
From phishing scams to identity theft, are you safe from cybercrime? Webinar



– [Sam] Hello, and welcome to this
Deakin University Alumni webinar, presented by Damien Manuel. Sam Johnston here from the
Deakin Alumni Relations team. It’s great to have you with us. I’d like to start by acknowledging the
traditional owners of the land from which we’re broadcasting today,
the Wurundjeri people of the Kulin nations, and to pay our respects to
their elders, past, present, and emerging. Today, we’re broadcasting
from Deakin’s Burwood Campus. And our webinar topic is,
“From Phishing Scams to Identity Theft, Are You Safe from Cybercrime?” To watch past webinar and seminar
recordings, visit the Webinars and Resources page on the Deakin
Alumni website. Today’s webinar will be recorded and
posted online, and will be available in approximately three weeks under the
Faculty of Science, Engineering and Built Environment section of the page. Damien Manuel’s interest in security
was sparked at the age of 11, when he was part of a hacker collective. He is now a director of Deakin’s Centre
for Cyber Security Research and Innovation, and holds a range of
senior positions on boards of national and international security and IT groups. Damien also mentors entrepreneurs through
CyRise, Australia’s only cybersecurity startup accelerator, and has
established information technology community resource centers to improve
literacy and skills in Kenya, Laos, Uganda, and Cambodia. Damien joins us today from overseas. Thank you so much for making time for us
today, Damien, and for getting up so early. Over to you.
– [Damien] Thank you, Sam. It’s great to be here to give a
presentation on cybercrime and some of the things that are happening. I’m dialing in from Lithuania,
where I’m actually investigating and sort of working with the government here around
misinformation campaigns that they suffer from Russia. As we go into the next slide,
I’ve just got a brief agenda to give you a bit of a rundown of some of the things
that we’ll cover during the talk. We’ll look at human behavior
and critical thinking. I’ll cover who these hackers are and sort
of the different motivations that drive them. We’ll talk about some of the common
attacks and some of the common scams that are used as well. And we’ll also spend some time thinking
about how to be a hacker and the kind of mindset that hackers have. We’ll also briefly cover why data is
considered the new oil and how information is gaining greater and greater importance. I’ll also cover a couple of tips
about staying safe online. As we go to the next slide,
the first thing that we’re going to do, though, is we’re going to play a little
bit of a quick game and I want you to play along sort of from a true and false
perspective and record down which answers you’re getting right and wrong. And we’re going to ask
a number of questions. And really, I want you to think about
whether those questions are true or false. And then we’ll have a little bit of poll
as we go through [inaudible] to respond online. And then we can talk about why
some of these things are true and why some are false as well. The first question, the Great Wall
is visible from space. So we’ll pop up a poll now. And if you can select true or false,
we’ll give you a couple of seconds to submit your responses. And then, hopefully, that’s enough time
for most of you to select either true or false. The Great Wall of China is visible from
space, and we’ll see what the results are. And so we’ve got a mixture. Forty percent of you are saying true
and 60% are saying false. Okay, we’ll move on to the next question. And the next question is, Mount Everest is
the tallest mountain from the base to the summit. Again, we’ll do a quick poll. Mount Everest is the tallest mountain
from the base to the summit. Again, select true or false. And we’ll have a look now to see
what the results are. And as you can see, we’ve got about 52%
saying true and 48% saying false. And we’ll have a look
at the next question. And the next question is, giraffes are
mammals that can’t jump because they’re such a large animal. Very awkward with their big necks. Giraffes are mammals that can’t jump. If you can select true or false. And we’ll have a look at what the
responses are now. Okay, so we’ve got 33% saying true, that
giraffes are mammals that can’t jump, and 67% saying that that’s false. The next question is, eggplant,
okra, and tomatoes are all fruit. So eggplant, okra,
and tomatoes are fruits. So, true or false? Okay, and we’ll have a look
at what the results are. Okay, so 58% of you saying that it’s true,
42% of you are saying that that’s not true. We’ll look at the next question now. Diamonds have formed from the
metamorphism of coal. So it’s the compression of coal carbon
to create diamonds. Again, true or false? Diamonds are formed from the metamorphism
of coal, which is pressure on carbon to create a diamond, true or false? And we’ll have a look at what
that response is. Okay, so 79% of you say that’s true,
21% have responded as false. Okay, we’ll go to the next question now. Seasons are caused by Earth’s
distance from the Sun. So the earth has an elliptical orbit,
it’s around the sun. It’s not a perfect circular orbit. So, the question is, seasons are caused
by Earth’s distance from the Sun. Is that true or false? And we’ll have a look
at the responses now. Okay, so 62% of you are saying that
that’s true, and 38% of you are saying that’s false. Okay, we’ll move on to the answers. That way you can see what was actually
true and what was false. The Great Wall is visible from space
is actually false. If we have a look at that one,
Mount Everest is the tallest mountain from the base to the summit. That one’s false as well. Giraffes are mammals that can’t jump. That one’s false. Eggplant, okra, and tomatoes are all fruit. That one’s actually true. Diamonds are formed from the metamorphism
of coal, which is actually false. And seasons are caused by Earth’s distance
from the Sun, which surprisingly is false as well. So, have a think about the questions and
how you’ve answered those questions, and how many of those that you’ve got correct,
whether you got all six correct, or whether you got none correct,
or whether you got a mixture. And we’ll have a look at some of the
reasons as to why some of them are true and some of them are incorrect. On the next slide, I’m going
to show you an image. And this is an image taken from the
International Space Station using a camera with a telephoto lens. A telephoto lens is a zoom lens. And we’re going to clear up the screen now
a little bit because of a little bit of haze from the clouds. And then, as we do that,
you’ll see the arrows I’ve placed indicating where the Great Wall
of China is actually located. As you can see, it’s clearly
not visible from space, particularly with the human eye. You’d need to have an apparatus
that can zoom in. And even when you do zoom in, it’s very,
very difficult to even actually see where the location of the Great Wall is. On the next slide, I’m going to show you
the facts around the tallest mountains from base to summit. The key here is that Everest is the
tallest from an altitude perspective, but we manipulated the question to talk
about the height of the mountain from the base of the mountain to the summit. And Everest is not the highest
from the base to the summit. Mauna Kea is actually the highest
from the base to the summit. However, most of that mountain is actually
