Real World Social Engineering Examples: Phishing
From Learn to be a true Social Engineer
"In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication" [1]. This is of use to a social engineer, as it is a way of using a trusted pretext to obtain information, or a tool that can be used to obtain the final target information.[2]
Protection from phishing messages
Stereotypically, phishing messages have been associated with poor English and frequent misspellings. This is not the case in modern phishing, where messages are typically very realistic replicas. The best defense against phishing messages is not to follow links embedded in messages sent to you, and not to use log-in fields embedded within the messages themselves. Instead, manually type the trusted entity's address into your browser from what you know the address to be (not just copying it from the message), or use a previously saved bookmark.[3]
URL and Email Manipulation
One reason why phishing schemes work so well is that people tend to trust messages that appear to come from an important entity or look important. The attacker can easily manipulate a URL to look very close to the real one, fooling the victim into clicking it. For example, a URL like (http://www.company.com) looks almost identical to (http://www.cornpany.com) if the font is right and the reader only scans over it. By purchasing a domain that closely resembles the legitimate URL, the attacker sets up an email account and spoofs the website, requiring very little time and effort. This seemingly simple process fools many people into clicking the link and being compromised.
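The two defensive points above (do not follow embedded links, and watch for hosts that look like a trusted domain but are not) can be turned into an automated check on the links in a message. The following is an added example and not code from the original wiki page; the trusted domain list and the sample message are constructed for illustration. It folds visually confusable sequences such as the page's own "rn" for "m" before comparing the second-level label against the trusted list, and it also goes beyond the page's example by flagging a trusted name used as a subdomain of another domain (company.com.example.net). It assumes two-label registrable domains, so multi-label suffixes such as co.uk are not handled.

```python
"""Flag links whose host looks like, but is not, a trusted domain.

Added example, not part of the original wiki page. TRUSTED and
SAMPLE_MESSAGE below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Character sequences that read as another character in many fonts.
# "rn" -> "m" is the company.com / cornpany.com case from the page.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def fold_confusables(label: str) -> str:
    """Rewrite sequences that look like another letter (e.g. 'rn' -> 'm')."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host ('login.company.com' -> 'company.com').

    Assumption: two-label public suffixes such as co.uk are not handled.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_link(url: str, trusted: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's host."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    # A trusted name used as a subdomain of some other domain,
    # e.g. company.com.example.net, is a lookalike, not a trusted host.
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike"
    # Compare the second-level label after folding confusable sequences;
    # distance 0 also catches the same label under a different TLD.
    label = fold_confusables(domain.split(".")[0])
    for t in trusted:
        if edit_distance(label, fold_confusables(t.split(".")[0])) <= 1:
            return "lookalike"
    return "unknown"


def scan_message(body: str, trusted: set[str]) -> list[tuple[str, str]]:
    """Return (url, verdict) for every http(s) link found in a message body."""
    return [(u, classify_link(u, trusted)) for u in URL_RE.findall(body)]


# Constructed sample data for the demonstration.
TRUSTED = {"company.com", "paypal.com"}
SAMPLE_MESSAGE = """Dear customer, your account will be suspended.
Please verify at http://www.cornpany.com/verify within 24 hours.
Or use our secure portal: https://company.com.example.net/login
Regular updates: https://www.company.com/news"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE, TRUSTED):
        print(f"{verdict:10s} {url}")
```

Very short trusted labels (three or four characters) will produce false positives with a distance threshold of 1, so a production version would raise the threshold with label length or keep an allow list of known neighbours; the point here is that a "lookalike" verdict is a reason to type the known address yourself rather than follow the link.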
In just over 9 months the number of reported phishing attacks has more than doubled.
Spear Phishing
Due to the success of phishing attacks, malicious phishers have developed spear phishing. Instead of sending out thousands of e-mails at random hoping a few victims will bite, spear phishers target select groups of people who have something in common and are usually higher profile. The e-mails usually appear to come from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive.
Penetration Testers and Social Engineers
Phishing is a well-used attack vector for penetration testers. Using all of the methods mentioned above, but without malicious intent, penetration testers employ them to show a company how devastating these attacks can be. Many companies will spend thousands of dollars on IDS systems, firewalls and other protection devices to monitor the network, but one skilled phishing attack can lead to total devastation in a company without having to hack a single thing.
Examples
Banking
Education
- University of Texas at Dallas[8]
- University of Northern Iowa[9]
- MIT[10]
- Northwestern University[11]
- University of California[12]
Misc
Real World Phishing Attacks
- Phishing a SCADA System[16]
- World Cup 2010 Phishing[17]
- Gmail Account Phishing[18]
- Westfield Bank[19]
- Facebook Friend Phishing[20]
- LinkedIn[21]
- AOL Member Directory[22]
- Scam Baiting[23]
References
1. http://en.wikipedia.org/wiki/Phishing
2. http://www.webopedia.com/TERM/P/phishing.html
3. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-HowToAvoidBeingCaughtByScammers.html
4. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-Chase.html
5. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-Wachovia.html
6. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-PayPal.html
7. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-PayPal2.html
8. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-UnivOfTexas.html
9. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-UnivOfNorthornIowa.html
10. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-MIT.html
11. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-NothwesternU.html
12. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-UnivOfCali.html
13. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-eBay.html
14. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-eBay2.html
15. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-facebook.html
16. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-SCADA.html
17. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-WorldCup.html
18. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-Gmail.html
19. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-WestfieldBank.html
20. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-facebook2.html
21. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-LinkedIn.html
22. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-AOL.html
23. http://www.social-engineer.org/wiki/archives/Phishing/Phishing-ScamBaiting.html