In 1992, Kevin Mitnick was the most wanted hacker in the United States. It didn’t stop him. He wanted to hack his phone so the cops couldn’t track it. This ended up with him going after the source code, which he obtained with just a few phone calls.
So-called social engineering remains, nearly thirty years later, one of a company’s largest vulnerabilities. Why spend hours trying to hack into the code when you can trick somebody into giving you access? It can be one of the hardest things to protect yourself from, because expert social engineers know exactly how to get you to give up your password, install malware yourself, or send them the data they are looking for. It relies ultimately on people being people. It can also be used in combination with malicious code. There are a number of forms social engineering takes, but they all amount to the same thing: a way to manipulate people into giving up confidential or personal information.
Phishing is probably the best known social engineering technique, in part because it is so common. Most phishing attacks come via email, and they can target anyone. Originally, most phishing attacks were broad and scattershot, with the hackers sending the email to every address they could find in the hope of snagging a victim. Phishing emails often appear to come from a major company, with financial institutions and payment processors such as PayPal being the most commonly impersonated. They may threaten dire consequences (somebody hacked into your account, click on this link now to prove it is you) or offer unbelievable sales deals. It is now becoming more common for phishing attacks to come via social media. Often the phishers will trick one person into handing over their Facebook password and then use the compromised account to snare others.
Phishing can also sometimes take place via voice. Tax season every year sees a rash of scam callers pretending to be the IRS and telling people they will be arrested if they don’t pay up. This is sometimes called vishing, ironic given
Spear phishing is more directed. A spear phishing attack uses personal information about the victim, often gathered by stealing somebody’s contact list, or simply from public information about their company. For example, a spear phishing attack may be spoofed as coming from a coworker or a vendor. When senior executives or people with a lot of control over a company’s finances are attacked, it is called whale phishing or whaling. One common form of whale phishing is to spoof a senior executive sending instructions to pay a vendor, with the payment being intercepted.
One such targeted technique is to copy an email sent to the target and replace the links or attachments. Because the user is used to receiving that email, they are much more likely to click.
Pharming and Website Cloning
Pharming redirects users from a legitimate website to a fraudulent one. This may take the form of fake links in an email, or it may use DNS cache poisoning, otherwise known as DNS spoofing, which tricks your computer into connecting to the wrong address. Another form of social engineering is to clone a website. There has been a rash of cloned website scams that redirect people looking for hotel rooms, cheap air fares and other travel services from the provider’s own site to a fake booking service which charges a high fee to book a room which may or may not exist.
Recently, quite a lot of people have received an email that has one of their passwords (generally an older one) in the subject line and asks for a ransom in bitcoin, otherwise they will be hacked. The email sometimes includes a threat to reveal what kind of porn the person watches and/or embarrassing webcam pictures (this is called sextortion). Fortunately, this email is an example of scareware – the hackers do not, in fact, have access to anyone’s systems, but are counting on their victims’ lack of knowledge to get them to pay up.
How Do You Protect Yourself?
Employee education, including senior executives and owners, is the best way to protect your company from phishing attacks. Many phishing emails are easy to spot, containing broken images, spelling errors, etc. However, phishers have become much more sophisticated lately. Here are some ways to avoid being a victim:
- Never click on links in emails even if it looks like one you are used to getting (such as messages from PayPal saying somebody sent you money). Instead, type the website into your browser or use a bookmark. Never click on shortened links.
- Learn to identify phishing emails. Although misspellings are not as common, generic greetings such as “Dear customer” can be a red flag. Phishing emails generally have an urgent action or response attached to them and play on either greed or fear. If your name is wrong on an email, this is a major red flag. Err on the side of caution. Automated spam prevention may or may not detect phishing emails, but give extra scrutiny to messages that have been flagged.
- Check URLs on websites. One common scam is typosquatting, where scammers will place a cloned site on a URL that is one letter or digit away from the legitimate site. Another is to buy the same name under a different top-level domain, such as .com vs. .net. Always make sure you are really on the site you think you are on.
- Verify the identity of anyone who contacts you. Know the contact patterns of organizations you deal with. For example, find out from your ISP whether they call or email if there’s a billing issue. Don’t provide any personal or confidential information until their identity has been verified.
- Never email financial information such as credit card numbers or bank routing information. Passwords should never be emailed or requested in email, and this policy should be public. Asking for passwords via email is a common social engineering trick.
- Keep all anti-virus, anti-malware and firewall software up to date and make sure it is being used correctly.
- If a coworker, supervisor, vendor, or client sends an unsolicited attachment, call them or contact them via other means to check they sent it before opening it. If sending an attachment, give the person a quick heads-up first.
- Never give your username or password to anyone, even if they seem to be an administrator.
- Make sure that news about current phishing and other social engineering attacks is spread rapidly through the company, particularly if there is scareware circulating. Provide lists of email subject lines that are most commonly used by phishers and advise employees not to open those messages at all. Some phishing emails contain tracking images or scripts that notify the scammer when the email is read, telling them they have a live address. You should also encourage employees to check the internet if they receive a suspicious message, as information on scams in the wild is often published, and to tell others about it. However, never forward the actual phishing email to people as a warning, because the malicious link or attachment will go with it.
- Run occasional tests where you send employees spoofed email with links and track who clicks. This is a form of penetration testing and will help you identify employees who need extra training on cyber security. You should not use this against people, but rather as a way to remind everyone to be more careful.
- Never enter financial information on unsecured websites. Make sure the URL begins with https. An address without https is one classic warning sign of a fake website, though https alone does not prove that a site is genuine.
- Avoid posting email addresses to the internet. Only post specific contact addresses, and smaller companies may find it better to use a contact form. Advise employees not to post their private email, or if they do to obscure it (for example jjones(at)daredevil.net). This makes it harder for bots to harvest email addresses that can then be used in mass phishing attacks.
- If something in an email or message seems too good to be true, it probably is.
- Train employees to report all phishing attempts to IT and HR. It’s also a good idea to report them to the company that is being spoofed. The IRS and many private companies have contact information specifically for reporting spoofs to them. In this case, you can and should forward the message. Reporting an attack allows other potential victims to be warned and may allow the other company to take steps. For example, if you receive fake invoices from one of your vendors, you absolutely should let them know.
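The URL checks in the list above (typosquats one character away from a real domain, the same name under a different top-level domain, a trusted brand buried in a subdomain, and shortened links) can be scripted. The following is an added example and not code from the original article; the TRUSTED and SHORTENERS lists are constructed for illustration, and the host split is naive (it does not handle public suffixes such as .co.uk).

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation legitimately deals with.
TRUSTED = ["paypal.com", "daredevil.net"]
# Constructed list of common link shorteners, which hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = sorted((a, b), key=len)
    return any(short == long_[:i] + long_[i + 1:] for i in range(len(long_)))


def split_host(host: str) -> tuple:
    """Naive split into (registrable name, TLD): 'www.paypal.com' -> ('paypal', 'com')."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify_url(url: str) -> str:
    """Label a link by how its host relates to the trusted domains."""
    host = (urlsplit(url).hostname or "").lower()
    if host in SHORTENERS:
        return "shortened"              # real destination unknown until followed
    name, tld = split_host(host)
    for trusted in TRUSTED:
        tname, ttld = split_host(trusted)
        if host == trusted or host.endswith("." + trusted):
            return "trusted"            # the real site or a subdomain of it
        if name == tname and tld != ttld:
            return "lookalike-tld"      # e.g. paypal.net instead of paypal.com
        if tld == ttld and name != tname and within_one_edit(name, tname):
            return "lookalike-typo"     # e.g. paypa1.com, one character off
        if tname in host.split(".")[:-2]:
            return "brand-as-subdomain"  # e.g. paypal.com.evil.net
    return "unknown"


if __name__ == "__main__":
    for link in ["https://www.paypal.com/signin", "http://paypa1.com/login",
                 "https://paypal.net/", "http://paypal.com.evil.net/", "https://bit.ly/x"]:
        print(f"{classify_url(link):20} {link}")
```

Anything other than "trusted" deserves a second look before clicking; a "shortened" result means the destination cannot be judged from the link text at all.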
Social engineering is becoming a much more common vector for cyber attacks, especially as servers become more secure in general. The human factor is often the biggest weakness, and proper education is the best way to close it. All employees, at all levels, need to be aware of basic cyber hygiene and take the simple precautions above. For more information on how to protect yourself from this and similar attacks contact Applied Innovations today.