CSCU Module 10 Social Engineering and Identity Theft.pdf

8/19/2019 CSCU Module 10 Social Engineering and Identity Theft.pdf

1/42

1 Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.

Social Engineering andIdentity Theft

Simplifying Security.

Module 10


2/42


OAKLAND ‐‐ Calling it the biggest they have seen, Oakland police said Monday that an identity theft operation that

manufactured phony checks, IDs and credit cards has been shut down.

Officials said there are potentially thousands of victims all over the Bay Area and in other states and the possibility of an

untold amount of monetary loss.

Police Chief Anthony Batts said breaking up the operation is particularly important to law enforcement because identity theft

"puts fear in everyone," including himself.

The operation, which Officer Holly Joshi called a "one‐stop shop" for identity theft, was run out of a Hayward apartment in the 21000 block of Foothill Boulevard, where resident Mishel Caviness‐Williams, 40, was arrested last week as she left the

apartment. She had $4,000 in cash on her, police said.

Oakland Police Shut Down Bay Area‐Wide Identity Theft Operation

http://www.mercurynews.com

05/16/2011, 11:16:54 AM PDT


3/42


Suffolk police are seeking assistance locating a woman who allegedly took an elderly man’s debit card and used it on several

occasions. Police have five felony warrants on file for Lavonda “Goosie” Moore, 37, for credit card theft, credit card fraud,

criminally receiving money, third offense petit larceny and identity theft.

Police say Moore took a debit card from the victim on Hill Street on May 15 and used it on multiple occasions at an ATM and at

retail stores.

There

also

is

a warrant

on

file

for

Moore

for

third

offense

petit

larceny

in

an

unrelated

case.

Moore’s last known address is the 600 block of Brook Avenue. Anyone who has information on Moore’s location is asked to call

Crime Line at 1‐888‐LOCK‐U‐UP. Callers to Crime Line never have to give their names or appear in court, and may be eligible for a

reward of up to $1,000.

Woman Sought in

Theft

http://www.suffolknewsherald.com

May 23, 2011


4/42


Identity Theft Statistics 2011

75%

11.1

Million

4.8%

13%

Adults Victims of

Identity Theft

$54 billion

The Total Fraud Amount

Percent of Population

Victimized by Identity

Fraud

Victim Who Knew

Crimes Were Committed

Fraud Attacks on Existing

Credit card

Accounts

http://www.spendonlife.com


5/42

Consumer Complaint

Scenario

“I lost my purse in 2006. But surprisingly I got notices of bounced checks in 2007.

About a year later, I received information that someone using my identity had bought

a car. In 2008, I came to know that someone is using my Social Security Number for a

number of

years.

A

person

got

arrested

and

produced

my

SSN

on

his

arrest

sheet.

I can’t get credit because of this situation. I was denied a mortgage, employment,

credit cards and medical care for my children.”

http://www.networkworld.com


6/42


Module Objectives

What is Identity Theft?

Personal Information that Can be

Stolen

How do

Attackers

Steal

Identity?

What do Attackers do with Stolen

Identity?

Examples of Identity Theft

How to

Find

if

You

are

a Victim

of

Identity Theft?

What to do if Identity is Stolen?

Reporting Identity Theft

Prosecuting Identity

Theft

Guidelines for Identity Theft

Protection

Guidelines for Protection from

Computer Based Identity Theft

IP Address Hiding Tools


7/42


Identity Theft

What to Do if

Identity Is Stolen

How to Find if You Are a

Victim of Identity Theft

Reporting

Identity Theft

Protection from

Identity Theft

Module Flow

Social

Engineering


8/42


Criminal

charges

Legal

issues

It leads to denial of

employment, health

care facilities, mortgage,

bank

accounts

and

credit

cards, etc.

Financial

losses

Identity

Theft Effects

Identity theft or ID fraud refers to a crime where an offender wrongfully obtains key pieces of

the intended victim's personal identifying information, such as date of birth, Social Security

number, driver's license number, etc., and makes gain by using that personal data

What is Identity Theft?


9/42


Personal Information that Can be

Stolen

Names

Mother’s maiden name

Telephonenumbers

Passport numbers

Credit card/Bank

account numbers

Social security

numbers

Driving license numbers

Birth certificates Address

Date of birth


10/42


How do Attackers Steal Identity?

