cscu module 10 social engineering and identity theft.pdf
TRANSCRIPT
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
1/42
1 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Social Engineering andIdentity Theft
Simplifying Security.
Module 10
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
2/42
2 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
OAKLAND ‐‐ Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that
manufactured phony checks, IDs and credit cards has been shut down.
Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an
untold amount of monetary loss.
Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft
"puts fear in everyone," including himself.
The operation, which Officer Holly Joshi called a "one‐stop shop" for identity theft, was run out of a Hayward apartment in the 21000 block of Foothill Boulevard, where resident Mishel Caviness‐Williams, 40, was arrested last week as she left the
apartment. She had $4,000 in cash on her, police said.
Oakland Police Shut Down Bay Area‐Wide Identity Theft Operation
http://www.mercurynews.com
05/16/2011, 11:16:54 AM PDT
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
3/42
3 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Suffolk police are seeking assistance locating a woman who allegedly took an elderly man’s debit card and used it on several
occasions. Police have five felony warrants on file for Lavonda “Goosie” Moore, 37, for credit card theft, credit card fraud,
criminally receiving money, third offense petit larceny and identity theft.
Police say Moore took a debit card from the victim on Hill Street on May 15 and used it on multiple occasions at an ATM and at
retail stores.
There
also
is
a warrant
on
file
for
Moore
for
third
offense
petit
larceny
in
an
unrelated
case.
Moore’s last known address is the 600 block of Brook Avenue. Anyone who has information on Moore’s location is asked to call
Crime Line at 1‐888‐LOCK‐U‐UP. Callers to Crime Line never have to give their names or appear in court, and may be eligible for a
reward of up to $1,000.
Woman Sought in
Theft
http://www.suffolknewsherald.com
May 23, 2011
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
4/42
4 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Identity Theft Statistics 2011
75%
11.1
Million
4.8%
13%
Adults Victims of
Identity Theft
$54 billion
The Total Fraud Amount
Percent of Population
Victimized by Identity
Fraud
Victim Who Knew
Crimes Were Committed
Fraud Attacks on Existing
Credit card
Accounts
http://www.spendonlife.com
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
5/42
Consumer Complaint
Scenario
“I lost my purse in 2006. But surprisingly I got notices of bounced checks in 2007.
About a year later, I received information that someone using my identity had bought
a car. In 2008, I came to know that someone is using my Social Security Number for a
number of
years.
A
person
got
arrested
and
produced
my
SSN
on
his
arrest
sheet.
I can’t get credit because of this situation. I was denied a mortgage, employment,
credit cards and medical care for my children.”
http://www.networkworld.com
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
6/42
6 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Module Objectives
What is Identity Theft?
Personal Information that Can be
Stolen
How do
Attackers
Steal
Identity?
What do Attackers do with Stolen
Identity?
Examples of Identity Theft
How to
Find
if
You
are
a Victim
of
Identity Theft?
What to do if Identity is Stolen?
Reporting Identity Theft
Prosecuting Identity
Theft
Guidelines for Identity Theft
Protection
Guidelines for Protection from
Computer Based Identity Theft
IP Address Hiding Tools
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
7/42
7 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Identity Theft
What to Do if
Identity Is Stolen
How to Find if You Are a
Victim of Identity Theft
Reporting
Identity Theft
Protection from
Identity Theft
Module Flow
Social
Engineering
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
8/42
8 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Criminal
charges
Legal
issues
It leads to denial of
employment, health
care facilities, mortgage,
bank
accounts
and
credit
cards, etc.
Financial
losses
Identity
Theft Effects
Identity theft or ID fraud refers to a crime where an offender wrongfully obtains key pieces of
the intended victim's personal identifying information, such as date of birth, Social Security
number, driver's license number, etc., and makes gain by using that personal data
What is Identity Theft?
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
9/42
9 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Personal Information that Can be
Stolen
Names
Mother’s maiden name
Telephonenumbers
Passport numbers
Credit card/Bank
account numbers
Social security
numbers
Driving license numbers
Birth certificates Address
Date of birth
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
10/42
10 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
How do Attackers Steal Identity?
