Beware of Social Engineering Attacks
The explosion of social networking has served as an enabling factor for scammers. If you have hundreds of friends on Facebook, Twitter or other popular sites, the chances that at least one of them will have their password stolen are pretty high. Then they will send a message along the lines of ‘I am traveling in Rome and got robbed. Can you wire me some money to get home?’ You’re still open to these scams even if you’re not on Facebook.
29 July 2010
In light of the upcoming “capture-the-flag type” type contest at DEF CON, this is as good a time as any to talk about social engineering. There is no technical solution to this issue. Humans cannot be patched (I am paraphrasing from a t-shirt that I saw at a conference). So, we need to help people recognize a scam when they see one.
In a CSO Online article they talk about the favorite ‘pick-up’ lines of social engineers. These and some stories shared by the publication’s readers are pretty instructive, so I will mention a few of them here for everybody’s benefit.
The explosion of social networking has served as an enabling factor for scammers. If you have hundreds of friends on Facebook, Twitter or other popular sites, the chances that at least one of them will have their password stolen are pretty high. Then they will send a message along the lines of ‘I am traveling in Rome and got robbed. Can you wire me some money to get home?’ You’re still open to these scams even if you’re not on Facebook. Most people hand out their e-mail addresses to numerous diverse people, e.g., kids’ sports teams coaches, doctors, etc. If one account on the list gets compromised, a legitimate sounding email will go to all members. Recently I received two messages asking me to wire money to London — one from a parent on my son’s hockey team and another from my realtor.
Another powerful lure is “Check out this video of you”. It is very human to click on that link, but I would first call the person who sent you the e-mail and double-check. This habit may annoy your online friends but it is better to be safe than sorry.
Some scammers are after your personal data, but others are more interested in business information. They can, for example, pose as IT personnel. ‘Hi, this is Chuck from IT. I am calling to run you through a set of screens to remove a virus from your computer’. It is very natural to give the guy your login credentials and walk away while they ‘fix’ your computer. Please verify that the person calling actually works for your company. Use employee directories or ask for their extension and call them back (do not call on their cell unless you recognize the number).
Less likely, but still more dangerous ways to physically penetrate a business is to pretend to be an employee or a vendor. Have you ever held the door for somebody who has forgotten their access card? Probably a number of times. Have you ever asked them to identify themselves? Probably never. Especially, if their hands are full — they are carrying something obviously heavy like a box of printer paper or a desktop computer.
It is easy to pretend to be a representative of a well-known technology company like IBM or Cisco. Everybody expects them to be on premises to fix something. One thing to remember, though — it is easy to get a shirt from virtually any company at the local Salvation Army shop.
How about this one as a phishing lure: "You have not paid for the item you recently won on eBay. Please click here to pay."? While some may think it silly to worry about one’s eBay feedback score, there are even crueler ways to force people to follow a malicious link. With bad economic news continuing to dominate the media — a fake message from HR directing people to go to a site within an hour to accept or reject their severance package is likely to have a high success rate.
Common sense is really the only protection from social engineering. If it doesn’t feel right — it probably isn’t.
Before I get to some hints on how to identify phishing links, here are a couple of real stories.
Sweets can be really dangerous! A 2007 diamond heist at a major bank in Antwerp, Belgium involved an elderly man who offered the female staff chocolates and eventually gained their trust with regular visits while he pretended to be a successful businessman. Ultimately the bank lost 120,000 carats of diamonds because the man was able to gain enough trust to be given off-hours access to the bank's vault reserved for VIP clients. The bank has a $2 million security system. But the thief never had to deal with that. He used his passcard to get into the vault, went straight for the area that he knew held uncut diamonds, and emptied five of the deposit boxes.
Low-tech/high-tech combinations are known to be very effective. Another true story is when scammers stuck fake parking tickets on people's cars in Grand Forks, ND. The fake tickets were yellow and said: "PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to PARKING.COM." People who went there were asked to install a photo viewer which was actually installing all kind of malware.
Finally, here are examples of those infamous links that we should not touch. The following irregularities usually point to a malicious link:
- Look out for URLs that contain hyphens. Popular sites with large traffic usually don’t have domain names like ‘Intralinks-doc.com’
- Legitimate sites do not have the keywords ‘verify’ or ‘update’ in their domain names. In other words, you won’t see a URL such as ‘Intralinks-verify.com’
- Pay attention to the string before the ‘.com’. For example, the following is not a legitimate Intralinks domain - ‘Intralinks.servicex.com’
- Bogus but similar looking addresses are another favorite weapon for scammers
- Numbers in the URL are always suspicious. Examples include ‘188.8.131.52/Intralinks.com’, ‘Intralinks3.com’, ‘234.231.445.com/Intralinks’ or ‘Intralinks.343435454.com’
Good luck in protecting yourself!
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian lead security functions at a multi-tenant online banking service provider and an international bank.