Secure Digital Life #72
Recorded on July 17, 2018 at G-Unit Studios in Rhode Island!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
The Revenge of the Warhorse
I know, I know, we did a show about this before but we're smarter now.
Let's talk about phishing and scams. Look, we are all just one click away from getting phished anyway. So, let's talk about social engineering and phishing again, since you didn't get it the first time!
Phishing is still the most common kind of attack, and all of these scams are variations on the classics: the Nigerian prince and the Spanish lottery scams.
- The original Nigerian prince scam involved a guy standing outside an airport or bus station claiming he had a bunch of money inside, either in a locker (think Get Shorty) or being held in customs. He needed your help (and your greed) to go in and get the money. Typically, that meant bribing someone who couldn't see you (the quasi-illegal hook), so you took some money out of your bank account for the bribe, to be paid back a lot more from the stash.
- The original Spanish lottery scam involved telling you "you won the Spanish lottery" (whatever that is) and offering to deliver the cash from your winnings. You just had to pay the "excise taxes" or something first to get the payoff.
- Today, these scams result in a lot of lost money (you aren't getting it back). The scams have evolved into many different things, including the IRS scam, the mystery bail bond, the .... and on and on.
- All of these things are social engineering. They involve throwing your net into a large pool and seeing what you catch. So, phishing.
- In phishing training, they always get hung up on talking about "categories" of scams like "spear phishing" and "whaling". People love to spend time coming up with names for things, but the reality is, they are all just basic social engineering scams.
- So, being a total hypocrite, I will immediately use my own terms: direct and indirect.
- Direct attacks are social engineering that just straight up gives you the scam (Nigerian prince), whereas indirect attacks are more subtle and rely on you taking some action (phishing).
- How to avoid direct attacks in scams:
- Is this too good to be true? (a guy is going to give you a LOT of money)
- Does something appear to be exactly what I want? (a deep discount on a rental)
- Is something about to solve an unpleasant problem for me just at the right moment? (can I carry that heavy luggage for you)
- In all cases, see the first question above.
- How to avoid indirect attacks in scams:
- Clickbait? Why are you about to click that link?
- What is the source? Do you know the person? Is the person real? Is the site real?
- Check your links:
A) If you are daring, you can use a VM or something to go to the link
B) Easier: cross-validate. Do a whois/dig on the link's domain
C) Ask yourself, does this link make sense?
D) Don't forget that a text link is NOT the actual link. Use the mouseover.
The warhorse: it has to react the right way at the right time, regardless of the situation.
- The warhorse conundrum: So, if you want a warhorse, the horse has to be able to stand tall when bombs are going off, so you train the horse with lots of bombs going off until the horse just kind of ignores the whole thing. This is the opposite of what you need to do. You need to protect your flight reflex in the case of indirect attacks. Your inclination is to just ignore the bombs and do what you're told, but this is the wrong response in the indirect case. Instead, you have to react to the mundane as if it were a bomb, all the time, or you will click the link. (Remember, this is an indirect attack.)
- The other warhorse conundrum: But in direct attacks, the opposite is true. Direct attacks (spear phishing) rely on your reaction. Bomb goes off, horse bolts. The school example of the "change to personal behavior policy". In this case, you have to resist the clickbait.
- The point of the warhorse is, you have to be properly trained or you will likely react the wrong way. It's not about being smart (thinking is just as dangerous as not thinking); it's about training yourself to react in the right way at the right time.
- So, how do you do this? In the case of direct attacks, you have to be a skeptic. You are going to react, and scammers spend a lot of time figuring this out. They will push your button. Imagine this headline: "Donald Trump admits to criminal activity, arrested in White House". How many people would click this without thinking (direct attack)? What about this one: "At least 50% of employees at [your company here] will be laid off within days." Boom. My training plan is to tell people to count to 10. When you hear a blast, count to 10. That gives you time to think. Then validate. It's how you beat clickbait. The same thing is true if you are about to send emails or nude photos. Count to 10. In the case of live direct attacks (real, in-person social engineering), look carefully. Does it make sense that a cable TV repairman wants into the server room?
Indirect attacks are both easier and harder to deal with. About the only way to deal with them is training. You want to react to the bomb, but you want to react in the right way. "Blah blah blah click here to get your driver's license renewed online". This is much harder because you don't really need your driver's license renewed, but there it is, the opportunity. If you mouse over the link and it's hackmeharder.ru/iamgoingtohackyou.php, you know, you might not want to click that. And let's mention punycode attacks. Is there a difference between apple.com and äpple.com (a with an umlaut)? Browsers don't display the umlaut, so it's tricky.
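The link checks from the list above (mouse over, compare the visible text with the real destination, look at the domain) and the punycode point can be scripted so the "count to 10" is automatic. The following is an added example for these notes, not code from the show: the sample message body and the allowlist of "trusted" domains are constructed for the demo, and the hosts in it (hackmeharder.ru, bankofamerika.com, and the punycode spelling of äpple.com) are the look-alikes the notes talk about, not real findings.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body for this demo; not a real e-mail.
SAMPLE_EMAIL = """
<p>Blah blah blah, click here to get your driver's license renewed online.</p>
<a href="http://hackmeharder.ru/renew.php">Renew your license</a><br>
<a href="http://xn--pple-koa.com/id">apple.com</a><br>
<a href="http://bankofamerika.com/login">https://www.bankofamerica.com/</a><br>
<a href="https://www.bankofamerica.com/">Online banking</a>
"""

# Assumed allowlist: domains this reader actually does business with.
TRUSTED = ("apple.com", "bankofamerica.com")

# Link text that looks like a URL or a bare domain.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the text is what you see,
    the href is what the mouseover reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def hostname(url_or_domain):
    """Lower-cased hostname of a URL or bare domain; None if there is none."""
    s = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    try:
        return urlsplit(s).hostname
    except ValueError:
        return None


def decode_idn(host):
    """Reverse punycode (xn--) labels so a look-alike letter becomes visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def scripts(host):
    """Unicode scripts of the letters in host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def triage(href, text):
    """Reasons to count to 10 before clicking this link (empty list = nothing odd)."""
    reasons = []
    host = hostname(href) or ""
    shown = decode_idn(host)
    if shown != host:
        reasons.append(f"punycode host {host} renders as {shown}")
    if not shown.isascii() or len(scripts(shown)) > 1:
        reasons.append(f"non-ASCII or mixed-script host: {shown}")
    if URL_LIKE.fullmatch(text):
        text_host = hostname(text)
        if text_host and text_host != host:
            reasons.append(f"text shows {text_host} but link goes to {host}")
    if not is_trusted(host):
        reasons.append(f"{host} is not a domain you normally use")
    return reasons


def triage_email(html):
    """Map every href in the message to its list of reasons."""
    return {href: triage(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in triage_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or ["looks ok"])
```

The allowlist does the heavy lifting here: any host you don't already deal with gets flagged, which is exactly the "does this link make sense?" question. The punycode and mixed-script checks catch the äpple.com case the notes describe, and the text-versus-href comparison is the mouseover done by code.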
- Set up a safe space: a secured browser that you ONLY use to test links.
- I use a VirtualBox instance running Linux (Mint), which means that links like this at best affect the Linux VirtualBox instance, and I just snapshot it back; typically, they can't do much even if they worked in Linux.
- This is a really easy thing to set up and have available if you need it (and it's free).
- Mint Linux is really small, so you can just have it sitting there (it also means you are counting to at least 10).
- On that Mint box, which is now in a shell isolated from your local system (don't share anything), you can dig, you can look at the site, you can test the link, and it won't cost you a thing.
- Create a clean Mint install with the GUI. Make a clean snapshot after you do the updates, and just stay there with it. If you get nervous, you haven't really lost anything: just either delete it and do a new one or roll it back.
Lastly, don't give anything up. The minute someone asks you for personal information, you have to remember the warhorse. You want to react the right way at the right time. In the case of personal information, it's almost always "run away". A fake website is easy to set up. Once you type in your personal information, it's too late. Again, I use my Mint instance and type in fake information if I really want to test a site like "bankofAmerika.com". It's really easy to even set up fake emails to use if you want. Remember, if you type your username and password into a fake site, and you use that username and password on other sites, you have a big problem. So, last tip. Never use the same password on multiple sites and use the tiered password approach we have talked about before, but mostly, don't click links to get to sites. Type the sites in directly. (There are certainly expected links, but again, think.)
When under fire, this will be the most dangerous time. Count to 10.