Don’t be phooled by phishing - American University of Beirut


Office of Information Technology
“Lookout” Initiative
Phishing, what you should know
Important Note
The information published hereafter is just a collection of selected IT industry best practices and tips that might assist you in improving the security levels against computer related threats while exercising your computing activities.
The information published hereafter is not meant in any way to provide a comprehensive solution nor to ensure full protection against computer related threats.
What is Phishing?
> Phishing is a form of social engineering that is executed via electronic means and can lead to identity theft and fraud.
Social Engineering
> A social engineer is a polite cracker!!
> A social engineer is a person who will deceive or con others into divulging information that they wouldn’t normally share (credit card numbers, bank account information, passwords, etc.).
> He/she will build an inappropriate trust relationship with insiders.
Social Engineering
> He/she may seem:
  - Unassuming and respectable
  - Possibly claiming to be a new employee, repair person, or researcher, and even offering credentials to support that identity.
> Social Engineers use these techniques:
  - Appeal to vanity
  - Appeal to authority
  - Appeal to old-fashioned eavesdropping
Social Engineering
> Human Based:
  - In person.
  - Third-party authorization: The social engineer obtains the name of someone who has the authority to grant access to information.
  - Impersonation: A social engineer might impersonate any character and use certain privileges.
Social Engineering
> Electronic Based:
  - Targeted e-mail messages
  - Spam, chain letters and hoaxes
  - E-mail attachments
  - Pop-up windows
  - Spoofed websites
  - Instant messaging and chat rooms
  - Cell phone text messages (SMS)
(details in slides ahead)
Phishing: Real Life Example 1 - AUB
From: Unauthenticated AUBnet User [mailto:[email protected]]
Sent: Thursday, May 15, 2008 10:44 AM
To: undisclosed-recipients:
Subject: Dear Staff/Students, Please Confirm Your Account Immediately!!!
Dear Staff/Student,
To complete and validate your aub.edu.lb account, you must reply to this email immediately and enter your password here (*********)
Failure to do this will immediately render your Email Address deactivated from our database as this is part of our security measures to serve you better.
Thank you for being a part of AMERICAN UNIVERISTY OF BEIRUT COMMUNITY!
AMERICAN UNIVERISTY OF BEIRUT SUPPORT TEAM
From address: [email protected]
Reply to: [email protected]
Phishing: Real Life Example 1 - AUB
Phishing: Real Life Example 2 - AUB
Phishing: Real Life Example 2 - AUB
Phishing: Real Life Example 3 Common Tricks
Same old story, but a different version
Phishing: Real Life Example 4 Silly Reasoning
Yeah, right
From: MICROSOFT LOTTERY INC & WINDOWS LIVE [[email protected]]
Sent: Tuesday, July 22, 2008 10:28 PM
Subject:
MICROSOFT LOTTERY INC & WINDOWS LIVE.
WINNING NOTIFICATION
This is to inform you that you have won a prize money of One Million Great Britain Pound Sterlings(£1,000,000.00) for the month of July 2008 Lottery promotion which is organized by MICROSOFT LOTTERY INC & WINDOWS LIVE.
MICROSOFT WINDOWS collects all the email addresses of people that are active online, among the millions that subscribed to INTERNET we only select five people every Month as our winners through electronic balloting System without the winner applying,we congratulate you for being one of the people selected.
Contact him, please provide him with your batch number BATCH: YM 09102XM and your reference number REF NO: YM35447XM
Claims Requirements:
1. Name in full
2. Address
3. Nationality
4. Age
5. Sex
6. Occupation
7. Phone/Fax
8. Present Country
(CONTACT EVENT MANAGER).
Claims Agent: Sir Lenon Drill
Contact Email:[email protected] k
Your Sincerely
Mrs. Lane Watts.
Copyright © 2008 Microsoft Award Promo. All Rights Reserved.
Phishing: Real Life Example 5 Fake Sites
This one is easy! This is not the eBay site but a fake one.
Phishing: Real Life Example 6 Tricky URLs
Phishing: Real Life Example 6 Tricky URLs
Phishing: Real Life Example 7 Spyware
How to Avoid Becoming a Phishing Victim?
IMPORTANT NOTICE - EMAIL ALERT
> Rule 1: NEVER provide your PASSWORD to anyone
> Rule 2: AUB staff will NEVER request your PASSWORD via email
You may have read or heard of fraudulent e-mails that encourage recipients to provide their personal details such as user names and passwords. At AUB, we will never request your password via email. If you receive such an e-mail request, please delete it immediately.
How to Avoid Becoming a Phishing Victim?
> Phishers’ emails are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.
> Phishers typically include upsetting (usually threatening) information to get people to react immediately (e.g., claiming they will shut off your account).
How to Avoid Becoming a Phishing Victim?
> Phishers typically include exciting (but false) statements in their e-mails or pop-ups to entice people to access their web sites, e.g. claiming that you have won a prize or a lottery, or inherited wealth.
> Never respond to requests for personal or confidential information via email. When in doubt:
  - Call the institution that claims to have sent you the email.
  - Log in to their web site by typing their address in the browser address bar.
How to Avoid Becoming a Phishing Victim?
> If you suspect the message might not be authentic, don't use the links within the email to get to a web page; the web page can be spoofed.
> Never fill out forms in email messages that ask for confidential information; you should only communicate confidential information via a secure website.
How to Avoid Becoming a Phishing Victim?
> Always ensure that you're using a secure website when submitting credit card or other sensitive information via your web browser.
> Check the beginning of the web address in your browser's address bar - it should be ‘https://’ rather than just ‘http://’.
> Look for the locked padlock icon on your browser (IE; Netscape/Mozilla).
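The e-mail red flags from the earlier "How to Avoid" slides (impersonal greeting, threats and urgency, prize bait, a request for your password, a reply address that is not the sender) and the https/own-domain rule for links above, turned into a small scanner. This is an added example, not part of the AUB deck: the sample message is constructed after Real Life Example 1, and the example.edu / example.net addresses are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# One pattern per red flag the deck lists for e-mail bodies
RULES = {
    "impersonal greeting": re.compile(r"^\s*dear\s+(staff|student|customer|user)", re.I | re.M),
    "urgency or threat": re.compile(r"\b(immediately|deactivat\w*|suspend\w*|shut\s+off)\b", re.I),
    "prize bait": re.compile(r"\b(won|winner|lottery|prize|inherit\w*)\b", re.I),
    "asks for a password": re.compile(r"\b(password|pin|credit\s+card)\b", re.I),
}

def find_red_flags(raw_message: str) -> list:
    """Return the names of the deck's red flags found in a plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()                     # single-part text body only
    flags = [name for name, rx in RULES.items() if rx.search(body)]
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("Reply-To differs from From")   # replies go somewhere other than the sender
    if msg.get("To", "").lower().startswith("undisclosed-recipients"):
        flags.append("sent to undisclosed recipients")
    return flags

def link_is_trustworthy(url: str, expected_host: str) -> bool:
    """Deck rule for links: https only, and the host must be the institution's own domain."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return (p.scheme == "https"
            and p.username is None                # a user@ prefix would hide the real host
            and (host == expected_host or host.endswith("." + expected_host)))

# Constructed sample modelled on the deck's Real Life Example 1; addresses are placeholders
SAMPLE = """From: Unauthenticated AUBnet User <support@example.edu>
Reply-To: verify@example.net
To: undisclosed-recipients:;
Subject: Dear Staff/Students, Please Confirm Your Account Immediately!!!

Dear Staff/Student,
To complete and validate your account, you must reply to this email
immediately and enter your password here (*********)
Failure to do this will immediately render your Email Address deactivated.
"""

if __name__ == "__main__":
    print(find_red_flags(SAMPLE))
    print(link_is_trustworthy("https://www.example.edu/login", "example.edu"))
```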
How to Avoid Becoming a Phishing Victim?
> Never continue to a secure web site that has a problem with its security certificate.
> Internet browsers do present the user with an error message (example: IE7 message below).
How to Avoid Becoming a Phishing Victim?
> Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate, and if anything is suspicious, contact your bank and all card issuers.
> Ensure that your browser and OS software are up to date and that security patches are applied (Example: MS Outlook signatures of spam e-mails).
> Ensure antivirus and anti-spyware software is installed and current.
How to Avoid Becoming a Phishing Victim?
> Ensure that your browser phishing filter is turned ON. Example: IE7 phishing filter controls.
What to do if you Suspect a Phishing e-mail?
1. Stop: never reply, use any of the URL links embedded in the body, open attachments, or fill in online forms embedded in the e-mail body.
2. Report to IT: [email protected]
What to do if you Think you were a Victim?
1. If you believe you might have revealed sensitive AUB information or might have revealed information that could be used for identity theft or fraud, contact [email protected].
Test your Phishing IQ
Check this Website: http://survey.mailfrontier.com/survey/quiztest.html
Acknowledgements
> Office of Information Technology team
> Work-Study students: Marwa Abdul Baki, Donna Bazzi
> Comic strips are reproduced with permission. Please visit www.securityCartoon.com for more material.
> www.CartoonStock.com