Detecting Phishing Attacks: Theory, Cues, and Practice
CSU PDI, Steve Lovaas, January 8, 2010

Overview
• What is phishing
• Overview of the problem
• Evolution of the attacks
• How to tackle the problem
• Awareness & Attitude
• Clues
• Practice
What is “Phishing”?
From: Director of Technical Research, Université de la Sorbonne (Allez478345@gmail.de)
To: Steve Lovas (steven.lovaas@colostate.edu)
Subject: Urgent! Please type your password:
Official Definitions
• Social engineering: the act of manipulating people into performing actions or divulging confidential information.
• Phishing: social engineering in the form of fraudulent/deceptive email, typically requesting personal/financial information or access credentials

Practical Definitions
• Trying to trick you into doing something
• Exploiting established trust or a trusting nature
• Hoping you won’t pay adequate attention
• “Please send me your username, password, bank account number, credit card number, and SSN…”
Phishing Factors
Technical cues
• Deceptive email, usually broadly distributed
• Addresses, subject, attachments, and message text can all be utilized to deceive…
• “Spoof” of a familiar source
• “Reply-to” that is different from “From”
Contextual cues
• Emotional appeals
• Current social issues, breaking news
• Appeal to entertainment, profit, etc.
• Money for nothing (too good to be true)
Linguistic (syntactical) cues
• DIRE CONSEQUENCES IN ALL CAPS
• Spelling errors
• Bad grammar
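The technical, contextual and linguistic cues listed above can be checked mechanically as a first-pass filter. The script below is an added example, not part of the slides: it parses a constructed sample message and reports which of the slide’s cues fire (the trusted domain `example.edu`, the keyword lists and the sample text are all assumptions).

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the slides) that exhibits several cues.
SAMPLE = """\
From: "Webmail Helpdesk" <helpdesk-support@gmail.de>
Reply-To: mailbox-upgrade@live.com
To: user@example.edu
Subject: URGENT: YOUR ACCOUNT WILL BE SUSPENDED

Dear user,
Your mailbox has exceed its capacity. Reply with your username and password
within 4 days or YOUR ACCOUNT WILL BE CLOSED.
"""

# Assumed keyword lists; tune them for your own organisation.
CREDENTIAL_WORDS = ("password", "username", "social security", "ssn", "credit card", "account number")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "closed", "expires")

def domain(addr):
    """Return the lowercase domain part of an address header value."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()

def phishing_cues(raw, trusted_domains=("example.edu",)):
    """Return the list of slide cues that fire on a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    cues = []
    sender = msg.get("From", "")
    reply_to = msg.get("Reply-To", "")
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Technical cue: Reply-To sends answers somewhere other than the From domain.
    if reply_to and domain(reply_to) != domain(sender):
        cues.append("reply-to differs from from")
    # Technical cue: a familiar-looking display name on an address outside our domain.
    if domain(sender) not in trusted_domains:
        cues.append("sender outside trusted domains")
    # Linguistic cue: dire consequences in all caps (three or more capitalised words in a row).
    if re.search(r"\b(?:[A-Z]{3,}\s+){2,}[A-Z]{3,}\b", subject + "\n" + body):
        cues.append("all-caps threat")
    # Contextual cue: asks for credentials or financial identifiers by email.
    text = body.lower()
    if any(w in text for w in CREDENTIAL_WORDS):
        cues.append("requests credentials")
    # Contextual cue: generic greeting instead of the recipient's name.
    if re.search(r"^dear (user|customer|member)\b", text, re.M):
        cues.append("impersonal greeting")
    # Contextual cue: urgency or deadline pressure in subject or body.
    if any(w in (subject + " " + body).lower() for w in URGENCY_WORDS):
        cues.append("urgency")
    return cues
```

A message that trips several cues at once deserves the “ask your IT person” treatment from the summary slide; a single cue on its own is only a reason to look more closely.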
Recent Evolution of Tactics
• Spearphishing
  • From a carefully chosen source you should know
  • Targeted specifically at members of an organization
  • Graphics, style, tone carefully chosen to look right
  • Becoming more common
• More, better graphics
  • More visual content = more likely to trust
  • Media-rich content plays to our habits, tendencies
  • Eventual inclusion of audio, video?
So What’s Going On?
[Diagram: a communication model. Sender → Encoding → Message → Channel → Decoding by many different receivers. Factors shaping each receiver’s decoding: tendency to trust, culture, social norms, empathy, technical understanding, previous experience with sender. The question at the receiving end: does it “smell like phish”?]
How to Tackle the Problem?
• Technical defenses
• Technical/social environment
• Social norms
• User education/awareness
• User attitude

Protection Points
[Diagram: the same communication model (sender, encoding, message, channel, decoding by many receivers, and the factors behind each receiver’s tendency to trust), with protection points placed along it: highlighting current attacks; anti-virus, anti-spam; building organizational norms; digital signatures; individual education.]
Focus on Awareness & Attitude
Of course our ultimate goal is behavior (don’t fall victim)… but we can hope to achieve that by working on:
• Awareness (our focus here today)
  • Knowledge of the problem
  • Knowledge of the tactics
  • Ability to recognize attacks (cues)
• Attitude (WHY you’re here today)
  • Inclination to act
  • Tendencies to trust or be suspicious
  • Default behaviors

Clues/Cues in the Message
• What are some features of messages that can clue you in to a phishing attack?
• Things that make you go “hmm…”
Some Practice
[Annotated screenshot of a sample phishing email. Cues called out on the message:]
• @ulster.ac.uk
• “mailbox capacity Account” (?)
• Impersonal greeting
• Grammar!
• NEVER do this!
• Bates??
• We don’t have anything called “Webmail Helpdesk”
• Expires in 4 days?
• @live.com
More Practice

From: webmaster@ecsi.net [mailto:webmaster@ecsi.net]
Sent: Thursday, December 11, 2008 10:00 AM
To: Samaniego,Rosalie
Subject: Electronic Tax Document Signup For Colorado State University

This email has been sent by Colorado State University / ECSI asking for your consent to receive notification of your 1098-T tax form electronically. If you would like to receive notification electronically please give your consent by following the link below, logging in, and following the instructions. If you would like to receive a paper copy of your 1098-T form, do nothing.

The benefits to receiving electronic notification are:
* Online delivery provides access to the form 1098-T earlier than the traditional mailing process.
* Online delivery eliminates the chance that the 1098-T will get lost, misdirected or delayed during delivery, or misplaced once the student receives it.
* Signing up for online delivery is easy and secure.
* Students can receive their 1098-T form even while traveling or on assignment away from their home address.

To give consent to receive your notification electronically, log in to the SECURE website below using the given information:
Step 1: Website: https://www.ecsi.net/myacct
School Code: JW
Account : (your Social Security Number or Student ID)
Password : 76954
Step 2: Under Account Tools: Click "Signup for Electronic Tax Documents"
Step 3: Read information, check the consent box, verify your email address, and click the submit button.

Thank you for your response.
ECSI's 1098-T Project Manager, Mike Trombetta
webmaster@ecsi.net
ECSI: Service Never Rests
181 Montour Run Road | Coraopolis, PA 15108
v 866.428.1098 | f 866.291.5384 | www.ecsi.net

Cues called out on the message:
• Who is ecsi.net?
• Request for financial transaction
• Sent to a real user, but no personalized greeting, generic message
• Apparently wants my SSN??
• Use a password in the email?
• No mention of anyone from CSU
Summary
• NEVER send your username/password in email – or your CC#, SSN, etc.
• Avoid clicking URLs directly from an email
• If it claims to be from ACNS, look for a digital signature
• If an email looks suspicious, ask your IT person
• Listen to the little voice in your head!