
Spear-Phishing and Social Engineering: Old Problems Just Keep On Giving!

John Boline

We have been dealing with security issues since computers first emerged in the office place. We moved past the first threats which came to the desktop via the sneaker-net (floppy disks moved from machine to machine) to CDs, DVDs, Blu-Ray and even USB devices.

Now the opportunity to get a virus, macro-virus, malware, botnet, or other attack can come from many directions, but the same simple methods for keeping your system and data safe have not changed much over time. Several years ago I wrote about the problems of SPAM and how social engineering (no, not social networks but the actual practice of calling on the phone, speaking with someone or sending an email that looks too good to leave closed) was the vehicle for breaching your system or network. Here we are nine years after that first article about SPAM and the same problems still exist. Maybe a bit of review is in order…here goes!

SPAM Is Bad Everywhere
SPAM has become more common in email than junk mail is in your snail mailbox. The cost of printing has driven most mass marketers to use email. It is simple, fast, lower cost and can be sent, albeit illegally, completely anonymously. Techniques for purging in-boxes of this scourge have become multi-layered. Software runs on the desktop or on appliances to filter the messages before they fill your inbox. This is a good thing since SPAM is generally sent at a ratio of 4 or 5 to 1 for those messages you really want. Spammers use all kinds of schemes to get you to open a targeted email, from package and delivery confirmations to messages about packages that ‘could not’ be delivered to you, etc. Amazingly, they have your email address! Here are several things to keep in mind when you receive a message like that:

1) The U.S. Post Office does not send you email unless you sign up for tracking on a package. It would kind of defeat the purpose of using mail service. The Postal Service says it doesn’t use email to notify customers about a package delivery. “Customers would receive notification via postcard that they needed to pick up a parcel or it would be posted on the door,” said Tammy Mayle, Postal Inspector. No matter what — always be wary of any email claiming to come from the Postal Service. “The Postal Service doesn’t have an email address for every postal customer available,” said Mayle.

2) The IRS does not communicate with anyone via email for tax bills, etc.
http://www.irs.gov/uac/Don%E2%80%99t-be-Scammed-by-Fake-IRS-Communications

3) This also holds true for UPS and FedEx. Recent scam emails from FedEx used the following ‘from’ email address:

From: FedEx Online Team Management. <wednailofficer@gmail.com>

Real email from FedEx would NOT be from a Gmail account! So why do people open these emails and click on the documents? The answer is Social Engineering. SPAM emails account for over 90% of all email sent domestically.

Social Engineering
Curiosity often gets the best of us. Everyone likes to get packages, especially if they contain free stuff! A good example of this is the ‘I Love You’ virus from a few years back. This social engineering exploit targeted the simple fact that all (well most) of us want to be loved. If you opened that email, it promptly infected your machine, turned it into an email server and then dished up a similar email to everyone in your address book. This particular virus spread like wildfire. Patches were built for most email clients to help stop this and most anti-virus programs no longer allow individual machines to become ‘email servers’. One of the best ways to stop these social engineering attacks is through common sense and security.

Common Sense
One of my favorite quotes is, “common sense is not that common!” When it comes to security though, using plain old common sense can be a real life saver! When in doubt, consult your IT Department. If you don’t have an IT department, err on the side of safety. Email attachments are still widely used to infect computers with unwanted payloads. The common sense approach is to delete email attachments from people you don’t know (WITHOUT opening them!). Strange links in emails, Instant Messages, blogs, and social network walls should also be carefully reviewed—they may contain malicious code.

Where Does Security Start?
Passwords? Yes, passwords! First, you should have passwords set for everything on your system. Second, do not use the same password for personal access that you use at work. Why? Well, this is basic security and it allows you to make sure that all of your business accounts and personal accounts cannot be accessed should there be a breach in one source. Another good practice is to NOT write your passwords on a Post-It that is on the wall or under your keyboard! Use upper and lower case letters, numbers and at least one special character in your password, where possible. This makes the password far more secure than ‘qwer123’. Also be aware when setting those passwords that you do not have the Caps Lock key engaged. Most programs will tell you if you do, and even Windows will remind you, but many still do not.

Email Considerations
Many enterprises have email scanning that takes place at the firewall, in the cloud and/or at the server level before those emails arrive at the desktop. Even in those cases, or in cases where you do not have such countermeasures at your disposal, your anti-virus software should have a plug-in that allows you to scan all incoming email and attachments. Most security software will automatically scan each file attached to email or IM messages, even those from trusted sources. The small amount of time that it takes to perform this function can potentially save you hours of work if a file is compromised.

Backup, Backup, Backup!
If all else fails, back up your computer data regularly. This cannot be stated often enough. Do not assume that someone else is doing this for you! The failure of a computer hard drive or the mistaken deletion of a data file can be devastating and can mean the loss of many hours of work. Think about what you use every day and how much time it would take you to recover should those files be corrupted, deleted or inaccessible due to a hard drive failure. It is very important that you save the important files you are working on periodically. If you do so, you have something that can be accessed via a backup, shadow copy or other means. If the file is not saved, all the backups in the world will not do you any good! Make it a practice to save those open files you are working on all day. Save early and save often! You can guard against disasters by having backups. If your IT department performs backups, that is great. If not, there are online services that can back up your system for a small price (e.g. Carbonite, Mozy, etc.) so that you will never have that feeling of losing everything. These services also provide access to those backups in the case of a stolen laptop. Doing these things will help save you a lot of grief and provide even more protection should your system or its files be hijacked by ‘ransomware’!

Looking at the BIG Picture
People say ignorance is bliss, but ignorance of the threats that are out there can be catastrophic. An unaware computer user is often the one who will fall victim to viruses, spyware, and phishing attacks, all of which are designed to corrupt systems or leak personal information to a third party without the user's consent. You need to know who to trust and when! Many advertisements and internet pop-ups have become devious and deceptive. They can often appear to be urgent system messages and warnings designed to scare you into clicking. As a rule of thumb, if a popup window contains an ad claiming to end pop-ups, speed up your system, or optimize your internet connection, then chances are it's a scam of some sort. If you get an email with a link, hover over that link and see if the destination of the hyperlink is the same as what is displayed on your screen. Proper security practices combined with up-to-date system patches, application patches, anti-virus software, anti-malware software, firewalls and backups are a winning team to keep you safe.
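The two manual checks described in this article, reading the real sender address behind a display name (the FedEx example above) and comparing a link's displayed text with its actual destination, can be automated in a mail filter. The sketch below is an added example, not part of the original article; the brand and webmail lists and the sample HTML body are constructed assumptions.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative lists (not from the article); extend for your environment.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
BRANDS = {"fedex": "fedex.com", "ups": "ups.com", "usps": "usps.com", "irs": "irs.gov"}

def sender_mismatch(from_header):
    """Return a warning (else None) when the display name claims a brand
    but the address is not at that brand's domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, real in BRANDS.items():
        claims = re.search(rf"\b{brand}\b", name.lower())
        if claims and domain != real and not domain.endswith("." + real):
            kind = "free webmail" if domain in FREEMAIL else "unrelated"
            return f"name claims {brand}, address is at {kind} domain {domain}"

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # hostname of a URL or bare "www.site/path", minus "www."
    parsed = urlparse(url if "//" in url else "//" + url)
    return re.sub(r"^www\.", "", (parsed.hostname or "").lower())

def link_mismatches(html):
    """Links whose visible text shows one host while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if re.match(r"(https?://|www\.)\S+$", text, re.I) and host(text) != host(href)]

# From line quoted in the article, and a constructed HTML body for illustration.
SAMPLE_FROM = "FedEx Online Team Management. <wednailofficer@gmail.com>"
SAMPLE_HTML = '<a href="http://tracking.example.net/fedex">www.fedex.com/track</a>'
```

Links whose visible text is not itself a URL ("Click here") are not flagged by this check; those still need the hover test described above.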

Solving The Problem
The SPAM problems that plague our technological security can only be resolved if users take a more careful approach to what and how much they share. For those in the business world, this may mean controlling what sites employees can access. Common Sense, just as it was in Thomas Paine’s time, is apparently not as common as one might think! Until users are better educated, there will continue to be issues with infection and hijacking of systems. There are many sites on the web that give some very good information on prevention and protection from infection: simply google “preventing social engineering”. If you have questions or comments about this article, contact me.

All product names / logos, company names / logos are copyrights of their respective holders. John Boline is an MCSE, MCTS, CNE, USE and a member of the Network Professional Association. The content herein is often based on late-breaking events. Much of the material is based on information from sources that are believed to be reliable. Hagerman & Company, Inc. disclaims all warranties as to the ultimate accuracy or completeness of the information. Hagerman & Company, Inc. and its employees shall have no liability for errors, omissions or inadequacies in the information contained within this article or for any interpretations thereof. The recommendations, positions and best practice policies outlined herein represent Hagerman & Company, Inc. initial analysis and therefore are subject to change as further information which may have bearing on these positions is made available. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Hagerman & Company, Inc. assumes no obligation to update the forward-looking statements made in this newsletter to reflect any change in circumstances, after the date of publication. Entire contents © 2015 Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.

Submitted by John Boline, Service Manager MCSE, CNE, USE, Hagerman & Company, Inc.
