Office Technology Conference
Karen McDowell, Ph.D., GCIH
10 June 2009
Phishing: Don’t Take the Bait!
What is Phishing?
• Phishing aka fraudulent email – the phisher (attacker) sends email falsely claiming to be an established legitimate operation
• Phisher attempts to bait (trick) you into surrendering private information that s/he will use to steal your identity, empty your bank account, or charge items to your credit cards
Phishing at UVa - 2009
• If you clicked on this, you went to the Real Address: http://www.virginia.vbedu.net/info/v/
Expired Visa Card Phishing Scam
• Email appears to come from Visa & claims that the recipient's account has expired
• Renew it immediately or account will be closed
• Innocent person clicks and enters PI…
• Internet criminals now have PI and all account details
• Criminals wire transfer funds out of account
• Sell person’s PI to other criminals
OUCH! SANS Institute Security Newsletter for Computer Users, Volume 6, Number 5, May 2009
Spear Phishing
• Spear Phishing is any highly targeted phishing attack in which your first name or first and last name may appear in email
• Sender may appear to be your HR or IT person or even a higher authority!
World’s Oldest Con Game
• Spear phishers often customize emails with information they've found on Web sites, blogs, or social networking sites
• Fake social networking login pages lure people into sites, where they're used to entering personal information
• No reputable online entity (bank, credit card company, UVa, etc.) will send you a request for personally identifiable information (PI)
FaceBook Login Phishing
• Tricks recipients into providing their FaceBook login details to Internet criminals
• Clicking on the link will take you to a bogus website designed to look like a genuine FaceBook login page
• Bogus sites feature domain names such as "fbstarter.com" and "fbaction.net"
• Purpose of such attacks is generally identity theft and to spread spam
OUCH! SANS Institute Security Newsletter for Computer Users, Volume 6, Number 6, June 2009
Why Does Phishing Work So Well?
• Relative success of spear phishing relies upon the details used –
  • Apparent source - known and trusted individual
  • Information in the message supports its validity
  • Request seems to have a logical basis
• Phishing is also successful, because
  • We don’t pay attention to visual cues
  • We are vulnerable to manipulation
  • Sometimes we are in a hurry
Phishing Headlines
• Breaking News Headlines!
• Cute videos your friend sends you like “Barbie Turns 50”
• Chain letters of any kind
  • Forward this to at least 10 people to save a life
  • Bring good luck in 7 days if only you pass it on!
• Easy money $$$ of any kind
  • Lose weight fast!
  • Burn Those Abs!!
Time-Honored Phishing Scams
• Online games - If you want to play games, buy a CD/DVD from a reputable dealer
• Playing on your heartstrings – Fake charities
• Weather alert software
• Work-at-home and earn a fortune!
• You have a virus, and we can help you!*
• Remember: If it’s free, the price is hidden
*Installs rogue anti-virus software
Brand New Phishing Scams
• Shipping update for your Amazon.com order 245-78546321-658742
• CNN News Air France Flight 447 Tragedy
• CNN News David Carradine Dead
• Click on these messages arriving by email or Twitter, and attackers install rogue anti-spyware
• Attempt to force-submit your credit card
• Damages your computer’s operating system
<blog-trendmicro.com> 6/4/2009
UVa Alerts Email - Legitimate
• “Your UVA Alerts account will expire in 30 days. Go to www.virginia.edu/uvaalerts to extend your service.”
• It’s possible an attacker could infiltrate the server and send these alerts
• Verify that your account is up for renewal
• Look closely at the email message
• Check the suspicious email page http://itc.virginia.edu/security/phishing/
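The "Phishing at UVa", "FaceBook Login Phishing" and "UVa Alerts Email" slides all turn on one check: what matters is the registrable domain of a link (vbedu.net, fbstarter.com, virginia.edu), not the familiar name placed in front of it. The following Python is an added example, not part of the presentation, that performs that check on the links from the slides; it assumes a constructed allowlist of legitimate sender domains and a small constructed subset of two-label public suffixes.

```python
"""Classify an emailed link by its registrable domain, not by how it looks."""
from urllib.parse import urlparse

# Constructed allowlist: registrable domains the real senders on the slides use.
TRUSTED = {"virginia.edu": "UVa", "facebook.com": "Facebook", "visa.com": "Visa"}

# Constructed subset of two-label public suffixes (the real public suffix list is far longer).
TWO_LABEL_SUFFIXES = {"co.uk", "ac.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the portion of a hostname that its registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_link(url: str) -> dict:
    """Return the registrable domain, whether it is trusted, and any warning signs."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    # Everything left of the registrable domain is chosen freely by whoever owns it.
    subdomain_labels = host.lower().split(".")[: -len(reg.split("."))]
    findings = []
    if parsed.username is not None:
        findings.append("text before '@' is a username, not the destination host")
    if reg in TRUSTED:
        return {"host": host, "registrable": reg, "trusted": True, "findings": findings}
    for trusted_dom, brand in TRUSTED.items():
        label = trusted_dom.split(".")[0]  # e.g. "virginia", "facebook"
        if label in subdomain_labels:
            findings.append(f"'{label}' is only a subdomain; {reg} is not {brand}")
        elif label in reg.split(".")[0]:  # crude substring match for lookalike names
            findings.append(f"{reg} merely resembles {trusted_dom}")
    if not findings:
        findings.append(f"{reg} is not a known sender domain")
    return {"host": host, "registrable": reg, "trusted": False, "findings": findings}


if __name__ == "__main__":
    # Links quoted on the slides plus one constructed lookalike
    for link in ["http://www.virginia.vbedu.net/info/v/", "www.virginia.edu/uvaalerts",
                 "http://fbstarter.com/", "http://www.facebook.com.login-check.example/"]:
        print(link, "->", assess_link(link))
```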
Don’t Click = 100% Win for You
• Webpage below identifies phishing email currently circulating at UVa
• http://itc.virginia.edu/security/phishing/
• What my mother taught me still works
  • Don’t take candy from strangers, and
  • If in doubt – don’t!
• Don’t click, that is…