Gone Phishing: Tips, Tricks and Lessons Learned in the ... · Cybersecurity Webinar Series...
© 2019 Jack Henry & Associates, Inc.®
Gone Phishing: Tips, Tricks and Lessons Learned in
the Battle of Social Engineering
Moderator: Sebastian Fazzino
Director, Sales Operations
Gladiator & Financial Crimes Solutions
Presenter: Keith Haskett
CEO
Rebyc Security
© 2020 Jack Henry & Associates, Inc.®
Cybersecurity Webinar Series
• Multi-part, educational series
• Proactive Cybersecurity: Staying Ahead of Threats
1. Assessing Your Biggest Security Risks Before It Is Too Late – October 29th
2. Machine Learning and the Latest Protection Methods – December 12th
3. Cyber Threats and Trends for 2020 – January 14th
4. Ransomware Is Alive and Well: Are You? – February 12th
5. Gone Phishing: Tips, Tricks and Lessons Learned in the Battle of Social Engineering – March 18th
6. Unleashing the True Value of GRC – April 29th
Today’s ATTACK PLAN:
Phishing Types
• Spear
• Romance
• BEC
Social Eng & Physical Security
• IOT
• Dumpster Diving
• Social Media
Tools of the Trade
• Whitepages
• Hunter.IO
Exploit Gathered Creds
• Site Cloning
• GoPhish
Phishing Defense
• Email Guidance
• Password Policies
• Multifactor
Phishing Types
Romance Fraud
• Use fake identities to build online relationships with victims
• Use sites such as Tinder, Bumble & Match.com
• $362M in losses – 2018
Spear Phishing
• Target specific individual, group or business with malicious intent.
• Doesn’t differentiate – Senior Leaders and entry level employees
• Financial Institutions are some of the most heavily targeted
• Email looked like it came from her Asst.
• Asked to wire $388K
• Bookkeeper didn’t think anything suspicious – Wired the funds.
Business Email Compromise
• Can take on many forms – Spear, Romance Fraud, Wire Fraud, etc.
• Take over accounts, spoof accounts or access and listen.
• Use details gained against their marks.
Social Eng & Physical Security
Internet of Things (IOT)
Other Social Engineering and Physical Security
• Vishing
• Unauthorized Vendors Onsite
• USB Devices
• Password Security
• Shoulder Surfing
• Document Shredding – Dumpster Diving
• Doors, Windows, and Access Points
• Badge Cloning
Attackers Love Social Media Too
Tools of the Trade
• Search Full Names, Phone Numbers, Reverse Number Lookup
• Search Business Associates, Previous Addresses, Email Addresses
• Unlimited Searches for 4.95/Month
• Background Checks for 19.95 per Person
• List of Email Addresses Found in Previous Breaches
• Many Employees Re-Use Passwords
• Many Employees Use Work Resources for Non-Work Items
• Extremely Valuable for Credential Stuffing Attacks
• $9/Month Cost
• Continuously Scanning Entire Internet
• IoT, ICS, Routers, Switches
• Search by Company, IP Ranges, Name
Gathering Email Addresses – Simply
Exploit Gathered Creds
Got 12 Dollars? Become a Company!
Import Most Sites With a Click!
Looks Legit To Me!
How Are We Doing?
• Emails Sent: 4086
• Emails Opened: 1036
• Clicked Link: 372
• Submitted Data: 205
Phishing Defense
Why Security Solutions Fail?
• Improperly Configured Spam Filtering / Web Filtering Solutions
• Lack of multi-factor authentication for ALL accounts
• Lack of security coverage enterprise-wide
• Accessing external resources (Gmail/Dropbox)
• Utilizing corporate resources at home or while traveling
How You Can Stay Safe
• Check to see if your email has been compromised
• Use SEPARATE & UNIQUE passwords for ALL accounts
• Do NOT use work email for non-work purposes
• Use one-time email addresses when signing up
• Avoid public Wi-Fi – Use VPN when connected
• Don’t click on links from strangers
• Use common sense & Multi-factor Authentication
What We See Working
• User Awareness Training (Often!)
• Credential Theft Protection
• Machine Learning / AI Solutions
• Robust and tuned spam and web filtering
  – Protect against current attacks?
  – Allow access to new web sites? Unclassified web sites?
• Always-On VPN
Thank you for your time