We discuss popular social engineering tricks to watch for.
Walk-in clients share their upsetting stories...
It seems like a day doesn't pass without an unsuspecting customer sharing a horror story about how they were scammed into paying for false technical support, or to fix a problem on their computer that the attacker had caused in the first place! Here is a good starting point for identifying some of the well-known scams and tactics used by professional con artists trying to steal your money.
"Although we inform our clients, provide FREE training, and get them onto a program like our "Absolute Care Essentials", we still get too many customers that haven't taken the time to protect themselves, or they simply wait until something bad happens to them." Robert Crossland points out that addressing these matters BEFORE they happen literally takes just a few minutes. "The importance is that small businesses and home users need to just take that extra moment to get the tools and advice necessary. Especially if it's free from organizations like ours."
Persuasion is part of life. We all try to persuade friends and loved ones to act in a certain way, usually with the best of intentions.
Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests.
Technically, acts that influence people to behave within their own interests is also social engineering. However, the term is used almost exclusively within the context of fraud, scams, and cyber crime.
Con artists are master social engineers. So are modern hackers who rely on spam and phishing — and they have a few new tricks up their sleeves.
Social Engineering Tactics
Below we describe some of the most common social engineering tactics used today in cyber crime.
In the real world, cyber attacks do not fit into neat categories. Instead, each is unique, often combining multiple channels and tactics.
While categorization is helpful to understand the nature of the beast, remember that many of these tactics will overlap in the wild.
Impersonation
Impersonation is one of the most common types of social engineering. It is when an attacker presents themselves, or their communication, as originating from another party.
Attackers routinely impersonate authority figures – such as police officers or CEOs – knowing many people are quick to follow orders from authority, as has been proven in psychological experiments.
Many other roles are impersonated: lottery officials, wireless service reps, government officials, coworkers, family members – the list is nearly infinite.
Remote tech support scams
Phone scams are nearly as old as telephones. In a typical scam, the attacker calls the victim, poses as someone else, and uses a false pretense to con the victim into sending payment.
In recent years, the same tactics have been used for cyber crime. Tech support scams are a common example. The attacker calls posing as an employee of Apple, Dell, or Microsoft and claims the victim has a malware infection or other tech problem. Rather than conning the victim into sending payment, the attacker walks them through the steps to allow a connection to their computer through a remote desktop app.
You can hear examples of these calls in this article from Wired. Once attackers are in, they do as they please, typically installing ransomware.
Some attackers take a multi-pronged approach. Posing as the IRS, one group called victims and demanded either payment or computer access immediately.
Emergency email from the boss
Business email compromise (BEC) scams – which have accelerated in recent years – are an example of impersonation used to devastating effect.
In a typical BEC scam, the attacker has intimate knowledge of the target business, including who is authorized to send wire transfers and how the transfers are initiated.
The attacker targets this person, sending them an email purporting to be from their boss (either by compromising or spoofing the boss's email). The email requests a large wire transfer to the attacker's account. The email is crafted to mimic prior wire requests. It may also inject a sense of urgency, a common marketing technique, by adding "I need this handled ASAP."
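As an added illustration (not code from the original post or from Calyptix), here is a small Python screener for the BEC cues this section describes: a trusted display name on an outside address, a Reply-To that diverts replies, a wire-transfer request, and an urgency phrase. The company domain, executive names and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example-corp.test"             # assumed: your own mail domain
EXECUTIVES = {"pat ceo", "robert crossland"}     # assumed: display names worth protecting
WIRE = re.compile(r"\b(wire transfer|wire the|bank details|account number)\b", re.I)
URGENCY = re.compile(r"\b(asap|urgent|urgently|immediately|right away)\b", re.I)

def bec_indicators(raw: str) -> List[str]:
    """Return the BEC cues found in one raw message (headers plus plain-text body)."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    hits = []
    # 1. Spoofed boss: a trusted display name, but the address is not on our domain.
    if name.strip().lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        hits.append("executive display name from an external domain")
    # 2. Replies silently routed to a mailbox other than the apparent sender's.
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        hits.append("Reply-To domain differs from From domain")
    body = msg.get_payload() if not msg.is_multipart() else ""
    # 3 and 4. The substance of a BEC request: money movement plus manufactured urgency.
    if WIRE.search(body):
        hits.append("requests a wire transfer or bank details")
    if URGENCY.search(body):
        hits.append("urgency cue")
    return hits

def is_suspected_bec(raw: str) -> bool:
    """Two or more cues together warrant calling the requester back on a known number."""
    return len(bec_indicators(raw)) >= 2

# Constructed samples: a spoofed "boss" wire request and a benign internal note.
BEC_SAMPLE = """\
From: Pat CEO <pat.ceo@gmail-mail.test>
Reply-To: Pat CEO <pat.ceo@reply-drop.test>
To: accounts@example-corp.test
Subject: Vendor payment

Please wire transfer $48,500 to the bank details below. I need this handled ASAP.
"""
LEGIT_SAMPLE = """\
From: Pat CEO <pat.ceo@example-corp.test>
To: accounts@example-corp.test
Subject: Lunch

Thanks for the Q3 summary, see you at lunch.
"""

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, LEGIT_SAMPLE):
        print(is_suspected_bec(sample), bec_indicators(sample))
```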
Phishing
Phishing occurs most often through email, and it is one of the most common ways cyber attacks are launched.
Two main types of email phishing exist:
Emails that trick victims into sharing access credentials.
Emails that trick victims into installing malware.
These tactics are slightly different from BEC (described above), in which attackers have detailed knowledge of the business's operations. In email phishing, attackers simply want to steal access credentials or install malware. We've covered many examples of phishing attacks and even have a 20-page report on the topic for IT service providers.
In the first variety, attackers typically encourage victims to visit a phony website and enter access credentials. Occasionally, they encourage victims to send credentials directly via email. Even here, overlap exists: the phishing websites often attempt to force malware onto the user's system via drive-by download or a disguised software update.
In the second variety, phishing emails attempt to trick users into installing malware directly via a disguised email attachment. While any type of malware can be used, trojans are a common variety, designed to persist on the infected system and collect sensitive information such as banking credentials.
Vishing
Vishing – or 'voice phishing' – is used by brazen attackers who call their targets directly. They often impersonate authority figures and threaten victims into sending payment, or else…
Some of the tech support scams described above are another example of vishing (see 'Remote tech support scams'). Here are a few other examples.
Malware Routes Calls to Attackers
In one recent example of vishing, rather than calling victims, attackers used malware on victims’ smartphones to redirect their calls.
Once installed, the malware detected when calls were placed to banks and redirected them to scammers who impersonated a banking employee. The phone’s caller ID even listed the bank’s legitimate phone number.
In one example, more than 130 utility customers – many of them restaurants – received calls from a person threatening to shut off their electrical service unless payment was made. Many of the calls came at busy times – such as the dinner rush – and at least one victim paid $4,000 to avoid having the power cut. Payments were made online or via prepaid card.
Caller ID Spoofing
The attacker may use caller ID spoofing to make their efforts more convincing.
For example, several New Jersey residents experienced vishing attacks in which the caller impersonated a local sheriff’s office.
The attacker attempted to extort money from victims using the threat of arrest, and successfully used caller ID spoofing to mimic the sheriff's office phone number. In another example of impersonating police, the caller posed as an officer and pressured victims into sharing personal information that could be used for fraud.
SMiShing
SMiShing applies phishing tactics through text messages.
Although this channel is less effective at convincing victims of the sender’s authority, attackers find other uses.
Fake shipping service in Japan
In an ongoing SMS phishing attack in Japan, victims receive text messages claiming to be from a parcel delivery service. The message guides victims to a website with more information. Rather than collecting information online, the site prompts users to send personal information via SMS. A variation of the attack encourages victims to install a smartphone app. This mobile malware is intended to collect login credentials and credit card information and to send SMS messages to more potential victims.
SMS phishing via Atlanta
Two Romanian hackers were extradited to the U.S. in April for an elaborate phishing scam that leveraged SMiShing and vishing.
From Romania, the pair used compromised computers around Atlanta to send thousands of automated phone calls and text messages throughout the U.S.
The messages claimed to be from a financial institution and directed victims to call a phone number to resolve a problem. After calling, victims were prompted to enter their bank account numbers, PINs, and/or social security numbers. The hackers collected more than 36,000 bank account numbers, according to court records.
** Content posted by our friends at Calyptix Security.