A while back a colleague of mine was spear phished. It was really clever how they did it. She was contacted, not through a direct email, but via a message system of a professional group she was a member of. The message purported to be from a ‘worried colleague’. They had seen her profile on the professional group website and had also noticed that a Facebook account had been created using her photo. The Facebook page was real, her professional photo was being used and a variety of less than complimentary Facebook posts were in the timeline.
The person, who sent the phishing email, came across as being ‘a friend’ trying to help out and pointing to the abuses made in my colleagues name. They offered help saying that they’d also been a victim of this sort of identity theft and knew how to counter it. They asked my colleague to email them and they’d show her what to do.
It was a very convincing email. It used some of the oldest tricks in the book; tricks that conmen have used for centuries. It attempted to build a connection with my colleague, to find a common ground. The email was from a trusted source – her professional network. The writer created a scenario shrouded in fear, uncertainty and doubt, to cause my colleague to feel anxious and that her reputation was at risk. The phisher then held out a helping hand to make it all go away. It was a perfect example of highly targeted social engineering, in other words, using normal human behavior to manipulate a person into revealing far too much.
The case above had a happy ending. My colleague is a cyber security professional and recognized the signs of a sophisticated spear phishing attempt. But not everyone is so lucky and human behavior manipulation has become the pivot upon which cyber security attacks are based.
To Err is to Be Human
Social engineering is a technique used to manipulate a behavior. It isn’t new. As mentioned above, conmen and tricksters have been using this in one form or another for centuries. One of the most famous cases of social engineers was Frank Abagnale; the film “Catch Me If You Can” was a portrait of his life as a confidence trickster. Frank used people’s natural need to trust to commit fraud.
Social engineering in the context of cyber crime has been used extensively. One of the most infamous examples was the ‘I Love You’ virus. This was an email born malware infection, which swept the world in 2000. The email contained the subject ILOVEYOU and contained a ‘love letter’ which when opened ran the malicious code and infected the computer. This trick played on our own vanity – how exciting to get a love letter, almost impossible to resist opening it, just in case it was a secret admirer. And that is exactly what happened with the virus infecting about 45 million computers within 2 days of its release into the wild.
Since then, cybercriminals have embraced social engineering and human behavior manipulation turning it into almost an art form. The whole area of phishing is based on this very concept.
The Big Phish: Business Email Compromise
Phishing and its rich cousin, spear phishing, is arguably the most successful cyber security vector ever with 123,972 unique phishing attacks in 2015. Phishing emails are very cleverly pulled together by the cybercriminal. In the mass mail out, less targeted ‘phishing’ variant, the hacker makes the email look just like a legitimate site, one that you’d enter login credentials; these credentials then being stolen by the hacker behind the spoof site. According to research by APWG Internet Policy Committee into Phishing, PayPal, Apple and TaoBao are the most popular spoofed sites for phishers, with 54% of all spoof sites representing one of the big three.
But the true art of phishing is seen in spear phishing. Spear phishers have to spend quality time getting to know their target. The emails are crafted to reel in their prey, using full personalization and creating trust and connection between the phisher and the victim. One of the latest scams to be based on the principles of manipulation of human behavior is the Business Email Compromise or BEC. BEC scams have been hitting business, of all sizes, big-time.
A BEC is a form of spear phishing. It has a complicated profile. Firstly, deep reconnaissance is made to identify a business owner, or key employee, that will become the proxy for the phish. This individual then has their email account either spoofed or compromised. The phisher will then learn as much as they can about their victim and the company they are targeting. They use this information to create highly convincing emails and instructions – using the ‘personality’ of the victim to come across as real. An example of the type of information that is really useful to phishers would be the calendar of the victim- are they away on business on certain days and so on. This allows the phisher to build up a personal profile and so mimic the person more precisely.
Once they have control of the email account, they can then apply email rules to make sure they don’t get detected when they utilize the account. Or, if they spoof the account, they make the email look like it is from that individual. With account control they can then enact their plan, which goes something like this:
1. Create an email from this key staff member, to ask for a wire transfer of monies to a new creditor.
2. This email will go to one of the compromised users subordinates. So for example if the CFO’s account is compromised the email might go to the finance controller.
3. A variation on the above is where the phisher asks Human Resources for ‘employee details’ and thereby stealing identities which they can use for fraudulent tax returns and so on.
There are a number of different tactics being used, based on a compromised business account. Each one of them uses our natural trust system to trick us into performing actions we’d normally be reticent to do. BEC attacks are working. The FBI has recorded 7000 U.S. business BEC scams since late 2013 with losses of around $740 million.
Controlling Our Behavior
Phishing is so popular and successful that phishing is moving into other spheres. ‘SmiShing’ is the new phishing; with mobile devices being targeted with SMS based phishing messages – like this one. When checked the ‘Apple’ link goes to a spoof site in Romania where you are requested to enter your Apple login credentials. If you did so, they would be stolen and used to login to the real Apple site. Variants on this attack type also include a SMS message from a bank asking you to call a number to talk about a possible fraud attack on your account. When you do, you are asked for various details including your online banking password – the result being your bank account is cleared out.
There are ways that we can use to counter this abuse of our humanness, but it means being more aware of ourselves, how we react and how cybercriminals operate. Some basic checks include:
Caution is the watchword for anyone receiving an email requesting a funds transfer (for example).
Do not click directly on a link in an email, but instead, if it refers to an account, go to that account through the browser first.
Check email addresses – if you expand the address you may see it has unusual characters or is simply not the name it pretends to be.
Build a robust security strategy across the whole organization, taking both technologies and human behavior into account.