An Evaluation of Traditional Phishing Vs Mobile Vishing https://imgur.com/gallery/6TL9R Jamie Burkinshaw Ethical Hacking 4 - 2013/14.

An Evaluation of Traditional Phishing Vs Mobile Vishing. Jamie Burkinshaw, Ethical Hacking 4, 2013/14.

Abstract
Aspects of traditional phishing were identified, including HTML email generation and website cloning. A phishing email was examined and weaknesses were found. These weaknesses were addressed and an email was generated with a higher likely success rate. A website was cloned and compared against the original and was found to be identical. This means that if a cognitive bias could be triggered in the target to make them access the website, it is unlikely they would realise it was fake. Aspects of vishing were also identified, including interactive voice response (IVR) systems and dual-tone multi-frequency (DTMF) signals. Methods of carrying out a vishing attack were also examined: manually deciphering the tones by ear, creating a piece of computer software to perform the task, or creating an application for a mobile device. The latter is the method that was attempted in this investigation. The application created was intended to play recorded messages to a target that had called, and to record the DTMF tones used to respond. The application was a success and the DTMF tones were decoded. A conclusion was drawn that even though traditional phishing is easier and quicker, it is so well known that more and more people are becoming aware of how to spot fake emails, meaning that with enough time to set up the attack, vishing could be a more effective solution in a penetration testing environment.

Aims The aims of this investigation are as follows: To investigate traditional phishing methods. To investigate vishing methods. To attempt to create an application capable of aiding a vishing attack.

Introduction
Social engineering is defined as "the act of manipulating a person to take an action that may or may not be in the "target's" best interest. This may include obtaining information, gaining access, or getting the target to take certain action." (Hadnagy, 2011). Triggering cognitive biases in targets by causing them to feel strong positive or negative emotions can allow their credentials to be obtained. Social engineering is a big threat to businesses: over half of the companies surveyed by Check Point had suffered a social engineering attack, resulting in a loss of between $25,000 and $100,000. Phishing emails are the most common source of attack.

Phishing
"An email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients" (Rouse, M. 2007).
Traditional: send the same email to many people, requesting that they respond with their details.
Spear: targeting a specific individual; more likely to succeed.
Online tools can be used to generate HTML emails that mimic those sent by organisations. SET (the Social-Engineer Toolkit) can be used to generate exact copies of websites. Combining the two can be used to carry out a spear-phishing attack.
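A check for the mimicked HTML emails described above, as an added example that is not code from the presentation: the markup of a copied message is by design identical to the real thing, so the tell is where its anchors actually point, and whether the visible link text names a different host than the href. The sample message, the placeholder domains example-bank.com and login-verify.example, and the sender domain passed in by the caller (the example does not parse the From header) are all constructed for this example; registrable_domain keeps only the last two DNS labels, a simplification that a real check would replace with the Public Suffix List.

```python
"""Checking an HTML email's links against the organisation it claims to be from.

Added example, not from the original presentation. The sample message and
the domains in it are constructed placeholders, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels ('secure.example-bank.com' -> 'example-bank.com').
    Simplification (assumption): a real check would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hostname_in_text(text):
    """Hostname a reader sees in link text such as 'www.example-bank.com/login',
    or None when the text is not URL-like (e.g. 'Help centre')."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "//" + candidate
    host = urlparse(candidate).hostname or ""
    labels = host.split(".")
    return host if len(labels) >= 2 and labels[-1].isalpha() else None


def suspicious_links(html, sender_domain):
    """Return (href, reason) for each http(s) link whose visible text names a
    different host than its destination, or whose destination is not under
    `sender_domain` (the domain the caller says the mail claims to be from)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope here
        dest_host = parsed.hostname or ""
        reasons = []
        shown = hostname_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(dest_host):
            reasons.append(f"visible text names {shown} but link goes to {dest_host}")
        if registrable_domain(dest_host) != registrable_domain(sender_domain):
            reasons.append(f"{dest_host} is not under {sender_domain}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample: a copied-looking notice whose "verify" link leaves the bank's domain.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please verify at <a href="http://example-bank.com.login-verify.example/x">www.example-bank.com/login</a>
within 24 hours.</p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, "example-bank.com"):
        print(href, "->", reason)
```

The first anchor is flagged twice over: its text shows the bank's host while the href lands on a subdomain of login-verify.example, a classic trick because the real domain still appears at the start of the hostname. The genuine help link produces no finding.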

Credentials Harvested

Vishing
Voice phishing: "The act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft" (Webopedia, 2014).
DTMF tones: dual-tone multi-frequency tones, produced each time a button is pushed on a telephone keypad. Each key sends one low-group and one high-group frequency at the same time, which is what makes the tones machine-decodable.
IVR system: interactive voice response system, used by organisations to manage conversations without using an operator.
The DTMF tones can be decoded manually by ear, with PC software, or with a specially designed mobile application.

App Development 1
Aims for the app:
– To intercept an incoming phone call from a target.
– To play recorded messages to the target, mimicking an IVR system.
– To record the responses to the messages.
To prove the app is effective, the operator should be able to:
– Export the recorded sound to a PC.
– Analyse the sounds of the key presses by the target.
– Attempt to discern which keys the target entered.
The app will be developed for Android and tested on a Samsung Galaxy SIII.

App Development 2
The MediaPlayer class is used to play messages through the speakerphone:

    // Route audio to the loudspeaker so the caller hears the recorded prompt
    AudioManager audioManager = (AudioManager) getSystemService(Context.AUDIO_SERVICE);
    Context appContext = getApplicationContext();
    // res/raw/welcome: the recorded IVR-style greeting
    MediaPlayer player = MediaPlayer.create(appContext, R.raw.welcome);
    audioManager.setSpeakerphoneOn(true);
    player.start();

App Development 3
A broadcast receiver is used to launch the app when a phone call is about to be received. It is registered in the manifest as the receiver class .incoming, which is told what to do when the broadcast is received:

    // Launch MainActivity from the receiver; FLAG_ACTIVITY_NEW_TASK is needed
    // because a BroadcastReceiver has no activity context of its own
    Intent i = new Intent(context, MainActivity.class);
    i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    context.startActivity(i);

App Development 4
A button is created to answer the phone on button press:

    // Ask the telephony stack to answer the ringing call
    Intent a = new Intent(Intent.ACTION_ANSWER);
    startActivity(a);

The permission MODIFY_PHONE_STATE is "Not for use by third-party applications" (Android, 2014). To allow this piece of the application to be fully functional, the device used must be running Android version 2.2 or earlier.

App Development 5
Record the phone call audio from the microphone:

    final MediaRecorder audioRecorder = new MediaRecorder();
    audioRecorder.setAudioSource(MediaRecorder.AudioSource.MIC);          // phone microphone
    audioRecorder.setOutputFormat(MediaRecorder.OutputFormat.DEFAULT);    // default container
    audioRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.DEFAULT);    // default codec
    audioRecorder.setOutputFile("/storage/extSdCard/recording.mp3");      // path on the SD card
    audioRecorder.prepare();  // throws IOException; the caller must handle it
    audioRecorder.start();

Set the input source to the phone microphone. Set the output format and encoding to the defaults. Set the output file path to the SD card. Note that the DEFAULT output format is not MP3 (MediaRecorder has no MP3 encoder), so the .mp3 extension reflects only the chosen file name, not the actual container. Permissions required:

App Testing Willing and informed volunteer acted as caller and entered random numbers when prompted. Caller reported that messages played were perfectly audible. Messages and corresponding DTMF tones were successfully recorded.

Results
Attempted to decode the first set of tones by ear: 50% success rate for 20 minutes' work. Attempted to decode the second set using DTMF decoder software: 100% success rate for 2 minutes' work.

By ear:
    Number   Guess   Actual
    1st      3       3
    2nd      6       6
    3rd      8       5
    4th      1       2

DTMF decoder software:
    Number   Guess   Actual
    1st      5       5
    2nd      1       1
    3rd      7       7
    4th      4       4
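What DTMF decoder software does with a recording like the one above, and why it beats decoding by ear, as an added example that is not part of the original presentation (it serves both the Vishing slide's description of DTMF tones and the software decoding used in these results): the two-tone signal for each key is synthesised, then each short analysis frame is scored at the eight DTMF frequencies with the Goertzel algorithm, and the strongest row/column pair is mapped back to the keypad. The 8 kHz sample rate, 100 ms tone length, 205-sample frame, the dominance thresholds and the digits being decoded are assumptions for this example, not values from the investigation.

```python
"""DTMF decoding with the Goertzel algorithm (added example, not the
presentation's own code). Sample rate, tone length, frame size and the
digits decoded below are assumptions, not values from the investigation."""
import math

ROW_FREQS = (697, 770, 852, 941)        # Hz, low group (keypad rows)
COL_FREQS = (1209, 1336, 1477, 1633)    # Hz, high group (keypad columns)
KEYPAD = ("123A", "456B", "789C", "*0#D")
SAMPLE_RATE = 8000                      # telephone-quality audio (assumption)
FRAME = 205                             # samples per analysis frame, ~25.6 ms (assumption)


def synth_key(key, duration=0.1, rate=SAMPLE_RATE, amplitude=0.5):
    """PCM samples (floats) of the low+high tone pair a keypad sends for `key`."""
    row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
    col = KEYPAD[row].index(key)
    f_low, f_high = ROW_FREQS[row], COL_FREQS[col]
    n = int(duration * rate)
    return [amplitude / 2 * (math.sin(2 * math.pi * f_low * i / rate)
                             + math.sin(2 * math.pi * f_high * i / rate))
            for i in range(n)]


def synth_sequence(keys, gap=0.05, rate=SAMPLE_RATE):
    """Keys separated by `gap` seconds of silence, like a caller pressing buttons."""
    silence = [0.0] * int(gap * rate)
    out = []
    for k in keys:
        out += synth_key(k, rate=rate) + silence
    return out


def goertzel_power(samples, freq, rate):
    """Energy of `samples` at one frequency; cheaper than a full FFT for 8 bins."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(powers, min_power, min_ratio):
    """Index of the strongest tone, or None if it is quiet or not clearly ahead."""
    best = max(range(len(powers)), key=powers.__getitem__)
    runner_up = max(p for i, p in enumerate(powers) if i != best)
    if powers[best] < min_power or powers[best] < min_ratio * runner_up:
        return None
    return best


def decode_frame(samples, rate=SAMPLE_RATE, min_ratio=4.0):
    """Key pressed during one frame, or None for silence or speech."""
    # A tone of amplitude A over N samples scores about (A*N/2)^2;
    # anything quieter than amplitude ~0.05 is treated as no tone.
    min_power = (0.05 * len(samples) / 2) ** 2
    row = _dominant([goertzel_power(samples, f, rate) for f in ROW_FREQS], min_power, min_ratio)
    col = _dominant([goertzel_power(samples, f, rate) for f in COL_FREQS], min_power, min_ratio)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def decode_sequence(samples, rate=SAMPLE_RATE, frame=FRAME, min_frames=2):
    """Key presses in a recording: each run of identical frames is one press,
    so a repeated digit needs a silent gap between presses to be counted twice."""
    keys, current, run = [], None, 0
    for start in range(0, len(samples), frame):
        key = decode_frame(samples[start:start + frame], rate)
        if key == current:
            run += 1
            continue
        if current is not None and run >= min_frames:
            keys.append(current)
        current, run = key, 1
    if current is not None and run >= min_frames:
        keys.append(current)
    return "".join(keys)


if __name__ == "__main__":
    pin = "3685"  # constructed input, not a number from the investigation
    print(decode_sequence(synth_sequence(pin)))
```

Running the block end to end recovers the constructed digits; the same decode_sequence call would be applied to frames read from the exported recording instead of synth_sequence. The min_ratio check is what keeps speech from being misread as a key, since speech rarely concentrates its energy in exactly one row and one column frequency at once.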

Statistics
Demopoulos Associates found that of 100 users, over half (53%) had heard of phishing. That study was conducted 9 years ago, so the proportion has likely risen. A study conducted during the course of this investigation showed that of 26 participants:
– 20 had heard of phishing; 14 could define it
– 5 had heard of vishing; 4 could define it

Conclusion
Phishing is now a household term and, as shown by the survey results, it is becoming increasingly well known. Because of this it may be less likely to succeed, as targets will be more vigilant against any suspicious emails. Vishing could be a more successful method as it is not as well known; targets may believe that their information is safe when entered into a phone. It could be especially useful in penetration testing, where more time can be taken to set up the attack.