Hacking Theft of Personal Stuff
PhishingSocial Engineering
Fraudster pretend to be a
financial institution and
send spam/ pop‐up
messages to trick the user
to reveal
personal
information
Fraudsters may steal
wallets and purses, mails
including bank and credit
card statements, pre‐
approved credit
offers,
and
new checks or tax
information
Attackers may hack the
computer systems to
steal confidential
personal
information
It is an act of manipulating
people trust to perform
certain actions or divulging
private information, without
using technical
cracking
methods
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
11/42
11 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
What do Attackers do with Stolen
Identity?
Credit Card
Fraud
Phone or Utilities
FraudOther Fraud
They may open a new
phone or wireless account
in the user’s name, or run
up charges on his/her
existing account
They may use user’s name
to get
utility
services
such
as electricity, heating, or
cable TV
They may get a job using
legitimate user’s Social
Security number
They may give legitimate
user’s information to police
during an arrest and if they
do not turn up for their court date, a warrant for
arrest is issued on
legitimate user’s name
They may open new
credit card accounts in
the name of the user and
do not pay the bills
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
12/42
12Copyright
©
by
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
What do Attackers do with Stolen
Identity?
Bank/Finance
Fraud
Government
Documents Fraud
They may create counterfeit checks
using victim’s name or account number
They may
open
a bank
account
in
victim’s name and issue the checks
They may clone an ATM or debit card
and make electronic withdrawals on
victim’s name
They may take a loan on victims’ name
They may get a driving license or
official ID card issued on legitimate
user’s
name
but
with
their
photoThey may use victim’s name and
Social Security number to get
government benefits
They may file a fraudulent tax return
using legitimate user information
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
13/42
13Copyright
©
by
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Same Name: TRENT CHARLES ARSENAUL
Original Identity Theft
Identity Theft Example
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
14/42
14Copyright
©
by
EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Identity Theft
What to Do if
Identity Is Stolen
How to Find if You Are a
Victim of Identity Theft
Social
Engineering
Reporting
Identity Theft
Protection from
Identity Theft
Module Flow
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
15/42
15Copyright
©
by
EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Social
Engineering
Types of Social
Engineering
Social Engineers
Attempt to Gather
Social Engineering
Sensitive information
such as credit card
details, social security
number, etc.
Passwords
Other personal
information
Human based social
engineering
Computer based
social engineering
Social engineering is the
art of convincing people
to reveal confidential
information
It is
the
trick
used
to
gain
sensitive information by
exploiting the basic
human nature
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
16/42
16Copyright
©
by
EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Social Engineering Example
Hi, we are from CONSESCO
Software. We are hiring new
people for our software development
team. We got your contact number
from popular job portals.
Please
provide
details
of
your
job
profile,current project information,
social security number, and your
residential address.
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
17/42
17Copyright
©
by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Criminal as Phone Banker
Hi, I am Mike calling from CITI Bank.
Due to
increasing
threat
perception,
we
are updating our systems with new
security features. Can you provide me
your personal details to verify that you
are real Stella.
Thanks Mike,
Here
are
my
details.
Do
you
need anything else?
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
18/42
18Copyright
©
by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Authority Support Example
Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've
been told by corporate to do a surprise
inspection of your disaster recovery
procedures.
Your department
has
10
minutes
to
show
me how you would recover from a
website crash.
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
19/42
19Copyright
©
by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Technical Support Example
A
man
calls
a
company’s
help
desk
and
says
he has forgotten his password. He adds
that if he misses the deadline on a big
advertising project, his boss might fire him.
The help desk worker feels sorry for him
and quickly resets the password,
unwittingly giving
the
attacker
clear
entrance into the corporate
network
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
20/42
20Copyright
©
by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Human-Based Social Engineering
Eavesdropping Shoulder surfing Dumpster diving
Eavesdropping is
unauthorized listening
of
conversations or reading
of messages
It is interception of any
form of communication
such as audio, video, or
written
Shoulder surfing is the
procedure where the
attackers look
over
the
user’s shoulder to gain
critical information such as
passwords, personal
identification number,
account numbers, credit
card
information,
etc. Attacker may also watch the
user from a distance using
binoculars in order to get
the pieces of information
Dumpster diving includes
searching
for
sensitive
information at the target
company’s trash bins,
printer trash bins, user
desk for sticky notes, etc.
It involves collection of
phone
bills,
contact
information, financial
information, operations
related information, etc.
