CSCD 303 Essential Computer Security Fall 2017

Transcription

1 CSCD 303 Essential Computer Security Fall 2017 Lecture 11a - Social Engineering1 Phishing Reading: Chapter 6

2 Overview Social Engineering Defined Humans as vulnerabilities Phishing What is it? What does it accomplish How to recognize it? Solutions to Phishing

3 Social Engineering Social Engineering Manipulating or tricking people into divulging private information as opposed to using technical hacking techniques Or, getting them to use unauthorized devices to compromise themselves Using people as vulnerabilities into systems

4 Test Case of Human Vulnerabilities June 2011, Bloomberg published the results of a test conducted by the U.S. Depart. of Homeland Security To assess the government s vulnerability to unauthorized system access, DHS dropped disks and USB drives in parking lots of government agencies and private contractors What do you think happened?

5 Test Case of Human Vulnerabilities Results 60 % of workers who found devices plugged them into their office computers When device was imprinted with an official logo, number of installations on office machines skyrocketed to 90 %

6 The Individual User Users Represent the largest installed base Completely lack standards Cannot be controlled centrally (or otherwise) Are only predictable in their unpredictability Cannot be redesigned Are all of us!!!

7 What Exactly is Phishing? Define Phishing

8 Phishing Scams Defined Phishing is a type of deception designed to steal your personal data, such as credit card numbers, passwords, account data, or other information Con artists might send millions of fraudulent messages that appear to come from Web sites you trust Like your bank or credit card company, and request that you provide personal information.

9 More Phishing Definitions Spear Phishing a phishing scam that targets a specific audience Example: Kansas Statue University and is sent to K-State addresses Scareware - Tries to trick you into responding by using shock, anxiety or threats Reply with your password now or we ll shut down your account tomorrow

10 Spear-Phishing: Improved Target Selection Socially aware attacks Mine social relationships from public data Phishing appears to arrive from someone known Use spoofed identity of trusted organization to gain trust Urge victims to update or validate their account Threaten to terminate the account if the victims not reply Use gift or bonus as a bait Context-aware attacks Your bid on ebay has won! The books on your Amazon wish list are on sale!

11 Phishing Becoming more Sophisticed Targeting Your Organization Spear-phishing targets specific groups or individuals Type 1 Uses info about your organization General Patton is retiring next week, click here to say whether you can attend his retirement party

12 Phishing Targeting Your Organization Around 40% of people in experiments at CMU would fall for s like this (control condition)

13 Phishing Increasing in Sophistication Targeting You Specifically Type 2 Uses info specifically about you Social Phishing Might use information from social networking sites, corporate directories, or publicly available data Ex. Fake from friends or co-workers Ex. Fake videos of you and your friends

14 Phishing Increasing in Sophistication Targeting You Specifically Here s a video I took of your poster presentation.

15 Another Example:

16 But wait WHOIS : Location: Korea, Republic Of Even bigger problem: I don t have an account with US Bank!

17 Spear Phishing Example KSU.edu 17

18 Spear Phishing Example KSU.edu 18

19 Scareware Example 19

20 Scareware Example 20

21 Another Scareware Example 21

22 Another Scareware Example 22

23 Spear phishing scam received by K-Staters, January 2010 If you clicked on the link 23

24 Malicious link in scam took you to an exact replica of K-State s single sign-on web page, hosted on a server in the Netherlands, that steals ID and password if they enter it and click Sign in Clicking on Sign in then took user to K-State s home page Note the URL flushandfloose.nl, which is obviously not k-state.edu 24

25 Fake SSO web page site not secure (http, not https) and hosted in the Netherlands (.nl) Real SSO web page note https 25

26 Fake SSO web page Real SSO web page Use the eid verification badge to validate 26

27 Result of clicking on eid verification badge on the fake SSO web site, or any site that is not authorized to use the eid and password 27

28 Result of clicking on eid verification badge on a legitimate K-State web site that is authorized to use the eid and password for authentication 28