submerged below sea level. Technically, from an altitude perspective,
Everest is the highest, but, technically, from the measurement
of the base of the mountain to its peak, Mauna Kea is the highest that’s based in
the Pacific, with Kilimanjaro coming in second, and Everest coming in third. The next slide, we’ll look
at mammals that can’t jump. And the only mammals that can’t jump
are elephants, sloths, hippos, and rhinos as well. What’s interesting is, in the current
digital age that we live in, if you have an image with a statement,
research has shown that people are more likely to believe that statement if it’s
got an image accompanying it. One of the things that we were looking
to do was to manipulate you into thinking that because you’ve got an image
of a giraffe and they are long and lanky, that the statement that they can’t jump is
actually correct when, in fact, it’s actually false. On the next slide, I’ve got an explanation
for you around diamonds. Diamonds are not actually
formed from coal. Diamonds are actually formed from carbon,
which is what everybody is taught. However, we make the linkage between
carbon and coal in our minds. Diamonds are actually found in vertical
pipes, which are formed from volcanic eruptions,
and the carbon that they’re actually formed from is dated as being older than
land plants and when animals first appeared on the earth. Coal is also found in a horizontal
sedimentary block, which, again, is further evidence that diamonds are not
formed from coal, rather they’re formed from volcanic pipes,
sort of from high pressure of carbon in the center of the Earth. Now, on the next slide,
we often think that seasons are caused by the elliptical nature of the earth
going around the sun. However, it’s got nothing to do with that
elliptical orbit, it’s actually got to do with the tilt of the axis of the earth. So, what’s quite interesting is, when
the earth is closest to the sun, in the Northern Hemisphere,
it’s actually winter. It’s counterintuitive, so really,
seasons are caused by that axial tilt that you can see on the screen. And it really has nothing to do with the
distance that the earth is to the sun. What’s quite interesting around that
exercise is, you can see that a lot of information can be manipulated and
people can be convinced to select different answers and reasons based
on things that are learned, assumptions from school, or a
learnt social, sort of common, practice where we might think that
something is true when in fact, the science behind it actually
proves that it’s false. What’s interesting from looking at the
numbers is that in general, as we moved through that exercise, we moved
from a state where 79% of people believe something is true, in particular,
diamonds were from coal, when in fact, that’s actually incorrect. And, in some cases, 60% of you believed
that yes, the Great Wall is not visible from space, which is correct. What’s interesting, the highest one that
scored was that giraffes are the only mammals that can’t jump. Most of you said that that was actually
false, which was quite, quite good. What drives, sort of, human behavior
in, sort of, the digital age is, really we’re living in an environment now
where we’re dependent on digital technology,
we’re connected to each other across social media
and different platforms. And we really haven’t evolved as a species
to deal with the consequences of being continuously connected
and using digital systems. As a result, we are susceptible
to manipulation. And we’re also susceptible
to intimidation. And that goes back to sort of our
primitive brain around fear response. It’s manipulation and the intimidation
that’s often used by cybercriminals to force people to make choices that we
wouldn’t otherwise normally make. One of the manipulation techniques that
is used is the fear of missing out. Often, people will receive a message
saying that you need to action this immediately. If you don’t action this immediately,
there’ll be consequences. And they’ll also use the whole pressure of
everybody else is doing this so you should start doing this now. And often that’ll be a quote of, “79%
of people have benefited from this particular scheme. You need to get in now
to benefit from the scheme.” The other challenge that we have with the
online world is, we seem to be more trusting of people on the internet
than we really should be. And that’s a strange phenomenon. When we meet people face to face, we often
use body cues to determine whether that individual should be trusted or not. And that’s called micro-expressions
on people’s faces. Often, within 10 seconds, we’ve made a
judgment call as to whether that individual is trustworthy or not. Unfortunately, when we deal with people on
the internet, we often can’t see them or the video that we’re looking at them
through is generally of a poorer quality, which doesn’t allow those
micro-expressions to come through. As a result, we tend to be more trusting
of people online than we really should be. The other thing that’s used by
cybercriminals is building rapport. They’ll try and build a rapport by talking
about the weather, talking about family and friends, asking questions about a
particular restaurant that you might have attended. They’ll do a lot of surveillance in terms
of particular individuals and where they frequent, and then they start
discussing some of those sort of activities because they know some of
your hobbies or some of your interests. They do that as a way of building trust
and then use that as a mechanism to exploit you. The other aspect is putting forward a
scenario where they may provide some assistance to you and then use that as a
way to manipulate, to say, “Look, if I help you, I need you
to help me out as well.” And that’s something that
we see that’s quite common. At the end of the day,
who are these hackers? And so, on the next slide,
we’ve got the typical picture that the hacker is the individual with the hoodie
on, who often sits in a basement, in a dark room on a computer. But in reality, if we move to the next
slide, you’ll see that hackers are just like you and me. They could be anybody. There could be individuals that you work
with, they could be family members. A number of hackers that really cause a
lot of, I guess, problems are individuals who have day jobs. And hacking is really a sideline sort
of activity for them as well. On the next slide, what I’ve done is I’ve
listed some of the different hacker categories that you can see. We’ve got a range of different, I guess,
threats that we need to be aware of from an online perspective. You’ve got low-risk, sort of, what we
call in-the-field threat actors. These low-risk ones are what I term
creative exploiters. They tend to do things and break systems
more out of curiosity rather than being malicious. Some of the early inventors of Apple,
for example, I would put in the creative exploiters category,
where they were what they called phreakers or phone phreakers, where they
learn to manipulate the telephone system by using whistles to give free
long-distance telephone calls and things like that as well. So they weren’t really after data
to misuse that information, or just steal information,
or to hold individuals to ransom. They were just really curious about
exploiting systems for their own gain, or to understand how the systems really
sort of function and work. The next sort of low-risk hacker, I guess,
you’ve got what we term script kiddies. And it’s a bit of a derogatory term
