Phishing, what you should know “Lkout” Initiative

2

Important Note

The information published hereafter is just a collection of selected IT industry best practices and tips that might assist you in improving the security levels against computer related threats while exercising your computing activities.

The information published hereafter is not meant in any way to provide a comprehensive solution nor to ensure full protection against computer related threats.

3

What is Phishing?

> Phishing is a form of social engineering that is executed via electronic means and can lead to identity theft and fraud.

4

Social Engineering

> A social engineer is a polite cracker!!

> A social engineer is a person who will deceive or con others into divulging information that they wouldn’t normally share (credit card numbers, bank account information, passwords…etc.).

> He/she will build an inappropriate trust relationship with insiders.

5

Social Engineering

> He/she may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and even offering credentials to support that identity.

> Social engineers use these techniques:
  - Appeal to vanity
  - Appeal to authority
  - Appeal to old-fashioned eavesdropping

6

Social Engineering

> Human based (in person):
  - Third-party authorization: the social engineer obtains the name of someone who has the authority to grant access to information.
  - Impersonation: a social engineer might impersonate any character and use certain privileges.

7

Social Engineering

> Electronic based (details in slides ahead):
  - Targeted e-mail messages
  - Spam, chain letters and hoaxes
  - E-mail attachments
  - Pop-up windows
  - Spoofed websites
  - Instant messaging and chat rooms
  - Cell phone text messages (SMS)

8

Phishing: Real Life Example 1 - AUB

From: Unauthenticated AUBnet User [mailto:[email protected]]
Sent: Thursday, May 15, 2008 10:44 AM
To: undisclosed-recipients:
Subject: Dear Staff/Students, Please Confirm Your Account Immediately!!!

Dear Staff/Student,

To complete and validate your aub.edu.lb account, you must reply to this email immediately and enter your password here (*********) Failure to do this will immediately render your Email Address deactivated from our database as this is part of our security measures to serve you better.

Thank you for being a part of AMERICAN UNIVERISTY OF BEIRUT COMMUNITY!
AMERICAN UNIVERISTY OF BEIRUT SUPPORT TEAM

From address: [email protected]
Reply to: [email protected]

9

Phishing: Real Life Example 1 - AUB

10

Phishing: Real Life Example 2 - AUB

11

Phishing: Real Life Example 2 - AUB

12

Phishing: Real Life Example 3 - Common Tricks

Same old story, but a different version.

13

Phishing: Real Life Example 4 - Silly Reasoning

Yeah, right...

From: MICROSOFT LOTTERY INC & WINDOWS LIVE [[email protected]]
Sent: Tuesday, July 22, 2008 10:28 PM
Subject:

MICROSOFT LOTTERY INC & WINDOWS LIVE. WINNING NOTIFICATION

This is to inform you that you have won a prize money of One Million Great Britain Pound Sterlings(£1,000,000.00) for the month of July 2008 Lottery promotion which is organized by MICROSOFT LOTTERY INC & WINDOWS LIVE. MICROSOFT WINDOWS collects all the email addresses of people that are active online, among the millions that subscribed to INTERNET we only select five people every Month as our winners through electronic balloting System without the winner applying, we congratulate you for being one of the people selected. Contact him, please provide him with your batch number BATCH: YM09102XM and your reference number REF NO: YM35447XM

Claims Requirements:
1. Name in full
2. Address
3. Nationality
4. Age
5. Sex
6. Occupation
7. Phone/Fax
8. Present Country

(CONTACT EVENT MANAGER).
Claims Agent: Sir Lenon Drill
Contact Email: [email protected]

Your Sincerely
Mrs. Lane Watts.
Copyright © 2008 Microsoft Award Promo. All Rights Reserved.

14

Phishing: Real Life Example 5 - Fake Sites

This one is easy!

This is not the eBay site but a fake one.

15

Phishing: Real Life Example 6 - Tricky URLs

16

Phishing: Real Life Example 6 - Tricky URLs

17

Phishing: Real Life Example 7 - Spyware

18

How to Avoid Becoming a Phishing Victim?

IMPORTANT NOTICE - EMAIL ALERT

• Rule 1: NEVER provide your PASSWORD to anyone

• Rule 2: AUB staff will NEVER request your PASSWORD via email

You may have read or heard of fraudulent e-mails that encourage recipients to provide their personal details such as user names and passwords. At AUB, we will never request your password via e-mail. If you receive such an e-mail request, please delete it immediately.

19

How to Avoid Becoming a Phishing Victim?

Phishers’ emails are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.

Phishers typically include upsetting (usually a threat) information to get people to react immediately (i.e., claiming they will shut off your account).

Is it that urgent?

20

How to Avoid Becoming a Phishing Victim?

Phishers typically include exciting (but false) statements in their e-mails or pop-ups to entice people to access their web sites, i.e. claiming that you have won a prize, lottery or inherited wealth.

Never respond to requests for personal or confidential information via email. When in doubt:
  - Call the institution that claims to have sent you the email.
  - Login to their web site by typing their address at the browser address bar.

Does this sound too good to be true?

Who is this person?

21

How to Avoid Becoming a Phishing Victim?

If you suspect the message might not be authentic, don't use the links within the email to get to a web page; the web page can be spoofed.

Never fill out forms in email messages that ask for confidential information; you should only communicate confidential information via a secure website.

22

How to Avoid Becoming a Phishing Victim?

Always ensure that you're using a secure website when submitting credit card or other sensitive information via your web browser. Check the beginning of the web address in your browser's address bar - it should be ‘https://’ rather than just ‘http://’.

Look for the locked padlock icon on your browser (IE; Netscape/Mozilla).

23

How to Avoid Becoming a Phishing Victim?

Never continue to a secure web site that has a problem with its security certificate. Internet browsers do present the user with an error message (example: IE7 message below).

24

How to Avoid Becoming a Phishing Victim?

Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate, and if anything is suspicious, contact your bank and all card issuers.

Ensure that your browser and OS software is up-to-date and that security patches are applied (example: MS Outlook signatures of spam e-mails).

Ensure antivirus and anti-spyware software is installed and current.

25

How to Avoid Becoming a Phishing Victim?

Ensure that your browser phishing filter is turned ON. Example: IE7 phishing filter controls.

26

What to do if you Suspect a Phishing e-mail?

1. Stop. Never reply, use any of the URL links embedded in the body, open attachments, or fill in online forms embedded in the e-mail body.

2. Report to CNS: [email protected]

27

What to do if you Think you were a Victim?

1. If you believe you might have revealed sensitive AUB information or might have revealed information that could be used for identity theft or fraud, contact [email protected].

28

Test your Phishing IQ

Check this Website:

http://survey.mailfrontier.com/survey/quiztest.html

29

Acknowledgements

> Computing and Networking Services team.

> Work-Study students: Marwa Abdul Baki, Donna Bazzi

> Comic strips are reproduced with permission. Please visit www.securityCartoon.com for more material.

> www.CartoonStock.com