cybercrime | Securing the Human Operating System

Deciphering The Legitimacy of an Email: Sender and Receiver

August 26, 2019September 4, 2019

by Eric Schnell at 8:23pmSeptember 4, 2019

Cybercriminals love email not only because it can be used to easily manipulate potential victims, but because it is also very easy to spoof. Cybercriminals will set up fake email accounts and corresponding addresses in order to make the message appear to be legitimate. Spoofed emails are difficult to identify without a careful examination of email message. Specifically the email “header.”

Each email message contains two “headers.” The first is the visible header, which one can see at the top of any email message. The visible header contains the From, To, Date, CC, and Subject lines. We see visible headers everyday but never pay much attention to them. Spoofing is so easy that it does’t take a cybercriminal to manipulate the message header to change the sender’s identify so an email looks like it is coming from someone else.

The second header is called the technical header and which I will discuss in my next post.

One way to begin deciphering the legitimacy an email is by reviewing the visible email header, starting the From: and To: fields.

From: The Sender

Do you recognize the sender’s email address? Carefully check the address since a bad guy can spoof an address similar to one you may be used to seeing. Check how the name is spelled since the address could contain one dropped or have additional characters.
Does the email appear to be sent from someone inside the organization but the subject and content unusual in some way? For example, a manager asking you to buy gift cards when they never asked you to do that before no do you have the authority to do so.
Does the sender’s email address look familiar but actually from a different domain then you are used to seeing? For example instead of Your_Boss@Your.Institution the messages comes as Your_Boss@yahoo.com.
Do you have no relationship with nor have had any past communications with the sender? These email cold calls may simply be “legitimate SPAM” but may be nefarious in intent.
Is the message from someone you haven’t recently communicated with?
Is the message from someone who is a friend of a friend that you may know by name but never communicated with? Cybercriminals will often hack email addresses books and harvest such names.

To: The Recipient

Cybercriminals will send their email messages to a group of people in an attempt to get at least one to take the bait.

Is your address a CC on an email sent to one or more recipients you are unfamiliar with? If you don’t recognize the other recipients the criminal may have harvested an email address book from someone on which your name appears. Instead of sending individual emails they do an email blast.
Is there any pattern to the other the recipients such as all names starting with the same letter?

If there is any question about an email or a specific request pick up the phone and calling the person you think sent the message to confirm its legitimacy.

Deciphering The Legitimacy of an Email: The Message Header

August 26, 2019August 27, 2019

by Eric Schnell at 8:17pmAugust 27, 2019

Cybercriminals love email. They love email not only because it can be used to manipulate potential victims but also because it is also very easy to “spoof.” Simply put, a spoofed email is one in which the address in the From field is not that of the actual sender. However, how often do we just scan our our email messages for specific names or subjects and just assume they are legitimate? Every.Single.Day. This is why the bad guys love email.

Identifying a spoofed email requires the careful examination of the message, starting with the email “header.” Before we get into how to examine a header it is important to understand how an email gets transmitted.

After you construct an email message and hit Send your email program (e.g. Gmail, Outlook) uploads the message to a SMTP (Simple Mail Transport Protocol) server, a computer that begins the process of transmitting the message to the intended recipient. Your message is the then relayed from SMTP server to SMTP server across the Internet to its final destination domain (e.g. gmail.com) .

When your message arrives at it’s destination domain it is stored in the recipient’s mailbox at an IMAP (Internet Message Access Protocol) or POP (Post Office Protocol ) server. This email server provides a temporary in-box where the message waits until it is fetched by an email program.

The information contained in the email header provides the details on where the message is coming from, and where it is going to, so all the servers can assist in the routing. Every email message contains two headers. The first is the visible header, which one sees at the top of any email message and contains the From, To, Date, CC, and Subject lines.

The second email header is called the technical header. The technical header is almost always hidden from view but can take a bit of digging in your email client to figure out how to make it visible. The information included in the technical header is all the – you guessed it – technical details required for routing of an email message.

Over the next few posts I will discuss details of the visible header and what to look for in the header to help decipher the legitimacy of an email. I will also discuss the technical header and how it is used by servers and SPAM filters to weed out illegitimate messages.

