
An Evaluation of Traditional Phishing Vs Mobile Vishing https://imgur.com/gallery/6TL9R Jamie Burkinshaw Ethical Hacking 4 - 2013/14.




2 An Evaluation of Traditional Phishing Vs Mobile Vishing https://imgur.com/gallery/6TL9R Jamie Burkinshaw Ethical Hacking 4 - 2013/14

3 Abstract Aspects of traditional email phishing were identified, including HTML email generation and website cloning. A phishing email was examined and weaknesses were found. These weaknesses were addressed and an email was generated with a higher likely success rate. A website was cloned and compared against the original and was found to be identical. This means that if a cognitive bias could be triggered in the target to make them access the website, it is unlikely they would realise it was fake. Aspects of vishing were also identified, including interactive voice response systems and dual-tone multi-frequency signals. Methods of carrying out a vishing attack were also examined, such as manually deciphering the tones by ear, creating a piece of computer software to perform the task, or creating an application for a mobile device. The latter is the method that was attempted in this investigation. The application created was intended to play recorded messages to a target who had called and to record the dual-tone multi-frequency (DTMF) tones used to respond. The application was a success and DTMF tones were decoded. A conclusion was drawn that even though traditional phishing is easier and quicker, it is so well known that more and more people are becoming aware of how to spot fake emails, meaning that with enough time to set up the attack, vishing could be a more effective solution in a penetration testing environment.

4 Aims The aims of this investigation are as follows:
– To investigate traditional phishing methods.
– To investigate vishing methods.
– To attempt to create an application capable of aiding a vishing attack.

5 Introduction Social engineering is defined as “the act of manipulating a person to take an action that may or may not be in the “target’s” best interest. This may include obtaining information, gaining access, or getting the target to take certain action.” (Hadnagy, 2011) Triggering cognitive biases in targets by causing them to feel strong positive or negative emotions can allow their credentials to be obtained. Social engineering is a big threat to businesses: over half of the companies surveyed by Checkpoint had suffered a social engineering attack resulting in a loss of between $25,000 and $100,000. Phishing emails are the most common source of attack.

6 Phishing “An e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients” (Rouse, M. 2007)
– Traditional: send the same email to many people, requesting that they respond with their details.
– Spear: target a specific individual; more likely to succeed.
Online tools can be used to generate HTML emails that mimic those sent by organisations. SET can be used to generate exact copies of websites. Combining the two allows a spear-phishing attack to be carried out.

7 Credentials Harvested

8 Vishing Voice phishing: “The act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft” (Webopedia, 2014)
– DTMF tones: dual-tone multi-frequency tones, produced each time a button is pushed on a telephone keypad.
– IVR system: interactive voice response system, used by organisations to manage conversations without using an operator.
The tones can be decoded manually by ear, with PC software, or with a specially designed mobile application.

9 App Development 1 Aims for the app:
– To intercept an incoming phone call from a target.
– To play recorded messages to the target, mimicking an IVR system.
– To record the responses to the messages.
To prove the app is effective the operator should be able to:
– Export recorded sound to a PC.
– Analyse the sounds of the key presses by the target.
– Attempt to discern which keys the target entered.
The app will be developed for Android and tested on a Samsung Galaxy SIII.

10 App Development 2 MediaPlayer class used to play messages through the speakerphone:

    // Obtain the system audio service (cast required)
    AudioManager audioManager = (AudioManager) getSystemService(Context.AUDIO_SERVICE);
    Context appContext = getApplicationContext();
    // R.raw.welcome is the recorded greeting bundled with the app
    MediaPlayer player = MediaPlayer.create(appContext, R.raw.welcome);
    audioManager.setSpeakerphoneOn(true);   // route playback to the speakerphone
    player.start();

11 App Development 3 A broadcast receiver is used to launch the app when a phone call is about to be received. It is registered in the manifest; the .incoming class is told what to do when the broadcast is received:

    // Inside incoming.onReceive(Context context, Intent intent):
    Intent i = new Intent(context, MainActivity.class);
    i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);   // needed when starting an Activity from a receiver
    context.startActivity(i);

12 App Development 4 A button is created to answer the phone on button press:

    Intent a = new Intent(Intent.ACTION_ANSWER);
    startActivity(a);

The permission MODIFY_PHONE_STATE is “Not for use by third-party applications” (Android, 2014). To allow this piece of the application to be fully functional, the device used must be running Android version 2.2 or earlier.

13 App Development 5 Record phone-call audio from the microphone:

    final MediaRecorder audioRecorder = new MediaRecorder();
    audioRecorder.setAudioSource(MediaRecorder.AudioSource.MIC);          // input source: phone microphone
    audioRecorder.setOutputFormat(MediaRecorder.OutputFormat.DEFAULT);   // output container: default
    audioRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.DEFAULT);   // audio encoding: default
    audioRecorder.setOutputFile("/storage/extSdCard/recording.mp3");     // output file path on the SD card

Set the input source as the phone microphone. Set the output format and encoding to default. Set the output file path to the SD card. Permissions required:

14 App Testing A willing and informed volunteer acted as the caller and entered random numbers when prompted. The caller reported that the messages played were perfectly audible. Messages and the corresponding DTMF tones were successfully recorded.

15 Results Attempted to decode the first set of tones by ear: 50% success rate for 20 minutes' work. Attempted to decode the second set using DTMF Decoder software: 100% success rate for 2 minutes' work.

By ear:
    Number   Guess   Actual number
    1st      3       3
    2nd      6       6
    3rd      8       5
    4th      1       2

DTMF Decoder software:
    Number   Guess   Actual number
    1st      5       5
    2nd      1       1
    3rd      7       7
    4th      4       4
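The DTMF scheme from slide 8 and the software decoding from slide 15, as an added Python example that is not part of the original presentation or its Android app: each key is the sum of one row frequency and one column frequency, and the Goertzel algorithm measures the power at the eight candidate frequencies to pick the pair, which is why software gets every digit right in minutes where decoding by ear was 50%. The audio is constructed inline (no recording is read), and the thresholds min_power, min_ratio, rms_floor and the 40 ms minimum burst length are assumptions chosen for this clean signal rather than values from the presentation. For a defender the result is the presentation's own point: once keypad entries are in a recording, recovering them is mechanical, so an IVR prompt is not a safe channel for secrets.

```python
"""DTMF: synthesise keypad tones and decode them with the Goertzel algorithm.

Added example; not code from the presentation. Thresholds are assumptions
tuned for the clean, constructed signal built below.
"""
import math

RATE = 8000                        # samples per second (telephone-quality audio)
LOW = (697, 770, 852, 941)         # row frequencies in Hz
HIGH = (1209, 1336, 1477, 1633)    # column frequencies in Hz
KEYPAD = ("123A", "456B", "789C", "*0#D")


def key_to_freqs(key):
    """Map a keypad symbol to its (row, column) frequency pair."""
    for row, keys in enumerate(KEYPAD):
        col = keys.find(key)
        if col != -1:
            return LOW[row], HIGH[col]
    raise ValueError(f"not a DTMF key: {key!r}")


def pure_tone(freq, seconds=0.1, amplitude=0.5):
    """Constructed single sinusoid. On its own this is NOT a valid DTMF symbol."""
    n = int(round(seconds * RATE))
    return [amplitude * math.sin(2 * math.pi * freq * i / RATE) for i in range(n)]


def dtmf_tone(key, seconds=0.1, amplitude=0.5):
    """Constructed keypad audio: the row tone plus the column tone, as a phone emits."""
    f_low, f_high = key_to_freqs(key)
    low, high = pure_tone(f_low, seconds, amplitude), pure_tone(f_high, seconds, amplitude)
    return [a + b for a, b in zip(low, high)]


def silence(seconds):
    return [0.0] * int(round(seconds * RATE))


def goertzel_power(samples, freq):
    """Normalised power at `freq` (evaluated at the exact frequency, not a DFT bin).

    Returns roughly amplitude**2 for a sustained tone at `freq` and ~0 otherwise.
    """
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:                       # second-order recurrence, one pass over the data
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X(freq)|^2
    return power / (n / 2.0) ** 2


def decode_key(samples, min_power=0.02, min_ratio=3.0):
    """Return the key whose row and column tones both dominate, else None (silence/noise)."""
    def dominant(freqs):
        ranked = sorted(((goertzel_power(samples, f), i) for i, f in enumerate(freqs)), reverse=True)
        (best, idx), (second, _) = ranked[0], ranked[1]
        if best < min_power or best < min_ratio * second:   # too weak, or no clear winner
            return None
        return idx
    row, col = dominant(LOW), dominant(HIGH)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def decode_sequence(samples, frame_ms=10, min_tone_ms=40, rms_floor=0.05):
    """Split a recording into tone bursts by energy, decode each burst, return the digits."""
    frame = RATE * frame_ms // 1000
    min_len = (min_tone_ms // frame_ms) * frame   # drop blips shorter than a real key press
    keys, burst = [], []

    def flush():
        if len(burst) >= min_len:
            key = decode_key(burst)
            if key is not None:
                keys.append(key)
        burst.clear()

    for start in range(0, len(samples), frame):
        chunk = samples[start:start + frame]
        rms = math.sqrt(sum(x * x for x in chunk) / len(chunk))
        if rms > rms_floor:
            burst.extend(chunk)          # still inside a key press
        else:
            flush()                      # gap between presses: decode what we have
    flush()
    return "".join(keys)


if __name__ == "__main__":
    # Constructed recording: four key presses separated by 50 ms of silence.
    audio = []
    for k in "1234":
        audio += dtmf_tone(k) + silence(0.05)
    print(decode_sequence(audio))
```

decode_key deliberately rejects a single sinusoid or silence: a valid symbol needs one clear winner in each frequency group, which is what makes the dual-tone scheme robust to line noise and also what makes it trivially recoverable from any recording.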

16 Statistics Demopoulos Associates found that of 100 users, over half (53%) had heard of phishing. That study was conducted 9 years ago, so the figure has likely risen. A survey conducted during the course of this investigation showed that of 26 participants:
– 20 had heard of phishing; 14 could define it.
– 5 had heard of vishing; 4 could define it.

17 Conclusion Phishing is now a household term and, as shown by the survey results, it is becoming increasingly well known. Because of this it may be less likely to succeed, as targets will be more vigilant against any suspicious emails. Vishing could be a more successful method as it is not as well known; targets may believe that their information is safe when entered into a phone. It could be especially useful in penetration testing, where more time can be taken to set up the attack.

