Deciphering The Legitimacy of an Email: Sender and Receiver

Cybercriminals love email not only because it can be used to easily manipulate potential victims, but also because it is very easy to spoof. Cybercriminals will set up fake email accounts and corresponding addresses in order to make a message appear legitimate. Spoofed emails are difficult to identify without a careful examination of the email message, specifically the email “header.”

Each email message contains two “headers.” The first is the visible header, which one can see at the top of any email message. The visible header contains the From, To, Date, CC, and Subject lines. We see visible headers every day but never pay much attention to them. Spoofing is so easy that it doesn't take a cybercriminal to manipulate the message header and change the sender's identity so an email looks like it is coming from someone else.

The second header is called the technical header, which I will discuss in my next post.

One way to begin deciphering the legitimacy of an email is by reviewing the visible email header, starting with the From: and To: fields.

From: The Sender 

  • Do you recognize the sender's email address? Check the address carefully, since a bad guy can spoof an address similar to one you are used to seeing. Check how the name is spelled, since the address could have one character dropped or additional characters added.
  • Does the email appear to be sent from someone inside the organization, but the subject and content are unusual in some way? For example, a manager asking you to buy gift cards when they have never asked you to do that before, nor do you have the authority to do so.
  • Does the sender's email address look familiar but actually come from a different domain than you are used to seeing? For example, instead of Your_Boss@Your.Institution the message comes from Your_Boss@yahoo.com.
  • Do you have no relationship with, nor any past communications with, the sender? These email cold calls may simply be “legitimate SPAM” but may be nefarious in intent.
  • Is the message from someone you haven't recently communicated with?
  • Is the message from a friend of a friend whom you may know by name but have never communicated with? Cybercriminals will often hack email address books and harvest such names.

To: The Recipient

Cybercriminals will send their email messages to a group of people in an attempt to get at least one to take the bait.

  • Is your address a CC on an email sent to one or more recipients you are unfamiliar with? If you don't recognize the other recipients, the criminal may have harvested an email address book in which your name appears. Instead of sending individual emails they do an email blast.
  • Is there any pattern to the other recipients, such as all names starting with the same letter?

If there is any question about an email or a specific request, pick up the phone and call the person you think sent the message to confirm its legitimacy.
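The From: and To: questions above can be turned into an automated triage script. The following is an added example written for this post, not code from the post's author: it parses a constructed sample message with Python's standard `email` module and flags a known display name paired with an outside address, a domain one character away from the organization's own, a sender with no prior relationship, and a CC list that looks like an address-book blast. The domain `your-institution.example`, the `KNOWN_CONTACTS` table and the sample message are assumptions standing in for a real address book.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: the "manager asks for gift cards" pattern, arriving from
# a webmail domain and CC'd to a batch of strangers whose names all start with A.
SAMPLE_MESSAGE = """\
From: "Jane Boss" <jane.boss@yahoo.com>
To: alice.adams@your-institution.example
Cc: aaron.ames@webmail.example, abby.ayers@webmail.example, adam.ash@webmail.example
Subject: Quick favor - gift cards
Date: Mon, 5 Mar 2018 09:12:00 -0500

Are you at your desk? I need you to pick up some gift cards today.
"""

# Assumed organisation data; a real deployment would load an address book.
TRUSTED_DOMAIN = "your-institution.example"
KNOWN_CONTACTS = {
    "jane boss": "jane.boss@your-institution.example",
    "alice adams": "alice.adams@your-institution.example",
}


def edit_distance(a, b):
    """Levenshtein distance; one dropped or added character gives a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(msg):
    """The From: questions from the post, applied to a parsed message."""
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr, domain = addr.lower(), domain_of(addr)
    known_addr = KNOWN_CONTACTS.get(name.strip().lower())
    if known_addr and known_addr != addr:
        warnings.append(f"display name '{name}' belongs to {known_addr} but the address is {addr}")
    if 0 < edit_distance(domain, TRUSTED_DOMAIN) <= 1:
        warnings.append(f"domain {domain} is one character away from {TRUSTED_DOMAIN}")
    if not known_addr and addr not in KNOWN_CONTACTS.values():
        warnings.append(f"no prior relationship with {addr}")
    return warnings


def check_recipients(msg):
    """The To: questions: unfamiliar co-recipients and suspicious name patterns."""
    warnings = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [a.lower() for _, a in getaddresses(headers)]
    unfamiliar = [a for a in recipients
                  if a not in KNOWN_CONTACTS.values() and domain_of(a) != TRUSTED_DOMAIN]
    if len(unfamiliar) >= 2:
        warnings.append(f"blast to {len(unfamiliar)} recipients you have no relationship with")
    initials = {a[:1] for a in recipients}
    if len(recipients) >= 3 and len(initials) == 1:
        warnings.append(f"every recipient's address starts with '{initials.pop()}'")
    return warnings


def analyze(raw_message):
    """Run both sets of checks and return the warnings grouped by header."""
    msg = message_from_string(raw_message)
    return {"sender": check_sender(msg), "recipients": check_recipients(msg)}


if __name__ == "__main__":
    for category, found in analyze(SAMPLE_MESSAGE).items():
        for warning in found:
            print(f"[{category}] {warning}")
```

Run against the sample, the script reports the webmail address behind the manager's name, the blast to three unknown recipients, and the shared initial. None of these is proof of spoofing on its own; they are the same prompts the post lists, surfaced before you read the body.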

Deciphering The Legitimacy of an Email

Cybercriminals utilize a wide variety of tools and tactics. By far the most popular tool is email. Criminals like to use email in part because it is very easy to spoof an email and an email address. There are even free sites that let you send one-off emails using a spoofed or custom disposable email address.

However, much more importantly for the cybercriminal, it is even easier to get the recipient to believe it is legitimate.

There are ways to help decipher an email, since most of the email tactics used by cybercriminals leave traces that help in determining whether the email has been spoofed. To uncover these traces one needs to take some time to break down the message.

The basic email header contains information such as From, To, Date and Subject, and the full header contains detailed information about where the email came from and how it was routed. The body of the email and any attachments can also provide additional traces that help determine the email's legitimacy.

Over the next series of posts I will be breaking down the content of an email to help decipher its legitimacy.

Social Engineering and Cybercrime

At one time the name Kevin Mitnick was synonymous with the term “hacker.” In his 2002 book, The Art of Deception, Mitnick claims he did not use software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security. Instead, he compromised computers solely by using passwords and codes that he gained through strategies to get people to unwittingly divulge information: file-less attacks. In 2017, 77% of US businesses were compromised through attacks and exploits which similarly did not involve the installation of malicious software, that is, through file-less attacks.

Social engineering is the psychological manipulation of an individual into performing an action or divulging confidential information. Cybercriminals leverage social engineering by stalking individuals in the social world and manipulating somewhat predictable levels of trust and gullibility [1]. The techniques used by cybercriminals are based on specific cognitive biases, attributes of human decision-making. These biases are exploited in various combinations in the creation of almost all attack techniques [2].

Cybercriminals use social engineering tactics because it can be easier to exploit an individual's natural inclination to be trusting than to spend time building software tools to break through firewalls and system security. In short, it is much easier for a cybercriminal to get someone to give up their password than it is to try to hack their password. By crawling through social information shared by the target in online profiles and social media posts, cybercriminals can craft a custom strategy to manipulate them into divulging confidential information or even into carrying out the malicious attack themselves through influence and persuasion.

 

Resources:

[1] Raman, Karthik, Susan Baumes, Kevin Beets, and Carl Ness. “Social Engineering and Low-Tech Attacks.” Chapter 19 in Computer Security Handbook, edited by Seymour Bosworth and Michel E. Kabay. John Wiley & Sons, 2002. https://onlinelibrary.wiley.com/doi/abs/10.1002/9781118851678.ch19

[2] Gutzwiller, Robert S., Sunny Fugate, Benjamin D. Sawyer, and P. A. Hancock. “The Human Factors of Cyber Network Defense.” Space and Naval Warfare Systems Center Pacific and University of Central Florida, 2015, pp. 113-122. https://doi.org/10.1016/j.jisa.2014.09.005

“Watering Hole” Cyber Crime Tactics

Twenty years ago cybercriminals used only a few techniques to lure in potential victims. One was sending an email with the subject line “ILOVEYOU” which contained an attachment that was a virus/worm that infected the user's machine. The second was sending messages from a Nigerian prince, who offers a share of a huge investment opportunity and then asks for your bank account number so they can transfer the money to you for safekeeping, in exchange for a small advance payment to cover the transfer expense.

Over the past two decades cybercriminals have become very sophisticated in their tactics. One methodology targets specific individuals in an organization so that they unknowingly allow the criminal to gain access to the organization's computer network. The tactic called the “watering hole” attacks an organization by compromising a web site that the target would generally trust, a watering hole.

To identify a watering hole to bait, the criminal first needs to deploy any number of commonly used tracking tools, like KISSmetrics or AddThis, to see which web sites are being accessed by the employees of an organization. This gives the criminal a map of the sites, from which they target vulnerable sites for infiltration, those which don't have strict security. The criminal then plants malicious code on the watering hole site and simply waits for users to revisit it.

Once users begin visiting the watering hole, their device is scanned for known security vulnerabilities. On any device identified as having a vulnerability, the criminal uses the “drive-by” download technique, meaning the criminal doesn't even need the visitor to click on a link or download any files. Instead, malicious code like a Remote Access Trojan (RAT) is downloaded in the background. When the code runs it scans for additional vulnerabilities, and exploit code that carries out the real intended network attack is delivered and executed.

 

Are Your Online Activities Being Tracked? (Spoiler: Yes)

Ever do a search on Amazon and then have the exact same product you were looking at pop up as an ad on a web or social media site? This happens in part because most Internet web-based services and Internet service providers actively monitor your network traffic.

This is not as nefarious as it seems, but your browsing habits are for sale and are highly valued by retailers and marketing companies. Very often an individual has actually consented to some level of tracking simply by agreeing to use a service. Still, there are ways you can limit what information about your online habits your web browser is exposing.

One quick way is by using Panopticlick, a site run by the Electronic Frontier Foundation (EFF), a San Francisco-based digital-rights advocacy group. This site evaluates your web browser's privacy quickly and non-invasively and then provides suggestions on how to limit the amount of information which is leaking out.

The EFF provides a description of Panopticlick in a blog post. What Panopticlick does is check your browser for four types of browser security. Does the browser:

  1. Block tracking ads, which harvest information from your browser without consent?
  2. Block invisible trackers, which are protocols sites implement to harvest user data, again without consent?
  3. Allow ads and scripts from third parties?
  4. Block fingerprinting, which identifies a user based on unique browser data?

While there are plenty of browser extensions out there that help to block trackers, the EFF promotes its own Privacy Badger. It should also be noted that the Panopticlick site only scans for those security issues the Badger mitigates. Still, using the EFF scanning service and the extension is a great start to better privacy!

What is Multi-Factor Authentication?

The traditional method for accessing online systems is through the use of a login name and password. An active online user may have a hundred login/password combinations to remember. Trying to remember all of those combinations inevitably leads to people using the same login and password combination, or writing them down somewhere, sometimes over, and over, and over again. One could call this single-factor authentication, since one only really needs to remember the password associated with an email address.

The problem with single-factor authentication is that to remember passwords people generally use things they know, like people's names, dates, etc. This puts a person at risk, since if the credentials for one account are discovered then access to multiple online accounts is a click or two away. To help individuals protect their online accounts, an increasing number of providers have implemented alternative authentication methods.

Multi-factor authentication is a method of confirming a user's identity only after they successfully present two or more pieces of information from independent categories of credentials, called factors. These factors may include knowledge (high school mascot?), possession (a phone to call), and inherence (biometric information like a fingerprint).

Two-factor authentication is the more commonly used subset of multi-factor authentication, utilizing a combination of only, you guessed it, two factors. An everyday example of two-factor authentication is using an ATM. ATMs require the correct combination of a bank card (a possession) and a PIN (knowledge) to allow a transaction. A popular two-factor approach used online involves sending a unique code to the phone paired with your account, or using a code generator like Duo.

To protect oneself, one should take advantage of two-factor and multi-factor authentication whenever an online provider offers them. They are reliable methods of verification. If neither is available, consider using a passphrase rather than a simple password.

 

Email: The Cybercrime Gateway

Billions of email messages are sent each day. The ease of use, speed of transmission, and relative anonymity of email have made it a tool for cybercriminals. One survey indicates that 91% of all cybercrime starts with an email.

Using email to commit cybercrime is almost as old as email itself. While there are many ways email can be exploited, here are the more common ones:

Phishing

The term Phishing is a generic term used to describe the very broad category of email techniques used by cybercriminals. Future posts will cover phishing techniques in greater detail.

Scamming

Based on the centuries-old Spanish Prisoner con, the infamous Nigerian 419 email scam of the 1990s is still alive and well in one form or another and is a classic phishing scam. It involves promising the potential victim a share of a large sum of money in return for an up-front payment. If someone actually makes the payment, the scammer either invents a series of further fees for the victim to pay or simply disappears.

Spoofing

A spoofed email is one that appears to originate from one source but is actually sent by another. Like neighbor spoofing, falsifying the name and/or email address of someone the receiver is likely to know increases the odds the person will respond or take the requested action (check out the funny joke in the attachment!). It is actually not too difficult to spoof an email address using relatively simple tools.

Spreading Trojans, Viruses and Worms

Email is perhaps the fastest and easiest way to spread malicious code. For example, the Love Bug reached millions of computers within 36 hours back in 2000, all thanks to email. Cybercriminals will bind the malicious code in e-greeting cards, fake virus patches, etc., and email them in messages which are written in a way to make the reader feel that immediate action is required.

Attachments

Attachments are a very common way to spread malicious code. The rule of thumb is to open only those attachments that you are expecting, even if they come from someone you know (remember: email address spoofing!). File names can be spoofed as well, so that an attached file that is actually a computer program can look as though it is a simple word processing file. If you are unsure, contact the person and ask if they sent it.

Links

Don't immediately click on the link(s) in emails. Keep in mind email spoofing, since a message may look like it is coming from someone you know! Hover your cursor over any links to double-check whether the destination URL is what it claims to be. To be extra careful, type out URLs manually instead of clicking links.
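The hover check compares the text a link displays with the address it actually opens. The block below does that comparison programmatically over an HTML email body; it is an added example, not code from this post, and the sample HTML with its `yourbank.example` and `login-yourbank.example.net` hosts is constructed for illustration. It uses only the standard-library HTML parser and flags every link whose visible text is itself a URL on a different host than the `href`. Links with generic text such as “click here” cannot be judged this way and are left for the reader to hover over.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body: the first link's visible text names the bank, but the
# href points somewhere else; the second is consistent; the third is generic text.
SAMPLE_HTML = """
<p>Your account has been locked. Please verify at
<a href="http://login-yourbank.example.net/verify">https://www.yourbank.example/verify</a>
within 24 hours. Questions? See
<a href="https://www.yourbank.example/help">https://www.yourbank.example/help</a>
or <a href="http://tracker.example/u/123">click here</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com/x' text is treated as http://."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """Only text that itself reads as a web address can be compared with the href."""
    return "." in text and " " not in text and not text.lower().startswith("mailto:")


def mismatched_links(html):
    """Return (text, href) pairs where the displayed URL is on a different host
    than the one the link really goes to, i.e. what hovering would reveal."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for text, href in parser.links
            if looks_like_url(text) and host_of(text) != host_of(href)]


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_HTML):
        print(f"shown: {text}\n  goes to: {href}")
```

On the sample, only the first link is reported: it shows the bank's address but lands on an unrelated host. The help link passes because text and target agree, and the “click here” link is skipped rather than guessed at.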

Getting SPAM Texts? Forward them to 7726

The use of text messaging is a growing tool for marketers. Many texts are legitimate and originate from service providers you may have given your number to. However, the number of SPAM text messages appears to be growing rapidly. According to the Federal Trade Commission, “It's illegal to send unsolicited commercial messages to wireless devices, including cell phones and pagers, unless the sender gets your permission first.” The same holds true for text messages that are sent by robo-callers.

If you're receiving random messages from unknown numbers or entities, it is probably illegal SPAM from someone phishing for information and trying to scam you. So, what can one do?

Report to your carrier

A little-known service provided by most cell carriers is SPAM reporting. On an iPhone, select the spam message by holding it down with your finger. A menu will pop up. In the lower right, select More and then the arrow icon. This will create a new message that can be forwarded. On almost all carriers, forward the message to 7726. Make sure to copy the phone number that sent the message, since an auto-reply may ask for it as well. Why 7726? It spells SPAM.

Block numbers

On an iPhone, go to the offending text and press the “i” in the upper right-hand corner. That is where you will find the option to block the number. There is no way for the robo-callers to know you've blocked them, so they can send all the messages they want. There is one caveat. The blocked number can still leave a voicemail, but you won't receive a notification. You may notice voicemails piling up on you.

Resist the urge

You may feel the urge to reply to a SPAM text. Maybe you want to tell them how you feel. Maybe you love practical jokes and you want to mess around. Don't. Don't even respond to their request that you reply “NO” to stop their messages. Engaging the sender in any way will make the problem worse.

*Don't Press 1*: Neighbor Spoofing

Odds are this HAS happened to you.

A call comes through on your phone. The caller ID shows it is coming from the same area code AND the same first three digits as your phone number. Your first thought is that it has to be a neighbor or someone in the community calling. Sometimes it is YOUR number calling you!

However, when you pick up it isn't a neighbor. Far from it. It turns out to be someone selling an exclusive vacation deal: just “Press 1” and you will get a fantastic price! This technique, called neighbor spoofing, uses an automated robocaller that generates a fake caller ID number that almost matches your number. It is an illegal activity meant to trick you into picking up and responding to their questions in an attempt to get you to give out or confirm personal information.

A robocall is a pre-recorded automated call, usually for telemarketing purposes.  While some robocalls are legitimate (emergency weather alerts), many calls can be predatory or deceptive.  In August 2017, the FTC issued a warning to Hurricane Harvey victims about a flood insurance scam in which homeowners were advised that their flood premium was past due. According to the Robocall Index, maintained by YouMail, 2.6 billion robocalls were placed in July 2017 alone! The FTC reports that robocalls are the top complaint received by the agency.

On the Do Not Call list? It doesn't matter. The scammers are engaging in illegal activity, so why would they obey the registry? What can you do? Unfortunately, the scammers will keep calling. But following the first two suggestions below is important in trying to reduce the number of calls.

Don’t Answer

When one sees a number they think belongs to a neighbor, the first reaction is to answer, since there may be a problem! However, simply answering such a call thinking it is a neighbor may subject you to even more calls. There is an underground market for the phone numbers of individuals who pick up or respond to questions. Numbers on such lists are used by robocallers with increased frequency.

Don’t Respond or Confirm

If you do pick up and you can tell it is a robocall, hang up right away. Do not engage the caller and certainly do not respond to any requests to press additional numbers. DON’T PRESS 1. Pressing any number, even if it is responding to their suggestion that doing so will take you off their list, only confirms your number is active and that they reached a live person.

Some people love to engage telemarketers for entertainment, but doing so may actually put you on their “call frequently” list.

Do Block

There is a reason it is called “spoofing.” It prevents you from knowing where the call is really coming from. It may be coming from out of the country! One approach is to block particular numbers. However, by the time you do that the same scammers have probably moved on to a different number. While it does take a bit of work and is annoying, you could systematically block callers, even though it will seem like a finger-in-the-dike approach.

 

What Information Are You Sharing with Facebook Apps ?

The vast majority of Facebook users do it. We install apps built into Facebook and just click through all the questions without reading. We go to a website where we are prompted to create a new account or “log in” with Facebook. Logging in with Facebook is easier, since who needs yet another account to remember? How many times have you done this? You might be surprised. No. Shocked.

In both of these situations you are not granting Facebook itself access to any new data. Instead, you are granting a third party access to your information. According to Facebook, with each app that you log in with you automatically agree to share at the very least your gender, the networks you belong to, your username and user ID, and your full name and profile picture. You also grant access to your full friends list and any other public information that you have included on your Facebook profile.

This issue is at the center of the Cambridge Analytica data scandal. The political research firm was able to access data on more than 50 million Facebook users through a third-party personality quiz application called “thisisyourdigitallife”, without the knowledge or consent of any of those users.

To see what apps have your data:

  • Select the drop-down menu on the top-right side of Facebook on the website or mobile app and select “Settings.”
  • Select the “Apps” option (on the left side of the page on the website; scroll down the settings page on the mobile app).

This will display all the apps that you have granted access to, and which data each can access.

If you wish to delete an app on the website, hover over it and then click the “X” button to remove it. You may wish to do a little housecleaning on a regular basis and delete any apps you no longer use. Any data that was previously shared will still be in the possession of the app developer, however. They just won't get any new data.

You can also manage the data sharing settings for apps you still want to use. If you select the pencil “edit” icon while hovering over the app you will see all the data options you are sharing with that app. Deselect any data options that you do not wish to share with them.

The important takeaway is that you need to stay diligent and, any time you access a new Facebook app or use “log in with Facebook”, immediately edit these options.