Detecting Phishing Attacks: Theory, Cues, and Practice CSU PDI Steve Lovaas January 8, 2010
Overview
– What is phishing
– Overview of the problem
– Evolution of the attacks
– How to tackle the problem
– Awareness & Attitude
– Clues
– Practice
What is “Phishing”? (Example message.) From: Director of Technical Research, Université de la Sorbonne. To: Steve Lovas. Subject: Urgent! Please type your password:
Official Definitions. Social engineering: the act of manipulating people into performing actions or divulging confidential information. Phishing: social engineering in the form of fraudulent/deceptive e-mail, typically requesting personal/financial information or access credentials.
Practical Definitions
– Trying to trick you into doing something
– Exploiting established trust or a trusting nature
– Hoping you won’t pay adequate attention
– “Please send me your username, password, bank account number, credit card number, and SSN…”
Phishing Factors. Deceptive e-mail, usually broadly distributed. Addresses, subject, attachments, and message text can all be utilized to deceive:
Technical cues
– “Spoof” of a familiar source
– “Reply-to” that is different from “From”
Contextual cues
– Emotional appeals
– Current social issues, breaking news
– Appeal to entertainment, profit, etc.
– Money for nothing (too good to be true)
– DIRE CONSEQUENCES IN ALL CAPS
Linguistic (syntactical) cues
– Spelling errors
– Bad grammar
Recent Evolution of Tactics
Spearphishing
– From a carefully chosen source you should know
– Targeted specifically at members of an organization
– Graphics, style, tone carefully chosen to look right
– Becoming more common
More, better graphics
– More visual content = more likely to trust
– Media-rich content plays to our habits, tendencies
– Eventual inclusion of audio, video?
So What’s Going On? (Diagram: Sender → Message → Channel → Encoding → Decoding by many different receivers.) Whether a message “smells like phish” to a given receiver depends on: tendency to trust, empathy, technical understanding, culture, social norms, previous experience with sender.
How to Tackle the Problem?
– Technical defenses
– Technical/social environment
– Social norms
– User education/awareness
– User attitude
Protection Points (the same sender → message → channel → receiver diagram, annotated with where each defense applies): anti-virus, anti-spam; digital signatures; individual education; building organizational norms; highlighting current attacks.
Focus on Awareness & Attitude. Of course our ultimate goal is behavior (don’t fall victim)… but we can hope to achieve that by working on:
Awareness (our focus here today)
– Knowledge of the problem
– Knowledge of the tactics
– Ability to recognize attacks (cues)
Attitude (WHY you’re here today)
– Inclination to act
– Tendencies to trust or be suspicious
– Default behaviors
Clues/Cues in the Message What are some features of messages that can clue you in to a phishing attack? Things that make you go “hmm…”
Some Practice (annotations on a screenshot of a “mailbox capacity” phish):
– “mailbox capacity Account” (?)
– Impersonal greeting
– Grammar!
– NEVER do this!
– Bates??
– We don’t have anything called “Webmail Helpdesk”
– Expires in 4
More Practice
From:
Sent: Thursday, December 11, :00 AM
To: Samaniego,Rosalie
Subject: Electronic Tax Document Signup For Colorado State University

This has been sent by Colorado State University / ECSI asking for your consent to receive notification of your 1098-T tax form electronically. If you would like to receive notification electronically, please give your consent by following the link below, logging in, and following the instructions. If you would like to receive a paper copy of your 1098-T form, do nothing.

The benefits to receiving electronic notification are:
* Online delivery provides access to the form 1098-T earlier than the traditional mailing process.
* Online delivery eliminates the chance that the 1098-T will get lost, misdirected or delayed during delivery, or misplaced once the student receives it.
* Signing up for online delivery is easy and secure.
* Students can receive their 1098-T form even while traveling or on assignment away from their home address.

To give consent to receive your notification electronically, log in to the SECURE website below using the given information:
Step 1: Website: School Code: JW Account: (your Social Security Number or Student ID) Password:
Step 2: Under Account Tools, click "Signup for Electronic Tax Documents"
Step 3: Read information, check the consent box, verify your address, and click the submit button.

Thank you for your response.
ECSI's 1098-T Project Manager, Mike Trombetta
ECSI: Service Never Rests
181 Montour Run Road | Coraopolis, PA
v | f |

Cues flagged on this message:
– Who is ecsi.net?
– Request for a financial transaction
– Sent to a real user, but no personalized greeting, generic message
– Apparently wants my SSN??
– Use a password in the e-mail?
– No mention of anyone from CSU
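Several of the cues listed under “Phishing Factors” and flagged in the two practice messages (From/Reply-To disagreement, an unfamiliar sender domain, a display name claiming an internal role, dire consequences in all caps, a request for a password or SSN, a generic greeting, and a link whose visible address differs from its real target) can be checked mechanically. The checker below is an added example written for this page; it is not part of the original slides and not a CSU tool. The two sample messages, the addresses, the 192.0.2.10 host, the example.edu “trusted” domain and the list of internal-role words are all constructed assumptions for the demonstration. It reports cues, not a verdict: a real deployment would tune the lists and weights to its own organization.

```python
"""Heuristic phishing-cue checker over raw RFC 822 messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for the example: the reader's own domain stands in as
# "a familiar source", and these words in a display name claim an internal
# role (the slides note there is no "Webmail Helpdesk" at CSU).
TRUSTED_DOMAINS = {"example.edu"}
INTERNAL_ROLE_WORDS = ("helpdesk", "help desk", "it support", "webmail", "acns")

# Three or more consecutive all-caps words: DIRE CONSEQUENCES IN ALL CAPS.
CAPS_RUN = re.compile(r"\b[A-Z]{3,}(?:[\s:,!]+[A-Z]{3,}){2,}")
CRED_REQUEST = re.compile(
    r"\b(password|passcode|social security|ssn|credit card|account number)\b", re.I)
GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:valued\s+)?(?:customer|user|member|student|account holder|webmail user)\b",
    re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed sample modelled on the "mailbox capacity" phish in the slides.
SAMPLE_PHISH = """\
From: "Webmail Helpdesk" <helpdesk@webmail-support.example.net>
Reply-To: recover@mail-fix.example.org
To: user@example.edu
Subject: URGENT: YOUR MAILBOX CAPACITY HAS BEEN EXCEEDED
Content-Type: text/html

<html><body>
<p>Dear Webmail User,</p>
<p>Your account will be SUSPENDED within 24 hours. To keep it, reply with
your username and password, or click
<a href="http://192.0.2.10/login">http://webmail.example.edu/login</a>.</p>
</body></html>
"""

# Constructed sample of an ordinary internal notice that should raise no cue.
SAMPLE_LEGIT = """\
From: "ACNS Help Desk" <helpdesk@example.edu>
Reply-To: helpdesk@example.edu
To: steve@example.edu
Subject: Scheduled mail server maintenance on Saturday

Hi Steve,

Mail will be unavailable from 6:00 to 8:00 AM on Saturday while we apply
patches; no action is needed on your part. The schedule is posted at
<a href="https://www.example.edu/maintenance">the ACNS maintenance page</a>.

ACNS Help Desk
"""


def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return the list of phishing cues found in a raw message, in check order."""
    msg = message_from_string(raw)
    cues = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    display_name, _ = parseaddr(msg.get("From") or "")

    # Technical cues: unfamiliar sender, Reply-To differing from From,
    # and an internal-sounding display name on an outside address.
    if from_domain and from_domain not in trusted_domains:
        cues.append("unfamiliar-sender-domain")
    if reply_domain and reply_domain != from_domain:
        cues.append("reply-to-mismatch")
    if (any(w in display_name.lower() for w in INTERNAL_ROLE_WORDS)
            and from_domain not in trusted_domains):
        cues.append("internal-role-from-outside")

    text = body_text(msg)
    subject = msg.get("Subject", "")

    # Contextual cues: all-caps threats, credential/SSN requests, generic greeting.
    if CAPS_RUN.search(subject) or CAPS_RUN.search(text):
        cues.append("caps-urgency")
    if CRED_REQUEST.search(text):
        cues.append("credential-request")
    if GENERIC_GREETING.search(text):
        cues.append("generic-greeting")

    # Link cue: the visible text names one host, the href points at another.
    for href, label in ANCHOR.findall(text):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if HOSTLIKE.match(label):
            shown = urlparse(label if "://" in label else "http://" + label).hostname
            actual = urlparse(href).hostname
            if shown and actual and shown.lower() != actual.lower():
                cues.append("link-mismatch")
                break
    return cues


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(raw))
```

Run stand-alone it prints all seven cues for the constructed phish and an empty list for the constructed maintenance notice. The ordering of checks mirrors the slide’s grouping (technical, then contextual), so the first cues reported are the ones a mail gateway can verify from headers alone.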
Summary
– NEVER send your username/password in e-mail, or your CC#, SSN, etc.
– Avoid clicking URLs directly from an e-mail
– If it claims to be from ACNS, look for a digital signature
– If an e-mail looks suspicious, ask your IT person
– Listen to the little voice in your head!