Deciphering The Legitimacy of an Email

August 13, 2019August 13, 2019

by Eric Schnell at 3:43pmAugust 13, 2019

Cybercriminals utilize a wide variety of tools and tactics. By far the most popular tool one is the use of email. Criminals like to use email in part since it is very easy to spoof an email and email address. There are even free sites that let you send one-off emails using a spoofed or custom disposable email addresses.

However, much more importantly for the cybercriminal it is even easier to get the recipient to believe it is legitimate.

There are ways to help to decipher an email since most of the email tactics used by cybercriminals do leave traces that help in determining if the email has been spoofed. To uncover these traces one needs take some time to break down the message.

The basic email header contains information such as From, To, Date and Subject and the full header will contain detailed information about where the email came from and how it was routed. The body of the email and attachments can also help to provide additional traces that help to determine the email’s legitimacy.

Over the next series of posts I will be breaking down the content of an email to help to decipher the legitimacy.

Social Engineering and Cybercrime

August 7, 2019August 7, 2019

by Eric Schnell at 6:38pmAugust 7, 2019

At one time the name Kevin Mitnick was synonymous with the term “hacker.” In his 2002 book, The Art of Deception, Mitnick claims he did not use software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security. Instead, he compromised computers solely by using passwords and codes that he gained using strategies to get people to unwittingly divulge information, or file-less attacks. In 2017, 77% of US businesses were compromised due to attacks and exploits which similarly do not involve the installation of malicious software but also through file-less attacks.

Social engineering is an act of psychological manipulation of an individual into performing an action or divulging confidential information. Cybercriminals leverage social engineering by stalking individuals in the social world and manipulate somewhat predictable levels of trust and gullibility [1]. The techniques used by cybercriminals are based on specific cognitive biases attributes of human decision-making. These biases are exploited in various combinations in the creation of almost all attack techniques. [2]

Cybercriminals use social engineering tactics because it can be easier to exploit an individual’s natural inclination to be trusting than to spend time building software tools to break through firewalls and system security. In short, it is much easier for a cybercriminal to get someone into giving up their password than it is to try and hack their password. By crawling though social information shared by the target in online profiles and social media posts the cybercriminals can craft a custom strategy to manipulate them into divulging confidential information or even into carrying out their malicious attacks through influence and persuasion.

Resources:

[1] Bosworth, Seymour, and Michel E. Kabay, eds. Computer security handbook. John Wiley & Sons, 2002. Chapter 19 “Social Engineering and Low-Tech Attacks” Karthik Raman, Susan Baumes, Kevin Beets, and Carl Ness.https://onlinelibrary.wiley.com/doi/abs/10.1002/9781118851678.ch19

[2] The Human Factors of Cyber Network Defense Robert S. Gutzwiller1 , Sunny Fugate1 , Benjamin D. Sawyer2 , & P. A. Hancock2 1 Space and Naval Warfare Systems Center Pacific 2 University of Central Florida 2015, Pages 113-122, https://doi.org/10.1016/j.jisa.2014.09.005.

“Watering Hole” Cyber Crime Tactics

July 2, 2019July 1, 2019

by Eric Schnell at 4:50pmJuly 1, 2019

20 years ago cybercriminals only used a few techniques to lure in potential victims. One was sending an email with the subject line of “ILOVEYOU” which contained an attachment that was a virus/worm which infected the user’s machine. The second was sending messages sent from from a Nigerian prince, who offers a share of a huge investment opportunity and then asks for your bank account number so they can transfer the money to you for safekeeping – for a small advance payment to cover the transfer expense.

Over the past two decades Cybercriminals have gotten very sophisticated in their tactics. One methodology targets specific individuals in an organization to unknowingly allow the criminal to gain access to the organization’s computer network. The tactic called the “watering hole” attacks an organization by compromising a web site that the target would generally trust – a watering hole.

To be able to identify a watering hole to bait the criminal first needs to deploy any number of commonly used tracking tools, like KISSmetrics or AddThis, to see which web sites are being accessed by the employees of an organization. This gives the criminal a map of the sites for them to target vulnerable sites for infiltration, those which don’t have strict security. The criminal then plants malicious code on the watering hole site and simply waits for users to revisit the site(s).

Once users begin visiting the watering hole their device is scanned to look for known security vulnerabilities. Any device identified as having a vulnerability the criminal uses the “drive-by” downloading technique, meaning the criminal doesn’t even need to have the visitor click on a link or download any files. Instead, malicious code like Remote Access Trojan (RAT) is downloaded in the background. When the code is run it scans for additional vulnerabilities with an exploit code deployed that carries out the real intended network attack is delivered an executed.

