Cscu module 10 social engineering and identity theft
- 1. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Social Engineering and Identity Theft
Module 10
Simplifying Security.
- 2. 05/16/2011 11:16:54 AM PDT
Oakland Police Shut Down Bay Area-Wide Identity Theft Operation
OAKLAND -- Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that manufactured phony checks, IDs and credit cards has been shut down.
Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an untold amount of monetary loss.
Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft "puts fear in everyone," including himself.
The operation, which Officer Holly Joshi called a "one-stop shop" for identity theft, was run out of a Hayward apartment in the 21000 block of Foothill Boulevard, where resident Mishel Caviness-Williams, 40, was arrested last week as she left the apartment. She had $4,000 in cash on her, police said.
http://www.mercurynews.com
- 3. Woman Sought in Theft
May 23, 2011
Suffolk police are seeking assistance locating a woman who allegedly took an elderly man’s debit card and used it on several occasions. Police have five felony warrants on file for Lavonda “Goosie” Moore, 37, for credit card theft, credit card fraud, criminally receiving money, third offense petit larceny and identity theft.
Police say Moore took a debit card from the victim on Hill Street on May 15 and used it on multiple occasions at an ATM and at retail stores. There also is a warrant on file for Moore for third offense petit larceny in an unrelated case.
Moore’s last known address is the 600 block of Brook Avenue. Anyone who has information on Moore’s location is asked to call Crime Line at 1-888-LOCK-U-UP. Callers to Crime Line never have to give their names or appear in court, and may be eligible for a reward of up to $1,000.
http://www.suffolknewsherald.com
- 6. Module Objectives
- 7. Module Flow
Identity Theft
Social Engineering
How to Find if You Are a Victim of Identity Theft
What to Do if Identity Is Stolen
Reporting Identity Theft
Protection from Identity Theft
- 8. What Is Identity Theft?
Identity theft is a crime in which the offender wrongfully obtains the intended victim's personal identifying information, such as date of birth, Social Security
Identity Theft Effects:
Criminal charges
Legal issues
Financial losses
It leads to denial of employment, health care facilities, mortgage, bank accounts and credit cards, etc.
- 9. Personal Information that Can be Stolen
Names
Address
Mother’s maiden name
Telephone numbers
Passport numbers
Birth certificates
Credit card/bank account numbers
Driving license numbers
Social security numbers
Date of birth
- 10. How Do Attackers Steal Identity?
Social Engineering: It is an act of manipulating people's trust to perform certain actions or divulge private information, without using technical cracking methods
Phishing: Fraudsters pretend to be a financial institution and send spam/pop-up messages to trick the user into revealing personal information
Hacking: Attackers may hack the computer systems to steal confidential personal information
Theft of Personal Stuff: Fraudsters may steal wallets and purses, mail including bank and credit card statements, pre-approved credit offers, and new checks or tax information
- 11. What do Attackers do with Stolen Identity?
Credit Card Fraud: They may open new credit card accounts in the name of the user and not pay the bills
Phone or Utilities Fraud: They may open a new phone or wireless account in the user’s name, or run up charges on his/her existing account; they may use the user’s name to get utility services such as electricity, heating, or cable TV
Other Fraud: They may get a job using the legitimate user’s Social Security number; they may give the legitimate user’s information to police during an arrest and, if they do not turn up for their court date, a warrant for arrest is issued in the legitimate user’s name
- 12. What do Attackers do with Stolen Identity?
Bank/Finance Fraud:
They may create counterfeit checks using the victim’s name or account number
They may open a bank account in the victim’s name and issue checks
They may clone an ATM or debit card and make electronic withdrawals in the victim’s name
They may take a loan in the victim’s name
Government Documents Fraud:
They may get a driving license or official ID card issued in the legitimate user’s name but with their photo
They may use the victim’s name and Social Security number to get government benefits
They may file a fraudulent tax return using the legitimate user’s information
- 13. Identity Theft Example
Same Name: TRENT CHARLES ARSENAUL
Original / Identity Theft
- 14. Module Flow (section divider; same list as slide 7)
- 15. Social Engineering
Social engineering is the art of convincing people to reveal confidential information
It is the trick used to gain sensitive information by exploiting basic human nature
Types of Social Engineering: human-based social engineering; computer-based social engineering
Social Engineers Attempt to Gather: sensitive information such as credit card details, social security number, etc.; passwords; other personal information
- 16. Social Engineering Example
"Hi, we are from CONSESCO Software. We are hiring new people for our software development team. We got your contact number from popular job portals. Please provide details of your job profile, current project information, social security number, and your residential address."
- 17. Criminal as Phone Banker
Criminal: "Hi, I am Mike calling from CITI Bank. Due to increasing threat perception, we are updating our systems with new security features. Can you provide me your personal details to verify that you are the real Stella?"
Stella: "Thanks Mike, here are my details. Do you need anything else?"
- 18. Authority Support Example
"Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a website crash."
- 19. Technical Support Example
A man calls a company’s help desk and says he has forgotten his password. He adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the attacker clear entrance into the corporate network.
- 20. Human-Based Social Engineering
Eavesdropping: Eavesdropping is unauthorized listening to conversations or reading of messages. It is the interception of any form of communication, such as audio, video, or written.
Shoulder surfing: Shoulder surfing is the procedure where attackers look over the user’s shoulder to gain critical information such as passwords, personal identification numbers, account numbers, credit card information, etc. The attacker may also watch the user from a distance using binoculars in order to get the pieces of information.
Dumpster diving: Dumpster diving includes searching for sensitive information in the target company’s trash bins, printer trash bins, user desks for sticky notes, etc. It involves collection of phone bills, contact information, financial information, operations-related information, etc.
- 21. Computer-Based Social Engineering
Spam Email: Irrelevant, unwanted, and unsolicited email sent to collect financial information, social security numbers, and network information
Instant Chat Messenger: Gathering personal information by chatting with a selected online user to get information such as birth dates and maiden names
Chain Letters: Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to the said number of persons
Hoax Letters: Hoax letters are emails that issue warnings to the user about new viruses, Trojans, or worms that may harm the user’s system
Pop-up Windows: Windows that suddenly pop up while surfing the Internet and ask for the user’s information to login or sign in
- 22. Computer-Based Social Engineering: Phishing
Phishing is an illegitimate email claiming to be from a legitimate site, attempting to acquire the user’s personal or account information
Phishing emails or pop-ups redirect users to fake webpages mimicking trustworthy sites that ask them to submit their personal information
Fake Bank Webpage (image)
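The fake pages described above are reached through links whose visible text and real target disagree. As an added example that is not part of the original slides, this Python check parses a constructed email body and flags anchors whose visible URL points at a different host than the href, whose host is a bare IP address, or which are not served over HTTPS; the email text and the example-bank.com / example-bank.co hosts are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing email body (not from the original slides):
# the visible link text claims to be the bank, but the href goes elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been locked.</p>
<p>Please visit <a href="http://secure-login.example-bank.co/verify">
https://www.example-bank.com/login</a> to restore access.</p>
<p><a href="http://192.0.2.10/update">Update your details</a></p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    # Lower-cased hostname of a URL, or '' if it has none.
    return (urlparse(url).hostname or "").lower()


def flag_suspicious_links(html):
    """Return (href, reason) pairs for anchors showing common phishing traits:
    visible text that is a URL on a different host than the real href,
    a bare IP address as the host, or a link that is not HTTPS."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if text.startswith(("http://", "https://")) and _host(text) != host:
            findings.append((href, "visible URL host %s differs from href host %s"
                             % (_host(text), host)))
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append((href, "href host is a bare IP address"))
        if urlparse(href).scheme == "http":
            findings.append((href, "link is not HTTPS"))
    return findings
```

Running `flag_suspicious_links(SAMPLE_EMAIL_HTML)` reports the two deceptive links and leaves the genuine HTTPS help link alone.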
- 23. Phony Security Alerts
Phony security alerts are emails or pop-up windows that seem to be from reputed hardware or software manufacturers like Microsoft, Dell, etc.
They warn/alert the user that the system is infected and provide an attachment or a link in order to patch the system
Scammers suggest that the user download and install those patches
The trap is that the file contains malicious programs that may infect the user’s system
- 24. Computer-Based Social Engineering through Social Networking Websites
Attackers use social networking websites to exploit users’ personal information
- 25. Module Flow (section divider; same list as slide 7)
- 26. How to Find if You are a Victim of Identity Theft?
Bill collection agencies contact you for overdue debts you never incurred
You receive bills, invoices, or receipts addressed to you for goods or services you haven’t asked for
You no longer receive your credit card or bank statements
You notice that some of your mail seems to be missing
Your request for a mortgage or any other loan is rejected citing your bad credit history despite you having a good credit record
- 27. How to Find if You are a Victim of Identity Theft?
You get something in the mail about an apartment you never rented, a house you never bought, or a job you never held
You lose important documents such as your passport or driving license
You identify irregularities in your credit card and bank statements
You are denied social benefits citing that you are already claiming
You receive a credit card statement with a new account
- 28. Module Flow (section divider; same list as slide 7)
- 29. What to Do if Identity Is Stolen?
Contact the credit reporting agencies:
http://www.experian.com
http://www.equifax.com
http://www.transunion.com
Request for a credit report
Immediately inform credit bureaus and establish fraud alerts
Review the credit reports and alert the credit agencies
Freeze the credit reports with credit reporting agencies
Contact all of your creditors and notify them of the fraudulent activity
Change all the passwords of online accounts
Close the accounts that you know or believe have been tampered with or opened fraudulently
- 30. What to Do if Identity Is Stolen?
File a report with the local police or the police in the community where the identity theft took place
File a complaint with identity theft and cybercrime reporting agencies such as the FTC
Take advice from police and reporting agencies about how to protect yourself from further identity compromise
Ask the credit card company about new account numbers
Tell the debt collectors that you are a victim of fraud and are not responsible for the unpaid bill
Ask the bank to report the fraud to a consumer reporting agency such as ChexSystems that compiles reports on checking accounts
- 31. Module Flow (section divider; same list as slide 7)
- 32. Federal Trade Commission
The Federal Trade Commission is the nation's consumer protection agency; it handles complaints about business practices and identity theft
http://www.ftc.gov
- 33. econsumer.gov
http://www.econsumer.gov
econsumer.gov is a portal for you as a consumer to report complaints about online and related transactions with foreign companies
- 34. Internet Crime Complaint Center
http://www.ic3.gov
The Internet Crime Complaint Center’s (IC3) mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA)
- 35. Prosecuting Identity Theft
Begin the process by contacting the bureaus, banks, or any other organizations who may be involved
File a formal complaint with the organization and with the police department
Obtain a copy of the police complaint to prove to the organizations that you have filed an identity theft complaint
File a complaint with the Federal Trade Commission and complete affidavits to prove your innocence on the claims of identity theft and fraudulent activity
Regularly update yourself regarding the investigation process to ensure that the case is being dealt with properly
Contact the District Attorney's office for further prosecuting the individuals who may be involved in the identity theft
- 36. Module Flow
Identity Theft
Social Engineering
How to Find if You Are a Victim of Identity Theft
What to Do if Identity Is Stolen
Reporting Identity Theft
IP Hiding Tools
- 37. Hiding IP Address Using Quick Hide IP Tool
http://www.quick-hide-ip.com
Quick Hide IP hides your Internet identity: you can surf the web hiding your real IP location
It redirects the Internet traffic through anonymous proxies
- 38. IP Address Hiding Tools
Hide IP
http://www.ultrareach.com
http://www.iphider.org
http://www.torproject.org
http://www.giantmatrix.com
http://www.anonymizer.com
- 39. Module Summary
Identity theft is the process of using someone else’s personal information for the personal gain of the offender
Criminals look through trash for bills or other paper with personal information on it
Criminals call the victim impersonating a government official or other legitimate business people and request personal information
Do not reply to unsolicited email that asks for personal information
Use strong passwords for all financial accounts
Review bank/credit card statements/credit reports regularly
- 40. Identity Theft Protection Checklist
Never give away social security information or private contact information on the phone – unless YOU initiated the phone call
Ensure that your name is not present in the marketers’ hit lists
Shred papers with personal information instead of throwing them away
Confirm who you are dealing with, i.e., a legitimate representative or a legitimate organization over the phone
Carry only necessary credit cards
Cancel cards seldom used
Review credit reports regularly
Keep your Social Security card, passport, license, and other valuable personal information hidden and locked up
- 41. Identity Theft Protection Checklist
Do not carry your Social Security card in your wallet
Do not reply to unsolicited email requests for personal information
Do not give personal information over the phone
Review bank/credit card statements regularly
Shred credit card offers and “convenience checks” that are not useful
Do not store any financial information on the system and use strong passwords for all financial accounts
Check the telephone and cell phone bills for calls you did not make
Read before you click, stop pre-approved credit offers, and read website privacy policies
- 42. Computer Based Identity Theft Protection Checklist
Keep the computer operating system and other applications up to date
Install antivirus software and scan the system regularly
Enable firewall protection
Check for website policies before you enter
Be careful while opening email attachments
Clear the browser history, logs, and recently opened files every time
Check for secured websites while transmitting sensitive information