Hey, please use writer 62922 - as this is a weekly task, I would like the same writer. In the files sent, one will be the 4 questions and the other will be a response you need to reply to, as question 4 states. Will be sending the second screenshot soon; will also send lecture notes. Also, you can send the response for the first 3 questions any time before the due date.
Phishing
Ed Moore
Lecture Outline
Faculty of Arts | Department of Security Studies and Criminology

Outline
- What is phishing?
- Types of phishing
- Common techniques
- Spear phishing
- Prevention

What is phishing?
Phishing is a cyber attack in which an attacker tries to trick a user into providing details or access by means of a fake form of communication.
- The term phishing (pronounced "fishing") comes from the analogy of an angler throwing out a baited hook (the phishing email) and hoping you bite.
- Phishing almost always includes a degree of fraud.
- It often comes in the form of emails or websites.
- It may appear to come from legitimate companies or trusted individuals.
- It often takes advantage of natural disasters, epidemics, political or other events.

What is phishing? (continued)
Phishing can be broken down into two general categories:
- Hand-over information: the attacker tries to trick the user into handing over information to the attacker, often usernames, passwords or credit card details. Typically that information is then used to reach more detailed and important information.
- Malware download: the attacker tries to get the user to click a link (or open an attachment) that downloads malware to their system. This gives the attacker access to the system and thus to the information stored on it. These are often keyloggers, which send the keystrokes (including passwords) to the attacker.

Forms of phishing
- Vishing: voice phishing, where an attacker contacts the victim over the phone to try to elicit information.
- Smishing: SMS phishing, contact via SMS or direct message. It is common to see these messages with fake "unsubscribe" links.
- Clone phishing: a cloned copy of a legitimate email or website with malicious links or attachments in place of the legitimate ones.
- Whaling: when an attacker goes after a high-profile target.

Forms of phishing: Email spoofing
- When setting up an email account in a mail program, you can set your name; this is what is shown when you send mail.
- This field (the sender name) cannot be trusted. Neither can the From address on its own: both are plain text chosen by whoever sends the message.
- The field can also be set programmatically when a program sends mail.
- Attackers often try to impersonate known individuals or companies.
- On the receiving side, SPF, DKIM and DMARC let a mail server check whether the sending server was authorised for the From domain. A failed or missing result is a warning sign; a pass only says the sending domain is authentic, not that it is the domain you expected.

Forms of phishing: Mass targeting
- Attackers send phishing emails to groups of people based on common interests.
- This often targets the customers of a business.
- Accuracy is less important: quantity over quality.
- Sending phishing emails is very cheap, so a low success rate is still acceptable.
- A spam email typically costs less than 0.00001c to send.
- Response rates are estimated at around 0.000008% (roughly one in 12.5 million).
- Researchers estimate that spammers can make about $7,000/day, or roughly $2,000,000/year.

Forms of phishing: URL phishing
There are various techniques used within URL phishing that are worth mentioning:
- Hidden links: the email prompts you to "click here", "Download now" or "subscribe", so the visible text says nothing about where the link actually goes.
- URL shorteners: a URL shortener is a service that takes a long, unmemorable, messy URL and shortens it to something easier to manage. These are also frequently used in phishing emails, because you cannot tell where they end up.
- Misspelt URLs: intentionally using misspelt domains in the hope that victims won't notice, e.g. citiibank.com instead of citibank.com. Have you tried gooogle.com?
- Use of alternative domains: the brand's name under a different top-level domain, e.g. citibank.xyz.
- Homographic attacks: the use of intentionally misleading characters to make a domain look legitimate, e.g. arnazon.com vs amazon.com ("rn" read as "m"). The same trick works with non-Latin letters that render like Latin ones (a Cyrillic "а" in place of Latin "a"); such domains are stored as punycode (labels starting with xn--), which is what the address bar may show.

Forms of phishing: Subdomain phishing
- Exploits users who don't fully understand the difference between a domain name and a subdomain.
- A company owns a domain, amazon.com for example.
- The attacker buys another domain, such as techsupport.com, and creates a subdomain under it: amazon.techsupport.com.
- Read domain names from the right: the part the attacker controls is techsupport.com, and the brand name in front of it is just a label the attacker chose.

Forms of phishing: Website spoofing
- Website spoofing is a common technique where an attacker clones a website and redirects submitted login details to their own server.
- It is usually easy to perform and can be difficult to detect.
- The best way not to fall for this is to avoid reaching login pages through emailed links at all: open the site from a bookmark or by typing the address yourself.

Common techniques

Baiting techniques
- Timely call for action: "urgent" or time-sensitive emails put pressure on potential victims to click links without checking them properly.
- Seemingly legitimate email addresses.
- Inclusion of logos to seem more legitimate.

Baiting techniques: Work environment
Phishing emails sent to targets in a work environment differ from those targeting individuals. They generally attempt to blend in with work emails, which makes them more successful:
- Attachments (such as "invoice", "meeting minutes", etc.)
- Third-party providers (Microsoft, Google, etc.)
- Emails from managers or the CEO
- Emails from "IT support"
- Emails from other colleagues
If a colleague has fallen for a phishing scam, one of the first things an attacker will do is secure their foothold inside the company.
This means getting more people infected. Emails sent from a compromised colleague's account are much harder to detect as phishing, because they come from a legitimate source.

Baiting techniques: Personal environment
Personal phishing emails, by contrast, target you at a more personal level:
- Advertisements: weight loss, "win an iPad"
- Social media accounts
- Credit card company
- Threats or blackmail emails
- Love (romance scams)
- Taking advantage of an ongoing crisis

Spear phishing
- Spear phishing is a phishing attack targeted at a single person or a small group of people.
- It differs mainly in that it often involves research steps, rather than being broad and generic.
- It often pulls information from social media platforms to use as an opening and to legitimise the phishing email. Think of the information you provide on LinkedIn: current job/position, previous employment, plausible connections.
- Have you admitted to using a service publicly? Think about complaints on social media, or services you have "liked".

Spear phishing (continued)
- Many of the most successful data breaches in recent years started with a spear phishing attack; phishing is cited as the number one cause of data breaches (see the PhishLabs write-up of the Verizon report in the resource list below).
- Spear phishing attacks are "blended" or "multi-vector" threats: they combine several malicious techniques to create a very dangerous threat, for example email spoofing, dynamic URLs and zero-day vulnerabilities in browsers.
- Unlike traditional phishing emails, which are often poorly written, spear phishing emails are usually well crafted.
- The average impact of a successful spear phishing attack on a business is estimated at $1.6M.

Prevention

Prevention: Spam filters
- The only way to stop spam entirely is to make it unprofitable for the attackers: if we reduce the success rate of the emails, it becomes less profitable.
- Our best defence against phishing and spam is spam filters. The large majority of spam emails are filtered out: up to 99% of spam emails are caught before a user sees them. Think about what your spam folder looks like.
- Spam filters often don't work on spear phishing emails, as these are specially crafted for the target.

Prevention: Software
- Mimecast: a service that rewrites the links in incoming emails so that clicks pass through Mimecast's service first. The service scans the destination page for malicious code and can stop employees reaching malicious pages; it attempts to save employees before the malicious code is executed.
- modusCloud: a service that attempts to detect malicious links based on their URL. It looks for things like "I" (uppercase i) in place of "l" (lowercase L). It would flag something like GOOGIE.com as malicious, as it is likely an attempt to direct a user towards a malicious website.
- Swordphish: extracts features from millions of domains to distinguish good from bad without needing lookups to any external service. Swordphish is extremely fast, at about 10 milliseconds per lookup, with a measured accuracy of 95% in classifying URLs.

Prevention: User training
People are the weakest link in IT security, so training users to detect phishing/spam emails is the most important part.
- No legitimate company should ever ask for your password, bank account numbers or other sensitive information in an email.
- Don't click links from people you don't know, or links that look suspicious.
- Look out for odd capitalisation or misspelt URLs.
- Phishing emails often have poor grammar, spelling and structure: look out for this.
- No software is perfect, and phishing emails (particularly spear phishing) will eventually reach users. Prepare for it!
- Look for "HTTPS": a site without it should never get your credentials, but the reverse does not hold, since phishing sites can and increasingly do use HTTPS too. HTTPS only tells you the connection is encrypted, not who is at the other end.
  "HTTPS & SSL doesn't mean 'trust this.' It means 'this is private.' You may be having a private conversation with Satan." - Scott Hanselman
- If you receive a phishing email from someone you know, they have probably been compromised: don't click the link, but report it to your IT admins. If it's personal, tell the person.
- Using a password manager can help (a manager matched to the real domain will not autofill your credentials on a lookalike domain).
- 2FA helps a lot.
- Provide a way for employees to check the validity of an email or phone call.
- Remember that employees are outcome driven.

The end

Resource list
https://www.sitepoint.com/spam-roi-profit-on-1-in-125m-response-rate/
https://www.forbes.com/2006/12/11/spam-security-email-tech-security-cz_bs_1212spam.html#1e6e35d04626
https://info.phishlabs.com/blog/phishing-number-1-data-breaches-lessons-verizon
https://www.digitalinformationworld.com/2019/03/phishing-attacks-by-numbers.html
https://www.cisco.com/c/en_au/products/security/email-security/what-is-phishing.html
https://blog.syscloud.com/types-of-phishing/
https://www.csoonline.com/article/3077434/93-of-phishing-emails-are-now-ransomware.html
https://digitalguardian.com/blog/what-is-spear-phishing-defining-and-differentiating-spear-phishing-and-phishing
https://medium.com/@kratikal/humans-are-the-weakest-links-in-cyber-security-of-any-organisation-ac04c6e6e71
https://resources.infosecinstitute.com/category/enterprise/phishing/phishing-countermeasures/anti-phishing-hardware-software/
https://www.mimecast.com/the-state-of-email-security-2019/
https://www.fireeye.com
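The email spoofing slide above makes the point that the sender name is whatever the sender typed. The following is an added worked example, not part of Ed Moore's lecture notes: it parses a raw message with Python's standard email module and reports what a receiver can actually check, namely the address behind the display name, a Reply-To that diverts replies to another domain, and the SPF/DKIM/DMARC verdicts the receiving mail server recorded in the Authentication-Results header. The two sample messages, the domains in them and the TRUSTED_DOMAINS list are constructed for the demo.

```python
"""Sender checks for a raw email, illustrating the email-spoofing slide.

Added example, not lecture material. The display name is whatever the sender
typed, so this script looks at what a receiver *can* verify: the address behind
the display name, a Reply-To that points elsewhere, and the SPF/DKIM/DMARC
verdicts a receiving server writes into Authentication-Results. The sample
messages and the trusted-domain list are constructed for the demo.
"""
import email
import re
from email.utils import parseaddr

# Assumption for the demo: the domains the organisation really sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample: the display name claims to be the CEO of Example Corp, but
# the address is a free-mail account, replies are diverted, and authentication failed.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example-corp.com;
 spf=fail smtp.mailfrom=freemail.example;
 dkim=none;
 dmarc=fail header.from=freemail.example
From: "Jane Doe (CEO, Example Corp)" <jane.doe@freemail.example>
Reply-To: payments-desk@finance-desk.example
To: staff@example-corp.com
Subject: URGENT - wire transfer needed before 5pm

Please process the attached invoice today.
"""

# Constructed sample of a genuine internal message, for comparison.
GENUINE_MESSAGE = """\
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass header.d=example-corp.com;
 dmarc=pass header.from=example-corp.com
From: Jane Doe <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Q3 all-hands slides

Slides from today are on the intranet.
"""


def domain_of(address):
    """Lower-cased domain part of an address ('' if there is no @)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def parse_auth_results(header):
    """Extract method=result pairs (spf=pass, dkim=fail, ...) from an Authentication-Results value."""
    if not header:
        return {}
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I)}


def sender_findings(raw_message):
    """Return human-readable findings for one message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The display name drops a trusted organisation's name, but the address is elsewhere.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0].replace("-", " ")
            if brand in display_name.lower().replace("-", " "):
                findings.append(f"display name '{display_name}' names {brand}, "
                                f"but the address domain is {from_domain}")

    # 2. Reply-To on a different domain than From: replies go to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts.
    results = parse_auth_results(msg.get("Authentication-Results"))
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method} did not pass ({verdict})")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, sender_findings(raw) or ["no findings"])
```

Note that the Authentication-Results header is only meaningful when it was written by your own receiving server (the one named at the start of the value); a sender can insert a forged copy, so production filters strip any such header arriving from outside before adding their own.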
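The URL phishing, subdomain phishing and software slides above list lookalike tricks (misspelt domains, alternative TLDs, homoglyphs such as arnazon.com or GOOGIE.com, brand names used as subdomains, shorteners) and describe filters like modusCloud that flag them from the URL alone. Below is an added example along those lines; it is not code from the lecture or from any of the products named. It extracts the registrable domain from a URL, folds confusable characters before comparing against a brand list, decodes punycode so non-Latin look-alikes are visible, and checks visible link text against the real href. PROTECTED_DOMAINS and the tiny PUBLIC_SUFFIXES table are constructed stand-ins; real code would use the Public Suffix List and the Unicode confusables data.

```python
"""Lookalike-URL checks for the URL-phishing and subdomain-phishing slides.

Added example, not lecture material. Flags misspelt domains (citiibank.com),
alternative TLDs (citibank.xyz), homoglyphs (arnazon.com, GOOGIE.com, Cyrillic
letters delivered as punycode), brands used as subdomains (amazon.techsupport.com)
and URL shorteners. Brand list and suffix table are constructed for the demo.
"""
from urllib.parse import urlsplit

# Assumption: brands the organisation wants to protect, by registrable domain.
PROTECTED_DOMAINS = {"amazon.com", "citibank.com", "google.com", "paypal.com"}

# Constructed stand-in for the Public Suffix List (the real one has thousands of entries).
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "ly", "co.uk", "com.au"}

# Real shortener hosts; the lecture's point is that the destination is hidden.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Confusable folding: characters and pairs that read like another letter.
SINGLE_CHAR = str.maketrans({
    "I": "l", "1": "l", "|": "l", "0": "o",
    # Cyrillic letters that render like their Latin look-alikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u04cf": "l",
})
MULTI_CHAR = {"rn": "m", "vv": "w"}


def host_of(url):
    """Host part of a URL with its letter case kept (urlsplit().hostname would lower-case it)."""
    return urlsplit(url).netloc.rpartition("@")[2].split(":")[0]


def decode_host(host):
    """Turn punycode labels (xn--...) back into the Unicode the address bar may hide."""
    labels = [l.lower().encode("ascii").decode("idna") if l.lower().startswith("xn--") else l
              for l in host.split(".")]
    return ".".join(labels)


def registrable_domain(host):
    """Owner-controlled part of a host: techsupport.com for amazon.techsupport.com."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def skeleton(label):
    """Fold confusables so 'arnazon', 'GOOGIE' and Cyrillic look-alikes equal their targets."""
    label = label.translate(SINGLE_CHAR).lower()
    for seq, repl in MULTI_CHAR.items():
        label = label.replace(seq, repl)
    return label


def edit_distance(a, b):
    """Levenshtein distance; a value of 1 catches single-typo squats such as citiibank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url):
    """Findings for one URL; an empty list means no lookalike indicator fired."""
    host = decode_host(host_of(url))
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return []                                   # genuinely the brand's own domain
    findings = []
    if reg in SHORTENERS:
        findings.append(f"{reg}: shortener, destination hidden")
    if any(ord(c) > 127 for c in host):
        findings.append(f"{host}: non-ASCII characters in host (possible homograph)")
    labels = host.split(".")
    reg_len = len(reg.split("."))
    sld_raw = labels[-reg_len]                      # the label the user reads as the brand, case kept
    sub_labels = [l.lower() for l in labels[:-reg_len]]
    for brand in sorted(PROTECTED_DOMAINS):
        brand_sld = brand.split(".")[0]
        if sld_raw.lower() == brand_sld:
            findings.append(f"{reg}: {brand_sld} under a different suffix than {brand}")
        elif skeleton(sld_raw) == skeleton(brand_sld):
            findings.append(f"{reg}: homoglyph of {brand}")
        elif edit_distance(sld_raw.lower(), brand_sld) == 1:
            findings.append(f"{reg}: one edit away from {brand}")
        if brand_sld in sub_labels:
            findings.append(f"{host}: {brand_sld} appears only as a subdomain of {reg}")
    return findings


def link_text_mismatch(anchor_text, href):
    """Hidden-link check: the visible text names one domain while the href goes to another."""
    shown = anchor_text.strip()
    if "." not in shown or " " in shown:
        return False                                # 'click here' style text: nothing to compare
    shown_url = shown if "://" in shown else "http://" + shown
    return registrable_domain(decode_host(host_of(shown_url))) != registrable_domain(decode_host(host_of(href)))
```

The registrable-domain step is what defeats subdomain phishing: everything to the left of techsupport.com is chosen by whoever registered techsupport.com, so a brand name there carries no weight. Folding confusables before comparing is the same idea as the uppercase-I check attributed to modusCloud on the software slide, generalised to a small table; a real deployment would load the Unicode confusables list and a complete public-suffix table rather than the constructed sets above.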