Month: January 2024

InfoSec

Information Security Threats: Phishing, Whaling, etc

Cartoon Representing PhishingPhishing has become a household term in recent years, and for good reason. There are news stories about it, mandatory corporate training to keep you from falling for it, and it still remains prevalent and a fruitful ways for the “bad guys” to succeed. So what is phishing? Phishing represents a range of techniques used by cybercriminals to deceive individuals into divulging sensitive information. Phishing now comes in many forms. And just like every political scandal gets -gate added as a suffix because of Watergate (Gamergate, Chinagate, Emailgate, Russiagate, etc), each of these forms of phishing gets the -ishing suffix. Clever, right?

Phishing: Your Inbox is the Battleground

The OG, Phishing is the most common form of cyber deceit. It involves sending mass emails that appear to come from reputable sources, such as banks or popular websites, with the goal of stealing sensitive data like login credentials or credit card numbers. These emails often create a sense of urgency, prompting you to act quickly with the hope that you won’t do your due diligence. Typically, the sender will appear to come from a safe domain, but will be just wrong. Some common examples are things like goolge.com instead of google.com or gimletrnedia.com instead of gimletmedia.com. Even if they don’t try to make the email sender look legit, the form you get sent you might be for a domain that is set up with those tactics. Another trick is to have a very long domain like secure.google.com.hacker.co/blah/blah/etc.php and people might only notice the “google.com” portion instead of noticing the actual domain is “hacker.co”. These people will make exact duplicates of a Google, Microsoft, Amazon, or bank login screen and then steal your credentials. Where possible, the smart ones will even pass those credentials on and get you logged into the site so you’re none the wiser.

Protection Tip: Always verify the sender’s email address and be wary of emails that demand immediate action. Legitimate organizations won’t ask for sensitive information via email.

Spear Phishing: Targeted Attacks

Spear phishing is a more targeted version of phishing, so named because the same tactics are used as phishing except that the target is very deliberate. This is the difference between dropping a fishing line in a water to catch “any fish that swims by” vs spear fishing and jabbing a spear into the water to catch “this exact fish”. With Spear Phishing, the attacker personalizes the email to fit the recipient – using your name, job title, or other personal information – making the fraudulent communication seem more credible. Often, these emails might even seem to come from a higher-up in the company and they need you to wire money to a vendor urgently, or review this document immediately (behind a phishing lure).

Protection Tip: Be cautious with the amount of personal information you share online. Regularly update your privacy settings on social media and professional platforms. Open Source Intelligence (OSINT) is the key way that attackers learn this information about you to make it seem like they know you or already are in your organization.

Whaling: Going After the Big Fish

We’re keeping the metaphor going here with Whaling. Traditionally, whaling is done with harpoons (and what are harpoons but basically large spears?!?). Whaling attacks are Spear Phishing attacks that specifically target high-profile individuals like CEOs or CFOs. The emails mimic critical business communications, often involving legal or financial matters, to trick the victim into transferring funds or revealing sensitive corporate information.

Protection Tip: High-ranking individuals should be extra vigilant. Double-check the source of unexpected requests and verify through direct, secure communication channels. If possible, have the IT department put extra protection around the email accounts of key figures. Many business email providers offer this protection (Microsoft Defender for Email offers Priority Account Protection, for instance).

Vishing: The Voice of Deception

Now we’ve stopped being clever and have ventured into the “Russiagate” level of naming and have lost the metaphor and instead heading for the land of portmanteaus. Vishing, or voice phishing, involves phone calls instead of emails. The caller impersonates a trusted authority to extract personal information or financial details. If users aren’t trained well or if your organization doesn’t have the right protocols around verifying a caller, this can be an easy way to get too much information. I’ve done this myself when one of my accounts with a retailer was used without authorization. I called up and couldn’t get an answer, but I was able to get a few things from the phone agent that they didn’t mind sharing. Then I called back and had my original information plus this other information and the person on the other end of the line assumed I was okay to know more about the transaction because I knew so much already, so I must be okay. Attackers especially skilled in building trust and using social manipulation can move mountains this way.

Protection Tip: Be skeptical of unsolicited phone calls. If in doubt, hang up and contact the organization directly using an official number.

