1 Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Social Engineering and Identity Theft
Simplifying Security.
Module 10

Oakland Police Shut Down Bay Area-Wide Identity Theft Operation
http://www.mercurynews.com
05/16/2011, 11:16:54 AM PDT
OAKLAND -- Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that manufactured phony checks, IDs and credit cards has been shut down.
Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an untold amount of monetary loss.
Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft "puts fear in everyone," including himself.
The operation, which Officer Holly Joshi called a "one-stop shop" for identity theft, was run out of a Hayward apartment in the 21000 block of Foothill Boulevard, where resident Mishel Caviness-Williams, 40, was arrested last week as she left the apartment. She had $4,000 in cash on her, police said.

Woman Sought in Theft
http://www.suffolknewsherald.com
May 23, 2011
Suffolk police are seeking assistance locating a woman who allegedly took an elderly man's debit card and used it on several occasions. Police have five felony warrants on file for Lavonda "Goosie" Moore, 37, for credit card theft, credit card fraud, criminally receiving money, third offense petit larceny and identity theft.
Police say Moore took a debit card from the victim on Hill Street on May 15 and used it on multiple occasions at an ATM and at retail stores. There also is a warrant on file for Moore for third offense petit larceny in an unrelated case.
Moore's last known address is the 600 block of Brook Avenue. Anyone who has information on Moore's location is asked to call Crime Line at 1-888-LOCK-U-UP. Callers to Crime Line never have to give their names or appear in court, and may be eligible for a reward of up to $1,000.

Identity Theft Statistics 2011
http://www.spendonlife.com
Figures shown: 75%, 11.1 Million, 4.8%, 13%
Labels shown:
Adults Victims of Identity Theft
$54 billion: The Total Fraud Amount
Percent of Population Victimized by Identity Fraud
Victim Who Knew Crimes Were Committed
Fraud Attacks on Existing Credit Card Accounts

Consumer Complaint Scenario
http://www.networkworld.com
"I lost my purse in 2006. But surprisingly I got notices of bounced checks in 2007. About a year later, I received information that someone using my identity had bought a car. In 2008, I came to know that someone is using my Social Security Number for a number of years. A person got arrested and produced my SSN on his arrest sheet. I can't get credit because of this situation. I was denied a mortgage, employment, credit cards and medical care for my children."

Module Objectives
What is Identity Theft?
Personal Information that Can be Stolen
How do Attackers Steal Identity?
What do Attackers do with Stolen Identity?
Examples of Identity Theft
How to Find if You are a Victim of Identity Theft?
What to do if Identity is Stolen?
Reporting Identity Theft
Prosecuting Identity Theft
Guidelines for Identity Theft Protection
Guidelines for Protection from Computer Based Identity Theft
IP Address Hiding Tools

Module Flow
Identity Theft
Social Engineering
How to Find if You Are a Victim of Identity Theft
What to Do if Identity Is Stolen
Reporting Identity Theft
Protection from Identity Theft

What is Identity Theft?
Identity theft or ID fraud refers to a crime where an offender wrongfully obtains key pieces of the intended victim's personal identifying information, such as date of birth, Social Security number, driver's license number, etc., and makes gain by using that personal data
Identity Theft Effects
Criminal charges
Legal issues
Financial losses
It leads to denial of employment, health care facilities, mortgage, bank accounts and credit cards, etc.

Personal Information that Can be Stolen
Names
Mother's maiden name
Telephone numbers
Passport numbers
Credit card/Bank account numbers
Social security numbers
Driving license numbers
Birth certificates
Address
Date of birth

How do Attackers Steal Identity?
Hacking
Attackers may hack the computer systems to steal confidential personal information
Theft of Personal Stuff
Fraudsters may steal wallets and purses, mail including bank and credit card statements, pre-approved credit offers, and new checks or tax information
Phishing
Fraudsters pretend to be a financial institution and send spam/pop-up messages to trick the user into revealing personal information
Social Engineering
It is the act of manipulating people's trust so that they perform certain actions or divulge private information, without using technical cracking methods

What do Attackers do with Stolen Identity?
Credit Card Fraud
They may open new credit card accounts in the name of the user and do not pay the bills
Phone or Utilities Fraud
They may open a new phone or wireless account in the user's name, or run up charges on his/her existing account
They may use user's name to get utility services such as electricity, heating, or cable TV
Other Fraud
They may get a job using legitimate user's Social Security number
They may give legitimate user's information to police during an arrest and if they do not turn up for their court date, a warrant for arrest is issued on legitimate user's name

