ARRC Logo
Support
Plan Your IT Strategy
Request Consultation

Month: January 2019

3 Ways Cybercriminals Use Social Engineering to Steal Your Info

Posted on by ARRC Technology

Cybercriminals use social engineering every day to attempt to hack into people’s personal information. Chances are, you have seen all three of these attempts sometime during your lifetime. Social engineering is slightly different though because it preys on the human condition. Attempting to gain trust and manipulate people. This way it’s even easier to have someone almost willingly give out personal information. In general, there are three major ways that cybercriminals use social engineering to steal your info.


The first is via email.
This is one of the most prominent ways that information is stolen. This side of social engineering has been around nearly as long as emails have and its guaranteed that anyone with an email account has seen at least one of the many phishing scams that come from cybercriminals. Perhaps a Nigerian Prince would like to wire you a ton of money because his inheritance is wrapped up in the bank for some reason. All you need to do is pay a few fees to receive the money and you get to keep a portion of his millions. Totally legitimate right? Or maybe the bank needs you to confirm your account number and social security number because of an “account breach”. Why not right? The bank is a legitimate business, it must be real, even the email looks real. Better yet, wouldn’t you love to be a secret shopper? Receive a check for $1000, cash it, and perform a job. Innocent enough right? Not after you wire initial costs and attempt to cash a bad check. These are just some of the ways social engineers prey on unsuspecting and trusting people. If sending money or willingly giving up information isn’t involved, then there is usually malware within the email. The links that can be clicked on will deploy malware to infect your computer files and obtain information about you. It’s amazing how prevalent these scams are. But if you’re educated on them, you won’t become a victim.


Next is posing as someone you know.
This can take several different forms, however the most obvious is copycat Facebook profiles. This is another prominent scam that cybercriminals use to trick people into thinking they are receiving a friend request from someone they know. The profile will often contain a few photos from the original person’s profile so it looks a tad more real. As unsuspecting friends add this profile, it begins to look more legitimate because of similar friends and associates. This profile can ask for money or send links containing malware to infect your computer, or even corrupt your Facebook profile gaining access to personal information. Another way cybercriminals can gain access to your information is by posing as someone within your company. They can send an email that looks like it’s from your boss when really its fake. Usually, something about the email address will be a bit off, if you’re paying attention. Letters are swapped around or a .net becomes a .com at the end of the email. As soon as you open it or click on a link, there goes malware infecting your computer. This scam is usually highly effective because it gets sent to everyone in the company, and people often take it as real from the boss.

Finally, a newer way for cybercriminals to target people is through advertisements.
Considering ads are pretty much everywhere online now, creating ransomware ads is incredibly easy and a bit difficult to spot among the hundreds of people see every day. For this type of social engineering, cybercriminals literally deploy ad campaigns showcasing a product or a service. When you click on the ad, it downloads malware or ransomware onto your computer. Most of the time these ads are for anti-virus software or a pop-up will come on your computer saying your computer has been infected and to click the link to clean the virus. Tricky, tricky cybercriminals.

The key to these three general social engineering styles is to become educated on them and keep an eye out for anything that seems off. It certainly pays nowadays to be diligent during your time on the internet and pay attention to everything. If something seems strange or wrong, avoid it until you are certain it is safe. Try not to click on any links inside of emails unless you are sure, and trust the sender. If you get a friend request from someone, look over their profile and ensure its real. Check out their friends, photos, and posts to ensure they aren’t fake. Then finally don’t trust any anti-virus pop-ups or ads. Make sure that you make educated decisions while surfing the internet, stay safe out there!

Why are you so popular?

Posted on by ARRC Technology

Most people are aware of the many scams that exist on the internet now. It’s tough to simply look at your emails without noticing several phishing emails still in your inbox and those are the obvious ones! Not including the stealthy, “We need you to update your account info, just click the link below”, emails. It can even go deeper with hackers physically talking with you or conning you into giving them the information you shouldn’t. But the largest influx of social engineering has come from social media.  As of right now, worldwide social media users total 2.34 billion according to Statista. That is a lot of people to target and you know they will target as many as possible. 

