Your SlideShare is downloading. ×
0
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Email phishing and countermeasures
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Email phishing and countermeasures

2,954

Published on

Protection against email phishing, identity theft and associated countermeasures.

Protection against email phishing, identity theft and associated countermeasures.

Published in: Business, Technology
1 Comment
4 Likes
Statistics
Notes
  • free free download this latest version 100% working.
    download link- http://gg.gg/hqcf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
2,954
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
1
Likes
4
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Email Phishing and Countermeasures Email Security jorge.sebastiao@its.ws
  • 2. May 2006 – Veterans Administration laptop with personal information on 26.5M veterans is stolen. “Total losses could top $500M.” – VA Secretary Nicholson Jan 2007- Hackers stole data from at least 45.7 million credit and debit cards at retailer T.J.Maxx – total costs could exceed $1.0B May 2006 – CIO, CSO fired Ohio University 137,000 student accounts compromised
  • 3. Why Does This Happen? Firewall IDS Anti-Virus Attack
  • 4. ATM is also a type of Phishing
  • 5. Can you spot a “Social Engineer”? Phishing is Social Engineering
  • 6. Social Engineering What is Social Engineering? “An attempt to influence a person into granting unauthorized access, unauthorized use or unauthorized disclosure of an information system, network or data. Modifying system configuration.” “How to blunt the socially engineered hack” by Michael Casper (http://www.computerworld.com/cwi/community/story/0,3201,NAV6 5-663_STO65473,00.html)
  • 7. Social Engineering … 70 percent of those asked said they would reveal their computer passwords for a … Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1 Bar of chocolate
  • 8. Social Engineering Methods of Social Engineering Information Gathering Information Planting Email Scams Masquerading Dumpster-diving Help desk/Support areas Receptionist/Administrative areas Launching attack
  • 9. Vulnerability in People Cause: A large growing population of internet illiterate users are using internet email and other user friendly applications. Threat: Illiteracy in how the internet works and its threats allows miscreants to attack a network or person through social engineering. This is the fastest growing method of hacking we have seen. Human nature is that people are trusting, even those things which may be false.
  • 10. Social Engineering – Information Gathering Scenario #1 – YOU: How many of you have provided personal information online or over the phone to a vendor or service? Personal Information May Include Social Security Number (or just the last 4 digits) First, Middle, Last names – Maiden Name Mothers Maiden Name Address, Phone Number Email Address? Credit Card Number – CVV2 Code ATM PIN Code Passwords you may use elsewhere
  • 11. Social Engineering – Information Gathering Scenario #1 - YOU: Was that information sent securely? Will it be shared with someone else? Was it compromised? Scenario #2 – SOMEONE ELSE: Have you ever asked for personal information and been offered that information freely or without much effort?
  • 12. Social Engineering – Information Gathering Example: How many of you would provide personal information to someone who called you on the phone? Over the Internet? Social Engineering is an art, basically the art of listening and lying at the same time, while seemingly having a typical conversation. Read More: The Art of Deception – Kevin Mitnick
  • 13. Social Engineering – Information Planting Scenario: You come back from lunch to find a Post-it note on your desk asking you to change a user password to something written on the Post- it Note.
  • 14. ID Theft– New Way Phishing / Pharming Hijack/Skimming
  • 15. On 7 October 2001. “Singer Britney Spears Killed in Car Accident”. Due to a bug in CNN’s software, when people at the spoofed site clicked on the “E-mail This” link, the real CNN system distributed a real CNN e-mail to recipients with a link to the spoofed page. With each click at the bogus site, the real site’s tally of most popular stories was incremented for the bogus story. Allegedly this hoax was started by a researcher who sent the spoofed story to three users of AOL’s Instant Messenger chat software. Within 12 hours more than 150,000 people had viewed the spoofed page. Social Engineering Example
  • 16. Social Engineering Phishing
  • 17. What is Phishing? “Fishing for personal information” Use “spoofed” e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. Anti-Phishing Working Group http://www.antiphishing.org/
  • 18. Surge in phishing Based on the survey, 57 million Americans have been, or think they have been, the victim of a phishing attack. 30 million were positive, Out of that pool, 11 million fell for the scams or about 19% of those attacked. Almost 2 million, or about 3% of those attacked, reported that they'd actually divulged sensitive information eg. credit-card numbers, bank accounts, passwords, etc. Phishers have a one in 700 chance of getting caught. *Gartner Group
