now we come to another method. So the first method for minimizing the impact of phishing is secure login. The second is to leave the login page as it is, let the phisher take away the password, but secure the transaction. The third is personalizing the website. As I said, the fundamental problem in phishing is that the end user is not able to differentiate between the original Online SBI and the fake Online SBI. There are several technical methods for that: we can educate the user on the exact URL, we can educate the user to look for HTTPS, we can educate the user to look for the lock symbol, etc. But as I said, 90 to 95 percent of the bank's customers are not tech-savvy users. They are businessmen, they are other people who really don't, if I can say so, care about these things. They want to do a transaction as fast as possible, they've been told the internet is the method, and they go for net banking. In personalizing the website, what the banks have tried to do is enable the user to identify that, yes, I am on the authentic ICICI or HDFC or SBI and not on the fake one.

There are several solutions. One of the most popular solutions, which many banks have adopted even in India, is that when the customer registers for net banking, you not only ask him to choose a user ID and password but also ask him to choose a favourite image or a favourite phrase, and you display it on the net banking website so that the customer knows. For example, if the customer has chosen Sachin Tendulkar as his favourite image, every time he logs in the bank will first ask him only for the user ID, not the password. Once the user ID is entered, it will display the favourite image which he had chosen. So if you had chosen Sachin Tendulkar, Sachin Tendulkar will come; if you had put up your puppy's photo as your favourite image, your puppy's photo will come. Now the phisher does not know what favourite image you had chosen, and since he doesn't know, he is not able to display it. So all you tell your user is: give your ID, click OK, we will display Sachin Tendulkar; if Sachin Tendulkar doesn't come, please don't enter the password. That is what we are going to say. So the banks have literally taken away the complexity of looking at the URL, the SSL and everything, and made it much easier for the non-technical bank user to understand whether he is on an authentic site or on a fake website. Of course, the smart phisher will sometimes put up the same site; he will not show the image, and instead he will say "my image server is having a problem, please proceed". They also do that. But this is one mechanism by which banks have tried to reduce the complexity for the user in understanding whether he is on the original site or on a fake website. As I said, this is a good alert mechanism, this is very effective, but again this depends on the user's awareness and alertness. Sometimes users in a hurry will not even notice the image, and then the whole point is lost.

Now we come to email communication. As I said earlier, the phisher puts up a fake website on a fake URL and sends an email to the customer. The phisher will be sending out hundreds of thousands of emails, because he doesn't know exactly what the email addresses of SBI's customers are, so he will try to send it to 100,000 emails so that at least a thousand land up with SBI customers. Even if he lands in the mailbox of an SBI customer, he doesn't know the name of the customer, he doesn't know anything; he is just trying to publicise his fake website. Many times, when banks send you a mail, they address you as "Dear Customer"; they don't really use your name, and they don't provide any details in the mail which are specific to you. So what many banks have started doing after phishing attacks became popular is to put some details about the customer in all their mail. They will not address you as "Dear Customer"; they'll say "Dear Abhishek", and then they will say that this pertains to your account whose ATM card number's last four digits are such and such. So every time you receive an email from the bank, you know that the bank knows you by name and is going to provide some details which only SBI knows and nobody else. Now if you get a mail from the phisher, he doesn't know your name and he doesn't know the last four digits of your ATM card number, so his mail, if you read carefully, is going to be very generic. If you are an alert customer you will realise that this definitely is not from SBI, because every time SBI sends me an email they address me by name and include the number. This is a simple mechanism which many banks have adopted to increase the awareness of the user and make it less likely for the user to click on a phishing mail. This is a very, very effective mechanism.

Virtual keyboards are not a solution for phishing. Virtual keyboards are a solution for keyloggers. If somebody has put in a keylogger; one of the biggest threats, probably, in India is shared computers, cyber cafes, where you go and do your net banking transaction. You have no idea whether the cyber cafe owner or the previous person who was sitting at that same computer before you has put in a keylogger, and everything you type in is going to get recorded. For those situations the bank has provided the facility of a virtual keyboard. With a normal keyboard you enter your password by pressing the keys; the virtual keyboard is something like this: the bank presents a keyboard on screen, you click on the buttons on the virtual keyboard, and that is how the password gets entered. Please remember this is not against phishing. There are many phishing sites which provide you virtual keyboards, because the attacker is not really bothered about how you are entering the password; he just wants the correct password. So to that extent, virtual keyboards are a defence for keyloggers.

