Something in the library smells phishy

Something In the Library Smells Phishy
Presented by Nicholas Davis, CISSP, CISA

OverviewOverview
Phishing Background
Threat to IT on campus
Phishing education
Tricks employed
Sample phishing emails unique to UW-
Madison
Spotting the phish, after the click
10 quick tests for the audience!
Q&A
03/18/14 UNIVERSITY OF WISCONSIN 2

Phishing DefinedPhishing Defined
Phishing is the act of attempting to
acquire information such as usernames,
passwords, and credit card details (and
sometimes, indirectly, money) by
masquerading as a trustworthy entity in
an electronic communication, usually
email.

Why Phishing Is Such a ThreatWhy Phishing Is Such a Threat
UW-Madison IT infrastructure is
designed to protect the campus
computing assets with many technical
controls
However, this persuades hackers to
pursue access via alternate means, often
choosing to exploit the human factor

Your Password Is the Key to theYour Password Is the Key to the
KingdomKingdom
If an attacker can
persuade you to give
them your
password, they can
evade all the
controls put in place
to protect sensitive
systems

UW-Madison’s ProprietaryUW-Madison’s Proprietary
Research Interests PhishersResearch Interests Phishers
Consider the value
of UW-Madison’s
intellectual
property

I am Too Smart to Fall For aI am Too Smart to Fall For a
Trick Like PhishingTrick Like Phishing
Most large organizations have a
phishing participation rate of around
10%
This rises when the population become
the subjects of Spear Phishing, which is
phishing email designed specifically for
the recipient

Phishing Relies Upon SocialPhishing Relies Upon Social
EngineeringEngineering
The practice of deceiving someone,
either in person, over the phone, or
using a computer, with the express
intent of breaching some level of
security either personal or professional.
Social engineering techniques are
considered con games which are
performed by con artists. The targets of
social engineering may never realize
they have been victimized.

Tricks Used By Expert PhishersTricks Used By Expert Phishers
Socially Aware: Mining of information
about the target from publicly available
resources, such as Facebook, property
records, or even CCAP
Context Aware: Make reference to an
activity you are likely to engage in, such
as Amazon.com, or UPS package receipt

Specific Examples of ComplexSpecific Examples of Complex
Phishing AttemptsPhishing Attempts
Baiting: Placing a USB flash drive or CD,
with malware on it, in a public place

QR Code Curiosity: Embedding
malicious code within a QR code, on a
printout posted to a community bulletin
board

Out of Office, Out of Control: Taking
advantage of an autoresponder,
leveraging specific knowledge to exploit
co-workers

What Would Happen If YouWhat Would Happen If You
Received This Email?Received This Email?

Tips To Spot Social EngeeringTips To Spot Social Engeering
Within a Phishing AttemptWithin a Phishing Attempt
Asks you to verify a sensitive piece of
information
A sense of urgency is implied in the message
An overt or implied threat may be present
Flattery is used to get you to drop your guard
Use, and sometimes overuse of organizational
knowledge in employed
A bribe or reward for your “help” may be
offered

Spotting the Phish After theSpotting the Phish After the
ClickClick
Website address looks odd or incorrect
IP address shows in address bar
Multiple pop-ups appear on top of
legitimate website window
Website contains spelling or grammar
errors
No SSL lock is present on what should
be a secure site

Can You Spot the Issue HereCan You Spot the Issue Here

Combat Phishing AttemptsCombat Phishing Attempts
Never give away personal information,
especially username and password
Don’t let curiosity get the best of you
Look for the tell-tail signs we have
discussed today
There are no situations which justify
exceptions
If something sounds too good to be
true…

What Do You Think?What Do You Think?
Can You Spot the Phish?Can You Spot the Phish?
Subject: Faculty and staff email Notification
Date: February 21, 2014
Dear user,
We currently upgraded to 4GB space. Please log-in to
your account in order to validate E-space. Your account
is still open for you to send and receive e-mail. Click on
faculty and staff email upgrade <http://bad URL> to
confirm details and upgrade. Note that failure to
upgrade with this notification would lead to dismissal of
your user account.Protecting your email account and
improving the quality of your email is our primary
concern.
This has become necessary to serve you better.
Copyright ©2014 IT Help desk.

DiscussionDiscussion
• Odd use of the English language
• Email references a service which you
may never have heard of, and do not use
• There is a sense of urgency in the email
• There is a direct threat of implications, if
you do not act immediately

Subject: Secure Account Notification
Blackboard
Secure Account Notification
A suspicious activity has been detected. For your safety,
your account access has been suspended.
Please re-activate your account immediately by clicking
on the "Re-Activate My Account" link provided below:
<Re-Activate My Account>
We are sorry for any inconveniences caused as your
safety is important to us.
Thank you,
Blackboard System Notifications.

• A punishment has been specified for
previous actions, making you feel
guilty
• A sense of urgency of action on your
part is asked for
• A context aware attack is used,
referencing Blackboard, a commonly
used software package, in higher
education

Subject: Web!User
Dear Web!User,
We are under urgent upgrade service you are require to
upgrade account by via hxxp://servacc.0ad.info/
System Administrator
Web! Techs.

• Poor English grammar usage
• Sense of urgency implied
• Refers to you by some odd generic
name “web user”

Subject: Apple Customer Alert!
Dear Apple Customer,
Please confirm your identity today or your account will
be Disabled due to concerns we have for the safety and
integrity of the Apple Community.
To confirm your identity, we recommend Click here
Regards,
Apple Customer Service.

