Unit 8: Malware and Forensics. 8.1 Malware and Forensics: Phishing, Spear Phishing, Whaling, Pharming, Watering Holes, Ransomware...

Original link: http://www.cnblogs.com/sec875/articles/10452730.html

About this video

In the previous unit we discussed the telephone and face-to-face versions of social engineering. Now we can introduce the email versions of social engineering: phishing, spear phishing and whaling. When users click a link in an email believing they are communicating with a company such as PayPal or their bank, they may actually be on a site crafted by the attacker, and their credentials go straight to the attacker.

In addition, simply visiting these sites can install malware on their systems. The most common and fastest-growing form of malware today is ransomware. A recent study found that 97% of phishing emails were designed to deliver ransomware.

We will also cover a few other techniques designed to spread malware: pharming and watering holes.

>> Email versions of social engineering include phishing, spear phishing and whaling.

Phishing involves sending out bait, mostly through email, to a large number of people, hoping some users will bite by sending usernames, passwords and even credit card information.

When clicking a link in a phishing email, the user is brought to a webpage that looks and feels like a real banking site, the real PayPal site, the real eBay site, the real Facebook site, the real LinkedIn site and much more.

Therefore the user feels safe and secure in entering sensitive information,
which goes directly to the attacker.

Furthermore simply visiting these sites could install malware on a victim machine.

I get these emails from time to time.

It goes something like this.

There's been a small change to your details that we want to verify.

Until you do, your account will be suspended because we suspect it was compromised.

Log in here to fix it.

This gets users to quickly click not realizing how contrived the scenario sounds.

On the site that the link brings them to there could be a drive-by download exploit kit, which collects information from a victim machine, finds vulnerabilities in operating systems, browsers and other software like video players, determines the appropriate exploit, delivers the exploit and executes malware.

All of this happens automatically just by visiting a site.

Not applying operating system or software security updates leaves you very vulnerable
to exploit kits.

These exploit kits are usually hosted on a legitimate website that's been hacked or are delivered through a legitimate website's third-party advertisements.

In another scenario the users could be asked to click on a link to view content
or install a program that will allow them to view content.

Clicking on these links installs malware.

There can be scareware, pop-up windows from the visited site asking users to click
to remove a virus or to scan for a virus.

Clicking these links actually installs the malware.

The pop-ups could have phone numbers for users to call
to continue the social engineering attack over the phone.

Victims then give the attackers their credit card numbers and allow the attackers
to remotely control their machines to fix the problems.

Phishing also involves email attachments that users are asked to open, like a zip file, which has three advantages for attackers.

It bundles multiple files into one, compresses them and can bypass malware scanners.

Alternatively an email attachment can be a Microsoft Word document
or an Excel spreadsheet with a macro.

Users are made to believe that the file is secure
and they can only view it by enabling macros.

Of course when a user clicks the button to enable macros,
that triggers the installation of malware.

In fact that's exactly how the 2015 Ukraine power grid hack started.

This is like a fisherman who casts his rod into the water hoping to lure some fish with bait.

As opposed to the fisherman who gets dinner, the phisher gets network access, PII (personally identifiable information) and is able to install malware for subsequent damage and access.

Spear phishing takes phishing to a whole new level by targeting specific users of a specific company, instead of just random email addresses that may or may not be valid.

When you go after the big fish of a company, like anyone that has a title beginning with a C
and ending with an O, that's taking spear phishing
to a whole new level and is called whaling.

So sending an email to random Gmail accounts, bob1@gmail.com, bob2@gmail.com, bob3@gmail.com, would be considered phishing.

Sending emails to specific users of a company, alice@company.org, eve@company.org, harry@company.org, would be considered spear phishing.

Finally, sending emails to the bigwigs at a company: ceo@company.org, theboss@company.org, ciso@company.org.

That would be considered whaling.

Pharming is the hijacking of a legitimate website's IP address and/or domain name.

It redirects unsuspecting users to a fake site and collects information that users enter
like passwords, banking information and other PII.

A watering hole is a computer attack strategy in which the victim is in a particular group, whether it's an organization, an industry or a region.

In this attack the hacker guesses or observes which websites the group often uses
and then the hacker infects one or more of those sites with malware.

Eventually some member of the targeted group gets infected.

Relying on websites that the group trusts makes the strategy efficient, even with groups that are resistant to the different forms of phishing.

The most common and rising form of malware today is ransomware.

A recent study by PhishMe found that 97% of phishing emails today are designed to specifically deliver ransomware, which locks and encrypts a device until a ransom fee is paid.

Scare tactics include threatening the users that if they don't pay within a certain amount of time, files will start to be deleted.

The general recommendation is not to pay the ransom.

It encourages the adversaries to continue this type of extortion.

It funds their future activities and it doesn't even guarantee
that you will get a decryption key or even that the decryption key you get will work.

The best way to be safe is to not click on any unknown links and to keep a good set of backups
that you can bring back and restore from, instead of paying the ransom fee.

There are many ways to spot phishing emails and fake sites.

When you hover over a link you'll see the real web address you're being sent to.

This is impossible on mobile devices, so make it a practice to never click on the links,
but rather open up a new tab and go to the site manually.

A generic greeting instead of your actual name is another sign.

The email address can be spoofed to appear legitimate or can be noticeably off.

URLs that have the domain name, but in the wrong location, are also malicious.

HTTP instead of HTTPS is another indicator.

So is the fact that you're asked to fill
in way too much information that should not be required.

Phishing emails almost always have a desperate story that forces you to act urgently
and in some cases they actually threaten you.

The formatting and look of the email
or website including the quality of images is another giveaway.

Poor spelling and grammar are commonly found.

The email often has a generic signature without contact information.

Attachments and mentions of scripts are the icing on the cake.
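As an added example that is not part of the original video or this blog post, the Python script below turns the warning signs listed above into a simple mail-filter style check: a display name that claims a brand while the address comes from another domain, links where the brand's domain name appears in the wrong part of the URL, plain HTTP links, a generic greeting, urgency or threat wording, and risky attachment types such as zip files and macro-enabled Office documents. The brand list, the keyword lists, the scoring threshold and both sample messages are constructed for this example (the lure text echoes the wording quoted in the transcript), and the registered-domain helper is a deliberate simplification: a production checker would consult the public suffix list instead of taking the last two labels.

```python
"""Heuristic phishing-indicator check over constructed sample emails.

Added example, not code from the original page. Every list and threshold
below is an illustrative assumption, not a published standard.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the checker knows about and the domains they legitimately send from.
# Constructed list for the example; extend it for real use.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}
URGENCY_WORDS = ("suspended", "immediately", "verify", "within 24 hours", "compromised")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member", "dear account holder")
RISKY_EXTENSIONS = (".zip", ".docm", ".xlsm", ".js", ".exe", ".scr")


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (an assumption that is good
    enough for .com/.org style examples; real code should use the public
    suffix list so that e.g. example.co.uk is handled correctly)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(body: str) -> list[str]:
    """Pull http(s) URLs out of a plain-text body."""
    return re.findall(r"https?://[^\s\"'<>]+", body)


def brand_in_url_but_wrong_domain(url: str):
    """'Domain name in the wrong location': the brand appears in the host,
    but the registered domain is not one the brand actually owns."""
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host and reg not in legit:
            return brand
    return None


def phishing_indicators(raw_email: str) -> list[str]:
    """Return the list of warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    findings: list[str] = []

    # 1. Sender: display name claims a brand, address is from elsewhere.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display_name.lower() and sender_domain not in legit:
            findings.append(f"sender claims {brand} but mails from {sender_domain}")

    # 2. Walk the MIME parts: collect text bodies, flag risky attachment names.
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment {filename}")
            continue
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode("utf-8", "replace")

    # 3. Links: brand in the wrong part of the URL, and plain HTTP.
    for url in extract_links(body):
        brand = brand_in_url_but_wrong_domain(url)
        if brand:
            target = registered_domain(urlparse(url).hostname or "")
            findings.append(f"link mentions {brand} but points at {target}")
        if urlparse(url).scheme == "http":
            findings.append(f"plain HTTP link {url}")

    # 4. Generic greeting and urgency/threat wording in subject or body.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency or threat language")
    return findings


def is_suspicious(raw_email: str, threshold: int = 3) -> bool:
    """Assumed policy: three or more indicators is enough to quarantine."""
    return len(phishing_indicators(raw_email)) >= threshold


# Constructed sample: the lure wording follows the transcript's example.
PHISHING_SAMPLE = """\
From: PayPal Security <alerts@paypal-secure-login.example>
To: bob1@gmail.com
Subject: Your account has been suspended
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Dear Customer,

There's been a small change to your details that we want to verify.
Until you do, your account will be suspended because we suspect it was compromised.
Log in here to fix it: http://www.paypal.com.account-verify.example/login

--BOUNDARY
Content-Type: application/zip
Content-Disposition: attachment; filename="statement.zip"

UEsDBBQAAAAIAA==
--BOUNDARY--
"""

# Constructed sample of an ordinary internal message for comparison.
LEGIT_SAMPLE = """\
From: Alice Example <alice@company.org>
To: harry@company.org
Subject: Notes from Tuesday's meeting
Content-Type: text/plain

Hi Harry,

The slides are on the wiki: https://wiki.company.org/meetings/notes
Thanks,
Alice
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

Each finding corresponds to one of the signs the transcript lists, so the output doubles as the explanation a user-awareness tool would show; the hover-over-the-link advice is what `brand_in_url_but_wrong_domain` automates, since `www.paypal.com.account-verify.example` contains the brand but is registered under an unrelated domain.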

Reposted from: https://www.cnblogs.com/sec875/articles/10452730.html
