Over the past year we have seen tremendous growth in the proliferation of threats and attacks aimed at the human intelligence level. These threats have been growing at an alarming rate, and it is surely due to a lack of knowledge and awareness on the part of the general public. Gone are the days when we had to worry about viruses, worms and hacking being a major pain and something we all feared; now phishing scams and social engineering methods have become the household names, rearing their nasty heads at consumers and businesses alike. It is only through knowledge and awareness of these issues that we will beat these methods of infection and propagation.
While talking to people on a daily basis it is very clear that the general public tends to turn a blind eye to these issues and thinks that they will not and cannot affect them as individuals. This is surely not the case, and it is one of (if not the) main reasons why these high-profile and very cunning methods of human attack are such a high risk. People do not take these threats seriously today, and I will try to shed some light on these issues as I've done over the past few years.
Over the past 2 years we have seen and heard more and more about "phishing", what it is and the methods of attack. While consulting with the FBI's cybercrime division and talking to them about the ways in which they address these issues, I learned they have been overwhelmed by people who have fallen victim to these scams, and it's just a matter of simple common sense. A "phishing attack" can only be successful if the intended recipient is not aware of such a scam or is tempted by the "too good to be true" offer presented.
Why would someone want to invest millions of dollars in you when you've never met them, never heard of nor seen anything about them, and they throw these millions at you for a mere $25,000 investment on your part? Surely that would catch the attention of anyone looking to get past that life of always being broke, or anyone always wanting to take their life to the next level but always financially strapped or stressed out.
Ask yourself: why would the president of such a major organization or country want me, of all people, to do business with and for them, and not have to commit to any signed agreement stating the terms and conditions of the deal?
Why would this major financial institution, located in some far region of the world, choose me to be the one to work this deal for them? This surely seems odd and should be a cause for concern, but yet still, unchecked, they buy into the scam and get burnt. Some people have invested thousands of dollars into these false deals, and it's only after the fact that they realize the severity of what they've done.
Common sense should have stepped up and said: hey, wait a minute, do I know these guys, what do they want with me, and why are they asking me for this payment to buy into such a sweet deal? Hmmm, this is suspect.
Instead the opposite happens, and you see the $25,000 vs. the millions that are presented in the offer. Hell yea, of course it's human nature to see the vastness of the offer vs. the small percentage of the buy-in payment. If someone came to me right here and now with that very same offer and I knew of and about them, I'd do my little research and then by all means I'm almost sure I'd buy into it. But this is far from the case. You will not find a phish that extravagant locally or nationally, because there are so many ways that you can look into that situation to know if it's legit or not. Sometimes the deal is so sweet and looks so good, and even after researching it, it's still a hoax. So what do you do?
Do not get suckered by these offers and these too-good-to-be-true deals. If someone came to you and told you they were selling you a 10 million dollar winning lottery ticket for $25,000, what would you do? We need to think about these things and weigh the validity and the chance it takes to make such a move.
I've seen too many people burned by this, and it's always the same story over and over. The FBI gets so many of these cases that they have to tackle them in bulk because of how many there are.
So, what is “phishing” and why is it so prevalent today with such high success levels?
Phishing is a method of deception that appeals to human intelligence by presenting something of value that is not legitimate or true.
I'm sure everyone by now has gotten some kind of email from a financial institution stating that their account needs to be verified or updated and that they need to log into the server to do so. When logging into what you think is the financial institution's server, you're actually logging into somewhere else, or someone else's server. This being the case, your information is now in the hands of someone other than yourself who can use it for any means necessary, and thus you've just been "phished".
So that's, in essence, the real overview of the phishing scene.
Next we have the social engineering techniques, which are very similar to "phishing" but can also come in physical form.
Someone comes to your place of business and tells you they are the CEO of the company from headquarters in DC, that they are here to meet with the rest of the management team, and that they need access to your network, infrastructure or office. This normally puts people on edge, because he/she is the CEO and you don't want to mess with that person or else. So this person comes in under false pretenses and gains access to internal, private and confidential business information and property that should never be given out to anyone outside of the company. By the time you catch on to what is going on, that person has gathered all the needed information and left with it. Now that information is being circulated on the internet, and your company is being sued and dragged through the legal system for that reason.
Who is to be blamed?
What went wrong?
Could this have been avoided, and if so, how?
These are valid questions about a real-life issue that happens on a daily basis. A helpdesk representative gets a phone call from someone claiming to be the CTO or CIO or some other C-level executive of the company. He is traveling and for some reason cannot log into the network, so he's calling the helpdesk to have them unlock his account and help him through the login process. The helpdesk individual knows the name of the executive and so tries to validate the credentials that person is using to gain access to the network. If this is a person who has done his homework, he may know the login name but not the password, so he most certainly tells the helpdesk support rep the login info but states that he can't remember his password. Now the helpdesk person feels this info is good, because the login username is correct, so that person should be who they say they are, and he/she proceeds to ask for some additional information such as full name, address, the last 4 digits of the social security number or the employee's unique company ID number.
All of this information can be had by various means, so it is nothing for a person performing a social engineering attack to obtain. So, having validated all the info, the helpdesk rep now changes the password and helps the user gain access to the network and its resources. For a C-level executive, you can just imagine the access and information available to him or her once logged in and authenticated on the network.
I've seen organizations where the helpdesk gets so scared when a C-level executive calls in with a support issue that they just need the name and some info in order to quickly expedite the support issue and get that person on their way. This is wrong, presents many critical vulnerabilities, and should be addressed immediately.
Social engineering, like phishing, can be stopped and mitigated by user awareness and knowledge. Policies, practices and measures can and should be put in place to offset these methods of attack. Companies should spend more time going over scenarios like these in order to get support people alert and proactive about these issues.
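The helpdesk reset scenario above, modelled as a verification policy that a support team could adopt. This is an added example, not code from the original article; every factor name, role and sample request in it is a constructed assumption.

```python
"""Helpdesk password-reset verification policy (added illustration).

Models the weakness in the scenario above: name, address, last four SSN
digits, employee ID and even the username can all be gathered in advance,
so a reset approved on those alone proves nothing. The policy requires
out-of-band evidence the caller cannot research, and a claimed C-level
title raises the bar rather than lowering it. All factor names, roles and
requests below are constructed for this example.
"""
from dataclasses import dataclass, field

# Identifiers a prepared caller can obtain by research; they never count.
RESEARCHABLE = {"username", "full_name", "address", "ssn_last4", "employee_id"}
# Evidence that requires reaching the real account owner or a second person.
OUT_OF_BAND = {"callback_to_number_on_file", "enrolled_mfa_device",
               "manager_or_second_rep_approval"}
PRIVILEGED_ROLES = {"CEO", "CTO", "CIO", "CFO"}


@dataclass
class ResetRequest:
    username: str
    claimed_role: str                             # what the caller says they are
    confirmed: set = field(default_factory=set)   # factors the rep actually checked


def evaluate_reset(req: ResetRequest) -> tuple[bool, str]:
    """Return (approved, reason) for a password reset request."""
    unknown = req.confirmed - OUT_OF_BAND - RESEARCHABLE
    if unknown:  # a misspelled factor must never count as verification
        return False, f"unrecognised factors {sorted(unknown)}"
    oob = req.confirmed & OUT_OF_BAND
    # Privileged accounts need two independent out-of-band checks.
    needed = 2 if req.claimed_role.upper() in PRIVILEGED_ROLES else 1
    if len(oob) < needed:
        return False, (f"{len(oob)} of {needed} out-of-band factors; "
                       "researchable identifiers alone do not verify the caller")
    return True, f"verified via {sorted(oob)}"


# Constructed walk-through of the article's scenario.
ATTACKER_CALL = ResetRequest("jdoe", "CTO",
                             {"username", "full_name", "address", "ssn_last4", "employee_id"})
LEGIT_CALL = ResetRequest("jdoe", "CTO",
                          {"username", "callback_to_number_on_file",
                           "manager_or_second_rep_approval"})

if __name__ == "__main__":
    for call in (ATTACKER_CALL, LEGIT_CALL):
        print(call.claimed_role, call.username, evaluate_reset(call))
```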
Wow, now identity theft is a growing issue that is an even bigger problem due to the arrogance of users thinking they are not affected, nor will they be affected, by this issue. Most of the victims I've spoken to had no clue they were victims of such an attack until years later, when the person who did the wrong simply missed a payment or 2, and now you're caught smack in the middle of the scheme of things. At that point it is already too late, because you have been victimized for years, and now that you've found out about it, it is way too late: the damage has been done. The most unfortunate part about the identity theft issue is the fact that the information will still remain on your credit for the full term of the cycle, and you have to hope to God that the person was keeping up on their payments so the credit standing was good.
I recently met a lady who had just found out that she was the victim of an identity theft scam after years of her identity being used by someone else. Fortunately for her, that person was keeping up to date and current on the payments, so that was generating good things for her report. How she came to find out about the theft was that one of the credit card companies called her asking to make payment arrangements for a past-due balance she had, and when she continued to deny the claims she came to find out the sad truth about the whole situation. There was a car, an apartment, credit cards and other things in her name, and she had no idea about it.
Let me tell you how bad this can get and for how long you can be screwed by such a nasty issue; yet still, there are simple ways of protecting yourself from things like this. These days, with the privacy issues and concerns surrounding the selling and use of your private information, it is so easy to find or get information on or about you on the internet that it's not even funny. Don't worry about the information, worry about the use and abuse of it. It's like worrying about doing online shopping and using your bankcard and credit card online when the banks all have that very same information online, and that's where the accounts were opened and are kept.
I recommend a credit monitoring service for you, your spouse, your children (yes, your children as well) and anyone with a valid social security number. These credit monitoring services do a very good job of keeping you alerted and updated on anything happening with your social security number and credit. I personally use Credit Expert and I have found them to be very good, very quick to alert and very detailed as to who, what, where, why and when anything affects my social security number and credit. I highly recommend the service; it is a yearly fee, but it is very much worth it and should be looked into.
When you think about the long-term effects and heartaches that come from an identity theft case, the yearly fee associated with these services is well worth it. Go get it NOW. There are quite a few good ones available, but they differ in offers and benefits. With Credit Expert I get a free credit report every 30 days if I want it; I can log in and have a look at what is on my credit, who I have credit with (if any), what my reported balances are, and the contact information for the creditor. I have found this to be a very valuable and needed resource, and I recommend it.
How can my identity be gained, lost or acquired?
There are more ways to lose your identity than there are to prevent it from being lost. As I said before, don't worry about losing it, worry about the use and abuse of it. So many parties already hold your private information: your employer, a company that you did business with, a place where you applied for a job and had to fill out an application form with all your info, a utility company that you had to subscribe to for their service. There are so many ways of giving your information out; don't worry about the info, worry about the use or abuse.
I remember seeing an article in 2005 where a nursing assistant had a patient in the hospital and thought the guy was going to die, so he took the patient's information and started using it. He got credit cards and other things in the name of the patient and was doing well until the patient didn't die; after coming out of the hospital a few months later, the patient started to see strange things and collection notices coming to him. After he contacted the authorities and turned the matter over to them, they conducted an investigation and found out it was the nursing assistant. Wow.
Don’t worry about the information, worry about the use and abuse.
I had started writing this article a few months ago after seeing what happened to that patient due to the theft by the nursing aide, but with all the things that were going on I was just consumed with consulting on issues for people who were affected, or who became so afraid of these issues that they didn't even want to face the reality of it.
I am sure by now everyone has heard about the data loss issue of the 26 million U.S. VA members, which has sparked a whole slew of privacy issues, regulations and laws at the highest levels. This should not have come as a surprise to people, because over the past year we have seen data breaches and identity theft problems at the highest levels of government and business. Every day there is a new breach reported from some major financial institution or organization, and with that comes the fear about what will happen next. The biggest problem with this is: how long ago did the theft/loss actually occur?
You're being advised of the breach now, but how long ago did it happen, and to what extent was the victim actually breached? While that is the bad part of the situation, the better part that saves us from the real effects of these issues is the alerting and monitoring services like Credit Expert, True Credit, Equifax and the other credit bureaus. They will alert you of any possible use of your social security number way before the company that was breached discloses the loss of the data, depending on the use of the information that was lost. In some breach cases the information is never used, but it's better to be safe than sorry. I implore you to look into these services for yourselves, as the time from alert to major impact on your credit is just a matter of you stopping the issue.
My next look at this issue will go into the methods of securing your data so that, in the event of data loss, it is secured.