that’s used in the industry. A script kiddie will typically be an
individual who has downloaded some tool or information off the internet. And they’re really just using that tool
without full understanding of how that tool functions. They often lack programming skills. And so a lot of the things that they tend
to really do are defacing websites or being problematic. You could consider them, really,
as the vandals of the internet. Both the creative exploiters
and the script kiddies are put in the low-risk category. The next ones that you’ve probably heard
about in mainstream media is hacktivism. Hacktivism is politically motivated. It ranges and it changes depending on the
time or the political things that are occurring in society. One of the very sort of famous hacktivist
groups is a group called Anonymous. And it’s a loose collection of individuals
where you don’t necessarily have a defined leader. As a result, they tend to attack different
organizations or individuals based on what those individuals or organizations are
doing at a particular time. As an example, Australia went through a
period where we had a bit of a rough patch with Indonesia from a political
perspective. And hacktivists from Indonesia started
attacking Australian organizations. To get back at the government, they
thought they would attack any organization that had the word commonwealth,
national or Australia in it. And so, effectively, what ended up
happening was a lot of organizations like banks, for example,
that have national in the title like National Australia Bank,
or Commonwealth Bank, were victims of those hacktivists when,
in fact, they had nothing to do with the political process. The next one that is increasing
in significance of risk is terrorist organizations. These are organizations that are
obviously driven by ideology. Often, it’s religiously based. They don’t yet have the technology to
cause severe damage or to affect the way of life of Australian citizens. However, it is just a matter of time
before they do become a significant threat. Now, the reason that I say that is,
terrorists can acquire the technology from other areas, like crime syndicates,
which I’ll talk about in a moment, but at the moment, that hasn’t happened. And so we’re kind of relying on terrorists
to build their own tool sets and implement their own attacks. But once they start to acquire that from
criminal syndicates, we’ll start to see terrorists become quite a significant
threat from a digital perspective. So one of the areas that really probably
impacts Australians the most, both from a business perspective and also
from an individual perspective, is cybercrime syndicates
or criminal syndicates. Criminal syndicates are very similar in
structure to what would have been the old sort of mafia-type arrangement where you
generally have a head of a family or a leader, you’ll tend to have a number
of key individuals underneath, who then run a diverse group of
individuals which are kind of the people on the street. Some of those people on the street, again,
are everyday citizens that have day jobs but moonlight by providing services
to criminal organizations. What’s interesting is criminal
organizations also have a very well-defined business structure. That structure is very similar to,
I guess, legitimate businesses where legitimate businesses will use
outsourced services. That happens quite a lot in the criminal
syndicate world of cybercrime as well, where they’re outsourcing services to
different providers that provide specialty systems, or services, or labor
to attack individuals. Just as an example, there is a group that
provides services, which is called mules. These mules are basically a labor force
that can be shifted around the globe. They tend to fly people
in and out of countries. And those mules, what they’ll do is, when
they get a whole bunch of credit cards that have been stolen, the mules will
actually use those credit cards on fake credit cards that they’ve created. They’ll go to ATMs and instantaneously,
you’ll have a whole bunch of mules, say for example, in one state,
going to a bank and all simultaneously using those fake accounts to withdraw
money from a whole range of accounts. They’re effectively a labor-hire force,
where they’ll convert the stolen information and cash that out from a
monetary perspective. Now, from an outsourced perspective,
the criminal syndicates really only see 30% of the money that’s cashed out. Seventy percent of that goes
to the individuals or the mules because it’s quite a high-risk activity. They often get caught, they’re filmed,
whereas the cybercrime bosses are often based in foreign countries that have laws
that provide some level of protection or where there’s no extradition. The other sort of really high-risk area
that businesses in particular need to consider is what I term
the trusted insider. The trusted insider, you could
break down into a number of groups. You could break it down into the negligent
individual, who is an individual that hasn’t been properly trained,
doesn’t know the processes, and will make a mistake of some sort that publicly
releases information. The next area that you’ve got
would be the ethical insider. And there are quite a few examples
of ethical insiders. If you think about the Nixon era with the
Watergate scandal, there was a gentleman called Mark Felt, and Mark Felt was the
insider who publicly exposed the corruption that was
occurring to the media. He was known during that
period of time as Deep Throat. Today, we have modern ones like
Edward Snowden, Julian Assange, and Chelsea Manning. These are individuals who saw something
that didn’t gel with their ethical compass and thought that in the public interest
it was important for that information to be disclosed. They’re the kind of modern examples
of an ethical sort of insider. Now, it doesn’t mean that what they’ve
done is correct, or right, or wrong, but it just means that from an ethical and
moral perspective, they saw something, it didn’t gel with their sense or their
belief or what was right and wrong. And so they felt that it was in the public
interest to do something. Now, that may be the case where that was a
public good, and we may see it as a public good in the future. However, some of the mechanisms that
are used to do that do put people and individuals at risk. The other type of insider you’ve got
is the malicious insider. And they’re really motivated
through greed and revenge. They tend to be individuals in
organizations who believe that they’re doing a really good job, that they’re a
fantastic person, they’re a great asset to the company. However, in reality, they may be
a poor-performing individual, they may have been passed over for a
promotion, or missed out on a bonus. And as a result, those individuals will
take it out on those organizations, and will either release information or
steal information as a way to get back at the organization. The other type of insider
you’ve got is espionage. These are individuals that are either
pressured by hacktivist groups, terrorist organizations,
or crime syndicates. Or they’re individuals that have gotten
to a point in their life where they’ve got an alcohol problem or a drug addiction,
so they’ve got to find some way to pay for that component. Now, the other one that’s probably of
most significance and of most worry is cybercrime that’s committed by government. And there are two, sort of,
different broad aspects. You’ve got internal actions, where