What do Attackers do with Stolen Identity?
Bank/Finance Fraud
They may create counterfeit checks using victim's name or account number
They may open a bank account in victim's name and issue the checks
They may clone an ATM or debit card and make electronic withdrawals on victim's name
They may take a loan on victim's name
Government Documents Fraud
They may get a driving license or official ID card issued on legitimate user's name but with their photo
They may use victim's name and Social Security number to get government benefits
They may file a fraudulent tax return using legitimate user information

Identity Theft Example
Original Identity Theft
Same Name: TRENT CHARLES ARSENAUL

Social Engineering
Social engineering is the art of convincing people to reveal confidential information
It is the trick used to gain sensitive information by exploiting the basic human nature
Social Engineers Attempt to Gather
Sensitive information such as credit card details, social security number, etc.
Passwords
Other personal information
Types of Social Engineering
Human based social engineering
Computer based social engineering

Social Engineering Example
Hi, we are from CONSESCO Software. We are hiring new people for our software development team. We got your contact number from popular job portals. Please provide details of your job profile, current project information, social security number, and your residential address.

Criminal as Phone Banker
Hi, I am Mike calling from CITI Bank. Due to increasing threat perception, we are updating our systems with new security features. Can you provide me your personal details to verify that you are the real Stella?
Thanks Mike, here are my details. Do you need anything else?

Authority Support Example
Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures.
Your department has 10 minutes to show me how you would recover from a website crash.

Technical Support Example
A man calls a company's help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker clear entrance into the corporate network.

Human-Based Social Engineering
Eavesdropping
- Eavesdropping is unauthorized listening to conversations or reading of messages
- It is interception of any form of communication such as audio, video, or written
Shoulder surfing
- Shoulder surfing is the procedure where the attackers look over the user's shoulder to gain critical information such as passwords, personal identification number, account numbers, credit card information, etc.
- Attacker may also watch the user from a distance using binoculars in order to get the pieces of information
Dumpster diving
- Dumpster diving includes searching for sensitive information at the target company's trash bins, printer trash bins, user desk for sticky notes, etc.
- It involves collection of phone bills, contact information, financial information, operations related information, etc.

Computer-Based Social Engineering
Spam Email
Irrelevant, unwanted, and unsolicited email to collect the financial information, social security numbers, and network information
Instant Chat Messenger
Gathering personal information by chatting with a selected online user to get information such as birth dates and maiden names
Chain Letters
Chain letters are emails that offer free gifts such as money and software on the condition that the user has to forward the mail to the said number of persons
Hoax Letters
Hoax letters are emails that issue warnings to the user on new viruses, Trojans, or worms that may harm the user's system
Pop-up Windows
Windows that suddenly pop up while surfing the Internet and ask for users' information to login or sign-in

Computer-Based Social Engineering: Phishing
An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user's personal or account information
Phishing emails or pop-ups redirect users to fake webpages mimicking trustworthy sites that ask them to submit their personal information
Figure: Fake Bank Webpage

Phony Security Alerts
Phony security alerts are emails or pop-up windows that seem to be from reputed hardware or software manufacturers like Microsoft, Dell, etc.
They warn the user that the system is infected and provide an attachment or a link in order to patch the system
Scammers suggest that the user download and install those patches
The trap is that the file contains malicious programs that may infect the user's system

Computer-Based Social Engineering through Social Networking Websites
Computer-based social engineering is carried out through social networking websites such as Orkut, Facebook, MySpace, LinkedIn, Twitter, etc.
Attackers use these social networking websites to exploit users' personal information

How to Find if You are a Victim of Identity Theft?
Bill collection agencies contact you for overdue debts you never incurred
You receive bills, invoices, or receipts addressed to you for goods or services you haven't asked for
You no longer receive your credit card or bank statements
You notice that some of your mail seems to be missing
Your request for mortgage or any other loan is rejected citing your bad credit history despite you having a good credit record

How to Find if You are a Victim of Identity Theft?
You get something in the mail about an apartment you never rented, a house you never bought, or a job you never held
You lose important documents such as your passport or driving license
You identify irregularities in your credit card and bank statements
You are denied social benefits on the grounds that you are already claiming them
You receive a credit card statement with a new account