29 Real K-State Federal Credit Unionweb site Fake K-State Federal Credit Union web site used in spear phishing scam 29

30 History of Phishing Phreaking + Fishing = Phishing Phreaking = making phone calls for free back in 70 s Fishing = Use bait to lure the target Phishing in 1995 Target: AOL users Purpose: getting account passwords for free time Threat level: low Techniques: Similar names ( for ), social engineering Phishing in 2001 Target: Ebayers and major banks Purpose: Getting credit card numbers, accounts Threat level: medium Techniques: Same in 1995, keylogger Phishing in 2007 Target: Paypal, banks, ebay Purpose: bank accounts Threat level: high Techniques: browser vulnerabilities, link obfuscation

31 A bad day phishin, beats a good day workin Anti-phishing Working Group ishing.org/ 2,000,000 s are sent 5% get to the end user 100,000 (APWG) 5% click on the phishing link 5,000 (APWG) 2% enter data into the phishing site 100 (Gartner) $1,200 from each person who enters data (FTC) Potential reward: $120,000 In 2005, David Levi made over $360,000 from 160 people using an ebay Phishing scam

32 How Bad Is Phishing? Consumer Perspective Estimated ~0.5% of Internet users per year fall for phishing attacks Conservative $1B+ direct losses a year to consumers Bank accounts, credit card fraud Doesn t include time wasted on recovery of funds, restoring computers, emotional uncertainty Growth rate of phishing 30k+ reported unique s / month 45k+ reported unique sites / month Social networking sites now major targets

33 How Bad Is Phishing? Perspective of Corporations Direct damage Loss of sensitive customer data Loss of intellectual property

34 Why Do People Fall for Phishing? Phishing has been around for years How come people still fall for it?

35 Research on Phishing Carnegie Mellon University Interviewed 40 Internet users including 35 non-experts Conducted Mental models interviews Mental models included role play and open ended questions in 2006 Reference: J Downs, M. Holbrook, and L. Cranor Decision Strategies and Susceptibility to Phishing. In Proc. of the 2006 Symposium On Usable Privacy and Security

36 Research on Phishing Carnegie Mellon University Only 50% knew the meaning of the term Phishing 85% were aware of the lock icon Only 40% knew it was supposed to be there Only 35% had noticed the https and knew what it means Only 55% noticed an unexpected or strange URL Only 55% reported being cautious when asked for sensitive financial info Few reported being suspicious of being asked for passwords was in 2006 Do you think there would be the same stats today?

37 Research on Phishing Carnegie Mellon University Naïve Evaluation Strategies Most strategies didn't help people in identifying phishing This appears to be for me It's normal to hear from companies you do business with Reputable companies will send s Knowledge of some scams didn't help identify other scams

38 Determining Fraud and Protection Measures

39 Today's Solutions Not so Successful Anti-phishing filters that rely on blacklists and whitelists Usually not up to date and there are many false positives Training Websites and posters help some Spam Filters Don't tend to catch phishing, s look legitimate

40 More Successful Solutions Two Research Based Filters, CMU Pilfer Cantina Pilfer Looks at other features than text Number of domains linked to Links in to other than the main domain Cantina Uses Content based approach Creates a fingerprint of a web page Sends fingerprint to search engine Sees if web page is in search results If yes, then legitimate

41 Detecting Phishing Web Sites Industry uses blacklists to label phishing sites But blacklists slow to new attacks Idea: Use search engines Scammers often directly copy web pages But fake pages should have low PageRank on search engines Generate text-based fingerprint of web page keywords and send to a search engine Y. Zhang, S. Egelman, L. Cranor, and J. Hong Phinding Phish: Evaluating AntiPhishing Tools. In NDSS Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.

42 Human Training Following slides provide common advice for identifying phishing or fraudulent s...

43 Human Training How To Tell If An Message is Fraudulent Look at few phrases to look for if you think an message is phishing scam "Verify your account" Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through If you receive an from anyone asking you to update your credit card information, do not respond: This is a phishing scam "If you don't respond within 48 hours, your account will be closed."these messages convey a sense of urgency so that you'll respond immediately without thinking

44 Human Training How To Tell If An Message is Fraudulent "Dear Valued Customer." Phishing messages are usually sent out in bulk and often do not contain your first or last name "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site. Resting mouse pointer on link reveals the real Web address String of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.

