US-CERT Cyber Security Tip ST04-014 -- Avoiding Social Engineering and Phishing Attacks


                        National Cyber Alert System
                        Cyber Security Tip ST04-014
              
Avoiding Social Engineering and Phishing Attacks

   Do not give sensitive information to anyone unless you are sure that
   they are indeed who they claim to be and that they should have access
   to the information.

What is a social engineering attack?

   To launch a social engineering attack, an attacker uses human
   interaction (social skills) to obtain or compromise information about
   an organization or its computer systems. An attacker may seem
   unassuming and respectable, possibly claiming to be a new employee,
   repair person, or researcher and even offering credentials to support
   that identity. However, by asking questions, he or she may be able to
   piece together enough information to infiltrate an organization's
   network. If an attacker is not able to gather enough information from
   one source, he or she may contact another source within the same
   organization and rely on the information from the first source to add
   to his or her credibility.

What is a phishing attack?

   Phishing is a form of social engineering. Phishing attacks use email
   or malicious web sites to solicit personal, often financial,
   information. Attackers may send email seemingly from a reputable
   credit card company or financial institution that requests account
   information, often suggesting that there is a problem. When users
   respond with the requested information, attackers can use it to gain
   access to the accounts.

How do you avoid being a victim?

     * Be suspicious of unsolicited phone calls, visits, or email
       messages from individuals asking about employees or other internal
       information. If an unknown individual claims to be from a
       legitimate organization, try to verify his or her identity
       directly with the company.
     * Do not provide personal information or information about your
       organization, including its structure or networks, unless you are
       certain of a person's authority to have the information.
     * Do not reveal personal or financial information in email, and do
       not respond to email solicitations for this information. This
       includes following links sent in email.
     * Don't send sensitive information over the Internet before checking
       a web site's security policy or looking for evidence that the
       information is being encrypted (see Protecting Your Privacy and
       Understanding Web Site Certificates for more information).
     * Pay attention to the URL of a web site. Malicious web sites may
       look identical to a legitimate site, but the URL may use a
       variation in spelling or a different domain (e.g., .com vs. .net).
     * If you are unsure whether an email request is legitimate, try to
       verify it by contacting the company directly. Do not use contact
       information provided on a web site connected to the request;
       instead, check previous statements for contact information.
       Information about known phishing attacks is also available online
       from groups such as the Anti-Phishing Working Group
       (http://www.antiphishing.org/phishing_archive.html).
     * Install and maintain anti-virus software, firewalls, and email
       filters to reduce some of this traffic (see Understanding
       Firewalls, Understanding Anti-Virus Software, and Reducing Spam
       for more information).
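   Added example, not part of the US-CERT tip: a small Python check for
   the URL advice above. It reduces a link to its registrable domain,
   compares it against a constructed allowlist of domains the reader
   trusts, and flags a swapped top-level domain (.com vs. .net) or a
   one- or two-character spelling variation. The allowlist, the helper
   names and the two-label domain simplification are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader expects legitimate mail to link to.
LEGIT_DOMAINS = {"example-bank.com", "ftc.gov"}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host (e.g. 'example-bank.com').
    Simplification: assumes a one-label public suffix such as .com or .gov,
    so 'example-bank.com.evil.net' correctly reduces to 'evil.net'."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot small spelling variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Classify a URL relative to LEGIT_DOMAINS as one of
    'trusted', 'tld-swap', 'lookalike' or 'unknown'."""
    dom = registrable_domain(url)
    if dom in LEGIT_DOMAINS:
        return "trusted"
    name, _, tld = dom.rpartition(".")
    for legit in LEGIT_DOMAINS:
        lname, _, ltld = legit.rpartition(".")
        if name == lname and tld != ltld:
            return "tld-swap"       # same name, different domain (.com vs. .net)
        if edit_distance(name, lname) <= 2:
            return "lookalike"      # spelling variation of a trusted name
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.example-bank.com/login", "http://example-bank.net/verify",
              "http://examp1e-bank.com/", "http://example-bank.com.evil.net/"):
        print(f"{classify_url(u):10} {u}")
```

   Anything other than "trusted" is a cue to stop and verify the request
   through a known-good contact channel, as the tip recommends.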

What do you do if you think you are a victim?

     * If you believe you might have revealed sensitive information about
       your organization, report it to the appropriate people within the
       organization, including network administrators. They can be alert
       for any suspicious or unusual activity.
     * If you believe your financial accounts may be compromised, contact
       your financial institution immediately and close any accounts that
       may have been compromised. Watch for any unexplainable charges to
       your account (see Preventing and Responding to Identity Theft for
       more information).
     * Consider reporting the attack to the police, and file a report
       with the Federal Trade Commission (http://www.ftc.gov/).
     _________________________________________________________________

   Author: Mindi McDowell
     _________________________________________________________________

Produced 2007 by US-CERT, a government organization.

    Note: This tip was previously published and is being re-distributed 
    to increase awareness. 
  
    Terms of use
 
    <http://www.us-cert.gov/legal.html>
  
    This document can also be found at
 
    <http://www.us-cert.gov/cas/tips/ST04-014.html>
 

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