What to do if Identity is Stolen?
Contact the credit reporting agencies
- http://www.experian.com
- http://wwwc.equifax.com
- http://www.transunion.com
Immediately inform credit bureaus and establish fraud alerts
Request for a credit report
Review the credit reports and alert the credit agencies
Freeze the credit reports with credit reporting agencies
Contact all of your creditors and notify them of the fraudulent activity
Change all the passwords of online accounts
Close the accounts that you know or believe have been tampered with or opened fraudulently

What to Do if Identity Is Stolen?
File a report with the local police or the police in the community where the identity theft took place
File a complaint with identity theft and cybercrime reporting agencies such as the FTC
Take advice from police and reporting agencies about how to protect yourself from further identity compromise
Ask the credit card company about new account numbers
Tell the debt collectors that you are a victim of fraud and are not responsible for the unpaid bill
Ask the bank to report the fraud to a consumer reporting agency such as ChexSystems that compiles reports on checking accounts

Federal Trade Commission
http://www.ftc.gov
The Federal Trade Commission, the nation's consumer protection agency, collects complaints about companies, business practices, and identity theft

econsumer.gov
http://www.econsumer.gov
econsumer.gov is a portal for you as a consumer to report complaints about online and related transactions with foreign companies

Internet Crime Complaint Center
http://www.ic3.gov
The Internet Crime Complaint Center's (IC3) mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA)

Prosecuting Identity Theft
Begin the process by contacting the bureaus, banks, or any other organizations who may be involved
File a formal complaint with the organization and with the police department
Regularly update yourself regarding the investigation process to ensure that the case is being dealt with properly
Obtain a copy of the police complaint to prove to the organizations that you have filed an identity theft complaint
File a complaint with the Federal Trade Commission and complete affidavits to prove your innocence on the claims of identity theft and fraudulent activity
Contact the District Attorney's office for further prosecuting the individuals who may be involved in the identity theft

Module Flow
Identity Theft
Social Engineering
How to Find if You Are a Victim of Identity Theft
What to Do if Identity Is Stolen
Reporting Identity Theft
IP Hiding Tools

Hiding IP Address Using Quick Hide IP Tool
http://www.quick-hide-ip.com
Quick Hide IP hides your internet identity so you can surf the web while hiding your real IP and location
It redirects the Internet traffic through anonymous proxies
Websites you are visiting see the IP address of the proxy server instead of your own IP address

IP Address Hiding Tools
UltraSurf: http://www.ultrareach.com
Hide The IP: http://www.hide-the-ip.com
Hide My IP: http://www.hide-my-ip.com
Hide IP NG: http://www.hide-ip-soft.com
IP Hider: http://www.iphider.org
TOR: http://www.torproject.org
Anti Tracks: http://www.giantmatrix.com
Anonymizer Universal: http://www.anonymizer.com

Module Summary
- Identity theft is the process of using someone else's personal information for the personal gain of the offender
- Criminals look through trash for bills or other paper with personal information on it
- Criminals call the victim impersonating a government official or other legitimate business people and request personal information
- Keep the computer operating system and other applications up to date
- Do not reply to unsolicited email that asks for personal information
- Use strong passwords for all financial accounts
- Review bank/credit card statements/credit reports regularly

Identity Theft Protection Checklist
Keep your Social Security card, passport, license, and other valuable personal information hidden and locked up
Ensure that your name is not present in the marketers' hit lists
Shred papers with personal information instead of throwing them away
Never give away social security information or private contact information on the phone – unless YOU initiated the phone call
Confirm who you are dealing with, i.e., a legitimate representative or a legitimate organization over the phone
Carry only necessary credit cards
Cancel cards seldom used
Review credit reports regularly

Identity Theft Protection Checklist
Do not reply to unsolicited email requests for personal information
Do not give personal information over the phone
Review bank/credit card statements regularly
Do not carry your Social Security card in your wallet
Shred credit card offers and "convenience checks" that are not useful
Do not store any financial information on the system and use strong passwords for all financial accounts
Check the telephone and cell phone bills for calls you did not make
Read before you click, stop pre-approved credit offers, and read website privacy policies

Computer Based Identity Theft Protection Checklist
Install antivirus software and scan the system regularly
Enable firewall protection
Check for website policies before you enter
Keep the computer operating system and other applications up to date
Be careful while opening email attachments
Clear the browser history, logs, and recently opened files every time
Check for secured websites while transmitting sensitive information

Cscu module 10 social engineering and identity theft