Protection against email phishing, identity theft and associated countermeasures.

Transcript of "Email phishing and countermeasures"

  1. Email Phishing and Countermeasures. Email Security. jorge.sebastiao@its.ws
  2. May 2006 – Veterans Administration laptop with personal information on 26.5M veterans is stolen. “Total losses could top $500M.” – VA Secretary Nicholson.
     Jan 2007 – Hackers stole data from at least 45.7 million credit and debit cards at retailer T.J.Maxx; total costs could exceed $1.0B.
     May 2006 – CIO, CSO fired: Ohio University, 137,000 student accounts compromised.
  3. Why Does This Happen? (diagram labels: Firewall, IDS, Anti-Virus, Attack)
  4. ATM is also a type of Phishing
  5. Can you spot a “Social Engineer”? Phishing is Social Engineering.
  6. Social Engineering. What is Social Engineering? “An attempt to influence a person into granting unauthorized access, unauthorized use or unauthorized disclosure of an information system, network or data. Modifying system configuration.” – “How to blunt the socially engineered hack” by Michael Casper (http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO65473,00.html)
  7. Social Engineering. “… 70 percent of those asked said they would reveal their computer passwords for a …” (bar of chocolate). Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
  8. Social Engineering. Methods of Social Engineering:
     - Information Gathering
     - Information Planting
     - Email Scams
     - Masquerading
     - Dumpster-diving
     - Help desk/Support areas
     - Receptionist/Administrative areas
     - Launching attack
  9. Vulnerability in People. Cause: a large, growing population of internet-illiterate users is using internet email and other user-friendly applications. Threat: illiteracy in how the internet works and its threats allows miscreants to attack a network or person through social engineering. This is the fastest growing method of hacking we have seen. Human nature is that people are trusting, even of those things which may be false.
  10. Social Engineering – Information Gathering. Scenario #1 – YOU: How many of you have provided personal information online or over the phone to a vendor or service? Personal information may include:
     - Social Security Number (or just the last 4 digits)
     - First, Middle, Last names – Maiden Name
     - Mother's Maiden Name
     - Address, Phone Number
     - Email Address?
     - Credit Card Number – CVV2 Code
     - ATM PIN Code
     - Passwords you may use elsewhere
  11. Social Engineering – Information Gathering. Scenario #1 – YOU: Was that information sent securely? Will it be shared with someone else? Was it compromised? Scenario #2 – SOMEONE ELSE: Have you ever asked for personal information and been offered that information freely or without much effort?
  12. Social Engineering – Information Gathering. Example: How many of you would provide personal information to someone who called you on the phone? Over the Internet? Social engineering is an art, basically the art of listening and lying at the same time, while seemingly having a typical conversation. Read more: The Art of Deception – Kevin Mitnick.
  13. Social Engineering – Information Planting. Scenario: You come back from lunch to find a Post-it note on your desk asking you to change a user password to something written on the Post-it note.
  14. ID Theft – New Way: Phishing / Pharming; Hijack/Skimming.
  15. Social Engineering Example. On 7 October 2001: “Singer Britney Spears Killed in Car Accident”. Due to a bug in CNN’s software, when people at the spoofed site clicked on the “E-mail This” link, the real CNN system distributed a real CNN e-mail to recipients with a link to the spoofed page. With each click at the bogus site, the real site’s tally of most popular stories was incremented for the bogus story. Allegedly this hoax was started by a researcher who sent the spoofed story to three users of AOL’s Instant Messenger chat software. Within 12 hours more than 150,000 people had viewed the spoofed page.
  16. Social Engineering: Phishing
  17. What is Phishing? “Fishing for personal information”: use of “spoofed” e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. Anti-Phishing Working Group, http://www.antiphishing.org/
  18. Surge in phishing. Based on the survey, 57 million Americans have been, or think they have been, the victim of a phishing attack. 30 million were positive. Out of that pool, 11 million fell for the scams, or about 19% of those attacked. Almost 2 million, or about 3% of those attacked, reported that they'd actually divulged sensitive information, e.g. credit-card numbers, bank accounts, passwords, etc. Phishers have a one in 700 chance of getting caught. *Gartner Group
  19. Social Engineering
  20. Phishing: New Threat
  21. Email Scams. This is a very common tactic used to social engineer personal information. Let's walk through a specific case.
  22. Email Scams. Click on the link and you get sent to the eBay Security Update page… Or do you… Click here and it takes you to Official eBay Help. Not a secure website. LET'S SCROLL DOWN.
  23. Email Scams. As we scroll down the page we find out that it needs a lot of personal information to verify who you are. NEVER give this out to anyone online. Just in case you mistyped your password above… OK, I can see how eBay might need this info… right??? LET'S SCROLL DOWN. Just in case you thought this might be a scam…
  24. Email Scams. CVV2 code and PIN number to your bank account. Can't use the credit card online without this!! If we clone your card, we might need this as well.
  25. Email Scams. Let's take a look at the email again… How many of you receive emails like this on a regular basis? Does it look legit? Would it have fooled you? In this case, the whole message was actually an image, with the image linked to the malicious site, while the link shown in the image appears to be something legitimate.
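The image-only scam mail described on slide 25 can be flagged mechanically. Added example, not from the deck: a check that parses a constructed message (placeholder domain and documentation IP, not real indicators) and reports a body that consists of a linked image with no readable text, so a reviewer sees the real link target instead of the address painted on the picture.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample in the shape the slide describes: the only visible
# content is an image wrapped in a link, and the image's text promises a
# legitimate-looking address. Domain and IP are placeholders, not indicators.
RAW_MESSAGE = b"""\
From: "eBay Security" <security@ebay.example>
To: victim@example.org
Subject: Security Update Required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://198.51.100.7/ebay/update.php">
<img src="cid:body.png" alt="https://www.ebay.example/help"></a>
</body></html>
"""

class BodyScanner(HTMLParser):
    """Collect link targets, image count and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text += data.strip()

def image_only_phish(raw):
    """Flag a message whose HTML body is a linked image with no visible text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return {"suspicious": False, "links": [], "reason": "no HTML part"}
    scanner = BodyScanner()
    scanner.feed(body.get_content())
    # Nothing readable and at least one image inside a link: the reader can
    # only judge the destination by the picture, which is the deception.
    suspicious = scanner.images >= 1 and scanner.links and not scanner.text
    return {"suspicious": bool(suspicious), "links": scanner.links,
            "reason": "image-only body with link" if suspicious else "visible text present"}
```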
  26. What Companies are Doing. AMERICAN EXPRESS – How to Contact American Express about Fraudulent E-Mails: If you receive an e-mail that you believe could be fraudulent, immediately forward it to emailhoax@service.americanexpress.com. Please do not forward the e-mail as an attachment. Please note that any submissions to this email address will result in an auto-generated reply to notify you that we have received your e-mail. If we find it to be fraudulent, we will immediately take appropriate action. For consumers requiring additional assistance, please contact us at Contact American Express, http://www10.americanexpress.com/sif/cda/page/0,1641,21372,00.asp
  27. How to Detect Deception:
     - Publish your mail server addresses (to thwart spoofing)
     - Educate customers (and employees)
     - Establish online communication protocols
     - Create a response plan now
     - Proactively monitor for phishers and fraud
     - Make yourself a difficult target
     Source: http://www.cio.com/archive/090104/phish.html
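“Publish your mail server addresses” on slide 27 is what an SPF record in DNS does: the receiving server compares the connecting IP with the sender domain's published list. Added example, not from the deck and not the pyspf library: a minimal evaluator over constructed records for placeholder domains, handling only ip4/ip6 mechanisms and the all qualifier (include/a/mx need DNS lookups and are skipped).

```python
import ipaddress

# Constructed "published" records for placeholder domains; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for real mail servers.
PUBLISHED = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_verdict(sender_domain, client_ip, records):
    """Receiver-side check: may client_ip send mail for sender_domain?
    Returns pass, fail, softfail, neutral, or none (no record published)."""
    record = records.get(sender_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # mechanisms default to "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # A v4 address never matches a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                        # include/a/mx need DNS; not handled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"                        # nothing matched (RFC 7208 default)
```

A spoofed message claiming example.org from an address outside the published ranges gets "fail", which the receiver can reject or tag before the user ever sees it.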
  28. Prevent Phishing (from Fraud Watch):
     - Never click on hyperlinks
     - Use anti-spam filters
     - Use anti-virus software
     - Use personal firewalls
     - Keep all software updated
     - Always look for https on sites that ask for “personal information”
     - Keep computer clean from spyware
     - Know fraudulent activity on the Internet
     - Check your credit report immediately for free!
     - If unsure, ask!
  29. First Phishing – Now Ransomware:
     - New generation of attack: use of the internet for extortion, “Ransomware”.
     - Follow-up to phishing and pharming attacks.
     - It starts with hijacking or stealing user files and encrypting them (so the user loses access to vital information), then demanding payment in exchange for the decryption key.
     - So far these attacks are quite rare, but they bring a new dimension to the usage of the internet and a new generation of attacks.
  30. Phishing – Variations:
     - “Phishing” = social engineering
       – Who: online scammers, posing as legitimate companies or your new best friend
       – Why: they want your sensitive information (credit-card, billing-routing, and Social Security numbers, among others)
     - “Pharming” = being diverted to a fake/spoofed website
     - “Spear phishing” = spoofed email that targets emails stolen from a company or organization
  31. Phishing and Business Risks: privacy, legislative violations, financial loss, intellectual capital, litigation, public image/trust.
  32. Credit Cards for Sale
  33. Vendor Solutions abound: anti-spam, antivirus/anti-worm, anti-phishing, policy-based controls.
  34. 1st Gen: “Look for stuff…” – subject contains “Viagra”.
     2nd Gen: “Look smarter” – text has “Viagra” & “Unsubscribe”.
     3rd Gen: “Go for Buzzwords” – Bayesian filter and neural nets.
     4th Gen: “Mix a Cocktail” – you can’t fool all of the filters all of the time. But threats get more sophisticated.
  35. Tradeoffs: false positives vs false negatives. Catch more emails, more false positives; catch fewer emails, fewer false positives. (Chart axes: FP, FN)
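The filter generations on slide 34 and the tradeoff on slide 35, as one added example (not from the deck): the 1st and 2nd generation rules and a small 3rd generation Bayesian scorer are run over a constructed labelled corpus, and the Bayesian threshold is moved to show false positives rising as false negatives fall. Corpus, held-out messages and the resulting word statistics are invented for illustration.

```python
import math
import re
# Constructed training corpus, (text, is_spam); invented for illustration.
TRAIN = [
    ("buy viagra now click here unsubscribe", True),
    ("viagra cheap pills unsubscribe below", True),
    ("your account is suspended verify your password now", True),
    ("please verify your ebay account click here", True),
    ("meeting moved to 3pm see agenda attached", False),
    ("viagra trial results attached for review", False),
    ("newsletter: latest pricing, unsubscribe link at the bottom", False),
    ("your password expires friday, change it at the portal", False),
]
# Constructed held-out messages none of the filters has seen.
HELD_OUT = [
    ("click here to verify your account now", True),
    ("cheap viagra, unsubscribe here", True),
    ("trial results for the viagra study attached", False),
    ("please see the agenda attached", False),
]

def tokens(text):
    return set(re.findall(r"[a-z]+", text.lower()))
def gen1(text):  # 1st gen, "look for stuff": a single keyword
    return "viagra" in tokens(text)
def gen2(text):  # 2nd gen, "look smarter": two keywords together
    return {"viagra", "unsubscribe"} <= tokens(text)

def train_bayes(corpus):
    """3rd gen: per-word spam/ham log-odds with add-one smoothing."""
    spam, ham = {}, {}
    for text, is_spam in corpus:
        counts = spam if is_spam else ham
        for w in tokens(text):
            counts[w] = counts.get(w, 0) + 1
    n_spam = sum(s for _, s in corpus)
    return {w: math.log((spam.get(w, 0) + 1) / (n_spam + 2))
            - math.log((ham.get(w, 0) + 1) / (len(corpus) - n_spam + 2))
            for w in set(spam) | set(ham)}

def gen3(text, model, threshold):
    # Sum of word log-odds; the threshold is the knob that trades FP for FN.
    return sum(model.get(w, 0.0) for w in tokens(text)) > threshold

def evaluate(classify, corpus):
    """Return (false positives, false negatives) over a labelled corpus."""
    fp = sum(1 for t, s in corpus if classify(t) and not s)
    fn = sum(1 for t, s in corpus if s and not classify(t))
    return fp, fn
```

On the held-out set the keyword rule blocks the legitimate medical mail (a false positive) and misses the account-verification lure (a false negative); lowering the Bayesian threshold catches more but starts blocking the meeting mail, raising it misses the cheap-pills mail.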
  36. User Awareness to Avoid Phishing:
     - Caution: African shares $10 million…
     - Banks never ask for account info in an e-mail
     - Don’t click on links in suspicious e-mails
     - Report suspicious e-mails
     - D-E-L-E-T-E
  37. Banking Technical Solutions
  38. Anti-Phishing Laws:
     - Identity Theft Penalty Enhancement Act
       – Aggravated Identity Theft: defined as using a stolen identity to commit other crimes.
       – Mandatory sentencing of 2 years.
     - Anti-Phishing Act of 2005
       – Prohibits the use of a website/email to coerce others to divulge their personal information.
       – Penalties: 5 years, $250,000 fine.
     Effectiveness: Professionals vs. Amateurs
  39. Resources:
     • FTC Identity Theft Website: www.consumer.gov/idtheft
     • Anti-Phishing Working Group: www.antiphishing.org
     • End ID Theft: www.endidtheft.com
  40. Questions