governments are spying on their own citizens. Most governments around
the world do this. You’ve got some governments that are using
propaganda campaigns as well to control their populations. And then the other side you’ve got is
governments attacking other countries. Now, they’re attacking other
countries for a number of reasons. It’s either for propaganda,
to get a foothold to change the government policy, or to claim territory. A similar thing happened in Ukraine,
for example, where the Russian government was using propaganda to incite a bit of a
rebellion within the country among the Russian individuals that were living
in Ukraine as well as sort of the Ukrainian nationals. And then as a result,
you can destabilize an environment and then as you destabilize an environment,
you get rioting, you get war-like conditions occurring, which means that
it’s very easy then to roll in the tanks and take control of a
particular environment. The other reason that a lot of governments
attack other countries, outside of spying, is to steal
intellectual property or information. You might kind of ask,
why is that important? I’ll give an example of a mining company. A mining company, the information that
they have, you might say, is not that important. Really, all they’re doing at the end
of the day is digging up ore out of the ground, shipping it to a center
to be put on a ship that then gets sent overseas for processing. However, the cost of doing that is highly
sensitive and important. And if I’m in another country that might
be buying that ore, for example, if I could get that information in terms
of the cost of production to dig that ore out of the ground and to ship it,
I now have a really good negotiation standpoint where I know how far I can
drive them down from a cost perspective. If they were trying to sell the ore to me
at $60 a ton, and I know that that ore is $20 a ton to get out of the ground,
I could quite easily push that company down to paying a price of $25 per ton or
$30 per ton rather than the $60 per ton that they were after. The other sort of interesting thing about
governments is, if you look at North Korea, for example,
North Korea is a sanctioned country. They’ve got no way to make revenue or to
interact with the Western world or even sort of the Eastern world. What they’ll do is they’ll actually be the
ones that are pushing forward with a number of scams to steal money from
individuals or from different countries or the institutions within those countries. A lot of the scams that we see are
actually from countries or driven by countries like North Korea. Now, North Korea also attacked a
Bangladeshi bank and made off with $91 million in that attack as well. If we just move forward slightly,
I’ve highlighted sort of the ones that are driving, sort of, espionage. And then if we move forward again with the
slide, you’ll see the ones that I think are really of significant importance both
from a business perspective, a country perspective,
and also from an individual perspective as well. On the next slide, we’re going to look
at some common attacks and scams. One of the common ones that you’ll see
on the next slide is a scam which relies on the individual actually contacting the
scammers. You’re tricked using some very clever techniques, where they
haven’t actually put anything malicious on your device. They’re using what’s called JavaScript
to pop up a browser window. And that browser window looks very similar
to, for example, an Apple site or to a Microsoft site depending on the
platform that you’re using. And it will often use a scare tactic
to convince you to call a number. And that number changes quite often. And in the visual example that I’ve got on
the screen, you can see it’s an 03 number. They had detected that my machine was
based in Victoria, so they will give me a local number. Sometimes they’ll actually provide a 1-800
number because they know as soon as you access that page, they’ll know what
kind of browser you’re using. They’ll know what kind of device you’re
connecting from, and they know the rough geo location of your house or workplace in
terms of that internet connection as well. What I’m going to do is I’m going to play
the message that would be normally heard over the speakers that you would
encounter if you were tricked into going to that website. And what I should also point out too is,
sometimes they don’t trick individuals into clicking on links
to go to that website. Sometimes what they’ll do is the adverts
that you see on the sides of websites, one of the tactics for criminal syndicates
is they’ll buy advertising space, they’ll run a normal advert. And then at some point they’ll change the
advert which actually triggers the script that then creates the
fake-looking website. I’m just going to play now
the message that you’d hear. There’s a couple things
to sort of listen for. You’ll hear in the message that
they quote an error ID. That error ID is very important,
and I’ll explain why afterwards. And have a listen to kind of the message
that they’re using and think about how you’d react if you heard
that message as well.
– [Voiceover] Error number 268D3. Critical alert from Microsoft. Your computer has alerted us that it is
infected with a virus and spyware. This virus is sending your credit card
details, Facebook login, and personal emails to hackers remotely. Please call us immediately at the
toll-free number listed so that our support engineers can walk you through
the removal process over the phone. If you close this page before calling us,
we will be forced to disable your computer to prevent further damage to our network.
– [Damien] As you can hear, they were
using an error code. And the error code is used for them
to identify when you call, what kind of campaign you
were involved in. They’ll run multiple campaigns
simultaneously from a call center targeting different individuals
around different countries. And so they’ll use the error code to
identify, “Okay, this is a campaign that was being run in Australia,
it was for one around Microsoft. We know it’s a person using a Microsoft
platform and not an Apple platform.” There’s a number of,
sort of, things that they’ll use. You also heard them using the scare
tactic, that if you don’t call the number that’s provided, they’ll
disconnect your machine. And a lot of individuals will actually
fall for that because they believe that this is a legitimate-looking website. It looks very much like a Microsoft thing. When they’re trying to close it in their
browser, it doesn’t close, it stays there. If they reboot their machine,
it’s designed in a way that as soon as the machine reboots, the web browser
pops up again with that same sort of error message. The next clip that I’m going to play for
you gives you an example of what happens when you call the scammers back. And it’s quite interesting that I’ve
called multiple times just to give you an example of the different sort of voices
and to show that these are fully-fledged call centers that they’re running.
– All representatives are currently assisting other customers.
– [Female] Thanks for calling. How can I help you?
– [Harry] Thanks for calling support. My name is Harry. How may I help you?
– [James] Thank you for calling. My name is James. How may I help you?
– [Alec] Thank you for calling support. My name is Alec, how may I help you?
– [Jack] Thank you for calling support, my name is Jack. How may I help you?
– [Peter] Thank you for calling support. This is Peter, how may I assist you?