Blood Sucking Hackers

June 5, 2019

by Eric Schnell at 1:51pm

On June 3rd, Quest Diagnostics filed a report with the Security and Exchange Commission (SEC) stating that it was notified on May 14th that between August 1, 2018 and March 30, 2019 an unauthorized user access to American Medical Collection Agency (AMCA) system that contained information received from various entities, including Quest Diagnostics. The information included credit card numbers and bank account information, medical information and other personal information of approximately 11.9 million people.

The very next day LabCorp filed a similar brief with the SEC stating that the AMCA informed them that it is sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed.

AMCA is third-party collection agency that stores information such as first and last names, credit card and bank account numbers, birth dates, addresses, phone numbers, dates of services, health care provider information, and the amount customers owe. The information AMCA received comes from a company called Optum360, a revenue cycle management provider. No information about lab results is passed on to the AMCA. Both Quest and LabCorp have suspended business with the AMCA.

The question most consumers are probably asking themselves is when they will be notified. Right now there is a lot of finger pointing. The laboratory companies systems were not breeched and neither were Optum360’s. The challenge is that while those companies appear to be committed to keeping all relevant parties informed the AMCA has not given them any specific information about the individuals impacted.

Credit Freezing and Unfreezing: Now Free!

August 22, 2018October 4, 2018

by Eric Schnell at 5:00pmOctober 4, 2018

When Equifax was hacked a while back there was social media outrange when their solution was for individuals to freeze their credit reports. The issue? They would change the individual a fee to freeze your credit report and then another to unfreeze. The Economic Growth, Regulatory Relief and Consumer Protection Act enacted in May 2018 had the hidden benefit that it is now free in every state to freeze and unfreeze your credit file and that of your dependents.

If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.

Individuals much contact each of the three major credit bureaus to file a freeze/unfreeze request:

Equifax Freeze Page
800-685-1111

Experian
888-397-3742

TransUnion
By Phone: 888-909-8872

Cybercrime by the Numbers

June 18, 2018July 18, 2018

by Eric Schnell at 7:58amJuly 18, 2018

https://www.fbi.gov/image-repository/cyber-crime.jpg/@@images/image/high

We read and hear a lot about cyber attacks and the latest threats in the news, seemingly daily. When one takes a look at the numbers the real costs to associated with cybercrime become a real eye opener.

- There are around 3.8 billion Internet users and will grow to an estimated 6 billion by 2020. Each Internet user is seen by cyberthieves as a potential victim.
- Researchers track the quantity of new malware released, with estimates ranging from 300,000 to a million viruses and other malicious software products being created – every day.
- The number of U.S. data breach incidents tracked in 2017 was 1,579. Of those, 21.4 percent involved phishing and 12.4 percent involved ransomware/malware. Unauthorized Access represented nearly 11 percent.
- Nearly 20 percent of data breaches included credit and debit card information. Nearly 158 million Social Security Numbers were exposed.
- Cybercrime is reported to be costing business 600 billion a year. According to CSO, an online magazine for chief security and information officers, cybercrime damage is predicted to reach $6 trillion by 2021.
- The FBI reports $209 million in ransom was paid from ransomware attacks in just the first quarter of 2016, compared to $24 million in ransom payments in all of 2015. Global ransomware damage costs were predicted to exceed $5 billion in 2017.
- Bureau of Justice Statistics (BJS) reports suggest actual losses from identity theft remain relatively small. Only 14% of victims suffered out-of-pocket losses, and of those victims, about half lost $99 or less. The average loss was $1500 per incident.
- The Equifax breach, which exposed the personal data of 143 million US consumers in September 2017, cost the company nearly $90 million in the first four months after discovery.
- Over 40% of US businesses were compromised due to fileless attacks and exploits. The number of fileless attacks are increasing significantly.

Sources:

McAfee CSIS Report: Economic Impact of Cybercrime— No Slowing Down

McAfee Labs Quarterly Threat Report June 2017

Accenture Cost of Cyber Crime Study

FBI Cyber Crime

Identity Theft Resource Center: 2017 Data Breach Year-End Review

What is this GDPR Thing and Why Should I Care?