45 Human Training How To Tell If An Message is Fraudulent Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL " could appear instead as:

46 Human Training How To Tell If An Message is Fraudulent Never respond to an asking for personal information Always check the site to see if it is secure. Call the phone number if necessary Never click on the link on the . Retype the address in a new window Keep your browser updated Keep antivirus definitions updated Use a firewall P.S: Always shred your home documents before discarding them.

47 Human Training Anti-Phishing Games Ok, traditional training doesn't work but.. People like to play games Teach using a game Results have shown that More people willing to play game than read People are better at identifying phishing after playing the game Best known is Anti-phishing Phil from CMU

48 Anti-Phishing Phil A micro-game to teach people not to fall for phish PhishGuru about , this game about web browser Also based on learning science principles You will get to Try the game! S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In SOUPS 2007, Pittsburgh, PA, 2007.

49 Anti-Phishing Phil

50

51

52 Evaluation of PhishGuru Is embedded training effective? Study 1: Lab study, 30 participants Study 2: Lab study, 42 participants Study 3: Field trial at company, ~300 participants Study 4: Field trial at CMU, ~500 participants Studies showed significant decrease in falling for phish and ability to retain what they learned P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training System. CHI P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. ecrime 2007.

53 Anti-Phishing Phil: Study Novices showed most improvement in false negatives (calling phish legitimate)

54 Anti-Phishing Phil: Study 2 Improvement all around for false positives

55 Summary Wikipedia has a nice page on phishing Phishing continues to plague Internet Seriously affects consumers, businesses, governments Criminals getting more sophisticated End-users can be trained, but only if done right PhishGuru embedded training uses simulated phishing Anti-Phishing Phil and Anti-Phishing Phyllis micro-games Phishing at HoaxSlayer Nice set of fishing examples with explanations Can try PhishGuru, Phil, and Phyllis at:

56 The End New Assignment is up!!!

57

58

59 Social Engineering Social Engineering Manipulating or tricking people into divulging private information as opposed to using technical hacking techniques Or, getting them to use unauthorized devices to compromise themselves Using people as vulnerabilities into systems 3

60 Test Case of Human Vulnerabilities June 2011, Bloomberg published the results of a test conducted by the U.S. Depart. of Homeland Security To assess the government s vulnerability to unauthorized system access, DHS dropped disks and USB drives in parking lots of government agencies and private contractors What do you think happened? 4

61 Test Case of Human Vulnerabilities Results 60 % of workers who found devices plugged them into their office computers When device was imprinted with an official logo, number of installations on office machines skyrocketed to 90 % cybersecurity-humans.htm

62 The Individual User Users Represent the largest installed base Completely lack standards Cannot be controlled centrally (or otherwise) Are only predictable in their unpredictability Cannot be redesigned Are all of us!!! 6

63 What Exactly is Phishing? Define Phishing 7

64 Phishing Scams Defined Phishing is a type of deception designed to steal your personal data, such as credit card numbers, passwords, account data, or other information Con artists might send millions of fraudulent messages that appear to come from Web sites you trust Like your bank or credit card company, and request that you provide personal information. 8 8

65 More Phishing Definitions Spear Phishing a phishing scam that targets a specific audience Example: Kansas Statue University and is sent to K-State addresses Scareware - Tries to trick you into responding by using shock, anxiety or threats Reply with your password now or we ll shut down your account tomorrow 9

66 Spear-Phishing: Improved Target Selection Socially aware attacks Mine social relationships from public data Phishing appears to arrive from someone known Use spoofed identity of trusted organization to gain trust Urge victims to update or validate their account Threaten to terminate the account if the victims not reply Use gift or bonus as a bait Context-aware attacks Your bid on ebay has won! The books on your Amazon wish list are on sale! 10 10

67 Phishing Becoming more Sophisticed Targeting Your Organization Spear-phishing targets specific groups or individuals Type 1 Uses info about your organization General Patton is retiring next week, click here to say whether you can attend his retirement party 11

