
Social Engineering Devil - Email malware

One of the top methods of spreading malware on the internet has been spam email. Have you come across emails from people you don't know asking you to click on a link or download an attachment "for more information"? If yes, then you were one of a cyber criminal's targets (or, more likely, just an entry on their spam list).

Cyber criminals ALWAYS have the advantage

While the technology of the good guys is improving everyday, so is that of the bad guys. Unfortunately, the good guys have to take care of every system and network vulnerability while the bad guys just have to find one loophole that they can exploit. This puts the bad guys one step ahead of the good guys, ALWAYS.


Why are social engineering attacks successful?

A group of seventy hackers at DEFCON 2016 were surveyed and 84% of the respondents said they used social engineering as part of their attack strategy - https://www.esecurityplanet.com/hackers/fully-84-percent-of-hackers-leverage-social-engineering-in-attacks.html
In 2016, 60% of enterprises were victims of social engineering attacks - https://www.scmagazineuk.com/60-enterprises-victims-social-engineering-attacks-2016/article/1475806

Phishing, spam, whaling: these are all attacks from the social engineering toolkit, and they are well known. So why do people still fall prey to them? We're taught not to accept candy from a stranger on the street, so why click on links or download attachments from emails sent by a random stranger on the Internet?

The answer I have come to is human nature. A phishing or spam email meant to extract Personally Identifiable Information (PII) or spread malware through attachments is rarely "obviously phishy". Such emails are carefully drafted to entice you, stir fear and awaken greed. Sounds too hyperbolic? Trust me, it's not.


The system is only as strong as each of its components. A system with state-of-the-art anti-malware technology can still be compromised. Why? Because the weakest link in any system is the human link. This is why it is very important for everyone to know and understand how to protect themselves from cyber attacks, especially social engineering. Here's an account which proves that even a well educated and highly intelligent person can fall prey to such attacks.

Disclaimer: The information presented in this post is ONLY for learning purposes. I will not be held responsible for a reader who uses this information for any kind of malicious purposes.

Preying on my roommate

My roommate (call him Mr. G) and I were filling out university applications between September and December 2017. We knew which universities the other was applying to, which university was the other's dream school and which universities we were expecting a good response from. So, as an experiment, I decided to prank (or test) Mr. G.

Mr. G was fretting about his application to the University of Colorado, Boulder. He had researched Yocket, talked to seniors and finally concluded that the University would respond to him sometime in March.

I used an anonymous email-sender website. Such websites allow you to send an email with a spoofed "from" field, and there are hundreds or thousands of them. I filled in the "from", "to" and "email body" fields. Three simple steps. This is similar to how a cyber criminal would send spam emails (instead of an online website, they would probably use mass-spamming software to send thousands of emails at once). Since the USA is, on average, about 14 hours behind India, I sent the email in the middle of the night to make it seem more authentic.


What happened next? Here's a true account of what he said to me the next day:

"I checked my phone in the morning and saw an email titled 'Graduate Application Decision'. My heart started beating hard; I was so nervous! I opened the email and I saw there was a link for me to visit the application website. I clicked on it and your LinkedIn profile page came up. I was confused for a minute and then it hit me."

Unfortunately, I'm writing this blog post months after that incident. Mr. G has already deleted the email, so I cannot include a screenshot. But here's an example of how it looked:




The above incident is a prime example of how cyber criminals can play on your fears. If I can do it, you can be confident that a cyber criminal will do it a hundred times better. Such methods can get malware onto your system the moment you click on the link. The same applies to email attachments.

The important question. How do we tackle this?

There are two techniques to avoid getting scammed:
  1. Training and Awareness,
  2. Technology improvements (spam filters, anti-phishing toolbars, patches/updates).
In this post, we'll not talk about technology but about training and awareness. Technology will continue to improve, but since the human link is the weakest, that is what needs to be addressed. In the above incident, the spam filter did not catch the spoofed email. Spam filters are built not to lose legitimate mail, so if they cannot decide whether a message is spam they let it through. It is also safe to say that the more authentic a mail looks, the more serious the cyber criminal is.

Here are six simple precautionary measures that anyone can follow:

Tip #1: Never click on any link present in the email body.

Tip #2: If there is no option other than clicking on the link, make sure to check where the hyperlink actually points.
If you look at the lower left corner of the photo above, you can see that the link points to my LinkedIn profile rather than the application website.
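The check behind Tip #2 (does the link point where it claims to?) can be automated. The script below is an added example, not code from the original post: it pulls every link out of an HTML email body with the standard library, compares the domain shown in the link text against the domain in the real href, and flags links whose target is outside the sender's expected domain. The sample email, the `example.edu` application domain and the `EXAMPLE-PROFILE` LinkedIn path are all constructed placeholders modelled on the incident described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the visible link text claims to be the application
# site, but the href actually points at a LinkedIn profile (placeholder path).
SAMPLE_EMAIL_HTML = """
<p>Dear Applicant,</p>
<p>A decision has been made on your graduate application. Please visit
<a href="https://www.linkedin.com/in/EXAMPLE-PROFILE">https://apply.example.edu/decision</a>
to view it, or <a href="https://apply.example.edu/help">contact admissions</a>.</p>
"""

# Anchor text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or bare domain, or None if there is none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain.
    A real deployment would consult the public suffix list instead."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html, expected_domain):
    """Return one finding per link; 'suspicious' is True when the link text
    claims a different domain than the href, or the href leaves expected_domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if target is None:            # mailto:, javascript:, fragments etc.
            continue
        reasons = []
        shown = host_of(text) if URL_LIKE.fullmatch(text) else None
        if shown and registrable(shown) != registrable(target):
            reasons.append(f"displays {shown!r} but points to {target!r}")
        if registrable(target) != expected_domain:
            reasons.append(f"target {target!r} is not under {expected_domain!r}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML, "example.edu"):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"           - {reason}")
```

Run against the sample, the first link is flagged twice (the text and the href disagree, and the target is off-domain) while the second, which genuinely stays on the application domain, passes. The same two checks are what a mail gateway's URL-rewriting or a browser's status bar lets a human do by eye.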

Tip #3: If the email sounds too good to be true, it probably is fake.

Tip #4: Do not provide any sort of PII over email (or phone, or any other form of online communication). PII includes your credit/debit card numbers, biometric records and date of birth, among others.
Information like date of birth and mother's maiden name is classified as PII but is easily available on the Internet. It is worth stating here that PII is a legal concept, not a technical one.

Tip #5: Never reply to a spam email.
Replying to a spam email tells the cyber criminal that the email address is active. They can use this information for other malicious purposes.

Tip #6: If in doubt, analyze the email header.
Analyzing an email header is not as complicated as it sounds. The steps are simple:

  1. Get the raw message ('Show Original' in Gmail),
  2. Copy text starting from "Delivered-To" until the start of email body,
  3. Paste it into MXToolbox Email Analyzer (https://mxtoolbox.com/EmailHeaders.aspx),
  4. Look for suspicious information in the results.
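What the MXToolbox step surfaces can also be checked locally, and it is the same check that would have exposed the spoofed "from" field used in the prank above. The script below is an added example, not the post's own code or MXToolbox's logic: it parses a raw message with Python's standard `email` module and reports the classic spoofing tells, namely a Return-Path or Reply-To domain that differs from the From domain, a first mail hop that is not on the From domain, and SPF/DKIM/DMARC results other than "pass" in the receiving server's Authentication-Results header. Both raw messages, the hostnames, the `203.0.113.7` address and the message id are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw headers of a spoofed "decision" mail, modelled on the prank above.
# The From line claims the university, but everything else points at an
# anonymous-mailer service (placeholder hostnames and a documentation-range IP).
SPOOFED_RAW = """\
Delivered-To: student@example.com
Return-Path: <bounce@anon-mailer.example.net>
Received: from mail.anon-mailer.example.net (mail.anon-mailer.example.net [203.0.113.7])
        by mx.example.com with ESMTP id PLACEHOLDER-ID
        for <student@example.com>; Tue, 5 Dec 2017 02:13:44 -0700 (MST)
Authentication-Results: mx.example.com;
        spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=anon-mailer.example.net;
        dkim=none
From: "Graduate Admissions" <admissions@example.edu>
Reply-To: <reply@anon-mailer.example.net>
To: student@example.com
Subject: Graduate Application Decision

A decision has been made on your application.
"""

# Constructed headers of a legitimate mail from the same sender, for contrast.
LEGIT_RAW = """\
Delivered-To: student@example.com
Return-Path: <admissions@example.edu>
Received: from smtp.example.edu (smtp.example.edu [198.51.100.9])
        by mx.example.com with ESMTPS id PLACEHOLDER-ID2
        for <student@example.com>; Wed, 7 Mar 2018 09:02:11 -0700 (MST)
Authentication-Results: mx.example.com;
        spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu; dmarc=pass
From: "Graduate Admissions" <admissions@example.edu>
To: student@example.com
Subject: Graduate Application Decision

Your decision is available in the application portal.
"""


def domain_of(header_value):
    """Lowercase domain part of the first address in a header, '' if none."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def analyze_headers(raw_message):
    """Return the From domain plus a list of human-readable spoofing indicators."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []

    # 1. Envelope sender and reply address should normally match the From domain.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")

    # 2. Received headers are prepended by each hop, so the LAST one in the
    #    list is the earliest hop, i.e. the server that first handed the mail over.
    received = msg.get_all("Received") or []
    if received:
        match = re.search(r"from\s+([\w.-]+)", received[-1])
        first_hop = match.group(1).lower() if match else None
        if first_hop and first_hop != from_domain and not first_hop.endswith("." + from_domain):
            findings.append(f"first hop {first_hop!r} is not a {from_domain!r} mail server")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts.
    auth = msg.get("Authentication-Results") or ""
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", auth)
        result = match.group(1).lower() if match else "absent"
        if result != "pass":
            findings.append(f"{mechanism}={result}")

    return {"from_domain": from_domain, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        report = analyze_headers(raw)
        print(f"{label}: From {report['from_domain']} -> "
              f"{'SUSPICIOUS' if report['suspicious'] else 'no indicators'}")
        for finding in report["findings"]:
            print("  -", finding)
```

The Received-chain heuristic is deliberately simple: forwarding services and mailing lists legitimately insert foreign hops, so in practice the Authentication-Results verdicts (written by your own mail server, which an outside sender cannot forge) are the most trustworthy line, and the domain mismatches are what to read next.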




What can go wrong in the worst case scenario?

Many people do not take cyber security seriously. "It will never happen to me", "What can a cyber criminal possibly want from me?"; these are the excuses given by the average person. It is said that, as far as security is concerned, people do not believe until they are personally affected. In the case of cyber security, if you do not act until you're affected, you might find yourself with a zero-balance bank account and a stolen identity.

Cyber criminals are not always looking for financial gain by attacking your system. They might want to compromise your system, not for financial gain but for making it part of a botnet. A botnet is an army of computers which are ready to attack a target system on a single command from the attacker's C&C (Command and Control) center. If your system is compromised, then it might be part of a bigger criminal activity without your knowledge.

It is possible to identify your coordinates simply by analyzing your shadow in one of the photos you post online. This becomes very dangerous if you post the photos while you're still at that location.

Learning for the day

In the incident I previously described, all I needed to know was the universities to which my roommate had applied. I could glean this information from any of his social media activities or simply by pretending to be an education loan provider - they do ask which university the student is planning to attend.

Be wary of social engineering attacks. Cyber criminals are experts at convincing people and extracting the information they need. They will scour your Facebook, Twitter, Instagram activity, etc. to get what they want. They might even call you! In today's age, where everyone posts to social media, cyber criminals have been handed the basic information they need on a silver platter.

Make every effort to avoid making yourself more vulnerable than you already are.