– [Damien] So as you can hear,
it’s a diverse range of individuals, both male and female. And they do the whole nice thing of,
“All of our callers are currently busy. You’re in a queue.” So it adds to the legitimacy that tricks
people into thinking that they’re actually talking to somebody from Microsoft. A lot of times they’re running these
call centers out of India, the Philippines, and a few other countries. So these are services that crime
syndicates are actually using. They’re fully operational and they’re kind
of available for anybody to purchase and use as well. I have another clip which I won’t play,
but in that clip, I called, and what was interesting,
as soon as you mention the word malware, they know straight away that this is
somebody who’s obviously got an understanding of how malware works,
and they’ll hang up on you. But if you ring up and you’re playing the
kind of, “I don’t know anything about computers. I’ve got this error message,” they’ll be
extremely helpful in trying to solve the problem for you. If you quote the error code correctly,
they’ll look up on their internal systems the script that they need to follow. They’ll then try and sell you
a solution to fix the problem. They’ll charge you anywhere
between $300 and $1,000. And they’ll ask for your
credit card details. And at that point, that’s when they’ve
actually done two things. They’ve got money now out of your account,
and then they’ve got your credit card information with some additional details
that they’ll then sell on to other people in the crime, sort of, world as well. If you don’t quote the ID correctly,
you put them into a little bit of a spin because now they don’t know what kind
of campaign you were involved in. At this point, they then
become extremely helpful. And will start to ask a lot of other
questions to try and identify what kind of machine you’re using. They’ll ask for your telephone number, so
that way, if they get disconnected they can call you back. They’ll ask for additional information in
terms of where you’re based to try and understand, geographically,
what kind of things they could scam you out of. And then what they’ll do is they’ll use a
public service that they’ve bought. So very similar to what you’re connected
to now from a webinar perspective, there’s a thing called go-to support. And that’s a commercial product that’s
available to a lot of organizations. And they’ll actually purchase an account,
and then try and remotely connect to your device, and they’ll talk you through
how to set up the remote connection. And then their aim is to take control of
your device and then to install malware, again, to get you to pay with credit card
information and details, so that way they can extract finances and sell that card
details on as well. On the next slide, we’ve got some
information that’s probably, you know, the number one scam, so apart
from tricking you by hijacking adverts and things like that, the number one way
to really attack people is what they call phishing, pharming,
vishing, or smishing. The reason that they use this technique
is because it works. So phishing, vishing, and smishing are
techniques of sending a message to an individual and tricking that
individual to either open an attachment and that attachment will either contain
some malicious content or that attachment will contain instructions on connecting
back to the criminals where they’ll have a fake website etc. And again, to trick you to hand
over information, money etc. The other thing that phishing,
vishing, and smishing are also aimed at doing is clicking on links that take
you to websites where the website will either collect information. It’ll take you through a whole process
where you need to enter additional information. Or that website will be engineered in a
way where it automatically detects what kind of system you’re using,
the browser version. And it looks for what exploits are
available in that browser, so that way, they can push malware to your machine
without you actually even clicking on anything else or doing anything. It’s the number one way
to attack individuals. It’s also used by governments to attack
organizations when you want to attack a foreign organization as well. And really, it works very well. The reason that it works so well is,
a lot of the messages, again, are using that psychology of fear,
or fear of missing out, or pressuring an individual, where you might get
an email that says, “If you don’t click on this thing now, the Australian Federal
Police will turn up and issue a warrant for your arrest, etc., and things
like that to try and get you scared and intimidate you
to click on the link. The other challenge that we have is, the
technology that we’re using today is really not helping the situation. If you receive an email on your Mac or
your PC, and you’re using Outlook, for example, it’ll show you the From
field as well as who the sender is. Now, it’s very easy to forge
the From field. Now when you’re using a device like a
tablet or a mobile phone, the equivalent mail tool on that device,
in order to save space because you’ve got limited visual real estate,
will often drop some fields off. And as a result, you tend to see only the
forged fields and not the underlying fields that you would normally see on a
Mac or a PC, as an example. Just by responding to an email,
for example, you may think an email has arrived from a work colleague, or from
a family member, or from your children, when in fact it’s been a forged email
that’s come from somebody else. What are the kinds of information
that they’re after? On the next slide, here are the kinds
of things that they’re looking to really extract from you. And that’s your full name,
usernames that you might use, email address, date of birth,
tax file numbers, credit/debit card information, your home address,
driver’s license, Medicare number, place of birth, passwords, pin numbers,
your mother’s maiden name, your first pet, first car, and passport details. And this information is really critical
for them for a number of reasons. They may not ask for all of this
information instantly but they’ll ask for different key components that they’re
looking for to either steal your identity, or to take control of your accounts that
you have on different services. They’ll often ask for mother’s maiden
name, first pet or car, because a lot of banks and a lot of
service providers will use that as your secret password to unlock an account
that’s been locked or if you’ve forgotten your password as well. On the next slide, I’ve got an example
of a scam that has come in via email. And you can see if you sort of look
very closely in this email, there’s a difference between the sender
and the actual email address. And so you can see in that email address
that it’s not actually from the Department of Human Services, but it’s actually
from a .com address. If you are looking at this scam email,
for example, on your mobile phone, you would not see that,
and it would look like a legitimate email. The other kind of weird signals that we
see in this is they made a mistake where they left some of the [inaudible] and HTML
coding that does what’s called spacing, whereas you wouldn’t normally see
that in a proper government thing. They’re using things that we’ve kind of
trained the public around, you know, when you see the padlock things,
it’s safe when you see the padlock, so you can see they’ve used that padlock
in the email message to kind of convince the recipient that this email is a secure
email, so therefore it’s safe to respond to. And you can see the range
of information they’re asking for. Your given names, date of birth, tax file
numbers, and then a whole range of information down below including
driver’s license and passport. In this kind of scam,
they will be collecting that information and selling that information
on to other scammers as well. On the next slide, I wanted to show you,
they can also use celebrities and media to create fake news to convince people
both either on a website or in an email that something is actually true
when it’s not. And they’ll often use quotes
