Alert: Social Engineering, Phishing and Hacking, Oh My!
As the classic Billy Joel song starts: "Got a call from an old friend, we used to be real close..."
He called to alert me that someone had gotten into one of his accounts and was wreaking havoc. "How could someone access my account?" he asked.
"They probably got your password," I said. "But how?" he asked.
The answer to his specific question was covered in a previous blog article. However, this conversation just cropped up at a point when I was already thinking about the escalation in "social engineering" attacks, and was considering writing a blog article (aka "Warning") about it. Then I received not one, but TWO different social engineering attempts via email within the past three days! So we definitely need to cover this topic -- and quick. It's serious.
"Social Engineering" refers to the practice of using trickery to get you (the target) to voluntarily hand over critical information, such as usernames and/or passwords. This has become so prevalent that I, personally, see at least 2 or 3 attempts per day piling up in my spam folder on the server. And if it's a new attack that's been crafted to circumvent spam filters, it could get through to my (your) inbox until security experts catch wind of it and update the anti-spam filters. I'm seeing one or two a week slip through lately, and it's quite disconcerting when I think about casual computer users who will get sucked into the scheme, unwittingly.
These attacks mimic an email notification from a known, trusted source, such as your bank, PayPal, the Better Business Bureau, Facebook, LinkedIn, and so forth. The attackers create an email that looks exactly like the normal system notices that are sent out by these folks. But they change the links to hit their own servers. The most classic example is an email that sends you a dire notice ("low balance warning!") with a link to login and check on it. When you click the link it takes you to a page on their servers that looks JUST LIKE your bank's login page. When you enter your username and password, they store it to a database on their server and then put up an error box saying "Invalid username or password, please try again" with an OK button. When you click OK they redirect you to the REAL bank login page. Thus, the page reloads and when you enter your name and password you are logged in. Since passwords are obscured with ****** as you type, it's natural to just assume you had a typo the first time. You never notice anything was awry. However, they now have your username and password!
It can be harder to get around bank security in this fashion, but other sites such as LinkedIn or Groupon, etc. have lighter-weight security that's easier to mimic and take advantage of. An overwhelming majority of people will use the same password in multiple places, thus the attackers have a better than average shot of then getting into even more sites (and perhaps more critical ones) using those same credentials.
For the past few weeks I've been seeing "warnings" from the Better Business Bureau that someone had filed a complaint against my business, urging me to "click here" to investigate. That's a juicy lure. Except for the fact that I received two in a row, at two different email addresses (one personal, the other business, both end up in the same inbox). I noticed it was sent to a whole slew of people too, in alphabetical order.
Those are classic signals that it's a hack attempt. If you see a notice going out to a bunch of people on a CC list alphabetically, you can bet they're just spamming a list of names, in alphabetical order.
About three days ago I received an email from AT&T "confirming" my recent online payment. Of $2,492.47!
Of course for a brief instant my heart stopped. "WHAT?!"
But the hackers made two key mistakes. First and foremost, the amount. That was such an unbelievably high amount that there's no way one could "accidentally" run up a nearly $3,000 phone bill and have it auto-charge. Second, the amount actually read 2,492.47$ which is obviously written by someone overseas, not in America. We write $3 not 3$. Those two things jumped out and initially gave me pause. Then, upon closer inspection, I noticed that they had a typo in the word directly below the dollar amount. So I quickly figured out that this was fishy. I deleted the email and did not click anything. Separately, I opened a browser and went to AT&T and logged in and found that my account was normal. The last charge they showed was the last I processed, in the proper amount, and next month's wasn't invoiced yet. $0 owed. All good.
That was three days ago. Today I received an email from LinkedIn telling me I have a new contact request from a name I don't know, at a company I don't know (Jerrems at Medco), and 44 unread messages. I happen to know I hardly use LinkedIn messaging and don't have ANY unread messages at all, never mind 44. So again, this jumped out at me. I merely moused-over the link and sure enough, it was going to a website in Eastern Europe (the Czech Republic)! See the screenshot below and notice the link in yellow, which popped up when I merely moused-over the blue link.
That was the last straw -- this is getting serious.
So how do you remain safe? Here are some safety tips:
1. Don't click links out of emails. I say this all the time. Open a web browser and specifically GO to the site in question and login directly. If your bank or phone company sends you a notice, go to their website manually and login and see if it's true or not. It's actually NOT common for banks and the like to have you "click here to login". They usually just suggest you go login to the site.
2. Be suspicious of serious "warnings" and dollar amounts posted directly in emails. Usually banks will say "Your account has been updated. Please go check it out". They don't say "We posted $5,000 to your account. Click here to see".
3. Use mouse-overs if you can, to view a link before clicking. Not all email software and hardware devices support them, but if yours does, then use it.
4. Don't use the same password at multiple sites, if you can help it. This was covered in more depth in a previous blog article, but here's a quick primer: Use a password program to store and remember them if you must. Or worst case, at least segregate sites into two or three categories, with a unique password for each category. That's only 2 or 3 passwords to remember -- one for banking/financial, one for "medium importance" sites, and one for unimportant "fodder" sites (everyone makes you create an account these days).
All in all, use common sense. Sure, it's possible someone lodged a BBB complaint against you. Anything is possible. But if you are not in a dispute with anyone and have never had a single complaint in 19 years in business, what are the odds?
Be careful out there, it's a jungle.