May 25, 2018May 22, 2018

by Eric Schnell at 12:12pmMay 22, 2018

You may have seen a flood of updated privacy policies from your online service providers flooding your in-box over the past couple months. These are the direct result of new data privacy laws, the General Data Protection Regulation (GDPR) taking effect across the European Union (EU) today. These laws provide consumers with more control over their personal data.

What Is It?

GDPR was ratified in April 2016 and establishes a single set of personal data protection rules across Europe. Companies and online service providers outside the EU are subject to this regulation when they collect data concerning any EU citizen. Personal data is defined as any information relating to a person who can be identified directly or indirectly including information that can be linked back to an individual. There is no distinction between personal data about an individual in their private, public or work lives.

Companies will be required to implement appropriate technical and organizational measures in how they handle and process personal data. Data protection safeguards must be appropriate to the degree of risk associated with the data being collected and held. If there is a data beach and any of the laws were not properly applied fines could be as high as 20 million Euro or 4% of annual revenue, whichever amount is higher.

Since US companies with EU citizens as customers must follow DGPR laws US citizens may benefit from the laws.

Why Should I Care?

The theft or accidental disclosure of an individual’s data by an online service provide exposes that individual to any number of potential issues. The intent of the law is to provide individuals with more control over which data on them is being collected and places significant restrictions on how companies manage data to reduce of eliminate that exposure.

Under GDPR companies obtaining data from individuals must detail the purpose of data and how it will be used, if the data will be transferred internationally , how long it will stored. Individuals retain the right to access, lodge a complaint, or withdraw consent at any time. They also have the right to be forgotten. The data must be erased if it is no longer needed for the reason it was collected.

If any company experiences a data breach, they must notify the individuals whose data was stolen must be informed with 72 hours. This is in contrast to many more recent security breaches which come out in the news months later.

Another part of the regulation requires that consent for the company to collect data must be given by the individual by a clear affirmative action. This consent does not need to be explicitly given and can be implied by the person’s relationship with the company. Any data being collected and retained must be for specific, explicit and legitimate purposes.

Resources

Russell and Fuller. GDPR For Dummies. 2017. Wiley & Sons.

GDPR for Dummies from Caroline Boscher

Email: The Cybercrime Gateway

May 3, 2018October 4, 2018

by Eric Schnell at 7:02pmOctober 4, 2018

Billions of email messages are sent each day. The ease of use, speed of transmission, and relative anonymity of email has made it a tool for cyber criminals. One survey indicates that 91% of all cyber crime starts with an email.

Using email to commit cybercrime is almost as old as email itself. While there are many ways email can be expoited, here are the more common ones:

Phishing

The term Phishing is a generic term used to describe the very broad category of email techniques used by cybercriminals. Future posts will go to Phishing techniques in greater detail.

Scamming

Based on the centuries old Spanish Prisoner, the infamous Nigerian 419 email scam of the 1990’s is still alive and well in one form or another and is a classic phishing scam. It involves promising the potential victim share of a large sum of money, in return for an up-front payment. If someone actually makes the payment, the scammer either invents a series of further fees for the victim to pay or simply disappears.

Spoofing

A spoofed email is one that appears to originate from one source but is actually sent by another. Like Neighbor Spoofing, falsifying the name and / or email address of someone the receiver is likely to know increases the odds the person will respond or take requested action (check out funny joke in the attachment!) It is actually not too difficult to spoof an email adddress using relatively simple tools.

Spreading Trojans, Viruses and Worms

Emails are perhaps the fastest and easiest way to spread malicious code. For example, the Love Bug reached millions of computers within 36 hours back in 2000, all thanks to email. Cybercriminals will bind the malicious code in e-greeting cards, fake virus patches, et and email them in messages which are written in a way to make the reader feel like immediate action is required.

Attachments

Attachments are a very common way to spread malicious code. The rule of thumb is to open only those attachments that you are expecting – even if coming from someone you know (remember: email address spoofing!). File names can been spoofed as well so that an attached file that is actually a computer program can look as though it is a simple word processing file. If you are unsure, contact the person and ask if they sent it.

Links

Don’t immediately click on the link(s) in emails. Keep in mind email spoofing since a message may look like it is coming from someone you know! Hover your curser over any links to double check if the destination URL is what it’s claiming to be. To be extra careful, type out URLs manually instead of clicking links.