cscd 303penguin.ewu.edu/cscd303/coursenotes/cscd303-lecture7... · 2019-10-14 · cantina pilfer...
Post on 03-Jun-2020
1 Views
Preview:
TRANSCRIPT
CSCD 303Essential Computer SecurityFall 2019
Lecture 7 - Social Engineering1
- PhishingReading: Chapter 6
2
Overview
• Social Engineering
– Defined
• Humans as vulnerabilities
• Phishing
– What is it?
– What does it accomplish
– How to recognize it?
– Solutions to Phishing
3
Social Engineering
Social Engineering – Manipulating or tricking people into
divulging private information as opposed to using technical hacking techniques
– Or, getting them to use unauthorized devices to compromise themselves
– Using people as vulnerabilities into systems
4
Test Case of Human Vulnerabilities
June 2011, Bloomberg published results of a test conducted by U.S. Depart. of Homeland Security
To assess government’s vulnerability to unauthorized system access,
DHS dropped disks and USB drives in parking lots of government agencies and private contractors
What do you think happened?
5
Test Case of Human Vulnerabilities
Results 60 % of workers who found devices plugged
them into their office computers When device was imprinted with an official logo,
number of installations on office machines skyrocketed to 90 %
http://www.crn.com/blogs-op-ed/channel-voices/232200743/how-to-manage-the-weak-link-in-cybersecurity-humans.htm
6
The Individual User
Users…• Represent the largest installed base• Completely lack standards• Cannot be controlled centrally (or
otherwise)• Are only predictable in their
unpredictability• Cannot be redesigned• Basically, all of us !!!
7
What Exactly is Phishing?
Define Phishing
8
Phishing Scams Defined
• Phishing is a type of deception designed to steal your personal data - credit cards, passwords, account data, or other information
• Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust
• Your bank or credit card company, and request that you provide personal information.
9
More Phishing Definitions
Spear Phishing – a phishing scam that targets a specific audience
– Example: Kansas Statue University and is sent to K-State email addresses
Scareware - Tries to trick you into responding by using shock, anxiety or threats
– “Reply with your password now or we’ll shut down your email account tomorrow”
10
Socially aware attacks Mine social relationships from public data Phishing email appears to arrive from someone known Use spoofed identity of trusted organization to gain trust Urge victims to update or validate their account Threaten to terminate account if victims do not reply Use gift or bonus as a bait
Context-aware attacks “Your bid on eBay has won!” “The books on your Amazon wish list are on sale!”
Spear-Phishing: Improved Target Selection
11
General Patton is retiring next week, click here to say whether you can attend his retirement party
Phishing Becoming more SophisticatedTargeting Your Organization
Spear-phishing targets specific groups or
individuals
Type 1 – Uses info about your organization
12
Phishing Targeting Your Organization
Around 40% of people in experiments at CMU
would fall for emails like this (control condition)
13
Phishing Increasing in SophisticationTargeting You Specifically
Type 2 – Uses info specifically about you
Social Phishing• Might use information from social networking sites,
corporate directories, or publicly available data
• Ex. Fake email from friends or co-workers• Ex. Fake videos of you and your friends
14
Phishing Increasing in SophisticationTargeting You Specifically
Here’s a video I took of yourposter presentation.
15
Another Example:
What is wrong with this email, looks legitimate, right?
16
But wait…
WHOIS 210.104.211.21:
Location: Korea, Republic Of
Even bigger problem:
I don’t have an account with US Bank!
Images from Anti-Phishing Working Group’s Phishing Archive
17 17
Spear PhishingExampleKSU.edu
18 18
Spear PhishingExampleKSU.edu
19 19
ScarewareExample
20 20
ScarewareExample
21 21
Another Scareware Example
22 22
Another Scareware Example
23 23
Spear phishing scam received by K-Staters,January 2010If you clicked on the link…
24 24
Malicious link in scam email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands,that steals ID and password if they enter it and click “Sign in”Clicking on “Sign in” then took user to K-State’s home pageNote the URL – flushandfloose.nl, which is obviously not k-state.edu
25 25
Real SSOweb page –note “https”
Fake SSOweb page –site not secure (http,not https) andhosted in theNetherlands(.nl)
26 26
Real SSOweb page –Use the eIDverificationbadge tovalidate
Fake SSOweb page
27 27
Result of clicking on eID verification badge on the fake SSO web site, or any site that is not authorized to use the eID and password
28 28
Result of clicking on eID verification badge on a legitimate K-State web site that is authorized to use the eID and password for authentication
29 29
Real K-State Federal Credit Unionweb site
Fake K-State Federal Credit Union web site used in spear phishing scam
30
Phreaking + Fishing = Phishing- Phreaking = making phone calls for free back in 70’s- Fishing = Use bait to lure the target
Phishing in 1995Target: AOL usersPurpose: getting account passwords for free timeThreat level: lowTechniques: Similar names ( www.ao1.com for www.aol.com ), social engineering
Phishing in 2001Target: Ebayers and major banksPurpose: Getting credit card numbers, accountsThreat level: mediumTechniques: Same in 1995, keylogger
Phishing in 2007Target: Paypal, banks, ebayPurpose: bank accountsThreat level: highTechniques: browser vulnerabilities, link obfuscation
History of Phishing
31
• 2,000,000 emails are sent• 5% get to the end user – 100,000 (APWG)• 5% click on the phishing link – 5,000 (APWG)• 2% enter data into the phishing site –100 (Gartner)• $1,200 from each person who enters data (FTC)• Potential reward: $120,000
A bad day phishin’, beats a good day workin’
In 2005, David Levi made over $360,000 from 160 people using an eBay Phishing scam
Anti-phishing Working Grouphttp://www.antiphishing.org/
32
How Bad Is Phishing?Consumer Perspective Estimated ~0.5% of Internet users per year fall for phishing attacks Conservative $1B+ direct losses a year to consumers Bank accounts, credit card fraud Doesn’t include time wasted on recovery of funds, restoring computers, emotional uncertainty Growth rate of phishing 30k+ reported unique emails / month 45k+ reported unique sites / month Social networking sites now major targets
33
Social Media Phishing
Social Media Phishing When attackers use social networking sites like
Facebook, Twitter, and Instagram instead of email to obtain personal information or embed malicious links
Use social media to impersonate people known by the target
Create fake customer service accounts leading them to further compromise
Scams – Fake contests
https://inspiredelearning.com/blog/social-phishing/
34
How Bad Is Phishing?Perspective of Corporations
Direct damage Loss of sensitive customer data Loss of intellectual property
35
2018 Phishing Trends Intelligence Report Industry shift shows signs of switching from
primarily targeting individuals to targeting organizations
One-third of all phishing sites observed by end of 2017 were located on HTTPS domains
Attacks against targets in United States continues to grow, now accounting for more than 86% of all phishing attacks
https://info.phishlabs.com/hubfs/2018%20PTI%20Report/PhishLabs%20Trend%20Report_2018-digital.pdf
36
Why Do People Fall for Phishing?
Phishing has been around for years How come people still fall for it?
37
Research on PhishingCarnegie Mellon University Interviewed 40 Internet users including 35 non-
experts Conducted Mental models interviews
– Mental models included email role play and open ended questions … in 2006
Reference: J Downs, M. Holbrook, and L. CranorDecision Strategies and Susceptibility to Phishing.In Proc. of the 2006 Symposium On Usable Privacy and Security
38
Research on PhishingCarnegie Mellon University
Only 50% knew the meaning of term Phishing 85% were aware of lock icon Only 40% knew it was supposed to be there Only 35% had noticed https + knew what it means Only 55% noticed an unexpected or strange URL Only 55% reported being cautious when asked for sensitive financial info
Few reported being suspicious of being asked for passwords … was in 2006
Do you think there would be the same stats today?
39
Research on PhishingCarnegie Mellon University
Naïve Evaluation StrategiesMost strategies didn't help people in identifying
phishing
“ This email appears to be for me”
“ It's normal to hear from companies you do
business with”
“ Reputable companies will send emails” Knowledge of some scams didn't help identify other
scams
40
Determining Email Fraud and Protection Measures
41
Today's SolutionsNot so Successful Anti-phishing filters that rely on blacklists
and whitelists Usually not up to date and there are many false
positives Training
Websites and posters help some Spam Filters
Don't tend to catch phishing, emails look legitimate
42
More Successful Solutions Two Research Based Filters, CMU
Pilfer Cantina
Pilfer – Looks at other features than email textNumber of domains linked to emailLinks in email to other than the main domain
Cantina – Uses Content based approachCreates a fingerprint of a web pageSends fingerprint to search engineSees if web page is in search results
• If yes, then legitimate
43
Detecting Phishing Web Sites Industry uses blacklists to label phishing sites But blacklists slow to new attacks Idea: Use search engines Scammers often directly copy web pages But fake pages should have low PageRank on search engines Generate text-based “fingerprint” of web page keywords and send to a search engine
Y. Zhang, S. Egelman, L. Cranor, and J. Hong Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS 2007.
Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW 2007.
G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.
44
Human Training
Following slides provide common advice for identifying phishing or fraudulent emails ...
45
Look at few phrases to look for if you think an e-mail message is phishing scam
• "Verify your account" Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail
– If you receive an e-mail from anyone asking you to update your credit card information, do not respond:
– This is a phishing scam
• "If you don't respond within 48 hours, your account will be closed."These messages convey urgency so that you'll respond immediately without thinking
Human TrainingHow To Tell If An E-mailMessage is Fraudulent
46
Human TrainingHow To Tell If An E-mailMessage is Fraudulent"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name
"Click the link below to gain access to your account."• HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site
• Links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that link you see does not take you to that address but somewhere different, usually a phony Web site.
•How do you discover the link is fake?• Resting mouse pointer on link reveals the real Web address• String of cryptic numbers looks nothing like the company's Web address, which is a suspicious sign.
47
Con artists also use Uniform Resource Locators (URLs) that resemble name of well-known company but are slightly altered by adding, omitting, or transposing letters
For example, URL "www.microsoft.com" could appear instead as:
www.micosoft.com www.mircosoft.com www.verify-microsoft.com
Human TrainingHow To Tell If An E-mailMessage is Fraudulent
48
• Never respond to an email asking for personal information • Always check site to see if it is secure. Call phone number if necessary• Never click on link in email. Retype address in a new window• Keep your browser updated• Keep antivirus definitions updated• Use a firewall
P.S: Always shred your home documents before discarding them.
Human TrainingHow To Tell If An E-mailMessage is Fraudulent
49
Human TrainingAnti-Phishing Games Ok, traditional training doesn't work but ..
People like to play gamesTeach using a game
Results have shown thatMore people willing to play game than read People are better at identifying phishing after
playing the game Best known is Anti-phishing Phil from CMU
http://cups.cs.cmu.edu/antiphishing_phil/
50
Anti-Phishing Phil
A micro-game to teach people not to fall for phish
PhishGuru about email, this game about web browser
Also based on learning science principles You will get to Try the game! Description of the game is in the paper below
S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In SOUPS 2007, Pittsburgh, PA, 2007.
51
Anti-Phishing Phil
52
53
54
Evaluation of PhishGuru
Is embedded training effective? Study 1: Lab study, 30 participants Study 2: Lab study, 42 participants Study 3: Field trial at company, ~300 participants Study 4: Field trial at CMU, ~500 participants
Studies showed significant decrease in falling for phish and ability to retain what they learned
P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007
P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007
55
Anti-Phishing Phil: Study
Novices showed most improvement in false negatives (calling phish legitimate)
56
Anti-Phishing Phil: Study 2
Improvement all around for false positives (ignoring phishing )
57
Resources Wikipedia has a nice page on phishing
http://en.wikipedia.org/wiki/Phishing Phishing continues to plague Internet
Seriously affects consumers, businesses, governments
Criminals getting more sophisticated End-users can be trained, but only if done right
PhishGuru embedded training uses simulated phishing
Anti-Phishing Phil and Anti-Phishing Phyllis micro-games
Phishing at HoaxSlayerhttp://www.hoax-slayer.com/phisher-scams.html
Nice set of fishing examples with explanationshttp://www.hoax-slayer.com/phishing-scam-articles.shtml
Can read about Phishing Phil http:// www.wombatsecurity.com
58
Phishing Recources
DOD site on phishing https://public.cyber.mil/training/phishing-awareness/
PhishLabs Site https://www.phishlabs.com/
Infosec Institute Resources on Phishinghttps://resources.infosecinstitute.com/category/enterprise/phishing/phishing-countermeasures/top-16-anti-phishing-resources/#gref
59
The End
Get a chance to practice and play with Phishing awareness in the lab !!!
top related