Thursday, July 17, 2014

Protecting your Data from New Types of Attacks - Installment #2

Trying to stay informed of all the scams being used to manipulate our computers for information, resources, and eventually money, can be a daunting task.  Reading technology news can be helpful and keep you informed, but it is hard to learn everything from a single source.  Sharing information with others about how an attack works, and how best to protect yourself from each one, is imperative in slowing down the effectiveness of these attacks.

In December, in our first Protecting your Data from New Types of Attacks post, we discussed Cryptolocker, a type of ransomware that spread quickly and infected the computers of unsuspecting users.  Once infected, the computer's data was encrypted and the user was denied access to it.  This post covers four types of attacks, including ransomware, and is based on a recent article published in CSO magazine, which appears in a modified version on their website as "Four of the newest (and lowest) Social Engineering Scams".  Each of these attacks is currently being used by social engineers in an attempt to gain access to data you would not otherwise willingly give them.

Ransomware is a specific type of attack directed at your computer.  Unlike many attacks, its goal is not necessarily to steal your data and use it elsewhere.  Instead, it blocks you from your own data by encrypting it, in the hope that you will pay to regain access.

How it works:  Once your computer is infected, it is rendered unusable and you must pay off the attackers if you want to decrypt your data.  The longer you wait to pay the fee, the higher the price.  There have also been reports that tampering with the encrypted files in an effort to resolve the issue yourself can prevent decryption altogether.  Beyond Cryptolocker, CryptoDefense was released this February, targeting pictures, videos, and other common files as well as certain types of backup program files.  CryptoDefense is also ransomware and works much the same way as Cryptolocker.

To protect yourself:
  • Keep your devices up to date
  • Run anti-virus and keep it up to date
  • Use caution when clicking on links in emails
  • Use caution installing software you do not know
  • Use caution clicking on items from websites you do not know

Automated calls for credit card information
With the advances of technology, our credit cards are monitored much more actively than they were two, five, or ten years ago.  Now, as we make purchases, they are scanned for fraud or irregularities in real time to prevent us from being scammed if our information is somehow compromised.  Since credit card companies guarantee we are not responsible for items we did not authorize, much of the burden of preventing scams falls on them.  To provide this guarantee, credit card companies are vigilant in separating what could potentially be fraud from what seems like a normal charge based on each user's habits.  Tracking all of these charges, deciding whether to flag each one, and then contacting each customer would be nearly impossible for humans alone to perform.  Instead, software performs these functions, and many systems also investigate suspicious charges by using automated systems to verify with a customer whether a charge is legitimate or fraudulent.  Unfortunately, as with many technology services, social engineers have found a way to exploit this one.

How it works:  After phone numbers have been stolen, an automatic robocaller calls you and identifies itself as your credit card company contacting you about a potentially fraudulent charge.  Of course this gets almost anyone's attention because no one wants to pay for something someone else ordered and received!  Now that they have your attention, they read off the "fraudulent" charge and the amount, then ask for a button response that corresponds to whether or not you made this charge.  Once you respond that this was not a legitimate charge, you are prompted to enter your credit card number, expiration, and security code, and sometimes a phone number so a representative can call you back later to reverse the "fraudulent" charges.  What makes this scam so effective is that other than your phone number, they do not have to have any other accurate information about you.  They can make up any type of item and cost they want, because they are merely pretending to report a potential fraud.    

To protect yourself:  Never give out credit card information, including the number, expiration, or security code, to anyone over the phone unless you called them directly and are certain of the number you called.  If you received an email claiming there have been fraudulent charges, do not use the phone number listed in the email.  Instead, go to the company's website directly and use the numbers listed there.  Any credit card company calling you to inquire about a fraudulent charge will not ask you for your credit card number, and especially not your security code.  They will ask for your address and for answers to security questions you have previously set up with them.  Also, report all instances of this type of attack directly to the company the caller claimed to represent so the company can inform and protect other customers.  Most importantly, remember that someone calling you on the phone does not guarantee they are who they say they are.  The thought of a stranger walking up to you in the parking lot of a mall and asking for personal information is laughable; you would never think of giving them the information they are asking for.  Treat someone calling on the phone with as much scrutiny.  A phone call can be even more dangerous because you do not have a location or description of the person you spoke with.  Treating unknown callers as the strangers they are will save you time and grief.

