VIETNAM NATIONAL UNIVERSITY, HANOI
VNU INTERNATIONAL SCHOOL
PRINCIPLES OF INFORMATION SECURITY
REPORT
Topic: What is a phishing attack, and how can it be prevented?
Lecturer: Nguyễn Văn Tanh
Hanoi - 2023
I Phishing attacks
1 Definition
Phishing is a form of cyber attack in which an attacker masquerades as a reputable organization to trick users into handing over personal information.
Typically the attacker impersonates a bank, an online shopping site, an e-wallet or a credit card company in order to obtain login credentials, transaction passwords, card numbers and other valuable data.
The attack is usually delivered by email or text message. A user who opens the message and follows the fake link is asked to log in; anyone who takes the bait hands their credentials to the attacker immediately.
A phishing technique was first described in 1987, and the word itself dates from the mid-1990s. "Phishing" combines "fishing" (for information) with "phreaking" (manipulating telephone systems, originally to make calls without paying): the "ph" spelling comes from phreaking, and the name stuck because luring users with bait resembles fishing.
2 Types of phishing attacks
• Email phishing:
Attackers send email in the name of a reputable organization, luring the recipient to click a link that leads to a fake website where they "get hooked". The fake email is often almost identical to a genuine one, differing only in a few small details, which is why so many users are fooled. One of the basic techniques behind it is email spoofing. To make the message look as real as possible, attackers disguise several elements:
+ The sender's address (for example, if the genuine address is sales.companyA@gmail.com, the fake one might be sale.companyA@gmail.com)
+ Pop-up windows and pages designed to match the original exactly (colors, fonts, layout)
+ Forged links, where the visible text differs from the real destination (e.g. the text reads vietcombank.com.vn, but clicking it leads to vietconbank.com.vn)
+ The organization's brand images, to increase credibility
• Spear phishing
Spear phishing is targeted: the attacker crafts the message so that you believe you have received a legitimate email from someone you know, asking for your information. The sender may be a person or any organization you deal with. In most cases the criminals first track your activity on the Internet, especially on social networks; anything you publish about yourself gives them material for a convincing pretext.
For example: you post on a social network that you bought a phone from Lazada. You then receive an email apparently from Lazada saying that your card has been blocked and that you must verify your account before making further purchases. Because the sender address looks like Lazada's, you willingly provide the information the scammers ask for.
• Vishing
Vishing is short for "voice phishing": defrauding people over the phone by enticing them to divulge sensitive information. The attacker tries to obtain the victim's data and use it for their own benefit, typically financial gain. The main goal is to extract financial information or personal data from the person who answers. In a face-to-face interaction you can present visible, authentic evidence such as an identification badge, driver's license or access card; over the phone, the means of verifying a caller's identity are limited to what they say.
For example: fraudsters use a variety of tactics to get hold of victims' phone numbers. One is to mine the massive data leaks that are frequently traded on the dark web, along with social media and employment sites. It is much easier to win people's confidence in these cases because the criminal already knows the victim's name, title and company. Sending text messages to random numbers is another common strategy. The messages often instruct the recipient to contact the "business", or include a response option such as "send 'STOP' if you no longer wish to receive this message." Once someone replies, the criminal has proof that the number is in use and is therefore a prospective target.
• Smishing
Smishing is phishing delivered by text message: a compelling SMS tricks the recipient into clicking a link and handing the attacker private information, or into downloading a malicious program onto their smartphone. Most smishing attacks work like email phishing. The attacker sends a message enticing the user to click a link, or asks for a reply that contains the user's private data. The information an attacker wants can be anything, including:
+ Online account credentials
+ Private information that could be used for identity theft
+ Financial data that can be sold on darknet markets or used for online fraud
Smishers use a variety of tricks to get users to send private information. They may use basic details about the target (such as name and address) taken from public online sources so that the message appears to come from a trusted sender; addressing you by name and location makes it more convincing. The message then carries a link pointing to an attacker-controlled server. The link may lead to a credential phishing site, or to malware designed to compromise the phone itself, which can then snoop on the phone's data or silently send sensitive data to the attacker's server. For example, a common smishing attack uses a brand name with a link purporting to lead to the brand's site: typically the attacker tells the user that they have won money, or sends a malicious link supposedly for tracking a package, as in the example screenshot in the original report.
• Angler phishing
Social media is a relatively new attack vector that gives criminals several ways to trick people. Fake URLs; cloned websites, posts and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Criminals can also use the data that people willingly post on social media to build highly targeted attacks.
As the exchange below demonstrates, angler phishing is often made possible by the number of people who contact organizations directly on social media with complaints.
[Screenshot: a customer tweets a complaint about a cold pizza delivery ("Never ordering from @dominos again"); a reply from the Domino's Pizza account apologizes ("Sounds like we dropped the ball and I'd like to help make this right!") and asks the customer to follow the account and DM the store info, their name, phone number and email.]
Organizations often treat such complaints as an opportunity to limit the damage, usually by giving the customer a refund.
Scammers, however, are adept at hijacking these exchanges from a look-alike support account and asking the customer for their personal details, ostensibly to arrange compensation but in fact to compromise their accounts.
• Whaling
Whaling attacks are even more targeted, taking aim at senior executives or using their identity against their staff. Although the end goal is the same as any other phishing attack, the technique tends to be far subtler.
Tricks such as fake links and malicious URLs are of little use here, because the criminal is imitating senior staff: the message is usually plain text, with nothing for a link or attachment filter to catch.
Whaling emails commonly use the pretext of a busy CEO who needs an employee to do them a favor:
To: Jim Stapleton
Subject: (URGENT)
Jim, I am currently stuck in a meeting, but we need to do a wire transfer as soon as possible for a payment Laura wants us to get done today.
Can you get that done this morning? Let me know and I will get you the info you need. Thanks
David
Emails such as the above may not be as sophisticated as spear phishing emails, but they play on employees' willingness to follow instructions from their boss.
Recipients might suspect that something is amiss, but are too afraid to challenge the sender for fear of appearing unprofessional.
• Business email compromise (BEC)
Aside from mass-distributed phishing campaigns, criminals target key individuals in finance and accounting departments through business email compromise (BEC) scams and CEO email fraud. By impersonating financial officers and CEOs, they try to trick victims into initiating money transfers to accounts the criminals control.
Typically the attacker first compromises the email account of a senior executive or financial officer, either through an existing malware infection or via a spear phishing attack. The attacker then lurks, monitoring the executive's mailbox for a period of time to learn the company's processes and procedures. The actual attack is a forged email that appears to come from the compromised executive's account, sent to someone who regularly corresponds with them. The email looks important and urgent and asks the recipient to wire funds to an external or unfamiliar bank account. The money ultimately lands in the attacker's account.
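The whaling and BEC messages described above share a few header-level tells: an executive's name on an address that is not theirs, a look-alike sender domain, a Reply-To that diverts the conversation, and an urgent payment request with no link or attachment for a URL filter to catch. The following Python is an added example (not part of this report and not taken from any mail product) that scores raw messages on these indicators. The company domain, the executive list, the 0.9 similarity threshold and the three sample messages are constructed for the demonstration; the first sample is modelled on the "David/Jim" email above.

```python
"""Header and content checks for whaling / BEC style mail.

Added illustration for the whaling and business email compromise passages;
not code from the report or from any mail product.  The company domain, the
executive list and the sample messages below are constructed for the demo.
"""
import email
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

COMPANY_DOMAIN = "examplecorp.com"      # assumed: the defender's own domain
EXECUTIVES = {                          # assumed: first names staff would obey
    "david": "david@examplecorp.com",
    "laura": "laura@examplecorp.com",
}
URGENCY = re.compile(r"\b(urgent|asap|as soon as possible|today|immediately)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|wire|payment|invoice|bank account|gift card)\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(dom, trusted=COMPANY_DOMAIN):
    """Near-miss spelling of the company domain (examp1ecorp.com), not the domain itself."""
    return bool(dom) and dom != trusted and SequenceMatcher(None, dom, trusted).ratio() >= 0.9


def analyse(raw):
    """Return [(indicator, detail), ...] for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. A trusted executive's display name on an address that is not theirs.
    first = name.split()[0].lower() if name else ""
    known = EXECUTIVES.get(first)
    if known and addr.lower() != known:
        findings.append(("display-name impersonation", f"{name!r} sent from {addr}"))

    # 2. Sender domain that is a character or two away from the real one.
    if is_lookalike(from_dom):
        findings.append(("look-alike domain", from_dom))

    # 3. Reply-To steering answers to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(("reply-to mismatch", reply))

    # 4. The CEO-fraud pretext: urgency combined with a payment request.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    urgent, pay = URGENCY.search(text), PAYMENT.search(text)
    if urgent and pay:
        findings.append(("urgent payment request", f"{urgent.group(0)} / {pay.group(0)}"))
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "ceo_fraud": """\
From: "David" <david@examplecorp-mail.com>
Reply-To: david.ceo@gmail.com
To: jim.stapleton@examplecorp.com
Subject: (URGENT)

Jim, I am currently stuck in a meeting, but we need to do a wire transfer
as soon as possible for a payment Laura wants us to get done today.
""",
    "lookalike": """\
From: "Laura" <laura@examp1ecorp.com>
To: jim.stapleton@examplecorp.com
Subject: Invoice

Please process the attached invoice today.
""",
    "benign": """\
From: "David" <david@examplecorp.com>
To: jim.stapleton@examplecorp.com
Subject: Lunch

Are you free for lunch on Friday?
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyse(raw))
```

None of these indicators is proof on its own (a genuine executive may well write "urgent" from a phone), which is why the function returns every matching indicator rather than a verdict: a mail gateway would quarantine or tag on a combination, and an analyst would read the detail strings.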
3 Impact
For individuals, the consequences include unauthorized purchases, stolen funds and identity theft.
Phishing is also often used to gain a foothold in corporate or government networks as part of a larger attack, such as an advanced persistent threat (APT). In that scenario employees are compromised in order to bypass the security perimeter, distribute malware inside a closed environment, or gain privileged access to protected data.
An organization that falls to such an attack typically suffers severe financial losses as well as loss of market share, reputation and consumer trust.
Depending on its scope, a phishing attempt can escalate into a security incident from which a business has great difficulty recovering.
Example
The following illustrates a common phishing attempt:
A spoofed email, ostensibly from myuniversity.edu, is mass-distributed to as many faculty members as possible.
The email claims that the user's password is about to expire and instructs them to go to myuniversity.edu/renewal to renew it within 24 hours.
From: MyUniversity    12:18 PM (50 minutes ago)
Dear network user,
This email is meant to inform you that your MyUniversity network password will expire in 24 hours.
Please follow the link below to update your password:
myuniversity.edu/renewal
Thank you,
MyUniversity Network Security Staff
Several things can happen when the link is clicked. For example:
• The user is redirected to myuniversity.edurenewal.com, a bogus page that looks exactly like the real renewal page and asks for both the current and the new password. The attacker, watching the page, captures the current password and uses it to reach protected areas of the university network. Note that the link text shows the genuine domain while the destination is a different registrable domain that merely begins with it.
• The user is sent to the genuine password renewal page, but the link carries a payload in a parameter that the page reflects into its HTML without sanitizing it. This is a reflected XSS attack: the script runs in the university site's own origin and can read the user's session cookie (unless the cookie is marked HttpOnly), giving the attacker an authenticated session on the university network.
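The forged-link trick from the email phishing section (visible text vietcombank.com.vn, destination vietconbank.com.vn) and the myuniversity.edurenewal.com page in the example above are the same defect seen from two angles: the host the user reads is not the host the browser connects to. The following Python is an added example, not code from this report, that pulls every anchor out of an HTML message and flags links whose visible domain differs from their destination, or whose destination is a look-alike of a trusted domain (a near-miss spelling, or a different registrable domain that merely contains the trusted name). The trusted domains, the 0.9 similarity threshold and the two sample messages are constructed for the demonstration.

```python
"""Spot forged links and look-alike hosts in an HTML phishing mail.

Added illustration for the email-spoofing techniques and for the
MyUniversity example; not code from the report.  The trusted domains and
the sample bodies are constructed for the demo.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that a reader would take for an address: "bank.com", "bank.com/x", "https://bank.com"
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", re.I)


def host_of(url):
    """Host part of a URL; bare 'example.com/path' text is handled too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host, trusted):
    return host == trusted or host.endswith("." + trusted)


def looks_like(host, trusted):
    """Not the trusted host, but contains it (myuniversity.edurenewal.com)
    or is a near-miss spelling of it (vietconbank vs vietcombank)."""
    if not host or is_trusted(host, trusted):
        return False
    return trusted in host or SequenceMatcher(None, host, trusted).ratio() >= 0.9


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html, trusted):
    """Return (text, href, reason) for every link a user should distrust."""
    p = LinkCollector()
    p.feed(html)
    bad = []
    for text, href in p.links:
        target = host_of(href)
        shown = HOSTLIKE.match(text)
        if shown and host_of(shown.group(1)) != target:
            bad.append((text, href, "link text and destination differ"))
        elif looks_like(target, trusted):
            bad.append((text, href, "look-alike host"))
    return bad


# Constructed sample bodies (not real mail).
UNIVERSITY_MAIL = """\
<p>Dear network user, your MyUniversity network password will expire in 24 hours.
Please follow the link below to update your password:
<a href="http://myuniversity.edurenewal.com/renewal">myuniversity.edu/renewal</a></p>
<p>You can also <a href="http://myuniversity.edurenewal.com/renewal">renew now</a>
or read the <a href="https://myuniversity.edu/it/help">IT help pages</a>.</p>
"""
BANK_MAIL = """\
<p>Please confirm your card at <a href="https://vietconbank.com.vn/login">vietcombank.com.vn</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in check_links(UNIVERSITY_MAIL, "myuniversity.edu"):
        print(f"{reason}: '{text}' -> {href}")
    for text, href, reason in check_links(BANK_MAIL, "vietcombank.com.vn"):
        print(f"{reason}: '{text}' -> {href}")
```

The subdomain test in is_trusted matters: renewal.myuniversity.edu is legitimately under the university's control, while myuniversity.edurenewal.com is a separate domain that anyone can register, so string containment alone would get both cases wrong.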
II Prevention
1 For individuals
- Be wary of emails that urge you to enter sensitive information. However appealing the call to action, it is worth checking first. For example: you have just shopped online, and suddenly a bank emails you offering a refund if you just enter the card details you used to pay. Believe it?!
- Do not click any link sent by email unless you are 100% sure it is safe.
- Never send confidential information by email.
- Do not respond to scam emails. Fraudsters often give you a phone number to call "for business purposes"; these numbers usually run over Voice over IP, which lets the caller spoof the displayed number and makes the call very hard to trace.
- Use a firewall and anti-virus software, and keep both updated to the latest versions.
[Phishing awareness poster, "What you need to know":
What phishers want: passwords, financial information, identity, money.
What they exploit: urgency, desire to please, greed, complacency.
Warning signs: spelling and grammar errors, the sender's address, attachments, things that sound too good to be true, login pages.
Report phishing emails to spam@stanford.edu]
2 For organizations
- Train employees to increase their knowledge of safe Internet use.
- Run training sessions regularly and rehearse simulated phishing scenarios.
- Use a business email service on your own domain (for example Google Workspace, formerly G Suite) rather than free Gmail accounts. On your own domain you can publish SPF, DKIM and DMARC records so that mail forging your domain is rejected, whereas a free address is trivially imitated by registering a look-alike one.
- Deploy a spam filter to block spam and phishing mail.
- Always update software and applications to close security holes that attackers can exploit.
- Proactively protect sensitive and important information.
- Enable two-factor authentication (2FA); it is one of the most effective countermeasures against phishing. Note, however, that SMS and app-generated one-time codes can still be relayed in real time by a phishing proxy sitting between the victim and the real site. Phishing-resistant factors such as FIDO2/WebAuthn security keys bind each login to the genuine site's origin, so a credential presented on a look-alike domain is rejected.
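The 2FA caveat above is easiest to see in code. The following Python is an added example, not code from this report and not a real WebAuthn implementation: it models only the origin and RP-ID binding that the relying party checks (signature verification and credential lookup are left out), next to an RFC 6238 TOTP, and plays out a real-time phishing proxy on the look-alike domain vietconbank.com.vn from the email phishing section. The RP ID, the origins, the challenge, the OTP secret and the fixed timestamp are all constructed for the demonstration.

```python
"""Why OTP-style 2FA is relayable but an origin-bound factor is not.

Added illustration for the 2FA point above; not code from the report and
not a full WebAuthn implementation (signatures are omitted, only the origin
and RP ID binding is modelled).  All names and secrets are constructed.
"""
import base64
import hashlib
import hmac
import json
import struct
import time

RP_ID = "vietcombank.com.vn"                 # assumed: the genuine site
REAL_ORIGIN = "https://vietcombank.com.vn"
FAKE_ORIGIN = "https://vietconbank.com.vn"   # assumed: attacker's look-alike
OTP_SECRET = b"constructed-demo-secret"


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, enough to show the relay problem."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def otp_login_accepts(submitted_code, t):
    """Real site: the code says nothing about where it was typed, so a code
    captured on the fake page and relayed within the time step is accepted."""
    return hmac.compare_digest(submitted_code, totp(OTP_SECRET, t))


def authenticator_sign(origin, rp_id_seen, challenge):
    """What a FIDO authenticator returns when the browser at `origin` asks it
    to sign `challenge` for `rp_id_seen`.  The browser, not the user, fills in
    the origin, and it only allows an RP ID that matches the page's domain."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + bytes([0x01]) + b"\0\0\0\0"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def rp_verify(assertion, expected_challenge, rp_id=RP_ID, allowed_origins=(REAL_ORIGIN,)):
    """Relying-party checks (subset of the WebAuthn verification steps) that
    defeat a proxy: ceremony type, the challenge issued by this site, the
    origin recorded by the browser, the RP ID hash, and user presence."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')} not allowed"
    rp_hash = assertion["authenticatorData"][:32]
    if not hmac.compare_digest(rp_hash, hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not assertion["authenticatorData"][32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def relay_demo():
    """Attacker proxies the real site through the look-alike.  Returns which
    second factors the real site accepts when the victim logs in at FAKE_ORIGIN."""
    now = 1_700_000_000                      # fixed timestamp for a repeatable demo
    challenge = base64.urlsafe_b64encode(b"constructed-challenge").decode().rstrip("=")
    # Victim types password + OTP into the fake page; the proxy forwards both at once.
    otp_result = otp_login_accepts(totp(OTP_SECRET, now), now)
    # Victim's browser signs for the page it is actually on: the fake origin.
    relayed = authenticator_sign(FAKE_ORIGIN, "vietconbank.com.vn", challenge)
    fido_result, reason = rp_verify(relayed, challenge)
    # Same challenge, same authenticator, but used on the genuine site.
    genuine_result, _ = rp_verify(authenticator_sign(REAL_ORIGIN, RP_ID, challenge), challenge)
    return {"otp_relayed": otp_result, "fido_relayed": fido_result,
            "fido_reason": reason, "fido_genuine": genuine_result}


if __name__ == "__main__":
    print(relay_demo())
```

The point of the demo is the asymmetry: the OTP passes because nothing in a six-digit code ties it to the page it was typed into, while the WebAuthn assertion fails at the origin check before any cryptography is even considered, since the browser wrote the look-alike origin into clientDataJSON and the authenticator signed over it.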
3 Useful tools to help prevent phishing
- SpoofGuard: a browser plugin for Microsoft Internet Explorer (a Stanford research project, now dated) that places an indicator in the browser toolbar; it turns from green to red if you land on a phishing site. If you try to enter sensitive information into a form on a suspected fake site, SpoofGuard warns you before the data is submitted.
- Anti-Phishing Domain Advisor: essentially a toolbar that warns of phishing websites, based on data from Panda Security.
- Netcraft Anti-Phishing Extension: Netcraft is a reputable provider of a range of security services, and its anti-phishing browser extension is highly regarded for its smart warning features.