The Anatomy of a Social Engineering Attack

John Podesta, a key staffer for the Hillary Clinton presidential election campaign received an email, appearing to be from Google, warning him that someone had attempted to access his account and prompted him to change his password. John clicked on the link and entered his current username and password. Unfortunately for John, this was a phishing email and the link that he used to change his password was set up by the hackers to steal his credentials. The hacker used his credentials to download all his emails. These emails were later released to the public by WikiLeaks causing a bit of a stir.

Why are we so susceptible to falling for these attacks? There are six (6) principles that social engineers use to deceive us. The first is reciprocity. Reciprocity suggests that people feel obligated to reciprocate favors received by others. If you do something for me, I will be happy to do something for you. Many scams use a free gift or a prize to entice the victims to click their link or provide information.

Another method that social engineers use is social proof. This concept suggests that people are more likely to conform to the actions if they see others doing it. This works especially well in ambiguous or unfamiliar situations. A familiar tactic would be the website that says 57 people in your area have recently purchased this item.

Authority is a huge tactic that social engineers use, and the one employed above to get John to click on that link. Scammers often pretend to be people from the government or your IT department or one of your trusted vendors. Since they are in authority, you usually trust them and do what they suggest.

Commitment and consistency suggest that once individuals make a public commitment or take a small initial action, they are more likely to remain consistent with that commitment or action in the future. Some phishing scams ask recipients to confirm their email addresses for security purposes. Once they click the link, the victim feels commitment to engage in the sender. The scammer subsequently asks for more personal information or login credentials.

Social engineers use “likability and empathy” to build rapport and trust with their targets by establishing a sense of familiarity and likability. They may mirror the victim’s behaviors, interests, or communications styles.

The final principle to discuss is scarcity. The emotion being pushed here is the fear of missing out. This may look like those familiar statements “for a limited time only” or “while supplies last.” This encourages the target to act quickly out of emotion, rather than slowly, logically, and methodically considering what is being offered.

Let us look at some of the scams out there to see what they are using. The tax collector scam impersonates an IRS agent usually contacting by text or a prerecorded voicemail. They may send you a form to pay and may ask for gift cards or bitcoin in payment. The scammer uses “Authority” to intimidate people to do what they ask, sometimes threatening arrest or revocation of driver’s license. They also use commitment and consistency. Once they pull the victim into the trap, they are committed to continue the discussion. Some issues to note on this scam are the IRS will not ask for payment in Bitcoin or gift cards. They will not send forms via email – forms pulled from the website. The IRS cannot revoke your driver’s license.

The “pig butchering” scam uses “likability and empathy” to capture the victim’s trust and “commitment and consistency” once the victim is engaged. This scam usually starts with a wrong number text or a dating app. Once the scammer builds trust, they mention their success in Bitcoin and connection to an insider. This is the concept of “scarcity.” They share their fake website for trading with the victim.

When the victim uses the site, they watch their money grow and invest more money hence the name of the scam. They are fattening the victim up until they cut contact and take their money. Do not use any digital wallet that you have not thoroughly researched.

So, if you are approached via email, text, or phone slow down, take the emotion out, and determine if it is legitimate. If the proposal sounds too good to be true, identify what social engineering principles are being employed and why.

Original article can be found here.

Scammed! How Hackers Hijack Your Amygdala

Last week an elderly friend called me. He had been scammed out of $13,000 … almost. RIGHT before he finalized sending the money, he had a lucid moment and thought “this is probably a scam”. He ended the call and phoned his bank. All ended well.

So, what can we do to help our elderly friends and family? They are easy pickins for professional scammers. These scams work because they incite a cognitive response in the mind of the potential victim that causes them to jettison all logic. They simply fall prey to an ancient brain-part — the amygdala. Chris Hadnagy (professional white hat social engineer) references the term “amygdala hijacking”. It’s a term coined by Dr. Daniel Goleman. Hadnagy states scammers use techniques that hijack the amygdala which shuts off the logic center of your brain. The tragic result is that in less than 30 minutes your elderly loved one will transfer tens of thousands of dollars to a person they’ve never met.

According to Hadnagy, there are 4 vectors of social engineering attacks: 1. Phishing. 2. Vishing. 3. SMiShing. 4. Impersonation. I’m sure we could add to or subdivide these categories, but this is enough for now.

