Fall 2011. 2 Phishing - attempt to acquire sensitive information, like bank account information or an account password, by posing as a legitimate entity.


1 Fall 2011


3
- Phishing - attempt to acquire sensitive information, like bank account information or an account password, by posing as a legitimate entity in an electronic communication
- Spear phishing - a phishing scam that targets a specific audience
- Scareware - tries to trick you into responding by using shock, anxiety or threats (“reply with your password now or we’ll shut down your email account tomorrow”)
- Social engineering - manipulating or tricking people into divulging private information (as opposed to using technical hacking techniques)

4
1. Bad guy sends email: “There is a problem with your eBuy account”
2. User clicks on the email link to www.ebuj.com; the page asks for a password
3. User thinks it is ebuy.com, enters eBuy username and password
4. Password sent to bad guy

5
- Email: Phishing e-mails can appear to come from legitimate institutions such as your bank, e-commerce site, credit card company, etc., but they really come from a criminal trying to steal information
- Web Site: If you follow a link from an email or from an untrustworthy web site, it may take you to a site clone that records your information before logging you into the real site
- IM: With IM phishing, you will get an IM from someone claiming to be support for your IM provider, asking you for account information

6 Federal Trade Commission (FTC) tracks and reports on identity theft
- Affects more than 10 million people every year
- Annual cost to the economy of $50 billion
The Anti-Phishing Working Group reports that the frequency of phishing attacks increases 24% every month.


11
- A statement that there is a problem with the recipient’s account at a financial institution or other business. The email asks the recipient to visit a web site to correct the problem, using a deceptive link in the email.
- A statement that the recipient’s account is at risk, and offering to enroll the recipient in an anti-fraud program.

12
- A fictitious invoice for merchandise, often offensive merchandise, that the recipient did not order, with a link to “cancel” the fake order.
- A fraudulent notice of an undesirable change made to the user’s account, with a link to “dispute” the unauthorized change.
- A claim that a new service is being rolled out at a financial institution, and offering the recipient, as a current member, a limited-time opportunity to get the service for free.


15 Credit: Collin Jackson

16 Phishing email sent portraying Bank of America, Military Bank
- Entices the user to complete a survey and receive a $20 or $25 credit

17 Spear phishing scam received by Kansas State University in January 2010

18 The malicious link in the scam email took the recipient to an exact replica of Kansas State’s single sign-on web page, hosted on a server in the Netherlands, that would steal their eID and password if they entered them and clicked “Sign in”.

19
- Generic greeting
- Fake sender’s address
- False sense of urgency
- Fake web links
- Deceptive web links: the email requires that you follow a link to sign up for a great deal, or to log in and verify your account status, or encourages you to view/read an attachment
- Misspellings and bad grammar

20 Characteristics of scam email
- Poor grammar and spelling
- The “Reply-to:” or “From:” address is unfamiliar
- Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
- It asks for private information like a password or account number, or tries to get you to click on a link that takes you to a web form that asks for the info
- The message contains a link where the displayed address differs from the actual web address
- Does not provide explicit contact information (name, address, and phone #, or a website) for you to verify the communication. A good example is the spear phishing scam that tries to steal your password and is signed only by “Webmail administrator”
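Two of the warning signs on this slide can be checked mechanically: a link whose displayed address differs from the actual web address behind it, and a link whose real target is a near-miss spelling of a legitimate domain (the deck’s www.ebuj.com posing as ebuy.com). The following is an added example, not part of the original slides; it scans a constructed HTML message body and assumes that ebuy.com is the institution’s real domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body, modelled on the deck's ebuy.com / ebuj.com story.
SAMPLE_HTML = """<a href="http://www.ebuj.com/login">www.ebuy.com</a>
<a href="https://www.ebuy.com/help">Help Center</a>
<a href="http://198.51.100.7/verify">https://secure.ebuy.com/verify</a>"""
LEGITIMATE_DOMAINS = {"ebuy.com"}  # assumption: the institution's real domain(s)

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(url_or_host):
    u = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return ".".join((urlparse(u).hostname or "").lower().rstrip(".").split(".")[-2:])  # naive: last two labels

def edit_distance(a, b):  # Levenshtein distance; 1-2 marks a one-letter lookalike such as ebuj.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_links(html, legit=LEGITIMATE_DOMAINS):
    """Return [(href, shown_text, reasons)] for links matching the slide's warning signs."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual, reasons = registrable_domain(href), []
        # Sign 1: the displayed address differs from the actual web address behind it.
        if text.startswith(("http://", "https://", "www.")) and registrable_domain(text) != actual:
            reasons.append("displayed address differs from actual link target")
        # Sign 2: the real target is a near-miss spelling of the legitimate domain.
        reasons += [f"lookalike of {d}" for d in legit if actual != d and edit_distance(actual, d) <= 2]
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

The second link is left alone because its visible text is not an address and its target really is ebuy.com; the first and third are flagged.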

21
- Create a bank page advertising an interest rate slightly higher than any real bank; ask users for their credentials to initiate a money transfer
  - Some victims provided their bank account numbers to “Flintstone National Bank” of “Bedrock, Colorado”
- Exploit the social network
  - Spoof an email from a Facebook or MySpace friend
  - In a West Point experiment, 80% of cadets were deceived into following an embedded link regarding their grade report from a fictitious colonel

22
- Reconstructed the social network by crawling sites like Facebook, MySpace, LinkedIn, Friendster
- Sent 921 Indiana University students a spoofed email that appeared to come from their friend
- Email redirected to a spoofed site inviting the user to enter his/her secure university credentials
  - Domain name clearly distinct from indiana.edu
- 72% of students entered their real credentials into the spoofed site (most within the first 12 hrs)
- Males more likely to do this if the email is from a female

23
- DON’T CLICK THE LINK
  - Type the site name in your browser (such as www.paypal.com)
- Never send sensitive account information by e-mail
  - Account numbers, SSN, passwords
- Never give any password out to anyone
- Verify any person who contacts you (phone or email). If someone calls you on a sensitive topic, thank them, hang up and call them back using a number that you know is correct, like from your credit card or statement.

