Social Engineering in Security
Dr. Neminath Hubballi, IIT Indore
IIT Indore © Neminath Hubballi
What is Social Engineering?
How many of you have received emails of this type?
What is Social Engineering?
Social engineering is the art of manoeuvring or fooling people into giving up useful information that can then be used to compromise systems.
Deception: tricking someone into doing what you want him/her to do.
Why social engineering attacks?
- Economical
- It works irrespective of the security mechanisms in place
A Quote from Kevin Mitnick
“You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
Elicitation
People like to talk to those who speak nicely, and they reveal more than necessary.
Elicitation means:
- Praising the target
- Deliberate false statements
- Artificial ignorance
- Expressing mutual interest
- Bracketing
Why Elicitation Works
- People want to be polite
- People want to show their skills
- People expect to be praised
Phishing Attacks
Phishing is a form of social engineering attack, but not all social engineering attacks are phishing attacks!
- Mimic the communication and appearance of legitimate communications and companies
- The first phishing incident appeared in 1995
- Attractive targets include financial institutions, the gaming industry, social media and security companies
Phishing Attacks
The word is made up of Phreaking + Fishing = Phishing
- Phreaking = making phone calls for free back in the 70's
- Fishing = attracting the fish to bite: there are a lot of fish in the pond; lure them to come and bite; those who bite become victims
(Image courtesy: Google Images)
Phishing Information Flow
Three components:
- Mail sender: sends a large volume of fraudulent emails
- Collector: collects sensitive information from users
- Casher: uses the collected sensitive information to encash it
Courtesy: Junxiao Shi and Sara Saleem
How is Phishing Done
Sending large volumes of spam emails
Phishing Forms
- Misspelled URLs
- Creating anchor text and HTML redirection: <a href="anchor text">Link Text</a> is displayed only as Link Text, so the visible text need not match the destination
- Getting valid certificates for illegal sites: the certifying agency not being alert; sometimes users overlook security certificate warnings
- Offering cheap products
- Creating fake URLs and sending them
Types of Phishing Attacks
- Clone phishing: the phisher creates a clone of a legitimate email, done by getting its contents and the addresses of the recipients and sender
- Spear phishing: targeting a specific group of users who all have something in common, e.g. targeting all faculty members of SGSITS
- Phone phishing: call up someone and say you are from the bank; ask for the password saying you need to do maintenance. Use of VoIP makes this easy
- Whaling: senior executives are targeted
Phishing Attack Success
Send 100,000 emails and get a response rate of 1%. That's 1,000 people that respond! That's 1,000 bank accounts or credit cards that could be drained or used illegally. If each account is drained of 500, that is half a million rupees!
Email Spoofing for Phishing
An email concealing its true source, e.g. one that appears to come from one place when it is actually coming from somewhere else.
- Send an email saying your bank account needs to be verified urgently
- When the user believes it, she sends her credit card number or gives her password
Sending spoofed email is very easy: there are so many spoof mail generators.
Sample Email
Case Study of Email Password Reset Attack
Phishing Today
- Use bots to perform large-scale activity: relays for sending spam and phishing emails
- Phishing kits: ready to use, containing clones of many banks' and other websites
- Emails as JPEG images: the complete email is an image
- Suspicious parts of a URL may have the same colour as the background
- Use of font differences: substituting uppercase "I" for lowercase "l", and the number zero for uppercase "O"
- Use of the first 4 digits of a credit card number, which are not unique to the customer
Phishing Today
- Uncommon encoding mechanisms
- Cross-site scripting: sites that accept user input without sanity checks are vulnerable
- Fake banner advertisements
Phishing Today
- Dynamic code: phishing emails contain links to sites whose contents change; when the email came in at midnight the site was ok, but the next day when you clicked, it was vulnerable
- Numbers (IP addresses) in URLs
- Use of targeted emails:
  1. Gather enough information about the user from social networking sites
  2. Send a targeted email using the knowledge from the previous step
  3. The unsuspecting user clicks on the link
  4. The attacker takes control of the recipient's machine (backdoor, trojan)
  5. Steal / harvest credentials
Social Networks
Social engineering through social networks:
- Sextortion
- Showing attractive or scary messages
Waterholing Attack
- Exploit a vulnerability in a well-known website and install malicious software there
Mitigation:
- Beef up the security
- Install an anomaly detection / intrusion detection system
Shoulder Surfing
Seeing what someone types or views by looking from behind
Dumpster Diving
How to Protect Yourself
- Be careful about online transactions
- Never click on something sent by somebody whom you do not know
- Use anti-virus software
Enterprise Level Protection
- Collecting data from users: about emails received, website links
  Why should anyone give you such data? Her own interest is also involved; incentives
- Analyzing spam emails for keywords: "click on the link below", "enter user name password here", "account will be deleted", etc.
- Personalization of emails: every email should quote some secret that proves the sender's identity, e.g. the phrase "Dear Dr. Neminath" instead of "Dear Customer", or referring to the timing of the previous email
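As an added defender-side example (editor's code, not from the lecture), the checks described under Phishing Forms and Phishing Today together with the keyword analysis on this slide, run over a constructed mail body: anchor text that hides a different destination, IP-address hosts, the uppercase-I / zero look-alike substitutions, and the listed phrases. The trusted hostnames and the sample message are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"mybank.example", "paypal.example"}  # hypothetical allowlist
SUSPICIOUS_PHRASES = ("click on the link below", "enter user name password", "account will be deleted")
HOMOGLYPHS = str.maketrans({"I": "l", "0": "o", "1": "l"})  # undo I-for-l, 0-for-o, 1-for-l

class LinkExtractor(HTMLParser):  # collects (href, visible text) pairs from <a> elements
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_findings(href, text):
    # netloc keeps the case as written, which the look-alike check relies on
    host, findings = urlparse(href).netloc.split("@")[-1].split(":")[0], []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-address host")
    shown = re.match(r"https?://([^/\s]+)", text)  # anchor text that looks like a URL
    if shown and shown.group(1).lower() != host.lower():
        findings.append("anchor text points elsewhere")
    undone = host.translate(HOMOGLYPHS).lower()
    if host.lower() not in TRUSTED_HOSTS and undone in TRUSTED_HOSTS:
        findings.append(f"lookalike of {undone}")
    return findings

def scan_message(html):
    """Return (indicator, detail) pairs for one HTML mail body."""
    parser = LinkExtractor()
    parser.feed(html)
    report = [(f, href) for href, text in parser.links for f in link_findings(href, text)]
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    return report + [("suspicious phrase", p) for p in SUSPICIOUS_PHRASES if p in plain]

# Constructed sample body carrying the tricks the slides describe.
SAMPLE = """<p>Dear Customer, your account will be deleted unless you act.</p>
<p>Please <a href="http://203.0.113.7/verify">click on the link below</a>:
<a href="http://paypaI.example/login">https://mybank.example/login</a></p>
<a href="https://mybank.example/help">Help centre</a>"""
```

Calling scan_message(SAMPLE) flags the IP host, the mismatched anchor text, the look-alike domain and two of the listed phrases; the genuine help link produces nothing.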
What Banks are Doing to Protect from Phishing
- Banks and their customers lose crores of rupees every year
- They hire professional security agencies who constantly monitor the web for phishing sites
- Regularly alert the users "to be alert" and not to fall prey
- Use the best state-of-the-art security software and hardware
- Whitelists and blacklists of phishing sites
Money Laundering
Phishing allows you to make money, but many banks do not allow money transfers to foreign banks just like that. How to stay undetected? Launder the money.
How the money is laundered:
- Offer jobs to needy people
- Ask them to open accounts in the same bank
- Put money into their accounts
- Ask them to take a small commission and transfer the rest to the phisher's account in Nigeria
Thanks for your time