Free Powerpoint Templates
Page 1
Phishing and Social Engineering Awareness
-
Nicholas Davis
CISA, CISSP
Security Architect
UW-Madison, Division of Information Technology
-
9-26-2013
Page 2
Introduction
• Background
• Phishing and Social Engineering
• History
• Types
• Examples
• Detecting Fraudulent Email
• Defending Against Phishing Attacks
• Measured Phishing Awareness at DoIT
• Samples and Participation Rates
• Question and Answer Session
Page 3
Social Engineering
The art of manipulating people into performing actions or divulging confidential information.
It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access.
Page 4
Phishing
• Deception
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the healthcare working environment, is extremely dangerous
Page 5
Phishing 1995
• Target AOL users
• Account passwords = free online time
• Threat level: low
• Techniques: similar names, such as www.ao1.com for www.aol.com
Page 6
Phishing 2001
Target: eBay and major banks
Credit card numbers and account numbers = money
Threat level: medium
Techniques: same as in 1995
Page 7
Phishing 2007
Targets: PayPal, banks, eBay
Purpose: to steal bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
Page 8
Phishing in 2013
• Identity Information
• Personal Harm
• Blackmail
Page 9
Looking In the Mirror
• Which types of sensitive information do you have access to?
• What about others who share the computer network with you?
• Think about the implications associated with that data being stolen and exploited!
Page 10
What Phishing Looks Like
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
Page 11
Techniques For Phishing
• Employ visual elements from target site
• DNS Tricks:
  • www.ebay.com.kr
  • www.ebay.com@192.168.0.5
  • www.gooogle.com
• Unicode attacks
• JavaScript attacks
• Spoofed SSL lock certificates
  • Phishers can acquire certificates for domains they own
  • Certificate authorities make mistakes
Page 12
Social Engineering Techniques
• Socially aware attacks
• Mine social relationships from public data
• Phishing email appears to arrive from someone known to the victim
• Use spoofed identity of trusted organization to gain trust
• Urge victims to update or validate their account
• Threaten to terminate the account if the victim does not reply
• Use a gift or bonus as bait
• Security promises
Page 13
Remember These Social Engineering Techniques
Often employed in phishing to make a message seem more real or urgent, or to lower your guard
Threats – Do this or else!
Authority – I have the authority to ask this
Promises – If you do this, you will get $$$
Praise – You deserve this
Page 14
Other Phishing Techniques
Socially aware attacks
Mine social relationships from public data
Phishing email appears to arrive from someone known to the victim
Use spoofed identity of trusted organization to gain trust
Urge victims to update or validate their account
Threaten to terminate the account if the victim does not reply
Use a gift or bonus as bait
Security promises
Page 15
Let’s Talk About Facebook
• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! – discussion
• Privacy settings mean nothing – discussion
• Treasure trove of identity information
• Games as information harvesters
Page 16
Socially Aware
Page 17
Context Aware
“Your bid on eBay has won!”
“The books on your Amazon wish list are on sale!”
Page 18
Seems Suspicious
Page 19
Social Engineering Methods
419 Scam
Nigerian Email
Spanish Prisoner
Page 20
Too Good to be True
Page 21
Detecting Fraudulent Email
Information requested is inappropriate for the channel of communication:
"Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
Urgency and potential penalty or loss are implied:
"If you don't respond within 48 hours, your account will be closed."
Page 22
Detecting Fraudulent Email
"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
Page 23
Detecting Fraudulent Email
"Click the link below to gain access to your account."
This is an example of URL masking (hiding the web address)
URL alteration:
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
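The DNS tricks on the earlier techniques slide (www.ebay.com.kr, www.ebay.com@192.168.0.5, www.gooogle.com) and the altered URLs on this slide can be screened mechanically before a user is asked to judge them. The Python below is an added example, not part of the presentation; TRUSTED_DOMAINS is a constructed list, and registrable_domain uses a deliberately naive last-two-labels rule instead of a public-suffix list.

```python
"""Heuristic checks for the URL tricks listed in the slides: a user name before
'@', a bare IP host, a brand name under an unrelated registrable domain,
non-ASCII/punycode (Unicode) hostnames, and typosquatted look-alikes."""
from urllib.parse import urlsplit

# Constructed list of domains the organisation treats as trusted (assumption).
TRUSTED_DOMAINS = {"ebay.com", "google.com", "microsoft.com", "aol.com", "paypal.com"}


def edit_distance(a, b):
    """Levenshtein distance: micosoft/microsoft = 1, mircosoft/microsoft = 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive last-two-labels rule (assumption: no public-suffix list offline),
    so www.ebay.com.kr reduces to com.kr, not to ebay.com."""
    return ".".join(host.split(".")[-2:])


def check_url(url):
    """Return {finding tag: detail}; an empty dict means no trick was spotted."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    findings = {}
    if parts.username is not None:                 # www.ebay.com@192.168.0.5
        findings["userinfo"] = f"'{parts.username}' before '@'; real host is {host}"
    if host.replace(".", "").isdigit():            # host is a bare IP address
        findings["ip-literal"] = host
    if any(ord(c) > 127 for c in host) or any(lab.startswith("xn--") for lab in host.split(".")):
        findings["idn"] = "hostname uses non-ASCII or punycode labels"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings                            # genuinely under a trusted domain
    second_level = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:                          # www.ebay.com.kr, verify-microsoft.com
            findings["brand-in-host"] = f"'{brand}' appears, but domain is {reg}"
        elif 0 < edit_distance(second_level, brand) <= (1 if len(brand) <= 4 else 2):
            findings["lookalike"] = f"{reg} resembles {trusted}"    # gooogle.com, ao1.com
    return findings
```

A hit is a reason to type the address by hand rather than click, which is exactly the advice on the defence slide; a miss is not proof of safety.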
Page 24
How to Defend Against Phishing Attacks
• Never respond to an email asking for personal information
• Always check the site to see if it is secure (SSL lock)
• Look for misspellings or errors in grammar
• Never click on the link in the email. Enter the web address manually
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• When in doubt, ask your Network Administrator for their opinion
Page 25
A Note on Spear Phishing
• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with
• Asks for special treatment, with justification for the request
Page 26
Don’t Touch That QR Code
Curiosity Is Dangerous
Page 27
Other Techniques
An ocean of Phishing techniques
• Clone Phishing - Discussion
• Whaling - Discussion
• Filter Evasion - Discussion
• Phone Phishing - Discussion
• Tabnabbing - Discussion
• Evil Twins - Discussion
Page 28
Social Engineering Trojans
Page 29
Baiting
Hey, look! A free USB drive!
I wonder what is on this confidential CD which I found in the bathroom?
These are vectors for malware!
They play on your curiosity or desire to get something for nothing
Don’t be a piggy!
Page 30
Out of Office
Out of Control
Using the Out of Office responder in a responsible manner
Page 31
Phishing Awareness at DoIT
DoIT staff undergo formal Security Awareness training every year
Reading is one thing, experiencing is another
We wanted some real measurements
Purchased a product which enabled us to run measured phishing campaigns
Eight campaigns over the past year, from simple to complex
Page 32
Fidlety - Simple
Page 33
Liked-In – A Little Harder
Page 34
Faceblock Friends - Tricky
Page 35
A Coupon From The Home Despot
Page 36
A New Kitchen At Work
Page 37
Dr. Jekyll – Or Mr. Hyde?
The Crown Jewel!
Page 38
Results
Average industry end user “participation rate” is 14%
Can you guess what our participation rate was?
The more familiar the subject matter, the more likely people are to let their guard down
Page 39
Summary
Technology does not provide all the answers
Think of Phishing every time you open an email
Remember, Social Engineering happens everywhere, not just at St. Elsewhere
Page 40
Questions and Discussion
Nicholas Davis
ndavis1@wisc.edu
facebook.com/nicholas.a.davis

UW School of Medicine Social Engineering and Phishing Awareness