Lecture 3-Social Engineering and Phishing Attacks-NPTEL

The document discusses social engineering and phishing attacks, detailing various types, methods, and their impact, particularly in India where phishing scams have resulted in significant financial losses. It outlines the stages of social engineering attacks, forms of phishing, and the importance of personal and enterprise-level defenses against such threats. Additionally, it highlights the role of banks in protecting customers from phishing attacks through monitoring and security measures.


Social Engineering

and Phishing
Attacks
DR. NEMINATH HUBBALLI

IIT INDORE © NEMINATH HUBBALLI


Outline
• Social Engineering Attacks
• Forms and means of Phishing Attacks
• Phishing today
• Staying safe
• Personal level defense
• Enterprise level defense
• Role of banks and financial institutions



Case Study: Phone Phishing Experiment
• 50 users were contacted
• Managed to get e-banking passwords

Source: Experimental Case Studies for Investigating E-Banking Phishing Intelligent Techniques and Attack Strategies



Social Engineering
• A method of staging a cyber attack through human interaction: the attacker exploits human error and trust rather than a technical flaw.
• Stages
  1. Investigation: Preparing the ground (choose the target, gather background information)
  2. Hook: Gain a foothold (engage the victim and establish a pretext)
  3. Play: Expand the foothold (extract the information or get the action performed)
  4. Exit: Erase all traces (close the interaction without raising suspicion)



Social Engineering: Types
• Baiting: Make a false promise to trick the user into doing something.
  ◦ Ex: Leave a malware-loaded flash drive where a curious employee will find it and plug it in
• Scareware: Bombard the user with false, alarming messages.
  ◦ Ex: "Your account will be deleted if you do not verify"
• Phishing: Trick the user into revealing sensitive information.
  ◦ Ex: Collect user credentials through lookalike websites



Phishing Attacks in India and Globally
• India lost around $53 million (about Rs 328 crore) to phishing scams, with the country facing over 3,750 attacks in July-September 2017
• 4th largest target of phishing attacks in the world
• 7% of global phishing attacks target India
• US tops the ranking with 27% of phishing attacks

Courtesy: The Hindu BusinessLine, http://www.thehindubusinessline.com/industry-and-economy/info-tech/india-lost-53-m-to-phishing-attacks-in-q3/article5414170.ece


Phishing Attack
The word is made up of
◦ Phreaking + Fishing = Phishing
◦ Phreaking = hacking the telephone network to make free calls, back in the 1970s
◦ Fishing = attract the fish to bite

[Figure: a pond full of fish. There are lots of fish in the pond; lure them to come and bite; those who bite become the victims. Courtesy: Google Images]


Phishing Attack
• Phishing is a form of social engineering attack
• Not all social engineering attacks are phishing attacks!
• The phisher mimics the communication style and appearance of a legitimate company
• The first phishing incident appeared in 1995
• Attractive targets include
  ◦ Financial institutions
  ◦ Gaming industry
  ◦ Social media
  ◦ Security companies


Phishing Information Flow
Three components
◦ Mail sender: sends a large volume of fraudulent emails
◦ Collector: collects the sensitive information that users enter on the fake site
◦ Casher: uses the collected sensitive information to encash it (turn it into money)

Courtesy: Junxiao Shi and Sara Saleem


Phishing Forms
• Misspelled or lookalike URLs
  ◦ www.sbibank.statebank.com (brand name placed in a subdomain of an unrelated domain)
  ◦ www.micosoft.com (dropped letter)
  ◦ www.mircosoft.com (swapped letters)
• Deceptive anchor text: the text the user sees is not where the link goes
  ◦ <a href="http://attacker-controlled-site">Link Text</a>
  ◦ The user sees only "Link Text" (often written to look like the bank's own URL); the browser follows the href
• Fake SSL lock
  ◦ A padlock image is simply drawn in the page content so that users feel secure
• Getting valid certificates for illegal sites
  ◦ The certificate authority not being alert when issuing the certificate
• Sometimes users overlook security certificate warnings
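
As an added illustration (not part of the lecture slides), the following Python script implements the checks a mail filter or browser toolbar would apply to links of the kinds listed above: a raw IP address as the host, a registrable domain within a small edit distance of a known brand domain (micosoft.com, mircosoft.com), a brand keyword buried in a subdomain of an unrelated domain (sbibank.statebank.com), and anchor text that displays one site while the href points to another. The brand keyword map, the thresholds, the function names and the sample links are all constructed for this example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> the genuine registrable domain. Constructed for this example;
# a real filter would load a maintained allow-list instead.
BRAND_KEYWORDS = {
    "microsoft": "microsoft.com",
    "sbi": "onlinesbi.com",
    "paypal": "paypal.com",
}

# Visible link text that itself looks like a URL (http://... or www.bank.com/...)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Host part of a URL; tolerates a bare 'www.example.com' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host: str) -> str:
    """'www.micosoft.com' -> 'micosoft.com'. Simplification: multi-label public
    suffixes such as co.in are not handled; IP hosts are returned unchanged."""
    if is_ip(host):
        return host
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (a swapped pair, as in mircosoft, costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_warnings(url: str) -> list:
    """Heuristic flags for one URL: raw IP host, misspelled brand domain, or a
    brand keyword used as a label inside an unrelated domain."""
    host = host_of(url)
    if not host:
        return []
    if is_ip(host):
        return ["raw IP address as host"]
    reg = registrable(host)
    flags = []
    for keyword, genuine in BRAND_KEYWORDS.items():
        if reg == genuine:
            continue  # the real site
        if edit_distance(reg, genuine) <= 2:
            flags.append(f"lookalike of {genuine}: {reg}")
        elif any(keyword in label for label in host.split(".")):
            flags.append(f"brand keyword '{keyword}' inside unrelated domain {reg}")
    return flags


class _AnchorParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def anchor_warnings(html: str) -> list:
    """For every <a> in an HTML fragment: (href, visible text, flags). Adds a
    flag when the visible text names a different site than the href."""
    parser = _AnchorParser()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        flags = url_warnings(href)
        if LOOKS_LIKE_URL.match(text):
            shown, real = registrable(host_of(text)), registrable(host_of(href))
            if shown != real:
                flags.append(f"link text shows {shown} but href goes to {real}")
        results.append((href, text, flags))
    return results
```

Running `anchor_warnings('<a href="http://20.100.23.45/verify">www.onlinesbi.com</a>')` flags both the IP host and the mismatch between the displayed site and the real one. In production the last-two-labels shortcut in `registrable` should be replaced by a Public Suffix List lookup, and the edit-distance threshold tuned against a list of legitimate domains, otherwise short brand names produce false positives.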



Phishing Payload
• Keyloggers
• Spyware
• Screen grabber
• Bot


Phishing Purpose
• Login credentials
• Banking credentials
• Credit card details
• Address and personal information
• Trade secrets
• DDoS agent
• Botnet growth
• Confidential documents


Types of Phishing
• Clone Phishing:
  ◦ Phisher creates a clone of a legitimate email
  ◦ Obtains the contents and the addresses of the recipients and sender, and resends the copy with the links or attachments replaced by malicious ones
• Spear Phishing:
  ◦ Targeting a specific group of users
  ◦ All users of that group have something in common
  ◦ Ex: Targeting all faculty members of IITI
• Phone Phishing (vishing):
  ◦ Call someone and say you are from the bank
  ◦ Ask for the password, saying you need it to do maintenance


Email Spoofing for Phishing
• An email that conceals its true source
  ◦ Ex: appears to come from customercare@sbi.com when it is actually sent from somewhere else
• Send an email saying your bank account needs to be verified urgently
• When the user believes it
  ◦ She sends her credit card details
  ◦ She gives her password
• Sending a spoofed email is very easy
  ◦ The From header is written by the sender, and there are many spoof mail generators

Sample Email
[Slide shows a sample phishing email as an image; not reproduced here]


Phishing Today
• Use bots to perform large scale activity
  ◦ Compromised machines act as relays for sending spam and phishing emails
• Phishing kits
  ◦ Ready to use
  ◦ Contain clones of many banks' and other websites


Phishing Today
• Uncommon encoding mechanisms (to hide the real URL or page contents from filters and from the user)
• Fake banner advertisements (the advertisement itself leads to the phishing page)


Phishing Today
• Dynamic code
  ◦ Phishing emails contain links to sites whose contents change over time
  ◦ When the email arrived at midnight the site was harmless (so it passed the filters), but by the next day, when you clicked, it was spreading malware
• Numbers (IP address) in URLs, e.g. http://20.100.23.45/
• Use of targeted email
  ◦ Gather enough information about the user from social networking sites
  ◦ Send a targeted email using the knowledge gathered in the previous step
  ◦ The unsuspecting user clicks on the link
  ◦ Attacker takes control of the recipient's machine (backdoor, trojan)
  ◦ Steal / harvest credentials


Personal Level Protection
• Email protection
  ◦ Block dangerous email attachments
  ◦ Disable HTML rendering in all emails (plain text shows the real link target, and no scripts or tracking images load)
• Awareness and education
• Web browser toolbars
  ◦ Check every visited site against a database of FQDN / IP address mappings of known phishing sites
• Multifactor authentication (a stolen password alone is not enough to log in)


Enterprise Level Protection
• Collecting data from users
  ◦ About emails received
  ◦ Website links
  ◦ Why should anyone give you such data?
    ◦ It is in her own interest too
    ◦ Incentives
• Analyzing spam emails for keywords
  ◦ "click on the link below"
  ◦ "enter user name password here"
  ◦ "account will be deleted" etc.
• Personalization of emails
  ◦ Every email should quote some secret that proves the sender's identity
  ◦ Ex: Address the customer as "Dear Dr. Neminath" instead of "Dear Customer"
  ◦ Refer to the timing of the previous email
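
The header checks from the email spoofing slide and the keyword and personalization points above can be combined into one scoring routine. The following Python is an added example, not code from the lecture: it compares the From domain with the Return-Path domain, reads the spf/dkim/dmarc verdicts that a receiving mail server records in the Authentication-Results header (RFC 8601) when that header is present, counts the slide's suspicious phrases in the body, and flags a generic greeting or a missing customer name. Both sample messages are constructed for this example, and the phrase list, addresses and function names are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Phrases the slide lists as typical of phishing mail, plus an urgency cue.
# Constructed list for this example; a real filter would curate or learn it.
SUSPICIOUS_PHRASES = (
    "click on the link below",
    "enter user name password here",
    "account will be deleted",
    "verify your account",
    "urgently",
)
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")


def _domain(header_value: str) -> str:
    """'"SBI Customer Care" <x@sbi.com>' -> 'sbi.com'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def auth_failures(msg) -> list:
    """spf/dkim/dmarc verdicts other than pass/none, read from the
    Authentication-Results header that the receiving MTA adds."""
    failures = []
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            if verdict.lower() not in ("pass", "none"):
                failures.append(f"{mech.lower()}={verdict.lower()}")
    return failures


def _body_text(msg) -> str:
    """Plain-text body; for multipart mail, the concatenated text/plain parts."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"".join(p for p in parts if p).decode(errors="replace")
    return (msg.get_payload(decode=True) or b"").decode(errors="replace")


def score_message(raw: str, expected_name: str = None) -> dict:
    """Returns {'score': n, 'reasons': [...]} for one RFC 5322 message.
    expected_name is the customer name a genuine mail should contain."""
    msg = email.message_from_string(raw)
    reasons = []
    from_domain = _domain(msg.get("From", ""))
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        reasons.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    reasons += auth_failures(msg)
    body = _body_text(msg).lower()
    reasons += [f"phrase: '{p}'" for p in SUSPICIOUS_PHRASES if p in body]
    if body.lstrip().startswith(GENERIC_GREETINGS):
        reasons.append("generic greeting instead of the customer's name")
    elif expected_name and expected_name.lower() not in body:
        reasons.append("does not address the customer by name")
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages (not real mail). The first imitates the slide's
# customercare@sbi.com spoof; the second is what a personalized bank mail looks like.
PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "SBI Customer Care" <customercare@sbi.com>
To: victim@example.org
Subject: Your account will be deleted

Dear Customer,

Your bank account needs to be verified urgently. Click on the link below
and enter user name password here, else your account will be deleted.
http://20.100.23.45/verify
"""

GENUINE = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: "Bank Alerts" <alerts@bank.example>
To: neminath@example.org
Subject: Your March statement

Dear Dr. Neminath,

As mentioned in our email of 2 March, your statement is now available in
your secure mailbox after you log in at the usual address.
"""

if __name__ == "__main__":
    print(score_message(PHISH))
    print(score_message(GENUINE, expected_name="Neminath"))
```

The spoofed message scores 7 (domain mismatch, SPF failure, four phrases, generic greeting) while the genuine one scores 0. The Authentication-Results check only means something when the receiving server actually performs SPF/DKIM/DMARC validation and strips any such header the sender supplied; a bare From/Return-Path comparison is a weak signal on its own, since legitimate bulk mailers also use a separate bounce domain.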
What Banks are Doing to Protect from Phishing
• Banks and their customers lose crores of rupees every year
• They hire professional security agencies who constantly monitor the web for phishing sites
• Regularly alert the users "to be alert" and not to fall prey
• Use the best state-of-the-art security software and hardware
• Maintain whitelists of genuine sites and blacklists of phishing sites

