This video belongs to the openHPI course Digitale Identitäten - Wer bin ich im Netz?
- 00:00 In the context of identity theft, we now want to take a closer look at social engineering attacks.
- 00:11 Well, the idea is to exploit human weaknesses, to gain a person's trust, to provide a particular occasion, to provoke a very specific reaction.
- 00:27 So for example, a mail is sent in the network under a false identity, and now the attacker exploits this: he has chosen this false identity precisely so that, for example, it is an acquaintance of the person he is attacking,
- 00:47 which gives us some kind of basic trust, and he knows, aha, that's him, and I can tell him this and that.
- 00:54 Or he comes with a story, again typically with the stolen identity of a poor person or a needy person,
- 01:03 or in the context of an accident or whatever, and then initiates helpfulness, supposed helpfulness,
- 01:12 because it's not about this injured party; with a stolen identity, there is an attacker behind it.
- 01:19 Fear, respect, trust, helpfulness, these are reaction patterns that one tries to provoke, or better yet, initiate,
- 01:29 so that the user does something he might not do otherwise, for example, publishes information such as identity data, or gives access to a protected system.
- 01:42 "I want to help you install this, all you have to do now is tell me the password." or "all you have to do is open that, and the system..."
- 01:56 On the Internet this works well and very extensively with such phishing attacks.
- 02:03 This phishing is an attack technique for accessing sensitive information.
- 02:11 Typical procedure: a fraudulent e-mail is sent, very widely spread.
- 02:18 So it is sent, for example, in the name of a bank or a company or an agency, and now they say,
- 02:29 please do this and that, log in, or send us the information, we need to update something.
- 02:37 The trick is that the user knows this bank, the company, the authority, and has faith in it, and then simply does what they say without thinking about it.
- 02:48 That a hacker is capable of sending a mail in the name of a bank or an authority works very easily; these are the so-called spoofing attacks.
- 02:58 So on the Internet it's very easy to forge identities, for example in the e-mail system.
- 03:05 That's why it's so important to look closely, so that there is no abuse.
- 03:13 The hacker could, of course, also act in the name of a stolen identity.
- 03:19 Well, and the idea is that this trust in this bank or this agency is then used to initiate a particular reaction,
- 03:32 so for example, that the data is returned, that the user clicks somewhere on a link and then lands on a website with fraudulent software,
- 03:43 or that he even installs malware because he is being told, to update, please click there now.
- 03:50 Well, that's a typical story that happens during phishing.
- 03:54 Now, if we look at this in the picture, there is an attacker who can send the user, the victim, a phishing mail like that.
- 04:03 And the phishing mail says we need to introduce a new system at the bank, please go to the website and log in.
- 04:17 But what happens in this phishing mail is that the link is not at all the link to the right bank, but a link to something that looks exactly like the bank.
- 04:28 You can see it from the URL: it doesn't say bank, it says hank here.
- 04:33 So if you don't look closely, you'd think it was the bank.de address.
- 04:39 So, on this website the user is now asked to log in; it looks just like the page you have at the right bank to log in to,
- 04:48 but the data is not entered into the banking system and used for authentication there to be recognized as a user;
- 04:56 instead the data is forwarded directly to the attacker, who thus comes into possession of username and password.
- 05:05 Then, on the second try, you'll end up right at the bank, where you are asked to log in again,
- 05:12 and then, of course, you have a guess, or something else.
- 05:17 So the attacker's server sends this e-mail with a fake sender, that is, from the bank,
- 05:25 the user now visits this alleged bank, but in reality it's the hacker's site,
- 05:31 and the idea is that the hacker makes his page as similar as possible to the correct bank page, so that he can then access this data,
- 05:42 and it doesn't end up in the banking system, but on the attacker's server.
- 05:47 Let's take a look at an example: a phishing mail that is intended to induce the recipient to reveal his account details and then manipulate something.
- 06:01 It starts by sending an e-mail with a fake sender, in this case the sender PayPal, and the message says, please come on - it looks very similar to the website - and do something on this page.
- 06:19 So if you look closely, you can see that this is not the PayPal site at all; it looks the same, but it's not called "account holder@paypal", it's called paypla.com.
- 06:36 That's a page, that's a URL the hacker got; PayPal has nothing against it, it has nothing to do with PayPal,
- 06:44 the one who got it then built a page which looks exactly like PayPal and has now sent this e-mail to the user: "Go to this page, here's the link."
