Phishing Archives - Social Engineering Blogs
http://www.socialengineeringblogs.com/category/phishing/
An Aggregator for Blogs About Social Engineering and Related Fields
Mon, 10 Oct 2016 10:51:06 +0000

iMessage Preview Problems
http://www.socialengineeringblogs.com/imessage-preview-problems/?pk_campaign=rss_feed&pk_kwd=imessage-preview-problems
Mon, 10 Oct 2016 10:51:06 +0000
Original: https://theantisocialengineer.com/?p=1055

In recent Apple iMessage updates, the way links are handled within an SMS message has changed significantly, and this adaptation poses quite a security concern for us. In early 2016 we were the first company in the UK to offer SMShing services. These SMS messages are like phishing emails and contain a pretext alongside a link within the message. When a… Read more →

The post iMessage Preview Problems appeared first on Social Engineering Blogs.

Fighting Phishing Email Scams: What You Should Know
http://www.socialengineeringblogs.com/fighting-phishing-email-scams-what-you-should-know/?pk_campaign=rss_feed&pk_kwd=fighting-phishing-email-scams-what-you-should-know
Wed, 10 Feb 2016 17:04:00 +0000

Phishing email scams are more effective than you may think. 

Read our infographic Don’t Let Phishing Emails Hook Your Employees.

By: Brand Barney

When you think of social engineering, you may think of someone walking into your business and stealing data from servers, computers, etc. But companies aren’t just getting socially engineered in person; it’s happening online too. Many employees fall victim to phishing email scams, which can lead to data breaches and the loss of important information.

What is a phishing scam?


Phishing is a type of Internet-based social engineering. Cybercriminals impersonate legitimate businesses and plausible situations in email to convince their victims to hand over personal information such as Social Security numbers.

Some phishing emails will have the victim click on a link, which introduces malware to the user’s device. The malware can then grant access to the attacker, leaving them free to steal sensitive data. Other emails will state that an item you purchased online can’t be shipped because the credit card number wasn’t correct, or the billing address was wrong, etc. They then have you click on a link to a spoofed website and ask for updated payment/shipping information.

SEE ALSO: Top 10 Types of Phishing Emails

Why do phishing email scams work?

With all the online scams that are happening, you’d think we’d be more wary of phishing email scams. Yet, these types of scams are responsible for a lot of lost data in companies.

Here are some reasons why phishing scams still work:

We’re trusting
We’d like to believe the people emailing us are genuine. It’s human nature to want to trust others, especially those that reach out to us. Unfortunately, social engineers take advantage of that and use it to steal from companies.

Good phishing emails look official
Some emails can recreate a company logo and make the email look convincing. Just like a social engineer in person looks like they belong in your company, phishing emails look like they are part of the company contacting you.

They prey on our fear
When we’re scared, we tend to not act logically. Some phishing emails take advantage of that, using scare tactics to cause us to make an impulsive decision. For example, you may receive an email stating that you have had a breach of your personal banking information, and you need to click on a link to log in and change your online banking password. The attacker is banking (pun intended) that you will want to quickly protect yourself or check your online balance to ensure you still have money after the “breach.”

SEE ALSO: 7 Ways to Recognize a Phishing Email

How do you combat phishing email scams?

  • Be skeptical: Always verify everything with the company you are working with, especially if it involves sensitive information. If a banking institution emails you asking for credit card information, call them on their published business number to verify. Avoid giving important data over email when possible.
  • Train employees: Make sure your employees are aware of phishing emails and what to do if they suspect they’re receiving one. Hold quarterly training meetings, if not monthly.
  • Have policies: Establish procedures employees should follow should they receive a phishing email or anything that seems suspicious. This could include how to verify if an email is legitimate, who to notify, and how to deal with such an email.

Let us help you train your employees against phishing!

Phishing is easier than you think

Phishing email scams are more of a danger than many companies realize. And it doesn’t take a particularly skilled attacker to create a successful phishing campaign.

Similar to social engineering, phishing targets the company’s weakest link in security: the employees. An untrained employee can inadvertently cause a lot of damage to their company if they fall victim to a phishing campaign.

Remember, when it comes to emails, be smart and be careful with sharing your data.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Want to learn more about spotting phishers? Check out the infographic below!

The post Fighting Phishing Email Scams: What You Should Know appeared first on Social Engineering Blogs.

7 Ways to Recognize a Phishing Email
http://www.socialengineeringblogs.com/7-ways-to-recognize-a-phishing-email/?pk_campaign=rss_feed&pk_kwd=7-ways-to-recognize-a-phishing-email
Fri, 16 May 2014 20:17:00 +0000

"You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time." –Abraham Lincoln

By: David Ellis, Director of Forensic Investigations

Are you sure that email from UPS is actually from UPS? (Or Costco, BestBuy, or the myriad of unsolicited emails you receive every day?) Companies and individuals are often targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization. In these emails, the sender asks recipients to click on a link that takes them to a page where they will confirm personal data, account information, etc.  

Video transcript (© SecurityMetrics | www.securitymetrics.com/pci | 801.705.5665):

Hey guys, and welcome back to the SecurityQ, your source for business data security. Today on the SecurityQ, I want to cover one question: are your employees properly trained to protect your business against phishing attacks? Not that type of fishing! Phishing is another tool used by hackers to gain access to your personal data. Phishing relies on your employees’ willingness to provide sensitive information like passwords, bank, and tax information. Here’s how it works. Companies are targeted via an email that is designed to look like it comes from a legitimate bank, organization or government agency. Then the sender asks to confirm personal information, in essence, phishing for data. For example, let’s say your business does e-commerce through PayPal. Hackers posing as PayPal will contact you via email asking you to confirm sensitive information pertaining to your account. Once information is obtained, hackers use the credentials gained to steal your sensitive data, mostly through attacks like malware and back doors to your network. That’s hook, line, and sinker. The scary thing is, you may have the best technology in the world, but if your employees aren’t properly trained, that technology is a complete and utter waste. Currently twenty percent of all breaches now involve phishing. Everyone in every industry and every company is ultimately a target. Keep in mind, it takes only one untrained employee to give away all the data you worked so hard to protect. As a business owner, how can you detect phishing attacks and properly train employees? First, the message or email you’re receiving may appear entirely convincing. You should keep a lookout for three things. Layout issues, spelling, and grammatical issues go hand in hand with phishing attacks. Second, don’t just check the name of the person sending the email. You need to check the email address and ensure that there are no alterations made to it. For example, additional letters or numbers added to the email address. Last, most companies will never ask for your personal information through email. If there’s any doubt, contact the sender. Remember, even savvy technology users can find themselves fooled by messages that appear authentic, so be cautious. Our advice? Educate your employees about phishing attacks. When it comes to staying safe online, it never hurts to have a little bit of cynicism. Well guys, that’s all the time we have for today on the SecurityQ, but as always we want to hear from you. So post your questions in the comments below, and don’t forget to subscribe. See ya next time on the SecurityQ.

This technique is called phishing, and it’s a way hackers con you into providing your personal information or account data. Once your info is obtained, hackers create new user credentials or install malware (such as backdoors) into your system to steal sensitive data. 

SEE ALSO: Examples of common phishing attempts.

It’s often difficult to distinguish a fake email from a genuine one; however, most carry subtle hints of their scammy nature. Here are seven ways to help you recognize a phishing email and maintain email security.

1. Legit companies don’t request your sensitive information via email

Chances are, if you receive an unsolicited email from an institution that provides a link or attachment and asks you to provide sensitive information, it’s a scam. Most companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers, nor will they send you a link from which you need to log in.

Global Pay phishing example
Notice the generic salutation at the beginning, and the unsolicited web link attachment?

2. Legit companies call you by your name

Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with requires information about your account, the email would call you by name and probably direct you to contact them via phone.

Best Buy phishing example
Sir/Madam? Also, what's up with the 17 in the middle of the sentence?

3. Legit companies have domain emails

Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. Make sure no alterations (like additional numbers or letters) have been made. Compare these two email addresses as an example of an altered address: [email protected] [email protected] Just remember, this isn’t a foolproof method. Sometimes companies use unique or varied domains to send emails, and some smaller companies use third-party email providers.

Costco phishing example
"Costco's" logo is just a bit off. This is what the Costco logo is supposed to look like.
See the difference? Subtle, no?


4. Legit companies know how to spell

Possibly the easiest way to recognize a scammy email is bad grammar. An email from a legitimate organization should be well written. Little known fact – there’s actually a purpose behind bad syntax. Hackers generally aren’t stupid. They prey on the uneducated because they are easier targets.

Eubank phishing example
Notice the apostrophe in the word 'friends'? Me neither. Other than that tiny grammar mistake, this is a very convincing email.


5. Legit companies don’t force you to their website

Sometimes phishing emails are coded entirely as a hyperlink. Therefore, clicking accidentally or deliberately anywhere in the email will open a fake web page, or download spam onto your computer.

USPS phishing example
This whole email is likely a gigantic hyperlink.


6. Legit companies don’t send unsolicited attachments

Unsolicited emails that contain attachments reek of hackers. Typically, authentic institutions don’t randomly send you emails with attachments, but instead direct you to download documents or files on their own website.

Like the tips above, this method isn’t foolproof. Sometimes companies that already have your email will send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types such as .exe, .scr, and .zip. (When in doubt, contact the company directly using contact information obtained from their actual website.)

Accounting phishing example
Just remember, curiosity killed the cat.


7. Legit company links match legitimate URLs

Just because a link says it’s going to send you to one place doesn’t mean it will. Double-check URLs. If the link text isn’t identical to the URL displayed as the cursor hovers over the link, that’s a sure sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct, or doesn’t match the context of the email, don’t trust it. For extra safety, hover your mouse over embedded links (without clicking!) and check that the link begins with https://.

Nokia phishing example
Although very convincing, the real Nokia wouldn’t be sending you a “Save your stuff” email from [email protected].

It doesn’t matter if you have the most secure system in the world. It takes only one untrained employee to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Make sure both you and your employees understand the telltale signs of a phishing attempt.
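The seven checks above are written for a human reader. The following Python, added here as an example and not part of the SecurityMetrics post, turns tips 2, 3, 6 and 7 into automatic checks over a raw message so that a mail gateway or an analyst's script can flag the same signs before anyone clicks. The `triage` function, its `expected_domain` parameter and the two sample messages are constructed for this example.

```python
# Added example, not SecurityMetrics' code: the post's tips 2, 3, 6 and 7 as
# automatic checks over one raw message, returning the findings for triage.
import re
from email import message_from_string, policy
from email.utils import parseaddr

GENERIC_SALUTATIONS = ("dear valued member", "dear account holder",
                       "dear customer", "dear sir/madam")   # tip 2
RISKY_EXTENSIONS = (".exe", ".scr", ".zip")                 # tip 6
# Simplified anchor extraction; html.parser would cope with more markup.
_ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url):
    """Hostname of an http(s) URL, or '' if the string is not one."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def _on_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw_message, expected_domain):
    """Return findings for one RFC 822 message. expected_domain (our own
    parameter) is the domain the display name implies, e.g. "paypal.com"."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Tip 3: check the address itself, not just the display name before it.
    _name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if not _on_domain(sender_domain, expected_domain):
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")
    if re.search(r"\d", sender_domain.split(".")[0]):  # "paypa1", "amaz0n"
        findings.append(f"digits in sender domain {sender_domain!r} (lookalike?)")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""

    # Tip 2: a generic salutation instead of your name.
    if any(s in text.lower() for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")

    # Tip 7: visible link text must match where the href really goes. https://
    # only means the page is encrypted, not that it belongs to the company, so
    # the domain checks carry more weight than the scheme check.
    if body is not None and body.get_content_type() == "text/html":
        for href, label in _ANCHOR_RE.findall(text):
            label = re.sub(r"<[^>]+>", "", label).strip()
            if _host(label) and _host(label) != _host(href):
                findings.append(f"link text {label!r} points to {href!r}")
            if _host(href) and not _on_domain(_host(href), expected_domain):
                findings.append(f"link to off-domain host {_host(href)!r}")
            if href.lower().startswith("http://"):
                findings.append(f"plain-http link {href!r}")

    # Tip 6: unsolicited attachments of the high-risk types.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(f"high-risk attachment {fname!r}")
    return findings


# Constructed samples, not real mail: a "billing problem" lure and a clean one.
SAMPLE_PHISH = """\
From: "PayPal Service" <service@paypa1-secure.com>
To: victim@example.com
Subject: Your payment could not be processed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>Your card was declined. Update it at
<a href="http://paypa1-secure.com/login">https://www.paypal.com/</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""
SAMPLE_LEGIT = """\
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Hello Jane Doe,</p><p>Your statement is at
<a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample, "paypal.com"))
```

The lure produces seven findings (wrong and digit-laden sender domain, generic salutation, mismatched and off-domain plain-http link, .zip attachment) while the clean statement mail produces none; feed it a real .eml with the sender's claimed domain to see which of the post's tips fire.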


David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.

The post 7 Ways to Recognize a Phishing Email appeared first on Social Engineering Blogs.

Top 10 Types of Phishing Emails
http://www.socialengineeringblogs.com/top-10-types-of-phishing-emails/?pk_campaign=rss_feed&pk_kwd=top-10-types-of-phishing-emails
Fri, 16 May 2014 20:17:00 +0000

Criminals have countless methods to trick email users.

By: David Ellis, Director of Forensic Investigations

Phishing is the electronic version of social engineering and has found a huge market in our email-obsessed world. Hackers send fraudulent emails out to tens of thousands of people, hoping a few will click on attached links, documents, or pictures. The goal? Get recipients to willingly provide valuable social security numbers, passwords, banking numbers, PINs, and credit card numbers.

This is achieved through a few different methods. Sometimes, cybercriminals trick email recipients into opening an email attachment that loads harmful malware onto their system. Other times, they trick recipients into providing sensitive personal information directly via web forms. Either way, these seemingly teeny mistakes could make serious ripples across your organization, compromising either corporate or personal security.

SEE ALSO: 7 Ways to Recognize a Phishing Email.

Typically, phishers send legitimate-looking emails that appear as though they originated from reputable companies that many people do business with like BestBuy, Amazon, Federal Express, DHL, and PayPal. The emails often ask customers to confirm information or to go to the business site by clicking on a provided link, and often include a statement of impending consequences if you fail to act.

Here are a few common ploys cybercriminals use to trick you.

1. The Government Maneuver

This type of email looks like it originated from a federal body, such as the FBI, and tries to scare you into providing your information. Common messages include, ‘Your insurance has been denied because of incomplete information. Click here to provide your information.’ Or, ‘Because you illegally downloaded files, your Internet access will be revoked until you enter the requested information in the form below.’

FBI phishing example


2. The Friend Tactic

If an unknown individual claims to know you in an email, you are probably not suffering from amnesia. More than likely, it is an attempt to get you to wire him/her money. A variation on this theme is that one of your known friends is in a foreign country and needs your help. Before you send your ‘friend’ money, give them a call to verify. Your true friend’s email contact list was probably hijacked.

Foreign phishing example


3. The Billing Problem

This phishing tactic is tricky because it appears quite legitimate. This email states that an item you purchased online cannot be shipped to you because the credit card was expired (or billing address wasn’t correct, etc.). If you click on the provided link, it takes you to a spoofed website and asks for updated payment/shipping information, etc.

PayPal phishing example
A lot of folks have personal and business PayPal accounts. Here, notice that the email header is from [email protected]. While that may sound legit, everything from PayPal will have an address of [email protected].


4. The Expiration Date

This type of email falsely explains that your account with [company name] is about to expire, and you must sign in as soon as possible to avoid losing all your data. Conveniently enough, there is a link in the email, which again takes you to a spoofed login page.

SBC Global phishing example


5. The Virus Scare

This type of email states that your computer has been infected! In order to avoid losing your data and infecting your computer, the email instructs you to follow the provided link or download the “anti-virus” attachment.

USAA phishing example
Whatever you do, DON'T CLICK ON THE LINK!


6. The Contest Winner

Don’t get too excited when you receive emails that claim you’ve won something, or received an inheritance from a relative you've never heard of. 99.9% of the time, these are absolutely bogus. To claim your prize, the email requires you click a link and enter your info for prize shipment.

[Image: Attorney phishing example]


7. The Friendly Bank

Your bank may offer account notifications when certain amounts are withdrawn from your accounts. This ploy tricks you with a fake account notification stating that an amount has been withdrawn from your account that exceeds your notification limit. If you have any questions about this withdrawal (which you probably would), it gives you a convenient link that leads to a web form asking for your bank account number “for verification purposes.” Instead of clicking on the link, give your bank a call. They may want to take action on the malicious email.

[Image: Bank of America phishing example]
Due to the graphics and opt-out instructions, this phishing attempt seems very legitimate.


8. The Victim

Being wrongly accused of something doesn’t feel good. This type of phishing email poses as an angry customer who supposedly sent you money for a product that was never shipped. The email concludes with the threat that they will inform the authorities if they don’t hear from you.

[Image: Real estate phishing example]
This is another type of victim scam. Who wouldn't be a little worried after receiving this email?

9. The Tax Communication

Practically everyone has annual taxes to submit. That’s why this phishing attempt is so popular. The message states that you are either eligible to receive a tax refund, or you have been selected to be audited. It then requests that you submit a tax refund request or tax form.

[Image: IRS phishing example]


10. The Checkup

This is one of the more unassuming phishing email attempts. It claims [company name] is conducting a routine security procedure and requests you verify your account by providing information. This scam is especially effective if you happen to be a customer of the named business.

[Image: Bank of America phishing example]


If you receive a phishing email:

  • Don’t click on any links, open attachments, or expand any included pictures
  • Don’t try to reply to the sender
  • Report the scam (forward the e-mail to the FTC – [email protected])
  • Delete the email from your computer
  • If you do legitimate business with a company mentioned in the phishing email, you can call the business and ask if they would like you to forward the email to them, so they may take further action.



David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.

The post Top 10 Types of Phishing Emails appeared first on Social Engineering Blogs.

]]>
Measuring Your Success: Baseline and Continual Measurement http://www.madsecurity.com/measuring-your-success-baseline-and-continual-measurement/?pk_campaign=rss_feed&pk_kwd=measuring-your-success-baseline-and-continual-measurement Wed, 22 May 2013 17:51:50 +0000 http://www.madsecurity.com/?p=3709

Here you are. You’ve done your cultural assessment, you were able to identify the holes in the organization’s security awareness efforts, and you modified training and created a 12-month content plan to fix them. It’s time to sit back and watch some real user behavior change, right?

Quick question: how do you know that your plan worked? Are users reporting more issues to the help desk? Are people better able to identify phishing emails? Are users retaining the information from annual training throughout the year? Basically, if your boss walked in and asked for proof that the budget was put to good use, would you have anything to offer besides ‘trust me’?

Probably not, and that is why you need to measure the behavior within your organization. Without measuring user behavior you have no way of knowing how successful, or unsuccessful, your security awareness architecture is. You are also left playing ‘fire fighter’: you only learn that a hole (fire) exists when it creates a big problem (e.g., a password attack causing a major data breach).

[Graph: No Baseline]

The Value of Baseline Measurements

There are two types of measurement that are going to be pivotal in showing you significant changes in behavior: baseline and continual. Baseline measurement shows you how users were performing before any changes were made, thereby providing you with a point of comparison. Let’s say that you started your intervention in June and you measured user behavior through September (see the ‘No Baseline’ graph). Did your intervention work? To be perfectly honest, this graph shows nothing impressive at all. As a matter of fact, it looks like nothing has happened. Money well spent, for sure.

Now let’s add a baseline measurement and see how that looks.

Much better! Now you can clearly see that (1) help desk calls have significantly increased, and (2) the number of successful phishing attacks has significantly decreased!

[Graph: Baseline]

Furthermore, your new training/content plan seems to be producing long term behavior change over the following months. Great job.

This example really outlines the value of baseline measurement. Without it you really have no way of knowing if you made it better, worse, or broke even.

The Value of Continual Measurement

Once you have shown the effectiveness of your security awareness efforts, is there value in continuing to measure afterwards? Of course. Constant measurement of user behavior allows you to see behavior trends and address issues before they become a problem. Let’s go back to the help desk and phishing attack example. You continued to measure user behavior for several more months and suddenly you saw this.

[Graph: Consistent Measurement]

What happened? Not only are your users not calling the help desk, but they are also falling prey to more phishing attacks. They are performing much as they did before your new training and content plan was implemented. Upon further investigation you find out that a new phishing method was just released and your users are having a hard time identifying it, which also leads to fewer calls to the help desk.

While initially this may seem like a giant leap in the wrong direction, it is exactly what behavior measurement is for. Security threats evolve and your security awareness architecture has to evolve with them. By measuring user behavior consistently you are able to see when patterns like this occur and develop an intervention (e.g., a newsletter or a quick email) that addresses them before they create a big problem for your users and for you.
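
As an added illustration, not code from the original post, the following Python sketch computes the two comparisons the graphs above are making: a baseline versus post-intervention summary, and the month-by-month regression check that continual measurement is meant to catch. The monthly figures, the June start date and the 50% drift tolerance are all constructed for the example.

```python
"""Baseline vs. post-intervention comparison for an awareness program.

Added example, not from the original post. Every number here is constructed:
"sent" is the number of simulated phishing emails delivered that month,
"clicked" the users who followed the lure, "reports" the help-desk calls.
"""
from statistics import mean

# Constructed monthly figures: (month, phish sent, clicked, help-desk reports).
# Training and the new content plan start in June; a new lure lands in November.
MONTHS = [
    ("Feb", 400, 96, 12),
    ("Mar", 400, 92, 14),
    ("Apr", 400, 100, 11),
    ("May", 400, 95, 13),
    ("Jun", 400, 40, 30),
    ("Jul", 400, 36, 44),
    ("Aug", 400, 28, 48),
    ("Sep", 400, 24, 50),
    ("Oct", 400, 20, 52),
    ("Nov", 400, 92, 15),
]
INTERVENTION_START = "Jun"


def click_rate(sent, clicked):
    return clicked / sent


def split_at(rows, start):
    """Rows before the intervention month, and rows from that month onwards."""
    idx = [row[0] for row in rows].index(start)
    return rows[:idx], rows[idx:]


def summarize(rows, start):
    """Mean click rate and help-desk reports before and after the intervention.

    Returns None when there is no baseline: measuring only from the start of
    the intervention leaves nothing to compare the new numbers against.
    """
    before, after = split_at(rows, start)
    if not before:
        return None
    return {
        "baseline_click_rate": mean(click_rate(s, c) for _, s, c, _ in before),
        "post_click_rate": mean(click_rate(s, c) for _, s, c, _ in after),
        "baseline_reports": mean(r for _, _, _, r in before),
        "post_reports": mean(r for _, _, _, r in after),
    }


def regression_alerts(rows, start, tolerance=0.5):
    """Continual measurement: post-intervention months drifting back to baseline.

    A month is flagged when its click rate has climbed back to at least
    baseline * (1 - tolerance), or its help-desk reports have fallen to no
    more than baseline * (1 + tolerance).
    """
    before, after = split_at(rows, start)
    if not before:
        raise ValueError("no baseline months to compare against")
    base_rate = mean(click_rate(s, c) for _, s, c, _ in before)
    base_reports = mean(r for _, _, _, r in before)
    flagged = []
    for month, sent, clicked, reports in after:
        rate_regressed = click_rate(sent, clicked) >= base_rate * (1 - tolerance)
        reports_regressed = reports <= base_reports * (1 + tolerance)
        if rate_regressed or reports_regressed:
            flagged.append(month)
    return flagged


if __name__ == "__main__":
    print("no baseline:", summarize(MONTHS, "Feb"))
    print("with baseline:", summarize(MONTHS, INTERVENTION_START))
    print("months to investigate:", regression_alerts(MONTHS, INTERVENTION_START))
```

Calling `summarize(MONTHS, "Feb")` returns None because no month precedes the start of measurement, which is the ‘No Baseline’ situation described above. With February to May as the baseline, the mean click rate falls from about 24% to 10% and help-desk reports roughly triple, and `regression_alerts` singles out November, the month the new lure arrived, as the one to investigate.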

The post Measuring Your Success: Baseline and Continual Measurement appeared first on Social Engineering Blogs.

]]>
Security Awareness Content: Challenges of Using Punishment http://www.madsecurity.com/security-awareness-content-challenges-of-using-punishment/?pk_campaign=rss_feed&pk_kwd=security-awareness-content-challenges-of-using-punishment Wed, 10 Apr 2013 15:00:23 +0000 http://www.madsecurity.com/?p=3618

Punishment is evident in all aspects of our life, from getting drivers to stop speeding to getting the dog to not bark at the mailman. Because of this, it is no wonder that many turn to punishment when wanting to change user behavior. While punishment is a very powerful tool that can produce almost immediate change in behavior, it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when creating an effective security awareness architecture.

What is the most effective punishment?

Want to know how to reduce user behavior with almost 100% effectiveness? Deprive users of food, water, and/or sex. Go forth and develop content.

No? I didn’t think so. When making security awareness content, we as infosec professionals are not able to use the most effective punishers and therefore have to evaluate our user base to figure out what is the next best thing. This punishment has to be easy to implement and applicable across your entire user base. Furthermore, it has to be easy to maintain. Let’s say you have an issue with users not properly disposing of PII, so you decide to implement a termination policy for all instances of improperly handled or disposed-of PII. While very effective (because it gets at the user’s ability to purchase food and water), it is not easy to maintain. You will either end up with a lot fewer employees REAL quick or you turn into the boy who cried wolf. Let’s say that instead of termination, you force the employee to click through a 10-slide PowerPoint outlining what PII is and how to properly dispose of it. That won’t work either, for the opposite reason: even though it’s easy to maintain, its effectiveness as a punisher will wear off drastically. Think of this as similar to getting desensitized to a pop-up notification. It is for this reason that choosing a contingency is often one of the hardest parts of using punishment in a content plan.

Indirectly punishing behaviors

Imagine that your organization has a major problem with users losing mobile devices, laptops, and tablets. A loss is reported at least once every two weeks and each lost device exposes your organization to a data breach of some highly sensitive information (e.g., customer credit card information). In an effort to reduce this behavior, and keep your organization out of the news, you impose a $100 penalty for loss of a phone, $300 for a tablet, and $500 for a laptop. You see an immediate drop in device loss, but after a few months some other patterns start to emerge. First, calls to report anything to the security team drop significantly. This includes reports about phishing attacks and suspicious computer behavior. Second, when a device is lost, users are taking an average of 2 weeks to inform the security team. In the past, lost devices were reported within 24 hours. Both of these present a major problem to your organization and are the unfortunate side effect of a poorly used punishment. This example demonstrates that even though a punishment is applied to a specific behavior, there is no guarantee that the effect will be isolated. The plan was to reduce loss of devices, but users were also being deterred from reporting the loss, and from calling the security team at all.

While major, these two topics are just a few in a long list of reasons why using punishment to change user behavior is difficult to do. To be effective, a large amount of control is needed otherwise you can create more problems than you started with.

The post Security Awareness Content: Challenges of Using Punishment appeared first on Social Engineering Blogs.

]]>
Security Awareness Content: Challenges of Using Reinforcement http://www.madsecurity.com/security-awareness-content-challenges-of-using-reinforcement/?pk_campaign=rss_feed&pk_kwd=security-awareness-content-challenges-of-using-reinforcement Thu, 04 Apr 2013 15:03:35 +0000 http://www.madsecurity.com/?p=3614

Imagine that you are the head of security awareness at an organization (not a stretch for some) and have been charged with getting people to report issues to the help desk. You decide, in your infinite wisdom, to encourage them to report issues to the help desk by giving them $1 each time they report a valid problem. The week after implementing the new reward program, the number of issues reported to the help desk has increased 100-fold. Your program is getting great results. Not only are 99% of phishing attacks getting reported, but shoulder surfing is down, you know when devices are lost, and compromised computers are being reported to the help desk rather than being discovered by them. Things are coming up roses.

See any problems here?

Of course you do! The budget for this program is going to be INSANE! No practical business will support paying $1 for each ticket at the help desk for any longer than 6 months, MAX. This leads into the second, and biggest, problem with using reinforcement. If the only reason that users are reporting issues is the reward, the minute that the reward is removed the desired behavior plummets. Unless you can replace the reward with something of equal subjective value, their incentive is gone and the trained behavior is lost.

*Finding something of equal subjective value to cash on a large scale is damn near impossible. I only say ‘damn near’ because I’m sure there is some magical place out there that can do it but I’ve never come across it. *

Finally, let’s say that instead of $1 you gave them a free lunch, because your users really like lunch. How long will that be an effective reward? My guess is that after about a month of free lunches the value of the reward will go down dramatically, and so will the behavior. Suddenly, you have to switch the reward to something else, of equal subjective value, to keep them responding.

Vicious cycle anyone?

How to Use Reinforcement to Your Advantage

As you can see, reinforcement is a tricky thing, but when can we use it to change behavior?

Let’s go back to the help desk problem. Instead of paying for each help desk ticket indefinitely, you make it a charity fundraiser for the holidays.

“Every time you call the help desk, $1 will be donated to buy gifts for families in need. Weekly progress will be reported!”

Some of you might look at this and say “even if we had the budget for that, we still have the same problem of removing the reward and losing the behavior once the fundraiser was over”, but consider two very important differences.

1-    The reinforcement has a clearly defined ‘end point’ that has nothing to do with the user, the company, or their behavior but is a product of the reward. The gifts have to be bought at some point otherwise the fundraiser was pointless. Essentially you are isolating the reinforcement contingency and increasing your chances of the behavior persisting after.

-Not to mention periodic fundraisers to increase behavior –if needed- are MUCH more sustainable to the budget than constant reinforcement.

2-    The second, and most important, is how closely the reinforcement (e.g., $1) and the behavior are paired. In our first example the employee saw the DIRECT effect of calling the help desk on their pay check, so the reward was very closely paired to their behavior.

Just like if Pavlov’s dogs were fed EVERY time the research assistant came in.

The minute that the user realized the reinforcement was removed, the behavior that followed stopped (i.e., calling the help desk).

Back to Pavlov: the dogs would eventually stop salivating once they learned that the assistants were never going to feed them.

In our second example, the users see the money increase but it is NOT directly related to each time they call the help desk. Instead it goes into an anonymous pool that may jump $100 a week even if they just called the help desk once. Since the reinforcement is not closely tied to each behavior they perform, the chances of the behavior persisting after the reinforcement is removed increases significantly.

*For a more detailed look at this process see my previous blog on Pavlov and his dogs.

Based on all of this, be careful when using reinforcement. While it may provide an immediate result, it’s something that needs budget and time to maintain. If used wrong, you will just be setting yourself up for an uphill battle.

The post Security Awareness Content: Challenges of Using Reinforcement appeared first on Social Engineering Blogs.

]]>
Playing Nicely with Scammers … Wasting their time for giggles :) http://www.subliminalhacking.net/2012/07/22/playing-nicely-with-scammers-wasting-their-time-for-giggles/?pk_campaign=rss_feed&pk_kwd=playing-nicely-with-scammers-wasting-their-time-for-giggles Sun, 22 Jul 2012 17:53:11 +0000 http://www.subliminalhacking.net/?p=971

So I am in the business of social engineering people (with authorisation of course), and depending on who you speak to this could be interpreted as scamming, conning, or generally straight up manipulation. The reason I do this is to simulate a real world threat to see how people hold up and utilise the training they have had, as well as identify those gaps that need improving. Now I see a lot of examples of real scammers and phishers in action, but rarely would I rate them as being very good, but I do appreciate they don’t actually have to be that good to get decent results when they play the numbers game.

So why am I telling you this, well in July someone attempted to scam / commit online fraud against me, and I have to say it was one of the best approaches I have seen to date. So the aim of this post is to give some awareness, and to share the little story of how I wasted their time for the week and perhaps bring a smile to your face :)

So my story starts on the 1st July 2012 when I put my MacBook Pro up for sale on Gumtree. I did some searching around for how much they are selling for and wanted to avoid eBay fees so Gumtree seemed like a winner. Below is a pic of the ad:

Soon after posting I received an email via Gumtree asking if the item was still for sale, and indeed it was so I replied confirming as much.

About 24 hours later the guy gets back to me saying he would like to buy the laptop and will pay £20 towards delivery, and provided me a mobile number to call (+447035920292). Now I did think this was a little odd, as who in the UK tells someone else in the UK the country code, but hey, I thought I would give him a call.

So I make the call and I speak to what I think was an African guy calling himself Francis Saine ([email protected]); his English wasn’t great, but I have sold things to foreign students before, and decided to set my paranoia to the side and see how it goes.

Now the next bit is the clever bit, so he asked me to send him a PayPal money request for £770 and he can then make the payment. I had never used this feature before, but as you are protected by PayPal I thought all is good.

My new friend Francis later in the day sends me an email letting me know the address the laptop will be sent to (a London address) which backed up part of the phone conversation we had. Another 24 hours later I get an email from PayPal informing me Francis has paid me, and the money will be released once I provided proof of posting. ALARM BELLS RINGING….. Fun Time :D

Now as you can see this PayPal email is set so the response will be sent to [email protected], which obviously isn’t PayPal, so I decided to also check the headers and I saw this:

MIME-Version: 1.0
Received: by 10.224.184.75 with SMTP id cj11mr31753768qab.16.1341334634836; Tue, 03 Jul 2012 09:57:14 -0700 (PDT)
Sender: [email protected]

Now I got a couple of emails from the fake PayPal email dude and I have to say aside from this oversight it looked really really good. The clever thing is, because you sent a payment request, if you login to your PayPal account it says pending, and the phishing emails also confirm pending status, so the average Joe is going to fall for this.
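
The check the author did by hand here, and the ‘everything from PayPal comes from @paypal.com’ point in the Top 10 list earlier on this page, can be scripted. The following Python example is added here and is not code from either post. Both raw messages are constructed, with made-up addresses and example domains rather than the real ones from the emails described, and `expected_domain` is an assumed parameter naming the brand the message claims to be from.

```python
"""Sender-header consistency check for a suspected phishing email.

Added example, not code from either post. Both raw messages below are
constructed with made-up addresses and example domains; `expected_domain`
is an assumed parameter naming the brand the message claims to be from.
"""
import email
from email.utils import parseaddr

# Constructed: claims to be PayPal, but Reply-To, Sender and Return-Path all
# point elsewhere, the pattern the post's author spotted in the real headers.
SUSPECT = """\
Return-Path: <bounce@mail-relay.example.net>
Received: by 10.0.0.5 with SMTP id abc123; Tue, 03 Jul 2012 09:57:14 -0700 (PDT)
Sender: shazad@webmail.example
From: "PayPal" <service@paypal.com>
Reply-To: payments@paypal-support.example
To: seller@example.org
Subject: You have received a payment (pending)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your funds are pending until you reply with proof of postage.
"""

# Constructed: every sender-related header sits in the brand's own domain.
LEGIT = """\
Return-Path: <bounces@mail.paypal.com>
From: "PayPal" <service@paypal.com>
Reply-To: service@paypal.com
To: seller@example.org
Subject: Receipt for your payment

Thank you for your payment.
"""

SENDER_HEADERS = ("From", "Reply-To", "Sender", "Return-Path")


def address_domain(value):
    """Lower-cased domain of the address in an RFC 5322 header value, or None.

    The display name is deliberately ignored: "PayPal" <x@evil.example> must
    resolve to evil.example, not to the brand shown in quotes.
    """
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def same_org(domain, expected):
    """True for the expected domain itself or one of its subdomains.

    Matching on a leading dot keeps paypal.com.evil.example, notpaypal.com
    and paypal-support.example from passing.
    """
    return domain == expected or domain.endswith("." + expected)


def sender_findings(raw, expected_domain):
    """Every sender-related header whose domain is outside the claimed brand.

    Returns a list of (header, domain) pairs. An empty list means the headers
    are at least consistent with the claim, not that the mail is genuine.
    """
    msg = email.message_from_string(raw)
    findings = []
    for header in SENDER_HEADERS:
        domain = address_domain(msg[header])
        if domain is not None and not same_org(domain, expected_domain):
            findings.append((header, domain))
    return findings


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(name, sender_findings(raw, "paypal.com"))
```

Run against `SUSPECT` with `"paypal.com"` this reports the Reply-To, Sender and Return-Path domains while accepting the From line, which is exactly why the From line alone proves nothing: that header can be forged outright, and this check only catches kits that, like the one in the story, leave their real Sender or Reply-To address in place. The SPF, DKIM and DMARC results your receiving server records in the Authentication-Results header are the stronger signal when they are available.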

About the same time I get an email from Francis telling me he has sent me the money, and that I must send the laptop tomorrow for Next Day Delivery before 1PM tomorrow, and it’s going to his sister as a Birthday present. So I assume they don’t want to be waiting all day to intercept the laptop.

So what would you do in this situation? Well I am a nice guy, so I wrapped up the laptop as its a Birthday present and sent it in the post!!

Well at least that’s what Francis thought, and that’s what Shazad and his fake PayPal thought too. It took me a while but I eventually managed to create a Royal Mail Special Delivery tracking number that showed up as valid on the Post Office tracking page :)

Then I get an email from fake PayPal confirming I have sent a valid tracking number and I will get the funds in my account in 24 hours, wooohooo.

Now during this time, just so it’s clear, I have informed Gumtree, PayPal, London Met Police and the eCrime center, so they can utilise the information I collect to possibly catch these guys in the act.

The next day about 3PM I get another email from fake PayPal saying that my tracking number does not appear to be authentic; I also guess the laptop is now 2 hours late being delivered, so they are wondering if I sent it at all? Obviously I hadn’t sent it, so how can I send them a picture of the receipt to confirm the tracking? I make one :D It takes about 45 mins and I send it off, fake PayPal are happy and confirm again my money is on its way :)

So at this point I have a phone number, some email addresses and a drop off address. I thought it would be handy to get hold of Francis’s IP address then I could find out his ISP and Country to aid the Police further. So I decided to Phish him myself :)

So I continued to exchange emails with him to build some rapport, and get him interested in other things I might be selling. He is interested in the iPad I have for sale, and he wants to see pics and get more info. So eventually he visits the fake site I spun up and I get his user agent info from the Apache logs :) Sadly these guys are doing a bit to protect themselves; it looks like they are using anonymous proxies and routing traffic through a VPS in the US. Oh well, it was worth a shot.

This is really the high level story. I hope it brought a smile to your face, I know it did me, just for wasting 6 days of these guys’ time overall, and I can only assume a wasted day hanging around in London for the laptop to arrive. As far as I know they didn’t get caught, but they didn’t get my laptop, and I am still waiting for fake PayPal to send me my funds; I keep asking but now they don’t want to email me any more :)

So please take this blog post as a reminder that even people in the industry like us could fall prey to the scammers, but if we ID it early we can have a bit of a play. Of course be careful what you do, as you don’t know who these people are, or what resources they have available to them.

The post Playing Nicely with Scammers … Wasting their time for giggles :) appeared first on Social Engineering Blogs.

]]>
Human Phishing … Playing the Odds http://www.subliminalhacking.net/2012/04/07/human-phishing-playing-the-odds/?pk_campaign=rss_feed&pk_kwd=human-phishing-playing-the-odds Sat, 07 Apr 2012 20:34:24 +0000 http://www.subliminalhacking.net/?p=938

Happy Easter everyone, I have some spare time so I thought I would put fingers to keyboard and put a blog post out I have had on my mind for the last month. Even though I plan to post every month, life with a little one and busy at work does get in the way, and I really don’t want to post something just for the sake of it. I always want to share information that is relevant and will be of value.

So with that in mind I wanted to talk about phishing, and how important it is to select the right bait.

So as a social engineer there are going to be many times when phishing is going to be the best approach to get your gig off to a good start. Phishing is a low risk approach, but the rewards can be very high.

The important thing to say at this point is that I am talking about phishes that have a higher percentage chance of success. This might sound obvious, but all phishes are not created equal. APT groups, hacktivists and those just out to make a buck play the percentages: they send a large amount of email out, and the quality isn’t always that great (you have seen them, you can spot them a mile off). Spear phishing is different, where things are more targeted and frankly they do a better job when it comes to the content of the phish. The reason I mention this is that if a bulk, low-quality campaign is what your customer wants (they probably know the answer already, and it might not help them in reality, or you for that matter), simulate it appropriately, but depending on your targets it could be hit and miss.

So how do you do it right? Like most things in social engineering, do your homework. OSINT plays a big part here: what are your targets doing online, are there common interests, shared groups and themes around their activities? What types of language and communication is their employer using to communicate, what campaigns are running, what would be expected? When I talk about language I mean both the actual language (many people involved in SE have to deal with people outside of the English-speaking world; this doesn’t mean that you can’t use English, your homework will tell you this) and, regardless, the phrases, buzzwords, key names and meanings that will imply legitimacy.

Legitimacy is important, and will often force you to use language and subjects that don’t shout spam and phishing email, but there is something else important to consider too. What inbound controls are you facing, how will your email be graded, what tests can you do, how can you verify delivery of the phish? These are all components you will need to be considering if you are truly simulating your customer’s external threat.

So let’s assume legitimacy has played its part, your phish has arrived in the target’s inbox, and they think it looks legit. So what is it that is going to make them open your attachment, or click that link? Influence, that’s what. You may remember some time ago I wrote about the 6 rules of influence; well, this approach will help you in your phishing attack. Perhaps they will click your link as they will gain access to something difficult to get hold of (scarcity), perhaps it’s a direction from the top and must be followed (authority), or perhaps it’s as simple as the chance of winning something, I mean who doesn’t want to get their hands on a sexy iPad 3.

Right, so your target is all about the clicky clicky, you have succeeded? Erm, possibly not :) This is where playing the odds comes in handy. To get to this stage you have already had a few levels of phishing success: the mail made it past all the ingress checking and arrived in the inbox, the subject was appropriate enough that your target opened and read the email, and now they are clicking the link or opening the attachment. This is success, but I imagine in most cases now you want shells :)

Of course you do, who doesn’t. If this works you can do the happy dance, but if it doesn’t you will be pulling out your initialed hanky and weeping like a baby. Why didn’t it work? Perhaps your payload wasn’t built properly, perhaps you set the handler up wrong, perhaps your system crashed, who knows, but you had all your eggs in that one basket. This is why you should play the odds with your phish: have multiple out there, as this leads to success at some level.

Playing the odds in my mind means the following. First of all I always try and include some form of credential harvesting component (it’s a common winner in my experience), and I also tend to employ the joys of a BeEF hook. I think BeEF has a lot to offer in the future so now is a good time to build it into your approach (you can grab system info, launch iFrames, keylogging and all sorts). It’s also a good idea to consult your Apache logs to see what’s being given away. If you do a sample wave of phishing you can use this as recon (I tend to use what I consider low value targets here) and find out browser types, plugins running, Java versions etc., all important information for phishing. Include some browser exploits based on what your recon has informed you about; if you can do it transparently great, but if you need to pop up a window or dialog box (à la Java exploit) then make sure it’s believable.

This isn’t an exclusive list by any means, and I appreciate I have not gone into huge detail (perhaps I will give a talk on it), but I really think you will see an increase in your success, and as a result increase the value of the service you provide to your customer. Oh and don’t forget, if it’s appropriate a little phone call could help in the legitimacy stakes and get that clicking going on :D

So as always I hope this was of some interest, and of some help. I welcome all questions and feedback, and if you liked it please feel free to share with others. Until next time, take care.

How DMARC Combats Phishing http://feedproxy.google.com/~r/SocialEngineeringBlog/~3/pcaK2i5gewc/?pk_campaign=rss_feed&pk_kwd=how-dmarc-combats-phishing Wed, 21 Mar 2012 17:18:26 +0000 http://socialexploits.com/?p=1023 Interesting infographic from the Marketing Tech Blog about how DMARC (Domain-based Message Authentication, Reporting and Conformance) approaches phishing.

DMARC Infographic
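Whether a DMARC record actually stops spoofed mail depends on its tags, not just on its presence. The following Python is an added example, not code from the Social Engineering Blogs post or the infographic: it parses a DMARC TXT record and flags the settings that leave a domain exposed (monitor-only policy, partial enforcement, unprotected subdomains, no reporting address). Both records and the example.com address are constructed samples; tag meanings follow RFC 7489.

```python
from dataclasses import dataclass, field

# Constructed sample records (not any real domain's published record).
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com; adkim=s; aspf=s")


@dataclass
class DmarcReport:
    tags: dict
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, ignoring empty segments."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> DmarcReport:
    """Return a report whose findings list is empty only for a strict record."""
    tags = parse_dmarc(record)
    report = DmarcReport(tags)
    if tags.get("v") != "DMARC1":
        report.findings.append("missing or invalid v=DMARC1; receivers ignore the record")
        return report
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        report.findings.append("missing or invalid p= tag; receivers ignore the record")
        return report
    if policy == "none":
        report.findings.append("p=none only monitors; spoofed mail is still delivered")
    # sp= defaults to the value of p=, so only an explicitly weaker value matters
    if tags.get("sp", policy) == "none" and policy != "none":
        report.findings.append("sp=none leaves subdomains unprotected")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100:
        report.findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        report.findings.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return report
```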

Further reading:

How To Write Phishing Emails That Get Clicked


The post How DMARC Combats Phishing appeared first on Social Engineering Blogs.