• Sense of urgency contained in email
• You have been made to feel guilty
• Context aware reference for all Apple
users
• Threat of account disabling if you do
not act

Subject: RE: Faculty Staff & Employee Mailbox Upgrade
Date: January 21, 2014
Dear Faculty Staff & Employee Email Subscribers
Welcome to 2014 Academic Season
Your Email Account have been put on-hold by our
server,you can no longer
send or receive emails,to avoid this kindly click on the
link UPGRADE to submit your
old account for New to enable you to send and receive
emails
Thank You
ITS Service Provider Team

• Socially aware email appears to be
familiar with your association with
the university as a faculty or staff
member
• Odd use of English language
• Sense of moderate urgency implied

Subject: ACH Notification
Date: October 9, 2013
Attached is a summary of Origination activity
for 10/09/2013
If you need assistance please contact us via e-
mail during regular business hours.
Thank you for your cooperation.

• References commonly known “ACH”
term, which is familiar to people who
deal with accounts payable and
accounts receivable
• Plays on your sense of curiosity, to
learn more….(What account is this?
How much do I owe?)
• Email is intentionally vague

Subject: Court attendance notification #ID608
Date: January 9, 2014
From: Illegal software
Sent: Thursday, January 09, 2014 1:18 AM
Subject: Court attendance notification #ID608
Warrant to appear,
Please be informed that you are expected
in the Court of Georgia on February 2nd, 2014 at 9:30 a.m.
where the hearing of your case of illegal software use will take place.
You may obtain protection of a lawyer, if necessary.
Please bring your identity documents to the Court on the named day.
Attendance is compulsory.
The detailed plaint note is attached to this letter, please download and
read it thoroughly.
Court clerk,
LANE Pruitt

• Context issues: You don’t live in
Goergia and have not been there
recently (warning sign)
• You are made to feel guilty for some
previous action which you supposedly
engaged in
• A sense of urgency is implied
• The email may appeal to your sense
of curiosity

Subject: Scanned Image from a HP Digital Device
Date: June 19, 2013
Please open the attached document. This document
was digitally sent to you using an HP Digital
Sending device.
To view this document you need to use the Adobe
Acrobat Reader.

• Lots of context aware references in
this email….Almost all of us use HP
printers and Adobe Acrobat reader,
on our computer. Do not let your
guard down simply because of some
familiar references
• This email appeals to your curiosity
to see what is in the attachment…
Don’t fall for it!

Subject: Your account has been temporarily limited. ID K5008204
Date: September 1, 2012
Your account has been temporarily limited.
To remove the limitation from your account
please confirm your credit card details on file.
For confirmation, please click the link below:
Sign-on to Chase online account
Sincerely,
Cardmember Services
© 2012 JPMorgan Chase & Co.

• Context aware attack, for those who
have a Chase credit card. An immediate
red flag for those who do not
• A punishment has been applied, which
will harm your ability to engage in credit
card transactions, instilling a sense of
fear
• The email is so vague, it makes you
curious to learn more by clicking on a
link

Subject: Microsoft Security Update
Date: August 10, 2012
Dear Window Users,
You have a urgent windows security alert. A deadly virus that
can replicate itself was detected yesterday on one of our
servers. You are to download the latest windows defender from
the below link to prevent your hard drive from getting
damanged. CLICK HERE to log in with your email and
download the updated version.
Windows Security Team

• A sense of urgency is explicit in this
email
• A sense of guilt, for some action you did,
is present
• Context aware for Microsoft users…For
others, the Microsoft reference should
be a red flag
• Requires you to click on something to fix
the problem. Note, in reality, most such
maintenance is performed by your
network administrator and should not
require action on your part.

Subject: Photos
Date: August 13, 2012
Hi, as promised your photos -
hxxp://127.0.0.1/badstuff.htm

• Context aware. At some point, most
of us have received links to pictures,
sent by friends, through email, so are
fooled into thinking that this email
could apply to you
• The email is intentionally vague,
making you curious to learn more…
Don’t fall for the click!

Subject: NetTeller Watch Notice
Date: July 2, 2012
The following ACH batch has been initiated:
Confirmation number: 0829703846
Category: MONTHLY PAYROLL
Effective Date: 7/03/12
Debits: $.00 Credits: $40,866.29
Class Code: PPD
Offset Account: CHECKING
For details, please log in to your NetTeller account.
Click here to access NetTeller account
NOTE: Some web browsers do not open a new window when the above link is
clicked. If you find that a new window did not open, please check the
other open browsers on your computer.

• Appeals to human nature of wanting
to believe we can get something for
nothing…In this case $40,866.29, to
be specific
• Since you were not expecting a
windfall of money, this email appeals
to your sense if curiosity, to click and
learn what it is all about
• You don’t have a Net Teller account,
so this should be a red flag.

Curiosity Killed the Cat!Curiosity Killed the Cat!
Lack of Curiosity Killed the Phish!Lack of Curiosity Killed the Phish!
Nicholas Davis
ndavis1@wisc.edu

Something in the library smells phishy

Recommended

Recommended

More Related Content

Similar to Something in the library smells phishy

Similar to Something in the library smells phishy (20)

More from Nicholas Davis

More from Nicholas Davis (20)

Recently uploaded

Recently uploaded (20)

Something in the library smells phishy