Watch Out For Social Engineering Attacks

by Jonathan Ashton.

To ensure success, hackers often use multiple approaches to the same problem. These may be technological, in the hacking tools they bring to bear or in their knowledge of vulnerabilities that can be exploited, but they also make use of Social Engineering.

Social Engineering is the use of psychological tricks against people to get them to do something against their interests or to the benefit of the attacker. Social Engineering has been around for a lot longer than the phrase; con men and scam artists have used the same techniques for centuries to get what they want.

One of the best examples of Social Engineering is the Greeks leaving behind a large wooden horse after pretending to give up on the decade-long siege of Troy (https://en.wikipedia.org/wiki/Trojan_Horse). Even the term Trojan is used in cyber security to indicate a malicious program that pretends to be something it’s not (e.g. an innocuous program or browser plugin that contains a key logger).

Hackers make use of Social Engineering as it’s often quicker to convince someone to perform an action or give up some information than it is to find and exploit a technological vulnerability.


They make use of multiple strategies to help achieve their goals:

  • Phishing and Spear Phishing – Spammed or targeted emails that aim to get the victim to hand over information, take an action or activate a malicious attachment/website. Fun Fact: scammers often deliberately include spelling mistakes to single out more credulous people.
  • Pretexting – Where scammers need to operate in person (either via a phone or face-to-face) they’ll spend time crafting a plausible reason as to why they need what they’re asking for. Unlike phishing attacks, which use urgency coupled with fear (either of missing out or of some repercussion), pretexting relies on building trust with the victim in order to make use of them.
  • Baiting – Relies on people receiving “something for nothing”. For example, USB sticks can be put in a reception area or an organisation’s car park, often with a juicy label like “Redundancies 2017”, in the hope that people will be curious enough to pick up the device and plug it into a machine. Once that’s done the machine can be compromised in seconds, often installing back doors and “phoning home” to the attacker for exploitation at their leisure.
  • Quid Pro Quo – In order to instil a sense of obligation an attacker will offer help in some form with the expectation that the user will respond in kind to a request from the attacker.
  • Tailgating – Our final example is tailgating, where someone who lacks authority to enter a particular area follows behind someone who has access. This can be as simple as impersonating a delivery driver with a package or being in a common smoking area and following other smokers back into the building.


In order to reduce the risk to yourself and the university, be aware of the red flags when dealing with people. Some red flags include unsolicited urgent communications with an implied threat or benefit, and strangers looking for the benefit of the doubt.

But also take into account the sensitivity of information you’re being asked for or the impact of an action you’re being asked to do. Hackers and scammers can do very little without your help!

Protecting yourself in a high threat environment

by Jennifer Kennedy.

Western Intelligence services have lost control of a number of ‘cyber weapons’. These are essentially toolkits built around one or more vulnerabilities that the intelligence services have discovered but not disclosed to vendors.

The recent WannaCry ransomware which had such devastating effect on the NHS and around the world made use of one such undisclosed vulnerability.

These ‘cyber weapons’ are crafted exploits available across multiple operating systems (Windows, Apple, Linux) and devices (Android, iPhones, Windows phones).

As a result, the threat environment at the moment is very high and system vendors and security companies are working hard to understand the vulnerabilities and provide fixes or protection. Users need to ensure systems are patched or security products installed in order to benefit from this protection and reduce their risk.

Additionally two further attacks have shown disturbing developments.

  • UCL suffered a ransomware attack on 15th June this year that investigation showed was initiated by users browsing a site that was running malicious advertising. The attack itself was initiated via an advert that not only made use of a ‘zero-day exploit’ (a vulnerability not known to vendors and therefore not fixed or protected against) but didn’t require the user to click on anything. Around a dozen computers were infected, which resulted in the IT department shutting down all network drives in order to contain and eradicate the infection.
  • A further ransomware attack called NotPetya appeared on the 27th June. It made use of the same WannaCry vulnerability in addition to several others. This attack is remarkable because it appears the hackers had no intention of decrypting any of the machines that had been infected. Even those users who dutifully paid $300 received nothing in return.

In this environment it becomes incredibly important that organisations and users take time to ensure their systems are properly protected:

  • Always ensure your machines and devices are updated regularly. All major Operating System manufacturers offer automatic updates and this feature should be turned on.
  • Computers and devices should have some form of anti-virus/anti-malware or internet security suite installed.
  • Install ad blockers where possible on all browsers (for more advanced users, look into script blocking add-ons).
  • Don’t use an administrator login as your normal login; create a separate user with normal rights and use that for your day to day use. The more rights your account has, the more damage can be done if it is compromised.
  • Be vigilant and don’t fall for unsolicited attempts to get you to click links, open attachments or perform some other action (especially where there’s an implied or explicit threat or reward).
  • Ensure backups are taken of your most important files. This should be either on a separate system or, preferably, on removable storage.

Do you leave your PC on overnight?

by Jennifer Kennedy.


The energy wasted by leaving your PC on isn’t the only thing you need to be concerned about. Not rebooting your PC regularly can mean it’s less protected against malware and other security risks. Every month, Digital Technology Services installs updates to staff and student computers to maintain security and address issues. These take effect when the PC is restarted.

If you do not do this, you are not adequately safeguarding your PC and the University’s IT. Please remember to restart frequently, it will make the computer run better too.

Student PCs at the University are restarted automatically every day but everyone should also make sure they update and restart their own equipment regularly to help keep it secure against the latest malware and viruses.


Fraud Alert

by Jonathan Ashton.

The University has received notification of fraudsters running sophisticated scams at other universities to obtain users’ login details for the HR portal. These details are subsequently used to change bank account details so wages and expenses are paid to the fraudsters.

On receipt of this notification SHU is taking the following action:

  • Contacting all staff who have changed banking details since the last pay day on January 15th to verify the change is legitimate
  • Adding filters to the SHU mail systems to block known e-mail subject titles. A search of the logs shows no previous use of these subject titles
  • Communicating with staff via the staff intranet, eView and the IT Security Blog

There’s no indication that SHU has been targeted yet and staff are being informed of the current risk via a number of channels.

As always, please be aware of unsolicited emails enticing you to click a link or open an attachment. This particular phishing attempt used both branded emails and a branded web login page indistinguishable from the actual HR employee portal.

If you’ve:

  • had any suspicious/unsolicited emails
  • clicked on a link in an unsolicited email taking you to the Core Portal
  • entered username/password into the Core Portal that has subsequently failed to load

please contact the helpdesk on 3333 or via ITHelp@shu.ac.uk.

For more information see this article on protecting yourself from phishing fraud and this advice on the staff intranet about dealing with suspicious emails.

Four Steps to Staying Secure (YPUB)

by Jonathan Ashton.

IT security is a fast moving and complex area which can have a significant impact on your online safety and security. Practicing some fundamental principles can help reduce the chances of being targeted or succumbing to an attack.

Your goal is to make yourself much less attractive to hackers usually by significantly increasing the time needed for them to gain a foothold – “time is money” is as true for hackers as anyone else who’s self-employed.


You

Hackers have realised that one of the easiest ways to bypass IT security is to manipulate you. They will do this either to:

  • gain access to systems (“Hi there I’m from Microsoft, we’ve noticed a problem with your system and would like to help, can you just …”)
  • get you to divulge your information like username and passwords (“Your Amazon package could not be delivered, click on the link and sign in to review further delivery options”)
  • trick you into installing malicious software (“Demand for overdue payment! Please find attached an invoice for immediate payment”)

In some cases it takes just minutes to take control of a machine or device once the initial compromise has happened via a deceptive attachment or a click on a link to a malicious site.

Hackers will attempt to make you feel as if you’re obligated to do something, either to receive a benefit or avoid a penalty. Take time to review any communication (email, SMS, phone call or instant message) that has any of the following features:

  • unsolicited
  • imparted urgency
  • carries an explicit or implied benefit/threat
  • expects you to take an action (click on a link, divulge information)

Common sense will help you weed out the attacks relying on you to succeed.


Passwords

Passwords need to be complex, long and unique (CLU).

Simple eight-character passwords can in general be cracked within minutes by determined hackers. Mixing in upper and lower case, numbers and symbols makes your password harder to crack.

Increasing the password length can also have a big effect on the time taken – aim for at least 12 characters but more will significantly increase the time taken.

Don’t use the same password across multiple sites/services as hackers will scan hundreds of sites with hacked username/email address/password combinations to see what else can be compromised.
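The following is an added example, not part of the original post, showing how the search space an attacker must cover grows with character classes (the "complex" in CLU) and with length (the "long"). The guess rate is an assumption labelled in the code; the sample passwords are constructed.

```python
import string

# Assumption (not from the post): an offline attack on a fast, unsalted hash
# using commodity GPUs. Real rates vary by orders of magnitude with the hash
# algorithm and hardware, and dictionary attacks beat brute force on weak passwords.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000  # 1e10

# The character classes the post's "complex" rule refers to.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def classes_present(password: str) -> int:
    """How many of the four classes the password draws from."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in password))

def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, given the classes that appear."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))

def search_space(password: str) -> int:
    """Number of candidates of this length over that alphabet (worst case for the attacker)."""
    return charset_size(password) ** len(password)

def worst_case_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole search space at the assumed rate."""
    return search_space(password) / rate

def meets_clu(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Complex (>= 3 classes) and Long (>= 12 chars). 'Unique' is about reuse
    across sites, not a property of the string, so it cannot be checked here."""
    return len(password) >= min_length and classes_present(password) >= min_classes

def human_time(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    # Constructed sample passwords: 8 lower+digit, 8 mixed, 12 mixed.
    for pw in ("hallam12", "Ha11am!x", "Ha11am!xPass"):
        print(f"{pw:14} classes={classes_present(pw)} alphabet={charset_size(pw):3} "
              f"worst case {human_time(worst_case_seconds(pw))}  CLU={meets_clu(pw)}")
```

Going from 8 to 12 mixed characters moves the worst case from days to over a million years at the assumed rate, which is the point of "aim for at least 12 characters".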

Updates

Hackers and companies are engaged in an arms race to uncover/secure vulnerabilities in products released to the public. Out of date software is a boon to hackers who make use of tools to automatically check for a wide variety of exploits and flaws and report on the ones that offer the best chances to take control.

Anything that can be connected to the internet needs to be kept up to date; doing so reduces the opportunities for attackers and makes it much harder for them to hack you. Ensure automated updates are turned on for all your devices and operating systems.

Where possible install Anti-Virus/Internet Security software from a reputable company and ensure it is kept up to date. Companies like Kaspersky, AVG, F-Secure, Sophos, McAfee, etc. spend significant amounts of money identifying, researching and defending against new and emerging threats and make it significantly harder for hackers to get a foothold.


Backups

Even with these precautions you may still be hacked. The arms race between hackers and companies often means that hackers notice and exploit a vulnerability first as they’ve the most to gain from it. Where a compromise has occurred you may lose access to your personal files, photos, music or other information.

Often wiping the device/computer and re-installing is the only effective way to be certain the problem has been dealt with. In these cases (where your files have been locked away by an attacker or a wipe and re-install is required) the only way to get your files back is from a backup.

Make sure you do regular backups of important information and, just as importantly, make sure you can restore them. This can be as simple as copying the files to a USB stick or backup hard drive.

Phishing attack targeting Gmail users

by Jennifer Kennedy.

A particularly nasty phishing scam is currently circulating using an infected PDF attachment to take victims to a fake Gmail sign-in page. Once the user has signed in, the scam is then sent to other Gmail users with information from the sent items folder. This means the phishing attacks can look very convincing, with realistic subject lines and appearing to come from known contacts.

Once the hackers have access to your account they may be able to use your personal details and password on other services you use. You can avoid being targeted by enabling two-factor authentication. To check whether the login page is genuine, look out for the prefix ‘data:text/html’ in the browser location bar, which indicates that you are being directed to an illegitimate web page. The real login page should start with https://accounts.google.com/ServiceLogin
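As an added example (not from the original post), the two indicators given above can be turned into a small check of whatever appears in the location bar: a ‘data:text/html’ prefix is a fake page, and only an https URL whose host is exactly accounts.google.com and whose path starts with /ServiceLogin counts as the genuine one. The sample addresses in the comments are constructed.

```python
from urllib.parse import urlsplit

GENUINE_SCHEME = "https"
GENUINE_HOST = "accounts.google.com"
GENUINE_PATH_PREFIX = "/ServiceLogin"

def login_url_verdict(location_bar: str) -> str:
    """Classify a location-bar string as 'fake', 'genuine' or 'suspicious'."""
    text = location_bar.strip()  # surrounding whitespace changes nothing about the target
    if text.lower().startswith("data:text/html"):
        # The whole page is embedded in the address: no server, no certificate, no Google.
        return "fake"
    parts = urlsplit(text)
    if parts.scheme.lower() != GENUINE_SCHEME:
        return "suspicious"  # e.g. plain http, or a scheme that is not a web address at all
    host = (parts.hostname or "").lower()
    # Exact host match only: 'accounts.google.com.example.net' belongs to example.net,
    # and in 'https://accounts.google.com@example.net/' the real host is example.net.
    if host != GENUINE_HOST:
        return "suspicious"
    if not parts.path.startswith(GENUINE_PATH_PREFIX):
        return "suspicious"  # right site, but not the sign-in page the post describes
    return "genuine"

if __name__ == "__main__":
    # Constructed examples of what a user might see in the location bar.
    for url in ("https://accounts.google.com/ServiceLogin?service=mail",
                "data:text/html,<html><body>Sign in</body></html>",
                "https://accounts.google.com.example.net/ServiceLogin"):
        print(f"{login_url_verdict(url):10} {url[:60]}")
```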

Beware of kidnappers

by Jennifer Kennedy.

It’s files (not people) that are likely to be captured but it’s a crime that’s increasing and one you should protect yourself against.

In the last few years, a particularly malicious form of software – known as Ransomware – has emerged as a lucrative income source for criminals. Once an infected file of this kind unleashes itself on your computer you will find you are unable to access files and will probably receive a ransom demand for payment in untraceable currency (such as Bitcoin) to release the files which have been encrypted and locked. Ransomware is spread through phishing emails containing harmful attachments or links or via scam websites which trick people into accidentally installing the software on their computers.

While awareness about the need to safeguard sensitive and confidential data is improving, people tend to be less cautious about protecting computers and hard drives. We believe that anti-virus software and firewalls will keep us safe but malware is evolving all the time and those who want to exploit it work hard to stay ahead of the defences we put in place. Many of us have items we value stored on a hard drive – key pieces from a portfolio of work, precious family photos or videos or the information we need to complete a fast approaching deadline. Ransomware is designed to exploit this and deliberately puts pressure on the intended victim through psychological tricks such as a countdown ticker and possibly a webcam feed to the attacker. You might also receive a demand which implies illegal material has been found on your computer. Sometimes, criminals will call you or someone in an organisation before they send the email to improve the chances of it being opened.

Protect yourself from this kind of threat by taking these actions.

  1. Always check links and web pages to be sure they are genuine; constant vigilance is your best defence.
  2. Keep your files backed up. If you have other copies of your important files, you will be less pressured by fraudsters’ tricks.
  3. If you find yourself the victim of an attack, keep a cool head. Don’t give in to demands (even if you pay, you may not get your files back) and turn off your computer immediately. Then telephone IT Help on x 3333 to explain what has happened and ask for advice.

For more information about dealing with suspicious emails and avoiding malware threats, check out the IT self-help advice on the staff intranet.

You might find this video interesting too.

Don’t open the door to hackers

by Jennifer Kennedy.

Phishing uses fraudulent emails, texts and phone calls to obtain personal and financial information (such as account details and passwords) or to trick people into performing an action (such as authorising a payment). These attempts are becoming increasingly professional and try to appear genuine by mimicking the look and brand of companies or organisations to gain trust.

Fraudsters often invest a lot of time and effort in trying to hack the accounts of people who have access to budgets or personal, sensitive or confidential information. Targeted attacks are known as ‘spear phishing’ and phishing high value targets in an organisation is known as ‘whaling’.

This video (courtesy of one of our suppliers, Cisco) gives an insight into how a hacker might think and act.

There are several ways to spot phishing emails:

  • Be suspicious of any urgent requests for personal or financial information
  • Be wary of attempts to make you take immediate action around financial payments, transfers or authorisations
  • Check the quality of the communications. Misspelling, poor punctuation and bad grammar are often tell-tale signs of phishing
  • Check hyperlinks and email addresses by hovering over them to show where they lead. If they aren’t genuine, they will often be peculiar web or email addresses.
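The last point in the list, hovering to compare where a link says it goes with where it actually leads, can be automated for an HTML email. This is an added example, not code from the original post: it collects every anchor, and where the visible text names a domain, flags it if the href’s host is not that domain (or a subdomain of it). The sample email is constructed; the decoy host uses a reserved example domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches something that looks like a domain inside the visible link text.
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

class LinkCollector(HTMLParser):
    """Gathers (href, visible text) for each <a> element in the email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def mismatched_links(html: str) -> list:
    """Return (visible_text, href) pairs whose shown domain differs from the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text)
        if not shown:
            continue  # text like 'click here' names no domain; that one still needs a hover
        shown_domain = shown.group(1).lower()
        actual = host_of(href)
        if actual != shown_domain and not actual.endswith("." + shown_domain):
            flagged.append((text, href))
    return flagged

# Constructed sample: one decoy link (text says Amazon, href goes elsewhere) and one honest link.
SAMPLE_EMAIL = """<p>Your Amazon package could not be delivered.</p>
<p>Sign in at <a href="http://amazon-delivery.example.net/login">https://www.amazon.co.uk/</a>
or see <a href="https://www.amazon.co.uk/help">www.amazon.co.uk/help</a> for delivery options.</p>"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: shows {text!r} but goes to {href}")
```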

How can you protect yourself?

  • Always ensure you are using a secure webpage when submitting credit card or other sensitive information. Secure web addresses begin with ‘https://’ and/or show a security lock.
  • Do not give out personal information in response to an unsolicited email, phone call or text.
  • Be sure you are going to the correct site by typing in the address yourself.
  • If in doubt, call the company or individual which the email claims to be from. They will usually be able to confirm whether the communication is genuine or not.
  • If you think one of your accounts has been compromised, you should change your password immediately.

If you’ve responded in the past to one or more phishing emails be aware that you may be the target of further, more sophisticated attacks via email or phone.

If you have clicked on a suspicious link or opened an attachment, suspect you have a virus or have any other IT Security concerns, please contact IT Help.

For more advice about dealing with suspicious emails, visit the University’s IT Help pages.

You might find this Lynda.com playlist on Cybersecurity useful too.