Phishing is typically an email delivery. That’s how my friend was targeted. He received an email informing him his Norton antivirus subscription had just been renewed for $250. He was kindly informed to “call this number if you’d like to cancel.” Panic set in. The amygdala hijack was on. He completely ignored the fact he NEVER had a Norton antivirus account.

Vishing uses the same content essentially as a phishing email but delivered over a phone call. SMiShing is the same – except over text message. Impersonation is an in-person visit from someone pretending to be someone like phoneline repair or a plumber.

In almost all these cases the scam works because the content of the message causes the victim to immediately panic. The anger, fear, or excitement they feel disables all the logic which they would normally use to make informed decisions. This is where the amygdala takes center stage. Logic takes a lunch break.

It’s here that the scammer handholds the victim all the way through the scam. They promise to fully refund the victim’s money. This makes the amygdala happy. The scammers convince the victim to let them remote connect to their computer. Next, they do some confusingly technical looking things to build false trust. But it’s all a ruse. The scammer is counting on the good heart and trusting character of the victim. Trust and honesty make them the perfect victim.

To protect yourself and your loved ones, here are a few rules:

1. Trust no one.

2. If you get any kind of communication you didn’t expect, pay attention to your feelings. Does it make you anxious in any way? Then it’s a scam.

3. If the message you received claims your bank account or credit card have been charged, close the message and contact your bank using a known-good number.

4. If the message appears to come from a government agency, close the message and contact the agency using a known good number.

5. Every organization that deals with your money has a fraud department. Contact them. They can help you get things straightened out.

6. Contact the Cyber Guys at CyberEye.

Original Article appeared in the Sierra Vista Herald here

Put On Your Cyber Armor Before Your First Cup

Knights Prepare: In the early Middle Ages, knights spent hours getting ready for battle putting on their armor with the help of a squire.  There were hooded coats, trousers, gloves and shoes made of chain mail. Add the helmet, shield, and sword, and they were ready for war.

Cyber Protection: In order to be safe in the cyber world, computer users need to be prepared for the cyber battle that we did not request. We need protection.   Here are two examples of attacks and how to defend your home or business.

Ransomware Attacks: To avoid having to pay the ransom for your data held hostage, your organization should be backing up data nightly or more often if operations require.  In that case, you will only lose one day’s worth of data plus the time and resources it takes to restore your infected system.    

Suncrypt: This happened to Haywood County School District in North Carolina.  Their computers were attacked by Suncrypt ransomware.  They did not pay the ransom because they had backups, however, they had to delay school for a week to restore everything.  Suncrypt uses a Windows admin utility called “PowerShell” to send a file to execute on other computers in order to rename and encrypt every folder on the infected computer. The hackers now have your data hostage.

Could It Have Been Avoided?: What could the school district have done to avoid the infection altogether? 

Admin Privileges: First, the person who clicked on the phishing email had “administrative” privileges.  Cybersecurity has a concept called “least privilege” where a user has a least amount of privilege to do her work.  All internet browsing and email reading should be done as a non-admin user.  It is critical to only use admin privileges when performing admin functions (configuration and installation).

Outbound Powershell: Second, the computer security policy allowed the use of outbound PowerShell.  The system policy should have disabled outbound PowerShell capability. Powershell is the new favorite of hackers.  According to https://news.softpedia.com/news/malware-created-with-microsoft-powershell-is-on-the-rise-503103.shtml   eighty-seven percent (87%) of common malware uses PowerShell. This one change to your system can block much of the current malware.

Controlled Folder Access: Finally, for this particular attack, and those like it, the entire attack would have been thwarted if the systems had a simple setting enabled called “Controlled Folder Access.”  This feature allows only authorized applications and users to modify folders.  This would have completely blocked Suncrypt.

Phishing Attacks:  Phishing is getting very complex.  There are new targeted phishing campaigns where emails are sent to company users claiming to be from the IT Department.  The emails explain that certain sent emails were quarantined and provides a link for the user to login and review the files.  The link takes you to a screen that looks exactly like the company login.  The hackers grab the user’s credentials when they attempt to login and fix the problem.