Smishing: SMS-Based Scams

Another portmanteau, Smishing is like phishing but carried out through SMS text messages. These messages may contain malicious links or request personal information. You have probably received these recently. USPS wants to tell you you have a package that can’t be delivered. The IRS wants to talk to you about your huge overdue tax bill. Your bank wants to confirm your information. None of this is something that would happen or be communicated this way unexpectedly. Never respond to a text link, but instead go to the actual site and login. Any legitimate messages for you will be there when you arrive. If you’re still in doubt, call the company using a phone number from their verified web page or a trusted directory and confirm the message. Otherwise, you’re asking for trouble.

Protection Tip: Avoid clicking on links in text messages from unknown sources. Install a reputable security app on your phone to filter out potential scams.

In the current world of online threats, knowledge and familiarity is your best defense. By understanding these tactics and adopting cautious online behaviors, you can significantly reduce the risk of falling victim to these increasingly sophisticated scams. Remember, cybersecurity is a continuous process. Regularly updating your software, using strong, unique passwords, and being mindful of the information you share online are crucial steps in protecting yourself and your data.

Stay informed, stay skeptical, and stay safe.

InfoSec

Information Security Threats: Malware

Computer showing a malware messageWe’ve been talking about the CIA Triad, which is a shorthand for what it is that we’re trying to defend with our security practices. Now that we understand what’s at stake, we’re going to spend the next few posts talking about how various threats are going to try to take out one or more of those legs. In this post, we’re going to talk about Malware.

Malware, which is a portmanteau of “malicious software,” encompasses a broad range of software intentionally designed to harm, exploit, or disrupt computers, networks, servers, and computer systems. This includes a variety of forms such as viruses, worms, trojan horses, ransomware, spyware, adware, and more. Each type of malware has its unique mode of infection and impact, ranging from stealing sensitive information, damaging system operations, to hijacking core computing functions for malicious intent. The significance of understanding and guarding against malware cannot be overstated.

In our increasingly digital and interconnected world, where personal and professional lives are mixed with technology, malware poses a significant threat to individual privacy, financial security, and business operations. The growth of malware highlights the need for robust cybersecurity measures, regular system updates, cautious online behavior, and an informed understanding of digital threats. By recognizing the potential hazards of malware and taking proactive steps to protect against it, individuals and organizations can significantly reduce their vulnerability to these malicious threats.

1. Viruses

  • Definition: A virus is a type of malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code.
  • How it Works: When this replication succeeds, the affected areas are then said to be “infected”. Viruses often require a host program to be executed, such as a document or file.
  • Impact: They can perform various malicious tasks, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user’s screen, spamming their email contacts, and even rendering the computer useless.

2. Worms: The Independent Malware

  • Definition: A worm is similar to a virus by design and is considered a sub-class of a virus. However, it differs in its function – it spreads across networks and computers without needing a host file.
  • How it Works: Worms exploit vulnerabilities in operating systems and software and are known for their capability to replicate themselves autonomously.
  • Impact: They often cause harm to their host networks by consuming bandwidth and overloading web servers. Worms can also carry payloads, which might steal data, delete files, or create botnets.

3. Trojans: The Deceptive Threat

  • Definition: A Trojan horse, or Trojan, is any malicious computer program which misleads users of its true intent.
  • How it Works: Unlike viruses and worms, Trojans do not replicate themselves but pose as legitimate software. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems.
  • Impact: Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system.

4. Ransomware: The Hostage-Taker

  • Definition: Normally, cryptography is defensive in nature. You encrypt things to keep them for “eyes only”. Cryptovirology is using cryptography in an offensive way… “infecting you with encryption” in a way. Ransomware is a type of malware that uses cryptovirology and threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
  • How it Works: Some ransomware types encrypt files on the system’s hard drive (cryptoviral extortion), while others may simply lock the system and display messages intended to coerce the user into paying.
  • Impact: Ransomware attacks can lead to significant data loss and financial damages, both from the ransom paid and the downtime caused by the attack.

Understanding these various types of malware is the first step in protecting yourself and your organization from them. Always ensure you have updated antivirus software, practice safe browsing, and be cautious with emails and downloads. Awareness and preparedness are key in navigating the complex world of digital threats.