Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Security Metrics Blog May 16, 2014

7 Ways to Recognize a Phishing Email

“You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” –Abraham Lincoln

By: David Ellis, Director of Forensic Investigations

Are you sure that email from UPS is actually from UPS? (Or Costco, BestBuy, or the myriad of unsolicited emails you receive every day?) Companies and individuals are often targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization. In these emails, the sender asks recipients to click on a link that takes them to a page where they will confirm personal data, account information, etc.

Hey guys, and welcome back to the SecurityQ, your source for business data security. Today on the SecurityQ, I want to cover one question. Are your employees properly trained to protect your business against phishing attacks? Not that type of fishing! Phishing is another tool used by hackers to gain access to your personal data. Phishing relies on your employees’ willingness to provide sensitive information like passwords, bank, and tax information.

Here’s how it works. Companies are targeted via an email that is designed to look like it comes from a legitimate bank, organization or government agency. Then the sender asks to confirm personal information, in essence, phishing for data. For example, let’s say your business does e-commerce through PayPal. Hackers posing as PayPal will contact you via email asking you to confirm sensitive information pertaining to your account. Once information is obtained, hackers use the credentials gained to steal your sensitive data, mostly through attacks like malware and back doors to your network. That’s hook, line, and sinker.

The scary thing is, you may have the best technology in the world, but if your employees aren’t properly trained, that technology is a complete and utter waste. Currently, twenty percent of all breaches now involve phishing. Everyone in every industry and every company is ultimately a target. Keep in mind, it takes only one untrained employee to give away all the data you worked so hard to protect.

As a business owner, how can you detect phishing attacks and properly train employees? First, the message or email you’re receiving may appear entirely convincing. You should keep a lookout for three things. Layout issues, spelling, and grammatical issues go hand in hand with phishing attacks. Second, don’t just check the name of the person sending the email. You need to check the email address and ensure that there are no alterations made to it. For example, additional letters or numbers added to the email address. Last, most companies will never ask for your personal information through email. If there’s any doubt, contact the sender. Remember, even savvy technology users can find themselves fooled by messages that appear authentic, so be cautious. Our advice? Educate your employees about phishing attacks. When it comes to staying safe online, it never hurts to have a little bit of cynicism.

Well guys, that’s all the time we have for today on the SecurityQ, but as always we want to hear from you. So post your questions in the comments below, and don’t forget to subscribe. See ya next time on the SecurityQ.

This technique is called phishing, and it’s a way hackers con you into providing your personal information or account data. Once your info is obtained, hackers create new user credentials or install malware (such as backdoors) into your system to steal sensitive data.

SEE ALSO: Examples of common phishing attempts.

It’s often difficult to distinguish a fake email from a verified one; however, most have subtle hints of their scammy nature. Here are seven ways to help you recognize a phishing email and maintain email security.

1. Legit companies don’t request your sensitive information via email

Chances are, if you receive an unsolicited email from an institution that provides a link or attachment and asks you to provide sensitive information, it’s a scam. Most companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers, nor will they send you a link from which you need to log in.

(Image: Global Pay phishing example)

Notice the generic salutation at the beginning, and the unsolicited web link attachment?

2. Legit companies call you by your name

Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with required information about your account, the email would call you by name and probably direct you to contact them via phone.

(Image: Best Buy phishing example)

Sir/Madam? Also, what’s up with the 17 in the middle of the sentence?

3. Legit companies have domain emails

Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. Make sure no alterations (like additional numbers or letters) have been made. Check out the difference between these two email addresses as an example of altered emails: [email protected] [email protected] Just remember, this isn’t a foolproof method. Sometimes companies make use of unique or varied domains to send emails, and some smaller companies use third-party email providers.

(Image: Costco phishing example)

“Costco’s” logo is just a bit off. This is what the Costco logo is supposed to look like. See the difference? Subtle, no?

4. Legit companies know how to spell

Possibly the easiest way to recognize a scammy email is bad grammar. An email from a legitimate organization should be well written. Little known fact – there’s actually a purpose behind bad syntax. Hackers generally aren’t stupid. They prey on the uneducated because they are easier targets.

(Image: Eubank phishing example)

Notice the apostrophe in the word ‘friends’? Me neither. Other than that tiny grammar mistake, this is a very convincing email.

5. Legit companies don’t force you to their website

Sometimes phishing emails are coded entirely as a hyperlink. Therefore, clicking accidentally or deliberately anywhere in the email will open a fake web page, or download spam onto your computer.

(Image: USPS phishing example)

This whole email is likely a gigantic hyperlink.

6. Legit companies don’t send unsolicited attachments

Unsolicited emails that contain attachments reek of hackers. Typically, authentic institutions don’t randomly send you emails with attachments, but instead direct you to download documents or files on their own website. Like the tips above, this method isn’t foolproof. Sometimes companies that already have your email will send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types such as .exe, .scr, and .zip. (When in doubt, contact the company directly using contact information obtained from their actual website.)

(Image: Accounting phishing example)

Just remember, curiosity killed the cat.

7. Legit company links match legitimate URLs

Just because a link says it’s going to send you to one place doesn’t mean it’s going to. Double check URLs. If the link in the text isn’t identical to the URL displayed as the cursor hovers over the link, that’s a sure sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct, or doesn’t match the context of the email, don’t trust it. Ensure additional security by hovering your mouse over embedded links (without clicking!) and ensure the link begins with https://.

(Image: Nokia phishing example)

Although very convincing, the real Nokia wouldn’t be sending you a “Save your stuff” email from [email protected].

It doesn’t matter if you have the most secure security system in the world. It takes only one untrained employee to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Make sure both you and your employees understand the telltale signs of a phishing attempt.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.
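As an added example (not code from the SecurityMetrics post), tips 2, 3, 6 and 7 above can be applied mechanically to an incoming message; the script below does so with Python's standard library over a constructed sample in the spirit of the Costco example. The display-name-versus-domain rule, the regex anchor matcher and the sample addresses (costco-rewards1.example, rewards-verify.example) are this example's assumptions, not the article's.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".scr", ".zip")                    # tip 6
GENERIC_SALUTATIONS = ("dear valued member", "dear account holder",
                       "dear customer", "dear sir/madam")      # tip 2
# Simple <a href="...">text</a> matcher; enough for mail bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(value):
    """Lowercase hostname of a URL or a bare domain like www.costco.com, else None."""
    value = value.strip()
    host = urlparse(value if "://" in value else "http://" + value).hostname
    return host.lower() if host and "." in host else None


def phishing_indicators(raw_message):
    """Return the article's warning signs (tips 2, 3, 6 and 7) found in one RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    # Tip 3: look past the display name at the real sender domain. Digits in the domain, or a
    # brand that is not the domain's own label, suggest an altered address (brand rule: assumption).
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    brand, labels = (name.split() or [""])[0].lower(), domain.split(".")
    if re.search(r"\d", domain):
        findings.append(f"sender domain contains digits: {domain}")
    if brand and len(labels) >= 2 and labels[-2] != brand:
        findings.append(f"display name '{name}' does not match domain {domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Tip 2: a generic salutation instead of the recipient's name.
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    if any(s in plain for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    # Tip 7: the host shown in the link text must match the host in the href.
    for href, text in ANCHOR_RE.findall(html):
        shown, actual = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    # Tip 6: high-risk attachment types, whatever the message claims they are.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"high-risk attachment: {filename}")
    return findings


# Constructed sample in the spirit of the article's Costco example (not a real message).
SAMPLE_PHISH = """\
From: Costco Customer Care <alerts@costco-rewards1.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear valued member,</p>
<p>Confirm your account at
<a href="http://login.rewards-verify.example/costco">www.costco.com</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Reward_Details.zip"

placeholder
--b1--
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` reports all five signs; a message from the brand's own domain, addressed by name, with matching link text and no attachment, yields an empty list.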

Filed Under: Hacking, Phishing, Security

The Humintell Blog May 14, 2014

Brain Games – Body Language & Follow the Leader

Are you a follower? Or a natural born leader?

Take a look at the Brain Games clips below and learn how much of your behavior is based on what your brain is copying from the people around you.

In the Brain Games Episode “Follow the Leader” , you discover how you unconsciously adapt the way you behave, speak, and move according to who you’re talking to, who you’re trying to please, or who you’d like to be like in the future.

Research by psychologist Amy Cuddy revealed that participants have higher levels of testosterone (associated with dominance) and lower levels of cortisol (associated with stress) within 2 minutes of holding the poses below.

So are you a leader or a follower?
Share your take on this episode in our Comments

Filed Under: Nonverbal Behavior, Science

Mind Under Control Blog May 13, 2014

Human Error I – The Ambiguity Effect

Human Error Series – How to Exploit Biases and Defend Against Manipulation

This series was suggested by a member of /r/socialengineering, and upon reading his request it struck me that though many resources detail methods of manipulation that exploit these biases in one way or another, no author has aimed to explain how to exploit each individually and shown how to defend oneself against these biases. Further, we’re expected to be aware of which of the many biases are taking place and are being exploited at any given time, which requires a more detailed knowledge of the fundamental nature of these biases.

By explaining these biases and analyzing their place in hypothetical situations and how they could be abused, seen from the perspective of a social engineer, I hope to

Teach you a more fundamental understanding of human behavior and cognition.
Inspire you to use your own creativity and imagination to approach the subject of applied social psychology.
Allow you to see situations in a different light and be more adaptable in dealing with them.
Raise awareness and shed light on what is happening in your own mind when these biases are being turned against you by others.

Sociality and social interaction are an interplay of all manner of manipulations and influences, and what is apparent is not often what is actual. What you think is happening might not be as it seems, and might actually be a part of the game other people, and even your own brain, are playing with your mind.

Enjoy!

– Joven

The Ambiguity Effect

The What

The ambiguity effect is a bias where decision making is affected by a lack of information, or ambiguity. However, since multiple biases are affected by certain types of ambiguity and uncertainty, we use the term ambiguity effect specifically for the cognitive bias in decision making that affects our innate preference for choices where the probability of a favorable outcome is known over those where the probability of a favorable outcome is unknown.

Key Takeaway: When given a choice, people are more likely to avoid the options whose probability feels unknown.

A very rudimentary example would be the following hypothetical scenario:

I offer you the choice between two boxes of marbles. One has 50 red marbles and 50 black marbles; the other has a randomly chosen number of black marbles, anywhere from 0 to 100, with the rest (up to 100) being red marbles. Whichever box you choose, you pick a color and then take out one marble at random. If you predicted the correct color, you get $100.

Now, these two options are statistically no different. Either way you choose, you have the exact same chance of being correct and getting your $100. However, like everyone else, you will choose the first box, simply because you know the contents of that box. Even if I were to raise the winning amount to $120 for the second box, or $200, you would still choose the first box, as would I. Why? Because you have no idea what the exact chance is that you will win $200, but you do know the exact chance you will win $100.
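As an added worked check (not part of the original post) of the claim that the two boxes are statistically no different: let $N$ be the number of black marbles in the second box, with every value $0, 1, \dots, 100$ equally likely, and suppose you call black.

$$
P(\text{win} \mid \text{box 2}) = \sum_{n=0}^{100} P(N=n)\,\frac{n}{100}
= \frac{1}{101}\sum_{n=0}^{100}\frac{n}{100}
= \frac{1}{101}\cdot\frac{5050}{100} = \frac{1}{2}
= P(\text{win} \mid \text{box 1}).
$$

Calling red gives the same result by symmetry, so the boxes differ only in whether the $\tfrac{1}{2}$ is stated or has to be inferred. At a $\$120$ prize the second box's expected payout is $\$60$ against $\$50$ for the first, which is why still preferring the first box there is a bias rather than a calculation.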

Key Takeaway: People have a fundamental aversion towards uncertainty.

Investment works much the same for many people. Last year, investing in Dogecoin would’ve netted you over a 1000% return on your investment, and it was predicted to rise by around that margin. However, it was also considered a volatile commodity, and chances were you could stand to lose much of your investment. Even if given a similar option now, that volatility would probably have dissuaded you from even considering it a possibility.

The Why:

Why is this effect harmful to you, and why could it be useful in social situations? Three reasons:

1. As game theory tells us, what matters most in decision making when taking into account these biases is ‘subjective probability,’ or how likely you (or, in social situations, your target) think these outcomes are. That perceived likelihood will decide whether or not you will believe a certain course of action is the right course of action, and how fervently you believe it.
2. The chance of a certain situation or claim can not only be magnified or minimized, but also deliberately obfuscated, meaning that a person can be dissuaded from making a certain choice by posing it as leading to an ambiguous outcome, or conversely, persuaded to make a certain choice by deliberately obfuscating the alternative, even when the other choice can also be viewed as ambiguous.
3. The opposite can also be done, where you call into question the likelihood of a situation either by making it unclear what that probability is when one has already been assigned, or by raising the possibility that there is a chance of failure and so calling their certainty into question. As stated before, people have a fundamental aversion to uncertainty, and that is precisely why obfuscating an issue tends to make people want to leave that issue entirely.

Abusing the ambiguity effect to cast doubt on situations and influencing decisions falls under the more general tactic of Probability Abuse.

The How

In our first situation, let’s assume that we are running a pretext of Party Psychic in an attempt to woo a special lady. Now, we may have ascertained some information about her beforehand (through various means), and during our ‘reading’ we suddenly touch on an accident that she had when she was eleven years old. Upon detailing the intricacies of this event, where we ‘feel her continued distress and pain’ which we ‘sensed the moment she got in the room,’ the pesky skeptics in the room are asking out loud how we could possibly know such a thing, in an attempt not so much to thwart our reading as to plea for their cognitive dissonance to be resolved.

So, “how did you know that?”

At this point, it is clear that just saying “my inner spirit showed me” on its own is not going to help convince anyone of the veracity of your divine nature. So instead, we place it in a juxtaposition with a claim that, though more statistically likely in a realistic sense, feels incredibly implausible, much more than the simple suspension of disbelief that is required for our answer, “I just have a gift” or, in a grander show of self-aggrandizement, “it’s not mind reading, just basic deduction. There is an entire science behind it, and it is really quite easy once you get the hang of it.”

Then, the juxtaposition would be: “Well, either that, or I broke into her doctor’s office and checked her medical records, and though that would be quite easy to do for someone like me, I’d say it’s an awful lot of effort to put into twenty minutes’ worth of entertainment.”

(A similar and brilliant juxtaposition was famously used when Mentalist Derren Brown “predicted” the lottery numbers live on British television.)

So, this first uses the juxtaposition to create a false dichotomy between burglary and psychology, and then uses obfuscation to make the chance of the logical second situation more ambiguous than the first, thus making a person more willing to choose to believe your original explanation. The ‘favorable situation’ in this sense is the clarity and removal of doubt as to the explanation.

In our second situation, we’ll see why the ambiguity principle is more generally applicable, in the sense that it’s used to cast doubt on the alternative implicitly, rather than something you’d build an attack or interaction on.

Imagine you would want to get into a certain office but you have no access, as you’re not an employee. You have a fake business ID on hand, though no real ID, and you have a matching outfit and a reason to be there. The moment you walk up to the security agent outside and make your introduction, he will first actively believe you at your word, and only then will his brain start finding reasons to reject your claim (as per the Rejection Principle).

It will do so based on various counterclaims that might enter his head, most importantly the immediate opposite claim “This guy is not who he says he is.” His favorable outcomes are the following:

You enter, he has done his job and you will bother him no longer, and you can do your job, which means the boss will be happy.
He catches you in a lie, he has caught an intruder, and he will get commended.

Of course, in general, these situations rely more on the fact that you make the second situation far less likely (and indeed, both ambiguity and probability reappraisal are in play), but in a strictly probability-based scenario he would then potentially still consider it further, because it has an established chance that allows him to weigh the pros and cons of either decision. So, what you’re further doing is obfuscating the probability that some good, no matter how good, can come of doubt:

“What good will it do to run all the way back home and grab my ID? I have three more offices to visit today and I really don’t want to lose my job over this. Also, I have my business ID right here, name and everything. Surely that’ll do?”

The probability of him benefiting from pressing the issue is now completely unknown, he has been filled with a fear of “the boss” that will take precedence over reassessing that probability, and he can’t stand there for five minutes considering his options. What is the easier, more certain decision at this point?

This point is perhaps more obvious when using this same tactic to trap someone else.

Suppose you wanted to bring someone under suspicion, in the above example of being an impersonator or, in a more relatable situation, cast doubt on a liar in your own social circles.
You could tell that same guard: “The worst thing that could happen if we call to check is a few minutes’ hold-up. If we don’t check, what are the odds he’s bad, and who knows what could happen?”

There is still the probability of loss in the sense that the guy could be genuine, and then genuinely annoyed and angry, but now the alternative is reframed to be obscure instead. “Who knows what could happen?” and “what are the odds?” imply heavy uncertainty if the decision is made not to check up on him. The only difference between this situation and the previous is the framing of the situation.

Key Takeaway: In general, all situations that are based on chance and can have a favorable or unfavorable outcome can be manipulated in largely the same way, by framing favorable or unfavorable, likely and unlikely, and certain and uncertain.

Using metaphors, this can also be used to persuade people into otherwise risky situations. For instance, most people would prefer the certainty of a paycheck over the uncertainty of owning their own business, but they can usually be motivated to reassess that preference when you compare an unknown probabilistic action with one that is well-known and certain, e.g. “Owning a business instead of working for a paycheck is like being taught how to fish instead of being given a fish.”

You can even take the perceived risk aspect away entirely, which is a trick that salesmen and marketers often use: “We know our product will be the best purchase you’ll ever make, but if you aren’t satisfied for any reason within those first 30 days, we’ll give you your money back, guaranteed, no questions asked.”

Or, “If I turn out to be wrong and Rob isn’t lying, I will take full responsibility. I’ll personally apologize and do everything to make things right again between you two. But believe me, Sarah, that guy is cheating on you. I guarantee it.”

Summary

What to use the ambiguity effect for:

To make people reassess their decisions by rewriting their perception of probability, without trying to persuade them openly.
To elicit feelings of doubt by creating ambiguity.
To elicit feelings of certainty by removing ambiguity.

How to defend against the ambiguity effect:

Always make sure that you’re dismissing an option because its benefits are unlikely to be worth it, not because you don’t know the exact likelihood that they will be.
Always try to get as much relevant information to weigh into your decisions as possible before making them.
Treat probability fairly, and be wary of those who, intentionally or unintentionally, frame one option more favorably or unfavorably than it realistically is. Such framing may be a key giveaway of their own biases and preferences.

Related BetterBytes:

coming soon™

Related Articles:

coming soon™

Filed Under: Social Mastery
