Welcome to NCSAM week 2! This week we’ll take an in-depth look at three of the most common social engineering attacks, and the characteristics that aid in correctly identifying them. But before we reach that three-way fork, what do these have in common?
All phishing attacks are an attempt to gain unauthorized access. It’s how breaches begin almost half the time (the other half being exploitation of vulnerable systems). A traditional phishing attack is designed to harvest your username and password. A vishing call may end with the caller remotely controlling your computer. No matter the format, the bad guys are trying to trick you into coughing up sensitive information or access so they can use it to compromise your device or the college’s network and systems.
Without further ado and in order of prevalence (and effectiveness):
Phishing is when an attacker sends email with a malicious link (or attachment) designed to entice the recipient to click it. Like a hook inside bait, the attacker tries to make the link very tempting so that we all “bite”.
Generally, phishing emails are pretty formulaic. They include a lure (bait to attract, or fear to compel) and a sense of urgency to act now. Some are dressed up in stolen web graphics, others are plain text. Generic phishing attempts originate from email addresses that DO NOT end in “@williams.edu”. The exception is a compromised Williams account, which can then be used to phish others here, so an internal address is not by itself proof that a message is legitimate. Also remember that the display name on a message is trivially forged; the address behind it is what to check.
Example 1: Google-based phish attempt
The lure is the enticing link to a Word doc titled “September Payroll Benefit,” but the tell is the “@gmail.com” sender address (OIT will only ever email from @williams.edu), which is highlighted with a warning showing its external origin. When (not if) you receive something like this, think about it for a moment...does it make sense that Ms. Reinhardt, one of our history professors, would be sharing payroll information from "itshelpdesk7071"? Answer: no, it makes no sense at all. Ms. Reinhardt's name was most likely scraped from public sources and pasted into the display name to make the phish look familiar.
Compare and contrast with a spam message I received:
There is nothing this email is asking me to do. It’s just junk mail. So why did someone send it? Most likely to confirm that the account exists (they did not receive a delivery failure notice) so it can be targeted later. The worst thing to do would be to reply “hi” (or anything at all), confirming that a human is actively monitoring the account. Note that the email is still flagged with a bold amber "External" tag to call your attention to the source.
Example 2: clipped from a long pretext phish:
The United Bank for Africa is a legitimate bank, but it uses the “@ubagroup.com” domain for its business, not @hotmail.com. No bank conducts official correspondence from a free webmail account.
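The tells above (a sender outside our domain, a familiar name on an unrelated mailbox, lure and urgency wording, and links that point somewhere unrelated to the sender) can be turned into a first-pass triage check. The script below is an added example written for this page, not OIT's tooling or anything in the original post; the trusted domain constant, the keyword lists and the two sample messages are constructed for illustration (the placeholder @williams.edu address is not a real OIT mailbox). The same link-domain check applies to the smishing texts later on the page, since the URL in a text message can be parsed the same way.

```python
"""Heuristic phishing triage over the tells this page lists: external sender,
display name that does not match the mailbox, lure/urgency wording, and links
to hosts unrelated to the sender.  Added example only (not OIT tooling); the
trusted domain, keyword lists and sample messages are assumptions."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "williams.edu"   # assumption: the institution's own mail domain
LURE_WORDS = ("payroll", "benefit", "invoice", "prize", "won", "claim")
URGENCY_WORDS = ("now", "immediately", "urgent", "within 24 hours", "act fast")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _text(msg: Message) -> str:
    """Concatenate the decoded text of every part of a (possibly multipart) message."""
    if msg.is_multipart():
        return "\n".join(_text(part) for part in msg.get_payload())
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def _hits(words, text: str) -> list:
    """Whole-word, case-insensitive keyword matches (so 'now' does not match 'know')."""
    return [w for w in words if re.search(rf"\b{re.escape(w)}\b", text, re.I)]


def triage(raw: str) -> dict:
    """Return the tells found in a raw RFC 5322 message plus a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    reasons = []

    if domain != TRUSTED_DOMAIN:
        reasons.append(f"external sender domain: {domain or '(none)'}")

    # A scraped real name on an unrelated mailbox ("Reinhardt" sent from
    # "itshelpdesk7071") is the mismatch the page describes.
    name_tokens = [t for t in re.findall(r"[a-z]+", display.lower()) if len(t) > 2]
    if name_tokens and not any(t in local for t in name_tokens):
        reasons.append(f"display name '{display}' does not match mailbox '{local}'")

    text = msg.get("Subject", "") + "\n" + _text(msg)
    lure = _hits(LURE_WORDS, text)
    if lure:
        reasons.append(f"lure wording: {', '.join(lure)}")
    urgency = _hits(URGENCY_WORDS, text)
    if urgency:
        reasons.append(f"urgency wording: {', '.join(urgency)}")

    # Links should land on the sender's own domain or the institution's.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not (host == domain or host.endswith("." + domain)
                or host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)):
            reasons.append(f"link to unrelated host: {host}")

    verdict = "phish" if len(reasons) >= 2 else "suspicious" if reasons else "clean"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample modelled on Example 1 above (not a real captured message).
PHISH = """\
From: "Ms. Reinhardt" <itshelpdesk7071@gmail.com>
Subject: September Payroll Benefit
Content-Type: text/plain; charset=utf-8

I have shared the attached document with you. Review it now:
https://docs.example.com/share/payroll
"""

# Constructed benign sample; the address is a placeholder, not a real OIT mailbox.
LEGIT = """\
From: "OIT Help Desk" <helpdesk@williams.edu>
Subject: Security awareness session next week
Content-Type: text/plain; charset=utf-8

Thanks for signing up. The session starts Tuesday at 10am in the library.
Details: https://www.williams.edu/
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = triage(raw)
        print(label, "->", result["verdict"])
        for reason in result["reasons"]:
            print("   ", reason)
```

Treat the output as a prompt to look closer, not as a final answer: a compromised internal account passes the domain check, and a careful attacker can avoid every keyword. The point is that the checks a human is asked to make (who really sent this, where does the link go, is it pushing me to hurry) are mechanical enough to automate as a first filter.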
Smishing is the SMS/text message version of phishing (SMS + Phishing = Smishing) that targets a mobile phone number instead of an email address. Otherwise it's the same as phishing, just over a different communication channel. Attackers, especially those who excel at social engineering, are always updating their Tactics, Techniques and Procedures (TTPs) to include new and emerging technologies and messaging platforms. SMS is attractive to them because burner phones let them dodge service disruption and prosecution, and it's effective because sending can be automated, cycling through recipient numbers sequentially.
Example #1: Obvious smish I received
Apply the same filters as you would for phishing. Does this make sense? No, I'm not a DCU customer or member, so I was immediately suspicious. I never "claimed" the funds shown on 9/20. Finally, a legitimate bank or credit union would not send business related traffic to "thatonlineshop.com". Three strikes, you're out!
Example #2: Less obvious example
There is no obvious tell in this one. But there's an old saying to remember...if it seems too good to be true, it probably is. Sure, I could go online and research whether individuals by those names won such a prize back in January. But look at the capitalization ("jan" instead of Jan, "Me" capitalized where it doesn't need to be, "this" not capitalized after a period) and the urgency ("text him right now"); those alone should make you suspicious without any research.
Vishing is the voice phone call version of phishing, usually with a live malicious actor who tries to convince you to follow their instructions. If your phone rings from a number you don’t recognize and the device flags it as “Potential Spam” or similar, there might be a visher on the other end, ready to voice-phish you. Human nature is to be polite, but you are welcome to hang up on anyone who calls to tell you your computer has a problem. The next thing they will likely ask is that you visit a website and type in a code they read to you. That code typically starts a session in a legitimate remote-support tool, and once you enter it they can control your computer.
Obviously, there is no visual example to share in this case. Instead, here's a combination attack that uses a phishing lure to get the recipient to initiate the vishing attack:
In this case, the request is that the recipient call the 808 number at the top and bottom of the image shown. 808 is not a toll-free area code, it's the area code for Hawai'i! Again, ask yourself: does this make sense? Have I purchased Geek Squad Care? No, so all the other details are irrelevant and are only there to make the email look official. They even grabbed some graphics from the Best Buy site to imply authenticity. Capitalization is also off, a consistent trend, especially when the attacker is writing in English as a second language (very common).
If you "bite" and call the number, they will usually give you two choices...renew the invoice or cancel. If you renew, they'll ask you for a credit card to charge. And oh boy will they use it to charge you. If you opt to cancel, no problem...they'll just need the credit card to issue the credit to. See how they want your credit card either way?
Whatever type of disruption you receive, the best response is ALWAYS to ignore it. You may be able to do more, like reporting it or unsubscribing, but the safest thing to advocate 100% of the time is to do nothing. Williams doesn’t ask you to determine whether an email is spam or phish. If you didn’t expect it and don’t want it, simply forward it to [email protected] and let us have a look. This is a safe action to take, and it helps Google and OIT identify these quickly and intervene if necessary.