Tag: social engineering

  • “Hello can you hear me”: Social engineering or part of the call?

    Have you ever received a phone call where the caller’s first question is, “Can you hear me?”

    There has been a lot of talk on the internet since around 2017, with people saying they were encouraged to say “Yes!” only to later have their recorded voice used to pay for services.

    Disclaimer: I am not a lawyer, and I do not play one on television. I am however familiar with social engineering. I can tell you, in my professional opinion, of all the things that never happened, this never happened the most. 😉

    But… really? Is this for real? Or is it fear mongering, which is quite common on the internet? With a simple one word answer, can someone really steal my identity, or obligate me to a purchase?

    Can I be obligated with a single word?

    Yes...No...Maybe

    The answer is: probably not. Realize that you likely have dozens of video clips of you and your friends on YouTube, Instagram, TikTok, or Facebook. And can a single word be used to identify you? The perpetrators of this likely hoax are saying that a bad actor can order something on the internet, be on a call with whatever salesperson for however long they need to be, and then at the crux of the call change their voice completely and splice in your voice for a single-word response, “Yes”?

    Does that even sound reasonable? Of course it doesn’t. But it makes for good clickbait, and fear mongering creates a lot of interest. The problem is, it also distracts you from real adversaries. Distractions are sometimes fun, but they are usually not a very good use of your time.

    Why the “Hello can you hear me” then? What are more reasonable thoughts on why these calls come in with that odd question?

    Confirming you are a real person

    Robocall

    The most likely reason for the “Can you hear me?” is a robocall, where the calling company doesn’t want to waste the time of a real agent. Robocall companies operate on volume – the more calls, the better, because some percentage of people will actually buy what they are selling.

    If an answering machine answers, there is no reason to waste a real agent’s time. When the “just say yes or no” prompt happens, it is because the robocall recognized a voice but thinks it may have reached an answering machine.

    Buying time for the operator

    A second reason is that the robocaller has just transferred the call to a real agent, who is trying to buy time in the awkwardness of having the phone answered. You may have said “Hello” or something else, and they don’t know what you said, so to make you think they were having phone issues, they ask you to basically repeat yourself with the cue, “Hello? Hello? Can you hear me?”

    Final thoughts

    There are many reasons that a caller would ask whether the called party can hear them, including

    • A delay tactic, while being transferred to a live agent.
    • A simple way to start a conversation and to get the other person to respond.
    • A way for the scammer to test the audio quality of the call and to make sure that they are able to understand the other person.
    • A way to gauge the other person’s interest in the scam. If the other person responds positively to the “Can you hear me?” question, the scammer is more likely to continue with the scam.
    • A way to confuse or startle the other person, making them more likely to fall for the upcoming scam in confusion.
    • A basic sales tactic: get the potential buyer used to saying “yes” during the conversation.

    Now that said, these are my professional opinions. And remember, just because you are paranoid doesn’t mean they aren’t out to get you, so hanging up the phone is the right thing to do.

    From: Your local computer security friend.

  • Watering Hole attack: Cybercriminals subvert your most vulnerable favorite websites

    A watering hole attack is a type of cyberattack in which the attacker targets a website or online service that is known to be frequented by the victim’s target audience. The attacker then compromises the website or service and injects malicious code into it. When the victim visits the website or uses the service, they are infected with malware.

Watering hole attacks are a more sophisticated type of attack than phishing attacks. They are also more difficult to defend against, as the victim is not actively tricked into clicking on a malicious link.

The skill of attack: How watering hole attacks work

There are two broad categories of watering hole attacks.

Opportunistic watering hole

The first is the opportunistic watering hole attack. In the opportunistic case, the attacker has discovered a vulnerable website, compromises it, and waits for any victim to happen by.

An opportunistic watering hole attack typically follows these steps:

  1. The attacker identifies a website or service that can be compromised.
  2. The attacker compromises the website or service and injects malicious code into it.
  3. Any victim visits the website or uses the service.
  4. The malicious code is executed and the victim is infected with malware.

Targeted watering hole

The second is the targeted watering hole attack, in which the watering hole is a site known to be used by a specific victim. This is a more sophisticated attack against a known, specific target.

A targeted watering hole attack typically follows these steps:

  1. The attacker enumerates websites and online services that are known to be frequented by the targeted victim.
  2. The attacker enumerates vulnerabilities on the websites and online services.
  3. The attacker compromises the websites or services and injects malicious code into them.
  4. The victim visits the website or uses the service. In order to evade detection, the attacker may include checks so that the malware runs only on the identified target and stays inert for any other visitor.
  5. The malicious code is executed and the victim is infected with malware.

The malware can then be used to gain access to the victim’s computer or network, or to steal data.

How to defend against watering hole attacks

There are a number of ways to defend against watering hole attacks, including:

  • Educate users about the risk that even a trusted, frequently visited website can be compromised.
  • Use security software on user systems.
  • Monitor websites for unexpected changes such as injected code.
  • Use intrusion detection systems to spot the resulting malware activity.

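One way to act on the “monitor websites” advice, as an added example that is not the author’s code: a site owner records the scripts a known-good copy of a page serves, then compares later copies against that baseline and flags any new external script source or inline script, which is what an injected watering hole payload looks like from the server side. The sample HTML and the placeholder hostname are constructed.

```python
"""Script-integrity check for a monitored web page (added example, not the
original post's code).  The HTML samples below are constructed."""
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and SHA-256 hashes of inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = set(), set()
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies here
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._in_script = False

def record_baseline(html):
    """Return (external srcs, inline hashes) served by a known-good copy."""
    p = ScriptCollector()
    p.feed(html)
    return p.external, p.inline

def find_unexpected_scripts(html, baseline_external, baseline_inline):
    """Return (new external srcs, new inline hashes) not in the baseline."""
    external, inline = record_baseline(html)
    return sorted(external - baseline_external), sorted(inline - baseline_inline)

# Constructed sample: a known-good page, and the same page after an attacker
# injected one external loader and one inline script (placeholder hostname).
KNOWN_GOOD_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {tracking: false};</script>
</head><body><p>Welcome</p></body></html>"""
SUSPECT_HTML = KNOWN_GOOD_HTML.replace("</head>", (
    '<script src="https://cdn.example-placeholder.invalid/loader.js"></script>'
    "<script>/* injected code would go here */</script></head>"))

if __name__ == "__main__":
    print(find_unexpected_scripts(SUSPECT_HTML, *record_baseline(KNOWN_GOOD_HTML)))
```

The same comparison works against a periodically fetched copy of any site your users frequent; a new script source that nobody deployed is the signal to investigate.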
Conclusion

Watering hole attacks are a serious threat to organizations and individuals. By taking steps to educate users, use security software, monitor websites, and use intrusion detection systems, organizations can help to protect themselves from these attacks.

  • The first rule of security: “Be aware” of your surroundings

    The COVID19 Coronavirus situation has affected our families, our homes, and our work environments. Our children are home, some people are new to working remotely, others have to be extra vigilant in keeping their areas clean and sterile, and still others are stressed and overworked with heavier caseloads and more patient care than is common.

    Internet Bad Guys!

    During these stressful times, the Internet Bad Guys are going to do their best to trick you. They are working hard to entice you to do the wrong thing. The Bad Guys are going to strike your nerves with Fear, Uncertainty, and Doubt, three of the most powerful influencers ever used against mankind.

    How can you protect yourself? The same methods you use to keep yourself safe “in real life” will also secure your digital world — be aware! Know your contacts, know your computer, and know your context. Let’s take a look.

    Know your contacts (your people, your connections)

    • Do not open links from unknown contacts! Do not open files! Are you receiving more emails about “COVID19”? Information about your stimulus check? Brand new “Preventions” and “Cures”? A source for toilet paper and masks? Do not click those links unless you know the sender, and do not open attachments. These social engineering techniques are known as Phishing attacks.
    • Are you receiving phone calls asking for information? Spoofing Caller ID is easy; do not rely on Caller ID alone to identify the caller. Be especially vigilant with odd requests, such as sending money or a caller suggesting that you open a web page. These social engineering techniques are known as Vishing attacks.
    • Did you receive a USB memory stick in the mail or find one while shopping? A “Free Gift” from Best Buy or your favorite shopping site? “Proprietary Information” from your employer? Just toss it in the garbage. USB drives can be used to spread viruses, and if you do not know where one came from, it is not worth risking a computer virus infection. These social engineering techniques are known as USB Drop attacks.

    Know your computer (your systems)

    • Be aware when things are not working correctly, or seem particularly slow. Contact your manager or help desk if you notice anything that “doesn’t seem right”.
    • Keep your computers and phone software up to date. Install all security updates when they are available. Make sure your virus protector is on and updated.

    Know your context (your surroundings, your work environment)

    • Just like in the real world, know your surroundings. Be aware of who is around. Be especially aware when discussing sensitive information. Our environments are rapidly changing, and our work lives and home lives are now more tightly integrated than just a few weeks ago. Know who is around when you are discussing sensitive information, whether it be financial information, patient data, or anything else that should be kept private.

    Famous last words

    Take care of yourself

    Remember, security starts with you. Be aware, be conscious of your surroundings, and be knowledgeable about your rapidly changing work environment. 

    Fear, uncertainty, and doubt: three powerful influencers, especially at times like today when our physical health is threatened. Let’s be careful out there.

    Tell me more! What are your safety tips? How can we all be safe out there?

  • Vishing Scams: How to Safeguard Yourself from Deceptive Voice Attacks

    “AHA advises hospitals to be alert for potential ‘vishing’ attacks”

    “Hackers Extradited to U.S. over $18M Vishing Scam”

    Vish is the new Phish!

    Have you received a threatening call from the government? The urgent message will demand that you pay an immediate fine or tax or penalty; or else face imminent arrest by the IRS, or revocation of your medical credentials, or something even worse. 

    These calls are known as “vishing” campaigns in the espionage and social engineering subculture. Vishing is a social engineering technique very similar to the familiar email “phish”; however, instead of email, a vish relies on voice calls and voicemails.

    A. Vishing examples

    As with phishing emails, vishing voice calls take many forms. In all the forms, you will receive a time-sensitive message alerting you to impending doom. Let’s take a look at a few common vish campaigns.

    1. Jail threats with the DEA or IRS

    A popular vish impersonates the Drug Enforcement Administration (DEA), calling to explain that there has been suspicious drug prescription activity or some other anomaly associated with your medical license. If you deny any association with the fraud, the caller may demand to validate that you are actually you: they’ll need you to provide your medical license number, maybe your home address, and a credit card with your name on it. Or they may demand that you pay a fine or face revocation of your license. If you don’t pay, the caller will have to immediately notify the hospitals where you have privileges. Of course, the fine can be paid by way of Western Union or MoneyGram.

    Another vish impersonates the Internal Revenue Service (IRS), calling about delinquent tax liens. In this scenario, the caller may claim to be at your address waiting for you, but of course you are at work or at another location. They may have your home address, and the caller ID will normally be spoofed to show a real government agency such as a local police station. The caller will give you the option of either paying the debt or being arrested, and may demand that you call an “agent” at another phone number to make arrangements for payment.

    2. Bank, telephone, or company

    Banks and other companies are also popular vish impersonations. The caller ID may actually show your bank’s number (do not believe the caller ID!). The scheme may describe suspicious activity on your account, or maybe even an upgraded card that is now available to you. The caller may have the last four digits of your account number (fairly easy to find, since it is on nearly every receipt). To prove that you have the card in your hand, the caller will ask you to verify the remaining digits, your billing address, or the three-digit code on the back of the card. In general, just say no. If you believe the call is actually from your bank, call the bank back on the number on the back of your card.

    3. Hospital or school emergency

    Another vish is the emergency call from a hospital or school. Your child, mother, or spouse has been involved in an accident, and the caller needs your permission to treat your loved one. In order to verify your identity over the phone, they’ll need some form of personal identification such as your birthdate, or your social security number, or a bank card number.

    B. Vishing: Don’t be a victim

    Vish are ever evolving. There is no way to know what tomorrow’s vish will be. That said, here are a few tips to help you avoid being a victim.

    1. Be suspicious!

    Avoid responding to phone calls unless you know the caller and understand the implications. Research the caller’s identity. If you call the caller back, avoid using the contact information provided by the caller. Instead, use a known valid number if at all possible, such as the number on your bankcard, or a known contact number for the government agency from which the caller is claiming association. 

    Do not go to websites the caller provides since the website may be infected with malware. Instead, go to the official websites that you know are valid and use the official phone numbers available to you.

    2. Keep secrets secret!

    Often the vish is used to get “just a little more” information about you for an even bigger fraud like identity theft or creating credit cards in your name. Therefore, avoid confirming or providing personal information to the caller. Sensitive information like account numbers, Social Security Number, addresses, passwords, birthdates, and even mother’s maiden name can be used against you.

    3. Maintain your personal, financial, and professional contacts!

    Update your mailing addresses, phone numbers, and email addresses with important organizations. Notify your employers, banks, and legal institutions when personal contact information changes.

    4. What if you think you are a victim?

    Report the situation to the affected parties. Contact your leader if you have been vished at work or if the vish concerns a work-related context such as your medical license. Contact your bank if your financial accounts are compromised. Change all passwords for accounts that are compromised. Watch for signs of identity theft. Consider reporting the phone call to the police if you feel physically threatened.

    5. Most of all, be alert!

    Social engineering attacks take many forms, and not all forms are easy to spot. Technology safeguards alone cannot protect you. You must be able to outsmart “the bad guy”. Look for signs of trouble, question everything, and ask probing questions instead of answering them. 

    Remember, security starts with you.

    C. The Trojan horse

    Sometimes all that glitters is not gold. A little cuddly teddy bear might be vicious ransomware instead.

    Social Engineering is a confidence fraud and takes many forms. A classic social engineering swindle happened during the Trojan War. As the story goes, after ten years in an exhausting and unsuccessful siege against Troy, the Greek army packed their bags and set sail leaving an enormous wooden horse to the Trojans – a gift seemingly to say, “We lose, you win”. 

    The Trojans wheeled their new bounty into the gates and celebrated their victory with food, drink, and glad hearts! Only, this horse was not a gift. Greek warriors filled the horse, warriors who waited patiently until the Trojans fell asleep. The warriors then violently took over the city.

    Today, Trojan software is a particular class of malware that tricks users by appearing to perform legitimate operations while actually doing something nefarious. In the world of vishing, the Trojan caller is the caller masquerading their identity as the bank, IRS, or hospital; when in fact, the caller is really part of a scam. Note to self: Do not fall prey to the deceptive Trojan horse!