Attacking Through Emails

In this post, we’ll discuss phishing (not fishing) and spear phishing as means of attacking through your emails.

Email Scams

I have chosen to include this category because some scams are delivered by email.  They are similar to phishing emails in that they want something.  Many times it is to start a very personal correspondence or a series of calls.  Picture a room full of people with computers who have just sent out a scam.  Within MINUTES, someone shouts ‘Got a live one’ and everyone snickers before they begin talking to the person in a very sincere voice.

Think this doesn’t work? Consider that Nigerian scams (see below) started 20 years ago.  Note the date at the top, when I received it.  IF IT DID NOT WORK, THEY WOULD STOP DOING IT.

This is a lazy one because they just want you to email your bank credentials to them.  Many want you to call or write and then they gradually hook you.  All have a time frame when the wonderful offer will expire if you don’t act.

See the official-looking note at the bottom that the email has been scanned by Avast antivirus software.  Ha ha!  Remember, if something is too good to be true, it probably is.

ch 3 - scam

Phishing

These are sent to all the email addresses the bad guys can get from buying lists or scraping emails off the web.  Bad Actor: “We hope the potential victim does business with the company named in the email.  If not, there are lots of other suckers, er, prospective victims just waiting for us.”

I get lots of these, often several times a day.  I present you with some samples herein, minus of course the bad links.  I have made images of them so the links are not active in this post.  Remember, these were NOT sent by the company they appear to be from.

The first one is from LinkedIn.  Now if the person who gets this is a member of LinkedIn, they will be interested.  Note the ‘IMPORTANT MESSAGE’.  Victim: “Dang!  My profile has a situation, I better hurry and click so I won’t miss any of those messages I get from LinkedIn.”

The mail address at the bottom is a nice touch, don’t you think?

ch 3 - linked in

Coming up is one from Bank of America.  It’s pretty, has their logo and colors, and looks very real.  It even has a ‘Security Checkpoint’ on it, whatever that is, so I will believe it is real.  Victim: “Oh man, there’s a multiple IP conflict on my account (whatever that is) and they are going to close it.  I better act fast. Whew!”

Glad to know BOA is an Equal Housing Lender, but that detail makes it look more real.

Oopsie, this is America and the date used in the Security Checkpoint is 18/02, NOT 02/18 as it would be in America.  Still not a bad job.  They are hoping that when it’s mixed in with the 200 other business or personal emails you receive every day, you will not think and just TAKE ACTION.

ch 3 - boa

Ok, last one.  This one appears to be from the Chase Bank.  This time I have ‘suspicious activity’ on my account.  Victim: “Oh no my account is suspended!  How did… oh they tell me how it got suspended and all I have to do is click on this button to fix it.  How thoughtful.”

The button will take the victim to a web page that looks like a Chase page, complete with logo, and asks them to verify their account by entering their login and password.

This one is a member of FDIC so it MUST be ok.  Bad Actor: “By the time they figure out I got their password, I will have the real bank transfer funds from their accounts to my account in another bank, which will only exist temporarily until I can cash out of it, WITH THEIR MONEY.”  This works because they take you to a lookalike website such as http://www.chasebank.com while the REAL bank is at http://www.chase.com.

ch 3 - chase

Solutions

1) No legitimate company ever asks you to click a link in an email and enter your credentials.

2) Pick up the phone and call and verify.  Don’t use ANY number on the suspicious email.

3) Run the cursor over the link and carefully check the lower left of the browser to see if the URL is valid.  Watch for URLs similar to the real one.

4) Avoid opening attachments until you know the source of the email.

5) Use a different email than your regular email to sign up for things on the Internet.

6) Hire an outside firm to train your employees and then test them with a phishing campaign that records who responds to it.
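As an added example, not from the original post: a small Python check that automates the hover test in item 3 above, using the author’s chasebank.com versus chase.com case.  The brand-to-domain table is an assumption for illustration, not a complete list.

```python
from urllib.parse import urlsplit

# Brands impersonated in the examples above, mapped to the domain the real company uses.
# This table is an assumption for the example; a real deployment keeps its own list.
LEGITIMATE_DOMAINS = {
    "chase": {"chase.com"},
    "bankofamerica": {"bankofamerica.com"},
    "linkedin": {"linkedin.com"},
}

def registrable_domain(url: str) -> str:
    """Last two labels of the host, lower-cased ('www.chase.com' -> 'chase.com').
    Two labels is a simplification: suffixes like 'co.uk' need a public-suffix list."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify_link(href: str) -> str:
    """Automate the hover check: 'legitimate', 'lookalike' or 'unknown'."""
    host = (urlsplit(href).hostname or "").lower()
    domain = registrable_domain(href)
    for brand, real_domains in LEGITIMATE_DOMAINS.items():
        if domain in real_domains:
            return "legitimate"
        # Brand name appears in the host (chasebank.com, chase.com.example.net)
        # but the registrable domain is not the real one.
        if brand in host.replace("-", "").replace("_", ""):
            return "lookalike"
    return "unknown"

def display_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one site but the target is another,
    e.g. text 'www.chase.com' over href 'http://www.chasebank.com/verify'."""
    if "." not in display_text:          # plain words like 'Click here' cannot be compared
        return False
    shown = display_text if "://" in display_text else "http://" + display_text
    return registrable_domain(shown) != registrable_domain(href)
```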

Spear Phishing

Spear phishing is simply targeted phishing.  Whereas phishing is more general, for example, all the Bank of America customers, spear phishing often targets a specific person or organization.  For example, you receive an email with your company’s email address and name on it – complete with company logo, i.e. looking just like it came from someone in your organization, possibly your boss.  And who wouldn’t reset their boss’s password and give them another, or loan them their login, if the boss were in a hurry?  Victim: “Darn, the boss has forgotten his password again. That’s three times this month!”  Real Victim – The Boss: “You gave who my password?”

Or it could be from a friend or loved one.  Spear phishers attempt to make you drop your guard just a little bit.  They may use information you post on Facebook or elsewhere to figure out what to put in the email.  It could also reference a recent purchase you made, for example iTunes, if your Facebook post shows you with an iPhone.  Or how about a photo you posted two years ago of you and another person you tagged?  They, the bad actor, write you and include the photo with some comment like, ‘those were some good times, huh?’  They are trying to associate themselves with you to get you to trust them.

Increasingly, the board of directors is the target. [22]

Solutions

1) Use a different internal email signature than you use outside the company.

2) Add something extra to any emails that contain a link.

3) Run the cursor over the link and carefully check the lower left of the browser to see if the URL is valid.

4) Adopt a company policy to NEVER ask for credentials through an email.

5) Have your friends use your middle initial or a nickname when they address you.

6) Call the person to verify it’s from them before clicking on a link or opening an attachment.

Spear Phishing for a Fund Transfer Scam

There is a variation of spear phishing that goes like this.  Suppose you are the person in charge of funds, say the CFO.  While your CEO is on a trip, you get an email from her that may even sound like her, directing you to wire some funds to an account because she is about to go into a meeting and needs it sent now.  What do you do?

If you think this is small stuff, think again.  The FBI [1] reports that between 2013 and mid-2016, $2 billion was lost to this scheme worldwide, with 12,000 reported company victims.  This was just updated to $3.1 billion with over 22,000 victims. [24]

Solutions

1) Company policy that all fund transfers over $1000 must be verified by phone call with the requesting individual.

2) Company policy that prevents the CEO from authorizing fund transfers while on a trip.

3) Create an internal system, reachable only after logging in to the network, for requesting fund transfers, and authorize only certain individuals to use it.


Hackers LOVE Social Media Posts

Suppose I asked you to provide this list of information on social media:

  1. Your Name
  2. Your pet’s names
  3. Your kid’s names and ages
  4. Where your kids go to school
  5. Where you went to school
  6. When your birthday is
  7. When your family member birthdays are
  8. Your gender
  9. Your family member genders
  10. Your race
  11. Your family member’s race
  12. Type of car you drive
  13. Type of car your spouse drives
  14. When you are on vacation
  15. Where you like to go when on vacation
  16. Where your kids catch the bus
  17. When your kids catch the bus
  18. What you like to buy
  19. What shows you like
  20. What books you like
  21. Who your friends are
  22. What type of political views you have
  23. What your house looks like inside
  24. What valuables you have in your house
  25. How old are you and each member of your home
  26. Your approximate household income
  27. Where you work
  28. Where your spouse works
  29. What music you like

Would you give it to me?  Or would you think I was up to no good?  Sadly, you have most likely given it away already, or are in the process, drip by drip.  Social media can be a treasure trove of information for marketers, but also for hackers and other perps.  Let’s map the numbers above to actions you might take.

Unless you are up to no good, you probably set up an account using your real name. (1)  You probably also provided your birth date when you set up your account.  This is one piece needed for identity theft.

Let’s say that you post photos of yourself. (8, 10)  Suppose a few were from when you were on vacation, and you were smart enough NOT to post them until you returned home so as not to advertise your absence.  The GPS coordinates of each shot are embedded in the photos, so the perp knows each place you were while on vacation, and when. (14, 15)

Your kids look so cute getting on the bus, so you post a photo.  Again, the GPS information is in the photo, so the perp knows the where and the when of waiting for a bus.  They can probably infer when the kids arrive home from other posts you make. (16, 17)  From the time of arrival and the bus stop, the perp can look up bus routes and determine which school your kids go to.
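An added example, not part of the original post: a stdlib-only Python check that parses the Exif metadata a phone embeds in a JPEG and reports whether GPS latitude/longitude tags are present, so a photo can be checked before it is posted.  It works on the payload of the JPEG APP1 ‘Exif’ segment; the sample blob is constructed here for illustration, not taken from a real photo.

```python
import struct

# Exif tags (from the Exif specification): the IFD0 entry pointing at the GPS
# sub-IFD, and the GPS sub-IFD tags that carry the coordinates.
GPS_IFD_POINTER = 0x8825
GPS_LATITUDE, GPS_LONGITUDE = 0x0002, 0x0004

def _read_ifd(tiff, offset, end):
    """Return {tag: raw 4-byte value} for the IFD at `offset` (end is '<' or '>')."""
    (n,) = struct.unpack_from(end + "H", tiff, offset)
    entries = {}
    for i in range(n):
        tag, _typ, _count, raw = struct.unpack_from(end + "HHII", tiff, offset + 2 + 12 * i)
        entries[tag] = raw
    return entries

def gps_tags(app1):
    """Given a JPEG APP1 payload ('Exif\\0\\0' + TIFF), return the set of GPS tags present."""
    if not app1.startswith(b"Exif\x00\x00"):
        return set()
    tiff = app1[6:]
    end = "<" if tiff[:2] == b"II" else ">"          # byte order from the TIFF header
    _magic, ifd0_offset = struct.unpack_from(end + "HI", tiff, 2)
    ifd0 = _read_ifd(tiff, ifd0_offset, end)
    if GPS_IFD_POINTER not in ifd0:
        return set()
    return set(_read_ifd(tiff, ifd0[GPS_IFD_POINTER], end))

def has_location(app1):
    """True when the photo carries a GPS latitude or longitude."""
    return bool(gps_tags(app1) & {GPS_LATITUDE, GPS_LONGITUDE})

def build_sample_exif(with_gps):
    """Construct a minimal little-endian Exif blob (sample data, not from a real camera)."""
    header = b"II" + struct.pack("<HI", 42, 8)       # TIFF header, IFD0 at offset 8
    gps_off = 8 + 2 + 12 + 4                          # IFD0 = count + 1 entry + next-IFD link
    if not with_gps:                                  # only a Model tag, pointing at the string
        ifd0 = struct.pack("<HHHII", 1, 0x0110, 2, 6, 8 + 18) + struct.pack("<I", 0) + b"Phone\x00"
        return b"Exif\x00\x00" + header + ifd0
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, gps_off) + struct.pack("<I", 0)
    data_off = gps_off + 2 + 2 * 12 + 4               # the RATIONAL values follow the GPS IFD
    gps_ifd = struct.pack("<H", 2)
    gps_ifd += struct.pack("<HHII", GPS_LATITUDE, 5, 3, data_off)       # 3 RATIONALs: deg/min/sec
    gps_ifd += struct.pack("<HHII", GPS_LONGITUDE, 5, 3, data_off + 24)
    gps_ifd += struct.pack("<I", 0)
    rationals = struct.pack("<6I", 40, 1, 26, 1, 46, 1) + struct.pack("<6I", 79, 1, 56, 1, 55, 1)
    return b"Exif\x00\x00" + header + ifd0 + gps_ifd + rationals
```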

You mention your car or post a photo of it while you are driving. (12)  Eventually you post a shot of the front of your home, and by elimination the perp can figure out which is your spouse’s car. (13)

You are careful and never post your kids’ photos online, but your family members aren’t, and they post photos of your whole family and then link the photo to you. (9, 11)

Post any photos taken inside your house?  Did you check what is showing in the background in the other room? (23, 24)  Did you post birthday photos of each child? (3, 25)  Don’t forget the pet, they are so cute! (2)

What do you post or share? (22)

Chat with friends from your high school or join a high school group? (5, 21)

Like to click on ads? (18)

From what you like to buy, photos inside your house, your cars and the house itself, your income can be inferred. (26)

To help people decide if they want to connect with you, you can display your favorite movies and books in your profile and even your favorite music. (19, 20, 29)

Ever talk about your job or your spouse’s? (27, 28)

The hacker can now figure out how to answer your security questions and reset your password.  The robber now knows when you aren’t home, whether you have anything worth stealing, and even where it is in your home.  The molester even knows how and when to get to your children.

Think you are safe because you only share with friends?  Think again.  Anything marketing firms can purchase, hackers and other perps can also purchase or steal.  I’m sure you can come up with additional information not on this list that you have disclosed.  Don’t feel badly.  We have all done it.  Just think in the future about what the information you provide might be used for.