68 Phishing Targeting Your Organization Around 40% of people in experiments at CMU would fall for s like this (control condition) 12

69 Phishing Increasing in Sophistication Targeting You Specifically Type 2 Uses info specifically about you Social Phishing Might use information from social networking sites, corporate directories, or publicly available data Ex. Fake from friends or co-workers Ex. Fake videos of you and your friends 13

70 Phishing Increasing in Sophistication Targeting You Specifically Click to add an outline Here s a video I took of your poster presentation. 14

71 Another Example: 15 15

72 But wait WHOIS : Location: Korea, Republic Of Even bigger problem: I don t have an account with US Bank! 16 Images from Anti-Phishing Working Group s Phishing Archive 16

73 Spear Phishing Example KSU.edu

74 Spear Phishing Example KSU.edu

75 Scareware Example 19 19

76 Scareware Example 20 20

77 Another Scareware Example 21 21

78 Another Scareware Example 22 22

79 Spear phishing scam received by K-Staters, January 2010 If you clicked on the link 23 23

80 Malicious link in scam took you to an exact replica of K-State s single sign-on web page, hosted on a server in the Netherlands, that steals ID and password if they enter it and click Sign in Clicking on Sign in then took user to K-State s home page Note the URL flushandfloose.nl, which is obviously not k-state.edu 24 24

81 Fake SSO web page site not secure (http, not https) and hosted in the Netherlands (.nl) Real SSO web page note https 25 25

82 Fake SSO web page Real SSO web page Use the eid verification badge to validate 26 26

83 Result of clicking on eid verification badge on the fake SSO web site, or any site that is not authorized to use the eid and password

84 Result of clicking on eid verification badge on a legitimate K-State web site that is authorized to use the eid and password for authentication

85 Real K-State Federal Credit Unionweb site Fake K-State Federal Credit Union web site used in spear phishing scam 29 29

86 History of Phishing Phreaking + Fishing = Phishing Phreaking = making phone calls for free back in 70 s Fishing = Use bait to lure the target Phishing in 1995 Target: AOL users Purpose: getting account passwords for free time Threat level: low Techniques: Similar names ( for ), social engineering Phishing in 2001 Target: Ebayers and major banks Purpose: Getting credit card numbers, accounts Threat level: medium Techniques: Same in 1995, keylogger Phishing in 2007 Target: Paypal, banks, ebay Purpose: bank accounts Threat level: high Techniques: browser vulnerabilities, link obfuscation 30 30

87 A bad day phishin, beats a good day workin Anti-phishing Working Group ishing.org/ 2,000,000 s are sent 5% get to the end user 100,000 (APWG) 5% click on the phishing link 5,000 (APWG) 2% enter data into the phishing site 100 (Gartner) $1,200 from each person who enters data (FTC) Potential reward: $120,000 In 2005, David Levi made over $360,000 from 160 people using an ebay Phishing scam 31 31

88 How Bad Is Phishing? Consumer Perspective Estimated ~0.5% of Internet users per year fall for phishing attacks Conservative $1B+ direct losses a year to consumers Bank accounts, credit card fraud Doesn t include time wasted on recovery of funds, restoring computers, emotional uncertainty Growth rate of phishing 30k+ reported unique s / month 45k+ reported unique sites / month Social networking sites now major targets billion

89 How Bad Is Phishing? Perspective of Corporations Direct damage Loss of sensitive customer data Loss of intellectual property billion

90 Why Do People Fall for Phishing? Phishing has been around for years How come people still fall for it? 34

91 Research on Phishing Carnegie Mellon University Interviewed 40 Internet users including 35 non-experts Conducted Mental models interviews Mental models included role play and open ended questions in 2006 Reference: J Downs, M. Holbrook, and L. Cranor Decision Strategies and Susceptibility to Phishing. In Proc. of the 2006 Symposium On Usable Privacy and Security 35

92 Research on Phishing Carnegie Mellon University Only 50% knew the meaning of the term Phishing 85% were aware of the lock icon Only 40% knew it was supposed to be there Only 35% had noticed the https and knew what it means Only 55% noticed an unexpected or strange URL Only 55% reported being cautious when asked for sensitive financial info Few reported being suspicious of being asked for passwords was in 2006 Do you think there would be the same stats today? 36