Hacking Theft of Personal Stuff

PhishingSocial Engineering

Fraudster pretend to be a

financial institution and

send spam/ pop‐up

messages to trick the user

to reveal

personal

information

Fraudsters may steal

wallets and purses, mails

including bank and credit

card statements, pre‐

approved credit

offers,

and

new checks or tax

information

Attackers may hack the

computer systems to

steal confidential

personal

information

It is an act of manipulating

people trust to perform

certain actions or divulging

private information, without

using technical

cracking

methods


11/42



Identity?

Credit Card

Fraud

Phone or Utilities

FraudOther Fraud

They may open a new

phone or wireless account

in the user’s name, or run

up charges on his/her

existing account

They may use user’s name

to get

utility

services

such

as electricity, heating, or

cable TV

They may get a job using

legitimate user’s Social

Security number

They may give legitimate

user’s information to police

during an arrest and if they

do not turn up for their court date, a warrant for

arrest is issued on

legitimate user’s name

They may open new

credit card accounts in

the name of the user and

do not pay the bills


12/42

12Copyright

©

by

EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.


Identity?

Bank/Finance

Fraud

Government

Documents Fraud

They may create counterfeit checks

using victim’s name or account number

They may

open

a bank

account

in

victim’s name and issue the checks

They may clone an ATM or debit card

and make electronic withdrawals on

victim’s name

They may take a loan on victims’ name

They may get a driving license or

official ID card issued on legitimate

user’s

name

but

with

their

photoThey may use victim’s name and

Social Security number to get

government benefits

They may file a fraudulent tax return

using legitimate user information


13/42

13Copyright

©

by

EC-Council


Same Name: TRENT CHARLES ARSENAUL

Original Identity Theft

Identity Theft Example


14/42

14Copyright

©

by

EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.

Identity Theft

What to Do if

Identity Is Stolen



Social

Engineering

Reporting

Identity Theft

Protection from

Identity Theft

Module Flow


15/42

15Copyright

©

by


Social

Engineering

Types of Social

Engineering

Social Engineers

Attempt to Gather

Social Engineering

Sensitive information

such as credit card

details, social security

number, etc.

Passwords

Other personal

information

Human based social

engineering

Computer based

social engineering

Social engineering is the

art of convincing people

to reveal confidential

information

It is

the

trick

used

to

gain

sensitive information by

exploiting the basic

human nature


16/42

16Copyright

©

by


Social Engineering Example

Hi, we are from CONSESCO

Software. We are hiring new

people for our software development

team. We got your contact number

from popular job portals.

Please

provide

details

of

your

job

profile,current project information,

social security number, and your

residential address.


17/42

17Copyright

©

by EC-Council


Criminal as Phone Banker

Hi, I am Mike calling from CITI Bank.

Due to

increasing

threat

perception,

we

are updating our systems with new

security features. Can you provide me

your personal details to verify that you

are real Stella.

Thanks Mike,

Here

are

my

details.

Do

you

need anything else?


18/42

18Copyright

©

by EC-Council


Authority Support Example

Hi, I am John Brown. I'm with the external auditors Arthur Sanderson. We've

been told by corporate to do a surprise

inspection of your disaster recovery

procedures.

Your department

has

10

minutes

to

show

me how you would recover from a

website crash.


19/42

19Copyright

©

by EC-Council


Technical Support Example

A

man

calls

a

company’s

help

desk

and

says

he has forgotten his password. He adds

that if he misses the deadline on a big

advertising project, his boss might fire him.

The help desk worker feels sorry for him

and quickly resets the password,

unwittingly giving

the

attacker

clear

entrance into the corporate

network


20/42

20Copyright

©

by EC-Council


Human-Based Social Engineering

Eavesdropping Shoulder surfing Dumpster diving

Eavesdropping is

unauthorized listening

of

conversations or reading

of messages

It is interception of any

form of communication

such as audio, video, or

written

Shoulder surfing is the

procedure where the

attackers look

over

the

user’s shoulder to gain

critical information such as

passwords, personal

identification number,

account numbers, credit

card

information,

etc. Attacker may also watch the

user from a distance using

binoculars in order to get

the pieces of information

Dumpster diving includes

searching

for

sensitive

information at the target

company’s trash bins,

printer trash bins, user

desk for sticky notes, etc.

