Five Steps to a Successful Social Attack: What's Your Threshold?
In a previous post, I highlighted that mass marketing fraud against individuals cost the UK economy £3.5 billion in 2011.
That is ten times more than the cost of plastic card fraud in the same year, or equivalent to the total fraud losses incurred by the financial services sector in the same period!
Sobering perspective, don't you think?
We all know that mass marketing fraud is where criminals aim to defraud multiple individuals to maximise revenue by persuading victims to transfer monies in advance in exchange for promised goods, services or benefits.
And we all know that this is usually done via mass-communication media (such as telephone calls, letters, emails and text messages) and ranges from foreign lottery/sweepstake frauds through to Ponzi schemes and romance frauds or any other abuse of trust... So, we all know better, don't we?...
CAN I GET YOU IN FIVE TRIES?...
The idea of this post was given to me by Andy Dancer, CTO EMEA at Trend Micro, and his presentation at the Spring SASIG this year. Mass marketing fraud is not new, and I don't expect any of you, constant readers ;), will fall for the>>>
The foreign heir/heiress to a substantial fortune where he/she offers you a percentage of the fortune in exchange for your help with money transfers and advance fees...
Traditionally, this has been done via letters or email, but criminals move with the times and this scheme received a makeover with the use of Facebook:
OK, you didn't fall for it, but how many people you know would? So, how about the>>>
Email from your bank that a fraudulent transaction may have been performed on your account and that you are required to check/update your details by following a link in the email.
Yes, the link may look genuine, and we all know not to click on embedded email links, and we all know how to find out the actual URL behind the embedded link, but what if the link looked like http://onlinebanking-chase.com/checking/ssl/update.php?
OK, you may not fall for this one, but how many people you know would? How many people can recognise a phishing site (spelling mistakes, etc.) and a phishing URL (see section 2 of the bustspammers page on phishing)? So, let's step it up a bit and see what you would do with the>>>
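The two checks the post is asking readers to do by eye (is the domain in the link really the bank's, and does the link text match the real href behind it?) can be written down as a small URL triage routine. The code below is an added example for this post, not something from the original or from Trend Micro; the brand allowlist, the sample URLs and the "last two labels" approximation of a registrable domain are all assumptions made for illustration (real tooling would use the public suffix list).

```python
from urllib.parse import urlparse

# Constructed allowlist for the example: brand keyword -> domains the brand really uses.
# (Assumption: a real deployment would load this from a maintained source.)
KNOWN_BRANDS = {
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Good enough for .com-style hosts in this example; country suffixes such as
    co.uk need the public suffix list (assumption noted above).
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_url(url):
    """Return a list of plain-English warnings about a URL; empty list means nothing flagged.

    The heuristics are the ones a security-awareness session teaches:
    no TLS, a user@ prefix hiding the real host, a bare IP address, a brand
    name appearing in the hostname while the registered domain is not the brand's,
    and reassuring words such as 'ssl' or 'secure' in the path.
    """
    warnings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""

    if parsed.scheme != "https":
        warnings.append("link is not https")
    if "@" in parsed.netloc:
        warnings.append("userinfo before '@' hides the real host")
    if host.replace(".", "").isdigit():
        warnings.append("host is a raw IP address")

    reg = registrable_domain(host)
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand in host and reg not in legit_domains:
            warnings.append(
                f"'{brand}' appears in the hostname but the registered domain is {reg}"
            )

    reassuring = {"ssl", "secure", "verify", "update"}
    path_words = set(parsed.path.lower().replace(".", "/").split("/"))
    if reassuring & path_words:
        warnings.append("path uses reassuring wording (" + ", ".join(sorted(reassuring & path_words)) + ")")
    return warnings


def anchor_mismatch(display_text, href):
    """True when the visible link text names a different registrable domain than the real href.

    Only fires when the display text itself looks like a URL or hostname;
    'Click here' style text gives no domain to compare and returns False.
    """
    if " " in display_text.strip():
        return False
    shown = urlparse(display_text if "://" in display_text else "http://" + display_text).hostname
    if not shown or "." not in shown:
        return False
    return registrable_domain(shown) != registrable_domain(urlparse(href).hostname or "")


if __name__ == "__main__":
    # Constructed sample: the post's example lookalike link and a genuine-looking one.
    for sample in ("http://onlinebanking-chase.com/checking/ssl/update.php", "https://www.chase.com/"):
        print(sample, "->", analyse_url(sample) or "no warnings")
    print(anchor_mismatch("https://www.chase.com/login",
                          "http://onlinebanking-chase.com/checking/ssl/update.php"))
```

Run as a script it prints the warnings for each constructed sample; the useful part for an awareness programme is that the warnings are worded the way you would explain them to a non-technical colleague, so the same rules can go on a one-page handout.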
The fake app:
The following text courtesy of Trend Micro: Once the application is installed and run, it creates shortcuts on an infected smartphone’s homepage. If the Android-based device has Facebook installed, it asks the user to share the fake app on Facebook before playing the game. It would also prompt the user to rate the application in the Android Market.
Once the user has shared and rated the app, it displays a countdown to the app's release instead of showing the actual game and was capable of displaying ads using the mobile notification. (In this instance, if you checked the information on the game's developer for this Android version of the game, it was not the same as the developer for the iOS version. This app has since been taken down.)
Now, be truthful, did I get you? OK, for those who were not fooled, how about the>>>
The malware infection that begins with windshield flyers...
This one began with the use of fliers put on windscreens at public car parks and was an innovative way of social-engineering potential victims into visiting a malicious website. The text of the flier read:
PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to [website-redacted].
Upon following the link, victims would be tricked into installing fake anti-virus software (Full story here).
How close were we on this one?... OK, how about the>>>
The LinkedIn Invite...
What was common with the first four attempts is that you were not expecting them, but what if the scammers have studied you, and sent you something you might actually expect...
See my point?... (and this attack has actually been observed...)
You might not have fallen for any of these attempts, but on a personal level, how many members of your family would? On a professional level, how many employees in your organisation would, from field staff to C-level execs? Different people will have different thresholds to these attacks, which brings me to the whole point of this post:
Security education and awareness is key at all socio-economic levels, whether on a personal or professional front. Our duty, as infosec professionals, is to keep educating and spreading the word. And we might even contribute to our country's economy by reducing fraud...
Until next time...
Cross-posted from NeiraJones