to make it look real. They’ll have things in there to try and
convince you that there’s easy money to be made, so the fear of missing out,
you should get involved. They’ll include images of the celebrities,
and again, create this whole sort of fear of missing out, so you
need to participate or partake. On the next slide, some of the scams can
actually be multi-step scams. You might receive an email that’s making
initial contact, they’ve really harvested your email address. So in that blue stuff that’s
kind of pixelated, that’s the email address that this
particular scam was sent to. What they’ll do is they’ll ask you
to click on the document, and that does two things. One, as soon as you click, it confirms
that the email address at the other end is real and that there’s a human there. And so now that email has become
a bit more valuable. Two, by clicking on that, that could go to
a particular webpage or it could open an attachment which attacks your machine. Let’s have a look at what happens
when you click in this instance. On the next slide, when you click on that
link, it actually takes you to a web portal. And that web portal very cleverly uses a
lot of different web services or pretends to be a lot of different web services. Whether it’s Google’s, an iCloud from
Apple, or a Microsoft one, or Dropbox. At this point, they don’t really know what
kind of cloud service you’re using. But very cleverly, they’re getting the
individual to self-select a cloud service that they use to get access to this
particular document that is purported to be in this cloud service. In the next stage of the attack,
when you click on one of the cloud services, it’s now asking for your
email address and password. Obviously, they’re looking for your login
credentials to get access to that account. Now, interestingly enough,
when you put in your login credentials, sometimes it’ll work instantaneously. And what they’re doing is they’ve now
stolen that login credential, and behind the scenes,
logged you into the legitimate service so that it all looks normal. In this particular instance,
they weren’t doing that. In this particular instance, they
were just collecting and harvesting your information. And on the next slide,
it takes you to a web page that then downloads a document from a bank called
Chase, where they’ve then sort of blacked out certain things to make it look
like a legitimate document. And they’re pretending that this is
a wire transfer, for example. Now, at this stage, in this scam,
they’ve harvested your credentials, but they could have also gone
one step further. The PDF that you download and open could
actually contain malicious content, which would then install malicious
software on your device, giving them full control
of your machine as well. Other examples of scams on the next slide. There’s two examples that I’ve got here. One is, they’re using the whole thing
of, “Your mailbox is full.” And so you need to upgrade your mailbox. And again, you could click on that link
and it’ll either take you to a malicious website or they’ll trick you
into handing over credentials. And the other example lower down on that
page is, there’s a package from FedEx or a package from DHL, or some sort of service
provider like Australia Post. And you need to click here very
importantly to view a message in your browser. These are all kind of ways to trick you to
interact and go to a malicious site or hand over credentials and information or
basically download malicious content to your machine. On the next slide, there’s a very new
and clever way of attacking individuals. In this example, data breaches
happen on a daily basis. And what tends to happen is individuals
who use the same password on one site as well as on another site. And so when you get a data breach,
what happens is that information of your password is now in the public. In this particular individual’s case,
what they’ve done is they’ve sent an email to that individual, and highlighted the
password that they’re using, which is Methly5Bromide. And so they’re trying to create the
illusion that they now have access to your accounts, that they’ve installed
some malware on your machine, when, in fact, they haven’t
done that at all. They’ve just used information that they
found online from a data breach. And they’ve set up a whole scam and are
using fear of blackmail, that potentially they’ve filmed you doing some things
whether you were being naked in front of your laptop or your PC, and that if you
don’t provide a certain amount of bitcoins by a certain period of time,
they’re going to release that information to your family and friends. Now, in this kind of example,
this is truly just a blackmail scam that they haven’t actually taken
control of your webcam. However, there are instances where they
can take control of your webcam and actually do secretly film individuals. But they’ll provide a bit more evidence
rather than just sort of your password to say that they’ve done this. On the next slide, I just wanted to really
highlight that data breaches happen almost across every organization. Expect your information
to be released at some point. With some of these examples, you might
have provided your home address, your postal address, your date of birth,
your usernames, your passwords, and things like that. So, expect that you will receive emails or
scammers that are using that information to trick you into doing things,
and really, they want to collect more data and information so that way they can reach
the information they’ve got and pass it on to other individuals. On the next slide, there’s a great little
website that you can use called Have I Been Pwned? And that website is run by an Australian. And if you go to haveibeenpwned.com,
you can put in your email address, and it’ll actually show you which
companies have actually lost your information and data. And as you can see, as of the 11th of
October, there are over 8 billion bits of user account information that can be
used on different individuals. On the next slide, one of the things that
I’ll just highlight very, very sort of quickly is another type of
scam is what’s called invoicing scam. And that’s definitely on the increase. What hackers do and criminals do
is they’ll take control of somebody’s email account. They may have, for example,
tricked you into clicking on a link. Now that you’ve clicked on that link,
they’ve taken control of your email account, or you’ve provided
your email account details, and they will now send invoices
to different companies that you interact with, or fake bills saying that
this money needs to be paid. It needs to be paid now. Or they’ll manipulate invoices that…
if you run a business, they’ll manipulate those
invoices so that it doesn’t actually contain your bank account details,
it contains the scammer’s. And there have been instances of companies
in Australia doing transfers of $3 million thinking that the money was going to a
legitimate service, when in fact it was actually going to a scammer’s account. Okay, so let’s keep moving along,
and we’ll look at how to think like a hacker. On the next slide, I want you to really
think about how would you break into a house. And this is really how hackers sort of
think about attacking you as an individual or attacking organizations. As we move forward in this slide deck,
it’ll start to build up sort of different things that you should think about. When you look at a house,
you really need to kind of determine what kind of alarms are in place, who’s home,
you look for patterns of behavior, do they leave the bins out
and things like that. And as we move forward again,
I’ve kind of highlighted different things that will sort of build up on this deck
that illustrate different ways to attack a house. And this is no different to how you attack
an individual or how you attack a business. With a house, for example,
you could break in, so use of systems, or I could turn up to the front door,
and I could be wearing a uniform. And I could say, “Look, I’m from AGL,”
or one of the power companies. We’ve seen some unusual spikes
