Tag Archive for: social engineering

Guarding Against Social Engineering Scams During the Holidays: A Primer from the Proficio Cyber Exposure Monitoring Team

The holiday season brings a spike in social engineering scams, leveraging the festive atmosphere to manipulate individuals into divulging sensitive information. Proficio’s Cyber Exposure Monitoring team emphasizes the importance of being vigilant during this high-risk period. This article serves to educate users on recognizing these scams, understanding their impact on organizations, and adopting strategies to safeguard personal and professional data.

Understanding Social Engineering Scams: Social engineering scams are psychological manipulations that trick users into making security mistakes or giving away sensitive information. During the holidays, these can take various forms:

  • Phishing Emails and Messages: Attackers masquerade as reputable entities to elicit personal data.
  • Fake Promotions and Giveaways: Scammers advertise irresistible deals to lure victims into providing credit card details.
  • Pretexting Calls: Fraudsters pose as customer service or tech support to extract confidential information.

How Attackers Trick Users

  • Appeal to Emotion: Scammers exploit the holiday spirit, preying on generosity or urgency.
  • Creating a Sense of Legitimacy: Using logos, language, and email addresses that mimic official entities.
  • Urgency Tactics: Pressuring users to “buy now” and act quickly, bypassing rational judgment.

The Journey to the Dark Web: Once scammers obtain personal data, it often ends up for sale on the dark web, a part of the internet notorious for illicit activities. Here’s how it unfolds:

  • Collection: Scammers consolidate the stolen data, including passwords, social security numbers, and financial details.
  • Exfiltration: The information is transferred to secure locations and databases.
  • Monetization: Cybercriminals auction the data to the highest bidder on dark web marketplaces.

Impact on Organizations

  • Data Breaches: Stolen credentials can lead to unauthorized access to corporate networks.
  • Financial Loss: Organizations may suffer financial damage due to fraud or theft.
  • Reputation Damage: A company’s brand may be tarnished, resulting in lost customer trust and revenue.
  • Operational Disruption: Cyberattacks can disrupt business operations and lead to costly downtimes.

Protective Measures: To protect against social engineering scams, individuals and organizations should:

  • Educate Employees: Regular training sessions on identifying and responding to scams.
  • Implement Verification Protocols: Confirm requests for sensitive information through multiple channels.
  • Use Advanced Security Software: Deploy up-to-date antivirus and anti-phishing tools.
  • Monitor Network Traffic: Keep an eye on unusual activity that could indicate a breach.

The holiday season’s cheer shouldn’t be dampened by cyber threats. By staying informed and adopting strong security practices, both individuals and organizations can defend against the surge in social engineering scams. Proficio’s Cyber Exposure Monitoring team is dedicated to providing the tools and knowledge needed to stay secure during the holidays and beyond.

James Crabb, VP of Global Engineering and Managed Services, leads the Security Engineering, Managed Infrastructure, Managed SIEM Infrastructure and Managed Sentinel teams at Proficio. With nearly two decades in IT and cybersecurity, he started in 2003 as a Troposcatter Telecommunications Specialist in the US Army, where he served for 13 years, reaching the rank of Sergeant First Class. While at Cisco, James contributed to the development and implementation of their first MDR Service.

Contact us to learn more about cyber exposure monitoring and how it protects your external threat exposure.


Outsmarting Phishing: A Guide to Identifying and Avoiding Cyber Threats

A global effort must be made to help ensure everyone stays safe and protected when using technology whenever and however you connect. As Cybersecurity Awareness Month comes to a close, we want to leave you with a recap of what social engineering is, how the threat actors operate and how to spot a social engineering attack. Proficio is spotlighting four fundamental cybersecurity behaviors. Each of these behaviors is vital for safeguarding your digital life. This blog highlights the “Secure Our World” initiative from CISA (Cybersecurity and Infrastructure Security Agency). It is a year-round effort that aims to promote cybersecurity best practices and tips for individuals and businesses. Here are the key takeaways you can apply and encourage others to follow:

1. CREATE STRONG PASSWORDS AND USE A PASSWORD MANAGER: Creating strong passwords and managing them securely is the first line of defense against cyber threats. Weak passwords are easy targets for hackers. By using complex, unique passwords for each of your accounts (made easier by employing a password manager), you significantly reduce the risk of unauthorized access. Strong passwords act as a robust barrier, protecting your sensitive information and digital identity.

Source: https://www.cisa.gov/

2. TURN ON MULTIFACTOR AUTHENTICATION: Multifactor authentication (MFA) adds an extra layer of security by requiring users to verify their identity through multiple methods, such as passwords, biometrics, or security tokens. Enabling MFA ensures that even if your password is compromised, unauthorized access is thwarted. It is a powerful tool in safeguarding your accounts and maintaining the confidentiality of your data.

3. RECOGNIZE AND REPORT PHISHING: Phishing attacks continue to be a prevalent threat in the digital landscape. Cybercriminals use deceptive emails, messages, or websites to trick individuals into revealing sensitive information. Recognizing phishing attempts and reporting them promptly is essential. By staying vigilant and educating others, you contribute to creating a safer online environment. Reporting phishing incidents enables your IT team and authorities to act, preventing further scams and protecting potential victims.

4. UPDATE YOUR SOFTWARE: Regularly updating your software, including operating systems, browsers, and applications, is critical for cybersecurity. Software updates often include security patches that address vulnerabilities exploited by cyber attackers. Failing to update your software leaves your devices and data exposed to potential exploits. By staying current with software updates, you ensure that your systems are equipped with the latest security features, enhancing overall protection against cyber threats.

We encourage you to embrace these cybersecurity behaviors as part of your daily digital habits. By incorporating these practices into your routine, you play an active role in securing our digital world. Join us in spreading the word about “Secure Our World” and let’s work together to create a safer online environment for everyone.

Social Engineering – The Art of Deception

Social Engineering is a common strategy in phishing attacks. Threat actors manipulate their targets into breaking normal security procedures or divulging confidential information. One of the most common social engineering trends we have observed this year was attackers masquerading as executive staff to trick users into providing sensitive data. Being able to identify the characteristics of these attempts is vital for us to maintain a strong security posture here at Proficio.

The Psychology of Social Engineering

Attackers often claim to be internal leadership or a trusted authority figure in an organization for several reasons:

  • Authority: People are more likely to follow instructions or requests that come from a person of authority. By impersonating these figures, attackers can exploit the psychological tendency to increase the chances of their phishing attempts being successful.
  • Urgency: Messages from leadership often carry a sense of urgency or importance, making the recipient more likely to act quickly without thoroughly verifying the request or authenticity of the email.
  • Trust: Employees generally trust communications from their superiors and colleagues. Attackers exploit this trust to trick employees into revealing sensitive information, clicking on malicious links, or even transferring funds.
  • Fear of Consequences: Employees may fear negative consequences if they ignore or question a request from a high-level executive. This fear can push them to comply without due diligence.
  • Lower Suspicion: Emails from internal sources or well-known contacts are less likely to be marked as spam or to raise suspicion.

Types of Phishing Attacks

Add a new one to the list – Quishing!

  • Quishing: QR code phishing, now known as Quishing, involves deceiving someone into scanning a QR code using their mobile device. The QR code then leads the user to a fraudulent website that might download malware or ask for sensitive information.
  • Spear Phishing: A Spear Phishing attack is a phishing attempt crafted to trick a specific person rather than a wider target. The attackers research the target, or they aim to gather that information to advance their objectives. Once personal details are obtained, such as a birthday, the phishing attempt is tailored to incorporate that personal detail(s) to appear more legitimate. These attacks are typically more successful because they are more believable. In other words, this type of attack has much more context (as outlined by the NIST Phish Scale) that is relevant to the target.
  • Whaling: Whaling is a sub-type of Spear Phishing and is typically even more targeted to specific high-value individuals such as business executives, celebrities, and people with high-net-worth. Access to their account credentials typically provides a gateway to more information and financial gain.
  • Smishing: Smishing is a type of phishing attack deployed via SMS message. This type of phishing attack gets more visibility because of the individual’s notification and because more people are likely to read a text message than an email. Smishing attempts have escalated with the rising popularity of SMS messaging between consumers and businesses. If you receive a text message asking you to send personal information or money, do not reply. Replying to the message lets the attacker know it is an active number and an attack will continue.
  • Vishing: Vishing is a type of attack carried out via phone call. The attackers call the victim, usually with a pre-recorded message or a script. In a recent X (formerly Twitter) breach, a group of hackers pretending to be “IT Staff” were able to convince Twitter employees to hand over credentials all through phone conversations.

Why Use of QR Codes in Phishing Campaigns is Increasing

Because it is easy to generate QR codes using free online tools, QR codes are a simple and scalable attack vector. Attackers place a fake QR code sticker over a legitimate QR code posted to public websites. That fraudulent QR code can lead unknowing users to phishing sites that mimic legitimate websites. Attackers are increasingly using QR code spoofing in their social engineering tactics, with enticing offers and urgent emails motivating the user to scan the code. Here is how attackers leverage QR code spoofing to achieve their end goal:

  • Malware Distribution: QR codes can be linked to malicious websites. For example, when a user scans the QR code, they could be redirected to a website that automatically downloads malicious software onto their device, opening the door to unauthorized access or data theft.
  • Fake App Downloads: Scanning a QR code in an email might prompt users to download a malicious app disguised as a legitimate one. Once installed, the app could compromise the user’s device, infect it with malware, serve malicious pop-up ads, or more.
  • Credential Harvesting: Attackers can craft QR codes that lead to phishing sites posing as login pages. Unsuspecting users may scan the QR code and enter their user ID and password, thinking they are logging into a legitimate service. The attackers then harvest the credentials and put them up for sale on a dark web marketplace, or use them for personal or financial gain.
  • Tech Support Scams: Scammers can use QR codes to redirect users to fraudulent tech support websites or phone numbers. Users might fall for calling the provided number, where scammers pose as tech support agents, tricking victims into handing over their credit card information or granting remote access to their devices.

Real-Life Examples: Phishing Emails Sent to Proficio Executives

When using QR Codes, follow these steps first:

  1. Double check the URL that pops up before proceeding to a site – especially if you are asked to enter any information. Does it look suspicious?
  2. Use a QR scanning app that checks for malicious links.
  3. Avoid scanning QR codes from unknown sources.
  4. Monitor accounts after scanning for unauthorized activity.

If you receive an email that appears suspicious, make sure to verify the contents by calling the sender, using an internal messaging system or any other medium. Make sure to notify your IT department.

Don’t Forget – Social Engineering Red Flags

1. Grammar and Spelling Errors: One of the more common signs of a phishing email is bad spelling and incorrect grammar. Most businesses have the spell check feature on their email client turned on for outbound emails, and autocorrect or highlighting features are also available on most web browsers. Therefore, emails from a professional source should be free of grammar and spelling errors.

2. Inconsistencies in Email Addresses, Links & Domain Names: Look for discrepancies in email addresses, links, and domain names. If you suspect phishing, check that the email address matches the sender’s email. Hover the cursor over any embedded links to verify that the URLs behind hyperlinked text are legitimate. If the email is allegedly from PayPal, but the link’s domain does not include “paypal.com,” that’s a huge giveaway. If the domain names don’t match, don’t click.

3. Threats or a Sense of Urgency: Another tactic attackers use is creating a sense of urgency to fluster the recipient. Emails that threaten negative consequences should always be treated with suspicion. The attacker hopes that if their target reads the phishing email in haste, the hallmarks of a phishing campaign might not be detected.

4. Suspicious Attachments: If an email with an attached file is sent from an unfamiliar source, or if the recipient did not request or expect to receive a file from the email’s sender, the attachment should be opened with caution. If the attached file has an extension commonly associated with malware downloads (.pdf, .zip, .exe, .scr, .html, etc.), or has an unfamiliar extension, recipients should flag the file to be virus-scanned before opening.

5. Unusual Request: If an email sender has an unusual request, that can also indicate that the message is potentially malicious. For example, if an email claims to be from the IT team asking the recipient to perform tasks typically handled by IT, that’s a big clue that you have received a phishing email: do not follow the instructions, and report it to IT.

6. Request for Credentials, Payment Information or Other Personal Details: One of the most sophisticated phishing emails is when a recipient is directed to a fake landing page via an email link and prompted to log in. Recipients should check out the website from which the email was supposedly sent by typing in the URL, rather than clicking on the link in the email, before entering their login credentials into the fake site or making a payment to the attacker.

At Proficio, we use phishing attempts to identify behavioral trends with specific users, understand the social engineering methods being used in the emails, and detect any malicious content being sent to our users. It’s important to remember that regardless of the sender, you should always 1. verify, 2. validate, and 3. confirm that an email is legitimate before replying, clicking on any links, or scanning a QR code. And trust your gut: if the email looks suspicious, it probably is. Learn more about Proficio and how we can help you.
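As an added example (not code from the original post), the following Python script automates red flags 2 and 4 above, and its domain check is the same one to apply to the URL shown after scanning a QR code (step 1 of the QR guidance earlier). The sample message, the claimed domain and the extension set are constructed for illustration; the domain reduction is a simplification that does not handle multi-label public suffixes.

```python
import os
from urllib.parse import urlparse

# Extensions the post lists as commonly associated with malware downloads
# (constructed set from that list; extend it to match your own policy).
RISKY_EXTENSIONS = {".pdf", ".zip", ".exe", ".scr", ".html"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels ("mail.paypal.com" -> "paypal.com").
    Simplification: multi-label public suffixes such as "co.uk" are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_matches_domain(url: str, expected: str) -> bool:
    """True only if the link's host is `expected` or a genuine subdomain of it.
    urlparse().hostname drops any user@ prefix, so "https://paypal.com@evil.example"
    resolves to evil.example, and "paypal.com.evil.example" reduces to evil.example."""
    host = urlparse(url).hostname
    if not host:  # text without a scheme, e.g. "paypal.com/login": treat as unverified
        return False
    return registrable_domain(host) == expected.lower()


def email_red_flags(sender: str, links: list[str], attachments: list[str],
                    claimed_domain: str) -> list[str]:
    """Return the red flags found in a message that claims to come from claimed_domain."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1]
    if registrable_domain(sender_domain) != claimed_domain.lower():
        flags.append(f"sender domain {sender_domain} does not match {claimed_domain}")
    for url in links:
        if not url_matches_domain(url, claimed_domain):
            flags.append(f"link host {urlparse(url).hostname} is not under {claimed_domain}")
    for name in attachments:
        ext = os.path.splitext(name)[1].lower()  # "Invoice.pdf.exe" -> ".exe"
        if ext in RISKY_EXTENSIONS:
            flags.append(f"attachment {name} has risky extension {ext}")
    return flags


# Constructed sample: a hypothetical message claiming to be from PayPal.
SAMPLE = {
    "sender": "service@paypal.com.account-verify.example",
    "links": ["https://www.paypal.com/signin",
              "https://paypal.com@login-paypal.example/verify"],
    "attachments": ["Invoice_2023.pdf.exe"],
}


def triage_sample() -> list[str]:
    return email_red_flags(SAMPLE["sender"], SAMPLE["links"],
                           SAMPLE["attachments"], "paypal.com")


if __name__ == "__main__":
    for flag in triage_sample():
        print("RED FLAG:", flag)
```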

METHOD: Scammers Use Breached Personal Data in Phishing Campaigns

Scammers often use a wide spectrum of social engineering methods when persuading potential victims to follow the desired course of action. Recent campaigns are using details gathered in mass breaches, such as passwords, email addresses, and other personal information gained from past data compromises. Examples of such scams include:


1) Personalized Porn Extortion Scam
This campaign involves the sender claiming to have evidence of the recipient’s porn viewing activities, and then demanding payment in exchange for “suppressing” the evidence. It is also observed that the scammer utilises personal information about the recipient beyond just the name, such as a real password the recipient used that was discovered in a data breach dump. Attackers have also been observed claiming to have RDP (remote desktop protocol) access to your computer as a means to watch you while you browse the pornography sites. The scam often demands payment via non-trackable cryptocurrency like Bitcoin and deems this a “privacy fee.” The real user password used in the scam was likely obtained in one of the mass data breaches that include email addresses, passwords, and other personal information.

2) Data Breach Lawsuit Case
In this case, the scammer utilizes the victim’s phone number to prove that the victim has sensitive data that was leaked. The scammer poses as an entity that is preparing to sue the company that allegedly leaked the data:

“Your data is compromised. We are preparing a lawsuit against the company that allowed a big data leak. If all our clients win a case, we plan to get a large amount of compensation and all the data and photos that were stolen from the company. For example, we write to your email and include part your number ****** from a large leak.”

The sender’s objective is to solicit additional personal information from the victim under the guise of preparing the lawsuit, possibly requesting the social security number, banking account details, etc.

Proficio Threat Intelligence Recommendations:

  • Enable spam filters to recognize and block emails from suspicious sources before they reach employees’ inboxes.
  • Do not email or reply to the scammers.
  • Paying only signals that you are vulnerable, and you may be targeted by the scammers again.
