Social Engineering threats, Email threats, Zero Day threats… With so many threats these days, keeping a computer system or network clean can be a full-time job. Wouldn’t it be nice if there were an Early Warning System that could prepare you before the attack actually hits? Is this a pipe dream? To some it is, but if you know how to prepare, you can get ahead of the threats and protect yourself and your networks from these dangers. How, you ask? It will involve some old-school techniques combined with new cutting-edge technology. Let me explain!
People are People
Scammers count on people to react in a particular way to email and email attachments. When you receive an email with a link that says your check did not clear, your order has shipped, you have a package at the post office, or the IRS is collecting for a tax bill, it is very common to want to investigate further by opening the email or clicking on the file attachment. Often, we don’t automatically assume it is a scam. I mean, they have your email so it must be legit, right? There are several things to keep in mind when you get a message like that:
1) The U.S. Post Office does not send an email unless you sign up for tracking on a package. “Customers would receive notification via postcard that they needed to pick up a parcel or it would be posted on the door,” said Tammy Mayle, Postal Inspector. No matter what — always be wary of any email claiming to come from the Postal Service. “The Postal Service doesn’t have an email address for every postal customer available,” said Mayle.
2) The IRS does not communicate with anyone via email for tax bills, etc.
3) This also holds true for UPS and FedEx. Recent scam emails from FedEx used the following ‘from’ email address:
From: FedEx Online Team Management. <email@example.com>
Real email from FedEx would NOT be from a Gmail account!
Another thing to keep in mind is that an estimated 90% of .doc and .xls files contain a macro virus. If the customer is attaching a deprecated Word document with the now unsupported .DOC extension or a deprecated Excel document with the now unsupported .XLS extension, it is suspect. The .DOC and .XLS formats have been officially retired, are unsupported by Microsoft, and are now known to be harbors for macro-related viruses. If you are going to email files, then the files should be zipped. Regardless, many people still open emails containing .XLS file extensions, simply because they do not pay attention. It is the same reason some might get drive-by infections from installing a program simply because they clicked next, next, next without reading the text in the box. This is Social Engineering in action.
Most people like to get packages, especially if they contain free stuff! When you receive an email announcing your order is en route or you need to claim your package, it may be too big of a temptation not to open it. Curiosity often gets the best of us. Another great example of social engineering can be found in the “I Love You” virus from a few years ago. Based on the simple fact that all (well most) of us want to be loved, users were urged to open, not a warm message from a loved one, but a virus that infected their entire machine and turned it into an email server that dished up a similar email to everyone in their address book. This particular virus spread like wildfire. Patches were built for most email clients to help stop this and most anti-virus programs no longer allow individual machines to become ‘email servers’. Rather than fixing the problem after it has occurred, however, it is best to stop these social engineering attacks from wreaking havoc in the first place by using a combination of common sense and security.
One of my favorite quotes is, ‘common sense is not that common’! When it comes to security, using plain common sense can be a real plus! When in doubt, consult your IT Department. If you don’t have an IT department, you should always err on the side of caution. Email attachments are still a widely used way to infect computers with unwanted payloads. The common sense approach is to delete email attachments from people you don’t know (WITHOUT opening them first!) Strange links in emails, Instant Messages, blogs, and social network walls should also be carefully reviewed. They just might contain malicious code.
Real Security Starts with Passwords?
Passwords? You bet! You should have passwords set and should not have blank passwords anywhere on the system. This is a great place to start. Second, do not use the same password for personal access that you use at work. Far too many people make this mistake. This basic security ensures that your business accounts and personal accounts cannot be accessed should there be a breach in one source. Another good practice is to NOT write your passwords on a Post-It that is on the wall or under your keyboard! Use upper and lower case letters, numbers and at least one special character in your password, when possible. This makes the password infinitely more secure than ‘qwer123’. Also be aware when setting those passwords that you do not have the Caps Lock key engaged. Most programs will tell you if you do, but some may not.
Most enterprises, and many ISPs serving home users, scan email at the firewall, in the cloud and/or at the server level before those emails arrive at the desktop. Even in those cases, or in cases where you do not have such countermeasures at your disposal, your anti-virus software should have a plug-in that allows you to scan all incoming email and attachments. Most security software will automatically scan each file attached to email or IM messages, even those from trusted sources. The small amount of time it takes to perform this function can save hours should a file be compromised.
Looking at the BIG Picture
Educating users on the use of their software and email is the most effective way to avoid problems. Ignorance is bliss, but ignoring the threats that are out there can be catastrophic. An unaware computer user is often the one who will fall victim to viruses, spyware, and phishing attacks, all of which are designed to corrupt systems or leak personal information to a third party without the user's consent. Trust is key! You need to know who to trust and when! Advertisements and pop-ups on the Internet have become devious and deceptive, appearing as urgent system messages and warnings designed to scare users into clicking. As a rule of thumb, if a pop-up window contains an ad claiming to end pop-ups, speed up your system, or optimize your internet connection, then chances are it's a scam of some sort. If you get an email with a link, hover over that link and see if the destination of the hyperlink is the same as what is displayed on your screen. Proper security practices combined with up-to-date system patches, application patches, anti-virus software, anti-malware software, firewalls and backups are a winning team to keep you safe.
Solving the Problem
Security and privacy issues can only be resolved if users take a more careful approach to what and how much information they share. Until everyone learns what to watch out for, there will be issues with infection and hijacking of systems. You may also find many websites containing good information on prevention and protection from infection by simply googling “preventing social engineering”. If you have questions or comments about this article, contact me.
All product names / logos, company names / logos are copyrights of their respective holders. John Boline is an MCSE, MCTS, CNE, USE and a member of the Network Professional Association. Entire contents © 2015 Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.