on your electricity meter. We’re concerned that it’s going
to cause a fire in your house. I need to come in and just have a quick
look around and check a couple of your points.” And so if somebody turns up with a
clipboard that looks like they’ve got an ID, they look like they should be,
you know, the person from that company, most people will let them in. Even if they turn up and say, “Look,
I’m here to change your globes to energy saving globes as part
of a government initiative. That’s a great way to get
into a house as well.” So that’s that whole tactic of giving
somebody something and using the reciprocal thing of, “I’ve helped you,
so now help me by letting me in to do my job,” type of thing. Other things that you could do
is clone the remote. You could steal the remote,
you could wait for an opportunity for the door to open and sneak in. There’s a lot of different techniques that
hackers use that are similar in terms of breaking into a house,
whether you’re going in directly, whether you’re using a thing called social
engineering to trick people into giving information,
or you’re exploiting flaws within existing systems like with a lot of sliding
windows, they have a flaw where you can jimmy them and lift them up,
and actually get in that way if people don’t have secure locks
on them as well. On the next slide, so moving forward,
I wanted to really highlight that information and data is the new oil
in this digital age. And to think about all the information
that you’re releasing and putting out there on the internet. Because that information can be monetized
and is actually worth a lot to different governments and criminal syndicates. On the next slide, what I wanted to
highlight is something that we’re starting to see in society
that’s quite worrying. There’s the cyber-enabled information
influence, warfare and manipulation, and this is the rise of what
we call deep fakes. And there’s also a thing
called a shallow fake. A shallow fake is where somebody commits
an incident in a particular country, hijacking that video footage and that
messaging, and distorting the truth around that, and pushing that out through
different social media platforms to convince a population of something
that is actually fake that it was actually true. A deep fake is where you’ve captured
images of real individuals like politicians, and you’ve used a
computer to generate a fake individual, and it’s very easy to do that and have
video footage now that looks like it’s the real individual, the voice
sounds like it’s real. But the whole thing is actually fake and
they’re using that as a way to discredit individuals or to make it look like
certain individuals have said things that they haven’t. CEOs, celebrities, and politicians are
obviously in the line of fire for deep fakes. On the next slide, one of the worrying
things about all this sort of information influence warfare that’s coming about is,
most people these days get their news from social media. In the U.S., for example,
68% of people get their news from these social media sites rather than the
traditional media outlets, like The Age, Fairfax, etc., the Financial Times. So the worrying thing is that this
information is often manipulated by cybercriminals or quite often
foreign governments as well. On the next slide, what I wanted
to kind of highlight here is, it’s really important to think about
information that you have has a monetary value. The information that you give up can be
used as a weapon, either against you or others. And really, the person that’s got the most
information these days is organizations, governments, or individuals, who then
start to have the most amount of power. When you look at services like Facebook,
Facebook is a service where you as the consumer are the product,
and what you do and say on Facebook and how you interact is actually being
recorded and sold to organizations so they can target you for
marketing purposes as well. What are some of the tips and sort
of tricks, I guess, in things to be safe online? On the next slide, I’ve highlighted
some very high-level things. You know, trust less. Don’t believe everything
you read or see online. Don’t click on links in emails or SMS. So SMS, phishing via SMS is called
smishing, and a similar thing by voice is called vishing. So, don’t even trust things that look like
they come from people you know. The reason being, it’s very
easy to forge an SMS. I can send an SMS that makes it look like
it’s come from one of your children, or your spouse, or from your work and
it’ll actually appear in your normal SMS feed from that individual. Again, don’t believe something…
have a code phrase or password with people that you love or care about. At least that way if you receive a message
that says, “Help, I need you to do something urgently because I’ve lost my
wallet and I need you to transfer money to a family friend,” that, you know,
if it’s not with that sort of code word that you’ve pre-arranged,
then that’s definitely something that is a scam or an attack. Think twice before giving
up information to anybody. Back up your information and your data. Definitely do not pay ransoms. At some point, you can expect that you
will make a mistake and click on something that will then encrypt your PC or your Mac
and cause you to lose all your family photos and information. But if you have a backup of that
information, you’ll be able to restore that. Don’t pay the ransom because paying
the ransom just helps to perpetuate the problem. Check your privacy settings on your phone,
your browser, and the system that you use. Definitely don’t use the same password
across multiple internet sites. If that password is used, for example,
on Facebook, LinkedIn, maybe your pizza orders, and then your
Amazon shopping, if one of those sites is breached, cybercriminals can now use
that information to log into your account on any of those other services and take
control of those services, and make payments and things like that as well. Don’t use passwords that
can be guessed easily. Make them a little bit more cryptic. Don’t connect cables and devices
from other people to your phone. One of the new tricks is cables can
actually contain malicious commands that can be remotely triggered. The cable looks like a normal charging
cable and it will charge your phone but as soon as you plug it into your
device will actually trick your device into connecting to a website that then
loads malware onto your device, giving the cybercriminals, the governments
full control of your device. And so again, it’s very important not to
connect or share things with people you don’t know. And even with people that you do know,
because they may not have the same level of, I guess, sort of cyber hygiene,
if you like, as yourself. That brings us to the conclusion, sort of,
for me and gives us a little bit of time for some questions. So, Sam, I’ll hand back to you, if there
sort of any questions that people would like to ask. – Fantastic. Thank you very much, Damien. And, there was so much content there. We’ve actually sort of gone
to the end of our…a lot of time. But if people can hang around if they
want to ask some questions, please type your questions into the
question field you’ll see on your screen and you can click Submit. And we’ll get to as many as we can in the
short while and then just do send them through and Damien might have some time
to respond to some via email if we don’t get to them. There was one that came through as we were
going, and the question was, what are your thoughts on the voice ID
recognition system that the ATO has implemented? Would you say it’s safe? – So the idea with the sort of government
system that there’s a number of different techniques that they use
to kind of improve security. They’re using sort of multifactor,
and some government agencies are now using biometrics as well. Biometrics can be tricked,
the audio biometrics. Cybercriminals now with deep fakes can
actually record enough of your voice to actually trick a system where the
system might ask you for, say your date of birth, say the address, etc.
