
PHISHING IS EVOLVING!!! ARE YOU EVOLVING TOO???

ALAN YAU TI DUN


CISA CISM CGEIT CRISC CISSP CSXF COBIT 5 CCSK CPTC CPTE CNFE CDFE CIHE CISSO ITIL ENSA MCSA

ISACA MALAYSIA CERTIFICATION & PROFESSIONAL DEVELOPMENT DIRECTOR


2016/17
ISACA MALAYSIA SPECIAL INTEREST GROUP 1 – CHAIRPERSON
ISACA MALAYSIA CYBERSECURITY NEXUS LIAISON OFFICER
CHIEF TECHNICAL OFFICER AT SYSARMY
MILE 2 CERTIFIED INSTRUCTOR
PHISHING
1980s
A phishing technique was described in detail in a paper and presentation delivered to
the 1987 International HP Users Group, Interex.

1990
The term 'phishing' is said to have been coined in the mid-90s by the well-known spammer and
hacker Khan C Smith. The first recorded mention of the term is found in the hacking tool
AOHell (according to its creator), which included a function for attempting to steal the
passwords or financial details of America Online users.

Source : https://en.wikipedia.org/wiki/Phishing
CYBERSECURITY IMPACT TO YOUR BUSINESS

In response to an email from Fortune, Facebook confirmed it was one of the victims of the
fraud. "Facebook recovered the bulk of the funds shortly after the incident and has been
cooperating with law enforcement in its investigation," said a company spokesperson.
In the course of the investigation that led to the arrest of Rimasauskas, another source
explained the Justice Department also learned of another prominent tech company that had
been victimized—Google. The search giant (“a multinational technology company, specializing
in Internet-related services and products” in the words of the indictment) became a target
because, like Facebook, it buys enormous amounts of computer servers from Quanta.
Google this week confirmed it had been targeted.
"We detected this fraud against our vendor
management team and promptly alerted the
authorities. We recouped the funds and we're
pleased this matter is resolved," said a Google
spokesperson.
http://fortune.com/2017/04/27/facebook-google-rimasauskas/
TYPICAL PHISHING FLOW
AWARENESS ABOUT PHISHING
WHAT IS PHISHING

Phishing is the attempt to obtain sensitive information such as usernames, passwords,
and credit card details (and, indirectly, money), often for malicious reasons, by disguising
as a trustworthy entity in an electronic communication.[1][2]

Phishing is typically carried out by email spoofing or instant messaging, and it often
directs users to enter personal information at a fake website, the look and feel of
which are almost identical to the legitimate one. Communications purporting to be
from social web sites, auction sites, banks, online payment processors or IT
administrators are often used to lure victims. Phishing emails may contain links to
websites that are infected with malware.

Phishing is an example of the social engineering techniques used to deceive users, and it
exploits weaknesses in current web security. Attempts to deal with the growing number of
reported phishing incidents include legislation, user training, public awareness, and
technical security measures. Many websites have now created secondary tools for
applications, like maps for games, but these should be clearly marked as to who wrote them,
and users should not reuse the same passwords anywhere on the internet.
DECEPTIVE PHISHING
SPEAR PHISHING
CEO FRAUD
PHARMING
DROPBOX PHISHING
GOOGLE DOCS PHISHING
WHY WORRY ABOUT PHISHING?
The majority of phishing email messages, websites, and phone calls are designed to steal
money. Cybercriminals can do this by installing malicious software on your computer or by
stealing personal information from your computer.
As an organization, you should worry that cybercriminals may use social engineering to
convince you to install malicious software, to hand over your company information or,
worse, your critical cybersecurity asset records under false pretenses. They might email
you, call you on the phone, or convince you to hand over your IT operations team
credentials or privileged admin credentials.
The attack frequently starts with a spear-phishing email to one or more users, enabling
the attacker to get their code running on a computer inside the target network. Once
the attacker has their code running inside the enterprise, the first step is performing
reconnaissance to discover useful resources in order to escalate permissions, persist, and
of course plunder information (often the “crown jewels” of an organization).
While the details of the process vary, the overall theme remains:
- Malware Injection (spear-phish, web exploits, etc.)
- Reconnaissance (internal)
- Credential Theft
- Exploitation & Privilege Escalation
- Data Access & Exfiltration
- Persistence (retaining access)