Now, last, we come to building user awareness. As I said, the whole phishing attack is against the user's lack of awareness, or lesser awareness or lesser technical skills. So all banks have invested in building user awareness, and many of these measures have been taken on the net banking website itself. The bank tries to educate the user, saying: this is phishing, this is the phishing FAQ, this is where you report phishing if you detect one. If you are an alert or observant net banking user, you would have seen a lot of phishing messages on the website. As I said, this is really addressing the root cause, user awareness.

Now if you look at Online SBI: if you want to do a transaction, you go to onlinesbi.com and click on the login button near personal banking. SBI does not give you the login page until it has told you what phishing is. The moment you click on this, this is what you get. Before the login page, SBI tells you what a common phishing attack is and what you have to do, and only after you read it and click on "continue to login" do you get your login page. This is a very good measure, where the bank is educating the user to at least be aware that these things happen. Even on the login page, what I have circled, the "about phishing" and "report phishing" links are there to enable an alert user. But those of you who are very conversant with phishing will know that the attacker can also mimic all these three pages: he can have a login page, he can also give you phishing awareness before landing you on the fake SBI page; it's all possible. But I'm saying that the banks are now continuously educating the users about the phishing threat, because, as I said, all of the technical controls that we talked about earlier, like putting a one-time password on SMS, giving you a hardware token, stopping you in the middle of the transaction and sending you an SMS, all of these are very good technical controls, but they come at the cost of a high amount of inconvenience for the end user, and banks fundamentally don't want to create any inconvenience for the user; they want more and more users to come to net banking. That is why awareness becomes very, very critical. There are some banks who take it a bit overboard; they try to scare the user by saying "beware of fraudsters" and all that on the login page. Of course, different banks have different guiding philosophies when they do user awareness, but yeah, some
things work sometimes you want to educate them sometimes you want to scare them so that they are more careful with their user IDs and password but but in summary you know user awareness is a critical component of any banks anti-fishing you know technique so user awareness yes you know it has got a long-lasting effect it improves the company image and and if you see when fishing was at its peak I still remember some of the large private sector banks like ICICI had a full page advertisements on leading a dailies like Times of India where they were educating the users on what is fishing and what you should not do and what you should do how you should reach out to the bank if you think you've got fished so that the bank and change your password or block your account and everything so user awareness as a long-lasting effect and definitely gives the impression to the customer that you are a responsible bank because because you are you are concerned about user security because this if you lose money through a fishing attack technically speaking the bank is not responsible because this is as good as you handing over your user ID and password to the customer on a written piece of paper and then coming back to the bank and saying I lost 50,000 because the fisher logged in most of the banks will effectively tell you that you handed it over willingly we had always warned you that this kind of attack takes place and you should be alert but you know you chose otherwise so many times the you know customers lose money and the bank may not be in a you know very obliging when you when you go back and say that I want to recover my money which I lost in fishing because the bank rightfully thinks that you are the user who is responsible to keep your ID and password safely so to summarize on the protection mechanisms you know which banks have commonly adopted secure the login you know just don't depend only on static password use dynamic passwords also you know if you if you can't lock 
your login page you know improve the security of your transaction personalize your website with images use virtual keyboards continuously provide users with you know awareness you know session so these are all measures as I said to increase the protection this again will not prevent a fisher sitting in a remote location to launch an attack it only makes it more difficult for the fisher to finally steal some money from the accounts that he fished that is all this cannot as you see none of these measures are talking about preventing somebody from putting up a fake website or registering a fake domain none of these measures because all those are things which are outside of the control of the online SBIs and the ICIC now we come to detection so so as I said because we know how the fisher operates we can design mechanisms to detect him at different stages so before I get into detection I would like to tell you that all these detection mechanisms detect the mistakes made by the fisher if the fisher is really smart he can put up a website without any detection at all that is theoretically possible we still in real life because we do fishing detection for many of the banks we see fishers who are really smart who set up websites which are not at all detected unless we know that a fraud has happened when we go to the end customer of the bank and ask him what did he do we realize there was a fishing site hosted in China or Russia a very smart way that none it was impossible to detect its existence so now when we talk about detection it is important to just revisit quickly what the fisher does so that we identify mistakes or I know things that he will do wrong so that we can catch him so as I said he will register a fake domain name which will a domain which will sound very similar to online SBIs or an ICIC online or Citibank online then he will set up a website which looks exactly like the original then he will send an email and then he will collect the user ID password so of 
course one of the effective things that you can do if you are an online SBI is to look out for people registering the SBI name you can look out for people who register similar sounding name SBI bank is nothing to do with SBI but if somebody registers it you can be no sometimes people register domains just for the purpose of you know cyber squatting they register so that they can sell it to the original bank at a higher higher you know value at a later point of time there is a chance that fishers also will register domains so it is a good idea for the bank to monitor for similar sounding domains you know where SBI within a double eye or SBI online SBI with a hyphen between online and SBI all those things are similar sounding domain but monitoring domains is not an easy mechanism all the top level domains do not provide you that facility that is one the second is if you look at country specific domains the Indian register if somebody is registering a dot in domain it is even more difficult to to proactively search for what are the domain names which contain the you know SBI word in it is very difficult so again you remember that registering a domain name is not a prerequisite for a phishing attack attacker can host a phishing site entirely on his home PC without any domain name and just on a raw IP address it's absolutely possible it just that they don't normally do it because as an SBI customer I am not normal to doing the giving away my user ID and password on a site which has got only IP address that's the only reason they don't do it but technically it is possible to have a phishing site just on an IP address without any domain associated to it so so if you you can search for similar sounding domains you know there are several facilities there are free services like who is where you can search there are paid services because phishing is a big attack there are many service providers who you who offer this is a service like mark monitor you know fraud watch there 
are several companies who give this so you can you can subscribe to them if you're a bank and they will alert you when somebody with a similar sounding to your federal bank or your you know Punjab National Bank somebody registers a name they will they will alert you and if you want to really search for the Indian registry for the websites registered in the dot in domain you can go to registry dot in and then you can search but you don't have a wild card search here you really have to be imaginative and find out which are the names which are similar sounding to SBI or state bank and then search it manually one after the other but you can do it technically speaking so one way is to look at searching for domain names because you believe that one of the first steps that the attacker is going to do is to register a similar sounding one so if you catch him at this stage maybe you can stop him before he proceeds to putting up the website the second is analyze these server logs online SBI has a website or you can call the net banking website which generates logs for people who you know visiting the website if you have ever been fished or if you have ever had the opportunity to analyze a fishing attack you would notice what the fisher does he puts up a fake fishing site he will he will take your user ID and password when you click ok he will give you sometimes a message saying the server is busy click again when you click again his job is done he's already stolen your online SBI password when you click on that page he will redirect you to the original website and there you're going to give the original username and password and your login happens so if you're a user you you think that nothing is gone wrong probably I gave my you know username password first time or maybe server was busy so what I'm trying to say is most of the fishing sites once the fish is done they redirect the customer's browser to the original banking site to reduce the suspicion on the customer side 
Because if, after giving away your username and password on a phishing site, you always get "it is busy", or it crashes or gives an error, the user might call up the bank and say "why is your net banking not working?" The telephone operator will ask him where he logged in; he will give the URL; then they will realise phishing has happened; they will alert the bank; the account will be frozen; money cannot be moved. So what the phisher does, after the phishing happens, is redirect the user to the original net banking site.

