Ed Moore
Lecture Outline
Faculty of Arts | Department of Security Studies and Criminology
What is phishing?
Types of phishing
Common Techniques
Spear phishing
What is phishing
What is Phishing?
Phishing is a cyber attack where an attacker tries to trick a user into providing details or access using a fake form of communication.
The term phishing (pronounced “fishing”) comes from the analogy of an angler throwing a baited hook out there (the phishing email) and hoping you bite.
Phishing almost always includes a degree of fraud
Often comes in the form of emails or websites
May appear to come from legitimate companies or trusted individuals
Often takes advantage of natural disasters, epidemics, political or other events
What is Phishing?
Phishing can be broken down into two general categories:
Hand-over information
This is where an attacker will try to trick the user into handing over information to the attacker. This often includes things like usernames, passwords and credit card information.
Typically the information is then used to access more detailed and important information.
Malware download
This is where an attacker will try to get a user to click on a link to download malware to their system. This then gives the attacker access to the system and thus to the information stored on it.
These are often in the form of keyloggers, which send the keystrokes (including passwords) to the attacker.
Forms of phishing
Vishing – Voice phishing is when an attacker contacts the victim over the phone to try to elicit information
Smishing – SMS phishing, contact via SMS or DM
It is common to see these messages with fake unsubscribe links
Clone Phishing – A cloned copy of a legitimate email or website with malicious links or attachments in place of the legitimate ones
Whaling – When an attacker goes after a high-profile target
Forms of phishing
Email Spoofing
When setting up your email account in a mail program, you can set your name; this is what is shown as the sender when you send mail
This field (i.e. the sender name) cannot be trusted
The field can also be set programmatically when a program sends mail
Attackers often try to impersonate known individuals or companies
Forms of phishing
Mass Targeting
Attackers send phishing emails to groups of people based on common interests
This is often targeting customers of a business
Accuracy is less important
Quantity over quality
Sending phishing emails is very cheap, so a low success rate is still acceptable
Typically a spam email costs less than 0.00001c
Response rates are estimated to be around XXXXXXXXXX%
Researchers estimate that spammers can make $7,000/day or $2,000,000/year
Forms of phishing
URL Phishing
There are various techniques used within URL phishing that are worth mentioning
Hidden Links
When an email prompts you to “click here”, “Download now” or “subscribe”
URL Shorteners
A URL shortener is a service that allows you to take a long, unmemorable, messy URL and shorten it to something easier to manage
These are also frequently used in phishing emails, as you can never tell where they end up
Misspelt URLs
Intentionally using misspelt URLs in the hope that victims won’t notice instead of
Have you tried
Use of alternative domains
Forms of phishing
URL Phishing
There are various techniques used within URL phishing that are worth mentioning
Homographic Attacks
The use of intentionally misleading characters to make it look like it’s a legitimate domain vs
Forms of phishing
Subdomain phishing
Exploits users who don’t fully understand the difference between a domain name and a subdomain
Companies own domain for example
Attacker could buy another domain like
Then creates a subdomain for it
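As an added example (not part of the original lecture material), this Python function classifies a URL against a protected brand domain using the three tricks covered above: misspellings, homographic (confusable-character) substitutions such as uppercase ‘I’ for lowercase ‘l’ or Cyrillic letters, and the brand placed in a subdomain of an attacker-registered domain. The brand domain, suffix list and sample URLs are constructed; a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Hypothetical brand domain to protect (constructed for this example).
PROTECTED = {"globalbank.example"}

# Two-label public suffixes (tiny constructed list standing in for the PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Visually confusable characters folded onto the ASCII letter they imitate.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "0": "o", "5": "s", "8": "b",   # Latin/digit lookalikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o",       # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",       # Cyrillic р с у
})

def hostname(url: str) -> str:
    """Host part of a URL with case preserved, so an uppercase 'I' stays visible."""
    netloc = urlsplit(url).netloc
    return netloc.rpartition("@")[2].split(":")[0]

def registrable_domain(host: str) -> str:
    """The part of the host the owner actually registered (case preserved)."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]).lower() in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def skeleton(domain: str) -> str:
    """Fold confusables, then collapse the 'rn'->'m' and 'vv'->'w' digraphs."""
    return domain.translate(CONFUSABLES).lower().replace("rn", "m").replace("vv", "w")

def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'subdomain-trick' or 'unrelated'."""
    host = hostname(url)
    reg = registrable_domain(host)
    if reg.lower() in PROTECTED:
        return "legitimate"        # the brand is the registrable domain itself
    if skeleton(reg) in {skeleton(p) for p in PROTECTED}:
        return "lookalike"         # misspelling or homograph of the brand
    # Brand appears as a whole label sequence left of the real registrable domain.
    dotted = "." + host.lower() + "."
    if any("." + p + "." in dotted for p in PROTECTED):
        return "subdomain-trick"
    return "unrelated"
```

Note that `urlsplit().hostname` would lower-case the host, which is why the host is taken from `netloc` directly: lower-casing first would turn the ‘I’ into ‘i’ and hide the substitution the check is looking for.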
Forms of phishing
Website Spoofing
Website spoofing is a common technique where an attacker will clone a website and redirect the login details entered into it to their own server
This is usually easy to perform and can be difficult to detect
The best way to not fall for this is to avoid it entirely
Common Techniques
Baiting Techniques
Timely call for action
“Urgent” or time sensitive emails put pressure on potential victims to click on links without checking it properly
Seemingly legitimate email addresses
Inclusion of logos to seem more legitimate
Baiting Techniques
Work Environment
Phishing emails sent to targets in a work environment differ from those targeting individuals. They generally attempt to blend in with work emails, which makes them more successful
Attachments (such as “invoice”, “meeting minutes”, etc)
Third party providers (Microsoft, Google, etc)
Emails from managers
Emails from “IT support”
Other colleagues
If a colleague has fallen for a phishing scam, one of the first things an attacker will do is to secure their foothold inside the company. This means getting more people infected
Emails sent from a colleague are much harder to detect as phishing, as they’re coming from a legitimate source
Baiting Techniques
Personal Environment
Personal phishing emails, by contrast, target you at a more personal level
Weight loss
Win an iPad
Social Media accounts
Credit card company
Threats or blackmail emails
Take advantage of an ongoing crisis
Spear Phishing
Spear Phishing
Spear Phishing is when a phishing attack is targeted at a single or small group of people
It’s largely different because it often involves research steps, rather than being broad and generic
Often pulls information from social media platforms to use as an entrance and legitimise the phishing email
Think of the information you provide on LinkedIn
Current job
Previous employment
Plausible connections
Have you admitted to using a service publicly?
Think about complaints on social media
Liked services on social media
Spear Phishing
Many of the most successful data breaches in recent years started with a spear phishing attack
Spear phishing is the leading cause of data
Spear phishing attacks are “blended” or “multi-vector” threats
They combine various malicious techniques to create a very dangerous threat
Email Spoofing
Dynamic URLs
Zero-day vulnerabilities in
Unlike traditional phishing emails, which are often poorly written, spear phishing emails are usually well crafted
The average impact of a successful spear phishing attack to a business is
Spam filters
The only way to stop spam entirely is to make it unprofitable for the attackers
If we reduce the success rate of the emails, it becomes less profitable
Our best defence against phishing and spam is spam filters
The large majority of spam emails are filtered out by spam filters
Up to 99% of spam emails are filtered out before a user sees them
… Think about what your spam folder looks like
Spam filters often don’t work on spear phishing emails, as they’re specially crafted for the target
Mimecast is a service that redirects all links received in emails through their service. The service scans the page for malicious code and can help prevent employees from clicking on malicious links.
This software attempts to stop employees before the malicious code is executed.
modusCloud is a service that attempts to detect malicious links based on their URL. It looks for things like ‘I’ (uppercase i) instead of ‘l’ (lowercase L). It would detect something like as malicious as it is likely an attempt to direct a user towards a malicious website
Swordphish is able to extract features from millions of domains to distinguish between good and bad ones, without requiring support from an external environment. Swordphish is extremely fast, with a time of 10 milliseconds per search and a measured accuracy of 95% in classifying URLs
User Training
People are the weakest link in IT security
Training users to detect phishing/spam emails is the most important part
No legitimate company should ever ask for your password, bank account numbers or other information in an email
Don’t click links from people you don’t know or that look suspicious
Look out for weird capitalisation or misspelt URLs
Phishing emails often have poor grammar, spelling and structure - look out for it
No software is perfect and phishing emails (particularly spear phishing) will eventually reach users – prepare for it!
User Training
People are the weakest link in IT security
Look for the “HTTPS”, phishing websites often don’t use it
“HTTPS & SSL doesn't mean "trust this." It means "this is private." You may be having a private conversation with Satan.” - Scott Hanselman
If you receive a phishing email from someone you know, they have probably been compromised
Don’t click the link; report it to your IT admins
If it’s personal - Tell the person
Using a password manager can help
2FA helps a lot
Provide a way for employees to check the validity of an email or phone call
Remember that employees are outcome driven
The end
Resource List
Answered Same Day Aug 17, 2021 PICT3011 Macquaire University


Dilpreet answered on Aug 18 2021
119 Votes
Table of Contents
Leading Factors behind Rising Phishing Attacks
Indicators of Phishing Emails
Commenting on the Statement
Replying to Nathaniel Thomas
Replying to Melissa Camp
References
Leading Factors behind Rising Phishing Attacks
The increasing dependency of individuals and businesses on the internet has led to a rise in the number of phishing attacks in recent times. Moreover, the predictable patterns followed by individuals while performing online activities have also been determined to be one of the primary factors behind the rising number of phishing attacks (Gupta, Arachchilage & Psannis, 2018). Excessive usage of digital platforms for the purpose of conducting B2B, B2C or C2C communication is also responsible for the increasing number of phishing attacks.
Indicators of...