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
21/42
21Copyright
©
by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Spam
Email
Instant
Chat
Messenger
Chain
Letters
Hoax
Letters
Pop‐up
Windows
Windows that suddenly pop up
while surfing
the
Internet
and
ask for users’ information to
login or sign‐in
Hoax letters are emails that issue
warnings to the user on new
viruses, Trojans, or worms that
may harm the user’s system
Chain letters are emails that offer
free gifts such
as
money
and
software on the condition that the
user has to forward the mail to the
said number of persons
Gathering personal information
by chatting with a selected online
user to get information such as
birth dates and maiden names
Irrelevant, unwanted, and
unsolicited email to
collect
the
financial information, social
security numbers, and network
information
Computer-Based Social Engineering
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
22/42
22Copyright
©
by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Computer-Based Social Engineering:
PhishingAn illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user’s
personal or account information
Phishing emails or pop‐ups redirect users to fake webpages of mimicking trustworthy sites that ask
them to submit their personal information
Fake Bank Webpage
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
23/42
23 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Phony Security Alerts
Phony Security Alerts are the emails or
pop‐up windows that seem to be from
a reputed hardware or software
manufacturers like Microsoft, Dell, etc.,
It warns/alerts
the
user
that
the
system is infected and thus will
provide with an attachment or a link in
order to patch the system
Scammers suggest the user to
download and
install
those
patches
The trap is that the file contains
malicious programs that may infect the
user system
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
24/42
24 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Computer-Based Social Engineering through
Social Networking WebsitesComputer‐based social engineering is carried out through social networking websites such as Orkut, Facebook,
MySpace, LinkedIn, Twitter, etc.
Attackers use these social networking websites to exploit users’ personal information
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
25/42
25 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Identity Theft
What to Do if
Identity Is Stolen
How to Find if You Are a
Victim of Identity Theft
Reporting
Identity Theft
Protection from
Identity Theft
Module Flow
Social
Engineering
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
26/42
26 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
How to Find if You are a Victim
of Identity Theft?Bill collection agencies contact you for overdue debts you never incurred
You receive bills, invoices, or receipts addressed to you for goods or services
you haven’t asked for
You no longer receive your credit card or bank statements
You notice that some of your mail seems to be missing
Your request for mortgage or any other loan is rejected citing your bad credit
history despite you having a good credit record
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
27/42
27 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
How to Find if You are a Victim
of Identity Theft?
You get something in
the mail about an
apartment you never
rented, a house
you
never bought, or a job
you never held
You lose important
documents such as
your passport
or
driving license
You identify
irregularities in
your credit
card
and bank
statements
You are denied for
social benefits
citing that you are
already claiming
You receive
credit card
statement with
new account
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
28/42
28 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.
Identity Theft
What to Do if
Identity Is Stolen
How to Find if You Are a
Victim of Identity Theft
Reporting
Identity Theft
Protection from
Identity Theft
Module Flow
Social
Engineering
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
29/42
29 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
What to do if Identity is Stolen?
Contact the credit reporting agencies
http://www.experian.com
http://wwwc.equifax.com
http://www.transunion.com
Immediately inform credit bureaus
and establish fraud alerts
Request for a credit report Review the credit reports and alert
the credit agencies
Freeze the credit reports with credit
reporting agenciesContact all of your creditors and
notify them of the fraudulent activity
Change all the passwords of online
accounts
Close the accounts that you know or
believe have been tampered with or
opened fraudulently
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
30/42
30 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
What to Do if Identity Is Stolen?
