2. May 2006 – Veterans Administration laptop with personal information on 26.5M veterans is stolen. “Total losses could top $500M.” – VA Secretary Nicholson
Jan 2007 – Hackers stole data from at least 45.7 million credit and debit cards at retailer T.J.Maxx; total costs could exceed $1.0B
May 2006 – CIO, CSO fired; Ohio University 137,000 student accounts compromised
5. Can you spot a “Social Engineer”?
Phishing is Social Engineering
6. Social Engineering
What is Social Engineering?
“An attempt to influence a person into granting unauthorized access, unauthorized use or unauthorized disclosure of an information system, network or data. Modifying system configuration.”
“How to blunt the socially engineered hack” by Michael Casper
(http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO65473,00.html)
7. Social Engineering
… 70 percent of those asked said they would reveal their computer passwords for a … bar of chocolate
Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
8. Social Engineering
Methods of Social Engineering
Information Gathering
Information Planting
Email Scams
Masquerading
Dumpster-diving
Help desk/Support areas
Receptionist/Administrative areas
Launching attack
9. Vulnerability in People
Cause: A large and growing population of internet-illiterate users is using internet email and other user-friendly applications.
Threat: Not knowing how the internet works, or what its threats are, allows miscreants to attack a network or person through social engineering. This is the fastest-growing method of hacking we have seen.
Human nature is to be trusting, even of things which may be false.
10. Social Engineering – Information Gathering
Scenario #1 – YOU: How many of you have provided personal information online or over the phone to a vendor or service?
Personal Information May Include
Social Security Number (or just the last 4 digits)
First, Middle, Last names – Maiden Name
Mother's Maiden Name
Address, Phone Number
Email Address?
Credit Card Number – CVV2 Code
ATM PIN Code
Passwords you may use elsewhere
11. Social Engineering – Information Gathering
Scenario #1 – YOU: Was that information sent securely? Will it be shared with someone else? Was it compromised?
Scenario #2 – SOMEONE ELSE: Have you ever asked for personal information and been offered that information freely or without much effort?
12. Social Engineering – Information Gathering
Example: How many of you would provide personal information to someone who called you on the phone? Over the Internet?
Social Engineering is an art, basically the art of listening and lying at the same time, while seemingly having a typical conversation.
Read More: The Art of Deception – Kevin Mitnick
13. Social Engineering – Information Planting
Scenario: You come back from lunch to find a Post-it note on your desk asking you to change a user password to something written on the Post-it note.
14. ID Theft – New Way
Phishing / Pharming
Hijack/Skimming
15. Social Engineering Example
On 7 October 2001, a spoofed CNN page carried the story “Singer Britney Spears Killed in Car Accident”.
Due to a bug in CNN’s software, when people at the spoofed site clicked on the “E-mail This” link, the real CNN system distributed a real CNN e-mail to recipients with a link to the spoofed page.
With each click at the bogus site, the real site’s tally of most popular stories was incremented for the bogus story.
Allegedly this hoax was started by a researcher who sent the spoofed story to three users of AOL’s Instant Messenger chat software.
Within 12 hours more than 150,000 people had viewed the spoofed page.
17. What is Phishing?
“Fishing for personal information”
Use of “spoofed” e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc.
Anti-Phishing Working Group
http://www.antiphishing.org/
18. Surge in phishing
Based on the survey, 57 million Americans have been, or think they have been, the victim of a phishing attack.
30 million were positive they had been targeted; out of that pool, 11 million fell for the scams, or about 19% of those attacked.
Almost 2 million, or about 3% of those attacked, reported that they'd actually divulged sensitive information, e.g. credit-card numbers, bank accounts, passwords, etc.
Phishers have a one in 700 chance of getting caught.
*Gartner Group
21. Email Scams
This is a very common tactic used to social engineer personal information. Let's walk through a specific case.
22. Email Scams
Click on the link and you get sent to the eBay Security Update page… Or do you…
Click here and it takes you to Official eBay Help.
Not a secure website.
LET'S SCROLL DOWN
23. Email Scams
As we scroll down the page we find out that it needs a lot of personal information to verify who you are.
NEVER give this out to anyone online.
Just in case you mistyped your password above…
OK… I can see how eBay might need this info… right???
LET'S SCROLL DOWN
Just in case you thought this might be a scam…
24. Email Scams
CVV2 code and PIN number to your bank account.
Can’t use the credit card online without this!!
If we clone your card, we might need this as well.
25. Email Scams
Let's take a look at the email again… How many of you receive emails like this on a regular basis? Does it look legit? Would it have fooled you?
In this case, the whole message was actually an image, with the image linked to the malicious site, while the link shown in the image looked like something legitimate.
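The two tricks on this slide (a whole-message image wrapped in a link, and link text that names a legitimate site while the href points elsewhere) can be checked mechanically before a message reaches a mailbox. The auditor below is an added example written for this page, not code from the presentation; the sample HTML, the addresses 203.0.113.9 and bad-site.example, and the function names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkAuditor(HTMLParser):
    """Collect each <a href> with the text a reader sees and whether it wraps an <img>."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._cur = {"href": a.get("href", ""), "text": "", "img": False}
        elif tag == "img" and self._cur is not None:
            self._cur["img"] = True
            self._cur["text"] += a.get("alt", "")  # alt text is all a text-mode reader sees
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def host_of(s):
    # Hostname of a URL or bare domain string; '' if it has none.
    s = s.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def audit_links(html_body):
    """Return (kind, detail) findings: image-only links and text/href host mismatches."""
    p = LinkAuditor()
    p.feed(html_body)
    findings = []
    for l in p.links:
        text, real = l["text"].strip(), host_of(l["href"])
        shown = host_of(text) if ("." in text and " " not in text) else ""  # text that looks like a URL
        if l["img"]:
            findings.append(("image-link", real))
        if shown and shown != real:
            findings.append(("text-href-mismatch", f"{shown} -> {real}"))
    return findings

# Constructed sample modelled on the slide: the whole body is one image wrapped in a link
# to an unrelated address, plus a text link whose label names eBay but points elsewhere.
SAMPLE_HTML = """<html><body>
<a href="http://203.0.113.9/ebay/update"><img src="cid:body" alt="http://www.ebay.com/security"></a>
<a href="http://bad-site.example/help">http://www.ebay.com/help</a>
<a href="https://www.ebay.com/help">Official eBay Help</a>
</body></html>"""
```

Running `audit_links(SAMPLE_HTML)` flags the first two anchors and leaves the genuine help link alone; a mail gateway would quarantine or tag messages with any finding.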
26. What Companies are Doing
AMERICAN EXPRESS - How to Contact American Express about Fraudulent E-Mails
If you receive an e-mail that you believe could be fraudulent, immediately forward it to emailhoax@service.americanexpress.com. Please do not forward the e-mail as an attachment. Please note that any submissions to this email address will result in an auto-generated reply to notify you that we have received your e-mail. If we find it to be fraudulent, we will immediately take appropriate action. For consumers requiring additional assistance, please contact us at Contact American Express
http://www10.americanexpress.com/sif/cda/page/0,1641,21372,00.asp
29. How to Detect Deception
Publish your mail server addresses (to thwart spoofing)
Educate customers (and employees)
Establish online communication protocols
Create a response plan now
Proactively monitor for phishers and fraud
Make yourself a difficult target
http://www.cio.com/archive/090104/phish.html
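The first item above, publishing which servers are allowed to send mail for your domain, is what an SPF TXT record does: a receiving mail server looks up the record and checks the connecting IP against it. The evaluator below is an added example, not from the slides or the cited article; it handles only the ip4, ip6 and all mechanisms (real SPF also has include, a, mx and redirect), and the records, domain and addresses are constructed.

```python
import ipaddress

# Constructed example records for a hypothetical domain (not from the slides).
GOOD_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"  # only the listed servers may send
WEAK_RECORD = "v=spf1 ip4:192.0.2.0/24 +all"                    # "+all" lets any host pass

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate one SPF record against the connecting IP; ip4/ip6/all mechanisms only."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable policy published: receivers cannot detect spoofing
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term
```

The weak record is the common misconfiguration: it lists the real servers but then passes everyone, so a phisher's host gets the same verdict as the company's own.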
30. Prevent Phishing from Fraud Watch
Never click on hyperlinks
Use Anti-SPAM filters
Use Anti-Virus Software
Use personal firewalls
Keep all software updated
Always look for https on sites that ask for “personal information”
Keep computer clean from Spyware
Know fraudulent activity on the Internet
Check your credit report immediately for free!
If unsure, ask!
32. First Phishing – Now Ransomware
A new generation of attack uses the internet for extortion: “ransomware”.
Follow-up to: phishing, pharming attacks
It starts with hijacking or stealing user files and encrypting them (so the user loses access to vital information), then demanding payment in exchange for the decryption key.
So far these attacks are quite rare, but they bring a new dimension to the usage of the internet and a new generation of attacks.
33. Phishing – Variations
“Phishing” = social engineering
– Who: Online scammers, posing as legitimate companies or your new best friend
– Why: They want your sensitive information (credit-card, billing-routing, and Social Security numbers, among others)
“Pharming” = being diverted to a fake/spoofed website
“Spear phishing” = spoofed email that targets emails stolen from a company or organization
34. Phishing and Business Risks
Business Risks: Privacy, Legislative violations, Financial loss, Intellectual capital, Litigation, Public Image/Trust
37. 1st Gen: “Look for stuff…” – Subject contains “Viagra”
2nd Gen: “Look smarter” – Text has “Viagra” & “Unsubscribe”
3rd Gen: “Go for Buzzwords” – Bayesian Filter and Neural Nets
4th Gen: “Mix a Cocktail” – You can’t fool all of the filters all of the time
But threats get more sophisticated
38. Tradeoffs: false positives vs false negatives
Catch more emails, more false positives (FP)
Catch fewer emails, fewer false positives but more false negatives (FN)
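The 3rd-generation “Bayesian filter” of slide 37 and the FP/FN tradeoff of slide 38 can be shown together: a tiny naive-Bayes spam scorer, trained on constructed messages, flags mail whose spam probability clears a threshold, and moving that threshold trades false positives for false negatives. This is an added example written for this page, not from the slides; all messages, names and numbers are constructed.

```python
import math
from collections import Counter

def tokens(text):
    """Lower-cased words with surrounding punctuation stripped."""
    return [t for t in (w.strip(".,!?:;\"'()").lower() for w in text.split()) if t]

def train(spam, ham):
    """Per-word document frequencies with Laplace smoothing, plus the spam prior."""
    sc, hc = Counter(), Counter()
    for m in spam:
        sc.update(set(tokens(m)))
    for m in ham:
        hc.update(set(tokens(m)))
    vocab = set(sc) | set(hc)
    p_spam = {w: (sc[w] + 1) / (len(spam) + 2) for w in vocab}
    p_ham = {w: (hc[w] + 1) / (len(ham) + 2) for w in vocab}
    return p_spam, p_ham, len(spam) / (len(spam) + len(ham))

def spam_probability(model, text):
    """Naive-Bayes posterior P(spam | words); words never seen in training are ignored."""
    p_spam, p_ham, prior = model
    log_odds = math.log(prior / (1 - prior))
    for w in set(tokens(text)):
        if w in p_spam:
            log_odds += math.log(p_spam[w] / p_ham[w])
    return 1 / (1 + math.exp(-log_odds))

def evaluate(model, labelled, threshold):
    """Count (false positives, false negatives) when flagging at probability >= threshold."""
    fp = fn = 0
    for text, is_spam in labelled:
        flagged = spam_probability(model, text) >= threshold
        if flagged and not is_spam:
            fp += 1
        if is_spam and not flagged:
            fn += 1
    return fp, fn

# Constructed training and test messages (not from the slides). "unsubscribe" appears in
# both classes, so unlike a 2nd-generation keyword rule it carries no weight on its own.
SPAM = ["Buy cheap viagra now", "Viagra special offer click here to unsubscribe",
        "You have won a prize claim your prize now", "Cheap meds online click here"]
HAM = ["Meeting moved to 3pm see agenda attached", "Can you review the attached report before the meeting",
       "Lunch tomorrow? Let me know", "Please unsubscribe me from the newsletter list"]
TEST = [("Viagra cheap offer click now", True), ("Agenda for tomorrow's meeting attached", False),
        ("Click here to unsubscribe from the newsletter", False), ("Claim your prize", True)]
MODEL = train(SPAM, HAM)
```

With this data `evaluate(MODEL, TEST, 0.5)` gives (0, 0); lowering the threshold to 0.3 flags the genuine newsletter message (one FP), and raising it to 0.9 lets “Claim your prize” through (one FN).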
39. User Awareness to Avoid Phishing
Caution: African shares $10 million…
Banks never ask for account info in an e-mail
Don’t click on links in suspicious e-mails
Report suspicious e-mails
D-E-L-E-T-E
41. Anti-Phishing Laws
Identity Theft Penalty Enhancement Act
-Aggravated Identity Theft – defined as using a stolen identity to commit other crimes.
-Mandatory sentencing of 2 years.
Anti-Phishing Act of 2005
-Prohibits the use of a website/email to coerce others to divulge their personal information.
-Penalties: 5 years, $250,000 fine.
Effectiveness: Professionals vs. Amateurs
42. Resources
• FTC Identity Theft Website – www.consumer.gov/idtheft
• Anti-Phishing Working Group – www.antiphishing.org
• End ID Theft – www.endidtheft.com