Title: Freud and Phishing: The Psychology Behind Internet Scams
1. Freud and Phishing: The Psychology Behind Internet Scams
- JC Lamkin, CNA, PMP
- Gypsy Lane Technologies
- Philadelphia, PA 19144
- (215) 843-1039
- Jc.lamkin_at_gltMYpc.com
- http://www.gltMYpc.com
- Twitter.com/TechCrusader
2. What is Phishing?
3. Making Money with Phish
- 2,000,000 emails are sent
- 5% get to the end user: 100,000 (APWG)
- 5% click on the phishing link: 5,000 (APWG)
- 2% enter data into the phishing site: 100 (Gartner)
- $1,200 from each person who enters data (FTC)
- Our potential reward: $120,000
4. How Much Information?
- 4.1 million: the number of credit card numbers discovered in ONE phishing blind drop over a 4-month period
- A typical day:
  - Information for 13,677 accounts
  - 3,356 credit cards
  - 255 PayPal account logins
  - 1,038 eBay account logins
  - 93 Bank of America online banking account logins
  - 2,609 Hotmail email account logins
Source: Washingtonpost.com (Security Fix, Brian Krebs)
5. Phish and Spam are Different
6. Psychology: Phish ≠ Spam
- People treat spam and phish differently
- Take a phishing email and place it in an end user's spam folder:
  - 10% of the time the user removes the phishing email from the spam folder and places it in their inbox.
- Take a phishing email and place it in an end user's phish folder:
  - The user removes the phishing email from the phish folder less than 0.5% of the time.
7. The Tricks of the Trade
8. Fear: You're Being Naughty
payments or donations for obscene or certain sexually oriented goods or services.
your account limited for xxxcambabes.com cam shows.
9. Fear: Account Takeover
someone had used your account to make fake bids
You must verify
no choice but to suspend your account.
10. Fear: Service Deactivation 1
service(s) will be deactivated
11. Fear: Service Deactivation 2
service(s) will be deactivated
12. Fear: Service Deactivation 3
service(s) will be deactivated
13. Fun: eBay Lottery
14. Fun: eBay Conference
15. Fun: eBay Anniversary
LEGIT
16. Fun: Take a Survey
17. Fun: Take a Survey
LEGIT
18. Confusion: Account Change
19. Confusion: Did I Buy This?
20. Assistance: My Refund?
21. Assistance: We're Here to Help
22. Assistance: Fraud Detection
23. Assistance: Buy Safely
LEGIT
24. Poll-time Possibilities
LEGIT?? ...Only for Poll Workers
25. Compassion: No Scruples
26. Other Email Tricks
- Multi-Stage Attacks
  - Email 1: "We'll be updating all our accounts this weekend"
  - Email 2: "We discovered a problem with your account"
- Multi-channel Attacks
  - Email contains both
    - Phishing URL
    - Phishing phone number (typically VOIP based)
27. The Domain Name Game
- citibank-validate.info
- earthlink-reactivation.net
- services-bankofamerica.com
- sales-aol.net
- secure-ebay.com
- msn-reactivation.net
- secure-usbank.info
- service-visa.net
- verification-e-gold.com
- customer-verification.com
- banking-account-renewal.com
Hall of Fame
- Phisher's SSL Certificate
  - citibanhk.de
- Duplicated Registrar Info
  - credltlyonaisse.com
- Registering a Cyrillic "a"
  - paypal.com
28. Web Site Tricks
We arrive at the website. Is something phishy?
29. Web Site Tricks
There is no address bar!
30. Web Site Tricks
Now there's two!
31. More Web Site Tricks
- Search Engine Listings
- Common URL misspellings
  - www.mailfrontier.com
  - www.mailfronteir.com
  - www.malefrontier.com
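As an added example (not from the original presentation), the following Python flags the three domain tricks the slides show: a brand name embedded behind extra hyphenated words (citibank-validate.info, secure-ebay.com), close misspellings such as citibanhk.de and mailfronteir.com, and confusable non-ASCII letters such as the registered Cyrillic "a" standing in for a Latin "a". The brand watch list, the confusable table and the sample domains are constructed for the example; the Levenshtein check and its thresholds are choices made here, not something the slides prescribe.

```python
# Added example (not part of the original presentation): defender-side checks
# for look-alike domains. A candidate is flagged when it embeds a watched brand
# with extra hyphenated words, is a close misspelling of a brand, or uses
# confusable non-ASCII letters in place of Latin ones. The brand list and the
# confusable table below are constructed for this example and deliberately small.
from typing import Dict, List, Tuple

# Constructed watch list: registrable names of brands we care about, no TLD.
BRANDS: List[str] = ["citibank", "ebay", "paypal", "bankofamerica", "mailfrontier", "usbank"]

# A few Cyrillic and Greek letters that render like Latin ones (constructed, not exhaustive).
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0443": "y",  # Cyrillic small u
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03bf": "o",  # Greek small omicron
}


def registrable_label(domain: str) -> str:
    """Return the label just left of the TLD (naive: second-to-last label).

    Punycode names (xn--...) are decoded first so they are examined as the
    Unicode the browser would display.
    """
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: examine it as given
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(label: str) -> Tuple[str, bool]:
    """Replace confusable letters by their Latin look-alikes.

    Returns the folded label and whether any confusable letter was present.
    """
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    return folded, folded != label


def classify(domain: str, brands: List[str] = BRANDS) -> List[str]:
    """Return the look-alike indicators found for `domain`; empty means none."""
    label = registrable_label(domain)
    folded, confusable = fold_confusables(label)
    findings: List[str] = []
    if confusable:
        findings.append("homograph")
    elif not label.isascii():
        findings.append("non-ascii")  # script we do not fold: worth a human look
    for brand in brands:
        # A short brand tolerates one typo, a longer one two; this keeps a word
        # like "obey" from being reported as a typosquat of "ebay".
        max_distance = 1 if len(brand) <= 5 else 2
        if folded == brand:
            if confusable:
                findings.append(f"impersonates:{brand}")
            continue  # the brand itself, spelled with plain Latin letters
        parts = folded.split("-")
        if len(parts) > 1 and brand in parts:
            findings.append(f"brand-hyphen:{brand}")
            continue
        if edit_distance(folded, brand) <= max_distance:
            findings.append(f"typosquat:{brand}")
    return findings


def scan(domains: List[str]) -> Dict[str, List[str]]:
    """Classify many domains; only the suspicious ones appear in the result."""
    result: Dict[str, List[str]] = {}
    for domain in domains:
        findings = classify(domain)
        if findings:
            result[domain] = findings
    return result


if __name__ == "__main__":
    # Constructed sample feed: names from the slides, one legitimate domain and
    # the Cyrillic-"a" PayPal look-alike in its punycode (xn--) form.
    homograph = "p\u0430ypal.com".encode("idna").decode("ascii")
    sample = ["paypal.com", "secure-ebay.com", "citibanhk.de",
              "mailfronteir.com", "malefrontier.com", homograph]
    for domain, findings in scan(sample).items():
        print(f"{domain:24} {', '.join(findings)}")
```

The legitimate paypal.com and www.mailfrontier.com produce no finding, while each of the slide's examples lands in exactly one category. Two shortcuts are worth knowing before reusing this: the "second-to-last label" rule stands in for a real public-suffix list (it misreads names like example.co.uk), and the confusable table is a tiny stand-in for the Unicode confusables data, so a production check should draw on both.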
32. Tips on Protecting Yourself from Phishing
33. Protect Yourself
- Know your senders
  - Is this someone I do business with?
  - Is this something I was told I'd receive?
- Look for other ways to respond
34. Protect Yourself
- Stay on guard
- Look for clues: improve your PhishingIQ
- Don't be afraid to ask
- Know how your system is updated
- Protect your system
- Check your records
- Check your sources: snopes.com
35. Not Just a Consumer Issue
- Operations
  - Microsoft Updates, RSA SecurID
- Corporate credit cards
  - American Express, Visa, MasterCard
- Purchasing and Payments
  - eBay, PayPal
- Network Services
  - Verizon, Earthlink
- Web Services
  - DNS Name Registration, Hosting Companies
36. Protect Your Brand
- Cut-and-Paste links, minimize links
- Use personal information where possible
- Provide non-email ways to verify
- Use standard company domain names
- Identify your partners
- Set and follow standard communication practices
37. Phishing - Don't Take the Bait
- Preemptive
  - Phishing is different than spam: think Virus
- Technology
  - It's more than a consumer issue
  - Multi-faceted solution: no silver bullet
- Psychology
  - Educate your customers/employees/yourself
  - Improve their PhishingIQ
- Email is still Good! Really it is!
38. Freud and Phishing: The Psychology Behind Internet Scams
- JC Lamkin, CNA, PMP
- Gypsy Lane Technologies
- Special thanks to infosecurity.com