People Are (Still) The Biggest Security Risks

Uploaded on 2016-04-13 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Resilience

We're battling thousands of years of evolution," says Kevin Epstein, vice president of the Threat Operations Center at Proofpoint. "It's natural to be curious about things. Unfortunately, with email scams, it's better to think before you click."

One more reason we – the collective “we,” that is – continue clicking on malicious links or downloading bogus attachments, despite being told not to: hackers have gotten much better at pretending to be someone they're not, using social engineering to slip past our guard by masquerading as someone else.

It's worked, too. An employees at Seagate was recently the victim of an email phishing scam that lead to the release of W-2s of past and current employees, W-2s that include Social Security numbers and salaries among other personal information. An employee at Snapchat was also just phished into sending out payroll information into the wrong hands.

"Criminals are getting a little bit more sophisticated," says Seth Hamman, assistant professor of computer science at Cedarville University. "The ones making the headlines now are probably not emails with bad grammar or infantile attempts to trick people."

Why it works

You'd think that, by 2016 we'd be smart enough to know not to download anything from anyone we don't know and not to click on links from unknown sources. And generally we are. But hackers are using social engineering to mask their true intentions - and even where those emails are coming from.

In its "The Human Factor 2016" report, Proofpoint found that last year, hackers were much more likely to use email scams to get at us, and that 99.7 percent of documents used in attachment-based campaigns relied on social engineering and macros to work. They also found that 98 percent of URLs in scam messages link to hosted malware. In both cases, criminals relied on users to put the hack onto computers themselves.

"Attackers are leveraging what's been hard wired into our DNA," says Epstein. "Curiosity killed the cat. Curiosity also gets you malware."

Hackers also know when to go in for the kill. Proofpoint found that emails come in at from 9 to 10 a.m., and that Tuesdays are heaviest delivery days. These windows are chosen because that's a time when receivers of those emails may have their guard down: not on Monday when you're right back to work but Tuesday after you've caught up for the weekend, but at a time when you may not have had your coffee yet and are rushing to your first meeting.

Plus, the attachments tend to be what they say they are. "The attachment will claim to be a video file or a Word document and you open it and it will play a video or you will see a Word document. But it's also doing other things in the background," says Epstein.

Social engineering expertise

The survey also found that social engineering is being used in highly targeted attacks on key business players to masquerade as higher ups. Most often, the end result is money being transferred to fraudulent bank accounts.

That may sound unbelievable. Who would send money to a stranger? But the hacker doesn't look like a stranger. One kind of scam, which Epstein calls "low level sophistication," will involve 10-15 emails between the potential victim and the attacker.

"It's not an attacker opening with 'hey this is your CEO please transfer money.' They opened with a 'John this is Sally. I had some questions about a recent invoice,' and then John responded to 'Sally' and then some other things, and in the course of conversation it got down to a transfer situation."

A more sophisticated version of this kind of attack is that John would receive an attachment based email, and the attachment would modify John's email settings so that the next time John gets a message from CEO Sally, it wouldn't go back to Sally but to the attacker who would then forward it to Sally.

"At some point, the attacker would then insert into one of the CEO's emails an extra paragraph or two," he says. "These are not blunt, easily detectable things. These are emails that are written in the native language adopting the tone of the executive's email addresses that appear to be exactly the same, modifying very slight or using hidden settings that you don't see."

It's a higher tech version of an old scam, Epstein adds. "2014 was the year of figuring out how to bypass the alarm system and sneak in," he says. "2015 was the year of showing up with a package under your front arm and knocking on the front door."

Your information is out there

Social engineering is what is making these kinds of scams possible and, says Hamman, not surprising given how much of our information there is to engineer. "So much of our personal identifying information is out there," he says. And he's not just talking that to what you post on twitter. In the last three years, he's been alerted that he's been a victim of a data breach four times.

"My information – who knows where it is and if my information ends up in the wrong hands, they know my birthday, social security number, may or may not know my credit card numbers," he says. When someone is targeted by a criminal who knows this information, the target is more likely to think that the person is who they say they are. "These are sophisticated attacks that people are falling for because the attacker has done their homework," he says.

Last year, Frank Abagnale, who was the real life con-man behind Catch Me If You Can (and has worked for the FBI for more than 40 years), said, “What I did 50 years ago as a teenage boy is 4,000 times easier to do today because of technology,” adding that “technology breeds crime. It always has, and always will.”  He hasn't been proven wrong yet.

CSO Online: http://bit.ly/1TM0W8p

« SMEs Underestimate The PR Damage Caused By A Cyber Breach
Three Reasons To Revise Your Cyber Security Plans »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

AON

AON

Aon is a leading global provider of risk management (including cyber), insurance and reinsurance brokerage, human resources solutions and outsourcing services.

AVR International

AVR International

AVR educate, advise, analyse and provide professional, technical consultancy and support to ensure your business is safe, compliant and protected.

Paladion

Paladion

Paladion is a provider of managed IT security services.

Guardea Cyberdefense

Guardea Cyberdefense

Guardea Cyberdefense is an IT services company specializing in the management of security projects, with a pool of skills selected from a network of specialized partners.

Japan Information Security Audit Association (JASA)

Japan Information Security Audit Association (JASA)

JASA is non-profit association active in developing and managing the quality of Information Security Auditing and Auditors in Japan.

DataSunrise

DataSunrise

DataSunrise Data-Centric high-performance security software protects the sensitive data in real-time in cloud or on premises, and helps organizations to stay compliant.

Cyscale

Cyscale

Cyscale automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

PhishX

PhishX

PhishX is a SaaS platform for security awareness that simulates Cyberthreats, train people, while measure and analysis results, reducing Cybersecurity risks for People and Companies.

IEEE Cyber Science and Technology Congress (CyberSciTech)

IEEE Cyber Science and Technology Congress (CyberSciTech)

CyberSciTech provides a platform for scientists, researchers, and engineers to share their latest ideas and advances in the broad scope of cyber-related science, technology, and application topics.

Google for Startups

Google for Startups

Google for Startups is Google’s initiative to help startups thrive across every corner of the world.

Delfigo Security

Delfigo Security

Delfigo Security, a pioneer in intelligent authentication, provides a strong, multi-factor authentication solution to prevent identity theft and reduce fraud.

DataExpert Singapore

DataExpert Singapore

DataExpert Singapore provide solutions and services in the areas of Digital Forensics, Data Recovery, Data Duplication, Data Degaussing & Wiping, Data Destruction, and IT Disposal.

Com Olho

Com Olho

Com Olho provides the measurement, analytics, quality assurance, and fraud protection technologies brands need for their business and customers.

Tech Seven Partners

Tech Seven Partners

At TechSeven Partners, we provide a full suite of cyber security solutions for your business including network monitoring, onsite and cloud backup solutions, HIPAA or PCI compliance.

Munio

Munio

Munio is a leading Fortified IT Support and Cyber Security companies in the south east of the UK.

4Geeks Academy

4Geeks Academy

4Geeks Academy hosts coding bootcamps that provide students with job-ready tech skills.