Slide 1: A Brief History of Semantic Attacks, or How Not to Get Screwed Online
Serge Egelman
CMU Usable Privacy and Security Laboratory, http://cups.cs.cmu.edu/

Slide 2: Background
- Disinformation
- Social Engineering
- Human, *not* technical problem
- Physical World Variants

Slide 3: Types of Scams
- Phishing
- 419 Scam (“Nigerian Scam”)
- Check Fraud
- Overpayment Scam
- Pump-and-Dump

Slide 4: Phishing
- Stealing personal information
  - Authentication information
  - Social Security Numbers
  - Account numbers
- Perpetrated via email
  - “Account update”
  - “Verify your information”
- Fake websites
- Pharming

Slide 5: Phishing Statistics
- Countries of Origin
  - United States - 32.07%
  - Republic of Korea - 15.39%
  - France - 6.55%
  - China - 6.40%
  - United Kingdom - 4.06%
  - Germany - 3.85%
  - Spain - 3.81%
  - Japan - 3.05%
  - Italy - 2.48%
Slide 12: Phishing Countermeasures
- Manual
  - Check URLs
  - Examine certificates
  - Never click
- Automated
  - Spam filters
  - Challenge/response
  - Browser plugins

Slide 13: Phishing Toolbars: Clear Search
- Scans email using heuristics

Slide 14: Phishing Toolbars: Cloudmark
- Community ratings

Slide 15: Phishing Toolbars: eBay Toolbar
- Community ratings

Slide 16: Phishing Toolbars: SpoofGuard
- URL analysis
- Password analysis
- Image analysis
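As an added example (not code from the original slides, nor SpoofGuard's own implementation), the Python function below applies the kind of URL heuristics behind the "Check URLs" advice on slide 12 and SpoofGuard's URL analysis on slide 16: non-HTTPS scheme, userinfo before an '@', a raw IP host, and a trusted brand name appearing somewhere other than the registrable domain. The brand list and the sample URLs are assumptions constructed for the demo.

```python
"""URL heuristics of the kind a phishing toolbar applies before a user clicks.

Added example, not code from the original slides or from SpoofGuard itself.
The brand list is a hypothetical stand-in for the sites a user has accounts with.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical list of domains the user actually does business with.
KNOWN_BRANDS = {"paypal.com", "ebay.com", "bankofamerica.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_warnings(url: str) -> list[str]:
    """Return the reasons a URL looks suspicious; an empty list means no flag raised."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https: no certificate to examine")
    if "@" in parts.netloc:
        # Text before '@' is userinfo, not the host, so the displayed name is not the destination.
        warnings.append("userinfo before '@' hides the real host")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
        warnings.append("raw IP address instead of a hostname")
    except ValueError:
        is_ip = False
    domain = host if is_ip else registrable_domain(host)
    # A trusted brand name anywhere except as the registrable domain itself
    # (e.g. paypal.com.example.net, or in the path) is a lookalike, not the brand.
    haystack = parts.netloc.lower() + parts.path.lower()
    for brand in sorted(KNOWN_BRANDS):
        name = brand.split(".")[0]
        if domain != brand and name in haystack:
            warnings.append(f"mentions {name} but is hosted on {domain or '(no host)'}")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs for the demo (203.0.113.0/24 is a documentation range).
    for sample in ("https://www.paypal.com/signin",
                   "https://paypal.com.secure-login.example/update",
                   "http://www.paypal.com@203.0.113.5/login"):
        print(sample, "->", url_warnings(sample) or "no warnings")
```

Slide 19's figures are a reminder that heuristics like these catch only a fraction of live phishing sites, so they complement rather than replace checking the certificate.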
Slide 17: Phishing Toolbars: Trustbar (Mozilla)
- Analyzes known sites
- Analyzes certificate information

Slide 18: Phishing Toolbars: Trustwatch
- Site ratings

Slide 19: But Do They Work?
- No
- 25 sites tested
  - Cloudmark: 10 (40%) identified
  - Netcraft: 19 (76%) identified
  - Spoofguard: 10 (40%) identified
  - Trustwatch: 9 (36%) identified
- Hardware Solutions
  - Too costly
  - Inconvenient

Slide 20: Trust Research
- User Studies
- Phishing Feeds
- User Training
  - Embedded training
  - Games
- Detection
  - Email
  - WWW
  - IM
Slide 22: 419 Scam (“Nigerian Scam”)
- Businessman needs to launder money
- Make you rich
- Requires upfront fees
- Sometimes more than money is lost
- Often perpetrated from Nigeria
  - Though now all over the world
Slide 24: Check Fraud
- Victim is selling something online
- Anxious buyer needs item immediately
  - Sends money order
  - Buyer must ship item after receiving check
- Check is a forgery
  - But item is already sent
- Example
  - P-P-P-Powerbook!

Slide 25: Overpayment Scam
- Check fraud variant
- Money order is far larger than sale price
  - “Oversight” by buyer
- Buyer needs check for the difference
- Original money order is forged

Slide 26: Pump-and-Dump
- Scammer invests in penny stock
- Sends messages hyping the stock
- People invest
  - Value goes up
- Scammer “dumps” the stock

Slide 27: Questions?