Now this is where the logs of the net banking server of OnlineSBI can be of help to us. You are monitoring the logs of the original onlinesbi.com web server. You always have a field in the web server logs called the referrer field. In the referrer field, the web server captures which site has redirected you here; that is what it captures. For example, if you are trying to book your ticket on IRCTC and you do the payment through OnlineSBI, the referrer will be irctc.co.in. Or if you are buying something on Flipkart and you want to do the payment through SBI's online banking, and you click on that and come to the login page of OnlineSBI, the referrer will be flipkart.com. So if you are monitoring your net banking logs and you are looking at the referrer field, what normally comes will be the IRCTCs, the Flipkarts and all that. If a phisher is redirecting you, after the phish has happened, to the original net banking site, you will see the phisher's website in the referrer. So if you are very alert and you are monitoring the web server logs, and specifically the referrer field, you will note suspicious referrers. Flipkart and IRCTC are not suspicious, but something like "online-sbi" is definitely suspicious. So one of the methods by which banks detect that a phishing attack is in progress is by monitoring the logs of their own net banking website and looking at the referrer column in the net banking web server logs. The referrer contains who redirected you to this site. Normally it is the banking sites, the advertisement sites, the Rediffs, etc. If it is a suspicious URL, definitely it is something that the bank will take notice of and try to detect. So referrer monitoring is one of the methods by which the bank can proactively detect the existence of a phishing site.

The referrer comes not just when the redirection happens. Sometimes phishers don't copy the entire contents of the website into their page; they will only keep the text portion and some of the images. If the images are big in size, they will host the phishing website but they will link the images to the original banking site, because if they are hosting the phishing website on their home PC on a slow link, they don't want to waste their link serving the SBI logo. The SBI logo on the phishing page can load from the original SBI. In that case also, we will get the referrer as the phisher's website. So to summarise: if the bank is monitoring the referrer field of the original net banking site, and the phisher redirects to the original site after the phish, you can detect the phisher in near real time. On the first visit by the first customer to the phishing website, you would have caught the phisher and the phishing website.

