I recently warned of a very large upsurge in ransomware. Now I must warn you to beware of a new wave of successful social engineering, aka phishing, exploits. What is social engineering?
Wikipedia has a good definition of social engineering, which in its e-mail form is more commonly known as phishing.
Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
In other words, phishing, the internet term for social engineering scams, is simply a way to trick you into doing something harmful: revealing vital information like bank account or tax return details, or unwittingly sending money to a devious person.
Let me tell you about social engineering exploits in three recent real-world examples. In the first case, City of Hope in Duarte, CA (City of Hope employees fall victim to phishing attack) had three employees targeted by a phishing scam. They unwittingly revealed protected health information (PHI), which by law must be kept confidential. In the other two cases, the loss of data was far more extensive. Both Seagate Technologies (Seagate Phish Exposes All Employee W-2’s) and Snapchat (Snapchat falls hook, line & sinker in phishing attack: Employee data leaked after CEO email scam) had an employee tricked into providing W-2 information on all past and current employees. W-2 information is popular to steal because the scammers can use it to file false tax returns and collect the refunds. In the case of Snapchat, the scammers sent an e-mail crafted to look like it came from the company CEO to someone in HR. The e-mail requested that the HR person send all W-2 information for current and past Snapchat employees to the CEO. That user dutifully complied, and the company had suffered a breach of sensitive personally identifiable information (PII) that it has an obligation to keep secure and private. I am certain something very similar happened at Seagate.
If you don’t think that is bold and expensive enough, let me paint another, even more painful example of social engineering. Here is an e-mail received by Alvaka Networks. It went to Betty in accounts payable. She thought it looked suspicious and contacted me directly to verify whether I had requested a wire transfer. I had not, and I instantly knew we were the target of a phishing scam. I asked Betty to help me play along with him for a while so we could learn more about how they work. We interacted for a while before he dropped away. It is important to note that he had a fake technology transfer contract drafted and signed, supposedly by me, an attorney and the other party. That contract was accompanied by detailed wire transfer instructions, all within an e-mail organized to look like it was from me. You can read it below. Start at the bottom of the e-mail thread to see the conversation that took place over a couple of days.
From: Oli Thordarson
Sent: Wednesday, July 22
To: Betty Sottosanto
Subject: Re: Availability
Yes everything is fine, i meant to type 65 yesterday not 64.
On Wed, Jul 22, Betty Sottosanto wrote:
Hello Oli,
I forgot I had an appointment today and therefore I will not be able to take care of the wire transfer until tomorrow. I apologize and hope that is not a problem. However, in reviewing the attached doc it indicates $165K and not $164K as it states in the previous emails? Please clarify.
Hope you’re enjoying your time away on the islands!
B
From: Oli Thordarson
Sent: Wednesday, July 22
To: Betty
Subject: Re: Availability
Good morning Betty,
Please see attached to find instruction for the wire transfer. Let me know you receive this.
On Tue, Jul 21 at 5:01 PM, Betty Sottosanto wrote:
Sure, I can do that first thing in the morning. Remember, the bank is now charging a $25 service fee. Should I just send a check?
From: Oli Thordarson
Sent: Tuesday, July 21
To: Betty Sottosanto
Subject: Re: Availability
Ok. I have a payment of $164k i want you to send out this morning and is going to Taiwan. Can you initiate/send the wire? Let me know so i can send you instruction.
On Tue, Jul 21, 2015 at 4:47 PM, Betty wrote:
Checking is at $489,444.50 & money market just over 1.5 million.
From: Oli Thordarson
Sent: Tuesday, July 21
To: Betty
Subject: Re: Availability
Ok, can you check the bank account and email me the account balances as of today.
On Tue, Jul 21, 2015 at 3:44 PM, Betty wrote:
What’s up?
From: Oli Thordarson
Sent: Tuesday, July 21, 2015 7:46 AM
To: Betty
Subject: Availability
Morning Betty,
Wanted to call you but i am on conference call so i decided to chat with you on here. Do you have a moment to chat in the email? Please let me know.
Thanks
Oli Thordarson
CEO
If you don’t think this can work, I can tell you I know of a situation where this worked and the accounting people wire transferred $200,000.
How can these bad guys pull this off? It is easy. They just go to common information sites like LinkedIn.com and find out who works in accounts payable at Alvaka Networks. With a little more poking around, the scammers can find Betty’s e-mail address and my information. Then they send a series of e-mails just like this to several companies, and on occasion they will succeed in landing a big cache of cash, all while safely sitting in another country.
So how do you protect yourself and identify these threats? Here are a few tips:
How to Protect Yourself from Phishing Scams
1. Look at the sender’s e-mail address. It will often look completely wrong, but in other cases it might be really close, with only a subtle difference such as this one. Look at how American Express is spelled – j.doe@amoricanexpress.com.
2. On Windows systems you can hover over the link and see in the bottom left corner where it really takes you. Look carefully, as it is easy to be fooled if you are not being astute. Here is an example that might initially look legit – www.americansales.com/americanexpress. In this link they have hijacked another company’s domain and created a URL with American Express appended to the end of the link. It is close enough to fool you, but it really takes you to a page that the scammers control. Once there, they will continue to fool you until they get their money.
3. Look for bad spelling or grammar that does not fit the person you know who might be getting impersonated.
4. If the message is asking for personal information, you should consider it highly suspicious. Phishing scams rely on you providing the information they need to complete their bad deed.
5. If the offer sounds too good to be true, it probably is. Be wary of get-rich-quick schemes and other generous offers.
6. If someone asks you to send money to cover expenses, it is likely a scam. Or they might claim to be a friend in a far-off place who has been mugged, etc. and needs money for a hotel and airfare home. If you get a message like this, it is probably bogus.
7. Watch out for e-mails that claim that your “account needs to be verified” or that your account has been compromised and, in order to keep it from being closed, you need to re-enter all your secret personal information like bank account numbers, passwords, addresses, social security numbers, etc. If you are asked to do this, it is probably a scam.
8. Be wary, and ask questions if necessary. Ask questions to which you know a scammer won’t know the answer if he or she is not legit… or better yet, pick up the phone and call the other person to verify.
9. Conduct user education at your next staff meeting, and at least quarterly thereafter. Here is a Be Aware of Ransomware user education document from the Alvaka Networks website. It is a great training document as an addition to these phishing protection tips. You can e-mail it to all your users and/or print it out for distribution during a 10-minute training session at your staff meeting. Remember, if you don’t treat IT security as important, neither will your user community.
10. Lastly, link reputation checking and spam filtering are your best safety net for most situations, especially within a company where you can’t be assured that all your users will do the right thing all of the time. Alvaka’s Mailworx service will help block most of these e-mails before they get to your users. A link integrity checking service like Alvaka’s ClickProtect will sniff out bogus URLs and block your users from going to most such sites and getting tricked.
Layered protections like these, along with user training, are your best protection.
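As an added illustration of tips 1, 2 and 10 (this is example code, not Alvaka’s Mailworx or ClickProtect), here is a small Python checker that applies the same tests a careful reader would: does an executive’s display name arrive from an outside domain, as in the thread above; is the sender’s domain one edit away from a brand, as with amoricanexpress.com; and does a link put a brand name in the path of someone else’s host, as with www.americansales.com/americanexpress. The company domain, executive list, brand list and sample message are constructed assumptions for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example, not Alvaka's real configuration
COMPANY_DOMAIN = "example.com"            # the company's own mail domain
EXECUTIVES = {"oli thordarson"}           # names that get impersonated
BRAND_DOMAINS = {"americanexpress.com"}   # brands whose lookalikes tip 1 warns about
PAYMENT_WORDS = ("wire", "transfer", "w-2", "account balance")

def edit_distance(a, b):
    # Levenshtein distance: one edit separates amoricanexpress.com from the real brand
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain):
    # Tip 1: the brand domain this sender domain imitates, or '' if none
    return next((b for b in BRAND_DOMAINS if domain != b and edit_distance(domain, b) <= 2), "")

def url_host_mismatch(url):
    # Tip 2: the brand name sits in the path while the host belongs to someone else
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return any(b.split(".")[0] in parsed.path.lower() and host != b
               and not host.endswith("." + b) for b in BRAND_DOMAINS)

def phishing_indicators(raw_message):
    # Red flags found in one RFC 822 message; an empty list means none were seen
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive display name from an outside domain: " + addr)
    if lookalike_domain(domain):
        flags.append("sender domain imitates " + lookalike_domain(domain))
    if any(w in msg.get_payload().lower() for w in PAYMENT_WORDS):
        flags.append("payment or W-2 request in the body")
    return flags
# Constructed sample modelled on the thread above; the sender address is invented
SCAM = """From: Oli Thordarson <oli.thordarson@freemail.example>
Subject: Re: Availability

Ok. I have a payment of $164k i want you to send out this morning. Can you initiate/send the wire?
"""
```

Running phishing_indicators(SCAM) flags the message twice (outside-domain executive name, payment request), while the same note from oli@example.com with no payment language returns an empty list.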
If you have questions or concerns, please give me a call at 949 428-5000 or e-mail toli@alvaka.net