PHISHING ATTACKS:
How Vulnerable Are We?
by Jayaseelan Vejayon
MCP, CNE6, CEH
Agenda
• What is phishing?
• The statistics…
• How is it done?
• How to avoid it?
The main objective of this seminar presentation is to create awareness about phishing.
So…what is phishing?
• It is a crime, committed by fraudsters who persuade victims to respond to a “legitimate-looking” email or to click on a seemingly safe link.
• To do that, the attackers craft emails that play on human emotions. It is a con: a type of deception.
http://www.livehacking.com/tag/phishing/
Although phishing is a modern crime of the Internet age, the forces behind it (manipulation, deceit and persuasion) are not.
We can trace these tricks back to our epics… and even to children's fairy tales!
Why phish, bad guy???
• It is designed to steal your valuable personal
data
– credit card numbers
– passwords
– account data
– other important personal information
Your data can be sold for money!
Going rate for a stolen credit card, by issuing country (USD):
          Visa   MasterCard   American Express   Discover
US        $2     $3           $5                 $6
UK        $4     $4           $6                 $6
EU        $6     $6           $8                 $8
Canada    $3     $3           $6                 $6
What is the value??
Goods and services advertised on underground economy servers (Current/Previous: share of advertised goods in the current and previous reporting period; prices in USD):
Rank  Last  Goods and services             Current  Previous  Prices
1     2     Bank accounts                  22%      21%       $10-1000
2     1     Credit cards                   13%      22%       $0.40-$20
3     7     Full identity                  9%       6%        $1-15
4     N/R   Online auction site accounts   7%       N/A       $1-8
5     8     Scams                          7%       6%        $2.50/wk-$50/wk (hosting); $25 design
6     4     Mailers                        6%       8%        $1-10
7     5     Email addresses                5%       6%        $0.83-$10/MB
8     3     Email passwords                5%       8%        $4-30
9     N/R   Drop (request or offer)        5%       N/A       10-50% of drop amount
10    6     Proxies                        5%       6%        $1.50-$30
Source: http://www.symantec.com/threatreport/topic.jsp?id=fraud_activity_trends&aid=underground_economy_servers
Why is it easy to do?
• Internet users rely heavily on webmail and social networking sites
– a phishing attack that obtains access to a Facebook or Gmail account can open the door to many other accounts
– if an email account is taken over with credentials captured by a phishing attack, the attacker can use it to reset the passwords of other important accounts too
The history
Source: Wikipedia
• Phreaking + Fishing = Phishing
– Phreaking = making free phone calls, back in the 1970s
– Fishing = using bait to lure the target
• Phishing in 1995
Target: AOL users
Purpose: getting account passwords for free online time
Threat level: low
Techniques: similar names (www.ao1.com for www.aol.com), social engineering
• Phishing in 2001
Target: eBay users and major banks
Purpose: getting credit card numbers and account credentials
Threat level: medium
Techniques: same as in 1995, plus keyloggers
• Phishing in 2007
Target: PayPal, banks, eBay
Purpose: bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
A bad day phishin’ beats a good day workin’
• 2,000,000 emails are sent
• 5% reach the end user – 100,000 (APWG)
• 5% click on the phishing link – 5,000 (APWG)
• 2% enter data into the phishing site – 100 (Gartner)
• $1,200 from each person who enters data (FTC)
• Potential reward: $120,000
In 2005 David Levi made over $360,000 from 160 people using an eBay phishing scam.
APWG: Anti-Phishing Working Group; FTC: Federal Trade Commission
The David Levi eBay Phishing Scam (2005)
• Led by two brothers: Guy Levi, 22, and the ringleader, David Levi, 28.
• Complaints were received from eBay users who had paid for laptops and Rolex watches that never arrived.
• Lett, the computer expert in the gang, used a software tool of the spam trade called Atomic Harvester to sweep the Internet, gathering around 6,000 email addresses. He wrote to more than 2,000 of these addresses, purporting to be eBay.
The Levis and Lett wanted the usernames and passwords of highly-rated eBay sellers. Anyone trading on eBay has a feedback score and a percentage feedback rating. If a seller has positive feedback rated at, say, 98%, a bidder will trust the seller to deliver. So Lett hijacked such accounts. First he changed the passwords, to lock out the real account holders; then he and the Levis started selling.
Those who fell for their ads for high-value items like Sony Vaio laptops and Rolex Daytona watches, using text and images lifted from legitimate ads, would be contacted by email and persuaded to pay off-line.
Police located 160 people who paid money to David Levi's gang; there may have been others. The police had evidence of almost £200,000 in criminal gains but they suspect that the total figure was more than twice as much.
Source: Out-Law Magazine, Winter 2005, Issue 13
The Statistics
RSA's figures on phishing attacks (Q1 2012)
• The news is not good
• Attacks rose again (for the 4th time)
• 19% increase compared to the second half of 2011
• Estimated worldwide financial losses: US$687 million
Top 5 countries targeted: UK, US, Canada, Brazil, South Africa
Canada was affected by a significant increase in phishing, of nearly 400%, in Q1 2012.
Canada's economic health during that period was good, and this only shows that fraudsters follow the money!!!
Google: the Internet is a dangerous place
• June 2012 findings
– Google detects 9,500 new malicious websites every day
– Some are innocent websites that have been hacked to serve up malware
– Others are built specifically for the purpose of distributing malware
– Google displays over 300,000 download warnings every day via the download protection service built into Chrome
• The number of phishing sites peaked in 2012, with over 300,000 new phishing sites found per month
• Approximately 12-14 million Google Search queries per day result in the browser showing a warning advising users not to visit a currently compromised site
A tank full of phish
http://www.phishtank.com/
Worldwide Losses – 1H 2012 (chart)
Most Targeted Industry Sectors, 3rd Quarter 2012 (chart – APWG report)
Most Targeted Industry Sectors, 4th Quarter 2012 (chart – APWG report)
Antiphishing.my is a portal that provides information related to phishing sites targeting Internet users in Malaysia.
https://www.antiphishing.my/statistics/
Don't fall prey to online banking scams
The Star Online
Date: 19 February 2011
PETALING JAYA: Internet users must ensure they install all necessary updates and use reputable anti-virus software so they don't fall prey to online banking scams.
HSBC Bank Malaysia Berhad general manager for personal financial services, Lim Eng Seong, said the number of Malaysians opting for online banking was increasing.
"Most banks offer safety advice on the login page of their e-banking websites to warn users about the existence of such scams," he said.
Whenever there is a report of a scam, the bank immediately contacts CyberSecurity Malaysia's Computer Emergency Response Team (CERT) to remove the phishing website.
"For phishing websites operating from outside the country, we seek the assistance of the country's local CERT team to shut down the website," he said.
Travel agent Safura Mokhtar, 41, recently became a victim of a phishing scam.
She lost RM4,600 but the local bank refused to offer her a refund although she was quick to report the incident.
She had received an e-mail, claiming to be from the bank, in November last year.
"The e-mail stated that I needed to log in immediately to update my contact information for security purposes," said Safura, who unsuspectingly clicked on the link provided.
"I am new to online banking and I was not aware that such scams existed," said Safura, who later received a text message from the bank informing her that money had been transferred out of her account.
She received a letter from the bank a week later informing her that they could not compensate her for her losses.
She was then referred to the Financial Mediation Bureau (FMB), which told her investigations would take up to six months.
"Cases of online banking scams in Malaysia have been increasing since the first such case was registered in 2005," said FMB CEO John Thomas.
Statistics from FMB showed that the number of cases had increased from only 46 in 2008 to 163 in 2010.
On the chances of victims getting their money back, Thomas said that of the 163 cases last year, only 51 victims managed to get part or all of their money back.
A check with Bank Negara showed that as of December last year, there were 9.8 million e-banking account holders in the country.
What Does a Phishing Scam Look Like?
As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
Some Examples …
Page accessed on 16 June 2013
Phishing Quick Facts
A good phish targets weaknesses and lapses in human nature. For example, we often click “OK” without reading a warning.
A phish needs YOUR HELP in order to succeed.
Phishing is often conducted by organized crime. Phishing groups are dynamic and can be in any country. They often use people in multiple countries simultaneously.
Credit and debit card users are the primary targets of phishers right now (going for fast cash).
Phishing can come in more than one form: email, instant messages, pop-ups, online postings, and telephone.
A phish never includes a real email address for the phisher, so it is pointless to reply to one.
A phish has a hook (Trust us. Here’s why.), a required action (Here’s what we want you to do.), and a push (Hurry, act now!).
Most servers that host phish sites are legitimate servers that have been compromised; in that case the phisher has to use that site’s URL or IP address in the phish. Some servers that host phish sites are fraudulently registered; in that case the phisher can use any URL and make it resemble the victim site.
https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts
Spear-Phishing: Improved Target Selection
• Social-aware attacks
– Mine social relationships from public data
– The phishing email appears to arrive from someone known to the victim
– Use the spoofed identity of a trusted organization to gain trust
– Urge victims to update or validate their account
– Threaten to terminate the account if the victim does not reply
– Use a gift or bonus as bait
– Security promises
• Context-aware attacks
– “Your bid on eBay has won!”
– “The books on your Amazon wish list are on sale!”
Phishing Techniques
• Employ visual elements from the target site
• Domain and URL tricks:
– www.ebay.com.kr (ebay.com.kr is a different registered domain from ebay.com)
– www.ebay.com@192.168.0.5 (the text before @ is a user name; the real host is 192.168.0.5)
– www.gooogle.com (look-alike spelling)
• Certificates
– Phishers can acquire certificates for domains they own
– Certificate authorities make mistakes
How is it done? Some live examples…
Cloning a website
• Manually create a website with the logos and theme of the legitimate website
• Automatically create the website using tools, e.g. the Social-Engineer Toolkit (SET) shipped with BackTrack, which can clone a login page and capture the credentials posted to it
Live Demo
How is it done? Some live examples…
Domain and URL tricks
– www.ebay.com.kr
– www.ebay.com@192.168.0.5
– www.gooogle.com
In a URL, anything between http:// and @ is the userinfo part (a user name and optional password), not the host; the real host is whatever follows the @. If the site does not ask for credentials, the browser discards the userinfo and loads the page as usual, so the link appears to go to the name before the @ while actually fetching the address after it. Most current browsers strip the userinfo or warn before using it, but the link as printed in an e-mail still looks legitimate, and anything else that displays a URL without parsing it is fooled in the same way.
How is it done? Some live examples…
To access a website, we can use:
• its domain name (www.google.com.my)
• its IP address (74.125.135.94)
• the same IPv4 address written as one decimal number: 74·2^24 + 125·2^16 + 135·2^8 + 94 = 1249740638
Now I can use http://www.cimbclicks.com.my@1249740638 to provide a link which looks legitimate but actually diverts you to another site (here 74.125.135.94; the bank's name before the @ is only the userinfo and is ignored).
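To see what these links resolve to, here is a short Python script, added by the editor and not part of the original slides, that parses each URL the way a browser does: it separates the userinfo from the real host, converts a decimal host to dotted-quad form, and checks whether that host really belongs to the expected domain. It covers the three tricks from the Phishing Techniques slide as well as the decimal-IP link above; the expected-domain values and the SAMPLES list are assumptions made for the demonstration.

```python
"""Decode the deceptive URLs discussed above (userinfo trick, decimal IP,
look-alike host) the way a browser would. Example code added by the editor,
not from the original slides; expected domains and SAMPLES are assumptions."""
import ipaddress
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Return the host a browser actually connects to for `url`.

    RFC 3986 allows `userinfo@` in front of the host, so everything between
    `http://` and the last `@` of the authority is a user name, not a host.
    A host that is a bare integer is a 32-bit IPv4 address in decimal and is
    normalised to dotted-quad form.
    """
    host = urlsplit(url).hostname or ""
    if host.isdigit():
        host = str(ipaddress.IPv4Address(int(host)))  # 1249740638 -> 74.125.135.94
    return host


def belongs_to(host: str, domain: str) -> bool:
    """True only if `host` is `domain` itself or a subdomain of it.

    Compare whole labels: www.ebay.com.kr does not belong to ebay.com,
    and neither does ebay.com.evil.example.
    """
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze(url: str, expected_domain: str) -> dict:
    """Explain why `url` does (or does not) lead to `expected_domain`."""
    parts = urlsplit(url)
    host = real_host(url)
    findings = []
    if parts.username is not None:
        findings.append(f"'{parts.username}' before '@' is a user name; the real host is {host}")
    if (parts.hostname or "").isdigit():
        findings.append(f"decimal host {parts.hostname} is the IP address {host}")
    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if not belongs_to(host, expected_domain):
        findings.append(f"{host} is not {expected_domain} or a subdomain of it")
    return {"real_host": host, "suspicious": bool(findings), "findings": findings}


# Constructed samples: the URLs used on the slides above, each paired with the
# domain a reader would expect the link to open.
SAMPLES = [
    ("http://www.cimbclicks.com.my@1249740638", "cimbclicks.com.my"),
    ("http://www.ebay.com@192.168.0.5", "ebay.com"),
    ("http://www.ebay.com.kr/signin", "ebay.com"),
    ("http://www.gooogle.com/", "google.com"),
    ("https://www.cimbclicks.com.my/", "cimbclicks.com.my"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        result = analyze(url, expected)
        print(url, "->", result["real_host"], "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

The only genuine link in the list is the last one, and it is the only one that passes; the userinfo link is flagged four times over (user name before @, decimal host, bare IP, wrong domain).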
How is it done? Some live examples…
Text and link
The visible text of a hyperlink and the address it actually opens are independent, so the same malicious link can be presented as any of:
• Click here to CIMBClicks’ site
• CIMBClicks
• http://www.cimbclicks.com.my
How is it done? Some live examples…
Spoof the sender address
Email spoofing is the creation of email messages with a forged sender address, something which is simple to do because the core SMTP protocols do no authentication. It is commonly used in spam and phishing emails to hide the origin of the email message. (Wikipedia)
Nothing in SMTP ties the From: header, or even the MAIL FROM envelope address, to the machine that sent the message; sender authentication (SPF, DKIM, DMARC) is an add-on that the receiving server must choose to enforce.
• Eg. Deadfake (http://deadfake.com/Send.aspx)
How is it done? Some live examples…
Email message
From: jayaseelan.vejayon@qiup.edu.my
Subject: URGENT: Change Your Password
Message:
Dear Colleagues,
There is a security breach in our environment. Please change your password immediately! Please click on the link below and follow the instructions on the screen.
http://mail.quip.com.my
Failing to change your password by COB today will cause your account to be suspended.
(Note the link: quip.com.my, two letters transposed, rather than the real qiup.edu.my domain the From: address claims.)
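The headers a receiving mail server adds are the only thing that can expose a forged sender in a message like the one above. The following Python script, added by the editor and not from the original slides, compares the visible From: domain with the envelope sender (Return-Path) and with the SPF/DKIM/DMARC verdicts recorded in the Authentication-Results header (RFC 8601). Both messages, the authserv-id mx.qiup.edu.my and the host mailer.example.net are constructed for the example. Note the limit: DMARC protects only the exact domain in From:; a sender at the look-alike quip.com.my would pass every check here, which is why the link itself still has to be inspected.

```python
"""Tell a forged From: header from a genuine one using what the receiving
mail server records. SMTP checks nothing, so the only evidence is the envelope
sender (Return-Path) and the Authentication-Results header (RFC 8601) that the
recipient's own MTA adds after running SPF, DKIM and DMARC.
Example code added by the editor, not from the original slides; both messages
below are constructed, and mx.qiup.edu.my / mailer.example.net are made up."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the "URGENT: Change Your Password" sample after a receiving MTA
# has stamped it. The forger can write any From: they like, but the envelope
# sender and the failed checks give it away.
FORGED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.qiup.edu.my; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=qiup.edu.my
From: IT Helpdesk <jayaseelan.vejayon@qiup.edu.my>
Subject: URGENT: Change Your Password

There is a security breach. Click http://mail.quip.com.my to change your password.
"""

# Constructed: a message that really left the institution's mail system.
GENUINE = """\
Return-Path: <jayaseelan.vejayon@qiup.edu.my>
Authentication-Results: mx.qiup.edu.my; spf=pass smtp.mailfrom=qiup.edu.my;
 dkim=pass header.d=qiup.edu.my; dmarc=pass header.from=qiup.edu.my
From: Jayaseelan Vejayon <jayaseelan.vejayon@qiup.edu.my>
Subject: ICT maintenance window

Internet access will be interrupted on Saturday between 08:00 and 10:00.
"""


def domain_of(header_value: str) -> str:
    """'IT Helpdesk <a@B.Example>' -> 'b.example'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Reduce Authentication-Results to {'spf': 'fail', 'dkim': 'none', ...}."""
    results = {}
    for clause in (msg.get("Authentication-Results") or "").split(";"):
        method, sep, rest = clause.strip().partition("=")
        if sep:  # the first clause is the authserv-id and has no '='
            results[method.strip().lower()] = (rest.split() or [""])[0].lower()
    return results


def check_sender(raw_message: str) -> dict:
    """Return the From: domain and the reasons (if any) to distrust it."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    auth = auth_results(msg)
    reasons = []
    if envelope_domain != from_domain:
        reasons.append(f"envelope sender {envelope_domain} does not match From: {from_domain}")
    if auth.get("dmarc") != "pass":
        reasons.append(f"dmarc={auth.get('dmarc', 'missing')} for {from_domain}")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("neither SPF nor DKIM passed")
    return {"from_domain": from_domain, "spoofed": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        verdict = check_sender(raw)
        print(label, "->", "SPOOFED" if verdict["spoofed"] else "ok", verdict["reasons"])
```

A mail gateway that enforces the domain's DMARC policy would have rejected or quarantined FORGED before a user ever saw it; the script shows what that decision is based on.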
How to tell if an e-mail message is fraudulent
Here are a few phrases to look for:
"Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.
"If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.
"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
"Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually “masked”, meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site. Hover over the link (or view the message source) to see the real destination before clicking.
Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters, or by putting the real name inside a domain they control.
For example, the URL "www.microsoft.com" could appear instead as:
• www.micosoft.com (letter omitted)
• www.mircosoft.com (letters transposed)
• www.verify-microsoft.com (a different registered domain that contains the name)
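Both warning signs, a masked link whose visible text names one site while its href goes elsewhere, and an altered domain name, can be checked mechanically. The Python script below, added by the editor and not part of the original slides, pulls every <a> element out of an HTML message body with the standard-library parser, compares the visible text with the real destination host, and compares each host label against a list of trusted domains by substring and by edit distance. SAMPLE_HTML and the TRUSTED list are constructed for the example.

```python
"""Spot masked links and look-alike domains in an HTML e-mail body.
Example code added by the editor, not from the original slides; SAMPLE_HTML
and TRUSTED are constructed for the demonstration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the recipient legitimately deals with (assumed for the example).
TRUSTED = ["qiup.edu.my", "cimbclicks.com.my", "microsoft.com"]

# Constructed message modelled on the "Change Your Password" sample above.
SAMPLE_HTML = """
<p>Please <a href="http://mail.quip.com.my/login">click here</a> to change your password.</p>
<p>Or open <a href="http://www.cimbclicks.com.my@192.168.0.5/">http://www.cimbclicks.com.my</a></p>
<p>Help: <a href="https://www.microsoft.com/support">www.microsoft.com</a></p>
<p>Update at <a href="http://www.mircosoft.com/verify">Microsoft account</a></p>
"""

# Something that looks like a host name inside the visible link text.
HOST_IN_TEXT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = AnchorCollector()
    parser.feed(html)
    return parser.links


def is_masked(href, text):
    """True when the visible text names a host that is not the href's real host."""
    match = HOST_IN_TEXT.search(text)
    return bool(match) and match.group(1).lower() != (urlsplit(href).hostname or "")


def edit_distance(a, b):
    """Plain Levenshtein distance (a swapped pair of letters costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host, trusted=TRUSTED):
    """Return the trusted domain that `host` imitates, or None when `host` is
    that domain (or a subdomain of it) or resembles none of them."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in trusted):
        return None
    for domain in trusted:
        brand = domain.split(".")[0]  # "microsoft" for microsoft.com
        for label in host.split("."):
            # brand reused under another registrable domain (verify-microsoft.com,
            # ebay.com.kr) or misspelt by a couple of edits (mircosoft, quip)
            if brand in label or (len(brand) >= 4 and edit_distance(label, brand) <= 2):
                return domain
    return None


def scan(html, trusted=TRUSTED):
    """Return (href, visible text, reasons) for every suspicious link."""
    report = []
    for href, text in extract_links(html):
        host = urlsplit(href).hostname or ""
        reasons = []
        if is_masked(href, text):
            reasons.append(f"text shows {HOST_IN_TEXT.search(text).group(1)} but link goes to {host}")
        target = lookalike(host, trusted)
        if target:
            reasons.append(f"{host} imitates {target}")
        if reasons:
            report.append((href, text, reasons))
    return report


if __name__ == "__main__":
    for href, text, reasons in scan(SAMPLE_HTML):
        print(f"[{text}] -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Three of the four links are reported: the transposed quip.com.my, the bank link masking a bare IP address, and mircosoft.com; the genuine Microsoft link is left alone. The edit-distance threshold of 2 and the minimum brand length of 4 are tuning choices; short brand names need a stricter rule to avoid false matches.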
How do I avoid becoming a victim…
Never respond to an email asking for personal information.
Always check that you are on the genuine site: the address bar must show your bank's own domain, with the HTTPS padlock in the browser's chrome. If in doubt, call the bank on a number you already have (from your card or statement), never one given in the email.
Never click on the link in the email. Retype the address in a new window.
Keep your browser updated.
Keep antivirus definitions updated.
Use a firewall.
Don’t ignore browser warnings. Since legitimate sites can be hacked and modified to contain malware, don’t visit a website if a browser warning is shown, no matter how well-known the website is to you.
P.S. Always shred your documents before discarding them.
Don’t fall for the myths…
“It’s hard for criminals to duplicate my institution’s website, so if it looks good, it must be the real site.”
The truth: Many fake sites look identical to the original site; a page can be copied with a single tool.
“If I see a lock anywhere on the page, I know it is a secure website.”
The truth: The padlock that signifies an HTTPS connection appears in the browser’s own chrome (the address bar), never as a picture inside the web page. Even a real padlock only proves that you are talking securely to the domain shown in the address bar; phishers can obtain certificates for domains they own, so read the domain name as well.
“I can tell by the poor grammar if it is a phish.”
The truth: Fake sites often have perfect grammar and spelling.
https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts
DontPhishMe is an initiative of MyCERT, CyberSecurity Malaysia, to provide a security mechanism for preventing online banking phishing threats, specifically for local Malaysian banks.
DontPhishMe is a browser add-on that alerts you if an online banking web page that you visit appears to be asking for your personal or financial information under false pretenses. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That’s why it’s important to browse safely with DontPhishMe. DontPhishMe will automatically warn you when you encounter a page that’s trying to trick you into disclosing personal information.
Get this add-on for Mozilla Firefox and Google Chrome.
Cyber999 Help Centre
Cyber999 is a service provided for Internet users to report or escalate computer security incidents.
Computer security incidents may be reported to Cyber999 in the following ways:
SMS: CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Telephone: office hours 1-300-88-2999; 24x7 (emergency) +6019-266 5850
Calls to MyCERT and the Cyber999 hotline are monitored during business hours (9:00 AM – 6:00 PM)
Web reporting: http://www.mycert.org.my
Email: cyber999 [at] cybersecurity.my
Thank You
Jayaseelan Vejayon
Assistant Director & Head
Information & Communications Technology Division
Quest International University Perak
jayaseelan.vejayon@qiup.edu.my
http://jayitsecurity.blogspot.com
Don’t be a phishing victim…it is NO “PHUN”
Think before you click!

Contenu connexe

Tendances

PHISHING PROJECT REPORT
PHISHING PROJECT REPORTPHISHING PROJECT REPORT
PHISHING PROJECT REPORT
vineetkathan
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposed
tamfin
 
Ict Phishing (Present)
Ict   Phishing (Present)Ict   Phishing (Present)
Ict Phishing (Present)
aleeya91
 
P H I S H I N G
P H I S H I N GP H I S H I N G
P H I S H I N G
temi
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
Aryan Ragu
 

Tendances (20)

Phishing
PhishingPhishing
Phishing
 
PHISHING attack
PHISHING attack PHISHING attack
PHISHING attack
 
PHISHING PROJECT REPORT
PHISHING PROJECT REPORTPHISHING PROJECT REPORT
PHISHING PROJECT REPORT
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS Working
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Phishing
PhishingPhishing
Phishing
 
Phishing: Swiming with the sharks
Phishing: Swiming with the sharksPhishing: Swiming with the sharks
Phishing: Swiming with the sharks
 
Seminaar Report of Phishing VIII Sem
Seminaar Report of Phishing VIII SemSeminaar Report of Phishing VIII Sem
Seminaar Report of Phishing VIII Sem
 
Phishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark WorldPhishing--The Entire Story of a Dark World
Phishing--The Entire Story of a Dark World
 
Phishing attack till now
Phishing attack till nowPhishing attack till now
Phishing attack till now
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Phishing attack
Phishing attackPhishing attack
Phishing attack
 
A presentation on Phishing
A presentation on PhishingA presentation on Phishing
A presentation on Phishing
 
Phishing
PhishingPhishing
Phishing
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposed
 
Ict Phishing (Present)
Ict   Phishing (Present)Ict   Phishing (Present)
Ict Phishing (Present)
 
P H I S H I N G
P H I S H I N GP H I S H I N G
P H I S H I N G
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
 
Phishing
PhishingPhishing
Phishing
 
Phishing
PhishingPhishing
Phishing
 

En vedette

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
amiable_indian
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
Conferencias FIST
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
Jeremiah Grossman
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security
Malachi Jones
 
100+ Growth Hacks & What Is Growth Hacking?
100+ Growth Hacks & What Is Growth Hacking?100+ Growth Hacks & What Is Growth Hacking?
100+ Growth Hacks & What Is Growth Hacking?
Casey Armstrong
 

En vedette (20)

The Web, The User and the Library (and why to get in between)
The Web, The User and the Library (and why to get in between)The Web, The User and the Library (and why to get in between)
The Web, The User and the Library (and why to get in between)
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKING
 
Google as a Hacking Tool
Google as a Hacking ToolGoogle as a Hacking Tool
Google as a Hacking Tool
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Circular Economy - And Open Source + Hacking As Paths To It
Circular Economy - And Open Source + Hacking As Paths To It Circular Economy - And Open Source + Hacking As Paths To It
Circular Economy - And Open Source + Hacking As Paths To It
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
Google hacking 2015
Google hacking 2015Google hacking 2015
Google hacking 2015
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
 
How To Be A Hacker
How To Be A HackerHow To Be A Hacker
How To Be A Hacker
 
Hacking For Innovation Delhi
Hacking For Innovation DelhiHacking For Innovation Delhi
Hacking For Innovation Delhi
 
Athens Bullseye Meetup #1
Athens Bullseye Meetup #1Athens Bullseye Meetup #1
Athens Bullseye Meetup #1
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
 
Hacking For Innovation
Hacking For InnovationHacking For Innovation
Hacking For Innovation
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
 
Computer hacking
Computer hackingComputer hacking
Computer hacking
 
Introduction to Unity3D Game Engine
Introduction to Unity3D Game EngineIntroduction to Unity3D Game Engine
Introduction to Unity3D Game Engine
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security
 
100+ Growth Hacks & What Is Growth Hacking?
100+ Growth Hacks & What Is Growth Hacking?100+ Growth Hacks & What Is Growth Hacking?
100+ Growth Hacks & What Is Growth Hacking?
 
Grow Hack Athens Pt.1: Growth Hacking For Web Apps
Grow Hack Athens Pt.1: Growth Hacking For Web AppsGrow Hack Athens Pt.1: Growth Hacking For Web Apps
Grow Hack Athens Pt.1: Growth Hacking For Web Apps
 

Similaire à Phishing-Updated

Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE 1 .docx
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE  1 .docxRunning head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE  1 .docx
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE 1 .docx
wlynn1
 
CYBER CRIMEThe crime which is performed through internet is called .pdf
CYBER CRIMEThe crime which is performed through internet is called .pdfCYBER CRIMEThe crime which is performed through internet is called .pdf
CYBER CRIMEThe crime which is performed through internet is called .pdf
annaielectronicsvill
 
PhishingandPharming
PhishingandPharmingPhishingandPharming
PhishingandPharming
Dawn Hicks
 

Similaire à Phishing-Updated (20)

Phising
PhisingPhising
Phising
 
Internet Fraud
Internet FraudInternet Fraud
Internet Fraud
 
123.pptx
123.pptx123.pptx
123.pptx
 
Features of-scam
Features of-scamFeatures of-scam
Features of-scam
 
Cyber Fraud
Cyber Fraud Cyber Fraud
Cyber Fraud
 
Online Scams and Frauds
Online Scams and FraudsOnline Scams and Frauds
Online Scams and Frauds
 
Phish Phry- Analysis paper
Phish Phry- Analysis paper Phish Phry- Analysis paper
Phish Phry- Analysis paper
 
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE 1 .docx
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE  1 .docxRunning head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE  1 .docx
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE 1 .docx
 
2.Cyber law and Crime.pptx
2.Cyber law and Crime.pptx2.Cyber law and Crime.pptx
2.Cyber law and Crime.pptx
 
Driving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your EnemyDriving Payment Innovation - Know Your Enemy
Driving Payment Innovation - Know Your Enemy
 
Cyber crime
Cyber crime Cyber crime
Cyber crime
 
IB Fraud
IB FraudIB Fraud
IB Fraud
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
CYBER CRIMEThe crime which is performed through internet is called .pdf
CYBER CRIMEThe crime which is performed through internet is called .pdfCYBER CRIMEThe crime which is performed through internet is called .pdf
CYBER CRIMEThe crime which is performed through internet is called .pdf
 
Phishing Technology
Phishing TechnologyPhishing Technology
Phishing Technology
 
Cyber Security Motivation
Cyber Security MotivationCyber Security Motivation
Cyber Security Motivation
 
PhishingandPharming
PhishingandPharmingPhishingandPharming
PhishingandPharming
 
Cyber crime in Pakistan
Cyber crime in PakistanCyber crime in Pakistan
Cyber crime in Pakistan
 
Identity theft 10 mar15
Identity theft 10 mar15Identity theft 10 mar15
Identity theft 10 mar15
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization

Phishing-Updated

  • 1. PHISHING ATTACKS: How Vulnerable Are We? by Jayaseelan Vejayon MCP, CNE6, CEH
  • 2. Agenda: What is phishing? The statistics. How is it done? How to avoid it? The main objective of this seminar presentation is to create awareness about phishing.
  • 3. So…what is phishing? • It is a crime, and it is committed by fraudsters who can persuade victims to respond to a “legitimate-looking” email or click on a seemingly safe link. • To do that, the attackers create emails to play on human emotions, it is a con - it is a type of deception. http://www.livehacking.com/tag/phishing/
  • 4. Although phishing is a modern crime for the Internet age, the forces behind it, manipulation, deceit and persuasion, are not. We can trace these tricks back to our epics, and even to children's fairy tales!
  • 5. Why phish, bad guy??? • It is designed to steal your valuable personal data – credit card numbers – passwords – account data – other important personal information
  • 6. Your data can be sold for money! Value of a stolen credit card, by issuing region and brand:
  US:     Visa $2, MasterCard $3, American Express $5, Discover $6
  UK:     Visa $4, MasterCard $4, American Express $6, Discover $6
  EU:     Visa $6, MasterCard $6, American Express $8, Discover $8
  Canada: Visa $3, MasterCard $3, American Express $6, Discover $6
  • 7. What is the value?? Goods and services advertised on underground economy servers (share of all advertisements, current period vs previous, and asking price):
  Rank  Last  Goods and services            Current  Previous  Prices
  1     2     Bank accounts                 22%      21%       $10-1000
  2     1     Credit cards                  13%      22%       $0.40-$20
  3     7     Full identity                 9%       6%        $1-15
  4     N/R   Online auction site accounts  7%       N/A       $1-8
  5     8     Scams                         7%       6%        $2.50/wk - $50/wk (hosting); $25 design
  6     4     Mailers                       6%       8%        $1-10
  7     5     Email addresses               5%       6%        $0.83-$10/MB
  8     3     Email passwords               5%       8%        $4-30
  9     N/R   Drop (request or offer)       5%       N/A       10-50% of drop amount
  10    6     Proxies                       5%       6%        $1.50-$30
  Source: http://www.symantec.com/threatreport/topic.jsp?id=fraud_activity_trends&aid=underground_economy_servers
  • 8. Why is phishing so easy to pull off? Internet users rely heavily on webmail and social networking sites. By using phishing attacks to obtain access to Facebook or Gmail, a successful attack opens the door to many other services: once an email account is taken over with credentials captured during a phishing attack, the attacker can use its "forgot password" flow to reset the passwords of other important accounts registered to that address.
  • 10. The history. Phreaking + Fishing = Phishing. Phreaking: making phone calls for free, back in the 1970s. Fishing: using bait to lure the target. Phishing in 1995. Target: AOL users. Purpose: getting account passwords for free online time. Threat level: low. Techniques: lookalike names (www.ao1.com for www.aol.com), social engineering.
  • 11. The history (cont'd). Phishing in 2001. Target: eBay users and major banks. Purpose: getting credit card numbers and accounts. Threat level: medium. Techniques: the same as in 1995, plus keyloggers. Phishing in 2007. Target: PayPal, banks, eBay. Purpose: bank accounts. Threat level: high. Techniques: browser vulnerabilities, link obfuscation.
  • 12. • 2,000,000 emails are sent • 5% get to the end user – 100,000 (APWG) • 5% click on the phishing link – 5,000 (APWG) • 2% enter data into the phishing site –100 (Gartner) • $1,200 from each person who enters data (FTC) • Potential reward: $120,000 A bad day phishin’, beats a good day workin’ In 2005 David Levi made over $360,000 from 160 people using an eBay Phishing scam APWG: Anti-Phishing Working Group; FTC: Federal Trade Commission
  • 13. The David Levi eBay Phishing Scam (2005). Led by two brothers, Guy Levi, 22, and the ringleader, David Levi, 28. Complaints were received from eBay users who had paid for laptops and Rolex watches that never arrived. Lett, the computer expert in the gang, used a software tool of the spam trade called Atomic Harvester to sweep the internet, gathering around 6,000 email addresses. He wrote to more than 2,000 of these addresses, purporting to be eBay.
  • 14. The Levis and Lett wanted the usernames and passwords of highly-rated eBay sellers. Anyone trading on eBay has a feedback score and a percentage feedback rating. If a seller has positive feedback rated at, say, 98%, a bidder will trust the seller to deliver. So Lett hijacked such accounts. First he changed the passwords, to lock out the real account holders; then he and the Levis started selling. Those who fell for their ads for high-value items like Sony Vaio laptops and Rolex Daytona watches, using text and images lifted from legitimate ads, would be contacted by email and persuaded to pay off-line. Police located 160 people who paid money to David Levi's gang; there may have been others. The police had evidence of almost £200,000 in criminal gains but they suspect that the total figure was more than twice as much. Source: Out-Law Magazine, Winter 2005, Issue 13.
  • 15. RSA’s figure on phishing attacks (Q1, 2012) • The news is not good • Attacks rose again (for the 4th time) • 19% increase compared to the second half of 2011 • The estimated worldwide financial losses – US$687 million The Statistics
  • 16. Top 5 countries targeted: UK, US, Canada, Brazil, South Africa. Canada was affected by a significant increase in phishing, nearly 400%, in Q1 2012.
  • 17. Canada’s economic health during that period was good and this only shows that fraudsters follow the money!!! The Statistics
  • 18. Google: the Internet is a dangerous place. June 2012 findings: Google detects 9,500 new malicious websites every day. Some are innocent websites that have been hacked to serve up malware; others are built specifically for the purpose of distributing malware. Google displays over 300,000 download warnings every day via the download protection service built into Chrome.
  • 19. • The number of phishing sites has peaked in 2012 with over 300,000 new phishing sites found per month. • Approximately 12-14 million Google Search queries per day result in a web browser showing a warning advising users not to visit a currently compromised site. Google: Internet is a dangerous place
  • 20. A tank full of phish http://www.phishtank.com/
  • 22. Most Targeted Industry Sectors 3rd Quarter ’12 Chart – APWG Report
  • 23. Most Targeted Industry Sectors 4th Quarter ’12 Chart – APWG Report
  • 24. Antiphishing.my is a portal that provides information related to phishing sites targeting Internet users in Malaysia. https://www.antiphishing.my/statistics/
  • 26. Don't fall prey to online banking scams. The Star Online, 19 February 2011. PETALING JAYA: Internet users must ensure they install all necessary updates and use reputable anti-virus software so they don't fall prey to online banking scams. HSBC Bank Malaysia Berhad general manager for personal financial services, Lim Eng Seong, said the number of Malaysians opting for online banking was increasing. "Most banks offer safety advice on the login page of their e-banking websites to warn users about the existence of such scams," he said. Whenever there is a report of a scam, the bank immediately contacts Cyber Security Malaysia's Computer Emergency Response Team (CERT) to remove the phishing website. "For phishing websites operating from outside the country, we seek the assistance of the country's local CERT team to shut down the website," he said. Travel agent Safura Mokhtar, 41, recently became a victim of a phishing scam. She lost RM4,600 but the local bank refused to offer her a refund although she was quick to report the incident. She had received an e-mail, claiming to be from the bank, in November last year. "The e-mail stated that I needed to log in immediately to update my contact information for security purposes," said Safura, who unsuspectingly clicked on the link provided. "I am new to online banking and I was not aware that such scams existed," said Safura, who later received a text message from the bank informing her that money had been transferred out of her account. She received a letter from the bank a week later informing her that they could not compensate her for her losses. She was then referred to the Financial Mediation Bureau (FMB), which told her investigations would take up to six months. "Cases of online banking scams in Malaysia have been increasing since the first such case was registered in 2005," said FMB CEO John Thomas. Statistics from FMB showed that the number of cases had increased from only 46 in 2008 to 163 in 2010. On the chances of victims getting their money back, Thomas said that of the 163 cases last year, only 51 victims managed to get part or all of their money back. A check with Bank Negara showed that as of December last year, there were 9.8 million e-banking account holders in the country.
  • 30. What Does a Phishing Scam Look Like? As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites
  • 34. Page accessed on 16 June 2013
  • 35. A good phish targets weaknesses and lapses in human nature. For example, we often click “OK” without reading a warning. A phish needs YOUR HELP in order to succeed. Phishing is often conducted by organized crime. Phishing groups are dynamic and can be in any country. They often use people in multiple countries simultaneously. Credit and debit card users are the primary targets of phishers right now (going for fast cash). Phishing can come in more than one form: email, instant messages, pop-up, online postings, and telephone. Phishing Quick Facts https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts
  • 36. A phish NEVER includes a real email address for the phisher, so it is pointless to reply to one. A phish has a hook (Trust us. Here’s why.), a required action (Here’s what we want you to do.), and a push (Hurry, act now!). Most servers that host phish sites are legitimate servers that have been compromised. Phishers must use the site’s URL or IP address in the phish. Some servers that host phish sites are fraudulently registered. Phishers can use any URL and try to make it similar to the victim site. https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts Phishing Quick Facts
  • 37. Spear-phishing: improved target selection. Social-aware attacks: mine social relationships from public data, so the phishing email appears to arrive from someone known to the victim; use the spoofed identity of a trusted organization to gain trust; urge victims to update or validate their account; threaten to terminate the account if the victim does not reply; use a gift or bonus as bait; make security promises. Context-aware attacks: "Your bid on eBay has won!", "The books on your Amazon wish list are on sale!"
  • 38. Phishing techniques. Employ visual elements from the target site. URL and hostname tricks (often mislabelled "DNS tricks"; no DNS manipulation is involved): www.ebay.com.kr (a different domain that merely starts with the brand name), www.ebay.com@192.168.0.5 (everything before the @ is user information, not the host), www.gooogle.com (lookalike spelling). Certificates: phishers can acquire certificates for domains they own, and certificate authorities make mistakes, so a valid certificate only proves the connection goes to the domain shown, not that the domain is the bank's.
  • 39. How is it done? Some live examples… Cloning a Website •Manually create a website with logos and themes of the legitimate website •Automatically create website using tools – i.e BackTrack Social Engineering tools Live Demo
  • 40. How is it done? Some live examples… URL tricks: www.ebay.com.kr, www.ebay.com@192.168.0.5, www.gooogle.com. In a URL of the form http://user:password@host/, anything between http:// and the @ is user information (HTTP basic-authentication credentials), not the host name: the browser connects to whatever follows the @. If the site does not ask for credentials, the browser simply discards them and the page loads as usual, so www.ebay.com@192.168.0.5 takes you to 192.168.0.5. Modern browsers blunt this particular trick (Internet Explorer stopped accepting user information in HTTP URLs in 2004, and Firefox asks for confirmation before sending it), but the visible link text can still say anything.
  • 41. How is it done? Some live examples… To access a website, we can use: a domain name (www.google.com.my), an IP address (74.125.135.94), or the IP address as a single decimal value (1249740638). An IPv4 address is just a 32-bit number, so 74.125.135.94 = 74·256³ + 125·256² + 135·256 + 94 = 1249740638, and browsers accept that form. Now I can use http://www.cimbclicks.com.my@1249740638 to provide a link which looks legitimate but actually diverts you to another site.
  • 42. How is it done? Some live examples… Text and link: in an HTML email the text you see and the address the link really opens are separate things, so each of the following can point at the same fake site: "Click here to CIMBClicks' site", "CIMBClicks", and even "http://www.cimbclicks.com.my". Hover over the link (or inspect the message source) to see the real target.
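The three tricks above (user information before the @, a host written as one decimal number, and link text that disagrees with the href) can all be caught mechanically. The following is an added example and not part of the slides: it pulls every anchor out of an HTML mail body and reports where each one really goes. The sample mail body, the /login path and the bank host names are constructed for the example; only 74.125.135.94 and 1249740638 come from slide 41.

```python
"""Dissect phishing-style links: userinfo@host, numeric hosts, text/href mismatch."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


def decode_numeric_host(host):
    """Dotted-quad form of a host written as one integer (decimal, 0x hex or
    leading-0 octal), or None when the host is an ordinary name."""
    try:
        if host.lower().startswith("0x"):
            n = int(host, 16)
        elif len(host) > 1 and host.startswith("0") and host.isdigit():
            n = int(host, 8)
        else:
            n = int(host)
    except ValueError:
        return None
    if not 0 <= n < 2 ** 32:
        return None
    return str(ipaddress.IPv4Address(n))


def analyze_link(text, href):
    """Describe where href really leads and whether the visible text agrees."""
    parts = urlsplit(href)
    real_host = (parts.hostname or "").lower()   # urlsplit already drops user:pass@
    findings = []
    if parts.username is not None:
        findings.append("userinfo before '@': '%s' is not the host; the browser connects to '%s'"
                        % (parts.username, real_host))
    decoded = decode_numeric_host(real_host)
    if decoded is not None:
        findings.append("numeric host %s is the address %s" % (real_host, decoded))
        real_host = decoded
    # Only compare when the visible text itself looks like a host name or URL.
    shown = text.strip().lower()
    if "." in shown and " " not in shown:
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host != real_host:
            findings.append("link text shows '%s' but the link goes to '%s'" % (shown_host, real_host))
    return {"text": text, "href": href, "real_host": real_host, "findings": findings}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None


def analyze_html(html):
    """Run analyze_link over every anchor in an HTML mail body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [analyze_link(text, href) for text, href in parser.links]


# Constructed sample body (not a real message): the three link texts from slide 42,
# each pointing at the decimal form of 74.125.135.94 with the bank's name as "user",
# plus one honest link for contrast.
SAMPLE_HTML = """
<p>Dear customer, please log in now:</p>
<a href="http://www.cimbclicks.com.my@1249740638/login">Click here to CIMBClicks' site</a>
<a href="http://www.cimbclicks.com.my@1249740638/login">CIMBClicks</a>
<a href="http://www.cimbclicks.com.my@1249740638/login">http://www.cimbclicks.com.my</a>
<a href="https://www.cimbclicks.com.my/">https://www.cimbclicks.com.my/</a>
"""

if __name__ == "__main__":
    for result in analyze_html(SAMPLE_HTML):
        print("%r -> %s" % (result["text"], result["real_host"]))
        for finding in result["findings"]:
            print("   !", finding)
```

Note that the first two links produce only the userinfo and numeric-host findings: plain words such as "CIMBClicks" are not compared against the host, because the deception there is in the wording, not in a claimed address.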
  • 43. How is it done? Some live examples… Spoof the email account Email spoofing is the creation of email messages with a forged sender address - something which is simple to do because the core SMTP protocols do no authentication. It is commonly used in spam and phishing emails to hide the origin of the email message (Wikipedia) •Eg. Deadfake (http://deadfake.com/Send.aspx)
  • 44. How is it done? Some live examples… Email message. From: jayaseelan.vejayon@qiup.edu.my. Subject: URGENT: Change Your Password. Message: Dear Colleagues, There is a security breach in our environment. Please change your password immediately! Please click on the link below and follow the instructions on the screen. http://mail.quip.com.my. Failing to change your password by COB today will cause your account to be suspended. (Note the link target: mail.quip.com.my is a transposition of the real qiup.edu.my domain, under a different top-level domain; the sender address is forged and the link does not go to the university's mail server.)
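Because SMTP does not verify the From: header, the receiving mail server has to do it: SPF checks that the sending IP is allowed for the envelope sender's domain, DKIM checks for a signature by the claimed domain, and DMARC requires one of those to align with the visible From: domain. The following added example, which is not part of the slides, parses a received message and applies the checks a mail gateway or an analyst would make on a message like the one on slide 44. Both raw messages below are constructed for the example: the mailer host, the IP address and the Authentication-Results values are made up, and the link https://mail.qiup.edu.my/policy is an assumed legitimate address.

```python
"""Header and link checks for a suspected spoofed email (RFC 5322 message)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed spoof of the slide-44 message: forged From:, envelope sender on an
# unrelated host, failing SPF/DMARC, and a link to the lookalike quip.com.my.
SPOOFED_MAIL = b"""\
Return-Path: <bounce@mailer-9a7.example.net>
Received: from mailer-9a7.example.net (mailer-9a7.example.net [203.0.113.45])
    by mx.qiup.edu.my with ESMTP; Mon, 17 Jun 2013 09:12:31 +0800
Authentication-Results: mx.qiup.edu.my; spf=fail smtp.mailfrom=mailer-9a7.example.net;
    dkim=none; dmarc=fail header.from=qiup.edu.my
From: Jayaseelan Vejayon <jayaseelan.vejayon@qiup.edu.my>
To: staff@qiup.edu.my
Subject: URGENT: Change Your Password

Dear Colleagues,

There is a security breach in our environment. Please change your password
immediately: http://mail.quip.com.my
Failing to change your password by COB today will cause your account to be suspended.
"""

# Constructed genuine message for contrast: aligned sender, passing checks, link on the real domain.
LEGIT_MAIL = b"""\
Return-Path: <jayaseelan.vejayon@qiup.edu.my>
Authentication-Results: mx.qiup.edu.my; spf=pass smtp.mailfrom=qiup.edu.my;
    dkim=pass header.d=qiup.edu.my; dmarc=pass header.from=qiup.edu.my
From: Jayaseelan Vejayon <jayaseelan.vejayon@qiup.edu.my>
To: staff@qiup.edu.my
Subject: Password policy reminder

Please review the policy at https://mail.qiup.edu.my/policy before Friday.
"""


def check_message(raw):
    """Return sender domains, parsed authentication results and a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, header_from = parseaddr(str(msg.get("From", "")))
    _, envelope_from = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = header_from.rpartition("@")[2].lower()
    env_domain = envelope_from.rpartition("@")[2].lower()
    # Authentication-Results as written by the receiving MX, e.g. "spf=fail ... dkim=none ... dmarc=fail".
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", "")).lower()))
    findings = []
    if env_domain and env_domain != from_domain:
        findings.append("envelope sender domain %s differs from From: domain %s"
                        % (env_domain, from_domain))
    if auth.get("spf") != "pass":
        findings.append("SPF result for the envelope sender: %s" % auth.get("spf", "missing"))
    if auth.get("dkim") != "pass":
        findings.append("no valid DKIM signature (%s)" % auth.get("dkim", "missing"))
    if auth.get("dmarc") == "fail":
        findings.append("DMARC fails for header.from=%s: the visible From: is not authenticated"
                        % from_domain)
    # Links that lead outside the sender's own domain are the payload of the phish.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlsplit(url).hostname or "").lower()
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append("link host %s is not under the sender's domain %s" % (host, from_domain))
    return {"from_domain": from_domain, "envelope_domain": env_domain,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MAIL), ("legitimate", LEGIT_MAIL)):
        report = check_message(raw)
        print(label, report["auth"])
        for finding in report["findings"]:
            print("   !", finding)
```

The Authentication-Results header is trusted only because it was written by our own receiving server; a gateway should strip any copy of that header arriving from outside before adding its own, otherwise an attacker can simply include a passing one.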
  • 45. How to tell if an e-mail message is fraudulent. Here are a few phrases to look for. "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam. "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. Phishing e-mail might even claim that your response is required because your account might have been compromised.
  • 46. "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name. "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked", meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.
  • 47. Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as: www.micosoft.com (a letter omitted), www.mircosoft.com (two letters transposed), www.verify-microsoft.com (the brand embedded in a different domain).
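The three alterations on slide 47 (a letter added, omitted or transposed) are all one edit apart from the genuine name, and the verify-microsoft.com case is the brand embedded in a different registrable domain. The added example below, which is not part of the slides, scores a hostname against a list of brands using an edit distance that counts an adjacent transposition as a single edit, so that mircosoft and the quip/qiup swap from slide 44 both score 1. The brand list and the short public-suffix list are constructed for the example; a real deployment would use the full Public Suffix List.

```python
"""Lookalike-domain check: typo distance and brand-embedding against known brands."""

# Brands to protect (constructed for the example).
BRANDS = {"microsoft.com", "qiup.edu.my", "ebay.com", "google.com", "paypal.com"}

# Multi-label public suffixes we care about (assumption; the real list is much longer).
SUFFIXES = ("edu.my", "com.my", "co.uk", "com.kr")


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transpose
    return d[len(a)][len(b)]


def registrable_domain(host):
    """The part of host that someone actually registered: label + public suffix."""
    labels = host.lower().strip(".").split(".")
    for suffix in SUFFIXES:
        n = len(suffix.split("."))
        if host.lower().endswith("." + suffix) and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def impersonation_check(host, brands=BRANDS, max_distance=2):
    """Report which protected brand(s) host appears to imitate, and how."""
    reg = registrable_domain(host)
    findings = []
    if reg in brands:
        return {"host": host, "registrable": reg, "findings": findings}
    label = reg.split(".")[0]
    for brand in sorted(brands):
        brand_label = brand.split(".")[0]
        dist = damerau_levenshtein(label, brand_label)
        if dist == 0:
            # Same word, different suffix: www.ebay.com.kr is not ebay.com.
            findings.append("'%s' reuses the brand label '%s' under a different suffix" % (reg, brand))
        elif dist <= max_distance:
            findings.append("'%s' is %d edit(s) from '%s'" % (reg, dist, brand))
        elif brand_label in label:
            findings.append("'%s' embeds the brand '%s' in a different registrable domain" % (reg, brand))
    return {"host": host, "registrable": reg, "findings": findings}


if __name__ == "__main__":
    for h in ("www.microsoft.com", "www.micosoft.com", "www.mircosoft.com",
              "www.verify-microsoft.com", "mail.quip.com.my", "www.ebay.com.kr",
              "www.gooogle.com"):
        report = impersonation_check(h)
        print(h, "->", report["registrable"], report["findings"] or "ok")
```

Edit distance is a coarse filter: it flags www.gooogle.com but also any innocent short name that happens to be near a brand, so in practice it is paired with the visual and homoglyph checks and a whitelist of the organisation's own domains.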
  • 48. How do I avoid becoming a victim? Never respond to an email asking for personal information. Always check that you are on the real site: the address bar must show https:// and the bank's own domain, not merely a page that looks right. Call the bank's published phone number if in doubt. Never click on the link in the email; retype the address in a new window. Keep your browser updated. Keep antivirus definitions updated. Use a firewall. Don't ignore browser warnings: since legitimate sites can be hacked and modified to contain malware, don't visit a website if a browser warning is shown, no matter how well-known the website is to you. P.S.: Always shred your documents before discarding them.
  • 49. Don't fall for the myths… "It's hard for criminals to duplicate my institution's website, so if it looks good, it must be the real site." The truth: many fake sites look identical to the original site. "If I see a lock anywhere on the page, I know it is a secure website." The truth: the lock that signifies a secure connection must appear in the browser's own chrome (the address bar), not as a picture inside the web page, and even a genuine lock only proves the connection to the domain shown is encrypted, not that the domain is your bank's. "I can tell by the poor grammar if it is a phish." The truth: fake sites often have perfect grammar and spelling. https://www.hvfcu.org/eservices/safe-computing/phishing/phishing-quick-facts
  • 50. DontPhishMe is an initiative of MyCERT, CyberSecurity Malaysia, to provide a security mechanism for preventing online banking phishing threats specifically for local Malaysian banks. DontPhishMe is a browser add-on that alerts you if an online banking web page you visit appears to be asking for your personal or financial information under false pretences. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. DontPhishMe will automatically warn you when you encounter a page that is trying to trick you into disclosing personal information. Get this add-on for Mozilla Firefox and Google Chrome.
  • 51. Cyber999 Help Centre Cyber999 is a service provided for Internet users to report or escalate computer security incidents. Computer security incidents may be reported to Cyber999 via the following ways: SMS: CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888 TELEPHONE: Office Hours: 1-300-88-2999 24x7 (Emergency): +6019 - 266 5850 Calls to MyCERT and the Cyber999 Hotline are monitored during the business hours (9:00 AM – 6:00 PM) WEB REPORTING: http://www.mycert.org.my EMAIL: cyber999 [at] cybersecurity.my
  • 52. Thank You. Jayaseelan Vejayon, Assistant Director & Head, Information & Communications Technology Division, Quest International University Perak. jayaseelan.vejayon@qiup.edu.my, http://jayitsecurity.blogspot.com. Don't be a phishing victim… it is NO "PHUN". Think before you click!

Editor's notes

  1. Social engineering is understood as the art of manipulating people into performing actions that reveal their confidential information.