The other mechanism is to set up a kind of web beacon, something hidden. As I said, how will the phisher create a login page which looks exactly like Citibank or exactly like OnlineSBI? The simplest method, of course, is to load the original in your browser, click on View Source, do a copy and do a paste. That is the simplest; there's nothing simpler than that, and of course phishers are not interested in working hard to create the same page. So what do you do if you are the bank? You put a small JavaScript onto the original web page. The JavaScript does nothing as long as it is running under the original domain, or under the original URL www.onlinesbi.com. Suppose it gets copied by the phisher into the phishing website, and let's call the phishing website onlinesbi1.com. What the JavaScript does: when the page loads, the JavaScript detects that "now I am running under the domain onlinesbi1.com, which is not the right one," and it will send an email to SBI's net banking team saying "I, the JavaScript, am now running on onlinesbi1.com." SBI can immediately detect that onlinesbi1 is a phishing site, or that somebody has copied it and is doing something suspicious. So one of the methods by which you can detect a phishing site is by incorporating a small code into your original page. Assume that the phisher will copy the entire code when constructing the new page, so this JavaScript also gets copied, and when the phisher hosts it and the customers start going to this page, this JavaScript will trigger a mail to the original net banking team of SBI saying "I am now running under a new URL." As I said, if the phisher is alert, he will examine the code of the original page and he will remove all these scripts before he copies it. That is very much possible. But if he is not alert, and if he is copying the entire source code, the bank has a good chance of catching the phisher the moment he hosts it, or the moment the first customer comes and visits the site.

The third method: as I said, the phisher will create a fake website and he will send out mails to hundreds and thousands of users. The phisher has no means of knowing the original email addresses of all SBI's users, so what he does is just send it to random email IDs of Gmail, Hotmail, Rediff, etc. But one thing the phisher will take care of is the From address: he will try to put a fake one which looks like it has come from SBI. That is definitely a measure which the phisher will take. He will put a From address like user@sbi.co.in or contactus@sbi.onlinesbi.com; he will put an original SBI domain name in the email address. Now, since the phisher does not know all the correct email IDs, many of the emails will bounce back. Suppose he sends it to sureshkumar@gmail and sureshkumar@gmail doesn't exist; the mail will bounce back. When the mail bounces back, it won't go to the phisher; it will go to where the From address belongs. So if he has put a fake From address like contactus@sbi.co.in, you will get a bounced mail in the contactus@sbi.co.in mailbox. Normally there should not be too many bounced mails in that mailbox, because that is used by SBI to send mails to the original customers whose email IDs they know. So if State Bank, or any bank, is tracking bounced mails and their contents, there is a high chance that they will detect a phishing attack in progress, because the phisher will definitely keep an SBI mail ID as the From address, and the phisher is surely not going to get all the To addresses right. There will be hundreds of wrong To addresses; all those will bounce; the bounced mails will come to the original SBI mailbox; and if SBI is looking carefully at the bounced mails and their contents, they are definitely likely to find a phishing attack in progress just by tracking bounced mails.

And the phisher also knows this. So what the phisher will do is keep a mail address of SBI for which there is no valid mailbox. I will give you an example: he knows contactus@sbi.co.in exists, but contactus1@sbi.co.in does not exist. So instead of keeping contactus, because he knows it can get bounced and go into a mailbox, he will keep contactus1. So what will happen: the mail will bounce back from Gmail, it will come to SBI's mail server, and SBI's mail server will say that mailbox doesn't exist. That is called a double-bounced mail: the mail bounces both from the To address side and the From address side. Normally any bank will discard such mails, but if the bank is very alert, they will know double-bounced mails also should not be discarded; they need to be examined, because we could potentially detect a phishing attack in progress. So if you are examining your bounced mails and your double-bounced mails, there is a high chance that you will detect a phishing attack in progress.