It involves collection of

phone

bills,

contact

information, financial

information, operations

related information, etc.


21/42

21Copyright

©

by EC-Council


Spam

Email

Instant

Chat

Messenger

Chain

Letters

Hoax

Letters

Pop‐up

Windows

Windows that suddenly pop up

while surfing

the

Internet

and

ask for users’ information to

login or sign‐in

Hoax letters are emails that issue

warnings to the user on new

viruses, Trojans, or worms that

may harm the user’s system

Chain letters are emails that offer

free gifts such

as

money

and

software on the condition that the

user has to forward the mail to the

said number of persons

Gathering personal information

by chatting with a selected online

user to get information such as

birth dates and maiden names

Irrelevant, unwanted, and

unsolicited email to

collect

the

financial information, social

security numbers, and network

information

Computer-Based Social Engineering


22/42

22Copyright

©

by EC-Council


Computer-Based Social Engineering:

PhishingAn illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user’s

personal or account information

Phishing emails or pop‐ups redirect users to fake webpages of mimicking trustworthy sites that ask

them to submit their personal information

Fake Bank Webpage


23/42


Phony Security Alerts

Phony Security Alerts are the emails or

pop‐up windows that seem to be from

a reputed hardware or software

manufacturers like Microsoft, Dell, etc.,

It warns/alerts

the

user

that

the

system is infected and thus will

provide with an attachment or a link in

order to patch the system

Scammers suggest the user to

download and

install

those

patches

The trap is that the file contains

malicious programs that may infect the

user system


24/42


Computer-Based Social Engineering through

Social Networking WebsitesComputer‐based social engineering is carried out through social networking websites such as Orkut, Facebook,

MySpace, LinkedIn, Twitter, etc.

Attackers use these social networking websites to exploit users’ personal information


25/42


Identity Theft

What to Do if

Identity Is Stolen



Reporting

Identity Theft

Protection from

Identity Theft

Module Flow

Social

Engineering


26/42


How to Find if You are a Victim

of Identity Theft?Bill collection agencies contact you for overdue debts you never incurred

You receive bills, invoices, or receipts addressed to you for goods or services

you haven’t asked for

You no longer receive your credit card or bank statements

You notice that some of your mail seems to be missing

Your request for mortgage or any other loan is rejected citing your bad credit

history despite you having a good credit record


27/42


How to Find if You are a Victim

of Identity Theft?

You get something in

the mail about an

apartment you never

rented, a house

you

never bought, or a job

you never held

You lose important

documents such as

your passport

or

driving license

You identify

irregularities in

your credit

card

and bank

statements

You are denied for

social benefits

citing that you are

already claiming

You receive

credit card

statement with

new account


28/42


Identity Theft

What to Do if

Identity Is Stolen



Reporting

Identity Theft

Protection from

Identity Theft

Module Flow

Social

Engineering


29/42

29 Copyright © by EC-CouncilAll

Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

What to do if Identity is Stolen?

Contact the credit reporting agencies

http://www.experian.com

http://wwwc.equifax.com

http://www.transunion.com

Immediately inform credit bureaus

and establish fraud alerts

Request for a credit report Review the credit reports and alert

the credit agencies

Freeze the credit reports with credit

reporting agenciesContact all of your creditors and

notify them of the fraudulent activity

Change all the passwords of online

accounts

Close the accounts that you know or

believe have been tampered with or

opened fraudulently


30/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

What to Do if Identity Is Stolen?

File a report with the

local police or the police

in the community where

the identity theft took

place

File a complaint with

identity theft and

cybercrime reporting

agencies such as the

FTC

Take advice from police

and reporting agencies

about how to protect

yourself from further

identity compromise

Ask the credit card

company about new

account numbers

Tell the debt collectors

that you are a victim of

fraud and are not

responsible for the

unpaid bill

Ask the bank to report the

fraud to a consumer

reporting agency such as

ChexSystems that

compiles

reports on checking

accounts


31/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Identity Theft

What to Do if

Identity Is Stolen



Reporting

Identity Theft

Protection from

Identity Theft

Module Flow

Social

Engineering


32/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Federal Trade Commission

The Federal Trade Commission, the nation's consumer protection agency, collects

complaints about companies, business practices, and identity theft

http://www.ftc.gov


33/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

econsumer.gov

http://www.econsumer.gov

econsumer.gov is

a portal

for

you

as a consumer to report complaints about online

and related transactions with foreign companies


34/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Internet Crime Complaint Center