Don’t Click It: The lesson here is to always hover over any link.  Do NOT click the link without checking it.  When you hover over the link, the details of the link show in the bottom left-hand corner of your browser or pops out on your email application.  Verify the entire link carefully. Hackers can be creative with their domain names making them similar to the real domain names. So look closely.   When it comes to links, hover, hover, and hover again. 

Put Your Cyber Armor On: So, along with that first cup of coffee or tea in the morning, remember to put on your cyber armor before you check your emails.

Gone Phishin’

Happy to Help: An entry level accountant, “Sebastian”, receives an email from his CEO. Sebastian is excited the CEO recognizes him and needs his help on a major acquisition. The CEO requests a wire of 50 million Euros immediately sent to a bank account for the acquisition. Sebastian quickly executes the transfer. He feels like a hero. He can almost smell that promotion.

Oops: Unfortunately for Sebastian, and his large Austrian aerospace company, FACC, the email was not from his CEO. This was one of the most profitable phishing expeditions ever. The company could only recover 20% of the funds.  The CEO was fired and most likely, Sebastian. 

Phishing: Phishing is a type of cyber-attack that uses email to trick the recipient into doing some particular action or providing private information.  The term was coined in 1995 as a variant of fishing and refers to the “bait” used to get the victim to “bite.”   There are several variations of phishing.  Whaling refers to targeting high-level personnel in an organization.   Spear phishing refers to a phishing attack targeting a specific group of people like the military, a specific company, or certain professionals.

More Complex Today: With the techniques used today, it is not always simple to identify a phishing attack.  Although the Nigerian Prince scam, with its poor grammar and misspelled words, is still around, there are new scams that look extremely legitimate and appear to be from legitimate organizations. 

What to Watch For: Here are some methods to skillfully spot the phishing email. If an email is asking for personal information or asking you to verify details like bank or credit card information, don’t take the bait.  Established companies never ask for sensitive information. Be cautious of emails presenting dire warnings and potential consequences which require urgent action. Some examples might be a warning that an account of yours has expired or has been hacked.  Similarly, be wary if there is an urgent deadline to go along with the dire consequences.  Another common phishing tactic is to offer large financial rewards. This could be winning a lottery that you did not enter or being the prize-money winner for a bogus contest. If it sounds too good to be true, it probably is. 

What Next?: Now that you are starting to smell something phishy, how do you determine what to do? First, don’t click on the provided link, if there is one.  Hover over the link and look at the bottom left corner of your browser or email client.  It should show the full web address.  Some bogus web addresses will have extra words or letters added which do not belong to the legitimate address. Carefully scrutinize the address. (For example, g00gle is not the same as google.)  Also, beware of short URLs (hyperlinked website addresses).  Hackers can hide their true address inside a tiny URL link.  When you get an email that seems like it really came from your bank, for example, mentioning dire consequence and an urgent deadline, call the bank using a number YOU KNOW is good, or check the official website. (Google the website; don’t click the link in the email to determine if the email is legitimate.)  Many spear phishing attacks can be thwarted with policies requiring a second method of approval prior to email requests for funding (which Sebastian should have looked for).

Protection: To protect your business, you should look at increasing your cyber defenses. This may be something like using email services that stop most phishing attempts. Businesses can use email certificates to digitally sign emails so recipients can verify they came from you.  

The Keys: Training and awareness are the key.  There are services you can leverage that provide phishing training. It’s even better if the training also includes simulated phishing attempts targeting your employees to determine how well the training is sinking in.

Perhaps if “Sebastian” from FACC had the proper training, he might still be enjoying his employment there – along with his CEO. 

On A Hot Day

Not The Droids You’re Looking For: On a hot day (which was not unusual for the desert planet of Tatooine), overlooking the Mos Eisley space port, the Jedi master warned his freshly-minted apprentice to be careful, with good reason. No sooner had they hovered into town in the weathered X-34, when they were stopped at an impromptu checkpoint. The gleaming troopers searching for stolen imperial plans demanded to see identification. Waving his aged fingers, the holy man muttered, “You don’t need to see his identification.” In a perplexing turn of events, the menacing guard robotically repeated those words, thereby blasting that exchange into galactic popular culture.