 

Facebook has seen a lot of scrutiny lately revolving around Russian meddling in the 2016 election. Not only did they find literally millions of fake Facebook accounts, but they also found that there were FB ads created to sway American voters. This is a perfect example of the new age of social engineering. All of this comes from profiles that look legitimate on the outside but once you do a little digging you can quickly tell the difference. Same goes for the advertisements, they look as though they are from a real company or person, the ad does say sponsored like regular FB ad content. But when you click on it, you can either infect your computer with malware or unknowingly give away your login info.  

 

Another example of social engineering via Facebook ads was back in 2011 after Steve Jobs passed away. A fake FB ad claimed that Apple was giving away iPads in honor of his passing. Well, that ad went viral and thousands of people clicked on the link, which in turn infected their computers and devices.  

 

Social engineering has gotten more complicated with (MIP) minimally invested profiles and (FIP) fully invested profiles, found mostly on Facebook and LinkedIn. MIPs are created in bulk, usually have very little original content on them, and usually a sexy or provocative photo as the main profile picture. Then they usually go around making friend requests in hopes that certain users won’t look into the profile and simply add them. The reason for this is to be able to eventually send you malware via FB messenger as well as post on someone’s FB “wall”. 

 

The FIPs that get created take a little more time and effort, however, they are more efficient because they really look the part. To an untrained eye, a profile like this could pass as an acquaintance. The best way to crack this mystery profile is by looking at their friends and content on their wall. If both of these raise even one red flag, it’s likely it’s a fake FIP profile. These are intended to target a specific person or vertical in an industry. This can usually be seen once you look into mutual friends or even do a reverse image search.  

 

These are just a few of the main ways that social engineers are using social media to target people. While snooping on your co-workers, checking to see what crazy Uncle Larry just posted, or simply browsing through memes, always be diligent and aware of your internet surroundings. If that’s tough, make sure you’re firewall and antivirus are up to par! Don’t let a social engineer manipulate you into surrendering your information.  

Breaking Down Social Engineering

Posted on by ARRC Technology

Most people are aware of terms like phishing and malware, but do you know those are a part of a larger scheme called social engineering? This is not a new kind of fraud, in fact, it’s been used for many years to manipulate a wide range of people into giving up important data about themselves or the workplace. A prime example of social engineering goes back to Greek mythology with the Trojan horse. They infiltrated the city of Troy with a “peace offering” filled with soldiers, thus winning the war.

With technology at the forefront of our lives, social engineering has entered a new era. Physical human interaction is not necessarily required anymore. These criminals can gain information through emails, pop-ups, and public Wi-Fi networks, to name a few. The main objective is to influence, manipulate or trick users into giving up privileged information or access within an organization. They are doing this right under your nose, and if you’re not paying attention you will be a victim of this as well.  

External Threats 

With technology at the forefront of most businesses, external threats are becoming the benchmark for social engineers. They can hack into core business processes by manipulating people through technological means. There are so many ways for social engineers to trick people, that it is best to ensure you are well versed in some of the ways they can hack your system. 

 

Baiting 

First of all, baiting can be done both in person and online. Physical baiting would be a hacker leaving a thumb drive somewhere at a business, then an employee picks it up and plugs it into a computer. Could be curiosity, or simply thinking a co-worker left something behind. However, as soon as the thumb drive gets plugged in, it will infect your computer with malware. The online version of this could be an enticing ad, something to pique interest. Things like “Congrats, you’ve won!” Also, there is scareware, in which users are deceived to think their system is infected with malware, saying things like “Your computer has been infected, click here to start virus protection.” By clicking on it, you unintentionally downloaded malware to your computer. If you understand what you are looking for, you can usually avoid these situations.  

 

Phishing

This is probably one of the most popular social engineering attacks. Fairly generalized, this usually comes in the form of an email. Often, they ask the user to change their email or log in to check on a policy violation. Usually, the email will look official and even take you to a site that looks almost identical to the one you may be used to. After that, any information you type in will we transmitted to the hacker. You just fell for the oldest online hack in the book.  

