For ideas on obfuscated URLs, see Bypassing URL/Domain/IP Formats
Phishing
See Phishing.
Cybersquatting / Domain squatting
- Cybersquatting (Wikipedia)
Cybersquatting/domain squatting is the practice of registering, trafficking in, or using an Internet domain name, with a bad faith intent to profit from the goodwill of a trademark belonging to someone else.
Domain name warehousing: registrars obtaining control of expired domain names already under their management, with the intent to hold or “warehouse” names for their own use and/or profit.
Squatting Techniques:
| Squatting Technique | Description | Examples |
|---|---|---|
| Typosquatting / URL hijacking | Intentionally register misspelled variants of target domain names to profit from users’ typing mistakes or to deceive users into believing that they are visiting the correct target domain. Usually registering names one edit distance from the original domain, as these are the most common and overlooked mistakes users make | whatsalpp [.] com |
| Combosquatting | No misspelling, but appending an arbitrary word (e.g. security, payment, verification) that appears legitimate, but that anyone could register | netflix-payments [.] com |
| Doppelganger domain | Domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes | accountmicrosoft [.] com |
| Homographsquatting | Domains take advantage of internationalized domain names (IDNs), where Unicode characters are allowed. Attackers usually replace one or more characters in the target domain with visually similar characters from another language. These domains can be perfectly indistinguishable from their targets, as in the case of apple.com, where the English letter “a” (U+0061) was replaced with the Cyrillic letter “а” (U+0430). | microsofŧ [.] com |
| Soundsquatting | Domains take advantage of homophones, i.e., words that sound alike (for example, weather and whether) | 4ever21 [.] com |
| Bitsquatting | Domains have a character that differs in one bit from the same character as the targeted legitimate domain. Bitsquatting can benefit attackers because a hardware error can cause a random bit-flip in memory where domain names are stored temporarily. Thus, even though users type the correct domains, they may still be led to malicious ones. | micposoft [.] com |
| Levelsquatting | Domains that include the targeted brand’s domain name as a subdomain. This attack is especially worrisome for mobile users because the browser’s address bar might not be wide enough to display the entire domain name. | microsoft [.] com [.] example.com |
Social Engineering Attacks
- Confirm.to – Confirm that someone reads the email. ALWAYS use another email address. Append .confirm.to to recipients’ e-mail addresses before sending. Will get a receipt if the recipient opens and reads the email.
- Google “fake email” to spoof email (illegal without approval)
Security Awareness Program
Security Awareness & Phishing Program.
Free security awareness modules (English and French):
Publications & Websites
- NIST Special Publication 800-50: “Building an Information Technology Security Awareness and Training Program”, http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
- NIST Special Publication 800-16: “Information Technology Security Training Requirements: A Role-and Performance-Based Model”, http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
- NIST Special Publication 800-55, Security Metrics Guide for Information Technology Systems (Sample awareness and training metric in Appendix B)
- ENISA “The new users’ guide: How to raise information security awareness”, Nov 29th 2010, ISBN 978-92-9204-049-9, https://www.enisa.europa.eu/publications/archive/copy_of_new-users-guide
- ENISA Obtaining support and funding from senior management, 2008, http://www.enisa.europa.eu/publications/archive/obtaining-support (last visited on 19 November 2010);
- SANS Securing the Human, http://www.securingthehuman.org/
- ISC2 magazine 2012 Volume 4 (issue 20), article “Teaching Moment: From Fairy Tales to Info Security”
- Verizon Data Breach Investigations Report (DBIR) 2014
- Advanced Cyber Threats Facing Our Nation February 14th 2013, Kevin Mandia, http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/MandiaTestimony02142013.pdf
- Gartner “Effective Security Awareness Starts With Defined Objectives”, December 10th 2013
- Gartner “Magic Quadrant for Security Awareness Computer-Based Training Vendors”, October 13th 2014
- Creative Research Systems, http://www.surveysystem.com/sscalc.htm
Conferences - ISC2 e-symposium “Creating a Mindset and Culture of Risk Awareness”, October 30th 2012
- ISC2 e-symposium “Malware and Awareness The Two Front Battle”, April 30th 2013
- SecTor 2014 conference “Security Awareness Has Failed: A Suggested New Approach!”, François van Heerden, October 2014, http://sector.ca/presentations
- SecTor 2014 conference “Human Metrics – Measuring Behavior”, Lance Spitzner (SANS), October 2014, http://sector.ca/presentations
- SANS Securing the Human, “Building an Effective Phishing Program”, https://www.securingthehuman.org/media/resources/presentations/STH-Presentation-PhishingYourEmployees.pdf