Home » Secure Computing » Phishing

Phishing & Social Engineering

Introduction

Social engineering techniques are among the most powerful tools in the hackers' toolbox. Generically, social engineering is the motivation of someone ('the mark') to disclose personal or other important information that the hacker can use to their own advantage (e.g., to steal an identity in order to exploit financial information or extract an important password in order to break into a server).

Just like the traditional grifters of the past, hackers use the general tendency of people to want to 'be nice', 'stay out of trouble', and/or 'protect their own assets' to motivate them to give out information – and even feel good about doing it.

Examples

Probably the most popular and well-known social engineering scam is known as the '419 scam' (after the section of the Nigerian Penal Code that discusses this sort of infraction) or, more generically, as an 'Advance Fee Fraud'. In this scam, an important government official (or similar personage) has tragically died, leaving behind a large sum of money. In exchange for your help in moving the money from an unfriendly foreign country to a more friendly bank account, you will be rewarded with a substantial reward (e.g., 20% of 60 million dollars). Who could resist doing good and being rewarded for your good deed? This scam has been conducted via postal mail, fax, and telex in addition to the far less expensive e-mail proliferation mechanism.

Surprisingly, the proffering of your bank account number is not usually the way 419 scammers make money. Their income derives from the fees you must pay to bribe certain officials, lubricate the liberation of the money from a bank account, and so on. It is believed that no one has ever received money in return for these investments. In fact, many folks have lost small fortunes (a New Yorker article, from Fox News (with a reference to the pastor's wife who killed him after losing their family savings), folks in Japan, and a BBC report of a scammed Briton.

While most people these days have heard of the 419 scam and recognize it by the telltale "too good to be true" litmus test, social engineers use other motivations to extract folks' information:

• "This email confirms you have paid $xxx for [some product]": Of course, you never bought anything from the company and will give them information to find the errant payment and refund your money. The scam is that they are just collecting your credit information to make actual charges.
• "Paypal (or someone) needs you to reconfirm your information": No they don't. The web page is legitimate except for one little link that sends your information to the scammer instead of to Paypal. Everything look legitimate until that very last click.
• "Your account at [xxx] has been suspended for ...": No it hasn't. But you'll have to supply a goodly amount of personal information to get it back. Don't do this!

Click this to see a marked up actual example of phishing email.

Defense

Vigilance is the only defense against social engineering. Look for these markers to know you're getting ready to divulge too much:

• "Here's your big chance to play the new fantastic version of the [xxx] game!" The link, of course, goes somewhere where they will extract some private information (real name? a password that might work somewhere else? your birthdate in order to prove you are 'old enough' to play, etc.). This really is the #1 rule: Avoid clicking links people send you instead of using a search engine to find the proper link.
• Anything that sounds too good to be true probably is. It is unlikely that you have won the Irish Sweepstakes, even if you elect to send in a $1,000 security payment.
• Any time you get a solicitation in email that you did not request – even from a trusted friend – should be discarded immediately. No reputable company works this way.
• Email with misspelled, mispunctuated, or bizarrely formatted text is almost surely a scam.
• If something feels like it requires action, confirm via telephone with someone you know (or at least can verify, e.g., by calling the corporate headquarters) before you send money. A recent scam asks for money because your best friend (or aunt or grandmother or ...) is caught in Europe (or some faraway place) and can't return until they pay bail, or a fee, or some other money-requirement. You, the trustworthy friend or relative can help them! Call them at home to make sure they're not there before sending money.
• Any time you are getting ready to feel good about giving away some money or information,think twice: Why am I really doing this? Do I know who is on the other end of my bequest? "Hey, John, please remind me of the combination to get into the machine room." Who is really asking?
• "Please come back to FaceBook!" The link, of course, goes to a FaceBook look-alike which presumably reaps your name and password. Avoid clicking links people send you instead of using a search engine to find the proper link.
• "Please call this number to verify [xxx]." You'll get a recording asking you to leave all sorts of useful information. Don't even think of calling telephone numbers you can't verify (perhaps by checking a phone book or institutional phone list) sent to you unsolicited in email.
• Keywords to avoid: verify, account, won, lottery, respond [now, quickly], or you will suffer [some horrible thing] See these? Click delete.
• Vishing: These same pitches and scams work in airports, for panhandlers, and all sorts of non-computer scammers, too, by the way. They even work when people call you on the phone! "Hey, Jill, this is Ralph over in accounting. I've forgotten [xxx], can you help me out?" Look up their number and call them back.
• SMSiShing: Same idea for text messages are you phone.Don't believe a bank will text you; call them on an independently verified number.

With eyes wide open, the Internet can be a happy and safe place for many sorts of transactions.