93 Research on Phishing Carnegie Mellon University Naïve Evaluation Strategies Most strategies didn't help people in identifying phishing This appears to be for me It's normal to hear from companies you do business with Reputable companies will send s Knowledge of some scams didn't help identify other scams 37

94 Determining Fraud and Protection Measures 38

95 Today's Solutions Not so Successful Anti-phishing filters that rely on blacklists and whitelists Usually not up to date and there are many false positives Training Websites and posters help some Spam Filters Don't tend to catch phishing, s look legitimate 39

96 More Successful Solutions Two Research Based Filters, CMU Pilfer Cantina Pilfer Looks at other features than text Number of domains linked to Links in to other than the main domain Cantina Uses Content based approach Creates a fingerprint of a web page Sends fingerprint to search engine Sees if web page is in search results 40 If yes, then legitimate

97 Detecting Phishing Web Sites Industry uses blacklists to label phishing sites But blacklists slow to new attacks Idea: Use search engines Scammers often directly copy web pages But fake pages should have low PageRank on search engines Generate text-based fingerprint of web page keywords and send to a search engine Y. Zhang, S. Egelman, L. Cranor, and J. Hong Phinding Phish: Evaluating AntiPhishing Tools. In NDSS Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW G. Xiang and J. Hong. A Hybrid Phish Detection Approach by 41 Identity Discovery and Keywords Retrieval. In WWW 2009.

98 Human Training Following slides provide common advice for identifying phishing or fraudulent s... 42

99 Human Training How To Tell If An Message is Fraudulent Look at few phrases to look for if you think an message is phishing scam "Verify your account" Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through If you receive an from anyone asking you to update your credit card information, do not respond: This is a phishing scam "If you don't respond within 48 hours, your account will be closed."these messages convey a sense of urgency so that you'll respond immediately without thinking 43 43

100 Human Training How To Tell If An Message is Fraudulent "Dear Valued Customer." Phishing messages are usually sent out in bulk and often do not contain your first or last name "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site. Resting mouse pointer on link reveals the real Web address String of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign

101 Human Training How To Tell If An Message is Fraudulent Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL " could appear instead as:

102 Human Training How To Tell If An Message is Fraudulent Never respond to an asking for personal information Always check the site to see if it is secure. Call the phone number if necessary Never click on the link on the . Retype the address in a new window Keep your browser updated Keep antivirus definitions updated Use a firewall P.S: Always shred your home documents before discarding them

103 Human Training Anti-Phishing Games Ok, traditional training doesn't work but.. People like to play games Teach using a game Results have shown that More people willing to play game than read People are better at identifying phishing after playing the game Best known is Anti-phishing Phil from CMU 47

104 Anti-Phishing Phil A micro-game to teach people not to fall for phish PhishGuru about , this game about web browser Also based on learning science principles You will get to Try the game! S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In SOUPS 2007, Pittsburgh, PA, S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.

105 Anti-Phishing Phil Click to add an outline 49

106 Click to add title 50

107 51

108 Evaluation of PhishGuru Is embedded training effective? Study 1: Lab study, 30 participants Study 2: Lab study, 42 participants Study 3: Field trial at company, ~300 participants Study 4: Field trial at CMU, ~500 participants Studies showed significant decrease in falling for phish and ability to retain what they learned P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training System. CHI P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. ecrime P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training System. CHI P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. ecrime 2007.

109 Anti-Phishing Phil: Study Novices showed most improvement in false negatives (calling phish legitimate) 53

110 Anti-Phishing Phil: Study 2 54 Improvement all around for false positives

111 Summary Wikipedia has a nice page on phishing Phishing continues to plague Internet Seriously affects consumers, businesses, governments Criminals getting more sophisticated End-users can be trained, but only if done right PhishGuru embedded training uses simulated phishing Anti-Phishing Phil and Anti-Phishing Phyllis micro-games Phishing at HoaxSlayer Nice set of fishing examples with explanations Can try PhishGuru, Phil, and Phyllis at: 55

112