So that summarises the methods for detection, the key methods. One: examine the domain registrations, look for similar sounding domains, because that could be the phisher's first step. Second: examine the web server logs of your original net banking server, because if the phisher is referring the customer to the original site after the phish has happened, you will get the URL in the referrer. Put a small JavaScript in your original page, so that if the phisher is copying the contents, this JavaScript will alert you that it is running on a new site and not on the original; that is another mechanism. The last is to examine the mailboxes, the critical mailboxes which you use for customer communication, for single bounces and double bounces. Now, as Paladion, as a service provider, we provide these four steps, examining the logs, putting a JavaScript, examining the domain registrations and examining the bounced mails, as a service for many of the large banks in India, and we are able to detect maybe around 75 to 80 percent of all phishing attacks. As I said, a smart phisher can put up a phishing website without falling into any of these detection mechanisms: he can put up a URL which is similar to SBI but in a country which cannot be monitored; he can smartly get the user ID but not redirect to the original website; while copying the contents he can be careful and remove the JavaScript which detects where it is running. All those things they can do. So detection is always on a best-effort basis. But as with any attack, the attackers are more focused on getting things done very fast and hosting multiple sites, so they will obviously make one or two of these mistakes which allow us to detect the phishing attacks.

Now that is about detection. Now we come to the last portion, which is about how you respond. How do you as a bank respond if a live phishing attack is detected? If a customer reports, or a service provider, your monitoring service provider like Paladion, reports that "sir, there are three phishing sites targeting SBI right now," what will the bank do? The first thing that the bank does is, of course, deactivate the phishing website. Now, deactivating the phishing website is sometimes, in the industry, called a takedown; it's called a site takedown. If, for example, the phishing website is hosted in a data centre like the Reliance data centre or a Netmagic data centre, you have to call up the data centre provider and tell them, "I am calling from State Bank. This is my original website. On one of your servers there is a similar looking website and they are propagating it to my customers, so kindly disable it." Now this is easier said than done. Sometimes what phishers do is put up these phishing websites on other websites which have been compromised. For example, last Christmas we had a phishing website hosted in Korea, on one of the Korean church websites. It belonged to a church, and all the church administrators were on a long vacation from December to January, New Year. The phishing website was hosted on that church web server, on a link on the church web server, and there was no way to contact the administrator to bring it down. So even though takedown looks like a simple mechanism, it's not that easy, because phishers have also realised which are those servers where they can host whose administrators are very difficult to contact to delete or disable those web pages. That is one.
The other mechanism, sometimes, is where we take the help of a body like CERT-In, wherein the bank contacts CERT-In and says the phishing website is hosted at such a place. One of the steps which CERT-In can enable is: if you are a bank in India and 90% of the bank's customers are in India, and if this site is hosted in an outside country, maybe on our border routers, the international gateways which take our traffic to the outside world, this site can be blocked. That's one more thing that we can do for takedown. The first step the bank takes is to initiate takedown or disabling, because the more time the phishing site is alive, the more customers are likely to go and give away their passwords. So the first action is to take down.

Second is feeding dummy data to the phishing site. That is something that we can do proactively. The phisher is collecting the user IDs and passwords, and one of the things the bank does, if it cannot take down the website, is to feed dummy data. The dummy data can be fed proactively by the bank or with the assistance of service providers like us. For example, we know that all SBI net banking user IDs are alphanumeric and all SBI net banking passwords have a maximum length of 14 characters. We will have automated scripts to pump in multiple user IDs and passwords, which are just fictitious, from multiple IP addresses. So what happens: the phishing site is up, some of the customers are also unknowingly giving away their ID and password, but we are basically confusing the phisher, because we are feeding a lot of data. We're just making it more difficult for the phisher to identify the correct user ID and password compared to the fake ones. That is the other step.

The last step that the bank does is to disable the accounts of phished users. One of the things the bank will do is alert immediately their call centres and every place so that, in case a user calls up saying "I have been phished", they immediately take down his ID and password, communicate to the net banking team and disable the account, so that even if the user ID and password have been stolen, the attacker cannot steal money from the account. So these are some of the response mechanisms that the bank takes when a phishing site has been detected.

So let me summarise what we have seen. As I said, phishing is a social engineering attack. It basically targets the lack of awareness of the user, or his inability to differentiate the original from the fake. Since the bank has no control over how a phishing site gets hosted, the banks have put certain protection mechanisms in place to minimise the damage even if a phish happens. So two-factor authentication, multiple passwords, personalising the website and increasing user awareness are measures which many of the banks in India and abroad have taken. Technically it is possible to detect early the existence of a phishing website: we can look at DNS registrations, we can look at web JavaScripts, we can look at examining the logs of the original net banking server, and we can also look at examining bounced mails. Having said that, it is possible for a smart phisher to put up a site without getting detected. If you get a phishing site, the things that the bank does to respond, to minimise the damage caused by a phishing site, are: first, of course, try to bring it down so that nobody can access the phishing site; feed dummy data so that the phisher is a little bit confused and he has to search through a large log of IDs and passwords to get the original ones; and also disable the phished accounts.