Phishing and Social Engineering
Agenda
- What is Phishing?
- What's at Stake
- Techniques
- Human Tendencies
- Common Targets
- How it Works
Phishing
The most commonly used social engineering technique: masquerading as a trustworthy person or business in an electronic communication in order to obtain personal data and use it for the attacker's own benefit. Personal data is the object of interest: credit card numbers, bank account details, passwords, PINs, etc.
What's at Stake
- Information Privacy (Confidentiality)
- Provision of Services (Availability)
- Data Manipulation (Integrity)
- Company/Personal Reputation
- Personal Accountability
Techniques
- Pretexting: the attacker invents a scenario to persuade the victim to release information, usually over the phone. A classic variant is offering help should a problem occur, then causing the problem, so that the victim calls the attacker for "help".
- Phishing: an e-mail or Web site crafted to give the illusion that it is a legitimate e-mail or Web site; also e-mail that carries malware as an attachment.
- Phone phishing: uses a rogue interactive voice response (IVR) system that mimics the legitimate-sounding phone system of a bank or other institution.
- Trojan horse: malicious software spread by persuasive e-mails asking the recipient to download an attachment that is in fact a virus or a worm.
Human Tendencies
- Authority: we comply with a request from someone in authority.
- Liking: we comply with a request from someone we like.
- Reciprocation: we comply with a request when we are promised or given something of value.
- Consistency: we comply after we have committed to a specific action.
- Social validation: we comply by doing something in line with what others are doing.
- Scarcity: we comply when we believe the object sought is in short supply.
The Art of Deception, Kevin Mitnick & William Simon
Common Targets
- Unaware of the value of information: secretaries, telephone operators, admin assistants, security guards.
- Special privileges: help desk or technical support, system administrators, computer operators.
- Manufacturers/vendors: computer hardware and software manufacturers, voice mail system vendors.
- Special departments: Accounting, Human Resources, Health Care.
The Art of Deception, Kevin Mitnick & William Simon
How it works
1. The hacker sends a fake or spoofed e-mail that appears to come from a trusted company.
2. The e-mail usually instructs the user to log in to verify information and contains a link.
3. The link directs the user's Web browser to a fake Web site operated by the hacker.
4. The fake Web site looks exactly like the company's Web site and requires the user to log in.
5. Any information the user enters into the fake Web site is immediately delivered to the hacker.
Red flags in this sample:
- Unknown sender (Mahamud,, Barjas J)
- Be alert to personal/sensitive information subjects (Aramco Proxy)
- Promise of rewards ("find it useful")
- Prompting the user to take action ("use the below link")
Be Aware!
Actual Phishing Attack Received by Saudi Aramco
Note: this phishing attack was reported and blocked immediately; that early detection protected Saudi Aramco. Please report any suspicious e-mail immediately to anti-spam@aramco.com, contact your CSL, or call 904
Red flags
- E-mail address looks suspicious (info@admin.it)
- Stresses urgency (Account Expire, Reply to message immediately)
- Use of generic e-mail text (Dear Webmail Account User)
- Prompting the user to take action (reset your account, you must reply, activate your account)
- Prompting the user to provide information (user name, password)
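As an added example (not part of the original awareness deck), the following Python script turns the red flags listed above, together with the fake-site link step from "How it works", into a small heuristic scanner that a mail gateway or a help desk could run over a reported message. The trusted domain (example.com), the keyword lists and the two sample messages are constructed assumptions, not data from the deck.

```python
"""Heuristic e-mail red-flag scanner.

Added example, not taken from the awareness deck. It checks one message
against the red flags the deck lists (unknown sender, urgency, generic
greeting, action prompts, requests for credentials, promised rewards) and
against the "How it works" step where the link leads to a fake site.
The trusted-domain set, keyword lists and both sample messages are
constructed for illustration only.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation sends mail and hosts services under this domain.
TRUSTED_DOMAINS = {"example.com"}

URGENCY = ("immediately", "expire", "expires", "expired", "suspended",
           "urgent", "within 24 hours")
GENERIC_GREETING = ("dear webmail account user", "dear user", "dear customer",
                    "dear account holder")
ACTION_PROMPTS = ("reset your account", "activate your account", "you must reply",
                  "verify your account", "use the below link", "click the link below")
CREDENTIAL_WORDS = ("user name", "username", "password", "pin", "credit card")
REWARD_WORDS = ("you have won", "prize", "reward", "bonus")

# Matches <a href="...">text</a>; good enough for the simple HTML in mail bodies.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# A host name appearing in visible link text, e.g. webmail.example.com/login.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.IGNORECASE)


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _host_of_url(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _mentions(text: str, phrases) -> bool:
    """Whole-word match so that 'pin' does not fire on 'shipping'."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def scan_message(msg: dict) -> list[str]:
    """Return the red flags raised by one message (an empty list means none).

    msg keys: "from" (RFC 5322 From header value), "subject", "body" (text or HTML).
    """
    flags = []
    body = msg.get("body", "")
    text = (msg.get("subject", "") + "\n" + re.sub(r"<[^>]+>", " ", body)).lower()

    display_name, addr = parseaddr(msg.get("from", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not _is_trusted(sender_host):
        flags.append(f"unknown sender domain: {sender_host or '<none>'}")
        # Display name borrows the organisation's name while the address is elsewhere.
        org_names = [d.split(".")[0] for d in TRUSTED_DOMAINS]
        if any(n in display_name.lower() for n in org_names):
            flags.append(f"display name {display_name!r} does not match sender address {addr}")

    if _mentions(text, URGENCY):
        flags.append("stresses urgency")
    if _mentions(text, GENERIC_GREETING):
        flags.append("generic greeting")
    if _mentions(text, ACTION_PROMPTS):
        flags.append("prompts user to take action")
    if _mentions(text, CREDENTIAL_WORDS):
        flags.append("asks for credentials or personal data")
    if _mentions(text, REWARD_WORDS):
        flags.append("promises a reward")

    # The fake-Web-site step: visible link text names one host, the href
    # sends the browser to another, or to a host the organisation does not own.
    for href, anchor in LINK_RE.findall(body):
        target = _host_of_url(href)
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", anchor))
        shown_host = shown.group(1).lower() if shown else ""
        if shown_host and shown_host != target:
            flags.append(f"link text shows {shown_host} but points to {target}")
        elif not _is_trusted(target):
            flags.append(f"link to untrusted host {target or '<none>'}")
    return flags


# Constructed sample: the kind of message the red-flag slide describes.
SAMPLE_PHISH = {
    "from": "Example Webmail Admin <info@admin-mail.it>",
    "subject": "Your account will expire",
    "body": (
        "<p>Dear Webmail Account User,</p>"
        "<p>Your mailbox has been suspended. Reply to this message immediately "
        "with your user name and password, or use the below link to reset your "
        'account: <a href="http://203.0.113.5/login">webmail.example.com/login</a></p>'
    ),
}

# Constructed sample: a routine notice from the organisation's own IT desk.
SAMPLE_LEGIT = {
    "from": "IT Service Desk <it@example.com>",
    "subject": "Planned mail server maintenance on Saturday",
    "body": (
        "<p>Hello team,</p><p>The mail servers will be patched on Saturday between "
        "02:00 and 04:00. No action is required. Details are on "
        '<a href="https://intranet.example.com/maintenance">intranet.example.com/maintenance</a>.</p>'
    ),
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, scan_message(msg) or ["no red flags"])
```

Keyword lists like these catch the crude, mass-mailed phishing shown on the slides, not a targeted message written by someone who has read this deck; treat the output as a prompt for a human to look closer and report, not as a verdict.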
Conclusion
Phishing is a real threat. Phishing targets people, who are both the strongest line of defense and the weakest link. IT security awareness, education and training play a major role in defending against phishing attacks. Use sound judgment whenever you handle information. Support phishing detection by staying alert and reporting suspicious messages.
Thank you