BreachExchange mailing list archives

How cyber criminals use social engineering


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 1 Feb 2016 18:23:06 -0700

http://www.thespectrum.com/story/life/features/mesquite/2016/02/01/how-cyber-criminals-use-social-engineering/79542112/

Hacking your head: sometimes it is fairly harmless, like a child
sweet-talking his mom in order to get extra candy. Many times, however,
social engineering is used for nefarious purposes.

Social engineering taps into the human psyche by exploiting powerful
emotions such as fear, urgency, curiosity, sympathy, or the strongest
feeling of all, the desire for free stuff.

Cyber crooks use this dangerous weapon to get at the weakest link: us. They
know that the easiest way to penetrate a system is to go after the user,
not the computer. Why use some hard technical flaw to acquire a password
when you can simply ask the user for it?

In fact, psychological cyber attacks are on the rise. There is an increase
of blended attacks that rely on a combination of social engineering and
malicious software.

For example, a popular social engineering tactic is the technical support
scam. An alert pop-up appears on the screen telling the user they are
infected and need to download an anti-malware application. The user, fearful of
the infection, downloads the fake antivirus or anti-malware application,
which is instead a vehicle for delivering malware.

So, how are the criminals distributing their social engineering schemes?
Here are some of the most prevalent forms of social engineering today:

Clickbait

"Huge snake eats man alive!" Have I got your attention? What if I posted a
link to a video of the ordeal? You just might be tempted to click,
especially because many legitimate articles and other pieces of content use
similarly eye-catching headlines to get people to look at their stuff.
Cyber criminals get this, and they exploit it.

A particularly popular approach is to capitalize on the innately human
desire to crane one's neck to see an accident on the side of the road. So,
beware of links to overly graphic terrorist attack images, natural
disasters and other tragedies.

Watering hole attacks

One of the things cyber criminals do best is collect information about
their targets. Browsing habits tell a lot about a person, which is why that
ad for cat sweaters keeps popping up in your Facebook feed. Cyber criminals
use this information to go after the sites most visited by their target
group. Once they discover a particular website is popular with their
targets, they infect the site itself with malware.

For example, hackers knew the iPhone Dev SDK forum was visited frequently
by Facebook, Apple and other developers. They compromised the website, set
up an exploit, and ended up infecting a lot of people.

Social networking attacks

Social networking attacks can be particularly dangerous because criminals
mess with your mind in two ways. First, they make digs at your personal
information. Cyber criminals know that one of the biggest vulnerabilities
people have is their self-image. People are worried about what others think
of them. Second, they make their messages appear to come from a friend.

This two-pronged approach can be accomplished in one attack. You might
receive a message from your ex-boyfriend that says, "lol, is this your new
profile pic?" (with a picture of a walrus). The picture has a link. You
click on it, because what the heck, ex-boyfriend. Next thing you know, you
are infected with malware.

Ransomware

Ransomware is nasty business. It is also social engineering at its
finest/worst.

Ransomware is a type of malware that holds your files or part of your
system ransom. In order to return access, you have to pay cyber criminals.
People who want their precious data back might pay up right away. But for
those who need additional scare tactics, cyber criminals have come up with
law enforcement scams that make it appear as though the U.S. Department of
Justice or the FBI Cybercrime Division is contacting you to claim you have
done something illegal.

Even worse, some cyber criminals will stoop to the level of claiming they
found child pornography on your computer — and then display a piece of
child pornography. So, they say, pay up and we will make it go away. Users,
naturally, tend to panic when faced with a message about child pornography
that seems to come from law enforcement. This gross tactic has even led, in
one extreme case, to a user committing suicide.

Phishing/spear phishing

If your dad has ever fallen for the old Nigerian prince tale, then guess
what? He was phished. Phishing is a form of social engineering that relies
on fooling people into handing over money or data through email.

Bad guys accomplish this by sending a generic message out to a huge mass of
people that might say something like, "You won $1 million! Click here for
your reward!" Sadly, there are those who still fall for this.

However, in recent years, cyber criminals have upped their phishing game
with more sophistication. Spear phishing emails are crafted in order to
make someone believe they are from a legitimate source. The messages might
appear to come from banks or businesses, and could include full names,
usernames, and other personal info. Crooks know that if you get an email
that looks like it is from your medical provider and it is talking about a
surgery you had last year, you will likely believe it.

So, how can you fend off these psychological attacks? Here are a few tried
and true methods:

• Equip yourself with antivirus, anti-malware and anti-exploit security
programs. These can fight off malware attacks from a technical standpoint.

• Remove identifying particulars from your data by using the privacy
features of your browser.

• Lock down privacy settings on social media accounts. Make sure you are
making information available only to those you wish to have it.

• Use the right software and hardware systems. If you just use your
computer to surf the web, you probably do not need a powerful processor or
a full suite of software products. Every piece of software you put on your
computer has potential vulnerabilities. The more you have, the greater
the attack surface of that particular machine.

• Finally, and most importantly, use common sense. A healthy dose of
skepticism goes a long way. Verify information. Contact the claimed source.
Trust your gut feeling: if it feels too good to be true, it probably is. If
it feels slightly off, it probably is. Stop and think about what is being
asked of you.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
