My cousin, Alan, has died.
He has ceased to be, bereft of life, he rests in peace, he has kicked the bucket, hopped the twig, bit the dust, snuffed it, breathed his last, and gone to meet the High Mucky-Muck in the sky. And you know what I have to say about that? Good riddance to him, the freeloading bastard! I hope he fries!
Not really. Actually, I don't have a cousin Alan. I've never had a cousin Alan. I'm also not witty enough to write something like the paragraph above. I've plagiarized John Cleese's eulogy of Graham Chapman to illustrate a point.
What is that point? Heck if I know.
If you're still reading, you're probably thinking "Carl's finally gone off the deep end." And to be honest, that may be true! Trust me though, dear reader, there's a method to my madness.
You see, the other day there was a fax sent to the office. You can read it here:
My poor, non-existent cousin Alan has been tragically killed in a car accident, and this nice law firm wants 45% of the $9 million USD I've been left in return for notifying me of this horrific loss. Seems fine, right? No? Hmm...
A couple of things to take note of here:
- I don't have a cousin named Alan, let alone any family in Canada.
- They didn't contact me directly, they sent it over the Security7 corporate fax line.
- Though the letterhead claims they're based in Toronto, the fax came from a phone number in the Armpit of America (aka New Jersey).
- A quick search for the law office on Google reveals some interesting information. There is an actual Canadian law firm by that name, and they're pretty big. They've been around for at least 130 years and they handle some big cases up there north of the border. However, the URL used in the fax does NOT match the one used by the actual law firm: "www.cassels.com" is the real address, not "www.cassels-llp.com", the one from the phony fax.
- Another quick search also shows that Alan has perished multiple times over the past few years and his surviving extended family have come together to form something akin to a support group on various scam report websites.
- I'm probably a big target for scammers because of how often I run my mouth here on the Security7 Networks blog. I've been targeted before, but via email; nothing as archaic as a "fax" has been used to try and scam me. Heck, I don't even know if I've ever used a fax before. Do people still have them? Clearly they must.
So, adding up all the information, here's what's really going on. This is a social engineering attack. Specifically, it's a pretty advanced hybrid of a "spear-phishing" attack and a "pretexting" attack. You might be wondering what those things are, so I'm about to drop some knowledge on you.
What is Social Engineering?
Social engineering is an attack strategy that relies on manipulating someone to reveal private information via e-mail, social media, the telephone or by physical means.
What are Social Engineering attackers after?
That varies, but it's typically personally identifiable information (PII) or payment card data.
It can range from (seemingly) mundane information like your address or birthday to something more substantial like your Social Security number or your online banking password.
Attackers might even be trying to get into their victim’s computer to install malware that’ll harvest all of the information listed above, sometimes without the victim even noticing the software's been installed.
What are some examples of a Social Engineering attack?
Most social engineering attacks happen by email, but they’re not exclusive to that medium. Social engineering attacks can even take place over the phone (as we’ve previously written about here) as well as through a website or even a USB thumb drive.
There are many different variations of social engineering attacks, so I’ve tried to compile a comprehensive list below:
Phishing
Phishing attacks are the most common social engineering attack. They’re typically perpetrated using a cleverly created website or support portal that almost precisely recreates that of a famous or well-known business or institution. The attacker reaches out to their target via email or social media and baits them into believing their message is from a reliable source. The victim takes the bait (like a fish would) and compromises their personal information on the fake website.
There are many different kinds of Phishing attacks like Spear Phishing or Pretexting, which I'll go over below:
Spear Phishing
A subset of Phishing, a Spear Phishing attack requires extra effort from the attacker. Attackers who are attempting a Spear Phishing attack need to specify whom they’re going after, what information they’re trying to collect and how they’ll manipulate the victim into giving that information up. While difficult to perform, a Spear Phishing attack can have a considerably higher payoff should it succeed.
Pretexting
Ever gotten an email from a family member or a friend that seems off? They’re asking you to check out something online or bizarrely asking you for money because they’re somehow stranded in a foreign land, and you’re their only hope. Well, Obi-Wan Kenobi, that’s what we call pretexting.
Typically the attacker is hoping the victim is a decent human being and will help their friend or family member out. If you don’t like your family or have no friends, the attackers would be out of luck. Unfortunately, human beings are social animals, and we often spring into action to protect or help our own.
Vishing
We mentioned it above, but Vishing is an example of a social engineering attack that takes place over the telephone. Vishing attacks have become increasingly popular recently. You might have experienced one or two of these yourself. Attackers have lately pretended to be from the IRS, attempting to collect back taxes. Other attackers are claiming to be from Microsoft’s support team and are calling to notify you that your computer has been compromised and they need access to your endpoint to rectify the problem.
Vishing attacks are very, very low tech but seem to be incredibly successful. I’ve written previously how to avoid a Vishing attack here.
Baiting
Baiting is a more physical type of social engineering attack. A Baiting attack capitalizes on our basic curiosity. An attacker might use an everyday item like a USB thumb drive that’s been loaded up with Ransomware and left in an easy-to-find spot with the hope that someone will pick it up and plug it in.
Heck, humans have been using this attack since the Trojan War. Replace the thumb drive and malware with a large wooden horse and a few Greek soldiers, and you get the idea.
Tailgating
This is another physical social engineering attack. Attackers in this instance try to blend into the crowd to sneak into their target’s place of business. A lot of workplaces today are very security conscious: electronic door locks, ID badges with RFID chips embedded in them, all technology implemented to keep out someone who doesn’t belong.
These attacks often work for the very same reason the others do. The attacker is preying on our fundamental human nature. Someone who dresses the part (suit, tie, etc.) and walks in behind you isn’t necessarily going to raise any alarm bells. It’s highly unlikely you’re looking for their badge in the first place, let alone checking whether they scanned or tapped it. Once physically inside, their victim’s world becomes the attacker’s oyster. There’s no limit to the damage they can cause once they’re inside.
Why do Social Engineering attacks work?
Social engineering attacks work because we’re imperfect creatures. The attackers know this, and they prey on our fundamental human nature to carry out their nefarious schemes. In this world of social media, they know how ready and willing we are to share personal information.
These attackers are trying to leverage our emotions. They know how primally we react to emotional triggers and exploit them accordingly.
How can I stop a Social Engineering attack?
That’s a tough question to answer, but there are a few steps you can take to help prevent these kinds of attacks.
- Slow down and control your emotions - Remember the attacker is trying to manipulate your emotions into making a quick reaction. The more time you take to think about the situation the more likely you’ll start to realize something’s up. We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.
- Think about what you’re reading/seeing - The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse. Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent). You’re more astute than you might give yourself credit for. If something seems off, it probably is.
- Check to see who sent the message - Email masking is incredibly prominent in today’s world. Most email clients format the sender address so that it’s easier to discern who it’s from. The problem is that attackers leverage this. If you’ve got the feeling the message you’re reading isn’t on the level, check to see who sent it. If the name is familiar but the email address isn’t, there’s a good chance you’re experiencing a social engineering attack.
- Don’t follow blind links - Links are easy to hide, just like email addresses. If you can’t discern where a web link is going to send you, don’t click on it. Always make sure to hover over or right-click an email link (whatever your email client is set up for) to see where it might send you.
- Be wary of attachments - If you’ve gone through the steps mentioned above, you probably know what I’m going to say here. Don’t download attachments from people you don’t know. Heck, sometimes it’s a bad idea to download attachments from people that you do. Be on the lookout for e-mail attachments that appear to be Microsoft Word or Excel files. They might contain pretty nasty surprises.
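The two checks on sender and links can be mechanised. The script below is an added example, not code from the original post or from Security7: the sample message is constructed, the two domains are the real and look-alike addresses from the fax, and the "last two labels" domain comparison is a simplification that assumes no public-suffix list (it would misjudge hosts like co.uk).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def registrable_domain(text):
    """Last two labels of a URL, mailbox or bare host (assumption: no public-suffix list)."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # a new anchor resets the visible-text buffer
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def review_message(raw):
    """Return warnings for the two tips above: masked sender and hidden link targets."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    # Tip 3: a domain shown in the display name that is not the sender's real domain.
    warnings = [f"From shows {t!r} but was sent from {addr!r}" for t in DOMAIN_RE.findall(name)
                if registrable_domain(t) != registrable_domain(addr)]
    # Tip 4: visible link text names one site while the href goes somewhere else.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        for t in DOMAIN_RE.findall(text):
            if registrable_domain(t) != registrable_domain(href):
                warnings.append(f"link text {text!r} points to {href!r}")
    return warnings

# Constructed sample modelled on the fax: the look-alike domain appears only in the href.
SAMPLE = """\
From: "Notices - www.cassels.com" <estate.desk@mail-example.test>

<p>Claim your inheritance at <a href="http://www.cassels-llp.com/claim">www.cassels.com</a></p>
"""
```

Running `review_message(SAMPLE)` yields one warning for the display name and one for the link; a message whose shown and real domains agree yields none.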
In all honesty, it’s not very difficult to escape a social engineering attack. The attacker is relying on you making a snap judgment. If you take a minute or two to pause and reflect on the situation, you should be okay.
If you’re interested in learning more about social engineering attacks or how to avoid becoming the victim of one, check out our Security Awareness Training page and send us a message. We’d love to hear from you.