It is almost summertime, and while the livin’ supposedly gets a bit easier, it remains risky. As the vacation season approaches and everybody is planning travel, socializing with friends and family and relaxing, people in the “always connected” world should add one more item to their list: Don’t relax when it comes to online security.
Social engineering scams are more ubiquitous and sophisticated than ever. And they can do a lot more than ruin a vacation. As experts consistently point out, a successful scammer can steal, destroy or hold your files hostage, install malware on your computer, steal your identity and other personal information, steal your money, break into your house and ruin your reputation.
There are dozens to hundreds of such scams, but with the help of several experts, CSO has selected a somewhat arbitrary “Top Five” that represent the most common social engineering threats that target individuals and organizations, concluding with some general advice on how to detect and avoid them.
1. You've won a free ticket to the World Cup!
No, you haven’t. But Christopher Hadnagy, CEO of Social-Engineer Inc., said the breathless email that potential victims receive is hard to detect and resist.
“This one is particularly evil,” he said, “since they have a valid SSL (secure sockets layer) certificate. This means that everything really looks legit. It would take extra work to look into the URL and who owns it.”
Of course, if targeted victims click on a link that promises to print the ticket, they are instead loaded with a Trojan and then hacked – the goal is to plunder personal banking details.
Hadnagy said he doesn’t know where the scam originates. “Without being able to analyze the malware it would be hard to say,” he said. “But we do know they are using a database breach, as they have a lot of data on their clients. And they are most likely going after banking info from their targets.”
He added that he also doesn’t know how many victims have been ensnared by the scam, “but in Brazil alone there are a reported 50-60 new phishing links reported every day.”
Security vendor McAfee calls a similar scam related to the World Cup the “Red Card Club,” according to Robert Siciliano, CEO of IDTheftSecurity and also a blogger for McAfee.
“It involves 11 footballers whose names appear on web sites that contain the biggest threats of malware infection to fans who visit,” he said. “Cristiano Ronaldo and Lionel Messi lead the pack, followed by other footballers like Karim Ziani and Iker Casillas.”
He said the scam appears to have originated in South America and Europe, and the goal is to “trick fans into giving up personal information so that the thieves can steal an identity or get credit card information and max out the fan’s cards. The sites most likely to be risky are those offering videos showing the athlete’s skills, and screensaver downloads,” Siciliano said.
The best way to avoid such scams, he said, is to “beware of the ‘free download’ offer. If a site wants personal information like your email address or credit card before letting you see an ‘exclusive’ story, run for the hills.”
2. We can help you avoid Cryptolocker!
This pitch offers victims a chance to download a security patch to “protect against new malware circulating over the net,” allegedly from security vendors, according to a blog post by John Zorabedian, of security vendor Sophos.
Zorabedian quotes fellow blogger Paul Ducklin, noting that, “the email doesn’t explicitly mention the Cryptolocker ransomware that locks your files and tries to sell them back to you. But there is little doubt that many recipients, having heard of the ongoing saga of Cryptolocker, will be more inclined than usual to read on.”
Instead of a security patch, victims download Zbot, which cybercriminals use to load other malware onto an infected computer. The most important thing for the targets of such scams to remember is that legitimate security vendors never deliver patches in an email.
3. Please send me money, grandma! And don't tell my parents!
This scam is not new, but it remains popular for a good reason – it still works. Attackers are much better at it, in part because people post so much personal information about themselves on social media sites, making it much easier to provide credible information to a potential victim – often an elderly relative like a grandparent.
“The attacker poses either as a friend or family member in trouble in another country and in need of money,” said Michele Fincher, chief influencing agent at Social-Engineer, Inc. “The request for help is usually combined with a plea for silence out of embarrassment or not wanting to worry other friends or family members.”
Liz Phillips, a freelance journalist, wrote in The Guardian last fall about clicking on a link she thought was from her internet provider, BT, asking her to confirm her email address with a code. Instead, hackers got her entire address book of more than 1,000 contacts, and she started getting calls from friends the next morning saying they had received an email purportedly from her, saying she was stranded in Ukraine, “having lost my passport and cell phone, and urgently needed £2,100 to settle my hotel bill and get home.”
Fortunately, none of her friends or family fell for it, and after spending a morning on the phone with BT and waiting 48 hours for her addresses to be restored, she had learned a hard lesson. “I have learned never to click on a link in an email message, no matter how genuine it appears,” she wrote. “In future I will close the browser, reopen it and type the address directly into the address bar.”
She is not alone, of course. The FBI has issued an advisory on the grandparent scam, and CBS News did an interview in mid-April with a jailed con man who said those who know how to do the scam well can make $10,000 in a day.
4. Hi, this is Jim from accounting ...
A multi-stage scam that Hadnagy calls “Multi-stage SE,” is aimed at planting malware on the networks of enterprises. It uses both email and phone, hoping to snare careless or unwary employees.
“A typical attack goes like this,” he said.
Stage 1: An email is sent with an attachment that looks like it’s from someone internal.
Stage 2: Moments later, a call is placed from a spoofed number. “Hi, this is Jim from accounting. I just sent you a report that I need your comments on ASAP. Can you open it please?”
“Jim I see it, let me…” as clicking occurs. “Uh, Jim, it just crashes, not sure what is going on…”
“Dang it, I probably sent you the wrong version. It is end of the day, can you give me till the morning and I will send you an updated one?”
“Sure no problem.”
Stage 3: Now malware is planted and the network is hacked.
Hadnagy said that, as is often the case, the scam works because people don’t, “stop and look. Most of the time there are ‘tells’ in the email, as the URL is wrong. Do I know Jim from accounting? Why is he sending me this report? There are a lot of things that can throw red flags, but one needs to think critically to understand that and catch the hacker.”
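The “tells” Hadnagy describes (a sender who only looks internal, a link whose visible text does not match where it actually goes, an unexpected attachment) can be checked mechanically before anyone clicks. The following is an added example written for this article, not code from Social-Engineer Inc. or any product mentioned here. It assumes a hypothetical company domain, example-corp.test, and builds two constructed sample messages, one modelled on the “Jim from accounting” pretext and one legitimate, to show which tells each one trips.

```python
import re
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.test"  # assumption: the organisation's own mail domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def email_tells(raw):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    tells = []
    _name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Tell 1: the message claims to be from a colleague but is not sent from our domain.
    if sender_domain and sender_domain != INTERNAL_DOMAIN:
        tells.append(f"sender domain {sender_domain!r} is not {INTERNAL_DOMAIN!r}")
    # Tell 2: replies are silently diverted to a different domain than the sender's.
    _n, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        tells.append(f"Reply-To domain {reply_domain!r} differs from sender domain")
    for part in msg.walk():
        # Tell 3: link text names one site, but the href points somewhere else.
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(errors="replace")
            collector = LinkCollector()
            collector.feed(body)
            for text, href in collector.links:
                shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
                target = urlparse(href).hostname or ""
                if shown and registrable(shown.group(0)) != registrable(target):
                    tells.append(f"link shows {shown.group(0)!r} but goes to {target!r}")
        # Tell 4: an attachment with an executable extension, whatever it is called.
        filename = part.get_filename()
        if filename and "." in filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower()
            if ext in RISKY_EXTENSIONS:
                tells.append(f"attachment {filename!r} has risky extension {ext}")
    return tells


def _build(sender, reply_to, html, attachment_name):
    """Helper that assembles a constructed multipart message for the demonstration."""
    m = MIMEMultipart()
    m["From"] = sender
    m["To"] = f"pat@{INTERNAL_DOMAIN}"
    m["Subject"] = "Report - need your comments ASAP"
    if reply_to:
        m["Reply-To"] = reply_to
    m.attach(MIMEText(html, "html"))
    att = MIMEBase("application", "octet-stream")
    att.set_payload(b"constructed placeholder payload, not a real file")
    encoders.encode_base64(att)
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    m.attach(att)
    return m.as_string()


def build_sample_scam():
    """Constructed message modelled on the 'Jim from accounting' pretext."""
    return _build(
        "Jim Carter - Accounting <jim.carter@example-corp-mail.test>",
        "jim.carter@freemail.test",
        '<p>Please review: <a href="http://example-corp.test.downloads-cdn.test/r">'
        "example-corp.test/reports</a></p>",
        "Q2_report.scr",
    )


def build_sample_legit():
    """Constructed message that a genuine colleague might send."""
    return _build(
        f"Jim Carter <jim.carter@{INTERNAL_DOMAIN}>",
        None,
        f'<p>Please review: <a href="https://intranet.{INTERNAL_DOMAIN}/reports">'
        f"intranet.{INTERNAL_DOMAIN}</a></p>",
        "Q2_report.pdf",
    )


if __name__ == "__main__":
    for label, raw in (("scam", build_sample_scam()), ("legit", build_sample_legit())):
        print(label, email_tells(raw) or "no tells")
```

None of these checks proves a message is malicious on its own; the point, as Hadnagy puts it, is to force the “stop and look” step before the phone call pressures someone into opening the attachment.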
5. We're here to help ... ourselves to your files, your money, your identity
The “tech support” scam is another well-established attack that remains popular because it is so effective – cybercriminals calling or emailing, claiming to represent tech support or the “Helpdesk” of enterprises such as Microsoft, PayPal, Verizon and Netflix.
Theresa Payton, president and CEO of Fortalice and a former White House CIO, said scammers sometimes “offer support and service for a low monthly price that really doesn’t provide any support at all or, worse, takes enough information from you to commit ID theft.”
Or, they try to get victims to click on a link to download security updates and bug fixes, “that allow the cybercriminals to place spyware or malware on your computer,” Payton said.
Fincher cites a report from Ars Technica estimating that tech support scams have made tens of millions of dollars.
The Verizon scam is similar, Fincher said. “The scammers call cell phones and direct customers to navigate to a special website to get a rebate, but instead, collect credentials.”
Microsoft has issued a bulletin outlining how scammers will call impersonating the company’s tech support. “They claim to know you have a virus on your computer and step you through downloading a solution, which is typically Team Viewer, giving them full access to your machine,” Fincher said.
The simplest way to spot the scam, Payton said, is to remember some simple advice from Microsoft: Neither the company nor its partners make unsolicited phone calls.
In general …
The most dangerous thing about social engineering scams is that the scammers have become so much better. “It is easy to do and hard to protect against,” Hadnagy said. “The days of phishers being lame have passed. Now they use Spellcheck and they know what is enticing us.”
James Lyne, global head of security research at Sophos, made a similar observation in a recent interview with SCMagazineUK. “Scam messages don’t always have bad English, poor copies of logos or really obviously dodgy links. Sometimes they look practically identical to legitimate messages,” he said.
David Britton, vice president of industry solutions, 41st Parameter (part of the credit monitoring firm Experian), agreed, adding that “attackers can now actually use the ‘social’ part of social engineering, to create communications that appear to come from ‘trusted’ acquaintances.”
This, he said, means criminals can, “cross-reference stolen consumer data to create very sophisticated scams, which could ultimately result in millions of dollars in losses if businesses cannot tell the difference between friend and foe, customer and attacker.”
How can people avoid them? Christopher Martincavage, senior sales engineer at SilverSky, suggests that for enterprises, “a good internal education training program is always a great start, especially since most attacks are longlined. Also, good security countermeasures such as email protection and zero-day detection can reduce the chances of this reaching an end user.”
He and others also say it is crucial never to download patches or updates from an email. “Always patch from the app or go to the site manually,” he said.
Hadnagy agrees that it is important to, “stay educated about the current scams. Learn to use critical thinking – if something sounds too good to be true it probably is and therefore requires some checking into it before you start giving over data.”
In short, don’t trust unsolicited offers for tech support, updates, patches or free stuff. Payton said there are reputable companies that offer IT support. “Go someplace like the bbb.org to find a BBB Accredited Business, ask friends, or research places on Angie's List to find someone you can trust,” she said.