Freud and Phishing: The Psychology Behind Internet Scams
JC Lamkin, CNA, PMP, Gypsy Lane Technologies, Philadelphia, PA 19144, (215) 843-1039, [email protected], http://www.gltMYpc.com, Twitter.com/TechCrusader

Posted 20-Dec-2015 (Documents)

Transcript of the slides:


What is Phishing?

Making Money with Phish

  • 2,000,000 emails are sent; 5% get to the end user – 100,000 (APWG)
  • 5% click on the phishing link – 5,000 (APWG)
  • 2% enter data into the phishing site – 100 (Gartner)
  • $1,200 from each person who enters data (FTC)
  • Our potential reward: $120,000

How Much Information?

4.1 million – the number of credit card numbers discovered in ONE phishing blind drop over a 4-month period

A typical day: information for 13,677 accounts, including
  • 3,356 credit cards
  • 255 PayPal account logins
  • 1,038 eBay account logins
  • 93 Bank of America online banking account logins
  • 2,609 Hotmail email account logins

Source: Washingtonpost.com (Security Fix: Brian Krebs)

Phish and Spam are Different

| Email Characteristics | Spam | Phishing |
|---|---|---|
| How does the email enter your inbox? | Back door – needs a disguise to get past filters | Front door – must look like something users want |
| What does the email appear to be delivering? | Something you didn’t ask for, but still might want | Information that you should receive |
| The effectiveness of the email is based on? | What the receiver desires | Establishing credibility with the receiver |
| What’s the most important attribute of the email? | Product credibility | Brand credibility |
| What happens if a user acts on the email offer? | Might actually get the product offered | Lose company, financial, or personal information |
| What’s the real purpose? | Selling | Stealing |

Psychology: Phish ≠ Spam

People treat spam and phish differently:

1. Take a phishing email and place it in an end user’s “spam” folder. 10% of the time the user moves the phishing email out of the spam folder and into their inbox.

2. Take a phishing email and place it in an end user’s “phish” folder. The user removes the phishing email from the phish folder less than 0.5% of the time.

The Tricks of the Trade

Fear – You’re Being Naughty

“…payments or donations for obscene or certain sexually oriented goods or services.”

“…your account…limited for: xxxcambabes.com cam shows.”

Fear – Account Takeover

“…someone had used your account to make fake bids…”

“You must verify …”

“…no choice but to suspend your account.”

Fear – Service Deactivation # 1

“…service(s)…will be deactivated…”

Fear – Service Deactivation # 2

“…service(s)…will be deactivated…”

Fear – Service Deactivation # 3

“…service(s)…will be deactivated…”

Fun – eBay Lottery

Fun – eBay Conference

Fun – eBay Anniversary

LEGIT

Fun – Take a Survey

Fun – Take a Survey

LEGIT

Confusion – Account Change

Confusion – Did I Buy This?

Assistance – My Refund?

Assistance – We’re Here to Help

Assistance –Fraud Detection

Assistance – Buy Safely

LEGIT

Poll-time Possibilities

LEGIT??...Only for Poll Workers

Compassion – No Scruples

Other Email Tricks

Multi-Stage Attacks
  • Email 1 – “We’ll be updating all our accounts this weekend”
  • Email 2 – “We discovered a problem with your account”

Multi-channel Attacks
  • The email contains both a phishing URL and a phishing phone number (typically VOIP based)

The Domain Name Game

  • citibank-validate.info
  • earthlink-reactivation.net
  • services-bankofamerica.com
  • sales-aol.net
  • secure-ebay.com
  • msn-reactivation.net
  • secure-usbank.info
  • service-visa.net
  • verification-e-gold.com
  • customer-verification.com
  • banking-account-renewal.com

Phisher’s SSL certificate: citibanhk.de

Duplicated registrar info: credltlyonaisse.com

Registering a Cyrillic “a”: paypal.com

Hall of Fame

Web Site Tricks

We arrive at the website. Is something phishy?

Web Site Tricks

There is no address bar!

Web Site Tricks

Now there are two!

More Web Site Tricks

Search engine listings

Common URL misspellings:
  • www.mailfrontier.com
  • www.mailfronteir.com
  • www.malefrontier.com
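The tricks on the domain-name slides (a brand buried in a hyphenated domain such as secure-ebay.com, a typo such as citibanhk.de or mailfronteir.com, and a Cyrillic “a” registered inside paypal.com) can all be checked mechanically before a link is trusted. The following is an added example written for this transcript, not code from the presenter or Gypsy Lane Technologies. The protected-brand list, the confusable-character table and the sample hostnames are constructed for the demonstration, and the registrable-domain helper assumes a one-label public suffix (.com, .de, .info).

```python
"""Lookalike-domain checks for the three tricks on the slides: a brand name buried in a
hyphenated domain (secure-ebay.com), a typo or transposition (citibanhk.de,
mailfronteir.com) and a non-Latin homoglyph (a Cyrillic "a" inside paypal.com).
Added example for this transcript; not the presenter's code. The brand list and the
confusable-character table are constructed for the demo and deliberately small."""
import unicodedata

# Constructed: brand label -> the domain the brand really uses (assumption for the demo).
PROTECTED = {
    "citibank": "citibank.com",
    "paypal": "paypal.com",
    "ebay": "ebay.com",
    "bankofamerica": "bankofamerica.com",
    "mailfrontier": "mailfrontier.com",
}

# Constructed, partial table of Cyrillic letters that render like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> tuple:
    """('secure-ebay', 'secure-ebay.com') for 'www.secure-ebay.com'.
    Simplification: assumes a one-label public suffix (.com, .de, .info)."""
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label, ".".join(parts[-2:])


def scripts_of(label: str) -> set:
    """Unicode scripts of the letters in a label, read off the character names
    ('LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}


def classify(host: str) -> list:
    """Return the lookalike indicators found for a hostname (empty list = nothing seen)."""
    host = host.lower().rstrip(".")
    # An IDN that was already punycode-encoded ('xn--...') is decoded so the
    # script check sees the real characters, not the ASCII encoding.
    try:
        decoded = host.encode("ascii").decode("idna") if "xn--" in host else host
    except UnicodeError:
        decoded = host
    label, domain = registrable(decoded)
    if domain in PROTECTED.values():
        return []                      # the genuine brand domain (or a subdomain of it)
    findings = []
    scripts = scripts_of(label)
    if len(scripts) > 1:
        findings.append("mixed-script label: " + ", ".join(sorted(scripts)))
    # Fold confusable characters so 'p<Cyrillic a>ypal' compares as 'paypal'.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for brand, legit in PROTECTED.items():
        distance = levenshtein(skeleton, brand)
        if skeleton == brand:
            findings.append(f"reads as '{brand}' but is not {legit}")
        elif brand in skeleton:
            findings.append(f"embeds brand '{brand}' (genuine domain is {legit})")
        elif distance <= 2:
            findings.append(f"edit distance {distance} from '{brand}' (typo of {legit}?)")
    return findings


if __name__ == "__main__":
    # Constructed sample hostnames, including the ones quoted on the slides.
    for name in ["secure-ebay.com", "citibanhk.de", "mailfronteir.com",
                 "malefrontier.com", "p\u0430ypal.com", "www.paypal.com"]:
        print(name.encode("idna").decode("ascii"), classify(name) or "no indicators")
```

The edit-distance threshold of 2 catches the transposition in mailfronteir.com and the two-letter swap in malefrontier.com, while the confusable table turns the Cyrillic-“a” paypal label back into something the brand comparison can see. A production check would replace the toy table with the Unicode confusables data, use a real public suffix list instead of the two-label shortcut, and decide what to do about legitimate partner domains that embed a brand name.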

Tips on Protecting Yourself from Phishing

Protect Yourself

Know your senders
  • Is this someone I do business with?
  • Is this something I was told I’d receive?
  • Look for other ways to respond

Stay on guard
  • Look for clues – improve your PhishingIQ
  • Don’t be afraid to ask
  • Know how your system is updated
  • Protect your system
  • Check your records
  • Check your sources (snopes.com)

Not Just a Consumer Issue

  • Operations – Microsoft Updates, RSA SecurID
  • Corporate credit cards – American Express, Visa, MasterCard
  • Purchasing and Payments – eBay, PayPal
  • Network Services – Verizon, Earthlink
  • Web Services – DNS name registration, hosting companies

Protect Your Brand

  • Cut-and-paste links, minimize links
  • Use personal information where possible
  • Provide non-email ways to verify
  • Use standard company domain names
  • Identify your partners
  • Set and follow standard communication practices

Phishing - Don’t Take the Bait

Preemptive
  • Phishing is different than spam – think Virus

Technology
  • It’s more than a consumer issue
  • Multi-faceted solution – No silver bullet

Psychology
  • Educate your customers/employees/yourself
  • Improve their PhishingIQ
  • Email is still Good! Really it is!

Special thanks to infosecurity.com