http://www.ic3.gov

The Internet Crime Complaint

Center’s (IC3)

mission

is

to

serve

as

a vehicle to receive, develop, and refer

criminal complaints regarding the

rapidly expanding arena of cyber

crime

The Internet Crime Complaint Center

(IC3) is a partnership between the

Federal Bureau

of

Investigation

(FBI),

the National White Collar Crime

Center (NW3C), and the Bureau of

Justice Assistance (BJA)


35/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Prosecuting Identity Theft

Begin the process by

contacting the bureaus,

banks, or any other

organizations who

may

be involved

File a formal complaint

with the organization

and with the police

department

Regularly update

yourself regarding

the investigation

process to

ensure

that the case is

being dealt with

properly

Obtain a copy of the

police complaint to

prove to the

organizations that

you have filed an

identity theft

complaint

File a complaint with

the Federal Trade

Commission and

complete affidavits

to prove your

innocence on the

claims of identity

theft and fraudulent

activity

Contact the District

Attorney's office for

further prosecuting

the individuals

who

may be involved in

the identity theft


36/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Identity Theft

What to Do if

Identity Is Stolen



Reporting

Identity Theft

IP Hiding Tools

Module Flow

Social

Engineering


37/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Hiding IP Address Using Quick Hide IP

Tool

http://www.quick ‐hide‐ip.com

Quick Hide IP hides your internet identity so you can surf the web while hiding you real IP and location

It redirects the Internet traffic through anonymous proxies

Quick Hide IP. Websites you are visiting see the IP address of the proxy server instead of your own IP address


38/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

UltraSurf http://www.ultrareach.com

Hide The IPhttp://www.hide

‐the

‐ip.com

Hide My IPhttp://www.hide‐my ‐ip.com

Hide IP NG http://www.hide‐ip‐soft.com

IP Hider

http://www.iphider.org

TORhttp://www.torproject.org

Anti Trackshttp://www.giantmatrix.com

Anonymizer Universal

http://www.anonymizer.com

IP Address Hiding Tools


39/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Module Summary

Identity theft is the process of using someone else’s personal information for the

personal gain of the offender

Criminals look

through

trash

for

bills

or

other

paper

with

personal

information

on

it

Criminals call the victim impersonating a government official or other legitimate

business people and request personal information

Keep the computer operating system and other applications up to date

Do not

reply

to

unsolicited

email

that

asks

for

personal

information

Use strong passwords for all financial accounts

Review bank/credit card statements/credit reports regularly


40/42


Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Keep your Social Security card, passport, license, and other valuable

personal information hidden and locked up

Ensure that your name is not present in the marketers’ hit lists

Shred papers with personal information instead of throwing them away

Never give away social security information or private contact information

on the phone – unless YOU initiated the phone call

Confirm who you are dealing with, i.e., a legitimate representative or a

legitimate

organization over

the

phone

Carry only necessary credit cards

Cancel cards seldom used

Review credit reports regularly

Identity Theft Protection Checklist


41/42

41 Copyright © by EC-Council

All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Do not reply to unsolicited email requests for personal information

Do not give personal information over the phone

Review bank/credit card statements regularly

Do not carry your Social Security card in your wallet

Shred credit card offers and “convenience checks” that are not useful

Do not store any financial information on the system and use strong

passwords for all financial accounts

Check the telephone and cell phone bills for calls you did not make

Read before

you

click,

stop

pre

‐approved

credit

offers,

and

read

website

privacy policies

Identity Theft Protection Checklist


42/42

42 Copyright © by EC-Council

All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

Install antivirus software and scan the system regularly

Enable firewall protection

Check for website policies before you enter

Keep the computer operating system and other applications up to date

Be careful while opening email attachments

Clear the browser history, logs, and recently opened files every time

Check for secured websites while transmitting sensitive information

Computer Based Identity Theft Protection

Checklist