and they can actually replay that back. Multifactor authentication
is hugely important. For example, with the ATO sending you an
SMS every time you log into myGov. One thing to be conscious of, though,
however, is cybercriminals adapt very quickly. One of the things that they can do is they
can actually clone your phone. When they clone your phone,
they then also receive your SMS. That’s another technique that
they’re using as well. Some scammers will actually try and port
your number to a new phone provider so that way, there will be a period of time
where your phone you think is working normally but, in fact, they’ve actually
ported it to a handset that they’ve got, and they’re now receiving
all your calls and SMS. – All right. Thank you. And again, please do send me questions
through if you’ve got them. Now’s the time. Don’t be shy. Just send them through
the questions portal. We’ve had a few come through. From Stephen, “If you get a fake message,
say that Microsoft warning not to turn off your computer, how do you stop
this message reoccurring? Can you delete it?” – You can if you start your computer in
safe mode because what tends to happen is they’ve modified the browser setting
and made that page their homepage. Sometimes you can go into,
like, a safe mode. You could even try and…if you do
Control + Alt + Delete on a Microsoft platform, for example,
you may be able to get to task manager and kill that service. For example, if it was in Firefox or
Chrome, what you’d then have to do is uninstall the application, that particular
browser, and then reinstall it from scratch. Some of the other things that you could do
if you’re using Firefox, is a great little tool that you can download
called NoScript. And NoScript is a plugin that actually
blocks JavaScript. Now, the con side of it is a lot of
websites will then use JavaScript to enhance the look and feel of a website. But at least it gives you protection where
you could, say, you’re going to an untrusted site you’ve never been
to before, you can block all JavaScript, make sure that it looks okay, or you get
the information that you need. And then it also helps to stop
tracking of…where you’re browsing by a lot of other websites that then sell
that content on to marketing firms. – All right. Thanks. Question coming from Rose, asking,
“Should I be concerned about some of my business cards that were stolen recently?” – Definitely, because what they’ll do is
they’ll tend to use that information on the business cards because now they’ve
got your email address, your full name, they’ll have your mobile number. Sometimes they could use that business
card to pretend to be you. And then they’ll use that as a way to scam
other people out of information. One of the tactics that they’ll use
sometimes with scamming is they’ll send messages to people, and it’ll be
from a particular phone number. Or they’ll dial people from
a particular phone number. If you call somebody,
you can fake the caller ID. You think you’re talking to that
particular individual, when in fact, you’re not talking to them at all. And I did come across an elderly lady who,
they faked her number and used her number on the caller ID and said ITO office
calling, but it had her home number. And as a consequence, she got thousands of
phone calls of people abusing her and yelling and this was an elderly lady that
had nothing to do with the scam at all. It’s just a random chance that
they used her details. – How unfortunate. Question from Papari [SP] who asks,
“If we find our email is breached on the website you mentioned,
what should we do?” – So make sure that you have changed the
passwords across all the different services that you use on the internet. You may want to consider getting a
password manager, which is some software that can basically help you
have really complex passwords. And you just need to know one password to
access the password manager that then helps you log into
all these other services. Another thing, if you don’t want to buy a
password manager, what some people do is they’ll have a password that they use on
sort of generic sites that they don’t care if somebody gets hold of because that site
doesn’t have any information, they can’t purchase anything. And then their banking sites will be a
different password and maybe other sites they use for online shopping will again be
a different set of passwords as well. But it’s good to be aware of what
information has been stolen about you, and that way that kind of helps you sort
of prepare for when somebody’s asking you questions or sending you an email,
you start to become a bit more suspicious about, “Oh, okay. So I know they’re approaching me because
they’ve got already this information.” They’re trying to get additional
information because now that adds value to that data that can then be sold on for
somebody else to then attack you in a different way. – All right. Thanks. The question from Neal says,
“I run a printing business and get files every day on USB. How can I avoid this?” – Very, very difficult. So one of the things with your printing
business is, you need to be conscious that when you use a device,
that device could have malware on it embedded either in the PDF or the Adobe
file, or in another mechanism. I’ve seen some companies set up
what they call a sacrificial PC, or sacrificial device, where they’ll
plug their content into that device. If that device basically gets malware on
it or gets wiped for whatever reason, it doesn’t impact their production systems. And then they can often transfer that file
using that device through a web service. There are different websites where…
so there’s a website called VirusTotal. And in VirusTotal, you can upload a copy
of the file as well if you’re using it on a sacrificial machine,
where it’ll tell you whether there’s any embedded malware or
whether that’s suspicious. Now, even if that comes back and says
that that file’s not suspicious, you’ll find that those websites might
catch 80% of suspicious files. But there’s an interesting stat where
malware tends to only be used once for a majority of the time, so only 40% of the
time does malware tend to be reused. It’s quite interesting that malware tends
to be specifically engineered to target specific individuals or
a group of individuals. But yeah, definitely would recommend
have good backups in place for your production systems. Have a plan if something happens,
and use a sacrificial machine where you could plug something in and run the latest
sort of antivirus and scanning tools. For that device, you have to go
a bit beyond just AV. You can buy what they call EDR,
which is…it uses a combination of behavioral and cloud-based services,
where it’s kind of crowdsourcing, where if that device contained malware,
hopefully, it’s been picked up or seen by somebody else out in the world and so
you kind of benefit from that as well. – Thank you. And that answers one of the questions that
had come in about antivirus software. So, you would recommend the EDR
that you mentioned, would you? – Yeah, definitely. So anti-virus really…you know,
at the end of the day, antivirus is probably only about 40%
to, say, 55% effective. It’s very easy…like, there’s an
outsourced service where criminal syndicates can say to somebody,
“Look, can you engineer a piece of malware for me? I want that malware to be undetectable
for the next two months.” And then what they do is they pay money
into an escrow account. And then that malware producer will only
get their money if they meet that service level agreement. And so they’re incentivized to very
rapidly, and they can change malware within about five minutes so that it’s
undetectable, again, to antivirus. And that’s because antivirus
uses a signature. Whereas EDR software tends to use a bit
more of a heuristic thing where it’s looking for weird things that that
application might be trying to do, like, if they’re trying to write into a file
space that shouldn’t normally be accessed, or are there spelling mistakes in the
executable or the application because that’s an indication that it was developed
using non-standard software development techniques as well. – So, thank you, once again,
Damien, for your time. We really appreciate it. And thank you to all our alumni
and friends for tuning in today. It’s fantastic to have you here. And I hope you have
a good rest of your day. Thanks very much.