Using Healthcare records for phishing
With the number of companies experiencing data breaches going up all the time, it stands to reason some healthcare records have been captured in the tide.  With each data breach, more and more data about us as individuals is available to the wrong kind of people.  Given enough time, and the wrong incentive, social engineers are able to consolidate information from multiple sources to get a much clearer picture about us than would have been available in the past. 

How it works:  You receive phishing emails that appear to be from your employer and your corresponding health care provider.  These emails include announcements about changes to your healthcare coverage for people with your type of plan.  There is enough accurate information in these emails to make them seem legitimate, but the links in the email can compromise the device you used to open it.

To protect yourself:  Always be sure you know who is sending an email to you before opening the email.  Also, if you are suspicious of the email or concerned it may not be legitimate, do not open the email.  If you are not expecting any information from your employer about your health care coverage, call your Human Resources department to check to see if you should have received an email of this type.  If you deleted the email, request that it be sent to you again.  If you opened the email, do not click on any of the links.  Follow up with your employer directly to gain access to any materials you may need.

Using funeral information for phishing
More often than not, attackers use fear and urgency to get us to give information we would not normally share.  This is a smart tactic and is often effective because we are less likely to question someone who has legitimate information about us.  This is especially true when we think someone is in danger.

How it works:  An attacker sends you an email stating that a friend of yours has died, along with the details of the funeral.  Unfortunately, before the email was ever sent to you, the funeral home's website was hacked.  Once you click on a link on the website, say to get more information about your friend's funeral, you are redirected to a server unrelated to the funeral home and your computer becomes infected.  This type of scam infects your device with a keylogger, which is a type of hardware or software that records every keystroke made on the infected device, including bank account and user account credentials.  The keylogger records the keystrokes locally, then relays that information back to the server that installed it at predetermined intervals.  Additionally, this attack also infects your machine with a trojan so the attackers can connect to your computer later and use its resources to try to infect more devices.

To protect yourself:  Always question emails that are sent to you and never assume they are safe unless they are from people you know and communicate with often, or from companies you do business with or have solicited information from.  Even emails from people you often communicate with can be dangerous.  If you get an email from someone you often communicate with and the email does not seem like any other email they have ever sent you, the subject is bizarre, or it is to a large group of people they normally do not send to, trust your instinct and do not open the email.  Call the sender directly to see if they sent the email or delete it if you cannot speak with them directly.  If the email is important, they will send it again or contact you directly some other way.  If you receive an email from someone you are not familiar with or did not solicit, do not click on any of the links in the email.  Instead, if you see something you are interested in, go to the website directly.  There are times, as in this example, going to the website directly would not protect you, but luckily these are less common.  Calling to speak to someone who works at the company and inquiring about an email you received can never hurt.

While staying informed of the types of scams that are occurring is important, there are also steps you can take to protect your devices and your data at all times.  The information listed above in the "To protect yourself" sections can be applied to almost anything you do on a computing device.  Additionally, share what you know about scams with friends and family to help protect them too.  After all, you are likely listed as a contact on their computer, and if they get infected, the likelihood is high that you will be one of the first people to get an infected email from their device.  If you have important data, plan ahead by making backup copies regularly and keeping them offsite, or by using a cloud-based backup service like ours, so you can recover from an attack.

Most importantly, always question who is contacting you to share information.  Are they representing themselves as working for a company that would already have your information, yet asking for information not used for identity verification anyway?  Are they calling from a company you did not solicit information from?  Does any part of their solicitation use fear or urgency tactics?  If yes, hang up and call the company back directly to report the issue.  Every company should appreciate the efforts you are making to protect your identity and your data.

As always, err on the side of caution and stay safe!