- 06:55 But the user does not land at all, as he imagines, on the PayPal page; here he gets to the hacker's site.
- 07:07 This can be seen by looking very closely at the URL - admittedly, paypla and paypal look very similar and very small, and if you don't look there -
- 07:20 but you also often find small mistakes in the texts, so there are spelling mistakes, or there's no personal address.
- 07:31 Your bank would send you an e-mail about this with "Dear Mr. Meyer" or "Dear Ms. Müller".
- 07:37 Here it is "Dear Customer" or "Dear Customer", so these are such little clues; you have to look very closely whether this really is the PayPal site.
- 07:47 So, the e-mail now forwards you to where you are asked at PayPal to enter data here, to log in, or additional data for some interaction.
- 08:01 The user who hasn't looked there attentively, who thinks, yes, I'm on the PayPal site, I have a PayPal account,
- 08:07 then enters the appropriate data here, so address, password and more,
- 08:13 but the data doesn't end up in the PayPal system; what the user, the victim, was induced by this phishing mail to fill out
- 08:26 goes straight back to the hacker, who is now in possession of this password data and the sensitive identity data.
- 08:36 Now, if you look at the phishing attacks, of course, if I don't have a PayPal account and get an e-mail like that,
- 08:46 then I wonder, and then I see relatively easily, it's none of my business.
- 08:50 So the traditional phishing attacks, which were easy to recognize because they were very widely spread
- 08:58 and simply tried to induce this reaction in a large number of users,
- 09:03 had a chance, of course, only with a relatively small number of victims falling for it, namely here in the example naturally the PayPal customers.
- 09:14 That's why these phishing e-mails are sent in huge numbers.
- 09:24 Millions of times, and of course that means very little really individual information can be built in there,
- 09:32 but it just worked because there were still so many who fell for it, and it was worth it.
- 09:40 The problem for the attacker is that this scam has, of course, become better known in the meantime.
- 09:46 The media have pointed this out, we point this out in all lectures,
- 09:51 so that Internet users are already somewhat sensitized against this phishing scam.
- 09:58 Another point is problematic for the attacker: the mails reach many recipients, he sends them very broadly,
- 10:09 and there are a lot of people involved for whom the content is not applicable at all and who, of course, see through it immediately.
- 10:18 So as I said, if you don't have an account with PayPal, then it is immediately clear that this mail and this hint is no good, or just a spam mail or something.
- 10:31 That's why the attackers have now moved on to writing so-called personalized phishing mails.
- 10:39 It is no longer a question of addressing a large number of people here; now it is a matter of specifically addressing people with this phishing scam to induce certain reactions.
- 10:55 This is spear phishing, which differs from normal phishing, this widely spread undertaking; spear phishing needs more preparation.
- 11:09 And the preparation is this: the attacker collects very personal identity information about his victim,
- 11:18 so that he can address him exactly, knows the family situation, maybe even that there was some accident or something,
- 11:25 which, when used in this mail, immediately give the reader, the recipient, the impression:
- 11:33 that's a confidant, because nobody else knows that there was this accident, for example.
- 11:39 That is, in this preliminary phase, as much private information about the victim as possible is collected in great detail,
- 11:47 and its later use in such a phishing mail helps the person think gullibly, yeah, that's a message from the boss,
- 11:59 that's a message from him, that's a message from a friend, because the information used is correct.
- 12:09 So then this phishing mail with the corresponding pretended sender,
- 12:15 which is also selected in this preliminary phase to make it as effective as possible,
- 12:20 and there's a big chance the victim falls for it, simply the sender combined with the information,
- 12:29 and the mail has to come from him, and I trust him, I can tell him anything.
- 12:35 This means that the chances of success with this spear phishing are very high, but of course it's more costly for the attacker to prepare, especially because of this preliminary phase.
- 12:52 So, on the one hand, it's about collecting identity data to induce certain reactions,
- 12:57 but very often this phishing is also the first phase of a further attack, for example, a break-in into a system or another,
- 13:08 and that's why there's a lot of investment here in such personalized phishing e-mails.
