Phishing. Eugene Davis UAH Information Security Club April 11, 2013

Similar documents
Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

Cyber Security Guide for NHSmail

DoD Spear-Phishing Awareness Training. Joint Task Force - Global Network Operations

IT Security Protecting Ourselves From Phishing Attempts. Ray Copeland Chief Information Officer (CIO)

FAQ. Usually appear to be sent from official address

Online Threats. This include human using them!

HIPAA COW Healthcare IT Networking Group Co-Chairs. Scott Vaughan. Brad Candell. Sauk Prairie Healthcare. Group Health Cooperative of Eau Claire

Spam Protection Guide

CE Advanced Network Security Phishing I

Employee Security Awareness Training

PROTECTING YOUR BUSINESS ASSETS

How Enterprise Tackles Phishing. Nelson Yuen Technology Manager, Cybersecurity Microsoft Hong Kong

Phishing Read Behind The Lines

CHAPTER 8 SECURING INFORMATION SYSTEMS

Security and Privacy. Xin Liu Computer Science University of California, Davis. Introduction 1-1

Phishing in the Age of SaaS

Webomania Solutions Pvt. Ltd. 2017

Troubleshooting and Cyber Protection Josh Wheeler

Introduction. Logging in. WebQuarantine User Guide

Incident Play Book: Phishing

Security Awareness. Chapter 2 Personal Security

ELECTRONIC BANKING & ONLINE AUTHENTICATION

Deep Sea Phishing: Examples & Countermeasures

Security. The DynaSis Education Series for C-Level Executives

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

CTS2134 Introduction to Networking. Module 08: Network Security

Robust Defenses for Cross-Site Request Forgery Review

Security & Phishing

Personal Cybersecurity

How Cyber-Criminals Steal and Profit from your Data

3.5 SECURITY. How can you reduce the risk of getting a virus?

How Breaches Really Happen

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Robust Defenses for Cross-Site Request Forgery

Train employees to avoid inadvertent cyber security breaches

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

Introduction. Logging in. WebMail User Guide

Create strong passwords

Quick recap on ing Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page

SSAC Public Meeting Paris. 24 June 2008

Online Security and Safety Protect Your Computer - and Yourself!

South Central Power Stop Scams

Phishing. What do phishing s do?

P2_L12 Web Security Page 1

2 User Guide. Contents

NOT PROTECTIVELY MARKED PHISHING. July 2016

How to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect

Phishing: What is it?

Bank of america report phishing

Governance Ideas Exchange

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

How to recognize phishing s

IMPORTANT SECURITY CHANGES LOGGING ON. We are replacing the existing enhanced authentication.

Fighting Phishing I: Get phish or die tryin.

Phishing Attacks. Mendel Rosenblum. CS142 Lecture Notes - Phishing Attack

Protecting from Attack in Office 365

Unique Phishing Attacks (2008 vs in thousands)

Target Breach Overview

Your security on click Jobs

Security Using Digital Signatures & Encryption

Does Windows 10 Have Privacy Issues? February 11, Joel Ewing

Machine-Powered Learning for People-Centered Security

Chapter 12. Information Security Management

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

SOCIAL NETWORKING'S EFFECT ON BUSINESS SECURITY CONTROLS

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

41% Opens. 73% Clicks. 35% Submits Sent

Office 365 Buyers Guide: Best Practices for Securing Office 365

Best Practices Guide to Electronic Banking

Staying Safe on the Internet. Mark Schulman

UNO IT NEWSLETTER. University of New Orleans Information Technology

A Review Paper on Network Security Attacks and Defences

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

IT Security Update on Practical Risk Mitigation Strategies

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

Cyber Security Guide. For Politicians and Political Parties

Introduction to Information Security Dr. Rick Jerz

Symantec Protection Suite Add-On for Hosted Security

CYBER SECURITY RESOURCE GUIDE. Cyber Fraud Overview. Best Practices and Resources. Quick Reference Guide for Employees. Cyber Security Checklist

Anatomy of Phishing Campaigns: A Gmail Perspective

Social Engineering (SE)

IT Security Update on Practical Risk Mitigation Strategies

Frauds & Scams. Why is the Internet so attractive to scam artists? 2006 Internet Fraud Trends. Fake Checks. Nigerian Scam

Secure web proxy resistant to probing attacks

But it Was Such a Little Phish February 2016 Webinar

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

WHITEPAPER. Protecting Against Account Takeover Based Attacks

Layer by Layer: Protecting from Attack in Office 365

IT & DATA SECURITY BREACH PREVENTION

Who We Are! Natalie Timpone

Basic Concepts in Intrusion Detection

New Zealand National Cyber Security Centre Incident Summary

Panda Security 2010 Page 1

Phishing: When is the Enemy

C1: Define Security Requirements

Online Scams. Ready to get started? Click on the green button to continue.

