Post on 27-Jun-2020


Page 1: Gone Phishing: Tips, Tricks and Lessons Learned in the ... · Cybersecurity Webinar Series •Multi-part, educational series •Proactive Cybersecurity: Staying Ahead of Threats 1

© 2019 Jack Henry & Associates, Inc.®

Gone Phishing: Tips, Tricks and Lessons Learned in

the Battle of Social Engineering

Moderator: Sebastian Fazzino

Director, Sales Operations

Gladiator & Financial Crimes Solutions

Presenter: Keith Haskett

CEO

Rebyc Security

Page 2

Cybersecurity Webinar Series

• Multi-part, educational series

• Proactive Cybersecurity: Staying Ahead of Threats

1. Assessing Your Biggest Security Risks Before It Is Too Late – October 29th

2. Machine Learning and the Latest Protection methods – December 12th

3. Cyber Threats and Trends for 2020 – January 14th

4. Ransomware is alive and well: are you? – February 12th

5. Gone Phishing: Tips, Tricks and Lessons Learned in the Battle of Social Engineering – March 18th

6. Unleashing the True Value of GRC – April 29th

Page 3

Page 4

Today’s ATTACK PLAN:

Phishing Types

• Spear

• Romance

• BEC

Social Eng & Physical Security

• IoT

• Dumpster Diving

• Social Media

Tools of the Trade

• Whitepages

• Hunter.IO

Exploit Gathered Creds

• Site Cloning

• GoPhish

Phishing Defense

• Email Guidance

• Password Policies

• Multifactor

Page 5

Phishing

Types

Page 6

Romance Fraud

• Use fake identities to build online relationships with victims

• Use dating sites such as Tinder, Bumble and Match.com

• $362M in reported losses in 2018

Page 7

Spear Phishing

• Targets a specific individual, group or business with malicious intent

• Doesn’t discriminate: senior leaders and entry-level employees are targeted alike

• Financial institutions are some of the most heavily targeted

Case in point:

• Email looked like it came from her assistant

• Asked to wire $388K

• Bookkeeper saw nothing suspicious and wired the funds

Page 8

Business Email Compromise

• Can take on many forms – spear phishing, romance fraud, wire fraud, etc.

• Take over accounts, spoof accounts, or gain access and listen

• Use the details gained against their marks

Page 9

Social Eng & Physical Security

Page 10

Internet of Things (IOT)

Page 11

Internet of Things (IOT)

Page 12

Other Social Engineering and Physical Security

• Vishing

• Unauthorized Vendors Onsite

• USB Devices

• Password Security

• Shoulder Surfing

• Document Shredding – Dumpster Diving

• Doors, Windows, and Access Points

• Badge Cloning

Page 13

Attackers Love

Social Media Too

Page 14

Tools of

the Trade

Page 15

• Search full names, phone numbers, reverse number lookup

• Search business associates, previous addresses, email addresses

• Unlimited searches for $4.95/month

• Background checks for $19.95 per person

Page 16

• List of email addresses found in previous breaches

• Many employees re-use passwords

• Many employees use work resources for non-work items

• Extremely valuable for credential stuffing attacks

Page 17

• $9/month cost

• Continuously scanning the entire Internet

• IoT, ICS, routers, switches

• Search by company, IP ranges, name

Page 18

Gathering Email Addresses – Simply

Page 19

Exploit Gathered Creds

Page 20

Got 12 Dollars? Become a Company!

Page 21

Import Most Sites With a Click!

Page 22

Looks Legit To Me!
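A cloned login page is pixel-identical to the real one, so the only thing left to check is the name it was delivered from: a registrable domain one character off, a swapped TLD, the brand buried in a subdomain, or look-alike characters. The following is an added example, not code from the webinar or from Rebyc Security; it takes a list of sender addresses (constructed here, along with the hypothetical protected domain examplebank.com) and flags the domains an attacker would register for a clone.

```python
# Look-alike sender domain detector (added example, hypothetical data).
# Run over sender domains pulled from mail-gateway logs to catch clones and
# BEC lures that impersonate your own domain.

# Domains we own and expect mail from (constructed for this example).
PROTECTED_DOMAINS = ["examplebank.com"]

# Characters attackers substitute for visually similar ones. Normalising the
# sender's name with these lets "examp1ebank" and "exarnplebank" collapse onto
# the real name before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(label):
    label = label.lower().translate(HOMOGLYPHS)
    for bad, good in MULTI_CHAR:
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), classic DP in O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Split 'mail.examplebank.com' into ('examplebank', 'com').
    Naive single-label suffix split (no co.uk handling); enough for the example."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(sender_domain, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, reason); verdict is 'exact', 'lookalike' or 'ok'."""
    labels = sender_domain.lower().strip(".").split(".")
    s_name, s_tld = registrable(sender_domain)
    for p in protected:
        p_name, p_tld = registrable(p)
        if (s_name, s_tld) == (p_name, p_tld):
            return "exact", f"our own domain {p}"
        if s_name == p_name and s_tld != p_tld:
            return "lookalike", f"same name as {p} under a different TLD .{s_tld}"
        if p_name in labels:
            return "lookalike", f"uses {p_name} as a subdomain label"
        if normalize(s_name) == p_name:
            return "lookalike", f"homoglyph of {p}"
        d = levenshtein(s_name, p_name)
        if d <= max_distance:
            return "lookalike", f"edit distance {d} from {p}"
        if p_name in s_name:
            return "lookalike", f"embeds brand name from {p} ({s_name})"
    return "ok", ""


def scan_senders(addresses):
    """Flag every address whose domain is close to, but not, a protected domain."""
    hits = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        verdict, reason = classify(domain)
        if verdict == "lookalike":
            hits.append((addr, reason))
    return hits


# Constructed sender list standing in for a mail-log extract.
SAMPLE_SENDERS = [
    "ceo@examplebank.com",                     # legitimate
    "ceo@examp1ebank.com",                     # digit one for letter l
    "ceo@exarnplebank.com",                    # rn for m
    "ceo@examplebank.co",                      # TLD swap
    "hr@examplebank-secure.com",               # brand embedded
    "accounts@exmaplebank.com",                # transposition
    "alerts@examplebank.com.login-verify.test",  # brand as subdomain
    "newsletter@vendor.example",               # unrelated third party
]

if __name__ == "__main__":
    for addr, reason in scan_senders(SAMPLE_SENDERS):
        print(f"{addr:45s} {reason}")
```

The public-suffix split is deliberately naive; in production use the Public Suffix List, feed the scanner from the gateway's envelope-from and header-from fields, and treat a hit as a reason to quarantine and to check whether the look-alike domain was registered recently.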

Page 23

Page 24

How are We Doing?

Stage            Count   % of sent
Emails Sent       4086     100.0%
Emails Opened     1036      25.4%
Clicked Link       372       9.1%
Submitted Data     205       5.0%
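The four numbers on the slide are a funnel, and the useful ratios are the conditional ones: of those who clicked, 205/372 (about 55%) typed credentials into the cloned page. Below is an added example, not code from the webinar or from the GoPhish project, showing how such a funnel is computed from a campaign results export. It assumes a GoPhish-style CSV in which each recipient carries the furthest status reached (the same status names the slide uses) plus a reported flag; the column layout and all rows are constructed for the example.

```python
# Phishing-campaign funnel from a results export (added example, constructed data).
import csv
import io

# Funnel stages in the order a recipient moves through them. One status is kept
# per recipient: the furthest stage reached, so a "Submitted Data" row implies
# the email was also opened and the link clicked.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

# Constructed, GoPhish-style export (column layout assumed for the example).
SAMPLE_CSV = """id,email,status,reported
1,a@example.test,Email Sent,false
2,b@example.test,Email Opened,false
3,c@example.test,Clicked Link,false
4,d@example.test,Submitted Data,false
5,e@example.test,Submitted Data,true
6,f@example.test,Email Sent,true
7,g@example.test,Error,false
8,h@example.test,Clicked Link,false
9,i@example.test,Email Opened,false
10,j@example.test,Email Sent,false
"""


def stage_counts(rows):
    """Cumulative counts per stage, plus how many reported and how many failed to send."""
    counts = dict.fromkeys(STAGES, 0)
    reported = 0
    errors = 0
    for row in rows:
        status = row["status"]
        if row.get("reported", "").lower() == "true" or status == "Email Reported":
            reported += 1
        if status == "Email Reported":      # reported without further stage info
            status = "Email Sent"
        if status not in STAGES:            # Error / Scheduled / Sending: never delivered
            errors += 1
            continue
        for stage in STAGES[: STAGES.index(status) + 1]:
            counts[stage] += 1
    counts["Reported"] = reported
    counts["Error"] = errors
    return counts


def funnel_rates(counts):
    """Overall and conditional rates; denominators guarded against zero."""
    sent = counts["Email Sent"]
    opened = counts["Email Opened"]
    clicked = counts["Clicked Link"]
    submitted = counts["Submitted Data"]
    return {
        "open_rate": opened / sent if sent else 0.0,
        "click_rate": clicked / sent if sent else 0.0,
        "submit_rate": submitted / sent if sent else 0.0,
        "click_given_open": clicked / opened if opened else 0.0,
        "submit_given_click": submitted / clicked if clicked else 0.0,
        "report_rate": counts.get("Reported", 0) / sent if sent else 0.0,
    }


def analyse_export(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    counts = stage_counts(rows)
    return counts, funnel_rates(counts)


# The slide's campaign totals, already cumulative per stage.
SLIDE_COUNTS = {"Email Sent": 4086, "Email Opened": 1036,
                "Clicked Link": 372, "Submitted Data": 205}

if __name__ == "__main__":
    counts, rates = analyse_export(SAMPLE_CSV)
    print(counts)
    for name, value in rates.items():
        print(f"{name:20s} {value:6.1%}")
    print("slide:", {k: f"{v:.1%}" for k, v in funnel_rates(SLIDE_COUNTS).items()})
```

Two caveats when reading these rates: opens are tracked by an image beacon, so clients that block remote images make "Email Opened" an undercount and inflate click-given-open; and link-scanning mail gateways can follow the tracking URL themselves, so compare click IP addresses against known scanner ranges before treating every click as a human one. The report rate is the number worth pushing up with awareness training.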

Page 25

Phishing

Defense

Page 26

Why Security Solutions Fail

• Improperly configured spam filtering / web filtering solutions

• Lack of multi-factor authentication for ALL accounts

• Lack of security coverage enterprise-wide

• Accessing external resources (Gmail/Dropbox)

• Utilizing corporate resources at home or while traveling

Page 27

How You Can Stay Safe

• Check to see if your email has been compromised

• Use SEPARATE & UNIQUE passwords for ALL accounts

• Do NOT use work email for non-work purposes

• Use One-Time email addresses when signing up

• Avoid public Wi-Fi – Use VPN when connected

• Don’t click on links from strangers

• Use common sense & Multi-factor Authentication
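The breach lists on page 16 and the "separate and unique passwords" advice above are two sides of the same check: a password that already appears in a breach corpus is the one a credential-stuffing attack will try first. The following is an added example, not code from the webinar or from Rebyc Security, of how a password-policy check can consult a breach corpus without sending the password anywhere, using the k-anonymity range query pattern: only the first five hex characters of the SHA-1 hash leave the machine and the client matches the remainder locally. The range responses here are a constructed stand-in for the network call (a real client would GET https://api.pwnedpasswords.com/range/<prefix>), and the counts in them are made up.

```python
# Breach-corpus password check via k-anonymity range queries (added example).
import hashlib


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix): only the 5-char prefix is ever sent to the server."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (one per hash sharing the prefix) into a dict."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus; 0 if never seen."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the range endpoint. "5BAA6" is the real prefix of
# SHA-1("password"); the counts and the second entry are invented for the example.
FAKE_RANGE_DB = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"
             "0000000000000000000000000000000000A:2\n",
}


def fake_fetch_range(prefix):
    return FAKE_RANGE_DB.get(prefix, "")


def policy_check(password, fetch_range=fake_fetch_range, min_length=12):
    """Apply the two checks that matter most: length and breach exposure.
    Returns a list of problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    n = breach_count(password, fetch_range)
    if n:
        problems.append(f"seen {n} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple-9!"):
        print(repr(candidate), policy_check(candidate) or "ok")
```

Run this check at password-set time and on a schedule against the domain's existing hashes; a user whose password is already in the corpus is exactly the one the "many employees re-use passwords" slide is about, and no amount of complexity rule saves them. The breached-account lookup the first bullet above refers to is a separate query keyed on the email address, not the password.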

Page 28

What We See Working

• User Awareness Training (Often!)

• Credential Theft Protection

• Machine Learning / AI Solutions

• Robust and tuned spam and web filtering

  – Does it protect against current attacks?

  – Does it allow access to new web sites? Unclassified web sites?

• Always-On VPN

Page 29

Page 30

Thank you for your time