Information Security Session October 24, 2005 - PowerPoint PPT Presentation

1
Information Security Session, October 24, 2005
  • Bill Eaheart
  • Network Security Coordinator
  • DePaul University

2
What is spam?
  • Email advertising for some product or service
  • Unsolicited Commercial Email (UCE)
  • Electronic version of junk mail
  • Not necessarily virus or malware

3
How do spammers get my email?
  • Harvesting WebPages
  • Harvesting Newsgroups
  • Guessing
  • Buying lists from other spammers or companies
  • From a mailing list
  • By people themselves
  • Other ways

4
Can you limit the amount of spam?
  • Don't give your email address out arbitrarily
  • Check privacy policies
  • Be aware of options selected by default.
  • Use filters
  • Don't follow links in spam messages
  • Disable the automatic downloading of graphics in
    HTML mail
  • Consider opening an additional email account.
  • Don't spam other people

5
What is Phishing?
  • Scam to steal valuable information: online fraud
  • Attacks use spoofed emails and fraudulent
    websites
  • Designed to fool users into divulging personal
    data: credit card numbers, user IDs, passwords
    and social security numbers.
  • Hijack trusted brands of well-known banks,
    retailers and credit card companies
  • Anti-Phishing Working Group: up to 5% success
    rate

6
Why is Phishing so popular?
  • Effective Social Engineering
  • Technique for manipulating people to disclose
    sensitive information
  • People trust information in emails or websites
  • Simple for people to disguise email addresses and
    location of websites

7
Gartner Study
  • STAMFORD, Conn., June 23, 2005 - Increasing
    reports of lost consumer data files and
    disclosures of unauthorized access to sensitive
    personal data are taking a toll on consumers'
    confidence in online commerce, according to
    Gartner Inc., the world's largest technology
    research and advisory firm. A Gartner survey of
    5,000 U.S. adults showed that phishing attacks
    grew at double-digit rates last year in the
    United States. In the twelve months ending in May
    2005, an estimated 73 million U.S. adults who use
    the Internet said they definitely, or think, they
    received an average of more than 50 phishing
    e-mails in the past year.
  • 2.4 million online consumers report losing money
    directly because of the phishing attacks. Of
    these, approximately 1.2 million consumers lost
    $929 million during the year preceding the
    survey. Survey participants indicated most of the
    money stolen was repaid by banks and credit
    cards.

8
How do I spot a Phishing scam?
  • Attempt to grab your attention
  • Suspicious email
  • Can be difficult to tell without research
  • Closely resembles the real website (same graphics)

9
Examples
10
Examples Bank of America Phish
  • Target: Bank of America customers
  • Spoofed Sender: Online Banking Notice
    <5thvtc@alert.bankofamerica.com>
  • Goal: Bank username/password and ATM card
    information
  • Visible Link: Sign in to Online Banking
  • www.bankofamerica.com: 171.159.193.173
  • Phish site IP address: 216.119.179.191
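
The mismatch on this slide (a bankofamerica.com sender, a reassuring link label, and a destination that is a bare IP address) can be checked mechanically. The following is an added example, not part of the original presentation: the function names are hypothetical, and the sample message is constructed from the slide's sender and IP address with an assumed HTML body and URL paths.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: sender and IP are from the slide; body and paths are assumed.
SAMPLE = """\
From: Online Banking Notice <5thvtc@alert.bankofamerica.com>
Content-Type: text/html; charset="us-ascii"

<a href="http://216.119.179.191/signin/">Sign in to Online Banking</a>
<a href="http://www.bankofamerica.com/privacy/">Privacy</a>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def suspicious_links(raw_message):
    """Return (text, href, reason) for links that leave the sender's domain."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    base = ".".join(sender.split(".")[-2:])  # crude registrable domain (assumption)
    parser = LinkCollector()
    parser.feed(msg.get_payload())  # single-part HTML body assumed
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if is_ip(host):
            findings.append((text, href, "raw IP address"))
        elif host != base and not host.endswith("." + base):
            findings.append((text, href, "host outside " + base))
    return findings
```

Running `suspicious_links(SAMPLE)` flags only the "Sign in to Online Banking" link; the privacy link on the real domain passes. A host that merely begins with the bank's name, such as a constructed `www.bankofamerica.com.example.net`, is flagged by the second check.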

11
Recommended Steps
  • Use Caution/Common Sense - Be suspicious of
    emails asking for sensitive information
  • Reputable organizations will not request
    information through email
  • Never respond to an email for personal
    information
  • Never follow the links in an email you suspect
    might be phishing
  • Use a browser to type in the site mentioned in
    the e-mail
  • Check to see if the site has an announcement
    about phishing attacks targeting it.
  • Check to see if the privacy policy of the website
    has a policy about collecting private data.
  • If you determine that a website is legitimate,
    make sure it encrypts your data by using SSL.

12
How do I report Phishing scams?
  • Federal Trade Commission
  • http://www.consumer.gov/idtheft
  • FBI's Internet Fraud Complaint Center
  • http://www.ifccfbi.gov/index.asp
  • Attacks targeting DePaul University
  • abuse@depaul.edu

13
Additional Information
  • If you think you are a victim of a phishing scam
  • http://www.antiphishing.org/consumer_recs2.html
  • Anti-Phishing Working Group
  • http://www.antiphishing.org/
  • Microsoft Video: Phishing and Identity Theft
  • http://www.microsoft.com/athome/security/email/phishing/video1.mspx

14
The End!
  • Thank you
  • Any questions?
  • weaheart@depaul.edu