
Wednesday, April 6, 2011

All about Phishing


There have been reports lately of huge numbers of people falling for what I think are easy-to-avoid traps set by cybercriminals. In an attempt to help those of you who don't have the time, or the inclination, to look into all the different ways unscrupulous people can steal sensitive information from you, I am going to explain, in a series of posts, how you can practice better common sense and avoid getting pwned.

Before I start with anything, I really want to emphasize my feelings about the definition of a hacker. A hacker, in my view and that of most other people interested in the phenomenon, is someone who has an obsession with a piece of technology to the point that they have to understand every single part of it; someone who is determined to achieve difficult technical tasks because they are a challenge, and out of curiosity. Hackers are sometimes criminals, but that should not tarnish the label at all. Hackers have created some of our most amazing technologies and services; we would not have the world we live in if it weren't for their tireless efforts and obsessive compulsion to challenge themselves. Judging hackers by the few bad apples is akin to saying all police are bad because a few are jerks, or to racism, sexism, or any other -ism. I try my best (even though I don't always manage it) to use the term cybercriminal rather than hacker when it fits, because I want to make people more aware of the difference. Hackers are curious and, although sometimes not in tune with the law, I sincerely believe that looking at information should never land anyone in jail. Stealing it, on the other hand, I don't know...

Now that that’s out of the way on to the article.

This is part one, and it is VERY simple: I am going to explain ways in which you might be compromised and offer some pretty simple and obvious changes you can make to be a little safer.

One of the more common points of attack is known as phishing.

A phishing attack is when someone sends you an email claiming to be someone else in order to get you to open a link and give up information. Phishing is also done by setting up fake websites with the same or similar domain names as ones you would trust, in an attempt to harvest login credentials. The two usually go together: the email is the bait, and the lookalike site is where your password actually gets collected.

I like to organize phishing attacks into two categories: personal phishing and business phishing.

An example of personal phishing would be an email claiming to be from Facebook. The email says you logged in from somewhere you don't recognize and gives you a link to 'fix' your security settings. Once you click the link you are sent to a site that looks like the Facebook login page but isn't. There you fill in your login information, maybe change a couple of pretend security settings (a good phisher will actually have you turn off any alerts rather than turn them on) and click next. At this point you are redirected to the real Facebook to avoid arousing suspicion, and you continue on about your day, completely oblivious to the fact that you just gave your password away and turned off all your security emails. The one tell that survives all the polish is the address: hover over the link before clicking, or look at the browser's address bar before typing anything, and the page will be on something like facebook.com.some-other-domain.net rather than facebook.com. This is of course a simple example using something rather harmless in the scheme of things; phishers have been known to steal bank, social security and email login information, which are far more dangerous to lose than a Facebook profile.

An example of a business spear phishing attack would be pretty much the same as above: you send an email, wait for someone to bite, and reel 'em in. The only real difference is the motive; sometimes it's access to a system, sometimes it's getting someone to wire millions of dollars to a fake account, sometimes it's stealing proprietary information. Businesses have a lot more to lose from phishing attacks, and I think their best option is to verify any payment request by phone before transferring money. One caveat: don't rely on caller ID to decide whether a call is genuine, because caller ID is easy to spoof. Call back a number you already have on file for the requester, never a number supplied in the email or by the caller.
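The checks described in the two examples above (does the sender's real address match who the display name claims to be, and does each link really go to the domain it appears to go to) can be automated. The script below is an added example, written for this page and not code from the original post; the sample message, the trusted-domain list and the function names are all constructed for the illustration. It parses a fake "Facebook Security" mail, extracts every link from the HTML body, and reports each case where the brand in the sender name, the link text or the hostname does not match the registrable domain the link actually points at.

```python
"""Flag the phishing tells from the examples above in a raw e-mail.

Everything below is constructed for this example: the sample message is
not a real phishing mail, and TRUSTED is an assumed allow-list, not
anything Facebook publishes.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand name -> registrable domains that brand really uses.
TRUSTED = {"facebook": {"facebook.com", "fb.com"}}

# Constructed sample: spoofed display name, one lookalike link, one genuine link.
SAMPLE_EMAIL = """\
From: "Facebook Security" <alerts@facebook-security-team.net>
To: victim@example.org
Subject: Unrecognised login to your account
Content-Type: text/html

<p>Someone logged in from a new device. Please
<a href="http://www.facebook.com.account-verify.net/login">fix your security settings</a>
or visit <a href="https://www.facebook.com/settings">facebook.com/settings</a>.</p>
"""

# Constructed sample with nothing suspicious, to show the checker stays quiet.
CLEAN_EMAIL = """\
From: "Facebook" <notification@facebook.com>
To: victim@example.org
Subject: New comment
Content-Type: text/html

<p>Bill commented on your photo. <a href="https://www.facebook.com/photo">View it</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels: 'www.facebook.com.evil.net' -> 'evil.net'.

    Adequate for .com/.net; production code would use a public-suffix list
    so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brands_mentioned(text):
    """Return the set of trusted brand names that appear in `text`."""
    return {brand for brand in TRUSTED if brand in text.lower()}


def check_email(raw):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name says "Facebook", but where does the mail really come from?
    name, addr = parseaddr(msg["From"])
    from_dom = registrable_domain(addr.split("@")[-1])
    for brand in brands_mentioned(name):
        if from_dom not in TRUSTED[brand]:
            findings.append(f"sender claims to be {brand} but mail comes from {from_dom}")

    # 2. For each link: brand in the hostname or text vs. real registrable domain,
    #    and visible URL-looking text vs. where the href actually goes.
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable_domain(host)
        for brand in brands_mentioned(host) | brands_mentioned(text):
            if dom not in TRUSTED[brand]:
                findings.append(f"link mentions {brand} but really goes to {dom}: {href}")
        shown = re.match(r"(?:https?://)?([\w.-]+\.\w+)", text)
        if shown and registrable_domain(shown.group(1)) != dom:
            findings.append(f"link shows {shown.group(1)} but points at {dom}")
    return findings


if __name__ == "__main__":
    for line in check_email(SAMPLE_EMAIL):
        print("SUSPICIOUS:", line)
    print("clean mail findings:", check_email(CLEAN_EMAIL))
```

Run against the constructed sample this reports two findings: the sender domain facebook-security-team.net does not belong to Facebook, and the first link mentions facebook in its hostname but lands on account-verify.net. The genuine facebook.com link and the clean message produce nothing. The hostname check is the important one: a phisher controls everything to the left of the registrable domain, so "facebook.com" appearing somewhere in a URL means nothing until you look at what comes after it.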

The next form of attack, which I think is pretty common, is social engineering. This involves more or less 'hacking' humans rather than machines.

Social engineering is a hard, if not impossible, thing to completely protect yourself from. Social engineers will pretend to be people you know, or to be you yourself, in order to get access to otherwise confidential information. Social engineers often don't go through the internet at all but instead use phone calls or in-person communication to achieve their goals.

An example of a social engineering attack: someone phishes you and, after getting your personal information, calls your bank or phone company and asks them to transfer money, cancel your account, or pretty much do whatever the hell they want, because the person on the phone thinks they're you.

Another example. An attacker, call him Jim, sees that you're friends with Bill Bob on Facebook. Jim looks at Bill Bob's profile and sees he has a public phone number on FB (never ever ever post any real number you actually answer on Facebook or any other social networking site, no matter how much they ask or promise security). Jim gives Bill a call, claims to be a paramedic, says you were beaten and robbed and that this was the first number he saw, and that he's calling Bill because he needs your last name just for a quick form. In a panic and not really thinking, Bill gives the 'paramedic' your last name. This is a really simple and probably not too practical attack, but I use it to show how social engineers tend to use the people you know in order to get to you. This is doubly bad for people who work for companies, as compromising their personal information usually gives attackers an 'in' to the company's network.

The two ways I see to avoid being 'social engineered' are either not to have a Facebook page at all, or to create one with a completely false name but an avatar picture people would recognize as yours, and send a message with all your friend requests explaining who you are and why you don't use your real name. This makes it much harder for social engineers to find the real you.

Another quick hint: use a different email address for each of your social networking accounts, with completely different names, because social engineers can sometimes find you by your email. I like to have one chain of fake name, fake email, fake social networking page, so that no path leads to any legitimate information. Don't forget that you never have to use real information online; the more random you are, the harder you are to trace.

Thanks for reading. Hit the comments if you have suggestions on things I should cover, or want to add something I might have missed.