Cyber Jedi Mind Tricks: You may compare your computer to the weak-minded fools vulnerable to a Jedi mind trick: It does what it is programmed to do. Nothing more. For example, when an operating system looks for files (like when it hunts for malware), it does so in a methodical manner. Malware authors know how this is done, and they modify the list the operating system uses to find files, hiding their secret plans deep in the file system. They may even modify registry settings, install additional user accounts, and set up scheduled tasks.

Defender: According to several reputable sources, the Windows Defender component of Windows 10 is all the antivirus you need. It will take care of commodity malware, and it does so quietly. It doesn’t alert you when it finds malicious files. That’s good and bad. You won’t have a lot of alerts you have to investigate–that’s good, but you also won’t have a lot of alerts to investigate–that’s bad. You want to know when you get infected, so you can do something about it.

Don’t Fall For It: You also need to be aware and avoid falling for the Jedi mind trick yourself. It may come to you in the form of a popup, warning you that your computer is infected. It’s a lie. Don’t click anything in that window of warning. The red “x” in the upper right corner isn’t the close button. Every part of that window is the “install” button. Instead of clicking anywhere in that window, use the Windows Task Manager to find your browser instances, and end the task on all of them.

If Infected: What do you do if your computer legitimately becomes infected with malware? Like the stormtroopers on Tatooine, you can systematically check the identification of every program, and visit every mysterious dark hole within the Windows Operating System; however, be aware there are Jedi that will prevent your successful search. The most effective way to be sure you’ve deleted all the secret plans the malware left behind is to reinstall the operating system then reinstall all the necessary programs. Just make sure you create a backup of all your irreplaceable files before you do.

Let’s just be clear: Malware wants to hide, and it’s very good at it. A knot of Stormtroopers  fitted with pure white armor briefly interrupted the Jedi concerning his mismatched metal companions at Mos Eisley. They were rebuffed. You will be rebuffed if you think you can find the malicious secret plans embedded in your computer.

Riddled by Ransomware

Ransomware. The word sends chills up your spine; or it should. Ransomware is essentially a cyber-criminal holding hostage your digital life in a binary bag. Cyber-criminals do this by zipping all your important, irreplaceable files and setting a password on them. The crooks “generously” offer to sell you the password for a “minor” fee. Truth is, the fee is not so minor, nor convenient.

How It’s Delivered: Most ransomware comes as either an email attachment, or it comes by infecting you when you visit a compromised website. For example, a few weeks ago, the actual website for the World Health Organization was compromised and serving up malware to every visitor to the site!

Protection: You used to protect yourself from this type of attack by creating a daily backup of your critical files. Files like Quickbooks, family photos, and the digital scan of your high school diploma. I said keeping backups used to work. The crooks have changed their tactics. As more and more of us got better at backing up our files, fewer and fewer of us paid the ransom; therefore, we cut into their profits. That’s bad for business.

Lockout or Stealing: Before, they just stole your access to the files by encrypting them. Now they actually steal copies of the files. If you don’t pay up, they will dump your files on the dark web–not to the highest bidder–but for free. Maybe you’re not concerned if your pictures of Fluffy end up in the darkest corners of the Internet, but how about your Quickbooks, or the scans of your birth certificate, social security card and driver’s license? It is not uncommon (nor is it recommended), for people to keep spreadsheets of all their bank and investment account numbers and the associated usernames and passwords. These are certainly not the files you want to become public!

Anti-Virus Enough? I know what you’re thinking. “I have anti-virus so I don’t have to worry, right?” Wrong. Your antivirus won’t stop it. If it could, you’d rarely hear about these attacks in the news. Don’t delete it though; it will stop some malware.

Two Keys: It is imperative for every user to do two things. First, ensure you don’t surf the web with an account that has administrator privileges. Second, become suspicious of EVERY email you receive; if your gut tells you an email looks “fishy”, then it is probably “phishy”. Additionally, if you receive an email, and the tone is one intended to terrify you with dire consequences for inaction, be on your guard. That is a favorite tactic of cyber-crooks.

Helpful Hint: One last suggestion, if you do store critical files like those I mentioned, then you should zip them and password-protect them yourself with an annoyingly long password. Finally write the password in a book and lock it in your desk drawer. If you follow this recommendation, it won’t matter if those files get dumped onto the dark web, because you have protected them.  You turned the tables on crooks. They will be unaware that the bag they hold is filled with digital dust.