You may now be savvy enough to know that when a friend reaches out on Facebook and says they’ve been mugged in London and are in desperate need of cash, that it’s a scam. But social engineers, the criminals that pull off these kinds of ploys by trying to trick you, are one step ahead.
Social engineering attacks are getting more specific because targeted attacks are generating far better results.
What that means is the hackers may need to do more work to find out personal information, and it may take longer, but the payoff is often larger.
Today’s attacks are not just a broad spam effort, sending out a million emails with an offer for Viagra. These are now individual attacks where they are going after people one by one.
Here are five new scams circulating that involve greater individual information gathering tactics.
This is Microsoft support –we want to help
A new kind of attack is hitting many people lately. It starts with a phone call from someone claiming to be from Microsoft support, calling because an abnormal number of errors have been originating from your computer.
The person on the other end says they want to help fix it because there is a bug and they have been making calls to licensed Windows users. All this pretext makes sense; you are a licensed Windows user, you own a machine with Windows on it and the caller wants to help you.
The caller tells the victim to go to the event log and walks them through the steps to get to the system log.
Just about every Windows user will have a multitude of errors in the event log, simply because little things happen; a service crashes, something doesn’t start. There are always errors, but when a non-experienced user opens it up and sees all these so called “critical errors”, it looks very scary.
At that point, the victim is eagerly ready to do whatever the alleged “support” person wants them to do. The social engineer advises them to go to Teamviewer.com, a remote-access service that will give them control of the machine. Once the social engineer has access to the machine, they then install some type of rootkit or other piece of malware that will allow them to have continual access.
Donate to the hurricane recovery efforts!
Charitable contribution scams have been a problem for years. Any time there is a high-profile incident, such as the devastating earthquake in Haiti or the earthquake and tsunami in Japan, criminals quickly get into the game and launch fake contribution sites. The best way to avoid this is to go to a reputable organization, such as the Red Cross, and initiate the contact yourself if you want to donate. However, a particularly vile targeted social engineering ploy has cropped up recently that seeks specifically to target victims who may have lost loved ones in a disaster.
In this example, about 8-10 hours after the incident occurs, web sites pop up claiming to help find those who may have been lost in the disaster. They claim to have access to government data bases and rescue effort information. They typically don’t ask for financial information, but do require names, addresses and contact information, such as email and phone numbers.
While you’re waiting to hear back about the person you are seeking information on, you get a call from a charity. The person from the charity will often strike up a conversation and claim to be collecting contributions because they feel passionate about the cause as they have lost a family member in a disaster. Secretly, they know the victim they’ve contacted has lost someone, too, and this helps build up a camaraderie.
Touched by the caller, the victim then offers up a credit card number over the phone to donate to the alleged charity. Now they have your address, your name, relative’s name from the web site and also a credit card. It’s basically every piece of information they need to steal one’s identity.
About your job application…
Both job seekers and head-hunting organizations alike are being hit by social engineers who know they are looking for employment or seeking new employees.
In both instances, this is a dangerous scam. Whether you’re the person looking for work or the company posting new jobs, both parties are stating – I’m willing to accept email attachments and information from strangers.
According to a warning from the FBI, more than $150,000 was stolen from a U.S. business via unauthorized wire transfer as a result of an e-mail the business received that contained malware that resulted from a job posting.
The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company, the FBI alert reads. The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud U.S. businesses.
Malicious attachments have become such a problem that many organizations now require job seekers to fill out an online form, rather than accept resumes and cover letters as an attachment. And the threat for job seekers of receiving a malicious message from a social engineer is high, as well. Many people now used LinkedIn to broadcast that they’re looking for work, a quick way for a social engineer to know who is a potential target.
@Twitterguy, what do you think about what Obama said on #cybersecurity? http://shar.es/HNGAt ”
Social engineers are taking the time to regularly observe what people tweet about and using that information, launch attacks that seem more believable. One way this is happening is in the form of popular hashtags. In fact, earlier this month, the U.K. debut of the new season of Glee prompted social engineers to hijack the hashtag #gleeonsky for several hours. British Sky Broadcasting paid to use the hashtag to promote the new season, but spammers got ahold of it quickly and began embedding malicious links into tweets with the popular term.
These spammers can redirect you to any webpage they like once you have clicked on the link. It could be a phishing site designed to steal your Twitter credentials, it could be a fake pharmacy, it could be a porn site or it could be a website harboring malware.
Twitter mentions are another way to get someone’s attention. If the social engineer knows enough about what you’re interested in, all they have to do is tweet your handle and add some information in that makes the tweet seem legitimate. Say you’re the politically active type who is tweeting quite a bit about the GOP primary race lately. A tweet that mentions you, and points you to a link asking you what you think about Mitt Romney’s latest debate statements can appear perfectly legitimate. Once you’ve clicked through – they’ve got you!
Get more Twitter followers!
Be warned of services claiming to get Twitter users more followers. If you spend any time at all on twitter, you’ll see tweets all over that say something like: GET MORE FOLLOWERS MY BEST FRIENDS? I WILL FOLLOW YOU BACK IF YOU FOLLOW ME – [LINK] Clicking on the link takes the user to a web service that promises to get them many more new followers.
The pages ask you to enter your Twitter username and password. That request alone should instantly have you running for the hills – why should a third-party webpage require your Twitter credentials? What are the owners of these webpages planning to do with your username and password? Can they be trusted? Twitter itself even warns about these services on their help center information page.
Remember, when you give out your username and password to another site or application, you are giving control of your account to someone else,” the Twitter rules explain. “They may then post duplicated, spam, or malicious updates and links, send unwanted direct messages, aggressively follow, or violate other Twitter rules with your account. Some third-party applications have been implicated in spam behavior, fraud, the selling of usernames and passwords, and phishing. Play it safe – do not give your username and password out to any third-party application that you have not thoroughly researched.
These are just some common sense rules to follow. For more information visit the Department of Homeland Security Website and blog: http://blog.dhs.gov/2011/07/protect-yourself-against-social.html