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Security Protection

Trustwave SEG Cloud BEC Fraud Detection Basics

Transcription:

Phishing Eugene Davis UAH Information Security Club April 11, 2013

Overview A social engineering attack in which the attacker impersonates a trusted entity Attacker attempts to retrieve privileged information by exploiting that trust Commonly includes credit cards Also may include credentials like username or password Can in fact be any information the attacker needs Eugene Davis 2 of 24

Email Phishing Common form of phishing As easy as sending spam mail Since email has no inherent security, forging the headers to appear from the trusted entity is easy Oftentimes the attacker purports to be a bank, Paypal, Facebook or other common service Even bank employees have fallen for bank related phishing Eugene Davis 3 of 24

Email Phishing The increase of HTML email makes it even easier to phish Images embedded in an email avoid filters In some cases, might only be an image HTML code allows the attacker to make a link that appears legitimate but points elsewhere Since it looks attractive, people are often more trusting Eugene Davis 4 of 24

Website Forgery One of the common mechanisms to exploit a victim is to forge a website Make a site that looks like a legitimate site but is at a different (but similar) address http://faceb00k.com Anything the victim enters is compromised It may also deliver malware Eugene Davis 5 of 24

Phone Phishing Requires more effort than email phishing Likely to succeed if attacker has confidence Most people simply trust phones more than electronic means Studies have shown medical facilities will often reveal information to callers who sound legitimate Tends to target organizations rather than individuals Eugene Davis 6 of 24

Spear Phishing Targeted phishing Attackers learn details about victims to make themselves seem more trustworthy Generally target high profile individuals who make the extra effort worthwhile Increasing trend as people slowly become educated about phishing Eugene Davis 7 of 24

Evil Twin Creating a wireless access point that appears to be legitimate but can be spied on All data sent over the wireless network can then be read by attacker Includes credentials to common sites like Facebook In cases of truly foolish people, may even include banking passwords Eugene Davis 8 of 24

Defense - Training As usual, user education is key Users should be trained not to click on links in email Rather emails should refer them to a known trusted location This prevents the user from being sent to a fake site Users should not trust that unexpected emails are legitimate Eugene Davis 9 of 24

Defense - Training Verify incoming messages through alternate channels If called, call back to a known number (like from the phone book) to verify it is a legitimate call Emails always need to be verified by an alternate channel Perform random tests on employees to see if they fall for phishing Eugene Davis 10 of 24

Defenses - Policy Policies should exist as to what is sent or requested in emails Credentials should never be sent via email Links should never be sent By communicating what to expect in emails, user training is effective This means that I.T. must always follow its policy, or undo user training Eugene Davis 11 of 24

Defenses - Technology Filtering phishing attempts is a trade off between the false accept rate and insult (incorrect rejections) rate Filters on emails are a first defense, preventing obvious phishing attempts Scan content for suspicious messages Look for image-only emails Check for suspicious links Eugene Davis 12 of 24

Defenses - Technology Email signatures (using OpenPGP) give assurances as to the original sender Depends upon the sender not leaking their key Use caller I.D. to spot suspicious numbers This should only be a first line, an attacker can spoof this No technology works as well as good user education Eugene Davis 13 of 24

Case Study Health Survey First Email An organization sends out an email from a generic email address States that a health survey (one which will ask about personally identifiable information) will be sent to random people Provides contact information that can be used to verify the email in the form of a phone number Eugene Davis 14 of 24

Case Study Health Survey Second Email Later in the week, the second email is sent out This email is from a different domain (and user) than the first email It links to a survey form on an external site This external site has no well known affiliation with the original organization Uses HTML to provide a clickable link Eugene Davis 15 of 24

Case Study Health Survey Second Email This second email contains the original contact and phone number Also contains a new, organizational email This email does not appear on the organization website No further alternative channels were offered Eugene Davis 16 of 24

Case Study Health Survey What suggests this is a phishing attempt? Eugene Davis 17 of 24

Case Study Health Survey Phishing Attempt Attacker looking to gather personal information sends out the first email with a forged sender Provides contact information for someone known to be out of town Lowers defenses of people who might distrust a random email asking for this information Second email is from a legitimate account from a different domain First email may have even been legitimate Eugene Davis 18 of 24

Case Study Health Survey Phishing Attempt Link points to a malicious site Sends back survey results to the attacker Infects the victim with malware Because users are not trained to resist it, many of them respond and fill out the survey Attacker is able to identify individuals Finds out secrets that can be used to blackmail some users Eugene Davis 19 of 24

Case Study Health Survey Assume that the emails are legitimate. What problems does this suggest about the organizational policy? Eugene Davis 20 of 24

Case Study Health Survey Policy Defects The organization is training users to trust emails sent without verifying them The organization is training users to follow links in emails The organization should not have sent out an email warning about the survey An attacker may take advantage of the first email to send out a phishing email Eugene Davis 21 of 24

Summary Phishing is the attempt to trick users into giving away information Phishing is often done over email, sometimes with a website as well, but can also be done over phone The best defense against phishing is to have strong user education and have a strong policy in place for what to send in emails Eugene Davis 22 of 24

References Security Engineering by Ross Anderson Counterhack Reloaded by Ed Skoudis Eugene Davis 23 of 24

License This content is available under the Creative Commons Attribution NonCommercial ShareAlike 3.0 United States License Eugene Davis 24 of 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback