How Does Anyone Avoid Remote Social Engineering?

Social engineering is the practice of using human interaction to persuade people to break their normal security processes. It can use the newest technology, but technology isn’t necessary to reach the goal. In its physical and phone-scam forms it predates computers entirely; it is the con game of cyber thieves. Today, while physical social engineering is still very much alive and well, remote social engineering is gaining steam because of how much information about people and organizations can be found on the Internet.

A social engineer spends roughly half of his or her time researching potential victims, and a significant portion of that information comes from online sources. LinkedIn, for example, is a wealth of information, because people post their professional history and current role there. A social engineer collects data from various personal and professional sites, identifies weaknesses, and uses them against the target.

One tactic on the rise is business email compromise, or BEC. According to the FBI’s Internet Crime Complaint Center (IC3), this scam has cost businesses of all sizes more than $3.1 billion in combined exposed losses since the IC3 began tracking it in October 2013 (the figure is cumulative, not per year), and identified losses increased by 1,300% between January 2015 and mid-2016. Yes, those are the correct figures. It has been reported from all 50 states and from 100 countries.

BEC uses remote social engineering, typically phishing email, to convince someone in an organization to wire large sums of money to the criminals’ bank accounts or, increasingly, to send human resources data such as employee W-2 forms. W-2 scams recently caught out Seagate and Snapchat. The stolen forms feed identity-theft tax-refund fraud, which was estimated at about $21 billion for 2016.

Limit the information you post about your company or its business on the Internet. Even if you use the privacy settings available on your social media sites, you should treat all information posted on the Internet as available to the general public.

Remember not to get caught up in how you think a cyber thief should look or sound. People who perform remote social engineering are not restricted to the stereotypical hacker sitting in a dark room at a computer. Nation-state actors, competitors after trade secrets, and criminals just wanting a big payday all use social engineering tactics and strategies. Motivations vary; the most common is financial gain.

Most of the time, the signs that a con is occurring are so subtle that the targets don’t know what is happening. The game is played by exploiting the human desire to be helpful and by building trust on a personal level. Always be aware of who is asking for information, especially when the information is sensitive or some cost is attached to the request. If there is any suspicion at all, just say “No” and verify the request through a channel you already trust.

© Copyright 2017 Stickley on Security

FBI Issues Revised PSA Warning of BEC Scams

The FBI’s Internet Crime Complaint Center (IC3) recently issued a public service announcement (I-050417-PSA) updating previous warnings about the continued increase in business email compromise (BEC). This is a sophisticated scam that relies upon the victim being tricked into performing a fraudulent wire transfer or giving up other sensitive information such as W-2 details. While the crime can be carried out against any type of organization, the IC3 particularly warns those that work with foreign suppliers or that regularly perform wire transfers.

The IC3 uses the term E-mail Account Compromise (EAC) for the same scam when it targets individuals rather than businesses. In both forms, the scammers single out people who have authority to perform wire transfers and then send email requesting the action. Often they impersonate a manager or someone with significant authority within the organization, such as the CFO, either with a spoofed or look-alike address or from that person’s real mailbox after compromising it.

Any time a request like this is made, it is critical to verify it before taking any action. According to the IC3’s updated statistics, there were over 40,000 BEC/EAC incidents costing over $5.3 billion between October 2013 and December 2016. In the last half of 2016 alone, these scams cost U.S. victims over $346 million.

These scams can be avoided by taking just a few steps:

-Always have a second person verify any wire transfer before it is sent.

-Confirm with the requestor that he or she did indeed ask for it. Do this by placing a phone call to a number you already have on file, walking to his or her desk, or starting a new email message to the address you know is correct. Never reply to the request itself or call a number it supplies.

-Trust your instincts if a request seems strange. The boss would rather be questioned than find out you sent off a fraudulent wire transfer.

Use caution about what information you provide on social media and business networking websites such as LinkedIn or Xing. Often, this is exactly how the scammers find out whom to target. If you work in the accounting department, consider leaving your exact title off your profile and listing broad descriptions of your job duties instead.

According to this recent PSA, the IC3 saw a “50% increase in the number of complaints in 2016 filed by businesses working with dedicated international suppliers.” It also saw a 480% increase in complaints regarding real estate transactions.


Facebook and Google Scammed Out of Millions – Stark Reminder That Anyone Can Be a Victim

Here is another reminder that businesses, regardless of size, should continue to be vigilant with cybersecurity training and awareness programs. Two large and well-known organizations were targeted in a business email compromise (BEC) scam that resulted in significant financial losses. While it isn’t the first time BEC has been in the news, the amount of money involved and the companies affected may be surprising.

In March, the U.S. Department of Justice (DOJ) said that a man overseas had created a company impersonating an “Asian-based manufacturer of computer hardware” that had dealings with Google and Facebook. The Taiwanese company Quanta Computer (Quanta) was later identified as the impersonated manufacturer.

It was an elaborate and very well planned phishing scam. The suspect, Evaldas Rimasauskas, registered and incorporated a company in Latvia using the Quanta name. He then opened and controlled bank accounts in Latvia and Cyprus. He crafted email messages pretending to be the vendor and sent them to targeted employees at Google and Facebook. The result was the theft of over $100 million, which those employees authorized to be wired to Rimasauskas’ overseas bank accounts.

It is easy to get in a rush and respond to email messages quickly. Many employees handle dozens or even hundreds of messages on any given day, so it is understandable that mistakes are made. However, when it comes to those who have authority to set up or wire money to and from company financial accounts, it is crucial to confirm every such request out of band before acting.

Organizations also should have clear processes in place for wire transfers.

These should include:

-A requirement that any transfer be confirmed by multiple people
-A confirmation step with the vendor or third-party contact by telephone, using a number already on file, or in some other manner besides replying to the message; any change to a vendor’s bank details should be verified the same way
-Thorough validation that the sender’s email address is legitimate, not merely that the display name looks right
-Procedures for what to do should there be a mistake
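The address-validation step above can be partly automated before a request ever reaches the person who approves payments. The following is an added example written for this article, not code from the original page, the FBI, or any of the companies named: a small Python screen that checks a message’s From and Reply-To headers for display-name spoofing, diverted replies and look-alike sending domains, and flags language about changed bank details or urgency. The vendor domain example-vendor.com, the two sample messages, and the phrase and homoglyph lists are all constructed for illustration.

```python
"""Automated pre-screening of an inbound payment request before a human verifies it.

Added example (not from the original article or any vendor). The vendor domain,
the messages, the phrase list and the homoglyph table are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

# Assumed: the only domains from which this vendor's invoices may legitimately come.
KNOWN_DOMAINS = {"example-vendor.com"}

# Phrases typical of a bank-detail switch or pressure to pay quickly (illustrative set).
PAYMENT_CHANGE_PHRASES = ("new account", "new bank", "updated bank", "changed our bank", "urgent")

# Digits commonly swapped for look-alike letters (illustrative set, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})


def normalize(domain):
    """Collapse common look-alike substitutions so 'examp1e-vendor.com' reads as 'example-vendor.com'."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w").replace("cl", "d")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates, or None if it is exact or unrelated."""
    d = domain.lower()
    if d in known:
        return None
    for k in known:
        if normalize(d) == normalize(k) or edit_distance(d, k) <= 2:
            return k
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def screen_message(raw):
    """Return a list of (code, detail) findings; an empty list means the automated checks found nothing."""
    msg = email.message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display-name spoofing: the visible name carries a different address than the real sender.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append(("DISPLAY_NAME_SPOOF", f"name shows {embedded.group(1)}, sender is {from_domain}"))

    # 2. A Reply-To on another domain silently diverts the conversation.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("REPLYTO_MISMATCH", f"replies go to {domain_of(reply_to)}"))

    # 3. Look-alike sending domain, or simply one we have never paid.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("LOOKALIKE_DOMAIN", f"{from_domain} imitates {imitated}"))
    elif from_domain not in KNOWN_DOMAINS:
        findings.append(("UNKNOWN_SENDER", from_domain))

    # 4. Language asking to change where the money goes, or to hurry.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [p for p in PAYMENT_CHANGE_PHRASES if p in text]
    if hits:
        findings.append(("PAYMENT_CHANGE_LANGUAGE", ", ".join(hits)))
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "Maria Lee <maria.lee@example-vendor.com>" <maria.lee@examp1e-vendor.com>
Reply-To: accounts@vendor-remittance.net
To: ap@example.com
Subject: URGENT: remittance details for invoice 4471

Please process this week's payment to our new account; details attached.
"""

LEGIT = """\
From: Maria Lee <maria.lee@example-vendor.com>
To: ap@example.com
Subject: Invoice 4471

Attached is invoice 4471, payable per our standard terms.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, screen_message(raw))
```

A finding here is a reason to pick up the phone, never a reason to skip the call: a clean result only means the automated checks found nothing, and a message sent from a genuinely compromised vendor mailbox passes all four. Treat it as a pre-filter for the human verification steps, not a replacement for them.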

You might be asking how Rimasauskas knew which employees to target. Consider the amount and type of information that people publish on social networking and business networking sites. LinkedIn alone has most, if not all, of the information someone attempting a scam like this one needs. So consider preparing guidelines for employees so that they don’t give away so much.

In a press release regarding this case, Acting U.S. Attorney Joon H. Kim said, “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”


Google Warns of Wide-Spread Phishing Scam That Can Steal Your Account Info

If you get a request to view or edit a Google Docs file, think carefully before clicking any links. Google is reporting an ongoing, widespread phishing scam that does not need your password at all: it tricks you into granting a malicious app access to your Google account, after which the app reads your email and spams your contacts with the same message.

If you have already clicked, there is some recourse. Go to your Google account’s Connected apps & sites page (under Sign-in & security) and remove the unfamiliar app calling itself “Google Docs”; that revokes the access you granted. Then change your Google password and enable multifactor authentication (MFA) if you haven’t already done so. Note that changing the password alone does not revoke an app’s access.

The link in the phishing email takes users to a genuine Google sign-in and permission screen, which is why it looks so realistic. What that screen actually does is grant a malicious third-party web app, named “Google Docs” by its author, permission to read your mail and contacts. That is where access to your account is handed to the cybercriminals.

The difference between this phishing scam and others is that it abuses Google’s own app authorization (OAuth) flow: anyone can register a non-Google web app and give it a bogus name, and the permission screen shows that name.
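To make the mechanism concrete, here is an added example (not Google’s code and not from the original article) showing how to triage such a consent link before clicking it. The link itself is constructed: the client_id and the redirect domain docs.not-really-google.example are hypothetical, while the scope URIs in the table are real Google API scopes. The point the script makes is the one that matters: the page is Google’s genuine consent endpoint, so the host looks right, but the scopes and redirect reveal what a third-party app is really asking for.

```python
"""Triage an OAuth authorization (consent) link before clicking it.

Added example, not Google's code or the original article's. The links below are
constructed: the client_id values and redirect domains are hypothetical. The scope
URIs are real Google API scopes; the risk wording is this example's own judgment.
"""
from urllib.parse import urlparse, parse_qs

# Real Google scope URIs and what each one grants (labels are this example's own).
SCOPE_RISK = {
    "https://mail.google.com/": "full read/send/delete access to Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/contacts": "read and write your contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read your contacts",
    "https://www.googleapis.com/auth/drive": "full access to Drive",
}
# Identity-only scopes: a plain sign-in, no mailbox access.
LOW_RISK = {"openid", "email", "profile"}

# Assumed: hosts your organization has approved for third-party apps (hypothetical).
APPROVED_REDIRECT_HOSTS = {"sso.example.com"}


def triage_consent_url(url):
    """Return a dict describing what the consent link would actually grant, plus a verdict."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    scopes = " ".join(params.get("scope", [])).split()  # scopes are space-separated
    redirect = urlparse(params.get("redirect_uri", [""])[0])
    high = {s: SCOPE_RISK[s] for s in scopes if s in SCOPE_RISK}
    unknown = [s for s in scopes if s not in SCOPE_RISK and s not in LOW_RISK]
    report = {
        "is_google_consent_page": parsed.hostname == "accounts.google.com",
        "client_id": params.get("client_id", [""])[0],
        "redirect_host": redirect.hostname or "",
        "redirect_approved": (redirect.hostname or "") in APPROVED_REDIRECT_HOSTS,
        "high_risk_scopes": high,
        "unknown_scopes": unknown,
        # access_type=offline yields a refresh token: access persists until explicitly revoked.
        "persistent_access": params.get("access_type", [""])[0] == "offline",
    }
    if high and not report["redirect_approved"]:
        report["verdict"] = "DENY"
    elif high or unknown:
        report["verdict"] = "REVIEW"
    else:
        report["verdict"] = "ALLOW"
    return report


# Constructed link in the style of the 2017 campaign: Google's real consent endpoint,
# but the app behind it (client_id, redirect) is not Google's.
SUSPICIOUS_LINK = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=123456789-abcdef.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs.not-really-google.example%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&response_type=code&access_type=offline&approval_prompt=force"
)

# Constructed benign sign-in request: identity only, returning to an approved host.
BENIGN_LINK = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=987654321-zyxwvu.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fsso.example.com%2Fcallback"
    "&scope=openid+email+profile&response_type=code"
)

if __name__ == "__main__":
    for link in (SUSPICIOUS_LINK, BENIGN_LINK):
        r = triage_consent_url(link)
        print(r["verdict"], r["redirect_host"], list(r["high_risk_scopes"]))
```

Google’s own products never need you to authorize a third-party app, so any consent screen for an app calling itself “Google Docs” is bogus on its face. For an app you do use, the scopes are what to read: an identity-only request (openid, email, profile) is a sign-in, while anything under mail.google.com or gmail.* is the ability to read and send your mail. Revoking access after the fact is done on the Google account permissions page, not by changing your password.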

Google has disabled the offending accounts, according to a statement, and later added that it had disabled the application as well, but it still advises users not to click on such links for the time being. Investigations are ongoing.


Student Loan Applicants Victims of Tax Fraud from Breached IRS Data Recovery Tool

The New York Times recently reported that criminals abused an Internal Revenue Service (IRS) tool that taxpayers can use to auto-populate student loan application forms on FAFSA.gov and studentloans.gov with their income tax data. This follows a previous IRS incident in 2015 involving the “Get Transcript” feature of the IRS site.

In this incident, the IRS estimates that up to 100,000 parents and students who applied for aid were affected. Thieves who already had a victim’s name, date of birth and Social Security number could start a FAFSA (Free Application for Federal Student Aid) in the victim’s name and use the tool to pull in the victim’s tax data, which they then used to file fraudulent returns with the IRS and claim the victims’ refunds. At this time, the IRS believes that fewer than 8,000 fraudulent returns were filed and refunds paid to thieves as a result.

All who have been victims of this or any incident in which Social Security numbers were accessed should take some steps to protect themselves from additional fraud and identity theft.

File income tax returns as early as possible every year. This prevents someone who may have saved your details from filing first in your name. A payment card number can be changed relatively easily, but a Social Security number stays with you and can be changed only under extreme circumstances and with great effort.

If you haven’t filed this year, contact the IRS proactively to find out whether you are among those affected. So far, the agency has notified 35,000 victims and will continue to send out letters.

Monitor your credit reports regularly. Everyone with credit in the U.S. is entitled to one free credit report each year from each of the three major credit reporting agencies (CRAs). You can get it from their sites, but watch for fine print asking for payment; if you see it, they may be trying to sneak in extra services and products that you are not required to purchase to get your free report. There is also a single website, annualcreditreport.com, where you can order all three. Report any suspicious accounts you see to the CRAs and get them resolved. Sometimes they are honest reporting mistakes, but sometimes they are fraud.

Add fraud alerts to your credit reports. An alert tells lenders to take extra steps to verify your identity before opening new credit in your name. It won’t stop a determined thief on its own and it won’t notify you by itself, so keep monitoring your reports.

If you have no need to apply for credit of any kind for a while, consider putting a credit freeze on your reports. This prevents anyone, including you, from opening new accounts. If you need to apply for something, you can lift the freeze temporarily. Be aware that this service usually costs a small fee per bureau and that there may be a lead time to remove a freeze.

If you do find fraudulent charges on any payment card or other account, report them to the issuer and change the passwords for those accounts immediately.

Report fraud and Identity theft to the Federal Trade Commission (FTC) and to your local law enforcement agencies. Sometimes, the CRAs will provide services free of charge to fraud victims with a police report number.

The IRS noticed an increase in FAFSA applications that were started but not finished in the fall, a possible indicator that fraudsters were at work. In addition, IRS Commissioner John Koskinen told a Senate Finance Committee hearing on the matter that the agency had had concerns several months earlier about the security of the tool. However, it chose to leave the Data Retrieval Tool up because there was no evidence of foul play at the time, and parents and students rely heavily on the tool so they don’t have to re-enter all the information manually.

The tool has been taken down and will not be put back until October, when new security measures are in place. Anyone needing tax return information from 2015 (the filing year needed for the current application period) will have to enter the information into the FAFSA manually. If you don’t have your returns, you can order a transcript from the IRS at its website.


Free Travel Coming Your Way Via Airlines. Or Is It Really?

The airline industry holds a lot of information on passengers, which is why impersonating airlines in phishing attacks is useful to cyber criminals. In response to a warning from Delta Air Lines, the U.S. Computer Emergency Readiness Team (US-CERT) recently issued an alert warning airline customers to be on the lookout for email messages attempting to gain access to personal and sensitive information.

Delta recently posted a notice on its website warning passengers about email messages claiming to be from the airline. These contain promises of free travel or prizes, invoices, or other documents, which Delta makes clear are fraudulent and may contain malware. The criminals go to great lengths to copy the company’s website, making it difficult to tell the fake from the real thing.

If you receive a message by email, social media, or any other channel promising free travel or prizes from any airline, treat it as suspicious. Before clicking any links or opening attachments, go directly to the airline’s website (type the address yourself) to verify whether the contest or giveaway exists. Most likely, it doesn’t. If it seems too good to be true, it is.

The Delta notice also states that the airline does not market to customers using giveaways and prizes.

Although Delta issued this particular notice, other airlines are not immune to similar scams and phishing attacks. Southwest’s name has often been used in scams seen on Facebook, and United experienced a breach of its systems in 2015. Loyalty programs for airlines, hotels, and others are frequently targeted by scammers because the points are easy to cash out.

When signing up for programs like these, always use strong passwords that include:

At least eight characters
Upper and lower case letters
At least one number
At least one special character

Passwords also should not contain personal or sensitive information such as birthdates, names, or addresses. Remember to change passwords regularly, even for loyalty programs, and to use a unique password on every site; a password manager makes both practical.

There is one last thing. If you are entering sensitive information into any website, such as payment card details, confirm that the connection is secure: look for the lock icon or “https://” before the address. But the lock only means the connection is encrypted, not that the site is genuine, since scammers can obtain certificates for their look-alike domains too. So also check that the domain name is spelled exactly right before pressing “enter” or “return.” When in doubt, don’t enter any information.