- 13:15 That's why it's dangerous, and of course it's very targeted, with this effort, at high-ranking targets:
- 13:23 company bosses, politicians, high-ranking officials, celebrities, the military, business, politics, finance,
- 13:30 to cause things to happen there, either to get sensitive information or cause information to be divulged,
- 13:44 that access is created, that malware is loaded, that's the intent behind it.
- 13:49 But also professional attackers in international traffic, between states, activists, organized crime, they use these methods.
- 14:00 That was the social engineering technique of phishing; there are more techniques, more methods.
- 14:12 Here again human weaknesses, the curiosity and greed of victims, are exploited where there are malicious secondary functions.
- 14:24 So USB sticks are given away with malware, apps are offered for free with malware in the background.
- 14:33 There are competitions where the data is collected, and then certain malware or other things are placed on the victim's computer, on the victim's smartphone.
- 14:51 Another technique of social engineering is pretexting, so pretending, telling stories, lying,
- 14:58 so "big accident, and we need help, and this one hasn't and that one hasn't, here's the donation number."
- 15:04 So the victim is supposed to release information or be induced to donate
- 15:11 by telling a story that's a lie, under the false pretence of authority or the pretence of an insider.
- 15:22 Reverse social engineering is the term used to describe social engineering when the attacker contacts victims who are seeking help,
- 15:31 so when you call for help on the net, support in this or that case, then it is not willing helpers who come forward but attackers, to gain trust here and then carry out certain activities.
- 15:52 How can you protect yourself, how can one protect oneself against such social engineering attacks?
- 15:57 So first of all, you have to know that this is a scam by hackers, by cyber criminals.
- 16:04 So, for example, education like here through our openHPI course, but also occasional tests with phishing mails
- 16:14 in a company, for example: "You fell for it here now; fortunately that was
- 16:21 no real phishing, we did that to check your sensitivity, please pay more attention."
- 16:27 One must and can protect oneself by checking the identity more closely.
- 16:32 So who is it who's sending the mail, and in case of doubt - mistrust is quite appropriate there - simply ask for more information, for a passport.
- 16:49 Using secure authentication procedures is of course one way; password authentication is not considered the safest way.
- 17:01 Trustworthy certificates help to recognize whether that is now a cyber criminal under a false identity, or whether it is really certain that there's a person there.
- 17:12 Responsible handling of personal information, so not just telling everything in social media, photos and whatever,
- 17:20 because of course for organizations preparing such a phishing attack that is a wonderful field to compile exactly the personal information
- 17:29 which then induces the recipient of such a phishing mail to think, yeah, that's gotta come from him, and I gotta do something right now.
- 17:36 So always being critical at all: what do I give out, what do I put on the net, what remains then,
- 17:43 because once it's posted on the net, you can't bring that back.
- 17:47 You can delete it, but there are these backup systems, maybe someone has seen it before, then the data is gone.
- 17:54 What are now protective measures against social engineering attacks and in particular against phishing as the most effective method of social engineering?
- 18:04 Thorough verification of the sender's address: it's not enough to see the display name in your e-mail program, please take a closer look at the sender's address.
- 18:16 When prompted to enter sensitive data somewhere, like at the bank,
- 18:23 first check with the service provider: is that really the case, do you need this data?
- 18:29 Then it very often comes out that the service provider does not know at all that someone is trying to use phishing e-mails like this to access the data of this service.
- 18:39 When asked to follow a link, then you need to look closely at what the URL looks like.
- 18:48 So take a look at the browser address bar: is that now bank.de or is that hank.de?
- 18:56 Popular browsers are often already this far, that they warn against phishing websites.
- 19:08 We talked about it being a very common attack technique, especially for stealing identity data, social engineering.
- 19:18 Social engineering is about an attacker manipulating the victim, exploiting his weaknesses, building trust, abusing trust, grabbing him by curiosity or by greed,
- 19:33 just to get him to give out some information, or to go to a certain site that keeps trying
- 19:42 to get data or to sneak malware onto him or cause him to store malicious software.
- 19:52 A frequent approach when we talk about these social engineering attacks is sending fraudulent e-mails and sneaky calls, so this phishing.
- 20:05 A special form of this phishing is spear phishing, personalized phishing, where the attacker has prepared very precisely
- 20:16 what information he's playing with to get his victim to induce a particular reaction.
- 20:22 Much more elaborate, but of course also more effective than normal phishing.