There are a lot of different ways you could lose your personal data. We’ll go through some of these attack types in this section.
If you’ve ever seen the movie “Catch Me If You Can”, you’ve seen tangible examples of social engineering. The movie shows the character played by Leonardo DiCaprio using manipulation techniques to exploit others and get what he wants. Social engineering attacks can happen in the heat of the moment, but they can also take months of gathering information about the target before the actual exploit is attempted. The same tactics can be used in a single phone call or email, and the attack might be over before you know it.
Social engineering attacks usually target you by:
Emotions: They use your fear or excitement to manipulate you to take actions you wouldn’t normally take. All of your emotions can be used depending on the attacker’s goals.
Urgency: You are coaxed into thinking you need to act urgently, thus ignoring your suspicions.
Trust: Most of these attackers are really good at gaining trust. People inherently trust their co-workers and a social engineering attack can come from someone you think you know or should know. Would you open a locked door to a (possible) co-worker who is carrying a box full of papers? Would you suspect a worker carrying a tool box and wearing a high-visibility vest?
These skills and tactics are often used in a myriad of different ways and for other kinds of attacks, not limited to just social engineering attacks.
Phishing relies on fooling the victim into trusting the attacker and providing them with the needed information. The form of the attack can be anything, but the most used form of a phishing attack is an email. The email, phone call, SMS or other form of direct contact can be used to gather more information for later attacks as well.
Any information you provide to the attacker will help them in their activities. Attackers can use even the tiniest bit of information in conjunction with other sources of information. With it, they can for example commit identity theft or fraud, take out loans in your name, or coax your colleagues or relatives into giving them more usable information.
Spear phishing is a special form of phishing that is more targeted. Spear phishing attacks are often preceded by earlier information gathering, which may itself be done with the same phishing methods.
Common methods used in phishing attacks to get your reaction include:
The message is too good to be true. You’ve either won something or have a good chance of winning. The wording makes it sound like a really good one-time offer, just for you!
A sense of urgency. Different tactics can be used to try to make you act fast before you think. For example, a limited-time offer, or something special for the five fastest people to order. Using fear is another option; the attack can try to use a fear of losing your private financial information if you do not act fast. The wording could be something like “your account is compromised, act fast to secure it!”
Links. Links in these emails might not be what they seem. Methods that obfuscate the URL are used. In HTML emails, the link text can be anything while the actual link points somewhere else. Characters can be substituted so that an address looks similar to a familiar one but leads to a different site. It is preferable to type the website address yourself rather than click on the received link.
Attachments. Attachments can contain malware that will allow attackers access to your computer. This is the most common way that malware spreads. If you didn’t expect attachments, do not open them. Keep your virus scanners updated with the latest virus definitions.
The sender is suspicious. If the email is from a known sender but the content is unusual, be careful – the message might be phishing or a spam message. Verify that the email address matches the sender’s name. Often the name might be familiar but the actual email address randomised. If the message is from an unknown sender, be even more suspicious.
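The two link tricks described above (display text that differs from the real target, and look-alike characters or punycode in the host name) can be checked mechanically. The following is an added example, not part of the course material; the HTML snippet it scans is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not a real message): one link whose
# text and target differ, one punycode look-alike host, one honest link.
SAMPLE_EMAIL = """<p>Your account is compromised, act fast to secure it!</p>
<a href="http://paypal.example.net/login">https://www.paypal.com/login</a>
<a href="http://xn--pypal-4ve.com/">Verify now</a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>"""

# Does the visible text look like a URL or domain (so a comparison makes sense)?
DOMAINISH = re.compile(r"^(?:https?://)?[^\s/]+\.[^\s/.]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def suspicious_links(html):
    """Return (reason, visible text, href) for each link that looks deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown = host_of(text) if DOMAINISH.match(text) else ""
        real = host_of(href)
        if shown and real and shown != real:
            findings.append(("text/href host mismatch", text, href))
        if any(ord(c) > 127 for c in real) or any(lbl.startswith("xn--") for lbl in real.split(".")):
            findings.append(("non-ASCII or punycode host", text, href))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the honest third one alone; the `xn--pypal-4ve` label is the punycode form of “paypal” spelled with a Cyrillic “а”.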
The stereotypical phishing scam of receiving an email from a foreign prince promising large sums of money in return for your bank details still exists, but be assured: scammers have become much more sophisticated and often have far more information to work from because of our increased presence online.
Let's look at an example of phishing that uses multiple online platforms in a seemingly typical social interaction:
A concert that you were looking forward to sold out before you managed to get tickets. You go to the Facebook page of the event to see if anyone is offering to sell tickets second-hand. You're in luck! Two seats are offered by a woman whose Facebook account says she lives in your area. You start a private message conversation with her, in which she tells you that you can pay her via Paypal and she will send you the PDF tickets by email as soon as the money arrives. She even gives you her full name and email address, and sends an image of the tickets with the bar code and serial number blacked out. Paypal is normally a secure way to send money for goods, offering consumer protections against fraud. But this person urges you to click the option on Paypal that says you are sending money to a "friend or family" so that she can save on fees, and she will pass the savings on to you. You hesitate, knowing that this woman is unknown to you. But she pressures you, saying that many people want the tickets and if you don't send the money this way, she will sell to someone else. You decide to send the money. Suddenly, her Facebook account is frozen, and she has disappeared, along with your money.
Malware (malicious software) is a term that groups together all kinds of malicious software. The best-known type of malware is the virus. The different types of malware include the following:
Viruses are commonly spread through executables (programs) or MS Office files using macros. They try to spread via different means, usually by using your contacts, but can also use known vulnerabilities of operating systems to spread. Viruses typically require manual activation.
Ransomware uses different ways to spread itself, but once activated it encrypts some of your files and demands a ransom for the decryption key needed to regain access to them.
Worms typically self-replicate and spread independently of the user. Worms can create all kinds of problems for your systems.
Individual bots form a botnet which can lay dormant until the attacker decides to use the botnet for different purposes such as a DDoS (distributed denial-of-service) attack. A DDoS attack floods a target system with traffic to disrupt normal use.
Trojan horses are a type of malicious program that is disguised as a legitimate program. Once executed, it too can cause all kinds of problems.
Adware can operate in a grey area where it might provide some kind of services in exchange for showing you ads. Most often users get adware without their permission. They can be made really difficult to get rid of and will most likely slow your computer down. The ads shown might also lead to other exploits done to your computer.
Spyware spies on your computer use and can record your credit card numbers, usernames and passwords as you type them.
All of these malware types can spread in the same ways, and they can operate and switch between attack types using multiple methods as well. Most of them can be used to give the attacker direct access to your computer.
Nation state actors and APT groups
Nation state actors or APT (Advanced Persistent Threat) are groups with a “licence to hack”. They are thought to be supported by the nations they are serving. They either hack for the state or are state-sponsored criminal organisations. These groups are generally impossible to prosecute as they’re hard to track and protected by the nations they’re working for.
These groups utilise novel ways to gain access to their targets and might persist in the systems for months or even years before detection. They’re not in a hurry to make profit as they are usually in it for the intelligence instead of a quick profit.
Many countries have or sponsor such groups. Even though most of the identified groups are from Russia, China and North Korea, the western world has its own groups working on gathering intelligence on their adversaries.
After completing chapter 3, you should be able to:
understand why it’s important to keep our communications private
explain some methods we use to make different types of communication private
explain what encryption is and how you can verify whether communication is encrypted