1

© 2014 Solutionary, Inc. November 18, 2014ActiveGuard® U.S. Patent Nos 6,988,208; 7,168,093; 7,370,359; 7,424,743; 7,673,049: 7,954,159; 8,261,347

Hacking the Person: Social Engineering and Phishing Attacks

Jon-Louis Heimerl

What do I know?

2

2

3

Hello. Help Desk. Jim Stanton speaking.

Ray? You sound like crap, man.

No problem. What do you want for a temporary password?

4

3

5

6

4

7

8

5

Social Engineering

• The art of social deception and manipulation.

9

Most important skill forSocial Engineering

10

6

11

12

7

13

What do you want to attack?

14

Vs.

8

15

16

9

17

18

10

How Successful?

19

Social Engineering Success Rate

Success

Failed

How Often?

20

SE & Phishing

SE&P

SE&P

NONE

11

21

Advanced Persistent Threat?

22

ReconnaissanceSocial Engineering – malicious intelligence

Phishing – email with malicious links – CLICK ME!

Active Attacks

Remote Control

Attack Expansion/Elevation

Define Target

Exfiltrate Data

Per

sist

ent

Co

mp

rom

ise

12

23

+ =Social Media BMW

Gary

24

13

25

Gary

26

14

27

28

15

29

30

16

31

Which Subject Line is More Intriguing?

General Specific

Ebola Warning! Health Alert: Ebola Quarantine issued in Pittsburgh!

Go Back to School Now! NOTICE: Lynn Heimerl Academic Suspension

Lower Health Insurance Rates Final Notice: Solutionary Open Enrollment ending for JonHeimerl

Dangerous Drug Side Effects WARNING: Aventis warns of fatal LASIX side effects

Refinance Now – Lower HARP rates!

WellsFargo offering specialrefinance rates in Pittsburgh

32

17

Phishing Email?

33

34

18

35 http://chase.com.ealertsonline.com/update/3393328410575c1867da2dfde44ce78a/Home.php?login.psp?

36

http://chase.com.ealertsonline.com/update/3393328410575c1867d

a2dfde44ce78a/Home.php?login.psp?

http://chase.com.ealertsonline.com

19

37

38

20

39

40

www.urlvoid.com www.ipvoid.com

21

TANSTAAFL

41

• You are not related to a Nigerian Prince.

• No one is sending you money (or gold, etc.)

• Your bank/credit card did not send you a link to “login here”.

• You did not win a jackpot/sweepstakes, et al.

• You are not getting a car at 50% off MSRP.

• The IRS did not send an audit notice by email.

• You do not have outstanding warrants.

42

22

- TRAIN -

Don’t think “Awareness”

Think “Change Habits”

43

44

23

Being a Little Paranoid is Good

45

What is your security posture?

46

24

47

Hacking the Person: Social Engineering and Phishing Attacks

Jon HeimerlSenior Security Strategistjonheimerl@solutionary.com

www.solutionary.com

@solutionary@jonheimerl

© 2014 Solutionary, Inc. November 18, 2014ActiveGuard® U.S. Patent Nos 6,988,208; 7,168,093; 7,370,359; 7,424,743; 7,673,049: 7,954,159; 8,261,347

Thank You!