NYC Digital Safety

We know virus come from malware, but did you know about the lucrative business that drives these sorts of attacks? Watch / read to learn more

 

Transcript

Davis: So, Dan, I know you’re not the only one to come home or go to work to encounter screens full of frightening messages. In case our audience includes individuals who have encountered the same thing, let’s get into it: why does this happen?

Dan: Well, it usually happens because some kind of malware got installed on the machine. That could happen because the owner of the machine clicked on a link or opened an attachment from an unknown source, or it could be because they fell victim to an all-too-common attack called social engineering.

Davis: So, fortunately, we’ve talked a lot about those data privacy techniques that keep us out of malware land, but what on earth is social engineering? And how does that come into play? How would you define this term and what do we need to know?

Viruses happen because the owner of the machine clicked on a link or opened an attachment from an unknown source, or it could be because they fell victim to an all-too-common attack called social engineering.

Dan: Social engineering is trying to get someone to do something they don’t want to or shouldn’t do. Think about the times you may have called a customer service line and told a small white lie to get a device repaired under warranty, even though you dropped it, or when you convinced the help desk to reset your password without you giving them your secret identity code, because you left your phone that generates that code at home. These are all forms of social engineering, but sometimes they take on different forms when done by bad actors, like when they call your help desk and pretend to be the CEO’s assistant claiming they’re trying to get into the CEO’s mailbox and he has an urgent presentation to give and needs it right now. You can see how social engineering can be used in a whole different way into very different ends.

Davis: That is just about as clear as an explanation I’ve heard, so thank you for that. What is it about us as human people that makes us vulnerable to this type of thing?

Dan: Humans are built to want to be helpful, so we try to do so at every turn. In the example I just gave, the caller will likely play on the fact that the help desk agent can aid in making this big deal happen, maybe pretending it’s for a huge investment in the company, to make a help desk agent more likely to want to help, even if it means bending the rules.

Adding an urgency also makes the drive to help greater and makes the person who is needing to act less likely to think through the validity of that request, because time pressure is being applied. You’ll often see urgency and social engineering efforts and in phishing emails, too. “Your account is about to expire! Act now to keep your data!” Things like that example also calls out another human trait that comes into play in social engineering: a lot reticence to ask a superior to confirm something.

Note that the attacker used the CEO in this scenario, someone that a help desk agent is not likely to know personally and will not immediately think, oh this seems strange, I’ll call the CEO to confirm. I spend a lot of time building a culture into my organizations to establish that calling anyone up to and including the CEO is a-okay when you think something is suspect. That’s a great defense against social engineering.

Davis: The examples you just gave illustrate some amount of research being done by the people perpetuating these things. So how do folks who perform acts of social engineering know personal details about us? That seems super creepy and it also seems like a recipe for manipulating users into taking steps they might not otherwise take.

Adding an urgency also makes the drive to help greater and makes the person who is needing to act less likely to think through the validity of that request, because time pressure is being applied.

Dan: As we talked about in series three, there’s a lot of data about us floating out there from data brokers that collect about our personal lives, to other types of data brokers that build dossiers on organizations from roles and titles and phone numbers and email addresses, and more for use primarily by sales teams to better sell into a company. But that data is also available to anyone who wants to buy it. Add in the information that we provide ourselves on places like LinkedIn and Twitter and you’ve got a great stockpile of who’s who and what they do. Makes the story you can tell in social engineering attempts all the more realistic, and gets you a better chance of your request being fulfilled.

Davis: Right, so if anyone follows me on Twitter and perpetuates social engineering against me, they can just talk about cats and I’m theirs. What are some clues that you’re the subject of a malicious attack when this happens to befall you, Dan?

Dan: Well, first your CEO and your leadership team will likely never ask you to buy them iTunes gift cards, full stop. If they do, call and ask them to verify. But I’ll wager they really didn’t. Gift card scams have become so prevalent that the point of sale systems at places that sell gift cards now actually warn buyers if they’re buying based on an email or other online request that they got it’s likely a scam. The other is unusual urgency in the request, the claimed inability to talk over voice — “I can only do this over text” — or email and phone numbers and email address that aren’t the norm — “I’m locked out of my corporate email account so I’m mailing you for my personal gmail. Can you please help me here?”

Davis: What might cause someone to engage in this sort of behavior? It seems maladaptive to me.

Dan: When there’s money to be made, there’s crime. And in this case, there’s organized crime. There’s large syndicates of groups that make tons of money perpetrating attacks on individuals and organizations trying to get money out of them one way or another. These groups run like businesses and have leadership structures and tech support organizations and rules and policies of how and when and who to attack. It’s a really lucrative business.

There are also cases where nation states can engage in social engineering to attempt to get information against other governments or agencies. They use this to get contact details or convince someone to run something that installs spyware or malware that lets them do recon, or get information about their target, or allow them to come back later and gather more information, or take some action against that network or system. These same things can happen in crime-based social engineering attacks, but the intent is really different.

Davis: If those of you watching are as creeped out by all this as I am, not to worry: our next episode gets into how we can prevent these things from happening in the first place. And if you’ve been through a situation where your devices were hacked or you fell victim to a scam we’ve got an episode on how to move forward, also coming up soon.