internet safety presentation
Post on 12-May-2015
Freud and Phishing: The Psychology Behind Internet Scams
JC Lamkin, CNA, PMP
Gypsy Lane Technologies
Philadelphia, PA 19144
(215) 843-1039
Jc.lamkin@gltMYpc.com
http://www.gltMYpc.com
Twitter.com/TechCrusader
What is Phishing?
Making Money with Phish
2,000,000 emails are sent; 5% get to the end user – 100,000 (APWG)
5% click on the phishing link – 5,000 (APWG)
2% enter data into the phishing site – 100 (Gartner)
$1,200 from each person who enters data (FTC)
Our potential reward: $120,000
How Much Information?
4.1 million – The number of credit card numbers discovered in ONE phishing blind drop a 4 month period
A typical day: information for 13,677 accounts
3,356 credit cards
255 PayPal account logins
1,038 eBay account logins
93 Bank of America online banking account logins
2,609 Hotmail email account logins
Source: Washingtonpost.com (Security Fix: Brian Krebs)
Phish and Spam are Different
Email characteristics, compared for Spam and Phishing:
How does the email enter your inbox?
  Spam: Back door – needs a disguise to get past filters
  Phishing: Front door – must look like something users want
What does the email appear to be delivering?
  Spam: Something you didn’t ask for, but still might want
  Phishing: Information that you should receive
The effectiveness of the email is based on?
  Spam: What the receiver desires
  Phishing: Establishing credibility with the receiver
What’s the most important attribute of the email?
  Spam: Product credibility
  Phishing: Brand credibility
What happens if a user acts on the email offer?
  Spam: Might actually get the product offered
  Phishing: Lose company, financial, or personal information
What’s the real purpose?
  Spam: Selling
  Phishing: Stealing
Psychology: Phish ≠ Spam
People treat spam and phish differently
1. Take a phishing email and place it in an end user’s “spam” folder.
10% of the time the user removes the phishing email from the spam folder and places it in their inbox.
2. Take a phishing email and place it in an end user’s “phish” folder.
The user removes the phishing email from the phish folder less than 0.5% of the time.
The Tricks of the Trade
Fear – You’re Being Naughty
“…payments or donations for obscene or certain sexually oriented goods or services.”
“…your account…limited for: xxxcambabes.com cam shows.”
Fear – Account Takeover
“…someone had used your account to make fake bids…”
“You must verify …”
“…no choice but to suspend your account.”
Fear – Service Deactivation # 1
“…service(s)…will be deactivated…”
Fear – Service Deactivation # 2
“…service(s)…will be deactivated…”
Fear – Service Deactivation # 3
“…service(s)…will be deactivated…”
Fun – eBay Lottery
Fun – eBay Conference
Fun – eBay Anniversary
LEGIT
Fun – Take a Survey
Fun – Take a Survey
LEGIT
Confusion – Account Change
Confusion – Did I Buy This?
Assistance – My Refund?
Assistance – We’re Here to Help
Assistance –Fraud Detection
Assistance – Buy Safely
LEGIT
Poll-time Possibilities
LEGIT??...Only for Poll Workers
Compassion – No Scruples
Other Email Tricks
Multi-Stage Attacks
Email 1 – “We’ll be updating all our accounts this weekend”
Email 2 – “We discovered a problem with your account”
Multi-channel Attacks
Email contains both a phishing URL and a phishing phone number (typically VOIP based)
The Domain Name Game
citibank-validate.info, earthlink-reactivation.net, services-bankofamerica.com, sales-aol.net, secure-ebay.com, msn-reactivation.net, secure-usbank.info, service-visa.net, verification-e-gold.com, customer-verification.com, banking-account-renewal.com
Phisher’s SSL Certificate
>> citibanhk.de <<
Duplicated Registrar Info
>> credltlyonaisse.com <<
Registering a Cyrillic “a”
>> paypal.com <<
Hall of Fame
Web Site Tricks
We arrive at the website. Is something phishy?
Web Site Tricks
There is no address bar!
Web Site Tricks
Now there are two!
More Web Site Tricks
Search Engine Listings
Common URL misspellings
www.mailfrontier.com
www.mailfronteir.com
www.malefrontier.com
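The domain tricks in "The Domain Name Game" and the misspellings above (brand name embedded in a hyphenated name, a near-miss spelling like citibanhk, a Cyrillic "a" in paypal.com) can be flagged automatically. The following checker is an added example, not part of the original presentation; the LEGIT_DOMAINS watch list is constructed for illustration, and the similarity threshold of 0.8 is an assumption.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list of legitimate brand domains (assumption for this
# example; a real deployment would load the organization's own list).
LEGIT_DOMAINS = {"citibank.com", "paypal.com", "ebay.com",
                 "bankofamerica.com", "mailfrontier.com"}

def suspicious_reasons(domain: str, legit=LEGIT_DOMAINS) -> list:
    """Return the reasons `domain` looks like an impersonation of a brand in
    `legit`; an empty list means it is exactly one of the legitimate domains."""
    domain = domain.strip().lower().rstrip(".")
    if domain in legit:
        return []
    reasons = []
    # Trick 1: homoglyphs. Any non-ASCII letter (e.g. Cyrillic "a") is
    # reported by its Unicode name so an analyst sees the substitution.
    for ch in domain:
        if ord(ch) > 127:
            reasons.append(f"non-ASCII character {unicodedata.name(ch, '?')}")
            break
    # Work on the Punycode (xn--...) form so lookalikes cannot hide in Unicode.
    ascii_form = domain.encode("idna").decode("ascii")
    labels = ascii_form.split(".")
    # Label just left of the TLD; assumes a one-label suffix such as .com/.de,
    # not .co.uk (a public-suffix list would handle those).
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    for brand_domain in sorted(legit):
        brand = brand_domain.split(".")[0]
        if registrable == brand:
            # Trick 2: right name, wrong registration (citibank.de vs citibank.com).
            reasons.append(f"brand '{brand}' on unexpected domain '{ascii_form}'")
        elif brand in registrable:
            # Trick 3: brand embedded in a longer name (secure-ebay, services-bankofamerica).
            reasons.append(f"contains brand '{brand}' in '{ascii_form}'")
        else:
            # Trick 4: typosquat, close but not identical (citibanhk, mailfronteir).
            ratio = SequenceMatcher(None, brand, registrable).ratio()
            if ratio >= 0.8:
                reasons.append(f"resembles brand '{brand}' (similarity {ratio:.2f})")
    return reasons
```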
Tips on Protecting Yourself from Phishing
Protect Yourself
Know your senders
Is this someone I do business with?
Is this something I was told I’d receive?
Look for other ways to respond
Protect Yourself
Stay on guard
Look for clues – improve your PhishingIQ
Don’t be afraid to ask
Know how your system is updated
Protect your system
Check your records
Check your sources, snopes.com
Not Just a Consumer Issue
Operations: Microsoft Updates, RSA SecurID
Corporate credit cards: American Express, Visa, MasterCard
Purchasing and Payments: eBay, PayPal
Network Services: Verizon, Earthlink
Web Services: DNS Name Registration, Hosting Companies
Protect Your Brand
Cut-and-paste links, minimize links
Use personal information where possible
Provide non-email ways to verify
Use standard company domain names
Identify your partners
Set and follow standard communication practices
Phishing - Don’t Take the Bait
Preemptive: Phishing is different than spam – think Virus
Technology: It’s more than a consumer issue; Multi-faceted solution – No silver bullet
Psychology: Educate your customers/employees/yourself; Improve their PhishingIQ; Email is still Good! Really it is!
Special thanks to infosecurity.com