Back to Back Issues Page
Watch For Scams Newsletter. Cybersecurity and Social Engineering
March 22, 2017
Hello

Cybersecurity and Social Engineering

Watch For Scams is dedicated to helping you avoid becoming a victim of fraud.

If you like this ezine, do a friend a big favor and forward this to them. If a friend forwarded this to you, and if you like what you read, please subscribe by visiting the link below: Subscribe Here

Cybersecurity and Social Engineering

Social engineering taps into the human psyche by exploiting powerful emotions such as fear, urgency, curiosity, sympathy, greed or the strongest feels of them all: the desire for free stuff.

Which is why cybercriminals have caught on.

Cybercrooks use this dangerous weapon to get at the weakest link: us. They know that the easiest way to penetrate a system is to go after the user, not the computer. Why use some hard technical flaw to acquire a password when you can simply ask the user for it?

In fact, psychological cyberattacks are on the rise. For example, a popular social engineering tactic is the technical support scam. An alert pop-up will appear on the screen that tells the user they are infected and need to download a malware application. The user, fearful of infection, will download the fake antivirus or anti-malware application that is instead a vehicle for delivering malware.

So how are the criminals distributing their social engineering schemes? Here are some of the most prevalent forms of social engineering today.

Clickbait

“Huge snake eats man alive!” Have I got your attention? What if I posted a link to a video of the ordeal? You just might be tempted to click, especially because many legitimate articles and other pieces of content use similarly eye-catching headlines to get people to look at their stuff. Cybercriminals get this, and they exploit it.

A particularly popular approach is to capitalize on the human desire to crane one’s neck to see an accident on the side of the road. So beware of links of overly graphic terrorist attack images, natural disasters, and other tragedies.

Watering hole attacks

One of the things cybercriminals do best is collect information about their targets. Browsing habits tell a lot about a person, which is why that ad for cat sweaters keeps popping up in your Facebook feed. Cybercriminals use this information to go after the sites most visited by their target group. Once they discover a particular website is popular with their targets, they infect the site itself with malware. For example, hackers knew the iPhone Dev SDK forum was visited frequently by Facebook, Apple, and other developers. They compromised the website, set up an exploit, and ended up infecting a lot of people.

Social networking attacks

Social networking attacks can be particularly dangerous because criminals play with your mind in two ways. First, they make comments about your personal information. People are worried about what others think of them. Second, they make their messages appear to come from a friend.

This two-pronged approach can be accomplished in one attack. You might receive a message from your ex-boyfriend that says, “lol, is this your new profile pic?” (with a picture of a walrus). The picture has a link. You click on it, because what the heck, ex-boyfriend?! And once you look at that…you’re infected with malware.

Ransomware

Ransomware is nasty business. It’s also social engineering at its finest/worst. Ransomware is a type of malware that holds your files or part of your system ransom. In order to return access, you have to pay cybercriminals. People who want their precious data back might pay up right away. But for those who need additional scare tactics, criminals have come up with law enforcement scams that make it appear as though the U.S. Department of Justice or FBI Cybercrime division are contacting you to claim that you’ve done something illegal.

Even worse, some cybercriminals will stoop to the level of claiming they found child pornography on your computer and then display a piece of child pornography. So, they say, pay up and we’ll make it go away. Users, naturally, tend to panic when faced with a message about child pornography that seems to come from law enforcement. This gross tactic has even lead, in an extreme case, to a user committing suicide.

Phishing/spear phishing

If anyone you know has ever fallen for the old Nigerian prince tale, then guess what? They were phished. Phishing is a form of social engineering that relies on fooling people into handing over money or data through email. Bad guys accomplish this by sending a generic message out to a huge mass of people that might say something like, “You won $1 million! Click here for your reward!” Sadly, there are those that still fall for this.

However, in recent years cybercriminals have upped their phishing game with more sophistication. Spear phishing emails are crafted in order to make someone believe they’re from a legitimate source. The messages might appear to come from banks or businesses, and could include full names, usernames, and other personal info. Crooks know that if you get an email that looks like it’s from your medical provider and it’s talking about a surgery you had last year, you will likely believe it.

So how can you fend of these psychological attacks? Here are a few tried and true methods:

• Equip yourself with antivirus, anti-malware, and anti-exploit security programs. These can fight off malware attacks from a technical standpoint

• Anonymize your data by using the privacy features of your browser. It’s also a good idea to clear cookies every once in a while

• Lock down privacy settings on social media accounts. Make sure you’re making information available only to those you wish to have it

If you believe you have been a victim of this type of scam you should promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.

Remember - always watch for scams!

Steve

Back to Back Issues Page