Something in the library smells phishy
1. Something In the Library Smells Phishy
Presented by Nicholas Davis, CISSP, CISA
2. Overview
Phishing Background
Threat to IT on campus
Phishing education
Tricks employed
Sample phishing emails unique to UW-Madison
Spotting the phish, after the click
10 quick tests for the audience!
Q&A
03/18/14 UNIVERSITY OF WISCONSIN 2
3. Phishing Defined
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email.
4. Why Phishing Is Such a Threat
UW-Madison IT infrastructure is designed to protect the campus computing assets with many technical controls
However, this persuades hackers to pursue access via alternate means, often choosing to exploit the human factor
5. Your Password Is the Key to the Kingdom
If an attacker can persuade you to give them your password, they can evade all the controls put in place to protect sensitive systems
7. I am Too Smart to Fall For a Trick Like Phishing
Most large organizations have a phishing participation rate of around 10%
This rises when the population becomes the subject of Spear Phishing, which is phishing email designed specifically for the recipient
8. Phishing Relies Upon Social Engineering
The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security, either personal or professional.
Social engineering techniques are considered con games which are performed by con artists. The targets of social engineering may never realize they have been victimized.
9. Tricks Used By Expert Phishers
Socially Aware: Mining of information about the target from publicly available resources, such as Facebook, property records, or even CCAP
Context Aware: Make reference to an activity you are likely to engage in, such as Amazon.com, or UPS package receipt
10. Specific Examples of Complex Phishing Attempts
Baiting: Placing a USB flash drive or CD, with malware on it, in a public place
11. Specific Examples of Complex Phishing Attempts
QR Code Curiosity: Embedding malicious code within a QR code, on a printout posted to a community bulletin board
12. Specific Examples of Complex Phishing Attempts
Out of Office, Out of Control: Taking advantage of an autoresponder, leveraging specific knowledge to exploit co-workers
13. What Would Happen If You Received This Email?
14. What Would Happen If You Received This Email?
15. Tips To Spot Social Engineering Within a Phishing Attempt
• Asks you to verify a sensitive piece of information
• A sense of urgency is implied in the message
• An overt or implied threat may be present
• Flattery is used to get you to drop your guard
• Use, and sometimes overuse, of organizational knowledge is employed
• A bribe or reward for your “help” may be offered
16. Spotting the Phish After the Click
• Website address looks odd or incorrect
• IP address shows in address bar
• Multiple pop-ups appear on top of legitimate website window
• Website contains spelling or grammar errors
• No SSL lock is present on what should be a secure site
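The three address-related signs on this slide can also be checked mechanically, for example by a mail filter or a help desk triage script. The following Python function is an added example, not part of the original presentation; `expected_domain`, the warning labels, and the last two sample URLs are assumptions constructed for illustration, while the two defanged `hxxp://` URLs are the ones quoted in the sample emails in this deck.

```python
import ipaddress
from urllib.parse import urlsplit


def refang(url):
    """Undo the hxxp:// defanging used in the slides so the URL can be parsed."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url


def url_warnings(url, expected_domain):
    """Return the address-bar warning signs that apply to a URL.

    expected_domain is the site the message claims to be from; the caller
    supplies it (an assumption of this example).
    """
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-address-host")      # "IP address shows in address bar"
    except ValueError:
        # Accept only an exact match or a true subdomain, so that a lookalike
        # such as wisc.edu.login.example is still flagged.
        if host != expected_domain and not host.endswith("." + expected_domain):
            warnings.append("unexpected-domain")  # "address looks odd or incorrect"
    if parts.scheme != "https":
        warnings.append("no-https")             # "No SSL lock is present"
    return warnings


SAMPLES = [
    "hxxp://servacc.0ad.info/",         # from the "Web!User" sample email
    "hxxp://127.0.0.1/badstuff.htm",    # from the "Photos" sample email
    "https://www.wisc.edu/",            # constructed: expected site
    "https://wisc.edu.login.example/",  # constructed: lookalike host
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, url_warnings(sample, "wisc.edu"))
```

Pop-ups and spelling or grammar errors on the page itself cannot be judged from the URL alone, so those two signs are left to the reader.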
17. Can You Spot the Issue Here
18. Combat Phishing Attempts
• Never give away personal information, especially username and password
• Don’t let curiosity get the best of you
• Look for the telltale signs we have discussed today
• There are no situations which justify exceptions
• If something sounds too good to be true…
20. Discussion
• Odd use of the English language
• Email references a service which you
may never have heard of, and do not use
• There is a sense of urgency in the email
• There is a direct threat of implications, if
you do not act immediately
21. What Do You Think? Can You Spot the Phish?
Subject: Secure Account Notification
Date: February 20, 2014
Blackboard
Secure Account Notification
A suspicious activity has been detected. For your safety,
your account access has been suspended.
Please re-activate your account immediately by clicking
on the "Re-Activate My Account" link provided below:
<Re-Activate My Account>
We are sorry for any inconveniences caused as your
safety is important to us.
Thank you,
Blackboard System Notifications.
22. Discussion
• A punishment has been specified for
previous actions, making you feel
guilty
• A sense of urgency of action on your
part is asked for
• A context aware attack is used,
referencing Blackboard, a commonly
used software package, in higher
education
23. What Do You Think? Can You Spot the Phish?
Subject: Web!User
Date: February 19, 2014
Dear Web!User,
We are under urgent upgrade service you are require to
upgrade account by via hxxp://servacc.0ad.info/
System Administrator
Web! Techs.
24. Discussion
• Poor English grammar usage
• Sense of urgency implied
• Refers to you by some odd generic
name “web user”
25. What Do You Think? Can You Spot the Phish?
Subject: Apple Customer Alert!
Date: February 18, 2014
Dear Apple Customer,
Please confirm your identity today or your account will
be Disabled due to concerns we have for the safety and
integrity of the Apple Community.
To confirm your identity, we recommend Click here
Regards,
Apple Customer Service.
26. Discussion
• Sense of urgency contained in email
• You have been made to feel guilty
• Context aware reference for all Apple
users
• Threat of account disabling if you do
not act
27. What Do You Think? Can You Spot the Phish?
Subject: RE: Faculty Staff & Employee Mailbox Upgrade
Date: January 21, 2014
Dear Faculty Staff & Employee Email Subscribers
Welcome to 2014 Academic Season
Your Email Account have been put on-hold by our
server,you can no longer
send or receive emails,to avoid this kindly click on the
link UPGRADE to submit your
old account for New to enable you to send and receive
emails
Thank You
ITS Service Provider Team
28. Discussion
• Socially aware email appears to be
familiar with your association with
the university as a faculty or staff
member
• Odd use of English language
• Sense of moderate urgency implied
29. What Do You Think? Can You Spot the Phish?
Subject: ACH Notification
Date: October 9, 2013
Attached is a summary of Origination activity
for 10/09/2013
If you need assistance please contact us via e-
mail during regular business hours.
Thank you for your cooperation.
30. Discussion
• References commonly known “ACH”
term, which is familiar to people who
deal with accounts payable and
accounts receivable
• Plays on your sense of curiosity, to
learn more….(What account is this?
How much do I owe?)
• Email is intentionally vague
31. What Do You Think? Can You Spot the Phish?
Subject: Court attendance notification #ID608
Date: January 9, 2014
From: Illegal software
Sent: Thursday, January 09, 2014 1:18 AM
Subject: Court attendance notification #ID608
Warrant to appear,
Please be informed that you are expected
in the Court of Georgia on February 2nd, 2014 at 9:30 a.m.
where the hearing of your case of illegal software use will take place.
You may obtain protection of a lawyer, if necessary.
Please bring your identity documents to the Court on the named day.
Attendance is compulsory.
The detailed plaint note is attached to this letter, please download and
read it thoroughly.
Court clerk,
LANE Pruitt
32. Discussion
• Context issues: You don’t live in
Georgia and have not been there
recently (warning sign)
• You are made to feel guilty for some
previous action which you supposedly
engaged in
• A sense of urgency is implied
• The email may appeal to your sense
of curiosity
33. What Do You Think? Can You Spot the Phish?
Subject: Scanned Image from a HP Digital Device
Date: June 19, 2013
Please open the attached document. This document
was digitally sent to you using an HP Digital
Sending device.
To view this document you need to use the Adobe
Acrobat Reader.
34. Discussion
• Lots of context aware references in
this email….Almost all of us use HP
printers and Adobe Acrobat reader,
on our computer. Do not let your
guard down simply because of some
familiar references
• This email appeals to your curiosity
to see what is in the attachment…
Don’t fall for it!
36. Discussion
• Context aware attack, for those who
have a Chase credit card. An immediate
red flag for those who do not
• A punishment has been applied, which
will harm your ability to engage in credit
card transactions, instilling a sense of
fear
• The email is so vague, it makes you
curious to learn more by clicking on a
link
37. What Do You Think? Can You Spot the Phish?
Subject: Microsoft Security Update
Date: August 10, 2012
Dear Window Users,
You have a urgent windows security alert. A deadly virus that
can replicate itself was detected yesterday on one of our
servers. You are to download the latest windows defender from
the below link to prevent your hard drive from getting
damanged. CLICK HERE to log in with your email and
download the updated version.
Windows Security Team
38. Discussion
• A sense of urgency is explicit in this
email
• A sense of guilt, for some action you did,
is present
• Context aware for Microsoft users…For
others, the Microsoft reference should
be a red flag
• Requires you to click on something to fix
the problem. Note, in reality, most such
maintenance is performed by your
network administrator and should not
require action on your part.
39. What Do You Think? Can You Spot the Phish?
Subject: Photos
Date: August 13, 2012
Hi, as promised your photos -
hxxp://127.0.0.1/badstuff.htm
40. Discussion
• Context aware. At some point, most
of us have received links to pictures,
sent by friends, through email, so are
fooled into thinking that this email
could apply to you
• The email is intentionally vague,
making you curious to learn more…
Don’t fall for the click!
41. What Do You Think? Can You Spot the Phish?
Subject: NetTeller Watch Notice
Date: July 2, 2012
The following ACH batch has been initiated:
Confirmation number: 0829703846
Category: MONTHLY PAYROLL
Effective Date: 7/03/12
Debits: $.00 Credits: $40,866.29
Class Code: PPD
Offset Account: CHECKING
For details, please log in to your NetTeller account.
Click here to access NetTeller account
NOTE: Some web browsers do not open a new window when the above link is
clicked. If you find that a new window did not open, please check the
other open browsers on your computer.
42. Discussion
• Appeals to human nature of wanting
to believe we can get something for
nothing…In this case $40,866.29, to
be specific
• Since you were not expecting a
windfall of money, this email appeals
to your sense of curiosity, to click and
learn what it is all about
• You don’t have a Net Teller account,
so this should be a red flag.
43. Curiosity Killed the Cat!
Lack of Curiosity Killed the Phish!
Nicholas Davis
ndavis1@wisc.edu