
CYBER AWARENESS 2021

BY
AYOKUNLE OLANIYI
TOPICS
• PHISHING
• BUSINESS EMAIL COMPROMISE
• PASSWORDS & AUTHENTICATION
• SQL INJECTION
• CYBER SQUATTING
• CROSS SITE SCRIPTING
• HANDLING SENSITIVE INFORMATION
• SESSION FIXATION
PHISHING
• What is phishing
• How Phishing works
• Protecting against phishing
• Features of a phishing mail
• How to detect a phishing mail
• Impact of phishing
WHAT IS PHISHING
• It is an attempt to deceive users in order to steal sensitive information from them via email,
telephone or text messages
• Phishing is a form of social engineering: an act of deception, or of taking advantage of a user’s
innocence (trust), to convince them to reveal sensitive information
TYPES
• Smishing
• Vishing
• Spear Phishing
• Whaling
INFO TARGETED
HOW PHISHING WORKS
• Send email to users
• Steal data by persuading the user to:
  – Send them information directly
  – Click on a link, visit a spoofed site, then enter username and password
  – Download an email attachment which executes malware
  – Visit a malicious website hosting an exploit kit that executes malware
PHISHING METHODS
PHISHING DELIVERY
• Phishing As A Service
• Phishing Kits
HOW TO IDENTIFY A PHISHING MAIL
• The message is sent from a public or suspicious domain (e.g. pwftg0wqjgx68vgnliizqq3ryd201ti.50611061@intel.com)
• Poor Grammar
• Suspicious attachments
• Sense of urgency
BUSINESS EMAIL COMPROMISE
• Business email compromise (BEC) is a type of email cyber crime scam in which an attacker
targets a business to defraud the company. Business email compromise is a large and growing
problem that targets organizations of all sizes across every industry around the world. BEC scams
have exposed organizations to billions of dollars in potential losses.
• Email account compromise (EAC), or email account takeover, is a related threat that is
accelerating in an era of cloud-based infrastructure. EAC is often associated with BEC because
compromised accounts are used in a growing number of BEC-like scams (though EAC is also the
basis of other kinds of cyber attacks).
• BEC and EAC are difficult to detect and prevent, especially with legacy tools, point products and
native cloud platform defenses.
TYPES
• CEO Fraud: Here the attackers position themselves as the CEO or executive of a company and typically email an
individual within the finance department, requesting funds to be transferred to an account controlled by the attacker.
• Account Compromise: An employee’s email account is hacked and is used to request payments to vendors. Payments are
then sent to fraudulent bank accounts owned by the attacker.
• False Invoice Scheme: Attackers commonly target foreign suppliers through this tactic. The scammer acts as if they are the
supplier and requests fund transfers to fraudulent accounts.
• Attorney Impersonation: This is when an attacker impersonates a lawyer or legal representative. Lower-level employees
are commonly targeted through these types of attacks where one wouldn’t have the knowledge to question the validity of
the request.
• Data Theft: These types of attacks typically target HR employees in an attempt to obtain personal or sensitive information
about individuals within the company such as CEOs and executives. This data can then be leveraged for future attacks such
as CEO Fraud.
HOW BEC ATTACKS WORK
• In a BEC scam, the attacker poses as someone the recipient should trust: typically a colleague, boss or vendor. The sender asks the
recipient to make a wire transfer, divert payroll, change banking details for future payments and so on.
• BEC attacks are difficult to detect because they don’t use malware or malicious URLs that can be analyzed with standard cyber defenses.
Instead, BEC attacks rely on impersonation and other social engineering techniques to trick people into acting on the attacker’s
behalf.
• Because of their targeted nature and use of social engineering, manually investigating and remediating these attacks is difficult and time
consuming.
• BEC scams use a variety of impersonation techniques, such as domain spoofing and lookalike domains. These attacks are effective because
domain misuse is a complex problem. Stopping domain spoofing is hard enough; anticipating every potential lookalike domain is even
harder. And that difficulty only multiplies with every domain of an outside partner that could be used in a BEC attack to exploit users’ trust.
• In EAC, the attacker gains control of a legitimate email account, allowing them to launch similar BEC-style attacks. But in these cases, the attacker
isn’t just trying to pose as someone: for all practical purposes, the attacker is that person.
• Because BEC and EAC focus on human frailty rather than technical vulnerabilities, they require a people-centric defense that can prevent,
detect, and respond to a wide range of BEC and EAC techniques.
PHASES OF BEC
PHASE 1 – Email List Targeting
The attackers begin by building a targeted list of emails. Common tactics include mining LinkedIn profiles, sifting through
business email databases, or even going through various websites in search of contact information.
PHASE 2 – Launch Attack
Attackers begin rolling out their BEC attacks by sending out mass emails. It’s difficult to identify malicious intent at this stage
since attackers will utilize tactics such as spoofing, look-alike domains, and fake email names.
PHASE 3 – Social Engineering
At this stage attackers will impersonate individuals within a company such as CEOs or other individuals within finance
departments. It’s common to see emails that request urgent responses.
PHASE 4 – Financial Gain
If attackers can successfully build trust with an individual, this is typically the phase where financial gain or data breach is made.
PROTECTION AGAINST BEC
• Train your users to look for these signs that the email may not be what it seems:
• High-level executives asking for unusual information: How many CEOs actually want to review W2 and tax information for individual
employees? While most of us will naturally respond promptly to an email from the C-suite, it's worth pausing to consider whether the email request
makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.
• Requests to not communicate with others: Impostor emails often ask the recipient to keep the request confidential or only communicate with the
sender via email.
• Requests that bypass normal channels: Most organizations have accounting systems through which bills and payments must be processed, no
matter how urgent the request. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent
wire transfer be completed ASAP, the recipient should be suspicious.
• Language issues and unusual date formats: Some lure emails have flawless grammar, and some CEOs write emails in broken English. But the
presence of European date formats (day month year) or sentence construction that suggests an email was written by a non-native speaker are
common in many of these attacks.
• Email domains and “Reply To” addresses that do not match the sender’s address: Business Email Compromise emails often use spoofed and
lookalike sender addresses that are easy to miss if the recipient isn’t paying attention. (yourc0mpany.com instead of yourcompa
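The signs listed on the two phishing and BEC slides above (public or suspicious sender domain, lookalike domain, a “Reply To” that does not match the sender, urgency and secrecy language, executable attachments) can be turned into a simple triage check. The code below is an added example and is not part of the original deck; the company domain `yourcompany.com`, the free-mail list, the urgency word list and the sample message are all constructed assumptions for the demonstration.

```python
"""Heuristic triage for the phishing/BEC warning signs listed above.

Added example, not code from the original deck. OUR_DOMAIN, FREE_MAIL,
URGENCY_WORDS and SAMPLE are constructed values for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "yourcompany.com"                      # assumed company domain
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_WORDS = ("urgent", "asap", "immediately", "confidential", "do not discuss")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of a header address, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, legit: str) -> bool:
    """True when `domain` imitates `legit` by a common substitution
    (0 for o, 1 for l, rn for m) or by one inserted/removed character."""
    if domain == legit:
        return False
    normalised = domain.replace("0", "o").replace("1", "l").replace("rn", "m")
    if normalised == legit:
        return True
    shorter, longer = sorted((domain, legit), key=len)
    if len(longer) - len(shorter) != 1:
        return False
    # e.g. yourcompny.com: deleting one character of `legit` gives `domain`
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def score_message(raw: str) -> list:
    """Return the list of warning signs found in a raw RFC 2822 message."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
    if sender in FREE_MAIL:
        findings.append(f"sender uses public mail domain {sender}")
    if is_lookalike(sender, OUR_DOMAIN):
        findings.append(f"sender domain {sender} looks like {OUR_DOMAIN}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        findings.append("urgency/secrecy language: " + ", ".join(hits))
    for part in msg.walk():  # single-part messages yield only themselves
        name = part.get_filename()
        if name and re.search(r"\.(exe|js|vbs|scr|hta)$", name, re.I):
            findings.append(f"executable attachment {name}")
    return findings


# Constructed sample in the style of the CEO-fraud scenario on the slides.
SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@yourc0mpany.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@yourcompany.com
Subject: Urgent wire transfer

I need an urgent wire transfer completed ASAP. Keep this confidential
and reply only to this email; I am in a meeting and cannot take calls.
"""

if __name__ == "__main__":
    for finding in score_message(SAMPLE):
        print("WARNING:", finding)
```

Running it on the constructed sample reports three signs: the mismatched Reply-To, the lookalike sender domain, and the urgency/secrecy wording. A real mail gateway would feed the same findings into a score or quarantine decision rather than printing them.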
PASSWORDS & AUTHENTICATION
• A very simple but often overlooked element that can help your company's security is password
security.
• Often commonly used passwords will be guessed by malicious actors in the hope of gaining
access to your accounts.
• Using simple passwords or having recognizable password patterns for employees can make it
simple for cyber-criminals to access a large range of accounts.
• Once this information is stolen it can be made public or sold for profit on the deep web.
AUTHENTICATION
• What you know – password, PIN
• What you are – biometrics (thumbprint, DNA, retinal scan, etc.)
• What you have – card, token
PASSWORD STRENGTH DEMO
• Hashing
• Password capture with Wireshark
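The hashing part of the demo can be reproduced offline. The example below is added here and is not the deck’s own demo material; the word list and the leaked record are constructed. It shows why an unsalted hash of a commonly used password is recovered instantly from a precomputed table, and how a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) stops that table from working.

```python
"""Password hashing demo: unsalted hash vs. salted, iterated hash.

Added example, not the deck's own code. COMMON_PASSWORDS and the
"leaked" record below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]  # constructed list


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """hash -> password for a word list; computed once, reusable for every user
    whose unsalted hash leaks."""
    return {sha256_hex(p): p for p in candidates}


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the salt and iteration count are stored with the digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Run both sides of the comparison and return the outcomes."""
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked_unsalted = sha256_hex("letmein")            # constructed leaked record
    stored_salted = hash_password("letmein")           # same password, hashed properly
    return {
        "recovered_unsalted": table.get(leaked_unsalted),          # "letmein"
        "recovered_salted": table.get(stored_salted.split("$")[-1]),  # None
        "verify_ok": verify_password("letmein", stored_salted),
        "verify_wrong": verify_password("letmeout", stored_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The table lookup recovers the unsalted record but not the salted one, while `verify_password` still accepts the right password and rejects a wrong one. Note that hashing protects stored passwords only; a password sent over an unencrypted connection is still readable on the wire, which is what the capture part of the demo illustrates.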
WAY OUT
• Implementing randomized passwords can make it much more difficult for malicious actors to
gain access to a range of accounts.
• Other steps, such as two-factor authentication, provide extra layers of security which protect the
integrity of the account.
SQL INJECTION
• SQL injection is a web security vulnerability that allows an attacker to interfere with the
queries that an application makes to its database. It generally allows an attacker to view
data that they are not normally able to retrieve. This might include data belonging to
other users, or any other data that the application itself is able to access. In many cases,
an attacker can modify or delete this data, causing persistent changes to the
application's content or behavior.
• Payload: xxx' OR 1=1
PREVENTION
• Honestly, end users are helpless in this case
• It’s more of a technical issue and that is within the purview of the SDLC
CYBER SQUATTING
• The term cybersquatting refers to the unauthorized registration and use of Internet domain
names that are identical or similar to trademarks, service marks, company names, or personal
names. Cybersquatting registrants obtain and use the domain name with the bad faith intent to
profit from the goodwill of the actual trademark owner. Both the federal government and the
Internet Corporation for Assigned Names and Numbers have taken action to protect the owners of
trademarks and businesses against cybersquatting abuses.
HIGHLIGHTS OF CYBER SQUATTING
• Register similar domains
• Archive.org
• Download website
CROSS SITE SCRIPTING
• Cross-site scripting (also known as XSS) is a web security vulnerability that allows an
attacker to compromise the interactions that users have with a vulnerable application.
• It allows an attacker to circumvent the same origin policy, which is designed to
segregate different websites from each other.
• Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim
user, to carry out any actions that the user is able to perform, and to access any of the
user's data.
• If the victim user has privileged access within the application, then the attacker might be
able to gain full control over all of the application's functionality and data.
DEMO
• Demo
MITIGATIONS TO XSS
End users are helpless; it’s purely technical
• Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is
expected or valid input.
• Encode data on output. At the point where user-controllable data is output in HTTP responses, encode the
output to prevent it from being interpreted as active content. Depending on the output context, this might
require applying combinations of HTML, URL, JavaScript, and CSS encoding.
• Use appropriate response headers. To prevent XSS in HTTP responses that aren't intended to contain any
HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that
browsers interpret the responses in the way you intend.
• Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to reduce the
severity of any XSS vulnerabilities that still occur.
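The second, third and fourth mitigations above, written out as code. This is an added example and not the deck’s code: a comment is rendered into an HTML paragraph first without and then with HTML output encoding (`html.escape` from the Python standard library), and a small helper produces the response headers for an HTML page and for a JSON endpoint. The comment text and the CSP value are constructed assumptions.

```python
"""XSS mitigation: output encoding for the HTML context plus response headers.

Added example, not code from the original deck. CONSTRUCTED_COMMENT and the
CSP policy string are constructed for the demonstration.
"""
import html

CONSTRUCTED_COMMENT = '<script>alert("xss")</script>Nice post!'  # constructed input


def render_unsafe(comment: str) -> str:
    """Interpolates raw user input into HTML; any markup in it becomes active content."""
    return f"<p class='comment'>{comment}</p>"


def render_safe(comment: str) -> str:
    """HTML-encodes the value at output time, so < > & " ' are displayed, not parsed.
    Other contexts (attribute, URL, JavaScript, CSS) need their own encoders."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def response_headers(is_html: bool) -> dict:
    """Headers for an HTML page (with an assumed CSP) or for a data endpoint that
    must never be interpreted as HTML."""
    if is_html:
        return {
            "Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


def contains_script_tag(rendered: str) -> bool:
    """Crude check for the demo: does the output still carry a literal <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(CONSTRUCTED_COMMENT))
    print("safe:  ", render_safe(CONSTRUCTED_COMMENT))
    print("headers:", response_headers(is_html=True))
```

In the encoded output the tag arrives at the browser as `&lt;script&gt;` and is shown as text. The `nosniff` header stops a browser from second-guessing the declared `Content-Type` of the JSON endpoint, and the CSP limits what an injected script could do if some encoding step were missed.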
HANDLING PII
• PII : Personally Identifiable Info
• PII is data which can be used to identify, locate, or contact an individual and includes
information like name, date of birth, place of residence, credit card information, phone number,
race, gender, criminal record, age, and medical records.
• Every organization stores and uses PII, be it information on their employees or customers.
• Even schools and universities will store the PII of their students, while hospitals will store patient
data.
VALUE OF PII
• The PII your company stores is highly attractive to would-be attackers who can sell PII on the
black market at a handsome price. PII can be used for any number of criminal activities including
identity theft, fraud, and social engineering attacks.
• It goes without saying that it is absolutely vital that individuals and companies protect their PII.
• Failure to secure PII leaves your company open to highly targeted social engineering attacks,
heavy regulatory fines, and loss of customer trust and loyalty.
PROTECTING PII
1. Identify the PII your company stores
2. Find all the places PII is stored
3. Classify PII in terms of sensitivity
4. Delete old PII you no longer need
5. Establish an acceptable usage policy
6. Encrypt PII
7. Eliminate any permission errors
8. Develop an employee education policy around the importance of protecting PII
9. Create a standardized procedure for departing employees
10. Establish an accessible line of communication for employees to report suspicious behavior
SESSION FIXATION
• Session Fixation is an attack that permits an attacker to hijack a valid user session.
The attack exploits a limitation in the way the web application manages the session ID;
more specifically, the vulnerable web application does not assign a new session ID when
authenticating a user, making it possible to keep using an existing session ID.
• The attack consists of obtaining a valid session ID (e.g. by connecting to the application),
inducing a user to authenticate himself with that session ID, and then hijacking the
user-validated session through knowledge of the session ID used. The attacker has to
provide a legitimate web application session ID and try to make the victim’s browser use it.
FIXING FIXATION
• End users should always log out of applications that are no longer in use
• They should also note that ‘log out’ is different from ‘Cancel’
• Developers should manage session parameters well
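“Manage session parameters well” means, for fixation, issuing a fresh session ID at the moment a user authenticates. The example below is added here and is not the deck’s code: a small in-memory session store that can be switched between the vulnerable behaviour (the pre-login ID is kept) and the fixed behaviour (the ID is rotated at login), and a replay of the scenario described above that reports whether a session ID obtained before login still yields the victim’s identity afterwards. The store, the user name and the ID format are constructed for the demonstration.

```python
"""Session fixation: keeping vs. rotating the session ID at login.

Added example, not code from the original deck. The in-memory store and
the "victim" user are constructed for the demonstration.
"""
import secrets


class SessionStore:
    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session_id -> {"user": name or None}

    def new_session(self) -> str:
        """Create an anonymous session with a random, unguessable ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session `sid`; returns the ID the browser must use from now on."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.rotate_on_login:
            # Fixation defence: drop the pre-authentication ID and bind the
            # user to a brand-new one that nobody could have known in advance.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def logout(self, sid: str) -> None:
        """Invalidate the session server-side (what 'log out', unlike 'Cancel', does)."""
        self.sessions.pop(sid, None)

    def whoami(self, sid: str):
        """The user bound to `sid`, or None if the session is anonymous or gone."""
        return self.sessions.get(sid, {}).get("user")


def fixation_scenario(rotate_on_login: bool) -> bool:
    """Replay the attack from the slide: an ID obtained by merely connecting is
    later used by the victim to log in. Returns True if that pre-login ID now
    resolves to the victim, i.e. the fixation succeeded."""
    store = SessionStore(rotate_on_login)
    pre_login_id = store.new_session()      # obtained before any authentication
    store.login(pre_login_id, "victim")     # victim authenticates with that ID
    return store.whoami(pre_login_id) == "victim"


if __name__ == "__main__":
    print("without rotation, fixation succeeds:", fixation_scenario(False))
    print("with rotation, fixation succeeds:   ", fixation_scenario(True))
```

With rotation disabled the pre-login ID becomes the victim’s authenticated session; with rotation enabled it is discarded at login, so whoever held it learns nothing. The `logout` method shows the server-side counterpart of the end-user advice above: a session that is logged out is removed, whereas merely closing or cancelling a page leaves it valid.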