phishing

Cybersecurity Awareness Month: Social Engineering – The weakest link

Thursday, October 25th, 2018

When we use the term “hacker” in our day-to-day conversation, we tend to associate it with an attacker who uses their technical expertise to break into protected computer systems and compromise sensitive data. We hear about this breed of hacker in the news and we invest millions of rands in new technologies to improve our network defences.

However, there is another type of attacker who uses tactics that bypass even the most expensive and effective cybersecurity technology. They use a variety of media, including phone calls and social media, to trick people into giving them access to sensitive information. These are the social engineers, hackers who exploit the one weakness found in every institution, universities included: human psychology.

Social engineering is a term that covers a broad spectrum of malicious activity. It is a means of attack that leans on human interaction and involves manipulating people. All the methods listed in our previous article use social engineering.

The objective of a social engineer is to convince people to bypass or suppress their natural reserve or suspicion in order to gain access to technology systems or data. For example, someone calls the secretary of a department pretending to be from the IT Department, asks a few questions and gets them to reveal sensitive information such as login names, e-mail addresses or WiFi passwords. Social engineers are, in essence, con-artists.

Whether it is through a phone call or an email, social engineering attacks are effective because they target the weakest link in security: human beings.

The best-known historical example of social engineering is the story of the Trojan Horse, told in Virgil’s Aeneid and recalled in Homer’s Odyssey. After a ten-year siege of Troy, the Greeks pretended to accept defeat. They left behind an enormous wooden horse as a peace offering, and the Trojans opened their city gates to bring the horse in as a victory trophy. Greek soldiers hidden inside the horse crept out at night, opened the city gates and let the Greek army in to destroy the city.

How to protect yourself:

  • First and foremost, be suspicious of anyone who contacts you via email or telephone and appears to know a lot about you. They may be very friendly and attempt to gain your trust, but if you’ve never dealt with this person before, ask yourself how they know so much about you and why they are contacting you.
  • If you are contacted by telephone, don’t blindly provide information. If you’re suspicious (that little voice in the back of your mind that says “something is not right here”), hang up.
  • Offer to call the person back. Ask them for a direct phone number. If they can’t provide one, discontinue the call.
  • Even if they do provide a number, do some research before calling it. Can you find a website for the company? Does a search on the phone number link it to the company name you were given? Better still, call back on a number you obtained independently (from the back of your bank card or the organisation’s official website), because a scammer can just as easily give you the number of an accomplice.

As a matter of habit, never give personal or sensitive information, for example, your login name, ID number, password and bank account number, over the phone or email. If the person is persistent, explain that you are concerned about security and will not provide this information over the phone. If they don’t accept your explanation, they should not be trusted.

Not only are your inboxes and phone lines being targeted, but so are your social media sites. Take a long, hard look at your social media presence. How much do you reveal about yourself to the world? Do you provide information about your position with a company? Do you share your habits – where you shop, gym, eat or socialise? Even the most mundane information you share could make you a target for a social engineering attack. Any social engineer will do their homework on you ahead of time. Whether it’s selfies or cat videos, most of us like to tweet, tag, link, comment, like and post online. Platforms like Facebook and Instagram are full of information social engineers can use.

How many personal details are displayed on your department or Facebook page? Some departmental web pages even display personal cell phone numbers.

Over the past week, there has also been an increase in extortion phishing. Extortion phishing is the practice of obtaining money through threats delivered by email. The victim receives an email claiming they have been recorded through their webcam while watching adult websites. The criminals demand a ransom in Bitcoin or another cryptocurrency and threaten to circulate the recording to the victim’s contacts unless payment is made. Often the scammers also claim to know your password and to have installed malware on your computer.

The new extortion phish plays on our own innate sense of guilt. More worrying, however, is that the passwords quoted in these emails are often correct or close to correct, because they have been leaked through data breaches. Usually these passwords are old and haven’t been used for months or years. In some cases they have remained unchanged, or have changed by only a single letter or digit. For example, how many guesses would it take to get from the old password “christopher” to the new password “Christopher123”?
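To make the “single letter or number” point concrete, here is an added example (not code from the original post) that mimics what a credential-stuffing tool does with a leaked password: apply a short rule set of case changes, “leet” substitutions and common suffixes, and count how many guesses it takes to land on the current password. The rule set is an assumption for illustration; real tools use far longer lists in the same spirit.

```python
"""Added example: how cheaply an old leaked password mutates into the new one.

The mutation rules below are an assumption for illustration, not a published
wordlist; credential-stuffing tools apply much longer rule sets of this kind.
"""

# Suffixes attackers try first, roughly in order of how common they are.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "123!", "2018", "2019"]

# Common "leet" substitutions: a->4, e->3, i->1, o->0, s->5.
LEET = str.maketrans("aeios", "43105")


def base_variants(password):
    """Case and leet variants of a leaked password, cheapest first.
    Duplicates are dropped while the order is preserved."""
    variants = [
        password,
        password.capitalize(),
        password.upper(),
        password.translate(LEET),
        password.capitalize().translate(LEET),
    ]
    return list(dict.fromkeys(variants))


def mutations(password):
    """Yield candidate guesses derived from one leaked password."""
    seen = set()
    for word in base_variants(password):
        for suffix in SUFFIXES:
            candidate = word + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def guesses_needed(leaked, current):
    """1-based position at which `current` is guessed when mutating `leaked`,
    or None if this rule set never produces it."""
    for position, candidate in enumerate(mutations(leaked), start=1):
        if candidate == current:
            return position
    return None


if __name__ == "__main__":
    print(guesses_needed("christopher", "Christopher123"))  # 13
    print(guesses_needed("christopher", "Tr0ub4dor&3"))     # None
```

Thirteen guesses is nothing to an attacker who already holds the leaked password; the second call shows that a password unrelated to the old one is simply never produced by the rule set.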

Your email address and password are potentially out there for all to see. One way to check whether your email address has appeared in a known data breach is a site like Firefox Monitor, which is built on the Have I Been Pwned breach database: you enter your e-mail address and the site lists the breaches that included it and what kinds of data (for example passwords) those breaches exposed. The related Pwned Passwords service lets you check whether a specific password has appeared in a breach without ever sending the password itself.
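For readers who want to see how a password can be checked against breach data without disclosing it, here is an added example (not from the original post) of the k-anonymity range query that Have I Been Pwned’s Pwned Passwords service documents: only the first five hex characters of the password’s SHA-1 hash are sent, the server returns every known suffix under that prefix, and the match is made locally. The `fake_range_server` and its counts are constructed stand-ins so the example runs offline; `hibp_range` calls the real endpoint and is not invoked by default.

```python
"""Added example: k-anonymity password check as used by Pwned Passwords.

Only the 5-character hash prefix leaves the machine; the server never learns
the password or its full hash. `fake_range_server` and FAKE_CORPUS are
constructed for this example; the counts in it are made up.
"""
import hashlib
import urllib.request

PREFIX_LEN = 5


def sha1_upper_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix sent to the server, suffix kept locally)."""
    digest = sha1_upper_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def count_in_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines; return the count for our suffix, 0 if absent."""
    for line in response_text.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def times_seen(password, fetch_range):
    """How often `password` occurs in the corpus behind `fetch_range`."""
    prefix, suffix = split_hash(password)
    return count_in_response(suffix, fetch_range(prefix))


def hibp_range(prefix):
    """Real lookup against the public range endpoint (network; not used below)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")


# Constructed breach corpus standing in for the live service; counts are invented.
FAKE_CORPUS = {"christopher": 23000, "Christopher123": 150, "password": 3600000}


def fake_range_server(prefix):
    """Offline stand-in: answer exactly like the real endpoint would for FAKE_CORPUS."""
    lines = []
    for pw, count in FAKE_CORPUS.items():
        digest = sha1_upper_hex(pw)
        if digest[:PREFIX_LEN] == prefix:
            lines.append(f"{digest[PREFIX_LEN:]}:{count}")
    # A real response lists every suffix under the prefix; one filler entry here.
    lines.append("0" * (40 - PREFIX_LEN) + ":1")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(times_seen("christopher", fake_range_server))               # 23000
    print(times_seen("Xq7#vLm!9pRz-unique-2018", fake_range_server))  # 0
```

To run it against the live data, pass `hibp_range` instead of `fake_range_server`; the prefix is all the service ever receives, which is why this is safe to do with a password you actually use.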

Social engineering attacks range from unsophisticated ones, for example simply lying to get information, to very elaborate ones, for example purpose-built fake websites. They have one thing in common: exploiting the weakest link, human beings.

For this reason, these attacks will continue to increase, so being aware and cautious is the best defence.

Next time we will focus a little more on the type of attacks the university has suffered over the past year or so, and how to spot them.

Keep safe out there;

Cybersecurity Awareness Month: Where do scammers get your information?

Friday, October 12th, 2018

In the last article, we provided a few tips on how to create strong passwords in order to make it harder for a hacker to access your personal data. Using weak passwords is one way hackers and scammers get your information.

But where do scammers get your information?

The graphic below depicts the world where most of us find ourselves, and where scammers might obtain important snippets of our personal data that, in many cases, is there for the taking:

This is your world

Your personal information is in places beyond your control.

The cell phone has become an indispensable communications tool in the 21st century. According to the Pew Research Center, South Africa is placed 24th on the world list, with smartphone usage at 37% of the total population. However, according to a recent global survey by McAfee and OnePoll, 36% of those smartphone users have no form of password, PIN or fingerprint protection on their devices. This means that if their phone falls into the wrong hands, they risk exposing all sorts of personal information, such as bank details and online logins, to whoever finds or steals the smartphone.

How much of your personal information have you placed out there on the internet?

  • Over 30% of South African Internet users share at least 3 pieces of personal information posted on their social media profiles that can make stealing their identity easy.
  • 60% of South African Internet users have revealed they had no idea what their privacy settings are and who could see their personal information on those sites.

Old-style junk mail, invoices, receipts and ordinary letters can still provide scammers with a wealth of information. Dumpster-diving can reveal documents with your ID number, old bank statements with your account details, old credit cards, unwanted junk mail, payslips and tax forms. Even old prescriptions and medical aid claims can hand a scammer a wealth of personal information.

The modern equivalent of a filing cabinet, the flash disk poses a huge risk to the security of your personal data. Flash disks are small and cheap; they are often left plugged into computers, fall out of pockets or get stolen, handing scammers all the data stored on the device.

Your bank, your employers and SARS all store and work with your personal information. You have placed a tremendous amount of trust in these organizations to keep your personal data safe. How many people at your bank, for instance, have access to your personal data, who can they potentially give that data to?

Your driver’s license has a lot of information on it, including fingerprints, date of birth and ID number. The new style “smart” licenses will hold even more information, and if the license gets into the wrong hands it can be used for identity theft. For instance, in order to open up a cell phone contract, you would need an ID document or driver’s license, bank account details and proof of address, almost all of which can be obtained by dumpster-diving or someone rifling through your paperwork.

Finally, your computer (at work or at home) or your laptop holds a huge amount of your personal information. If it is stolen, the hard drive can easily be trawled for personal information. A missing or weak login password makes this easier still, but note that a login password alone does not protect the data once the drive is removed from the machine; only full-disk encryption does that.

This is your world:

  • Since 2007, more money has been made from trafficking financial data acquired by identity theft, than money made from drug trafficking.
  • 8.8 million South Africans were victims of identity theft in 2015.
  • 1 in 3 South Africans do not have a password on their cellphones or computer.
  • 70% of South Africans change their passwords after being compromised. (So 30% of South Africans don’t do anything even after they have been compromised)
  • 1 in 3 South Africans admits sharing passwords with other people.

There are 4 areas where we all neglect the security of our personal information:

  1. Indifference – lack of feeling
  2. Ignorance – lack of knowledge
  3. Inability – lack of training or education
  4. Inaction – lack of respect

What can you do to improve your personal data security and to prevent identity theft?

When someone comes and knocks on your front door, do you just open the door and let them in? No, you check who it is and then you decide if you want to open your door to them or not. The power of access is in your hands because you control the door.

The same principle applies to your personal data. Be careful and vigilant and be the gatekeeper of your personal data! Control what data is given out and who receives it. You have the control!

Next time we will look at the modus operandi of identity thieves.

Warning: Phishing scams with fake invoices

Monday, October 1st, 2018

The nature of the university as an academic institution means that goods like books and academic journals are purchased by staff.

Phishing scammers exploit these purchases by spoofing the e-mail addresses of well-known publishers or by sending “invoices” that carry malware. The aim is either to fool people into divulging personal details such as passwords and bank account details or, more seriously, to infect the victim’s computer with ransomware, which encrypts the contents of the hard drive and demands a ransom to restore access to the encrypted files.

Last week several colleagues reported receiving invoices from a journal publisher for books they had allegedly purchased, with an “invoice” for the books attached.

Here is an example of the phishing scam:

Please keep an eye open for this threat over the next few days. We have been reading reports of a drastic increase in ransomware infections targeting large institutions like universities. Keep on your toes: these criminals will never stop trying, because they catch their victims at the university so easily. Don’t become a victim. Fight them by reporting these scams to the IT CyberSecurity Team and by spreading the news to your colleagues and classmates.

If you have received mail that looks like this, please report it immediately to the Information Technology Security Team using the following method (especially if it comes from a university address). Once you have reported it, delete it or move it to your Junk Mail folder.

  1. Start up a new mail addressed to csirt@sun.ac.za, cc sysadm@sun.ac.za.
  2. Use the Title “SPAM” (without quotes) in the Subject.
  3. With this New Mail window open, drag the suspicious spam/phishing mail from your Inbox into the New Mail Window. It will attach the mail as an enclosure and a small icon with a light yellow envelope will appear in the attachments section of the New Mail.
  4. Send the mail.

[ARTICLE BY DAVID WILES]


“Office 365 verification” phishing scam from compromised student account

Monday, September 3rd, 2018

Please be on the lookout for the following phishing scam coming this morning from a compromised student account:

The subject will be “Office365 E-mail Verification” (or a variation) and says that “you recently made a request to terminate your Office365 mail” and to click on a link to cancel this termination.

The mail should be immediately suspicious to anyone with common sense and some awareness of phishing scams, but here are a few signs:

  1. Why is a student account sending you mail about your “termination” of an Office365 account?
  2. Why are they threatening you to verify or lose your account?
  3. Why does the link point to a site that is not in the university network and is in Brazil of all places?
  4. Why is something as “important” as this being sent in a non-secure email? 

Here is an example of one of these phishing emails that several observant students and colleagues have sent me this morning already!

If you have accidentally clicked on the link and given your login details to the phishers, it is vitally important that you immediately go to the USERADM page (either http://www.sun.ac.za/password or www.sun.ac.za/useradm) and change your password. Make sure the new password is completely different and strong enough not to be easily guessed, and also change the passwords on your social media and private e-mail accounts, especially if you use the same password on those accounts.

If you have received mail that looks like the one above, please report it immediately to the Information Technology Security Team using the following method (especially if it looks like it comes from a university address). Once you have reported it, delete it immediately.

  1. Start up a new mail addressed to csirt@sun.ac.za (CC: sysadm@sun.ac.za)
  2. Use the Title “SPAM” (without quotes) in the Subject.
  3. With this New Mail window open, drag the suspicious spam/phishing mail from your Inbox into the New Mail Window. It will attach the mail as an enclosure and a small icon with a light yellow envelope will appear in the attachments section of the New Mail.
  4. Send the mail.

[ARTICLE BY DAVID WILES]


Warning: Phishing scam exploiting ABSA new logo

Tuesday, July 17th, 2018

Many of you use ABSA as your bank of choice, as well as making use of ABSA Bank’s Internet Banking facilities, so this warning might be of particular significance.

Earlier this month ABSA announced a new logo – part of its rebranding campaign – and almost immediately phishing scammers exploited this opportunity to continue their nefarious campaign of identity theft through phishing email attacks.

Several users have reported getting the following email – allegedly from ABSA – taking advantage of the new logo to target the bank’s customers in a phishing email scam by attempting to trick users to click on a link to take them to a fake website.

The scam email claims to come from Absa CEO Maria Ramos, but it actually originates from an outside source. It informs victims that “today marks a very significant day in the Absa journey” and uses Absa’s slogan: “We are also launching a new, fresh and vibrant Absa logo and identity that reflects our commitment to you, our customers”. Potential victims are then encouraged to click on their “New Absa eStatements” in PDF format. This is not a statement but an HTML file which takes users to a phishing website.
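Both this warning (an “eStatement.pdf” that is really an HTML file) and the fake-invoice warning earlier on this page (an “invoice” attachment that is really malware) come down to the same question: does the attachment’s content match what its name claims? Here is an added example, not code from either post, that builds a constructed message with one honest PDF and two disguised attachments, then triages each attachment by its extension and its leading bytes. Every name, address and attachment in it is invented for the example; nothing is taken from a real phishing mail.

```python
"""Added example: triage email attachments by extension and magic bytes.

The sample message, its sender and its attachments are constructed here for
illustration; none of it comes from a real mail.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive as an "invoice" or "statement".
DANGEROUS_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "html", "htm",
                 "docm", "xlsm", "lnk", "iso"}

# What the file's first bytes should look like for a given extension.
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "zip": "zip",
                 "html": "html", "htm": "html", "exe": "exe"}


def sniff(data):
    """Guess a file's real type from its leading bytes (magic numbers)."""
    head = data[:1024].lstrip()
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"MZ"):          # Windows executable header
        return "exe"
    if head.startswith(b"PK\x03\x04"):  # zip container, also Office .docx/.xlsx
        return "zip"
    lowered = head.lower()
    if lowered.startswith(b"<!doctype html") or b"<html" in lowered or b"<script" in lowered:
        return "html"
    return "unknown"


def triage_attachment(filename, data):
    name = (filename or "").lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    reasons = []
    if ext in DANGEROUS_EXT:
        reasons.append(f"dangerous extension .{ext}")
    if len(parts) > 2 and parts[-2] in EXPECTED_KIND:
        reasons.append("double extension ." + ".".join(parts[-2:]))
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != "unknown" and kind != expected:
        reasons.append(f"claims .{ext} but content looks like {kind}")
    return {"filename": filename, "sniffed": kind,
            "reasons": reasons, "suspicious": bool(reasons)}


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [triage_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()]


def build_sample_message():
    """Constructed lure: one honest PDF and two disguised attachments."""
    msg = EmailMessage()
    msg["From"] = "Absa Notifications <noreply@absa-notice.example>"  # invented
    msg["To"] = "staff@sun.ac.za"
    msg["Subject"] = "Your new Absa eStatement"
    msg.set_content("Today marks a very significant day in the Absa journey. "
                    "Your new eStatement and invoice are attached.")
    # "PDF" that is really an HTML login page (the trick this warning describes)
    msg.add_attachment(b"<html><body><form action='http://absa-verify.example'>"
                       b"Sign in</form></body></html>",
                       maintype="application", subtype="pdf",
                       filename="Absa_eStatement.pdf")
    # "invoice" that is really an executable (the fake-invoice trick)
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_2018_4471.pdf.exe")
    # an honest PDF for comparison
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf",
                       filename="Real_invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage_message(build_sample_message()):
        print(result)
```

The mail client would show the first attachment with a PDF icon because the declared type is `application/pdf`; the content check is what exposes it. The same `sniff` logic is why you should never trust an icon or a filename alone.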

Here is one example of the phishing e-mail which has already appeared in several University email accounts, as well as personal home email accounts:


As always, you should never respond to a suspicious looking email or message or click on a link in any suspicious looking email. Rather delete the email. No South African bank will ever contact customers and request sensitive information (card PIN, card CVV or online banking password) via email, telephone or SMS.

If you have received a phishing email, immediately report it to the Information Technology CyberSecurity Team using the following method:
 
1. Start up a new mail addressed to sysadm@sun.ac.za (CC: help@sun.ac.za)
2. Use the Title “SPAM” (without quotes) in the Subject.
3. With this New Mail window open, drag the suspicious spam/phishing mail from your Inbox into the New Mail Window. It will attach the mail as an enclosure and a small icon with a light yellow envelope will appear in the attachments section of the New Mail.
4. Send the mail.

IF YOU HAVE FALLEN FOR THE SCAM:
If you did click on the link in a phishing email and unwittingly gave the scammers your username, email address and password, immediately go to http://www.sun.ac.za/useradm and change the passwords on ALL your university accounts (making sure the new password is completely different and strong enough not to be easily guessed), as well as the passwords on your social media and private email accounts (especially if you use the same passwords on those accounts).
 
Useful information on how to report and combat phishing and spam can also be found on our blog

[ARTICLE BY DAVID WILES]


© 2013-2024 Disclaimer: The views and opinions expressed in this page are strictly those of the page author(s) and content contributor(s). The contents of this page have not been reviewed or approved by Stellenbosch University.