Social Engineering and Phishing Scams Avoiding Social Engineering Online Harold Giddings Giddings Computer Services

Upload: giddingscomputerservices

Post on 08-Jun-2015


TRANSCRIPT

Page 1: Social Engineering

Social Engineering and Phishing Scams

Avoiding Social Engineering Online

Harold Giddings

Giddings Computer Services

Page 2: Social Engineering

Security II: Turn off the Message Bar and run code safely

Overview

• What is social engineering

• What is phishing

• What types of phishing are there

• What do social engineers do

• How do you protect yourself

Feel free to ask questions

Page 3: Social Engineering


What Is Social Engineering?

• Manipulation

• Method to gain information

• The Art of Deception

Page 4: Social Engineering


What Is Phishing?

• A fake website, email, or SMS used to obtain information

• A method to obtain information

• A form of deception

• Used to commit ID theft (financial or social)

Page 5: Social Engineering


What Do Social Engineers Do

• Manipulation

• Theft

• Information

• Corporate Spies

Tools Used

• Social Engineer Toolkit

• Caller ID Spoofing

• SMS Spoofing

• Modified Web Servers

• TinyURL Services

• Fake IDs

Page 6: Social Engineering


Email Phishing

An email from Wachovia. Wonder what's up with my account?

Be aware of emails like this: banks will never ask for your login details online. If concerned, call your bank, and NEVER respond to such emails.

“Your account access will remain limited until the issue has been resolved please login to your account by clicking on the link below”

Note: A good tip-off (but not always accurate) is to check whether the message was marked as spam. These senders usually use unverified SMTP servers, so their mail tends to be flagged as spam. Use a more secure email service like Google's Gmail service.

Page 7: Social Engineering


Website Phishing

What is wrong with this picture?

It appears to be the PayPal login page... right?

Above you see the PayPal login page, but look at the blown-up image to the right and you'll notice that the address bar does not read paypal.com.

This is a fake PayPal spoof or clone (phish) that appears to be PayPal in order to steal your money and account details.

Page 8: Social Engineering


IM Phishing

Fake IMs can link you to phished websites to capture your login info.

1. The social engineer sends the victim a fake IM, telling him he has uploaded some photos online.

2. The victim, concerned, checks out the site; thinking he needs to log in to the (fake) site to see the images, he gives the social engineer his login details.

Page 9: Social Engineering


TinyURL

URL shorteners like Tinyurl.com can be useful to make long URLs shorter for you to send in emails or IMs.

But they can also be useful to social engineers and phishers.

This site makes long URLs short.

Ex: http://google.com/long_address_that_is_long is changed to http://tinyurl.com/shorter_url

But that means the phisher can make a suspicious URL look safe.

Ex: 489.45.145.156/facebook.php looks like http://tinyurl.com/my_new_fb_pics
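As an added defender-side example (not from the original slides), here is a small Python checker that flags the URL patterns these slides describe: a raw IP host like 489.45.145.156/facebook.php, a shortener such as tinyurl.com that hides the real destination, and a hostname that mentions PayPal but is not paypal.com. The shortener and brand lists are constructed for the example and would need extending for real use.

```python
"""Heuristic URL check for the phishing patterns covered in this deck:
raw-IP hosts, URL shorteners, userinfo tricks, and lookalike hostnames.
Added example; the SHORTENERS and BRAND_DOMAINS lists are illustrative."""
from urllib.parse import urlsplit
import ipaddress

# Constructed lists for the example; extend these for real use.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}
BRAND_DOMAINS = {"paypal": "paypal.com", "facebook": "facebook.com",
                 "wachovia": "wachovia.com"}


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule (ignores multi-part public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True for a real IP literal, or for four dotted numeric groups even if
    an octet is out of range (the deck's own example uses 489.x.x.x)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        parts = host.split(".")
        return len(parts) == 4 and all(p.isdigit() for p in parts)


def assess_url(url: str) -> list:
    """Return a list of warning strings; an empty list means nothing flagged."""
    if "://" not in url:
        url = "http://" + url  # bare hosts like 489.45.145.156/facebook.php
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    warnings = []
    if is_ip_literal(host):
        warnings.append("host is a raw IP address, not a named site")
    if domain in SHORTENERS:
        warnings.append("URL shortener hides the real destination; expand it first")
    if "@" in parts.netloc:
        warnings.append("userinfo before '@' can disguise the real host")
    # Brand name in host or path, but the registrable domain is not the brand's.
    haystack = (host + parts.path).lower()
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in haystack and domain != real_domain:
            warnings.append(f"mentions {brand} but the domain is {domain or 'unknown'}")
    return warnings
```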

Page 10: Social Engineering


Phishing For More

Fake or phished websites can include Java or browser exploits that give the social engineer full access to your PC.

To the right is an attacker using an iPhone 4 to make a fake Facebook login page, shown above.

Instead of taking the user's login info, he uses a Java exploit to access the entire machine.

Page 11: Social Engineering


The Java Applet

Some phished web pages will use Java applications to gain FULL access to your computer.

Sometimes they are persistent; that's a sign of an exploited Java app.

1. Does the publisher match the site? Does the From address?

2. Does the site have a good reason to run Java?

Ask yourself these questions before doing something, to save yourself trouble.

Page 12: Social Engineering


Call Spoofing

Some social engineers will call you using fake information, trying to "verify" your account information.

Using free software or cheap online services, anyone can fake their caller ID.

1. Never talk about personally identifiable information unless you are sure you know who you're talking to, and preferably only if you called them.

2. If you have an iPhone, use apps like unhide to show the true caller ID of the caller.

Ask yourself if you know the person and if they sound right.

Page 13: Social Engineering


Resources

http://www.secmaniac.com/

http://www.offensive-security.com/

http://www.backtrack-linux.org/

http://www.hak5.org

http://www.remote-exploit.org

http://www.metasploit.com

http://www.exploit-db.com/

http://www.social-engineer.org/

http://www.darkreading.com/

http://www.spoofcard.com