 

Spear Phishing 

Similar to generic phishing, spear phishing is a more targeted scam. This does take a little more time and research for hackers to pull off, but when they do it’s hard to tell the difference. They often tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. This could be in the form of an email, acting as the IT guy with the same signature and even cc’s to co-workers. It looks legitimate but as soon as you click the link, you are allowing malware to flood your computer.   

  

Internal Threats 

Originally, social engineering took place in a physical setting. A hacker would do some preliminary research on a company structure or focus on behaviors in order to get that initial access into a building, server room or IT space. Once they have a “foot in the door” so to speak, obtaining pertinent data or planting malware becomes that much easier.  

 

Tailgating 

Often, they will enter a building without an access pass by simply acting like an employee that left it at home, this technique is known as tailgating. The only credential they need is confidence. This can also include a hacker posing as an IT person and conning people into believing that to be true so they can gain access to high-security areas. This is far easier than it sounds too. You can find company shirts at your local thrift store, exude confidence and gain access.  

 

Psychology 

Another interesting process hackers use to con their way into a business is by creating a hostile situation. According to PC World, people avoid those that appear to be mad, upset or angry. So, a hacker can have a fake heated phone call and reduce the likelihood of being stopped or questioned. Human psychology really is a tricky thing, isn’t it? 

 

Public Information 

Then of course, the more you know about someone the more likely you are going to gain the information you need from them. This involves everything from scoping out parking lots, observing the workspace and even dumpster diving. Nothing is safe anymore and your life is not always as secure as you’d like to think. Something as innocent as a bill can be used to harvest more information about a person. 

 

Pretexting 

Similar to online phishing, pretexting is a popular fraud tactic for phone calls. Often, they will disguise themselves as an authority such as a bank, tax official or even police. They will probe you with questions that could lead to giving up information that could compromise your identity. This personal information can be used to find out a whole slew of things. Not only can they get away with your money immediately, but they can also easily steal your identity with pertinent information like social security numbers or banking information. 

 

Prevention 

Social engineering can be prevented by being educated in it. With so many different ways to steal your important data its imperative that individuals and businesses go through some sort of training regarding these issues. However, on a day to day basis, getting into certain habits can help. First of all, pay attention to your surroundings. Remember that physical social engineering still exists and you don’t want to be the one that caused your business corrupted data. Next, do not open emails or attachments from suspicious sources. Moreover, if a legitimate-looking email seems slightly suspicious, go to the source and find out for sure if they sent it. Also, multi-factor authentication can curb fraud immensely. One of the most valuable pieces of information attackers seek is user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise. Furthermore, if an offer seems too good to be true, it probably is. Don’t click the link, you didn’t win a cruise. Then finally, keep your antivirus and/or antimalware software updated at all times. This is the best line of defense if for some reason your system has been compromised. For the most part, use your best judgment and common sense. Social engineers have gotten very good at their jobs, but that’s okay because you’ve gotten very good at yours too and can combat these sneaky hackers.

Breaking Down Social Engineering

Posted on by ARRC Technology

Most people are aware of terms like phishing and malware, but do you know those are a part of a larger scheme called social engineering? This is not a new kind of fraud, in fact, it’s been used for many years to manipulate a wide range of people into giving up important data about themselves or the workplace. A prime example of social engineering goes back to Greek mythology with the Trojan horse. They infiltrated the city of Troy with a “peace offering” filled with soldiers, thus winning the war.

With technology at the forefront of our lives, social engineering has entered a new era. Physical human interaction is not necessarily required anymore. These criminals can gain information through emails, pop-ups, and public Wi-Fi networks, to name a few. The main objective is to influence, manipulate or trick users into giving up privileged information or access within an organization. They are doing this right under your nose, and if you’re not paying attention you will be a victim of this as well.  

