- March 20, 2017
- Matthew F. Fox
Social engineering, the exploitation of human psychology, is nothing new; from the Trojan Horse to today’s 419 email scams, conmen have always tricked trusting individuals out of their valuables and personal information. In the late 1840s, William Thompson, the original “confidence man” (a term coined by the newspapers of the day), talked people into handing over their belongings after a brief conversation that included the question, “Have you the confidence in me to trust me with your watch until tomorrow?” Many did, and never saw William, or their belongings, again.
According to historian Karen Halttunen, police estimated that during the 1860s one in ten professional criminals in New York was a confidence man.
While measures exist today that prevent many cons, technology has created many new opportunities for the modern conman. Even the most advanced security technologies can be bypassed by a clever social engineer, because the attack targets the person using the system rather than the system itself.
Today’s most common form of social engineering on the Internet is email phishing. Phishing attacks use email, often combined with malicious websites, to trick victims into providing personal information, including account credentials or financial information.
Phishing attacks often appear to come from trusted organizations; banks, online stores, and charities are commonly impersonated. Attackers will also take advantage of current events and certain times of the year, including:
- Natural disasters
- Epidemics and health scares
- Economic concerns
- Major political elections
During the 2016 RSA Conference, Tripwire surveyed 200 security professionals. Respondents reported seeing an increase in the complexity of phishing attacks. To make matters worse, the majority were not confident that their executives would be able to spot a phishing scam. Every member of an organization is vulnerable to attacks of this sort, so it is vital for organizations to perform ongoing security awareness training that enables staff to exercise caution and good judgement and so minimize risk.
The majority of phishing attacks fall into one of five categories, each a bit more complex than the last.
Deceptive phishing is the most common form of phishing scam: conmen impersonate a legitimate entity in an attempt to steal an individual’s or organization’s credentials. We’ve all seen emails like this before; a bank or online store has information for you, but you must first log in to view it. The email contains a link to a login form which looks legitimate but is simply a convenient way to collect your personal information.
The success of a deceptive phishing attempt is directly related to how authentic the correspondence, and any subsequent websites, look. Because of this, you should always check the URL of any page you are linked to (hover over the link before clicking and read the actual domain, not the link text) to be sure that you are at an authentic site. Also keep an eye out for generic salutations (or a salutation that uses your email address instead of your name), poor grammar and spelling mistakes.
Below is an example of a deceptive phishing email. Note the URL you are directed to when clicking the “update your account” button; that is definitely not a genuine PayPal link. Other warning signs include the grammatical errors in the email’s subject and the invalid IP address quoted in the message body, a detail that is easily overlooked by the untrained eye.
There are, however, several details in this email that may lure a victim into a false sense of trust. The PayPal logo, social media links, and even the email footer and copyright notice look genuine. In the case of this particular email, the social links pointed to PayPal’s real social media pages, further helping the email look like it really came from PayPal.
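The tells listed above (an IP address or look-alike domain behind the link, a link whose visible text names one host while its href points at another, a generic or email-address salutation, and an impossible IP address in the body) can be checked mechanically. The script below is an added example written for this article, not code from the original post or from PayPal; the two messages it examines are constructed, using example.org/.example names and RFC 5737 documentation addresses, and the brand-versus-sender-domain check is a deliberately crude heuristic.

```python
"""Heuristic checks for the deceptive-phishing tells discussed above, run over constructed samples."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure in the style of the PayPal example. The sender domain, IP addresses and
# recipient are documentation/example values; this is not a real message.
PHISHING_EMAIL = """\
From: "PayPal" <service@paypal-account-review.example>
To: victim@example.org
Subject: Your account has been limited, please verify you're information
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear victim@example.org,</p>
<p>We detected an unusual login from IP address 999.12.300.7.</p>
<p><a href="http://198.51.100.23/paypal/login">Update your account</a></p>
<p>Or visit <a href="http://198.51.100.23/paypal/login">https://www.paypal.com/signin</a></p>
<p><a href="https://www.facebook.com/PayPal">Facebook</a> | Copyright 2017 PayPal, Inc.</p>
</body></html>
"""

# Constructed control message with none of the tells, to show the checks stay quiet on it.
CLEAN_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: alice@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Alice Example,</p>
<p>Your statement is ready. <a href="https://www.paypal.com/signin">Sign in</a> to view it.</p>
</body></html>
"""

GENERIC_SALUTATIONS = ("customer", "user", "member", "valued", "client", "account holder")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text_parts, self._current = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._current is not None:
            self._current[1] += data


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw, single-part HTML email message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name claims a brand that the sender's registrable domain does not match.
    #    Heuristic: compare the first word of the display name with the domain's first label.
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.partition("@")[2])
    brand = display.lower().split()[0] if display else ""
    if brand and brand != sender_domain.split(".")[0]:
        findings.append(f"from: display name '{display}' but sender domain '{sender_domain}'")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    parser = _LinkCollector()
    parser.feed(body)
    text = " ".join(parser.text_parts)

    # 2. Links: IP-literal hosts, credential-related links over plain http, and link text
    #    that shows one host while the href actually points at another.
    for href, link_text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if IPV4_RE.fullmatch(host):
            findings.append(f"link: IP-literal host {host} ({href})")
        if url.scheme == "http" and re.search(r"login|account|update|verify", link_text, re.I):
            findings.append(f"link: credential-related link over plain http ({href})")
        shown = urlparse(link_text.strip())
        if shown.hostname and shown.hostname != host:
            findings.append(f"link: text shows {shown.hostname} but href goes to {host}")

    # 3. Salutation: generic, or addressed to the raw email address instead of a name.
    m = re.search(r"\bdear\s+([^,\n]{1,60})", text, re.I)
    if m:
        who = m.group(1).strip().lower()
        if "@" in who:
            findings.append(f"salutation: addressed to an email address ({who})")
        elif any(who.startswith(g) for g in GENERIC_SALUTATIONS):
            findings.append(f"salutation: generic ({who})")

    # 4. A dotted quad with an octet above 255 cannot be a real IPv4 address.
    for quad in IPV4_RE.finditer(text):
        if any(int(octet) > 255 for octet in quad.groups()):
            findings.append(f"body: impossible IP address {quad.group(0)}")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(PHISHING_EMAIL):
        print(finding)
    print("control message:", phishing_indicators(CLEAN_EMAIL))
```

Run as-is, the script lists seven indicators for the constructed lure and none for the control message. Checks of this kind belong in a mail gateway or a triage script, not in the user's head; they catch the mechanical tells, while the user is still the last line of defence against a well-crafted lure that has none of them.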
Spear phishing is a more sophisticated email scam that uses known personal information and is targeted directly at you. Conmen customize attack emails with your name, company, phone number, or other details in an attempt to convince you that you have a connection with the sender.
To protect against this type of scam, limit the amount of personal information about you that is publicly available online. Check your social media privacy settings to ensure that details like your phone number and email address are hidden from anyone who isn’t a friend. Many companies use mail filtering solutions that analyze inbound email for known malicious links and attack patterns, but filters miss novel lures, so you still need caution and good judgement to avoid becoming a victim.
Spear phishing directed at the executives of an organization is known as CEO fraud. Gaining the credentials of a company executive can have disastrous results: with access to the executive’s mailbox, attackers can impersonate them to authorize fraudulent financial transactions or other actions, leading to major legal and trust problems for the organization.
Attacks like this often succeed because executives are frequently exempted from security awareness training, a gap Tripwire’s survey hints at. To counter the threat, all company personnel, regardless of position, should undergo security awareness training on a regular basis, and any payment or sensitive-data request that arrives by email alone should be confirmed out of band, over a known phone number, before anyone acts on it.
Pharming is a method of attack that stems from DNS poisoning, and is one of the more technically advanced forms of phishing.
The Internet uses DNS to convert domain names (e.g. amazon.com) into IP addresses. In a DNS poisoning attack, the conman targets a DNS server, or the cache of the resolver your computer uses, and changes the IP address associated with a particular domain name. This means that an attacker can redirect victims to a malicious website even though the victim typed in the genuine domain name, so the address bar looks right.
To protect against pharming attacks, organizations should encourage staff to enter login credentials only on sites protected by HTTPS. A valid HTTPS connection helps ensure that the website being visited is genuine, because the attacker can redirect the traffic but cannot present a certificate that the browser will accept for the legitimate domain. That protection only holds if the browser’s certificate check succeeds, so a certificate warning on a site you normally use without one is a sign that something is wrong: never click through it.
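Seen on the wire, a pharming attack is simply a DNS answer whose A record points somewhere it should not. The following script is an added example for this article, not code from the original post or from any DNS vendor: it builds a minimal DNS response (so the check can run offline), parses it back, and compares the returned addresses against a baseline of known-good networks, the kind of monitoring an organization can run against its own domain from several vantage points. The baseline and both answers use RFC 5737 documentation ranges standing in for real addresses; amazon.com is used only as the name, as in the text.

```python
"""Parse a raw DNS response and flag A records that fall outside a known-good baseline."""
import ipaddress
import struct


def build_a_response(qname, txid, answer_ips, ttl=300):
    """Build a minimal DNS response (one A question, N A answers) in wire format.
    Constructed here only so the checker has packets to examine without a network."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer_ips), 0, 0)  # QR=1, RD, RA
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)               # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in answer_ips:
        answers += b"\xc0\x0c"                               # compression pointer to the name at offset 12
        answers += struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _read_name(pkt, off):
    """Decode a (possibly compressed) domain name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                            # two-byte pointer into the packet
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(pkt):
    """Return (transaction id, [question names], {answer name: [IPv4 string, ...]})."""
    txid, _flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, records = 12, [], {}
    for _ in range(qdcount):
        name, off = _read_name(pkt, off)
        off += 4                                             # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                        # A record
            records.setdefault(name, []).append(str(ipaddress.IPv4Address(rdata)))
    return txid, questions, records


def check_answers(pkt, expected_txid, baseline):
    """Compare the A records in a response with the networks each name legitimately uses.
    baseline maps a domain name to a list of CIDR blocks."""
    txid, questions, records = parse_a_records(pkt)
    alerts = []
    if txid != expected_txid:
        alerts.append(f"transaction id {txid:#06x} does not match the query ({expected_txid:#06x})")
    for name, ips in records.items():
        if name not in questions:                            # answer data nobody asked for
            alerts.append(f"answer for {name} was not requested")
            continue
        nets = [ipaddress.IPv4Network(n) for n in baseline.get(name, [])]
        for ip in ips:
            if not any(ipaddress.IPv4Address(ip) in net for net in nets):
                alerts.append(f"{name} resolved to {ip}, outside the baseline {baseline.get(name)}")
    return alerts


# Constructed baseline: RFC 5737 documentation ranges stand in for the real addresses.
BASELINE = {"amazon.com": ["203.0.113.0/24"]}

if __name__ == "__main__":
    honest = build_a_response("amazon.com", 0x1234, ["203.0.113.10"])
    poisoned = build_a_response("amazon.com", 0x1234, ["198.51.100.77"])
    print(check_answers(honest, 0x1234, BASELINE))          # []
    print(check_answers(poisoned, 0x1234, BASELINE))        # one alert naming 198.51.100.77
```

The transaction-id and "was this name asked for" checks mirror two of the sanity checks a resolver applies before caching an answer; the baseline comparison is what turns a parsed response into a pharming alert. A baseline check is only as good as the baseline, so it has to be refreshed whenever the organization legitimately moves its servers.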
Millions of users take advantage of cloud services such as Dropbox and Google Docs, and so do modern confidence men. These everyday services are popular, and conmen capitalize on that popularity by targeting their users with phishing emails.
One attack against Dropbox users involved an email linking users to a form, hosted on Dropbox itself, that collected their login credentials. Because the form lived on a genuine Dropbox page, the link passed the usual URL checks and raised no warning of fraudulent activity.
In 2015, a similar attack involving Google Drive directed its victims to a page that mimicked Google’s own account login screen to collect their credentials. Since Google uses a single sign-on model for access to most of its services, attackers could access a victim’s email, calendar, documents, and any other Google services linked to the collected credentials.
To protect against attacks like these, enable two-factor authentication (2FA) wherever it is offered. Both Dropbox and Google, as well as many other services, offer 2FA as an additional layer of login security, so a stolen password alone is not enough to log in. Be aware that a one-time code typed into a phishing page can be relayed to the real site just as the password was; 2FA raises the cost of the attack, it does not eliminate it.
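To make concrete what the second factor actually is, the block below implements the RFC 6238 time-based one-time password scheme that authenticator apps use, together with the server-side verification. It is an added example for this article, not code from Dropbox or Google; the only secret it uses is the published RFC 4226/6238 test key, and the drift window and replay handling are the choices a verifier typically makes, not mandated by the RFC.

```python
"""RFC 6238 time-based one-time passwords: what the second factor is and how a server checks it."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of the last byte picks the window
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Code valid during the `step`-second interval containing at_time (default: now)."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at_time=None, step=30, digits=6, window=1, last_counter=-1):
    """Server-side check. Accepts codes from `window` steps either side of the current one
    to absorb clock drift, and returns the matching counter so the caller can store it;
    passing that value back as last_counter refuses the same (or an older) code again,
    which blocks replay of a code the attacker has already seen."""
    t = int(time.time() if at_time is None else at_time)
    current = t // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), for demonstration only.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, at_time=59))                                    # 287082 (RFC 6238 vector)
    print(verify_totp(RFC_SECRET, "287082", at_time=89))                   # 1: accepted one step late
    print(verify_totp(RFC_SECRET, "287082", at_time=89, last_counter=1))   # None: replay refused
```

The shared secret never leaves the device and the server, and a code is worthless after its 30-second step (and after first use, if the server records the counter). That is exactly why a phishing page that relays the code to the real site within those 30 seconds still works: the scheme proves possession of the secret, not that the user is talking to the genuine site.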
With an understanding of the most popular phishing attacks, you’ll be better prepared to protect yourself against the Internet’s most common form of social engineering. This does not make you invincible: phishing constantly evolves to keep pace with technology and user behaviour, so always think twice before filling out a form on the Internet.
Concerned that your organization is at risk for phishing attacks? We can help – The Valiant Way. Get in touch today to schedule a security awareness training for your organization.