Your computer files are being held for ransom. Pay up, or lose them. Your bank account is being emptied, so click here to stop it. Your friend has died, click on this funeral home site for more information. Social engineering thugs have reached new lows.
Social engineers, those criminals who take advantage of human behavior to gain access to data or infiltrate businesses, were once content to trick people with free offers or funny videos before unleashing their scams. Today, social engineering gangs have taken a darker turn toward strong-arm tactics, threats, emotional cruelty and dire ultimatums.
While both the number of emails per spear-phishing campaign and the number of people targeted have decreased, the number of spear-phishing campaigns themselves jumped 91 percent in 2013, according to Symantec Corp.’s 2014 Internet Security Threat Report, released in mid-April.
Campaigns run about three times longer than those in 2012, which indicates that user awareness and protection technologies have driven spear phishers to tighten their targeting and sharpen their social engineering. Symantec also reports that “real world” social engineers are combining virtual and real-world attacks to increase the odds of success.
Chris Hadnagy, Chief Human Hacker at Social-Engineer Inc., sees this tactic increasingly used against business employees.
“Groups are sending phishing emails with malicious attachments,” which a cautious employee usually ignores.
“But then they’re following up with a phone call that says, ‘Hi, this is Bob in accounting. I just sent you an email with a spreadsheet. I just need you to open that up real quick and check it out.’ Those factors put together make you trust them and take that action.” Social engineering tactics like these serve as the entryway to the latest internet scams.
1. Phishing with new lethal strains of ransomware
Ransomware caught businesses’ attention in 2013 with Cryptolocker, which infects computers running Microsoft Windows and encrypts all of their files, as well as files on a shared server. The extortionists then hold the encryption key for ransom (about $500 USD), to be paid with untraceable Bitcoin. The longer the victim waits to pay, the higher the price, or the data can be erased.
Now, copycat CryptoDefense has popped up in 2014 and targets text, picture, video, PDF and MS Office files and encrypts them with a strong RSA-2048 key, which is hard to undo. It also wipes out Shadow Copies, which are used by many backup programs.
In February a Charlotte, N.C. law firm came forward and described how their whole file server was scrambled by Cryptolocker, and the firm lost all its files. The IT team tried to disinfect the machine, but the plan backfired and prevented decryption. They also tried to pay the ransom, but it was too late since they had tampered with the malware. The social engineering attack used an email "from AT&T" with a malicious attachment that was mistaken for a voice-mail message from their phone answering service.
Companies that back up files once a week are caught off guard by the scam and are often willing to pay the ransom.
“It’s the choice between paying 500 bucks or losing a week’s worth of work – for maybe more than one person,” says Stu Sjouwerman, cofounder of security training company KnowBe4 LLC in Clearwater, Fla.
While the scammers used a phony AT&T address in the law firm case, other telco companies saw variants of the phishing scam, too, Sjouwerman adds. Symantec estimates that ransomware like Cryptolocker earned criminals over $34,000 in one month alone in late 2013.
Small and medium-size businesses with fewer than 500 employees account for 41 percent of all spear-phishing attacks, compared to 36 percent in 2012, according to Symantec. Large enterprises with more than 2,500 employees accounted for 39 percent of all targeted attacks, compared with 50 percent in 2012 and 2011.
Small and mid-size businesses run into two challenges, says Scott Greaux, VP at PhishMe.com in Chantilly, Va.
“One is the perception that I don’t have anything people would want. [Two], they might have the traditional [security] tools in place but they might be behind the times, even if they are using web-filtering.”
Before it happens to you – “make sure you do have backups and test your restore function on a very regular basis,” Sjouwerman says. Also, invest in security awareness training for all employees.
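One way to act on the “test your restore function” advice above, as an added example that is not the article’s own or any vendor’s code: a POSIX shell script that restores a backup into a scratch directory and compares checksum manifests of the live tree and the restored tree. The directory-copy backup, the sample files and the function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Restore test for a file backup: restore the backup into a scratch
# directory and compare checksum manifests of the live tree and the
# restored tree. Added example, not from the article. It assumes the
# backup is a plain directory copy (e.g. from rsync); swap the body of
# restore_backup for your own tool's restore command.
set -eu

hash_file() { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; }

# Sorted "checksum  ./relative/path" manifest of every file under $1.
manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do hash_file "$f"; done)
}

# Restore backup $1 into directory $2 (a plain copy stands in for the real tool).
restore_backup() { cp -R "$1/." "$2/"; }

# Return 0 when the restored backup matches the live tree $1 byte for byte,
# 1 otherwise (the differing manifest lines are printed).
verify_restore() {
    live=$1; backup=$2
    scratch=$(mktemp -d)
    restore_backup "$backup" "$scratch"
    manifest "$live" > "$scratch.live"
    manifest "$scratch" > "$scratch.restored"
    if cmp -s "$scratch.live" "$scratch.restored"; then rc=0
    else rc=1; diff "$scratch.live" "$scratch.restored" || true; fi
    rm -rf "$scratch" "$scratch.live" "$scratch.restored"
    return $rc
}

# Constructed demonstration: a backup taken today passes, a week-old backup
# that misses a later edit fails. Returns 0 when both outcomes are as expected.
demo_run() {
    work=$(mktemp -d)
    mkdir -p "$work/live/docs" "$work/good" "$work/stale"
    printf 'contract v1\n' > "$work/live/docs/contract.txt"
    printf 'ledger\n' > "$work/live/ledger.csv"
    cp -R "$work/live/." "$work/stale/"                      # backup taken last week
    printf 'contract v2\n' > "$work/live/docs/contract.txt"  # edited since then
    cp -R "$work/live/." "$work/good/"                       # backup taken today
    verify_restore "$work/live" "$work/good" && good=0 || good=$?
    verify_restore "$work/live" "$work/stale" && stale=0 || stale=$?
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$stale" -eq 1 ]
}
```

Run it from cron against a real backup target so a silently broken restore is noticed before a ransom demand forces the question.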
2. IVR and robocalls for credit card information
Interactive voice response systems and “robocalls” play a central role in new social engineering scams seeking credit card or password information. Bad guys steal thousands of phone numbers and use a robocaller to call unsuspecting employees.
“It’s fully automated,” Sjouwerman says.
“The message goes something like – ‘This is your credit card company. We are checking on a potential fraudulent charge on your card. Did you purchase a flat screen TV for $3,295? Press 1 for yes or 2 for no.’” If the person responds no – the script then asks the victim to enter his credit card number, expiration date and security code.
In some cases, employees worry that their company credit card has been compromised and they might get into trouble, so they play along.
“Just to add insult to injury, they ask the victim to enter a cell phone number so that a customer service rep can call you back about this and they’ll reverse the charge,” he adds.
While the scam seems to be aimed at consumers, the concept of combining robocalls and IVR has implications for businesses, too, says Chris Silvers, owner and principal information security consultant at CG Silvers Consulting in Atlanta.
“The most obvious scenario would be to spoof an internal call from the voicemail system, asking employees to confirm their voicemail password and maybe prompting for an emergency cell phone number or something similar.”
Prevention: Never act on incoming robocalls, experts say, and don’t trust the name on Caller ID. One telltale sign of the robocall scam – it will refer to the message from “your credit card company” but doesn’t say the actual name.
3. Healthcare records for spear-phishing attacks
With the massive data breaches of 2013, criminals have reached a point where they can grab personally identifiable information and start merging records – including healthcare records.
For instance, a bogus email looks like it’s coming from your employer and its healthcare provider announcing that they’ve made some changes to your healthcare program. They’re offering preferred insurance rates for customers with your number of children. Then they invite the email reader to check out a link that looks like it goes to the health insurer’s web page.
“Because the email is loaded with the reader’s personal information, there’s a high likelihood of one click – and that’s all it takes” to infiltrate company systems, Sjouwerman says.
4. Phishing with funerals
Perhaps a new low – social engineering gangs have been caught sending phishing emails that appear to be from a funeral home, telling the reader that a close friend of theirs is deceased and that the burial ceremony is on a given date. The gang has already penetrated and compromised the funeral home’s website, so the moment the concerned friend clicks through to the compromised site they are redirected to the attacker’s server.
Hadnagy confirms that this social engineering scam is sad, but true. “There are a few stories of this being used successfully. People click and get loaded with exploit kits or the scammers harvest credentials.”
At the bogus site, the bad guys quickly drop a piece of malware that, over time, installs a keylogger and siphons off a boatload of information. It also drops a Trojan, and the computer has just become a zombie able to carry out nefarious acts such as attacking other computers and sending spam.
Bottom line – think before you act on emotion, Greaux says.
“Typically the [scammers’] motivator is fear, greed or curiosity. If you send out 10 emails [or calls,] chances are 1 out of 10 of the recipients is going to be motivated by the emotion that they’re trying to use.”