In the everyday life of a computing professional, everything we do, implement, or design is done with the utmost attention to security. Be it installing anti-virus and anti-malware software to protect computers from remote intrusion, or physical locks and cables to prevent theft of devices, security is a big deal when it comes to computer systems and securing personal data. However, there is no anti-malware package for people, and there is no intrusion detection system to tell you when someone contacts you pretending to be someone they really aren’t.
Normally when people think of “hackers”, they think of the Hollywood image of some whiz kid typing 200 lines of code per second in an effort to gain access to some supercomputer for illicit purposes, such as the one portrayed by Matthew Broderick in the classic movie WarGames. In reality, “hacking” is merely the act of exploiting a vulnerability, or weakness, in a system in an attempt to gain access to something one would ordinarily be restricted from. In his book “The Art of Deception”, famed hacker turned security consultant Kevin Mitnick describes social engineering as the key tool he used in his exploits. According to Greene (2003), “At age 12, Mitnick used social engineering to bypass the punchcard system used in the Los Angeles bus system. After a friendly bus driver told him where he could buy his own ticket punch, he could ride any bus in the greater LA area using unused transfer slips he found in the trash. Social engineering became his primary method of obtaining information, including user-names and passwords and modem phone numbers.” More recently, terms such as phishing or vishing have come into vogue, but it all amounts to the same thing: someone trying to deceive another into believing they are someone else, be it a utility worker trying to gain access to your home, a credit card company calling to ask you for your PIN for identification purposes, or someone spoofing an e-mail in an attempt to pass themselves off as you!
Recently I was contacted by an agency about a security PIN I had requested via a phone call and a subsequent e-mail. The problem was, I had requested no such credentials, and upon further investigation I realized someone was using my name, spoofing my email address, and using my business affiliations as part of a social engineering hack. Thankfully, those who were the targets of the hack had their suspicions about the request, and the hack was ultimately unsuccessful. However, it could have turned out very differently had one individual not questioned the authenticity of the request.
We have all been programmed to be helpful, and especially within the context of providing customer service, or allowing people to “do their jobs”, sometimes we don’t look critically at the situation and simply take people at their word. We take it for granted that the fellow wearing the red hat and fireman’s outfit really works for the fire department. This is the heart of the social engineering exploit, and the reason it works often enough that people still use it.
Typical social engineering and phishing attacks today occur by e-mail. Most people have become savvy enough to spot obvious phishing attempts, but not all, and depending on the motivation and sophistication of the attacker, some of these spoofed emails and website links can look quite genuine. Here are a few tips that may help you recognize a phishing attempt via email:
- Check both the ‘To’ and the ‘From’. If both contain the same name and address, it is a phishing email.
- If the email tells you to open an attachment, don’t, especially if the attachment name ends in .pif, .exe, .bat, .asp, or .scr.
- If you see a hyperlink in the body of the email, do not click it. You can hover your cursor over the word or link to see where the address really leads; generally it is not somewhere you want to go.
- If you get a suspicious email from a friend, call them and ask whether they sent it, to verify its legitimacy.
- Never respond to an offer of money in exchange for personal information. If you have a rich uncle in Nigeria, I’m sure you were well aware of it prior to receiving an e-mail alerting you that you are the sole heir to his fortune.
- Some phishing emails can look quite genuine, so as a matter of best practice always navigate directly to the websites of businesses contacting you. Banks and businesses will never email you asking for your passwords or credentials.
- Use your internet browser’s anti-phishing measures (Firefox, Safari, and Internet Explorer have them). These features will alert you if you do follow a link in a phishing email and warn you if the site is fraudulent.
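The first three tips above (matching To/From, executable-looking attachment names, and links whose visible text does not match where the address really leads) are mechanical enough to check in code. The following Python script is an added example, not part of the original post; it uses only the standard library, and the two messages it inspects are constructed samples on reserved example domains, not real mail.

```python
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment extensions called out in the tips above.
RISKY_EXTENSIONS = (".pif", ".exe", ".bat", ".asp", ".scr")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host name of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def phishing_findings(raw_message):
    """Apply the three heuristics to one RFC 5322 message; return a list of findings."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []

    # Tip 1: the same address in both To and From is a common spoofing tell.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    if from_addr and from_addr.lower() == to_addr.lower():
        findings.append(f"To and From are the same address: {from_addr}")

    for part in msg.walk():
        # Tip 2: attachment names ending in an executable-style extension.
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {filename}")

        # Tip 3: what the link shows versus where the href actually goes
        # (the programmatic equivalent of hovering over the link).
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_host = _host(href)
                shown_host = _host(text if "://" in text else "http://" + text)
                if href_host and "." in shown_host and shown_host != href_host:
                    findings.append(f"link text '{text}' but href goes to {href_host}")
    return findings


# Constructed sample: spoofed To/From, a disguised .scr attachment and a
# link whose text names one domain while the href points at another.
SAMPLE_PHISH = """\
From: IT Helpdesk <helpdesk@example.com>
To: IT Helpdesk <helpdesk@example.com>
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Visit
<a href="http://login.example.net/reset">www.example.com</a> now.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.scr"
Content-Disposition: attachment; filename="invoice.pdf.scr"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample of an ordinary message that should produce no findings.
SAMPLE_CLEAN = """\
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, phishing_findings(sample))
```

None of these checks is proof on its own, and a message that passes all three can still be a phish; they are the cheap, mechanical part of the advice above, and the remaining tips (verifying with the sender out of band, navigating to the business directly) still need a person.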
The phone is a powerful tool for someone seeking to gain information for illicit purposes. They may make several phone calls in an effort to pick up corporate lingo, spoof telephone numbers, and even find out what music is played when a caller to your institution is put on hold! They may pretend to be law enforcement, or vendors seeking details about systems and infrastructure. Best practice is to always get the number of the agency, and verify that number and agency before calling them back. Never offer anyone’s personal information, or discuss company details, over the phone with someone you haven’t verified to be who they say they are, and that includes your own information.
In conclusion, be wary and be wise. Don’t be afraid to ask questions, and don’t take things at face value. If you have any doubt whatsoever about the authenticity of a person requesting information from you via phone, email, or in person, DO NOT feel that you have a responsibility to answer their questions without first getting yours answered to your satisfaction. And even then, be wary, be wise, and be well.
Greene, Thomas C. (January 13, 2003). “Chapter One: Kevin Mitnick’s story”. The Register. Retrieved from http://www.theregister.co.uk/2003/01/13/chapter_one_kevin_mitnicks_story/