Social Engineering in Security

Presentation transcript:

Social Engineering in Security. Dr. Neminath Hubballi, IIT Indore. © Neminath Hubballi

What is Social Engineering? How many of you have received emails of this type?

What is Social Engineering? Social engineering is the art of manoeuvring or fooling people into giving up useful information that can then be used to compromise systems. It relies on deception: tricking someone into doing what you want him or her to do. Why attackers use social engineering: it is economical, and it works regardless of the technical security mechanisms in place.

A Quote from Kevin Mitnick “You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

Elicitation. People like to talk to those who speak nicely to them, and they reveal more than necessary. Elicitation techniques: praise the target; make a deliberate false statement (the target corrects it with the true one); feign ignorance so the target explains; express mutual interest; bracketing (offer a high and a low estimate so the target supplies the exact figure).

Why Elicitation Works. People want to be polite, people want to show off their skills, and people expect to be praised.

Phishing Attacks. Phishing is a form of social engineering attack, but not every social engineering attack is phishing. The phisher mimics the communication style and appearance of a legitimate company. The first phishing incidents appeared in 1995. Attractive targets include financial institutions, the gaming industry, social media and security companies.

Phishing Attacks. The word is made up of Phreaking + Fishing = Phishing. Phreaking: making phone calls for free, back in the 1970s. Fishing: attracting the fish to bite. There are a lot of fish in the pond; lure them to come and bite; those who bite become victims. (Image courtesy: Google Images)

Phishing Information Flow. Three roles: the mail sender, who sends a large volume of fraudulent emails; the collector, who gathers the sensitive information that victims submit; and the casher, who turns the collected information into cash. (Diagram courtesy: Junxiao Shi and Sara Saleem)

How is Phishing Done? By sending spam emails in very large volumes.

Phishing Forms. Misspelled URLs: www.sbibank.statebank.com, www.micosoft.com, www.mircosoft.com. Misleading anchor text and HTML redirection: the visible text of a link and its href are independent, so the page can display one URL while the browser goes to another:
<a href="http://phisher-host.example/">http://www.bank.example/</a>
The user sees only "http://www.bank.example/". Obtaining valid certificates for illegal sites: the certifying authority is not alert, and users often overlook certificate warnings anyway. Offering cheap products. Creating fake URLs and sending them out.

Types of Phishing Attacks. Clone phishing: the phisher copies a legitimate email, reusing its content and the sender's and recipients' addresses. Spear phishing: targeting a specific group of users who all have something in common, e.g. all faculty members of SGSITS. Phone phishing: call someone up, say you are from the bank, and ask for the password because "maintenance" is needed; VoIP makes this easy and cheap. Whaling: senior executives are targeted.

Phishing Attack Success. Send 100,000 emails and get a response rate of 1%: that is 1,000 people who respond, i.e. 1,000 bank accounts or credit cards that could be drained or used illegally. If each account is drained of Rs 500, that is half a million rupees.

Email Spoofing for Phishing. A spoofed email conceals its true source: it appears to come from, e.g., customercare@sbi.com when it actually comes from somewhere else. The email says the user's bank account needs to be verified urgently; when she believes it, she sends her credit card number or gives her password. Sending spoofed email is very easy, because plain SMTP does not verify the From header, and there are many ready-made spoof-mail generators.

Sample Email

Case Study of Email Password Reset Attack

Phishing Today. Bots are used to perform large-scale activity, acting as relays for sending spam and phishing emails. Phishing kits: ready to use, containing clones of many banks' and other websites. Email tricks: the complete email is a JPEG image, so text filters see nothing; suspicious parts of the URL are given the same colour as the background; font differences are exploited, substituting uppercase "I" for lowercase "l" and the digit zero for uppercase "O"; the first four digits of the credit card number are quoted to look authentic, although they identify the issuer and are not unique to the customer.

Phishing Today. Uncommon encoding mechanisms in URLs. Cross-site scripting: a legitimate site that accepts user input without a sanity check is vulnerable, and the phisher's content then appears under the trusted site's own domain. Fake banner advertisements.

Phishing Today. Dynamic code: phishing emails contain links to sites whose content changes; when the email arrived at midnight the link was harmless, but by the next day, when you clicked it, the page had turned malicious. Numbers (IP addresses) in URLs instead of hostnames. Targeted email: gather enough information about the user from social networking sites, send a targeted email using that knowledge, the unsuspecting user clicks the link, the attacker takes control of the recipient's machine (backdoor, trojan) and steals or harvests credentials.
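The link tricks listed on the Phishing Forms and Phishing Today slides (misspelled and look-alike domains, digit-for-letter substitutions, anchor text that differs from the href, raw IP addresses in place of hostnames, URL fragments coloured to match the background) can all be checked mechanically before a user ever sees the mail. The following Python script is an added example, not code from the lecture; the brand list, the sample email body and the rule that the registrable domain is the last two labels of the host are assumptions made for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED_DOMAINS = ["microsoft.com", "paypal.com"]   # constructed brand list (assumption)
# Digit-for-letter look-alikes are folded before comparing; "I" for "l" and plain
# misspellings are caught by the edit-distance check after lower-casing.
DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+(?:/|$)", re.I)


class AnchorCollector(HTMLParser):
    """Collect every <a> with its href, its visible text and the styles applied inside it."""

    def __init__(self):
        super().__init__()
        self.anchors, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "styles": []}
        if self._current is not None and attrs.get("style"):
            self._current["styles"].append(attrs["style"])

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def levenshtein(a, b):
    """Edit distance: mircosoft.com vs microsoft.com is 2, micosoft.com vs microsoft.com is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    # Assumption: last two labels; multi-part TLDs such as co.in are not handled here.
    return ".".join(host.lower().split(".")[-2:])

def is_hidden(style):
    """True if an inline style hides text: colour equal to the background, or display:none."""
    props = {k.strip().lower(): v.strip().lower() for k, v in
             (d.split(":", 1) for d in style.split(";") if ":" in d)}
    if props.get("display") == "none":
        return True
    background = props.get("background-color") or props.get("background")
    return bool(background) and props.get("color") == background

def check_link(anchor):
    """Return the reasons an anchor looks like a phishing link (empty list if clean)."""
    reasons = []
    host = (urlparse(anchor["href"]).hostname or "").lower()
    if not host:
        return reasons
    try:
        ipaddress.ip_address(host)                      # numeric host instead of a name
        reasons.append("ip_address_host")
    except ValueError:
        pass
    actual = registrable_domain(host)
    folded = registrable_domain(host.translate(DIGIT_HOMOGLYPHS))
    for brand in PROTECTED_DOMAINS:
        if actual == brand:                             # the genuine domain
            continue
        if host.startswith(brand + ".") or "." + brand + "." in host:
            reasons.append(f"brand_in_subdomain:{brand}")   # e.g. paypal.com.evil.example
        elif levenshtein(folded, brand) <= 2:
            reasons.append(f"lookalike_domain:{brand}")
    text = anchor["text"].strip()
    if URL_LIKE.match(text):                            # the visible text itself looks like a URL
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown_host and registrable_domain(shown_host) != actual:
            reasons.append("anchor_text_url_mismatch")
    if any(is_hidden(style) for style in anchor["styles"]):
        reasons.append("hidden_text")
    return reasons

def triage(html):
    """Map each suspicious href in an HTML body to its list of reasons."""
    parser = AnchorCollector()
    parser.feed(html)
    return {a["href"]: r for a in parser.anchors if (r := check_link(a))}


# Constructed sample body using the tricks from the slides (not a real email).
SAMPLE_EMAIL = """
<a href="http://203.0.113.5/login">http://www.microsoft.com/account</a>
<a href="http://www.mircosoft.com/verify">Verify now</a>
<a href="http://paypal.com.security-check.example/">Pay<span style="color:#fff;background-color:#fff">pal</span> login</a>
<a href="https://www.microsoft.com/">Microsoft home</a>
"""
```

Calling triage(SAMPLE_EMAIL) flags the first three links (numeric host plus anchor-text mismatch, look-alike of microsoft.com, brand name in a subdomain plus hidden text) and leaves the genuine microsoft.com link alone. The edit-distance threshold of 2 is deliberately loose for a two-brand list; against a long brand list it would need tightening or a per-brand allow-list to keep false positives down.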

Social Networks. Social engineering through social networks: sextortion; showing attractive or scary messages.

Watering-hole Attack. Exploit a vulnerability in a well-known website that the intended victims visit, and install malicious software there. Mitigation: beef up the site's security; install anomaly detection / intrusion detection systems.

Shoulder Surfing. Watching from behind as someone types a password or PIN.

Dumpster Diving. Recovering discarded documents and media from the trash.

How to Protect Yourself. Be careful about online transactions. Never click on something sent by somebody you do not know. Use anti-virus software.

Enterprise-Level Protection. Collect data from users about the emails they receive and the website links in them. Why should anyone give you such data? It is in her interest too, and incentives help. Analyse spam emails for keywords: "click on the link below", "enter user name password here", "account will be deleted", etc. Personalise emails: every email should quote some secret that proves the sender's identity, e.g. the phrase "Dear Dr. Neminath" instead of "Dear Customer", or a reference to the timing of the previous email.
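The checks described on the Email Spoofing slide and under Enterprise-Level Protection (the From header against the domain that really sent the mail, a generic salutation instead of a personalised one, the keyword list) can be run over a raw message with Python's standard email module. This is an added example and not code from the lecture; the two sample messages, the phrase list and the Authentication-Results values are constructed for it, with the spoofed one imitating the slide's customercare@sbi.com scenario.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Phrases from the slide plus two more (constructed list for this example).
SUSPICIOUS_PHRASES = [
    "click on the link below",
    "enter user name password",
    "account will be deleted",
    "verify your account",
    "urgently",
]
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")


def domain_of(header_value):
    """Domain part of an address header value, '' if there is none."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Parse Authentication-Results into {method: result}, e.g. {'spf': 'fail'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:       # clause 0 is the authserv-id
            method, _, rest = clause.strip().partition("=")
            if rest:
                results[method.lower()] = rest.split()[0].lower()
    return results


def score_message(raw):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    from_domain = domain_of(msg["From"])                 # what the user sees
    envelope_domain = domain_of(msg["Return-Path"])      # where bounces really go
    if envelope_domain and envelope_domain != from_domain:
        reasons.append(f"sender_mismatch:{from_domain}!={envelope_domain}")
    for method, result in auth_results(msg).items():
        if result in ("fail", "softfail", "none", "permerror"):
            reasons.append(f"{method}_{result}")
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    first_line = next((l.strip() for l in body_text.splitlines() if l.strip()), "")
    if first_line.lower().startswith(GENERIC_SALUTATIONS):
        reasons.append("generic_salutation")
    text = (str(msg["Subject"] or "") + "\n" + body_text).lower()
    reasons.extend(f"phrase:{p}" for p in SUSPICIOUS_PHRASES if p in text)
    return reasons


# Constructed messages (not real mail). SPOOFED imitates the slide's fake
# customercare@sbi.com notice; GENUINE shows a personalised, authenticated notice.
SPOOFED = b"""\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail header.from=sbi.com
From: "SBI Customer Care" <customercare@sbi.com>
To: faculty@example.com
Subject: Your account needs to be verified urgently
Content-Type: text/plain; charset=utf-8

Dear Customer,

Your account will be deleted unless you verify your account within 24 hours.
Click on the link below and enter user name password here.
"""

GENUINE = b"""\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
To: faculty@example.com
Subject: Statement for March is ready
Content-Type: text/plain; charset=utf-8

Dear Dr. Neminath,

As mentioned in our message of 2 March, your statement is now available in the app.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("GENUINE", GENUINE)):
        print(name, score_message(raw))
```

The header checks rely on Authentication-Results being written by your own receiving mail server; an attacker can insert a fake one upstream, so production filters strip any such header not carrying their own authserv-id before trusting it. The keyword and salutation checks are the cheap, noisy layer the slide describes and are best used to raise a score rather than to block on their own.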

What Banks Are Doing to Protect against Phishing. Banks and their customers lose crores of rupees every year. Banks hire professional security agencies that constantly monitor the web for phishing sites; regularly warn users to be alert and not fall prey; use state-of-the-art security software and hardware; and maintain whitelists and blacklists of phishing sites.

Money Laundering. Phishing lets you make money, but many banks do not allow transfers to foreign banks without scrutiny. How does the phisher stay undetected? By laundering the money. How: offer jobs to needy people, ask them to open accounts in the same bank, put the money into their accounts, and ask them to keep a small commission and transfer the rest to your account in Nigeria.

Thanks for your time