[00:00:00] Phishing is a type of attack that typically attempts to trick the victim into clicking on a link or executing malware in some way. It can be an attempt to compromise a device, to steal sensitive information (passwords, usernames, PINs, credit card numbers), as well as to try to gain access to online accounts. Pretty much all of the things you don't want to happen can happen through phishing attacks, and phishing is one of the most successful and common types of attacks because it is easy to perform, cheap to set up, and it yields good returns for the attackers.

[00:00:42] So you really have to watch for it. Working for big corporations, even with repeated security training, it still catches people out no matter what. At the companies I've consulted to, about 30 percent or so of people continue to be fooled and click on things that they shouldn't. And funnily enough, some countries are worse clickers and some are better clickers on a consistent basis. But no matter what, people just seem to not be able to be trained out of clicking on the things that they shouldn't click on.

[00:01:17] Phishing is typically carried out by sending fake e-mails, or instant messages as well, that direct the victim to a fake site that often resembles the legitimate site. It is a form of social engineering, or in other words it's an attack against human weaknesses, and it relies also on the lack of defenses that web technologies inherently have in order to do the attack. So, for example, e-mail does not authenticate or digitally sign the sender, so there's no guarantee of who it's come from. If there was, then this problem would be reduced, because e-mails can be easily spoofed, or they've come from a legitimate source. Phishing attacks take advantage of that trust, that you believe it's come from that person, or at least it can do.

[00:02:17] Generally phishing attacks are done en masse. They send out thousands or millions of e-mails, and those e-mail addresses have been harvested from the internet, or sometimes they've been harvested through hacking websites, sometimes from the fact that people publicly disclose them on forums or other things like that, and even from guessing at what the address is. So if you, for example, had, you know, john at a domain name, john@hotmail.com or something, this would be an unusable account because of the amount of spam and phishing e-mails that it would get, because spammers target common names in combination with domain names. You do also get mass e-mail attacks on certain businesses as well. But if it is a specific and targeted attack, we call that spear phishing, if you're targeted individually.

[00:03:17] Let's look at some techniques used to perform phishing attacks in order to try and convince people to click on them. So the big one that they use is what's called link manipulation. This is a simple phishing e-mail that you can see here in front of you that I put together. I've sent it to a Ghostmail account to illustrate the technique. The Ghostmail service is no longer available actually, but that's not important, as it's serving here as an example only; the examples I show can apply to all e-mail services. Here I'm faking links to Google and to Microsoft.

[00:03:57] So if we just zoom in here, the first thing that they use is subdomains and misspelt domains. If you look at these three examples here, you can see here that this is the real domain, and this is the domain it's trying to convince you that it's actually from. A slightly different technique is being used here: so that is obviously the real domain, and then this is used in some directories in order to look like Google. This one's using a subdomain, this one's using subdirectories, and this one, Microsoft, can you notice what's wrong with that one? You probably can because we're zoomed in, which is here: you've got an R and an N instead of an M. Let's have a look at some other examples.

[00:04:53] So these are live phishing links that are out right now attempting to convince people to click on them. So you can see here, this is actually an Australian bank, and it's attempting to convince people that, you know, this is the domain, when in actual fact we can see here that this is the real domain. Let's see if there's any other clever ones, or... well, I'm not really that clever, but let's see if we can find any other examples. So you can see here, here's another one, PayPal. OK, so the real domain, the real domain, is this.

[00:05:35] So it may be tricky to understand, as I've gone through this, which are the real domains, depending on your experience. So the real domain is the one that is to the left of the high-level domain. That's the high-level domain, and it has no slashes to the left of it. High-level domains are, you know, things like .com, .net, .org. But in my example here, that isn't the domain, because it has a slash to the left of it, which means it is a directory. The real domain is the one to the left of the high-level domain and has no slash to the left. So that has a slash to the left, so it must be this.

[00:06:18] The next sort of technique of link manipulation is what's called the IDN homograph attack; IDN is the internationalized domain name standard. You can see a couple of obvious ones, but again they're not always obvious. You can see here we've got some zeros instead of O's; we've got an L instead of a one. But let me tell you, if the font is different, these can be almost impossible to tell the difference. Obviously this can be used in combination with subdomains and misspelling in order to create further confusion.

[00:07:01] And another one is hidden URLs, so using HTML tags to hide the real URL. So you can see here we've got "click here", so you don't know what's behind it, but if you look down there at the bottom you can see that it's going to google.com.stationx.net, and this one we can see is actually going to google.com.stationx.net, so not at all going to where it alleges to go. "Click", you see, doesn't go to Google at all. Obviously this could have been, you know, an attack site. So the way these hidden URLs work is essentially it's just HTML. It's really, really not complicated at all. And so you can see here, this is the raw HTML here, and that has created these links. I sent an e-mail; e-mail is made up of HTML nowadays anyway. This is text in HTML, and the e-mail client renders the HTML just like browsers render HTML. So you can see here what I have is I've represented google.com as what you can see in the e-mail, but actually the real link is here.

[00:08:22] And of course if we, you know, use all of these in combination, you know, this is why people click on the links, because they can be fooled. It's easy to see why people get fooled. I mean, there's all sorts of nonsense in here that a lay person is just not going to understand; they are going to click on them.

[00:08:41] Go back to the e-mail. If we hover over the link, we can right-click and copy link location. Depending on your browser, that may reveal the correct URL, but not always. JavaScript could hide the link, depending on your e-mail client. And also, as I showed here, you can hover over and you can see in the bottom left the real domain. That isn't always going to be the case either; depending on your e-mail client and JavaScript, that may also be faked as well. So it is pretty tricky. You can look at the HTML, like here. So my e-mail client will let me see the raw HTML e-mail, and then you can go through and see what's there. But some won't. I mean, Ghostmail, for example, does not let me look at the raw e-mail, so I have to hover over it to see where it is going to take me to.

[00:09:45] Good providers, and this can be both a good and a bad thing, will notice these types of things and will change them. So Thunderbird, for example, these wouldn't come through like this; it would change them so that you can actually see where it's going to. But that defense mechanism could be bypassed as well, so, you know, it's not foolproof. But Ghostmail in this example was able to receive these and make them look like this without me going to too much effort to try to bypass any phishing protection that it has.

[00:10:26] Other URL manipulation is also covert URL redirects that use vulnerabilities such as cross-site scripting and cross-site request forgery. Now they can be used in combination with link manipulation. So it is possible that you might get sent a link to a real site, and the real site is being manipulated to attack you in some way, so the attacker can, or possibly has, found a flaw in the real site and is using a technique like open redirect or, as I've just mentioned, the cross-site scripting and the cross-site request forgery vulnerabilities in order to attack you. So this has happened to PayPal. How many are there?

[00:11:14] So let me give you an example, because this, you know, obviously won't be clear, of a reflected cross-site scripting vulnerability that could be used in a phishing attack. So imagine you've been, you know, sent a link via whatever means. Now this was actually a cross-site scripting vulnerability for an application, so I'm just using it as an example. So this is an example of the URL. You then click on this URL; this takes you to the website, and then, because I've inserted into that URL a special script, when you enter your username and password, I'm able to steal your username and password. Now if you look here, this is the crucial bit of code. So I've inserted my own little bit of code here. This is the reflected cross-site scripting vulnerability. That site should not let me put my own scripts into URLs and process it, because what that means is that I am then able to act as that website, under the security context of that website, which means I then have access to your cookies. And of course I can manipulate the web page so that, you know, it's not the right login screen, and it's actually a fake login screen that I've presented. And that's actually what I did with this particular vulnerability, to demonstrate it to the people that own the application so they could fix it. So that was the actual URL for the vulnerability, and if you look here, there, inserting in a special, what's called an iframe, in order to put up a fake login screen and be able to take the usernames and passwords.

[00:13:21] So that gives you an example where, if there's vulnerabilities in the website, these cross-site scripting vulnerabilities, these open redirects, then the phishing attacks can be even worse.

[00:13:35] And to finish up on phishing, there's a couple of variants of phishing, and that is vishing and smishing. So vishing is phone or voice phishing, and smishing is SMS phishing, or sending text messages. So this is attempting to call or text you in an attempt to compromise your device in the same way as you do with phishing, you know, so steal sensitive information, passwords, usernames, credit cards, you know, all the bad stuff. There are many examples, a common one being pretending to be from Microsoft, telling you that you have a virus on your machine. Can they help? Please download and install this totally legitimate software, which is then, you know, a trojan or something like that. Again, my mother has had a couple of these calls from guys from India pretending to be from Microsoft. These calls do work on enough people; that's why they continue to do them. And actually if you look on YouTube you can actually see a lot of people pranking these people when they're being called by them. So those are quite funny to watch. So vishing is phone-based cons, smishing is text-based cons, and that's phishing.
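As an added example, not the instructor's code or material from the course, here is a small Python link checker that applies the rules from the lecture to the anchors in an HTML e-mail: it extracts the registrable domain (the label directly left of the top-level domain, with nothing but dots to its left), flags a brand name that appears only in a subdomain or in the path, undoes the look-alike substitutions mentioned (0 for o, 1 for l, rn for m), notes punycode (IDN) labels, and compares the domain shown in the link text with the domain the href actually goes to. The brand list, the short public-suffix list, the sample e-mail and the hostnames in it (google.com.stationx.net, rnicrosoft.com, paypa1.com) are constructed for this example and only mirror the tricks the lecture describes; a real tool would use the full Public Suffix List and a far larger brand list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the checker watches for; a constructed list for this example.
BRANDS = ("google", "microsoft", "paypal")
# A few two-label public suffixes so "bank.com.au" counts as one registrable
# domain. A real tool would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def registrable_domain(host):
    """The domain a user should trust: the label directly left of the top-level
    domain (or of a known two-label suffix), ignoring everything further left."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_homoglyphs(label):
    """Undo ASCII look-alike swaps (rn->m, 0->o, 1->l, plus vv->w) so that a
    look-alike label can be compared with the brand it imitates."""
    return label.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")


def analyze_url(href, visible_text=""):
    """Return a list of plain-language warnings for one link; empty means nothing odd."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["href has no host: %r" % href]
    reg = registrable_domain(host)
    owner = reg.split(".")[0]          # "stationx" for google.com.stationx.net
    subdomains = host[:-len(reg)]      # "google.com." for google.com.stationx.net
    path = parsed.path.lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("host uses an internationalized (punycode) label: " + host)
    for brand in BRANDS:
        if brand == owner:
            continue                   # genuinely that brand's own domain
        if brand in subdomains:
            findings.append(f"'{brand}' appears only in the subdomain of {reg}")
        if brand in path:
            findings.append(f"'{brand}' appears only in the path under {reg}")
        if normalize_homoglyphs(owner) == brand:
            findings.append(f"domain label '{owner}' is a look-alike of '{brand}'")
    # If the clickable text itself looks like a domain, it must match the href.
    m = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", visible_text.lower())
    if m and registrable_domain(m.group(1)) != reg:
        findings.append(f"link text shows {registrable_domain(m.group(1))} but href goes to {reg}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email_html(html):
    """Return [(href, text, warnings)] for every link in the e-mail body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, analyze_url(href, text)) for href, text in collector.links]


# Constructed sample e-mail reproducing the lecture's tricks: brand as a
# subdomain, brand as a directory, rn-for-m, 1-for-l, and one honest link.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://google.com.stationx.net/login">www.google.com</a><br>
<a href="http://www.stationx.net/google.com/signin">click here</a><br>
<a href="http://rnicrosoft.com/update">Microsoft update</a><br>
<a href="http://paypa1.com/verify">http://www.paypal.com</a><br>
<a href="https://www.google.com/">Google</a>
"""

if __name__ == "__main__":
    for href, text, warnings in analyze_email_html(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for warning in warnings:
            print("   !", warning)
```

Run as a script it prints each link with its warnings; the honest Google link produces none, while the four manipulated links are each flagged for the specific trick they use. Hover text and status-bar previews can be faked by the client or by script, as the lecture notes, so a checker like this should run on the raw HTML rather than on what the mail client renders.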