SOCIAL ENGINEERING AND CYBER ATTACKS
The Psychology of Deception
White Paper
Kevin Mitnick, reformed computer hacker-turned security consultant and author,
popularized the term “social engineering,” maintaining that it was much easier to
deceive a user into giving up a password to get into a system than to hack into it.
Today, social engineering is at the core of increasingly aggressive – and successful –
schemes to manipulate online users into disclosing crucial information or installing
malware. Digital “cons” such as phishing emails are a primary tool of the social
engineer; they target – and exploit – humans as the weakest link in the security chain.
In this white paper, we explore the psychology of social engineering and why it works,
provide examples of the latest cyber attacks that rely on social engineering, and
examine how education and awareness are crucial as part of the first line of defense
in diminishing the impact of social engineering-based cyber attacks.
The Psychology of Social Engineering
Social engineering is not a new concept. Today’s online social engineer is nothing more
than a con man who uses digital methods – such as email – to swindle people out of
passwords or to trick them into clicking on a malicious link that downloads malware onto
their computers or networks.
Social engineering tactics tap into strong human emotions such as fear, curiosity, even
greed as motivators to bypass even the most iron-clad security measures and gain access
to systems to steal identities, funds, information, and corporate and government secrets.
And, while the deception itself involves no “technology” – the social engineer exploits
no software flaw to make the victim act – don’t be fooled: social engineering tactics are
sophisticated and rooted in the fundamentals of complex human psychology. Any malware the
victim is tricked into installing is only the payload; the manipulation is what delivers it.
In fact, we can draw on these fundamentals to gain a better understanding of how social
engineering works, beginning with the psychology of persuasion. Because persuasion is
such a pervasive component of our society, it is easy to overlook how external influences
affect our behavior. One only needs to consider how the constant barrage of persuasive
messaging in consumer marketing and television commercials, for example, fuels our
decisions on which products to purchase.
In social psychology, there are two alternative routes of persuasion that can be employed
when attempting to elicit a response from another: a central route to persuasion and a
peripheral route to persuasion.[1]

[1] The Social Engineering of Internet Fraud, Jonathan Rusch, US Department of Justice
–– A central route to persuasion involves being persuaded by an argument or the content
contained within a message. The recipient listens carefully and thinks about the
message itself.
–– A peripheral route to persuasion, in contrast, relies on superficial cues to persuade, for
instance, the apparent credibility of the source (a television commercial delivered by an
actor in a doctor’s lab coat), or a memorable tagline or phrase.[2]
Cybercriminals rely on peripheral routes in order to persuade a victim into providing the
response they seek. Social engineering tactics use the superficial cues to exploit trust,
pique human interest, and evoke a strong emotion such as fear, curiosity, or excitement
that hinders the victim’s ability to think logically, and elicits an immediate response.
Beyond persuasion, attitudes and beliefs play an equally important role in online social
engineering. Attitudes and beliefs reveal trends as to the psychological motivation
behind a victim’s responses – and ultimately drive the type of tactics a social engineer
uses for a particular audience. For instance, consumers have attitudes and beliefs that
are different from employees. Each is driven by different motivators.
The social engineer must assess his audience’s attitudes and beliefs accurately and
customize his tactics in order to maximize impact. Often, criminals do extensive research
on a victim or a business prior to an attack to gather the most relevant information that
will ensure a response. Today’s trends in social networking, job sites and other online
sources reveal an astonishing amount of personal and corporate information that a
criminal can piece together to create a profile – and a targeted ruse – for a successful
phishing campaign.
Perhaps one of the most prevalent – and damaging – beliefs of typical online users is
thinking that they have nothing worth stealing. This popular misconception is one that
the social engineer counts on.
Some studies[3] have shown that honesty is the characteristic associated most often with
providing an accurate message. Just as the superficial cue of an actor dressed in a
doctor’s lab coat in a television commercial, for example, sends a message of perceived
credibility, an email that’s addressed from a friend or legitimate business signals trust.
Reasonable efforts to scrutinize the message will be dismissed when the source of the
message is assumed to be trustworthy.
A standard social engineering practice is to make a message appear as though it
originated from a legitimate person or entity. By hijacking email accounts and sending
out phony messages to the victim’s contact list, criminals can make victims think that
these emails are from the actual email account owner. Friends and associates trust the
source, open the malicious links, and download malware to their computers.
Today, with the enormous popularity and growing use of social networking, social
engineers have extended this tactic to social networking sites. When users on a social
networking site receive a message from someone within their network with instructions to
view a file or video, those users are more likely to respond to the request since it appears
to have come from a trusted source.
[2] “Social Psychology,” Brehm, Kassin, and Fein, 2002
[3] “Source Attributions and Persuasion: Perceived Honesty as a Determinant of Message Scrutiny,” Joseph R. Priester and Richard E. Petty, Personality and Social Psychology Bulletin, Vol. 21, No. 6
Figure 1: Screenshot of Fake IRS Message Designed to Induce Fear
The Emotional Side of Online Social Engineering
Cybercriminals have begun to recognize the value of enterprise credentials and
proprietary information beyond identity theft. Today, as functionality and technology
move to new channels, so does fraud – and the types of online social engineering are
evolving to meet these new opportunities.
The use of social engineering to commit fraud is successful because it preys not on
technology, but on the inherent weaknesses of the human component. By manipulating
the human victim with messages that exploit his trust, pique his interests and desires,
and evoke a range of strong human emotions, social engineers increase the likelihood of
obtaining the response they seek – circumventing otherwise effective technology-based
security measures such as firewalls, encryption, anti-virus, spam filters, and strong
authentication.
In the following examples, we examine some of the most common attacks that rely on
social engineering tactics – and the very “human” responses they invoke:
Fear or anxiety
The earliest phishing attacks attempted to create fear or anxiety in their victims as a way
to get them to divulge their personal details. Perhaps the most common method – still
used today in many different forms – is to imply that there is something wrong with the
user’s bank, credit card, or retail account. The urgent message in this scam states either
that unusual activity has been detected in the account, or that a failure to confirm
account information will result in the account being closed. The resulting fear or anxiety
compels the victim to click the link contained within the email, which, of course, directs
the victim to a fraudulent site and requests that the victim input account information,
passwords, and other credentials in order to remediate the artificial “problem.” This
information is then used by the social engineer to access the victim’s account – and
funds – directly.
Designed to trigger anxiety in the hearts of its U.S. victims, a spam email entitled “Fraud
Application” attempted to trick victims into believing that the U.S. Internal Revenue Service
had sent them a notice about unreported income (see Figure 1). The victims who fell for this
scam unknowingly downloaded a Trojan executable onto their computer which was capable
of capturing anything the user typed, including credentials to online accounts.
A similar scam targeted citizens of the UK, and was sent to English residents as a
message from HMRC (see Figure 2).
These types of scams are not limited to consumers. A common attack targeting
employees within an organization purports to be from the U.S. Tax Court inquiring about a
notice of deficiency.[4] When the intended victims clicked on the link within the email, a
Trojan equipped with a key logger was downloaded to their computers, enabling the
criminals to see – and steal – anything the users typed, including corporate credentials
such as passwords to multiple, secured corporate systems.
Trust
Criminals are avid fans of social networking sites. They hijack user accounts to send
phishing invites to an account holder’s entire contact list, post poisoned links to a variety
of malicious sites, and send credible emails with malicious links – abusing the trust that
friends normally share. Some creative criminals have tailored messages to appear to
come from the social networking site itself, designed so that users will divulge their login
credentials or download a Trojan (see Figure 3).
[4] http://www.ustaxcourt.gov/
Figure 2: Screenshot of Fake HMRC Message Designed to Induce Fear
Figure 3: Screenshot of Fake Facebook Update Message Designed to Abuse Trust Relationship
Social networking lures pale next to a spear phishing email sent to a contact list inside a
military base. The message asked recipients to confirm their attendance at the General’s
retirement party. The consequence of clicking the link? An immediate Trojan download that
compromised the PC, the user’s data, and all future communications (see Figure 4).
Spear phishing scams affect the corporate environment as well. Would you have opened
and/or forwarded an email from human resources that contained employee salaries in a PDF
file (see Figure 5)? The PDF attachment, of course, was the clever cloak of a Trojan horse.
Human Interest
Human interest stories invoke an emotional reaction because they are stories people
can relate to. Often part of the evening news or magazine features, these stories present
people or situations that drive our curiosity or desire for additional information. Not
surprisingly, online social engineers use human interest stories to lure victims. One of
the more successful scams was a message about Michael Jackson’s death that claimed to
contain “secret” information for readers (see Figure 6). Notice that the link has an
executable extension – yet another direct link to a Trojan download.
Criminals also lure victims with interesting current-event stories featured on fraudulent
websites that mimic the look of well-known entities. In Figure 7, a social engineer has
replicated the CNN website which features a link to a video on Gaza City. Recipients of
the original phishing email that led to this site who clicked to watch the video would
have downloaded malware to their machines.
Figure 4: Screenshot of Spear Phishing Message Designed to Abuse Trust Relationship
Figure 5: Screenshot of Fake HR Message Designed to Abuse Trust Relationship at Work
Reward
Another popular scam among criminals is the tax reporting scam, which targets victims on
multiple levels and with multiple emotions. Tax reporting is a civic obligation; it is a
must-do and is in the victim’s “best interest.” The promise of a tax refund is a monetary
reward. And, of course, the message’s urgency evokes fear and anxiety. Tax reporting
scams continually spoof the taxpayer portals of many countries, targeting victims in the
U.S., UK, Australia, South Africa and elsewhere.
In an HMRC phishing scam, victims were lured into divulging their online banking
credentials under the false pretense of being eligible for a tax refund. Victims who enter
their details and click “Search” unknowingly send their credentials directly to the
criminal’s drop server. Even when made-up client details are entered, the phishing page
still displays the supposed refund amount of £431.10 (see Figure 8): the form validates
nothing and exists only to collect whatever is typed.
Figure 6: Screenshot of a Spam Message Designed to Lure Victims with Human Interest Story
Figure 7: Screenshot of Fake Video Download Designed to Lure Victims with a Current Event Story
Other spam messages linked with reward are designed to recruit money mules. In Figure
9, criminals looking to cash out money stolen from other victims’ bank or credit accounts
in specific geographies targeted people in that country with phony job offers, often titled
“Money transfer agent” or “Transfer Manager.”
Education and Awareness: The First Lines of Defense
Consumer awareness of cyber threats has grown considerably in recent years.
Despite increased awareness, users still continue to fall victim to cyber attacks. In 2010,
two out of ten consumers admitted to being the victim of a phishing attack.[5] This
persistence can be attributed to the advanced tactics and clever social engineering
schemes that criminals are using today. The number of phishing attacks is increasing as
well. In 2010, RSA witnessed a 27 percent increase in global phishing attacks from the
previous year.
Figure 8: Screenshot of Fake HMRC Site Designed to Lure Victims with Tax Refund
Figure 9: Screenshot of Spam Email Designed to Lure Victims with a Job Offer (Mule Recruitment)
[5] RSA 2011 Workplace Security Report
RSA, the RSA logo, EMC², EMC and where information lives are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA. SOCENG WP 0711
As criminals experience diminished returns from traditional phishing, however, they are
changing their tactics in order to get a response, and have moved to other media – such
as the phone in vishing attacks – as well as new channels, including SMS on mobile
devices in smishing attacks.
While a strong security posture certainly is critical in reducing the risks and costs of cyber
attacks, social engineering tactics are designed to bypass the technical aspects of a security
strategy and exploit the weakest link in an organization’s security – the human user.
Training users with examples of what to look for is a good way to help them identify
social engineering attacks. Training should cover the clues that mark a spam email – for
instance, poor spelling and grammar, typos, or threatening or other strongly emotional
messaging. Because targeted spear phishing messages such as the examples above are
crafted to look credible, training cannot rely on surface flaws alone; it should also teach
users to question any unexpected request for credentials or to open an attachment. Users
of all levels need to be trained. Executives, in particular, tend to be easy or “soft”
targets: often untrained and unaware of social engineering tactics, and more exposed to
sophisticated, targeted attacks because of the access they have to highly sensitive
corporate information and systems.
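The cues this paper points to – a sender that merely looks trustworthy, a link that ends in an executable, a visible link that names one site while pointing at another, urgency language – can also be checked mechanically before a message reaches a user. The scanner below is an added example written for this edition, not code from the paper or from RSA; the two sample messages, the sender allowlist and the phrase list are constructed for illustration and would be replaced with an organization’s own data.

```python
"""Phishing-cue scanner for a raw email message.

Added example, not code from the RSA paper. It checks cues the paper describes:
a display name that only looks legitimate, a Reply-To that diverts answers,
a link whose visible text names one host while the href goes to another, an
executable at the end of a URL, and urgency language. Samples are constructed."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: brand words a display name may carry, and the domain
# that legitimately sends as that brand. Replace with your own records.
KNOWN_SENDERS = {"tax court": "ustaxcourt.gov", "irs": "irs.gov"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "unusual activity",
                   "failure to confirm", "account being closed", "suspended")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)

# Constructed lure in the style of the "notice of deficiency" campaign.
SAMPLE_LURE = """\
From: "US Tax Court Notices" <notices@ustaxcourt-secure.example>
Reply-To: collections@mail-relay.example
To: jdoe@corp.example
Subject: URGENT: Notice of Deficiency - action required within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected on your account. Failure to confirm your
details will result in your account being closed.</p>
<p><a href="http://198.51.100.7/notice/Tax_Notice.pdf.exe">https://www.ustaxcourt.gov/notice</a></p>
</body></html>
"""
# Constructed benign message: none of the cues should fire on it.
SAMPLE_BENIGN = """\
From: Jane Roe <jane.roe@corp.example>
To: jdoe@corp.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Are you free Thursday at noon?
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercase hostname of a URL or bare domain string ('' if none)."""
    url = url.strip()
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def scan_message(raw):
    """Return a list of (indicator, detail) tuples; an empty list means no cue fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Sender cues: the display name is the peripheral cue most clients show;
    # the address domain and Reply-To are what the mail system actually uses.
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    sender_domain = sender.domain.lower() if sender else ""
    display = sender.display_name.lower() if sender else ""
    for brand, legit in KNOWN_SENDERS.items():
        claimed = re.search(r"\b" + re.escape(brand) + r"\b", display)
        if claimed and sender_domain != legit and not sender_domain.endswith("." + legit):
            findings.append(("display_name_spoof", f"claims {brand!r}, sends from {sender_domain}"))
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_to.addresses[0].domain}"))
    # Emotional lure: urgency or threat phrases in the subject and body text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))
    # Link cues: executable destinations, and visible text naming another host.
    collector = _LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(("executable_link", href))
        if _URL_LIKE.match(visible) and _host(visible) != _host(href):
            findings.append(("link_text_mismatch", f"shows {_host(visible)}, goes to {_host(href)}"))
    return findings
```

Run `scan_message(SAMPLE_LURE)` and every cue fires; `scan_message(SAMPLE_BENIGN)` returns an empty list. The brand check uses word boundaries rather than a plain substring test so that a name such as “Chris” does not trip the “irs” entry, and the visible-text comparison only runs when the anchor text itself looks like a URL, since “click here” names no host to compare.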
One of the most effective methods of reducing the impact of social engineering-based
cyber attacks is embedded training that tests people in real time with live examples of
phishing, and micro video games that let people have fun as they “practice” identifying
potential scams. In one case study that involved more than 500 employees of a large
company over a period of one month, embedded training reduced the number of employees
that fell for a social engineering attack by 50 percent.[6]
Regardless of the type of training, at a minimum, organizations need to establish best
practices for avoiding processes that are abused by social engineering scams – and
update these best practices as the social engineers adapt and evolve their tactics. In the
end, user education and awareness are crucial and part of the first lines of defense in
diminishing the impact of social engineering-based cyber attacks.
[6] Wombat Security Technologies

 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
E Mail Phishing Prevention and Detection
E Mail Phishing Prevention and DetectionE Mail Phishing Prevention and Detection
E Mail Phishing Prevention and Detection
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Social media privacy threats that you need to keep an eye on in 2021
Social media privacy threats that you need to keep an eye on in 2021Social media privacy threats that you need to keep an eye on in 2021
Social media privacy threats that you need to keep an eye on in 2021
 
Combating Phishing Attacks
Combating Phishing AttacksCombating Phishing Attacks
Combating Phishing Attacks
 
How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness
 
Email phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processingEmail phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processing
 
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
 
Cyber security.docx
Cyber security.docxCyber security.docx
Cyber security.docx
 
social engineering attacks.docx
social engineering attacks.docxsocial engineering attacks.docx
social engineering attacks.docx
 
Running Head CYBERSECURITY1CYBERSECURITY 15.docx
Running Head CYBERSECURITY1CYBERSECURITY 15.docxRunning Head CYBERSECURITY1CYBERSECURITY 15.docx
Running Head CYBERSECURITY1CYBERSECURITY 15.docx
 

Mehr von EMC

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING  TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING  TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDEMC
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote EMC
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOEMC
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremioEMC
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lakeEMC
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereEMC
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History EMC
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewEMC
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeEMC
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic EMC
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityEMC
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeEMC
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015EMC
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesEMC
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsEMC
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookEMC
 

Mehr von EMC (20)

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING  TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING  TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop Elsewhere
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical Review
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or Foe
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for Security
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure Age
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 

Kürzlich hochgeladen

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 

Kürzlich hochgeladen (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception

  • 1. SOCIAL ENGINEERING AND CYBER ATTACKS The Psychology of Deception White Paper Kevin Mitnick, reformed computer hacker-turned security consultant and author, popularized the term “social engineering,” maintaining that it was much easier to deceive a user into giving up a password to get into a system than to hack into it. Today, social engineering is at the core of increasingly aggressive – and successful – schemes to manipulate online users into disclosing crucial information or installing malware. Digital “cons” such as phishing emails, are a primary tool of the social engineer that target – and exploit – humans as the weakest link in the security chain. In this white paper, we explore the psychology of social engineering and why it works, provide examples of the latest cyber attacks that rely on social engineering, and examine how education and awareness are crucial as part of the first line of defense in diminishing the impact of social engineering-based cyber attacks. The Psychology of Social Engineering Social engineering is not a new concept. Today’s online social engineer is nothing more than a con man who uses digital methods – such as email – to swindle people out of passwords or to trick them into clicking on a malicious link that downloads malware onto their computers or networks. Social engineering tactics tap into strong human emotions such as fear, curiosity, even greed as motivators to bypass even the most iron-clad security measures and gain access to systems to steal identities, funds, information, and corporate and government secrets. And, while there is no “technology” at play – social engineering uses no software or “hacking” technology – don’t be fooled: social engineering tactics are sophisticated and rooted in the fundamentals of complex human psychology. In fact, we can draw on these fundamentals to gain a better understanding of how social engineering works, beginning with the psychology of persuasion. 
Because persuasion is such a pervasive component of our society, it is easy to overlook how external influences affect our behavior. One only needs to consider how the constant barrage of persuasive messaging in consumer marketing and television commercials, for example, fuels our decisions on which products to purchase. In social psychology, there are two alternative routes of persuasion that can be employed when attempting to elicit a response from another: a central route to persuasion and a peripheral route to persuasion [1].

1 The Social Engineering of Internet Fraud, Jonathan Rusch, US Department of Justice
–– A central route to persuasion involves being persuaded by an argument or by the content contained within a message. The recipient listens carefully and thinks about the message itself.
–– A peripheral route to persuasion, in contrast, relies on superficial cues to persuade, for instance the apparent credibility of the source (a television commercial delivered by an actor in a doctor's lab coat), or a memorable tagline or phrase [2].

Cybercriminals rely on peripheral routes to persuade a victim into providing the response they seek. Social engineering tactics use superficial cues to exploit trust, pique human interest, and evoke a strong emotion such as fear, curiosity, or excitement that hinders the victim's ability to think logically and elicits an immediate response.

Beyond persuasion, attitudes and beliefs play an equally important role in online social engineering. Attitudes and beliefs reveal trends in the psychological motivation behind a victim's responses, and ultimately drive the type of tactics a social engineer uses for a particular audience. For instance, consumers have attitudes and beliefs that differ from those of employees; each group is driven by different motivators. The social engineer must assess his audience's attitudes and beliefs accurately and customize his tactics in order to maximize impact. Often, criminals do extensive research on a victim or a business prior to an attack to gather the most relevant information that will ensure a response. Today's trends in social networking, job sites and other online sources reveal an astonishing amount of personal and corporate information that a criminal can piece together to create a profile, and a targeted ruse, for a successful phishing campaign.

Perhaps one of the most prevalent, and damaging, beliefs of typical online users is that they have nothing worth stealing. This popular misconception is one the social engineer counts on.
Some studies [3] have shown that honesty is the characteristic most often associated with delivering an accurate message. Just as the superficial cue of an actor dressed in a doctor's lab coat in a television commercial sends a message of perceived credibility, an email that appears to come from a friend or a legitimate business signals trust. Reasonable efforts to scrutinize the message are dismissed when its source is assumed to be trustworthy.

A standard social engineering practice is to make a message appear as though it originated from a legitimate person or entity. By hijacking email accounts and sending phony messages to the victim's contact list, criminals make recipients think that these emails come from the actual account owner. Friends and associates trust the source, open the malicious links, and download malware to their computers. Today, with the enormous popularity and growing use of social networking, social engineers have extended this tactic to social networking sites. When users of a social networking site receive a message from someone within their network with instructions to view a file or video, they are more likely to respond, since the request appears to have come from a trusted source.

2 "Social Psychology," Brehm, Kassin, and Fein, 2002
3 "Source Attributions and Persuasion: Perceived Honesty as a Determinant of Message Scrutiny," Joseph R. Priester and Richard E. Petty, Personality and Social Psychology Bulletin, Vol. 21, No. 6
Figure 1: Screenshot of Fake IRS Message Designed to Induce Fear

The Emotional Side of Online Social Engineering

Cybercriminals have begun to recognize the value of enterprise credentials and proprietary information beyond identity theft. Today, as functionality and technology move to new channels, so does fraud, and the types of online social engineering are evolving to meet these new opportunities. The use of social engineering to commit fraud succeeds because it preys not on technology but on the inherent weaknesses of the human component. By manipulating the victim with messages that exploit his trust, pique his interests and desires, and evoke a range of strong emotions, social engineers increase the likelihood of obtaining the response they seek, circumventing otherwise effective technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication. In the following examples, we examine some of the most common attacks that rely on social engineering tactics, and the very "human" responses they provoke.

Fear or anxiety

The earliest phishing attacks attempted to create fear or anxiety in their victims as a way to get them to divulge their personal details. Perhaps the most common method, still used today in many different forms, is to imply that there is something wrong with the user's bank, credit card, or retail account. The urgent message states either that unusual activity has been detected in the account, or that failure to confirm account information will result in the account being closed.
The resulting fear or anxiety compels the victim to click the link contained in the email, which, of course, directs the victim to a fraudulent site that requests account information, passwords, and other credentials in order to remediate the artificial "problem." The social engineer then uses this information to access the victim's account, and funds, directly.

Designed to trigger anxiety in its U.S. victims, a spam email entitled "Fraud Application" attempted to trick recipients into believing that the U.S. Internal Revenue Service had sent them a notice about unreported income (see Figure 1). Victims who fell for this scam unknowingly downloaded a Trojan executable onto their computer that captured anything the user typed, including credentials to online accounts.
A similar scam targeted UK residents with a message purporting to come from HMRC (see Figure 2).

These scams are not limited to consumers. A common attack targeting employees within an organization purports to come from the U.S. Tax Court [4], inquiring about a notice of deficiency. When the intended victims clicked the link in the email, a Trojan equipped with a key logger was downloaded to their computers, enabling the criminals to see, and steal, anything the users typed, including corporate credentials such as passwords to multiple secured corporate systems.

Trust

Criminals are avid fans of social networking sites. They hijack user accounts to send phishing invites to an account holder's entire contact list, post poisoned links to a variety of malicious sites, and send credible emails with malicious links, abusing the trust that friends normally share. Some creative criminals have tailored messages to appear to come from the social networking site itself, designed so that users will divulge their login credentials or download a Trojan (see Figure 3).

4 http://www.ustaxcourt.gov/

Figure 2: Screenshot of Fake HMRC Message Designed to Induce Fear
Figure 3: Screenshot of Fake Facebook Update Message Designed to Abuse Trust Relationship
Social networking sites are the least of one's worries when you consider a spear phishing email sent to a contact list inside a military base. The message asked readers to confirm their attendance at the General's retirement party. The consequence of clicking the link? An immediate Trojan download that compromised the PC, the user's data, and all future communications (see Figure 4).

Spear phishing scams affect the corporate environment as well. Would you have opened and/or forwarded an email from human resources that contained employee salaries in a PDF file (see Figure 5)? The PDF attachment, of course, was the clever cloak of a Trojan horse.

Human Interest

Human interest stories evoke an emotional reaction because they are stories people can relate to. Often part of the evening news or magazine features, these stories present people or situations that drive our curiosity or desire for more information. Not surprisingly, online social engineers use human interest stories to lure victims. One of the more successful scams was the (fake) story of Michael Jackson's death that allegedly contained "secret" information for readers (see Figure 6). Notice that the link has an executable extension: yet another direct link to a Trojan download. Criminals also lure victims with interesting current-event stories featured on fraudulent websites that mimic the look of well-known entities. In Figure 7, a social engineer has replicated the CNN website, featuring a link to a video on Gaza City. Recipients of the original phishing email that led to this site who clicked to watch the video would have downloaded malware to their machines.

Figure 4: Screenshot of Spear Phishing Message Designed to Abuse Trust Relationship
Figure 5: Screenshot of Fake HR Message Designed to Abuse Trust Relationship at Work
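The cues described above (a sender that merely appears to be a friend or a legitimate business, an urgent "confirm your account" link that leads to a fraudulent site, and a lure link ending in an executable extension) can be checked mechanically before a recipient has to rely on judgement. The following Python script is an added example written for this page; it is not code from the white paper or from RSA. It parses two messages constructed here for illustration (every address, domain and link target in them is an assumption) and reports the cues it finds: a display name that claims a known organisation while the address sits on an unrelated domain, a Reply-To that diverges from From, urgency wording, links whose visible text disagrees with their href, and links that end in an executable extension. The KNOWN_SENDERS table, the urgency word list and the registrable-domain helper are simplifications assumed for the example.

```python
"""Heuristic triage of a raw e-mail for the social-engineering cues this white
paper describes.  Added example: every message, address and domain below is
constructed for illustration."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Organisations the recipient deals with: name keyword -> domains allowed to send
# as them.  Assumed table; a real deployment would load its own contact/brand list.
KNOWN_SENDERS = {"irs": {"irs.gov"}, "hmrc": {"hmrc.gov.uk", "gov.uk"},
                 "facebook": {"facebook.com", "facebookmail.com"}}
# Wording the paper associates with fear/urgency lures (assumed list).
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|unusual activity|"
                     r"will be closed|notice of deficiency)\b", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1: last two labels, or three under co/gov/org/ac.XX (assumption)."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "gov", "org", "ac"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def first_mailbox(msg, field):
    """(display name, domain) of the first address in a header, or ('', '')."""
    hdr = msg.get(field)
    if hdr is None or not getattr(hdr, "addresses", ()):
        return "", ""
    return hdr.addresses[0].display_name, hdr.addresses[0].domain.lower()


def triage(raw):
    """Return the list of social-engineering cues found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, from_domain = first_mailbox(msg, "From")
    # Display name invokes a known organisation, but the address is not theirs.
    for keyword, good in KNOWN_SENDERS.items():
        if re.search(rf"\b{keyword}\b", name, re.I) and registrable(from_domain) not in good:
            findings.append(f"display name claims '{keyword}' but address domain is {from_domain}")
    # Replies silently rerouted to a different domain.
    _, reply_domain = first_mailbox(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("urgency language in subject or body")
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for href, shown in parser.links:
            target = urlparse(href)
            if target.path.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"link to executable: {href}")
            if LOOKS_LIKE_URL.match(shown):  # visible text looks like a URL: does it agree?
                shown_host = urlparse(shown if shown.lower().startswith("http")
                                      else "http://" + shown).hostname or ""
                if registrable(shown_host) != registrable(target.hostname or ""):
                    findings.append(f"link text shows {shown_host} but href goes to {target.hostname}")
    return findings


# Constructed sample modelled on the fake IRS "unreported income" lure (assumed domains).
SAMPLE_IRS = """\
From: "IRS Tax Notification Center" <notices@irs-refund-notice.example.net>
Reply-To: claims@mail.example.org
Subject: Fraud Application - notice of unreported income
Content-Type: text/html

<p>Our records show unreported income. Respond within 24 hours or your account will be suspended.</p>
<p><a href="http://irs-refund-notice.example.net/notice.exe">www.irs.gov/notice</a></p>
"""
# Constructed sample of an ordinary message that should raise nothing.
SAMPLE_LEGIT = """\
From: "Alice Example" <alice@example.com>
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free Thursday? The menu is at https://example.com/menu
"""
```

Running `triage(SAMPLE_IRS)` returns five findings (spoofed display name, divergent Reply-To, urgency wording, executable link, mismatched link text), while `triage(SAMPLE_LEGIT)` returns an empty list. These are content heuristics only: the script does not consult SPF, DKIM or DMARC results, which remain the authoritative check on whether the From domain was actually authorised to send the message.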
Reward

Another popular scam among criminals is the tax reporting scam, which targets victims on multiple levels and with multiple emotions. Tax reporting is a civic obligation; it is a must-do and is in the victim’s “best interest.” The promise of a tax refund is a monetary reward. And, of course, the message’s urgency evokes fear and anxiety. Tax reporting scams continuously phish taxpayer portals in almost every G8 country, targeting victims in countries including the U.S., UK, Australia, and South Africa.

In an HMRC phishing scam, victims were lured into divulging their online banking credentials under the false pretense of being eligible for a tax refund. Victims who enter their details and click “Search” unknowingly send their credentials directly to the criminal’s drop server. Even though fake client details have been entered, the phishing page still indicates the supposed refund amount of $431.10GBP (see Figure 8).

Figure 6: Screenshot of a Spam Message Designed to Lure Victims with Human Interest Story
Figure 7: Screenshot of Fake Video Download Designed to Lure Victims with a Current Event Story
Other spam messages linked with reward are designed to recruit money mules. In Figure 9, criminals looking to cash out money stolen from other victims’ bank or credit accounts in specific geographies targeted people in those countries with phony job offers, often titled “Money transfer agent” or “Transfer Manager.”

Education and Awareness: The First Lines of Defense

Consumer awareness of cyber threats has grown considerably in recent years. Despite increased awareness, users still continue to fall victim to cyber attacks. In 2010, two out of ten consumers admitted to being the victim of a phishing attack.[5] This increase can be attributed to the advanced tactics and clever social engineering schemes that criminals are using today. The number of phishing attacks is increasing as well. In 2010, RSA witnessed a 27 percent increase in global phishing attacks from the previous year.

Figure 8: Screenshot of Fake HMRC Site Designed to Lure Victims with Tax Refund
Figure 9: Screenshot of Spam Email Designed to Lure Victims with a Job Offer (Mule Recruitment)

[5] RSA 2011 Workplace Security Report
As criminals experience diminished returns from traditional phishing, however, they are changing their tactics in order to get a response, and have turned to different media – such as the phone rather than the Web in vishing attacks – as well as new channels, including mobile devices in smishing attacks.

While a strong security posture certainly is critical in reducing the risks and costs of cyber attacks, social engineering tactics are designed to bypass the technical aspects of a security strategy and exploit the weakest link in an organization’s security – the human user. Training users with examples of what to look for in a social engineering scam is a good way to help them identify social engineering attacks. Training should include clues that warn of a spam email – for instance, poor spelling and grammar, typos, or threatening or other strong emotion-invoking messaging. Users of all levels need to be trained. Executives, in particular, tend to be easy or “soft” targets: often untrained and unaware of social engineering tactics, and more vulnerable to sophisticated, targeted attacks because of the access they have to highly sensitive corporate information and systems.

One of the most effective methods of reducing the impact of social engineering-based cyber attacks is embedded training that actually “tests” people in real time with live examples of phishing – and micro video games that give people the opportunity to have fun as they “practice” identifying potential scams. In one case study that involved more than 500 employees of a large company over a period of one month, embedded training reduced the number of employees who fell for a social engineering attack by 50 percent.[6]

Regardless of the type of training, at a minimum, organizations need to establish best practices for avoiding processes that are abused by social engineering scams – and update these best practices as the social engineers adapt and evolve their tactics. In the end, user education and awareness are crucial and part of the first lines of defense in diminishing the impact of social engineering-based cyber attacks.

[6] Wombat Security Technologies

About RSA

RSA is the premier provider of security, risk and compliance solutions, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry leading eGRC capabilities and consulting services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated. www.rsa.com

RSA, the RSA logo, EMC2, EMC and where information lives are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA. SOCENG WP 0711
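The clues the white paper lists for user training (urgent or threatening wording, links that point straight at an executable, a trusted sender whose message does not add up) can also be turned into a simple triage check that a help desk or awareness team runs over a reported message before deciding whether to use it as a training example. The following is an added illustration, not code from the white paper or from RSA: the keyword list, the indicator weights, the sender-domain check and the two sample messages are all constructed assumptions for this example, chosen to mirror the tax-notice and HR lures described above.

```python
"""Heuristic phishing-indicator triage over constructed sample messages.

Added example: mirrors the clues the white paper recommends teaching users
(urgency wording, executable links, abused sender trust). Keyword list,
weights and sample messages are assumptions made for this example.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed indicator vocabulary; a real deployment would tune these.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs")
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "urgent",
                 "deficiency", "refund", "verify your account")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMAIL_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text of every text/* part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _domain_of(addr: str) -> str:
    m = EMAIL_DOMAIN_RE.search(addr or "")
    return m.group(1).lower() if m else ""


def find_indicators(raw_message: str) -> list:
    """Return (indicator, detail) tuples found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    body = _body_text(msg)
    found = []

    # 1. Links whose target path ends in an executable extension
    #    (the "executable extension" clue from the Michael Jackson lure).
    for url in sorted(set(URL_RE.findall(body))):
        if urlparse(url).path.lower().endswith(EXEC_EXTENSIONS):
            found.append(("executable_link", url))

    # 2. HTML anchors whose visible URL names a different host than the href.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and _host(shown.group(0)) != _host(href):
            found.append(("display_href_mismatch", f"{shown.group(0)} -> {href}"))

    # 3. Urgency / fear wording in the subject or body.
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    for term in URGENCY_TERMS:
        if term in haystack:
            found.append(("urgency_wording", term))

    # 4. Reply-To domain differs from From domain: replies go elsewhere.
    from_dom = _domain_of(msg.get("From", ""))
    reply_dom = _domain_of(msg.get("Reply-To", ""))
    if reply_dom and from_dom and reply_dom != from_dom:
        found.append(("reply_to_mismatch", f"{from_dom} vs {reply_dom}"))
    return found


def score(raw_message: str) -> int:
    """Weighted sum of indicators; higher means more suspicious (assumed weights)."""
    weights = {"executable_link": 5, "display_href_mismatch": 4,
               "urgency_wording": 1, "reply_to_mismatch": 3}
    return sum(weights[name] for name, _ in find_indicators(raw_message))


# Constructed sample messages (reserved .example domains and a documentation IP).
SAMPLE_PHISH = """\
From: "Tax Office" <notice@tax-office-alerts.example>
Reply-To: collections@mailbox.example
To: employee@corp.example
Subject: Notice of Deficiency - respond immediately
Content-Type: text/html; charset=utf-8

<p>A notice of deficiency has been issued. Your account will be suspended
within 24 hours unless you review it.</p>
<p><a href="http://198.51.100.7/files/notice.exe">http://www.taxoffice.example/notice</a></p>
"""

SAMPLE_LEGIT = """\
From: "HR Team" <hr@corp.example>
To: employee@corp.example
Subject: Reminder: benefits enrollment window opens next week
Content-Type: text/plain; charset=utf-8

Open enrollment starts Monday. Details are on the intranet page
https://intranet.corp.example/benefits as usual.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score(raw), find_indicators(raw))
```

The score is only a triage aid for the people running an awareness program: a message that trips the executable-link or display/href checks is a good candidate for the kind of live training example the paper describes, while a zero score says nothing about a well-crafted spear phish, which is exactly why the paper puts user education alongside technical controls rather than in place of them.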