  • 19. Social Engineering
  • 20. Phishing New Threat
  • 21. This is a Very Common Tactic used to Social Engineer personal information. Lets walk through a specific case Email Scams
  • 22. Click on the Link and you get sent to the EBay Security Update Page… Or do you… Click Here and it takes you to Official EBay Help Not a Secure Website LETS SCROLL DOWN Email Scams
  • 23. As we Scroll Down the Page we find out that it needs a lot of personal information to verify who you are. NEVER Give this Out to Anyone Online Just in case you mistyped your password above OK.. I can see how Ebay Might need this info… right ??? LETS SCROLL DOWN Just in case you thought this might be a scam… Email Scams
  • 24. CVV2 Code and PIN Number to your bank account. Can’t Use the CreditCard Online without this!! If we clone your card, we might need this as well. Email Scams
  • 25. Lets take a look at the email again… How many of you receive emails like this on a regular basis? Does it look Legit? Would it have fooled you? In this case, the whole message was actually an Image with the Image linked to the malicious site, while the link in the image shows up as something legitimate. Email Scams
  • 26. What Companies are Doing AMERICAN EXPRESS - How to Contact American Express about Fraudulent E-Mails If you receive an e-mail that you believe could be fraudulent, immediately forward it to emailhoax@service.americanexpress.com. Please do not forward the e-mail as an attachment. Please note that any submissions to this email address will result in an auto- generated reply to notify you that we have received your e-mail. If we find it to be fraudulent, we will immediately take appropriate action. For consumers requiring additional assistance, please contact us at Contact American Express http://www10.americanexpress.com/sif/cda/page/0,1641,21372,00. asp
  • 27. How to Detect Deception Publish your mail server addresses (to thwart spoofing) Educate customers (and employees) Establish online communication protocols Create a response plan now Proactively monitor for phishers and fraud Make yourself a difficult target http://www.cio.com/archive/090104/phish.html
  • 28. Prevent Phishing from Fraud Watch Never click on hyperlinks Use Anti-SPAM filters Use Anti-Virus Software Use personal firewalls Keep all software updated Always look for https and sites that ask for “personal information” Keep computer clean from Spyware Know Fraudulent activity on the Internet Check your credit report immediately for free! If unsure, ask!
  • 29. First Phishing – Now Ransomware  New generation of attack use of the internet attack for extortion "Ransomware".  Follow-up to: phishing, pharming attacks  It starts with hijacking or stealing user files, encrypting them (so the user loses access to vital information), then demanding payment in exchange for the decryption key.  So far theses attacks are quite rare but it brings a new dimension to the usage of the internet and a new generation of attacks.
  • 30. Phishing – Variations  “Phishing”= social engineering – Who: Online scammers, posing as legitimate companies or your new best friend – Why: They want your sensitive information (credit-card, billing- routing, and Social Security numbers, among others)  “Pharming”= being diverted to a fake/spoofed website  “Spear phishing”= spoofed email that targets emails stolen from a company or organization
  • 31. Phishing and Business Risks Privacy Legislative violations Financial loss Intellectual capital Litigation Public Image/Trust Business Risks
  • 32. Credit Cards for Sale
  • 33. 36 Vendor Solutions abound Anti-spam Antivirus/ Anti-worm Anti-phishing Policy-based controls
  • 34. 37 1st Gen: “Look for stuff…” Subject contains “Viagra” 2nd Gen: “Look smarter” Text has “Viagra” & “Unsubscribe” 3rd Gen: “Go for Buzzwords” Bayesian Filter and Neural Nets 4th Gen: “Mix a Cocktail” You can’t fool all of the filters all of the time But threats get more sophisticated
  • 35. 38 Tradeoffs false positives vs false negatives Catch more emails, more false positives Catch less emails, fewer false positives FP FN
  • 36. 39 User Awareness to Avoid Phishing Caution: African shares $10 million… Banks never ask for account info, in an e-mail Don’t click on links suspicious e-mails Report suspicious e-mails D-E-L-E-T-E
  • 37. Banking Technical Solutions
  • 38. Anti-Phishing Laws -Identity Theft Penalty Enhancement Act -Aggregated Identity Theft - Defined as using a stolen identity to commit other crimes. -Mandatory sentencing of 2 years. Anti-Phishing Act of 2005 -Prohibits the use of a website/email to coerce others to divulge their personal information. -Penalties: 5 years, $250,000 fine. Effectiveness: Professionals vs. Amateurs
  • 39. • FTC Identity Theft Website www.consumer.gov/idtheft • Anti-Phishing Working Group www.antiphishing.org • End ID Theft www.endidtheft.com Resources
  • 40. Questions

×