
Phishing and Social Engineering

Agenda
- What is Phishing?
- What's at Stake
- Techniques
- Human Tendencies
- Common Targets
- How it Works
- Warning Signs of an Attack
- Phishing Activity Statistics
- Protection Methods
- Conclusion

Phishing
- The most commonly used social engineering technique.
- Masquerading as a trustworthy person or business in an electronic communication in order to obtain personal data and use it for the attacker's own benefit.
- Personal data is the object of interest: credit card numbers, bank account details, passwords, PIN numbers, etc.

What's at Stake
- Information Privacy (Confidentiality)
- Provision of Services (Availability)
- Data Manipulation (Integrity)
- Company/Personal Reputation
- Personal Accountability

Techniques
- Pretexting: the attacker creates a scenario to persuade the victim to release information; usually done over the phone. Example: offering help if a problem occurs, then making the problem occur, thereby manipulating the victim into calling the attacker for help.
- Phishing: an e-mail or Web site sent to a victim to give the illusion that it is a legitimate e-mail or Web site; also sending an e-mail with a virus as an attachment.
- Phone Phishing: uses a rogue interactive voice response system to recreate a legitimate-sounding copy of a bank's or other institution's system.
- Trojan Horse: used to spread malicious software to users through persuasive e-mails asking them to download an attachment which is in fact a virus or a worm.

Human Tendencies
- Authority: comply with a request from someone in authority.
- Liking: comply with a request from someone we like.
- Reciprocation: comply with a request when we are promised or given something of value.
- Consistency: comply after we have committed to a specific action.
- Social Validation: comply by doing something in line with what others are doing.
- Scarcity: comply when we believe the object sought is in short supply.
The Art of Deception, Kevin Mitnick & William Simon

Common Targets
- Unaware of the value of information: secretaries, telephone operators, admin assistants, security guards.
- Special privileges: help desk or technical support, system admins, computer operators.
- Manufacturer/Vendor: computer hardware/software manufacturers, voice mail system vendors.
- Special departments: Accounting, Human Resources, Health Care.
The Art of Deception, Kevin Mitnick & William Simon

How it works
1. The hacker sends a fake or spoofed e-mail that appears to be from a trusted company.
2. The e-mail usually instructs the user to log in to verify information and contains a link.
3. The link in the e-mail directs the user's Web browser to a fake Web site operated by the hacker.
4. The fake Web site looks exactly like the company's Web site and requires the user to log in.
5. Any information that the user enters into the fake Web site is immediately delivered to the hacker.

Warning Signs of an Attack
- Refusal to give a contact number
- Promise of rewards
- Out-of-the-ordinary request
- Claim of authority
- Stresses urgency
- Threatens negative consequences of non-cooperation
- Shows discomfort when questioned
- Name dropping
- Flattering compliments
- Flirting

The Art of Deception, Kevin Mitnick & William Simon

Example of a potential threat
[Screenshot: a recent social engineering test conducted by the Information Protection Management Division, with the red flags numbered on the message.]

Recognize a Phishing attempt
1. Unknown sender. (Mahamud, Barjas J)
2. Be alert to personal/sensitive information subjects. (Aramco Proxy)
3. Promise of rewards. (find it useful)
4. Prompting the user to take action. (use the below link)

Never click on the links. (www.proxyanywhere.com/proxyunlocker)

Be Aware!
Actual phishing attack received by Saudi Aramco
[Screenshot: the phishing e-mail with its red flags numbered 1 to 7.]

Note: This phishing attack was reported and blocked immediately. This early detection protected Saudi Aramco. Please immediately report any suspicious emails to anti-spam@aramco.com or contact your CSL, or call 904

Recognize a Phishing attempt
1. E-mail address looks suspicious. (info@admin.it)
2. Stresses urgency. (Account Expire, Reply to message immediately)
3. Use of generic e-mail text. (Dear Webmail Account User)
4. Claim of authority. (Webmail admin, System Administrator)
5. Threatens negative consequences of non-cooperation. (becomes too large ... unable to receive new email)
6. Prompting the user to take action. (reset your account, you must reply, activate your account)
7. Prompting the user to provide information. (user name, password)
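The red flags from both "Recognize a Phishing attempt" slides can be checked mechanically. The following is an added example, not part of the original deck: a small Python scorer that runs simple pattern rules over a constructed message modelled on the webmail phish above. The rules, the sample message and the trusted-domain list (example.com) are assumptions for illustration, not a production filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message modelled on the red flags listed in the deck:
# generic greeting, urgency, claim of authority, threat, call to action,
# request for credentials, and a sender domain unrelated to the organisation.
SAMPLE_EMAIL = """\
From: Webmail Admin <info@admin.it>
To: user@example.com
Subject: Your Account Will Expire - Reply Immediately

Dear Webmail Account User,

Your mailbox has become too large and you will be unable to receive new
email. To activate your account you must reply with your user name and
password within 24 hours, or your account will be deactivated.

System Administrator
"""

# Each rule is (label, regex). The patterns are deliberately simple and are
# an assumed starting point for an awareness demo, not a tuned spam filter.
RED_FLAG_RULES = [
    ("generic greeting", r"dear (valued )?(webmail |email )?(account )?(user|customer)"),
    ("stresses urgency", r"\b(immediately|urgent|within \d+ hours|expire)"),
    ("claim of authority", r"\b(system administrator|webmail admin|it department)\b"),
    ("threatens consequences", r"\b(unable to receive|deactivated|suspended|closed)\b"),
    ("prompts action", r"\b(reply|activate|reset|verify|click)\b"),
    ("requests credentials", r"\b(user ?name|password|pin|credit card)\b"),
]

def red_flags(raw_message: str, trusted_domains=("example.com",)) -> list[str]:
    """Return the list of red-flag labels found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = [label for label, pat in RED_FLAG_RULES if re.search(pat, text)]
    # Sender check: a From address outside the organisation's own domains
    # is itself a red flag (the deck's "e-mail address looks suspicious").
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in trusted_domains:
        flags.append(f"sender domain {domain} is not trusted")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EMAIL):
        print("-", flag)
```

Run as a script it lists all seven flags for the sample; a benign internal notice from a trusted domain yields an empty list.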

Phishing Attack Prevention
- Don't click on links within e-mails asking for your personal or financial information.
- Contact the organization using a phone number you know to be genuine, or open a new browser window and type in the company's official Web site address.
- Use anti-virus software and a personal firewall, and keep them up to date.
- Report any phishing or suspicious activities: attach phishing e-mails or Web sites and send them to the Anti Spam Group (antispam@aramco.com).

Conclusion
- Phishing is a threat.
- Phishing targets people: the strongest line of defense, but also the weakest link.
- IT security awareness, education and training play a major role in defending against phishing attacks.
- Use sound judgment when you deal with information at all times.
- Support phishing detection by being aware and reporting it.

Thank you