File a report with the
local police or the police
in the community where
the identity theft took
place
File a complaint with
identity theft and
cybercrime reporting
agencies such as the
FTC
Take advice from police
and reporting agencies
about how to protect
yourself from further
identity compromise
Ask the credit card
company about new
account numbers
Tell the debt collectors
that you are a victim of
fraud and are not
responsible for the
unpaid bill
Ask the bank to report the
fraud to a consumer
reporting agency such as
ChexSystems that
compiles
reports on checking
accounts
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
31/42
31 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Identity Theft
What to Do if
Identity Is Stolen
How to Find if You Are a
Victim of Identity Theft
Reporting
Identity Theft
Protection from
Identity Theft
Module Flow
Social
Engineering
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
32/42
32 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Federal Trade Commission
The Federal Trade Commission, the nation's consumer protection agency, collects
complaints about companies, business practices, and identity theft
http://www.ftc.gov
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
33/42
33 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
econsumer.gov
http://www.econsumer.gov
econsumer.gov is
a portal
for
you
as a consumer to report complaints about online
and related transactions with foreign companies
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
34/42
34 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Internet Crime Complaint Center
http://www.ic3.gov
The Internet Crime Complaint
Center’s (IC3)
mission
is
to
serve
as
a vehicle to receive, develop, and refer
criminal complaints regarding the
rapidly expanding arena of cyber
crime
The Internet Crime Complaint Center
(IC3) is a partnership between the
Federal Bureau
of
Investigation
(FBI),
the National White Collar Crime
Center (NW3C), and the Bureau of
Justice Assistance (BJA)
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
35/42
35 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Prosecuting Identity Theft
Begin the process by
contacting the bureaus,
banks, or any other
organizations who
may
be involved
File a formal complaint
with the organization
and with the police
department
Regularly update
yourself regarding
the investigation
process to
ensure
that the case is
being dealt with
properly
Obtain a copy of the
police complaint to
prove to the
organizations that
you have filed an
identity theft
complaint
File a complaint with
the Federal Trade
Commission and
complete affidavits
to prove your
innocence on the
claims of identity
theft and fraudulent
activity
Contact the District
Attorney's office for
further prosecuting
the individuals
who
may be involved in
the identity theft
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
36/42
36 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Identity Theft
What to Do if
Identity Is Stolen
How to Find if You Are a
Victim of Identity Theft
Reporting
Identity Theft
IP Hiding Tools
Module Flow
Social
Engineering
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
37/42
37 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Hiding IP Address Using Quick Hide IP
Tool
http://www.quick ‐hide‐ip.com
Quick Hide IP hides your internet identity so you can surf the web while hiding you real IP and location
It redirects the Internet traffic through anonymous proxies
Quick Hide IP. Websites you are visiting see the IP address of the proxy server instead of your own IP address
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
38/42
38 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
UltraSurf http://www.ultrareach.com
Hide The IPhttp://www.hide
‐the
‐ip.com
Hide My IPhttp://www.hide‐my ‐ip.com
Hide IP NG http://www.hide‐ip‐soft.com
IP Hider
http://www.iphider.org
TORhttp://www.torproject.org
Anti Trackshttp://www.giantmatrix.com
Anonymizer Universal
http://www.anonymizer.com
IP Address Hiding Tools
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
39/42
39 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Module Summary
Identity theft is the process of using someone else’s personal information for the
personal gain of the offender
Criminals look
through
trash
for
bills
or
other
paper
with
personal
information
on
it
Criminals call the victim impersonating a government official or other legitimate
business people and request personal information
Keep the computer operating system and other applications up to date
Do not
reply
to
unsolicited
email
that
asks
for
personal
information
Use strong passwords for all financial accounts
Review bank/credit card statements/credit reports regularly
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
40/42
40 Copyright © by EC-CouncilAll
Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Keep your Social Security card, passport, license, and other valuable
personal information hidden and locked up
Ensure that your name is not present in the marketers’ hit lists
Shred papers with personal information instead of throwing them away
Never give away social security information or private contact information
on the phone – unless YOU initiated the phone call
Confirm who you are dealing with, i.e., a legitimate representative or a
legitimate
organization over
the
phone
Carry only necessary credit cards
Cancel cards seldom used
Review credit reports regularly
Identity Theft Protection Checklist
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
41/42
41 Copyright © by EC-Council
All Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Do not reply to unsolicited email requests for personal information
Do not give personal information over the phone
Review bank/credit card statements regularly
Do not carry your Social Security card in your wallet
Shred credit card offers and “convenience checks” that are not useful
Do not store any financial information on the system and use strong
passwords for all financial accounts
Check the telephone and cell phone bills for calls you did not make
Read before
you
click,
stop
pre
‐approved
credit
offers,
and
read
website
privacy policies
Identity Theft Protection Checklist
-
8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf
42/42
42 Copyright © by EC-Council
All Rights
Reserved.
Reproduction
is
Strictly
Prohibited.
Install antivirus software and scan the system regularly
Enable firewall protection
Check for website policies before you enter
Keep the computer operating system and other applications up to date
Be careful while opening email attachments
Clear the browser history, logs, and recently opened files every time
Check for secured websites while transmitting sensitive information
Computer Based Identity Theft Protection
Checklist