Ransomware? I Do Care!
Part 1 — Social Engineering
This is the follow-up to our previous “Ransomware! Should I care?” post. If you haven’t read it already, you can find it here; it provides some more context for what is discussed in this post.
Based on media reports, the ransomware problem was widespread and impacted large companies, so what hope does a home user or small business have?
Malicious software, and those seeking to compromise computer systems (regardless of motive), look to exploit three main things:
- Human curiosity (Social Engineering);
- Human error (misconfigured systems or devices, coding errors);
- Human organisation or risk perception (the way people do or do not manage updates to operating systems and applications: “It won’t happen to me. No one would be interested in my data. That is for banks and big business.”).
So what can you do to protect yourself, your business and your family across each of these domains? Because these can be big topics (depending on how deep we go), we are going to run this as a series.
For the first part of the series we will look at Social Engineering. Social Engineering (just in case you were wondering whether it was an actual thing) is a subject in many ‘hacking courses’. To those using it for evil or personal gain I am sure the subject is called ‘Cheating people out of their credentials and ruining their days 101’ rather than ‘Social Engineering’. Bottom line: “yes, it’s a thing!” Now that’s out of the way, let’s look at this subject in a little more detail:
Human Curiosity/Social Engineering: This issue is predominantly a human one. The perpetrator seeks to trick the unsuspecting victim into running malicious software or providing access to the target computer. The common method at the moment is email: you receive an email from an external source, or from someone in your contacts list, containing a link or an attachment that you are tricked into thinking is very important to you. Of course there are numerous variations and it is not limited to email. You, or your parents, may have been called by someone from ‘Microsoft’ (not the real Microsoft) alerting you to a virus on your computer. The ‘Microsoft’ representative (not a real Microsoft representative) then needs you to install some software or allow remote access to your computer to fix it. So-called ‘hackers’ do not always take the most technical path; it is usually the ‘path of least resistance’.
Defense: The primary defense against someone trying to socially engineer or trick you is awareness and education. It is sad that we have to start from a point of distrust, but when it comes to email that is probably a good place to start. It is rare that a company will send you a bill or a ‘parcel tracking’ advice as an attachment or a downloadable file (particularly to a home user; businesses may have a more reasonable expectation of this). If you think about it, would your invoice, tracking document etc. really be attached? Also consider how they got your email address for the legitimate purpose they are touting if you didn’t provide it to them. If you are thinking “maybe I did, I can’t remember”, just consider whether “maybe” is a decent enough assurance to risk being ‘person zero’ who unleashes the next global cyber attack on the world because you downloaded and opened a ‘parcel notification’ even though you weren’t expecting a parcel. Possibly a little dramatic, but if you don’t recall, that is probably a good reason not to immediately trust the content. If a parcel notification comes to your work email address, did you even use your work email to make a purchase that would mean the notification is sent there? Start with a healthy distrust and work your way back from there. In later posts we show just how easy it is for someone to create an authentic-looking but ‘fake’ login page for Facebook.
These are the logical ways to defeat such tricks, but these things are designed to catch us in weak moments, when we are robotically reviewing our email and our minds are on other things.
Turning on ‘two-factor authentication’ for your cloud-based accounts (where it is available) is a good start, as is ensuring that computers and applications are all up to date. These are technical controls that will be discussed in more detail in our follow-up posts.
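The ‘healthy distrust’ checks above can be written down as simple rules. The following is an added example, not code from the original post: it parses a raw email and flags a display name that does not match the sender’s domain, an ‘invoice’ or ‘parcel’ lure delivered as a risky attachment, and a link whose visible text differs from where it actually points. The sample message, names, addresses and domains are constructed for illustration only.

```python
# Added example (not from the original post): triage a raw email against the
# post's social-engineering red flags. All sample data below is constructed.
import email
import re
from email import policy

LURE_WORDS = ("invoice", "bill", "parcel", "tracking", "delivery")
RISKY_EXT = (".zip", ".js", ".exe", ".scr", ".docm", ".xlsm", ".html")

def triage(raw):
    """Return the list of red flags found in a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    subject = str(msg["subject"] or "").lower()
    # 1. Display name claims a brand that the sender's domain does not contain.
    for a in (msg["from"].addresses if msg["from"] else ()):
        brand = a.display_name.lower().split()[0] if a.display_name else ""
        if brand and brand not in a.domain.lower():
            flags.append(f"display name '{a.display_name}' does not match domain '{a.domain}'")
    # 2. An 'invoice' or 'parcel' lure delivered as a downloadable attachment.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT) and any(w in subject for w in LURE_WORDS):
            flags.append(f"lure subject with risky attachment '{fname}'")
    # 3. Link text shows one web address while the href points somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>',
                                     body.get_content(), re.I | re.S):
            shown = re.search(r"https?://([^/\s<]+)", text)
            if shown and shown.group(1).lower() not in href.lower():
                flags.append(f"link text '{shown.group(1)}' hides destination '{href}'")
    return flags

# Constructed sample: a 'Microsoft' that is not the real Microsoft, an invoice
# lure with a zip attachment, and a link whose text differs from its target.
SAMPLE = """From: "Microsoft Billing" <billing@ms-invoice-desk.example>
Subject: Your invoice is attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>View online: <a href="http://login-verify.example/x">http://www.microsoft.com/billing</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""
```

Running `triage(SAMPLE)` returns all three flags; a plain message from a sender whose display name matches its domain, with no attachments or mismatched links, returns an empty list.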
Some ‘just in time’ education
There are numerous sites that deal with the latest scams doing the rounds; the best ones are those that update regularly or as soon as a new variation is detected. It is not much help finding out about a scam after you have already been the victim of it.
The anti-virus companies are onto these pretty quickly and have sites where they update users. Also consider specialist organisations whose sole mission is to protect people against these types of things.
Mailguard is an Australian company that specialises in protecting against Spam, Phishing, Spear Phishing and the malicious content these types of attack carry (payloads). Their blog appears to be regularly updated and contains a detailed breakdown of the email scams and what to look out for in a given attack. Information is available on their blog at http://www.mailguard.com.au/blog. If you take the time to read through the posts you will get a good education in the types of things to look out for in ‘Phishing’ attacks that are designed to deceive.
Another site that provides easy-to-read and easy-to-follow examples of Phishing is Phishing.org: http://www.phishing.org/phishing-examples.
Eek! I think I entered my password somewhere unsafe!?
If you find yourself reading through this or reviewing some of the Phishing examples and are unsure whether you may have provided your username and password to an unknown third party, now is probably a good time to go and change some passwords. Password reuse is another reason that scams like this are very successful: if I get your username and password for Facebook, I will likely have them for your LinkedIn, Twitter, Gmail, etc.
As discussed in the original post, if it is easy for adults to be tricked then it is even easier for younger children to be tricked. It is not uncommon for a child who has social media access and is the target of bullying to also have their social media accounts ‘hacked’. Usually this is the people doing the bullying, or people acting with them, tricking the victim and obtaining their username and password through techniques similar to those used by the people behind Phishing scams.
A word on Social Engineering and Grooming
Social engineering and ‘grooming’ may be considered the same thing, but in our experience Social Engineering is usually a single, immediate act, e.g. getting you to enter your username and password into a fake Facebook page, or to send pictures of yourself. Grooming is far more subtle and usually occurs over a long period of time. It is more akin to brainwashing, as it usually involves getting people to abandon their morals, family values, social values or long-held beliefs in favour of the ideals and beliefs ‘implanted’ by the ‘groomer’. Sometimes it is a combination of techniques, e.g. an initial Social Engineering trick to make contact with a victim, or to get access to a computer and gather background information on an individual that the ‘groomer’ can use during conversation; or the trick comes during the grooming process in order to compromise the victim and provide more leverage.
If this article has you interested in learning and you would like to protect yourself, your family or your business against these threats and others, then we will soon be launching two online coaching programmes ‘The Parent Admin’ and ‘Becoming the CISO’. If you would like to know more please contact us. Also look out for more posts in this series about implementing technical protections.