Social engineering and phishing scams manipulate users into providing sensitive information. Social engineers use deception through media like emails, websites, instant messages, or phone calls that appear legitimate but lead to fake sites seeking login or financial details. Users should be cautious of unsolicited messages and verify a site's authenticity by checking URLs and other details. Techniques like URL shorteners, phone number spoofing, and browser exploits can trick users, so vigilance is important when online or on calls. Resources are available to help learn about and mitigate these risks.

1. Harold
WiFiAwareness
Social Engineering
and Phishing Scams
Avoiding Social Engineering
Online

2. Overview
• What is social engineering
• What is phishing
• What types of phishing are there
• What do social engineers do
• How do you protect yourself
Feel free to ask questions
Security II: Turn off the Message Bar and run code safely

3. What Is Social Engineering?
•Manipulation
•Method to gain information
•The Art of Deception
Security II: Turn off the Message Bar and run code safely

4. What Is Phishing?
• A fake website, email, or sms used to obtain information
• A method to obtain information
• A form of deception
• Used to commit ID theft (financial or social)
Security II: Turn off the Message Bar and run code safely

5. What Do Social Engineers Do | Tools Used
•Manipulation •Social Engineer Toolkit
•Caller ID Spoofing
•Theft
•SMS Spoofing
•Information •Modified Web Servers
•TinyURL Services
•Corporate Spies
•Fake IDS
Security II: Turn off the Message Bar and run code safely

6. Email Phishing
An email from Wachovia,
Wonder whats up with my
account
Be aware of emails like this, banks will never ask for your login “Your account access will
details online. If concerned call your bank and NEVER respond to remain limited until the issue
such emails has been resolved please
login to your account by
Note: A good tip off (but not always accurate) is to see if it was marked as clicking on the link below”
spam, usually these users use unverified smtp servers that will be marked as
spam, use a more secure email service like Google’s Gmail service.
Security II: Turn off the Message Bar and run code safely

7. Website Phishing
What is wrong with this
picture?
It appears to be the paypal
login page…….right?
Above you see the paypal login page, but look at the blown
up image to right right and you’ll notice that the address bar
does not read paypal.com
This is a fake paypal spoof or clone (phish) that appears to
be paypal in order to steal your money and account details
Security II: Turn off the Message Bar and run code safely

8. IM Phishing
Fake IM’s can link you to
phished websites to gain
your login info
1 The user send the victim a fake IM, telling him he uploaded
some photos online
2 The victim, concerned checks out the site, thinking he needs
to login to the (fake) site to see the images, gives the social
engineer his login details
Security II: Turn off the Message Bar and run code safely

9. TinyURL
URL shorteners like
Tinyurl.com can be useful
to make long urls shorter
for you to send in emails or
im’s.
But they can also be useful
to Social Enginners and
Phishers
This site makes long urls short
Ex: http://google.com/long_address_that_is_long is changed to http://tinyurl.com/shorter_url
But that means the phisher can make a suspisous url look safe
Ex: 489.45.145.156/facebook.php look like http://tinyurl.com/my_new_fb_pics
Security II: Turn off the Message Bar and run code safely

10. Phishing For More
Fake or Phished websites
can include java or browser
exploits that give the social
engineer full access to your
pc
To the right is an attacker using an iPhone 4 to
make a fake facebook login page, shown above.
Instead of taking the users login info, he uses a
java exploit to access the entire machine
Security II: Turn off the Message Bar and run code safely

11. The Java Applet
Some phished WebPages will
use java applications to allow
them FULL access to your
computer
Sometimes they are
persistent, that’s a sign of an
exploited java app
1 Does the publisher match the site? Does the From address? Ask yourself questions
before doing something to
Does the site have a good reason to run java? save yourself trouble
2
Security II: Turn off the Message Bar and run code safely

12. Call Spoofing
Some social engineers will call
you using fake information
trying to verify your account
information
Using free software or cheap
online services anyone can
fake their caller id
1 Never talk about personally identifiable information unless you are
Ask yourself if you know
sure you know who your talking to, preferably only if you called the person, if they sound
them. right.
2 If you have an iPhone use apps like unhide to show the true caller id
of the user
Security II: Turn off the Message Bar and run code safely

13. Resources
http://www.secmaniac.com/
http://www.offensive-security.com/
http://www.backtrack-linux.org/
http://www.hak5.org
http://www.remote-exploit.org
http://www.metasploit.com
http://www.exploit-db.com/
http://www.social-engineer.org/
http://www.darkreading.com/
http://www.spoofcard.com
Security II: Turn off the Message Bar and run code safely