Freud and Phishing: The Psychology Behind Internet Scams JC Lamkin, CNA, PMP Gypsy Lane Technologies...
Posted 20-Dec-2015 (Category: Documents)
Transcript of Freud and Phishing: The Psychology Behind Internet Scams JC Lamkin, CNA, PMP Gypsy Lane Technologies...
Freud and Phishing: The Psychology Behind Internet Scams
JC Lamkin, CNA, PMP
Gypsy Lane Technologies
Philadelphia, PA 19144
(215) 843-1039
[email protected]
www.gltMYpc.com
Twitter.com/TechCrusader
Making Money with Phish
2,000,000 emails are sent
5% get to the end user – 100,000 (APWG)
5% click on the phishing link – 5,000 (APWG)
2% enter data into the phishing site – 100 (Gartner)
$1,200 from each person who enters data (FTC)
Our potential reward: $120,000
How Much Information?
4.1 million – the number of credit card numbers discovered in ONE phishing blind drop over a 4 month period
A typical day: information for 13,677 accounts
3,356 credit cards
255 PayPal account logins
1,038 eBay account logins
93 Bank of America online banking account logins
2,609 Hotmail email account logins
Source: Washingtonpost.com (Security Fix: Brian Krebs)
Phish and Spam are Different
Email Characteristics: Spam vs. Phishing
How does the email enter your inbox?
  Spam: Back door – needs a disguise to get past filters
  Phishing: Front door – must look like something users want
What does the email appear to be delivering?
  Spam: Something you didn’t ask for, but still might want
  Phishing: Information that you should receive
The effectiveness of the email is based on?
  Spam: What the receiver desires
  Phishing: Establishing credibility with the receiver
What’s the most important attribute of the email?
  Spam: Product credibility
  Phishing: Brand credibility
What happens if a user acts on the email offer?
  Spam: Might actually get the product offered
  Phishing: Lose company, financial, or personal information
What’s the real purpose?
  Spam: Selling
  Phishing: Stealing
Psychology: Phish ≠ Spam
People treat spam and phish differently
1. Take a phishing email and place it in an end user’s “spam” folder.
10% of the time the user removes the phishing email from the spam folder and places it in their inbox.
2. Take a phishing email and place it in an end user’s “phish” folder.
The user removes the phishing email from the phish folder less than 0.5% of the time.
Fear – You’re Being Naughty
“…payments or donations for obscene or certain sexually oriented goods or services.”
“…your account…limited for: xxxcambabes.com cam shows.”
Fear – Account Takeover
“…someone had used your account to make fake bids…”
“You must verify …”
“…no choice but to suspend your account.”
Other Email Tricks
Multi-Stage Attacks
Email 1 – “We’ll be updating all our accounts this weekend”
Email 2 – “We discovered a problem with your account”
Multi-channel Attacks
Email contains both a phishing URL and a phishing phone number (typically VOIP based)
The Domain Name Game
citibank-validate.info
earthlink-reactivation.net
services-bankofamerica.com
sales-aol.net
secure-ebay.com
msn-reactivation.net
secure-usbank.info
service-visa.net
verification-e-gold.com
customer-verification.com
banking-account-renewal.com
Phisher’s SSL Certificate
>> citibanhk.de <<
Duplicated Registrar Info
>> credltlyonaisse.com <<
Registering a Cyrillic “a”
>> paypal.com <<
Hall of Fame
More Web Site Tricks
Search Engine Listings
Common URL misspellings
www.mailfrontier.com
www.mailfronteir.com
www.malefrontier.com
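A defender-side check for the lookalike tricks above (a brand name embedded in a hostname, typosquats such as mailfronteir, and a Cyrillic “a” swapped into paypal.com). This is an added example, not code from the talk; the KNOWN_BRANDS list and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed brand list (an assumption, not from the talk): brand token -> its real domain.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "citibank": "citibank.com",
    "ebay": "ebay.com",
    "mailfrontier": "mailfrontier.com",
}

def registrable_domain(host):
    """Last two labels of the host, e.g. 'www.secure-ebay.com' -> 'secure-ebay.com'.
    Naive on purpose: multi-part suffixes such as .co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def has_mixed_script(host):
    """True for punycode labels (xn--) or for letters from more than one script,
    e.g. a Cyrillic 'а' (U+0430) dropped into an otherwise Latin 'paypal.com'."""
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        return True
    scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in host if ch.isalpha()}
    return len(scripts) > 1

def classify(host):
    """Return the reasons a hostname looks like a phishing lookalike ([] if none)."""
    reasons = []
    h = host.lower().rstrip(".")
    if has_mixed_script(h):
        reasons.append("homograph")
    reg = registrable_domain(h)
    sld = reg.split(".")[0]            # second-level label, e.g. 'secure-ebay'
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            continue                   # the genuine domain or a subdomain of it
        if brand in sld:               # 'secure-ebay.com', 'citibank-validate.info'
            reasons.append("brand-in-name:" + brand)
        elif SequenceMatcher(None, sld, brand).ratio() >= 0.8:
            reasons.append("typosquat:" + brand)   # 'citibanhk.de', 'mailfronteir.com'
    return reasons

if __name__ == "__main__":
    # Constructed sample: domains the slides list plus a paypal.com with a Cyrillic 'a'.
    for host in ["www.paypal.com", "secure-ebay.com", "citibanhk.de",
                 "www.mailfronteir.com", "p\u0430ypal.com"]:
        print(host, classify(host) or "looks legitimate")
```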
Protect Yourself
Know your senders
Is this someone I do business with?
Is this something I was told I’d receive?
Look for other ways to respond
Protect Yourself
Stay on guard
Look for clues – improve your PhishingIQ
Don’t be afraid to ask
Know how your system is updated
Protect your system
Check your records
Check your sources, snopes.com
Not Just a Consumer Issue
Operations – Microsoft Updates, RSA SecurID
Corporate credit cards – American Express, Visa, MasterCard
Purchasing and Payments – eBay, PayPal
Network Services – Verizon, Earthlink
Web Services – DNS Name Registration, Hosting Companies
Protect Your Brand
Cut-and-paste links, minimize links
Use personal information where possible
Provide non-email ways to verify
Use standard company domain names
Identify your partners
Set and follow standard communication practices
Phishing - Don’t Take the Bait
Preemptive – Phishing is different from spam – think virus
Technology – It’s more than a consumer issue; multi-faceted solution – no silver bullet
Psychology – Educate your customers/employees/yourself; improve their PhishingIQ
Email is still good! Really it is!
JC Lamkin, CNA, PMP
Gypsy Lane Technologies
Philadelphia, PA 19144
(215) 843-1039
[email protected]
www.gltMYpc.com
Twitter.com/TechCrusader
Special thanks to infosecurity.com