For the longest time, when people discussed “social engineering” in the IT security arena, it meant schmoozing your way past the guard or calling the helpdesk to get a password. Social engineers like Kevin Mitnick were amazingly successful at working these angles to get inside hundreds, if not more, of applications and systems. But that was so 20th century; it didn’t scale well. As our connectivity to everything Internet has become ubiquitous, there’s been a dramatic increase in the opportunity to exploit blissfully ignorant people. We’ve gone from small fishing villages to one big phishing city!
Everyone has seen the Nigerian prince scam; those were the good old days, when it solicited more of a chuckle than a buck. But today’s attackers have become MUCH more sophisticated… and, to be honest, we will all continue to be fallible human beings, and it only takes one mistake to open the door for the bad guys. Frankly, I’m convinced that this year’s rash of breaches and intrusions can all be traced back to “someone clicking on the wrong thing” as the initial attack vector. What can we do to be more vigilant?
That was then…
After the Nigerian prince scam came other doozies: everything from poorly spelled messages from “banks” trying to entice you to enter your credentials or personal information, to “click this button/link to win an iPod,” to “check out this AMAZING financial opportunity.” In all cases, it didn’t take a lot of brain cells to determine that these messages were hoaxes.
This is now…
Now there is a myriad of ways that creative miscreants attempt to get malware onto your computer or trick you into handing over credentials. They understand the human psyche and our natural tendency to click on that interesting link; in fact, many would probably be successful Madison Avenue marketers. Under the right (for the attacker!) circumstances, they often succeed in stealing their victims’ identities (e.g., their passwords), taking control of their computers, or rendering them unusable altogether (e.g., CryptoLocker, or the malware that just hit Sony).
Password phishing – lures you into entering your password on a look-alike site. Once the attackers have your password, they try it on the legitimate site. On top of that, they try the same username/password combination against many other sites (banks, shopping sites, etc.), a technique known as credential stuffing, to pose as you and conduct fraudulent transactions to their benefit and your detriment. This is why reusing one password across sites turns a single successful phish into a compromise of every account that shares it.
Welcome to the machine – you could end up with malware on your computer and/or your company’s network by clicking on a link or opening a file that you’re not sure about. And guess what? Anti-virus and Windows patches (for example) will not completely protect you, as they only protect against the known and not the unknown. Zero-day exploits (which target vulnerabilities for which no patch yet exists) and malware repacked specifically to slip past signature-based anti-virus detection are proliferating; once the anti-virus companies learn about a sample they ship updated signatures, but that lag is a window of opportunity for the miscreants. This (zero-day malware injection) has most likely been an initial attack vector for several of this year’s successful breaches.
Won’t Get Fooled Again?
Some general advice to apply, not only at your workplace but in your everyday life: BEFORE you elect to download a file or click on a link, be absolutely sure it is legitimate; otherwise bad things can happen to your information, your identity, your credit cards, your computer, or your company’s digital assets. THINK BEFORE YOU CLICK! KEEP CALM! The bad guys are but a click away.
- If an offer seems too good to be true, it probably isn’t (true, that is). Don’t click on the link to find out; instead, do some research in parallel (search for the offer and the sender independently).
- Don’t fall for scareware scams. Ignore emails (and pop-ups) claiming that your computer is infected and telling you to click on a link to “clean it.”
- The latest batch of nefarious emails is the “order confirmation” message, where the attacker sends you an email that appears to come from a popular retailer, telling you to click on a link to check the status of an order (which you never placed in the first place). Don’t click on that link.
- If you receive a message from a financial institution that tells you to click on a link (sometimes using scare tactics about fraudulent activity in your account), don’t do it. Instead, go to the bank’s website by typing the address yourself or using a bookmark, and verify there. The same holds true if you receive a strange email, such as a receipt for goods you have not purchased. The attackers are trying to mess with your head (you may think someone ordered something in your name) to entice you to click on a link.
- If you receive a message from a company whose product or service you do purchase, be wary of clicking on the links in it (e.g., reserve one hotel night, get another one free). Any genuine coupons or special deals will usually also appear on the merchant’s own website, which you can reach without the email.
- If you get an email message from someone you know that uses only a generic greeting, or that contains nothing but a link, it’s probably not legitimate. The same is true if you receive an email from someone you haven’t heard from in a while and it goes right into “business” without exchanging pleasantries. Finally, if you are uncertain about an attachment or link that someone you know has sent, you can email them to ask; or better yet, there’s this archaic 20th century device called the telephone that you can use to determine if they actually sent it (if their mailbox has been taken over, an email reply may go straight to the attacker, so a different channel is safer).
- If you’re not sure about a particular email message/attachment/link, the following sites can help you determine its validity:
- http://www.hoax-slayer.com/phisher-scams.html: links to the phishing page for Hoax-slayer.com
- http://netforbeginners.about.com/od/scamsandidentitytheft/ss/top10inetscams_5.htm#step-heading: lists the top ten email scams
- http://antivirus.about.com/od/emailscams/tp/onlinescams.htm: lists more popular email scams
- http://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/: provides more information about order confirmation attacks
- When you shop online and need to give out your credit card number or other personal information, make sure you are on a secure (HTTPS) connection. Check that the URL in your address bar begins with “https” rather than “http” (the added “s” stands for secure) and that your browser shows the lock icon; current browsers place it in the address bar, while older ones showed it in the status bar at the bottom of the window. Clicking the lock shows who issued the site’s certificate and for which domain; if you’re even more diligent, check that the certificate comes from a reputable certificate authority (e.g., GoDaddy, Verisign, etc.) and that the domain it names is the one you meant to visit. Note that HTTPS only means your traffic is encrypted to whoever holds that certificate; a phishing site can have a perfectly valid certificate for its own look-alike domain, so the lock is no substitute for reading the address.
- Share this information with co-workers, family, and friends. The more aware we all are, the more difficult it will be for the attackers to take advantage of us.
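The tells in the list above (a sender that doesn’t match the brand it claims, a Reply-To pointing somewhere else, link text that names one site while the link goes to another, raw IP addresses, plain-http links, and look-alike domains) can be checked mechanically before anyone clicks. The script below is an added example for this post, not code from the original author or from any product: it parses a raw email message, pulls the links out of the HTML body, and reports which tells fire. The two sample messages, the brand list, and the crude two-label “registrable domain” helper are constructed for the example; a real deployment would use a public-suffix list and its own brand configuration.

```python
"""Heuristic phishing-email triage: added example for this post, not the
author's code.  Sample messages and the brand list are constructed."""
import ipaddress
import re
from email import message_from_string, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = ("amazon.com", "paypal.com", "bankofamerica.com")  # hypothetical
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net sample data."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like(host, brand):
    """Digit-for-letter swaps ("paypa1.com"), "rn" for "m" ("arnazon.com"), or
    the brand embedded as a subdomain ("amazon.com.secure-login.example.net")."""
    host = host.lower()
    norm = host.translate(str.maketrans("0135", "oles")).replace("rn", "m")
    return (norm == brand and host != brand) or ("." + brand + ".") in ("." + host)


def triage(raw_message):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # Sender tells: display name claims a brand the address isn't from; replies routed elsewhere.
    display, sender = utils.parseaddr(str(msg.get("From", "")))
    sender_host = sender.rpartition("@")[2]
    from_dom = registrable_domain(sender_host)
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in display.lower() and from_dom != brand:
            findings.append(f"sender-mismatch: display name claims {brand} but address is @{sender_host}")
    _, reply_to = utils.parseaddr(str(msg.get("Reply-To", "")))
    reply_host = reply_to.rpartition("@")[2]
    if reply_host and registrable_domain(reply_host) != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {reply_to}")
    # Link tells: raw IP host, plain http, text/href disagreement, look-alike host.
    body = msg.get_body(preferencelist=("html",))
    extractor = _LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    extractor.close()
    for href, text in extractor.links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        reg = registrable_domain(host)
        if is_ip_literal(host):
            findings.append(f"ip-literal: {href}")
        if parts.scheme.lower() == "http":
            findings.append(f"plaintext-http: {href}")
        m = DOMAIN_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != reg:
            findings.append(f"text-href-mismatch: text says {m.group(1)} but href goes to {host}")
        for brand in KNOWN_BRANDS:
            if reg != brand and looks_like(host, brand):
                findings.append(f"lookalike: {host} imitates {brand}")
    return findings


# Constructed "order confirmation" phish (TEST-NET address, example.* domains).
PHISH = """\
From: "Amazon.com Order Confirmation" <orders@amaz0n-orders.net>
Reply-To: support@mail-helpdesk.example.org
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p>Thank you for your order. Click below to track your package.</p>
<p><a href="http://198.51.100.23/track">https://www.amazon.com/orders</a></p>
<p><a href="https://amazon.com.secure-login.example.net/signin">Sign in to Amazon</a></p>
<p><a href="https://www.amazon.com/help">Help</a></p></body></html>
"""

# Constructed legitimate message: sender, reply path and links all agree.
LEGIT = """\
From: "Amazon.com" <ship-confirm@amazon.com>
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.amazon.com/orders">https://www.amazon.com/orders</a></p></body></html>
"""
```

Running `triage(PHISH)` yields six findings (sender mismatch, reply-to mismatch, IP-literal link, plaintext http, text/href disagreement, and a look-alike host), while `triage(LEGIT)` yields none. These are tells, not proof: a legitimate mailer that routes clicks through a tracking-redirect domain will trip the text/href check, so treat a hit as a reason to go to the site yourself rather than as an automatic verdict.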
It’s mind-bogglingly amazing how many more things we can do over the Internet than we could in the past. But it also exponentially increases the opportunity for the bad guys to try to get any of our data that can be monetized. And it’s no longer limited by geographic boundaries: if it’s attached to the Internet, then it’s also potentially available to the thousands of nefarious actors who would love to grab your critical data without even leaving the comfort of their couch.