Social engineering thugs have reached new lows, as gangs play on users’ fears of privacy loss, theft and even death.

Your computer files are being held for ransom. Pay up, or lose them. Your bank account is being emptied, so click here to stop it. Your friend has died; click on this funeral home site for more information. Social engineering thugs have reached new lows.

Social engineers, those criminals who take advantage of human behavior to gain access to data or infiltrate businesses, were once content to trick people with free offers or funny videos before unleashing their scams. Today, social engineering gangs have taken a darker turn toward strong-arm tactics, threats, emotional cruelty and dire ultimatums.

While the total number of emails used per spear-phishing campaign has decreased and the number of those targeted has also decreased, the number of spear-phishing campaigns themselves jumped 91 percent in 2013, according to Symantec Corp.’s 2014 Internet Security Threat Report, released in mid-April. Campaigns run about three times longer than those in 2012, which indicates that user awareness and protection technologies have driven spear phishers to tighten their targeting and sharpen their social engineering.

Symantec also reports that “real world” social engineers are combining virtual and real-world attacks to increase the odds of success. Chris Hadnagy, Chief Human Hacker at Social-Engineer Inc., sees an increase in the use of this tactic against business employees.

“Groups are sending phishing emails with malicious attachments,” which a cautious employee usually ignores. “But then they’re following up with a phone call that says, ‘Hi, this is Bob in accounting. I just sent you an email with a spreadsheet. I just need you to open that up real quick and check it out.’ Those factors put together make you trust them and take that action.”

Social engineering tactics like these serve as the entryway to the latest internet scams.

1. Phishing with new lethal strains of ransomware

Ransomware caught businesses’ attention in 2013 with Cryptolocker, which infects computers running Microsoft Windows and encrypts all of their files, as well as files on a shared server. The extortionists then hold the encryption key for ransom (about $500 USD), to be paid in untraceable Bitcoin. The longer the victim waits to pay, the higher the price climbs, or the data can be erased.

Now, copycat CryptoDefense has popped up in 2014. It targets text, picture, video, PDF and MS Office files and encrypts them with a strong RSA-2048 key, which is effectively impossible to undo without the key. It also wipes out Shadow Copies, which are used by many backup programs.

In February a Charlotte, N.C. law firm came forward and described how its whole file server was scrambled by Cryptolocker, and the firm lost all its files. The IT team tried to disinfect the machine, but the plan backfired and prevented decryption. They also tried to pay the ransom, but it was too late, since they had tampered with the malware. The social engineering attack used an email “from AT&T” with a malicious attachment that was mistaken for a voice-mail message from their phone answering service.

Companies that back up files once a week are caught off guard by the scam and are often willing to pay the ransom. “It’s the choice between paying 500 bucks or losing a week’s worth of work – for maybe more than one person,” says Stu Sjouwerman, cofounder of security training company KnowBe4 LLC in Clearwater, Fla.

While the scammers used a phony AT&T address in the law firm case, other telco companies saw variants of the phishing scam, too, Sjouwerman adds. Symantec estimates that ransomware like Cryptolocker earned criminals over $34,000 in one month alone in late 2013.

Small and medium-size businesses with fewer than 500 employees account for 41 percent of all spear-phishing attacks, compared to 36 percent in 2012, according to Symantec.
Large enterprises with more than 2,500 employees accounted for 39 percent of all targeted attacks, compared with 50 percent in 2012 and 2011.

Small and mid-size businesses run into two challenges, says Scott Greaux, VP at PhishMe.com in Chantilly, Va. “One is the perception that I don’t have anything people would want. [Two], they might have the traditional [security] tools in place but they might be behind the times, even if they are using web-filtering.”

Before it happens to you, “make sure you do have backups and test your restore function on a very regular basis,” Sjouwerman says. Also, invest in security awareness training for all employees.

2. IVR and robocalls for credit card information

Interactive voice response systems and “robocalls” play a central role in new social engineering scams seeking credit card or password information. Bad guys steal thousands of phone numbers and use a robocaller to call unsuspecting employees.

“It’s fully automated,” Sjouwerman says. “The message goes something like – ‘This is your credit card company. We are checking on a potential fraudulent charge on your card. Did you purchase a flat screen TV for $3,295? Press 1 for yes or 2 for no.’” If the person responds no, the script then asks the victim to enter his credit card number, expiration date and security code.

In some cases, employees worry that their company credit card has been compromised and they might get into trouble, so they play along.

“Just to add insult to injury, they ask the victim to enter a cell phone number so that a customer service rep can call you back about this and they’ll reverse the charge,” he adds.

While the scam seems to be aimed at consumers, the concept of combining robocalls and IVR has implications for businesses, too, says Chris Silvers, owner and principal information security consultant at CG Silvers Consulting in Atlanta. “The most obvious scenario would be to spoof an internal call from the voicemail system, asking employees to confirm their voicemail password and maybe prompting for an emergency cell phone number or something similar.”

Prevention: Never act on incoming robocalls, experts say, and don’t trust the name on Caller ID. One telltale sign of the robocall scam: it will refer to the message as coming from “your credit card company” but never says the company’s actual name.

3. Healthcare records for spear-phishing attacks

With the massive data breaches of 2013, the criminal element has reached a point where it can grab personally identifiable information and start merging records, including healthcare records.

For instance, a bogus email looks like it’s coming from your employer and its healthcare provider, announcing that they’ve made some changes to your healthcare program. They’re offering preferred insurance rates for customers with your number of children. Then they invite the email reader to check out a link that looks like it goes to the health insurer’s web page.

“Because the email is loaded with the reader’s personal information, there’s a high likelihood of one click – and that’s all it takes” to infiltrate company systems, Sjouwerman says.

4. Phishing with funerals

Perhaps a new low: social engineering gangs have been caught sending people phishing emails that appear to be from a funeral home, telling the reader that a close friend is deceased and the burial ceremony is on a given date. The gang has already penetrated and compromised the funeral home’s website, so the moment the concerned friend clicks through to the compromised website, they are redirected to a bad guy’s server.

Hadnagy confirms that this social engineering scam is sad, but true. “There are a few stories of this being used successfully. People click and get loaded with exploit kits or the scammers harvest credentials.”

At the bogus site, the bad guys quickly drop a piece of malware that over time pulls down a boatload of keyloggers and other information-stealing components. It also drops a Trojan, and the computer has just become a zombie able to carry out nefarious acts such as attacking other computers and sending spam.

Bottom line: think before you act on emotion, Greaux says. “Typically the [scammers’] motivator is fear, greed or curiosity. If you send out 10 emails [or calls,] chances are 1 out of 10 of the recipients is going to be motivated by the emotion that they’re trying to use.”
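The prevention advice in the ransomware section, keep backups and test the restore on a regular basis, is the one control that makes the $500 ultimatum irrelevant, and it only counts if the restore is actually exercised. The Python script below is an added example and is not code from the article or from any vendor quoted in it. It archives a directory into a tar.gz file, records a SHA-256 manifest of the source at backup time, restores the archive into a scratch directory and compares every file, and then shows that an incomplete backup is reported rather than silently accepted. The directory names and file contents are constructed sample data.

```python
"""Back up a directory and prove the restore works by checking file hashes.

Added example (not from the article): a weekly backup is only worth the ransom
it avoids if the restore reproduces every file. This script creates a tar.gz
archive, records a SHA-256 manifest of the source, restores into a scratch
directory and reports every missing, altered or unexpected file.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_tree(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src as gzip-compressed tar; return the manifest taken at backup time."""
    manifest = checksum_tree(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and list every discrepancy.

    Returns an empty list only if every manifest entry came back byte-for-byte
    and nothing extra appeared. The 'data' extraction filter (Python 3.12+, also
    backported to maintenance releases) refuses path-traversal members; older
    interpreters fall back to the unfiltered call.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = checksum_tree(Path(scratch))
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple:
    """Run the cycle on constructed sample files: one good backup, one incomplete."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "fileserver"                      # constructed sample tree
        (src / "contracts").mkdir(parents=True)
        (src / "contracts" / "lease.txt").write_text("constructed sample contract\n")
        (src / "notes.txt").write_text("constructed sample notes\n")

        manifest = create_backup(src, work / "weekly.tar.gz")
        clean = verify_restore(work / "weekly.tar.gz", manifest)

        # Failure mode: a file vanished before the next backup ran, but the
        # operator still expects everything in the original manifest to come back.
        (src / "notes.txt").unlink()
        create_backup(src, work / "weekly-incomplete.tar.gz")
        incomplete = verify_restore(work / "weekly-incomplete.tar.gz", manifest)
        return clean, incomplete


if __name__ == "__main__":
    good, bad = demo()
    print("complete backup problems:", good)        # []
    print("incomplete backup problems:", bad)       # ['missing after restore: notes.txt']
```

The manifest is taken at backup time and stored separately from the archive, so a restore test compares against what the operator believed was protected, not against whatever the archive happens to contain. Run on a schedule against the real backup set, a non-empty problem list is the signal to fix the backup job before an extortionist finds the gap for you.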