External Threats 

With technology at the forefront of most businesses, external threats are becoming the benchmark for social engineers. They can hack into core business processes by manipulating people through technological means. There are so many ways for social engineers to trick people, that it is best to ensure you are well versed in some of the ways they can hack your system. 

 

Baiting 

First of all, baiting can be done both in person and online. Physical baiting would be a hacker leaving a thumb drive somewhere at a business, then an employee picks it up and plugs it into a computer. Could be curiosity, or simply thinking a co-worker left something behind. However, as soon as the thumb drive gets plugged in, it will infect your computer with malware. The online version of this could be an enticing ad, something to pique interest. Things like “Congrats, you’ve won!” Also, there is scareware, in which users are deceived to think their system is infected with malware, saying things like “Your computer has been infected, click here to start virus protection.” By clicking on it, you unintentionally downloaded malware to your computer. If you understand what you are looking for, you can usually avoid these situations.  

 

Phishing

This is probably one of the most popular social engineering attacks. Fairly generalized, this usually comes in the form of an email. Often, they ask the user to change their email or log in to check on a policy violation. Usually, the email will look official and even take you to a site that looks almost identical to the one you may be used to. After that, any information you type in will we transmitted to the hacker. You just fell for the oldest online hack in the book.  

 

Spear Phishing 

Similar to generic phishing, spear phishing is a more targeted scam. This does take a little more time and research for hackers to pull off, but when they do it’s hard to tell the difference. They often tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. This could be in the form of an email, acting as the IT guy with the same signature and even cc’s to co-workers. It looks legitimate but as soon as you click the link, you are allowing malware to flood your computer.   

  

Internal Threats 

Originally, social engineering took place in a physical setting. A hacker would do some preliminary research on a company structure or focus on behaviors in order to get that initial access into a building, server room or IT space. Once they have a “foot in the door” so to speak, obtaining pertinent data or planting malware becomes that much easier.  

 

Tailgating 

Often, they will enter a building without an access pass by simply acting like an employee that left it at home, this technique is known as tailgating. The only credential they need is confidence. This can also include a hacker posing as an IT person and conning people into believing that to be true so they can gain access to high-security areas. This is far easier than it sounds too. You can find company shirts at your local thrift store, exude confidence and gain access.  

 

Psychology 

Another interesting process hackers use to con their way into a business is by creating a hostile situation. According to PC World, people avoid those that appear to be mad, upset or angry. So, a hacker can have a fake heated phone call and reduce the likelihood of being stopped or questioned. Human psychology really is a tricky thing, isn’t it? 

 

Public Information 

Then of course, the more you know about someone the more likely you are going to gain the information you need from them. This involves everything from scoping out parking lots, observing the workspace and even dumpster diving. Nothing is safe anymore and your life is not always as secure as you’d like to think. Something as innocent as a bill can be used to harvest more information about a person. 

 

Pretexting 

Similar to online phishing, pretexting is a popular fraud tactic for phone calls. Often, they will disguise themselves as an authority such as a bank, tax official or even police. They will probe you with questions that could lead to giving up information that could compromise your identity. This personal information can be used to find out a whole slew of things. Not only can they get away with your money immediately, but they can also easily steal your identity with pertinent information like social security numbers or banking information. 

 

Prevention 

Social engineering can be prevented by being educated in it. With so many different ways to steal your important data its imperative that individuals and businesses go through some sort of training regarding these issues. However, on a day to day basis, getting into certain habits can help. First of all, pay attention to your surroundings. Remember that physical social engineering still exists and you don’t want to be the one that caused your business corrupted data. Next, do not open emails or attachments from suspicious sources. Moreover, if a legitimate-looking email seems slightly suspicious, go to the source and find out for sure if they sent it. Also, multi-factor authentication can curb fraud immensely. One of the most valuable pieces of information attackers seek is user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise. Furthermore, if an offer seems too good to be true, it probably is. Don’t click the link, you didn’t win a cruise. Then finally, keep your antivirus and/or antimalware software updated at all times. This is the best line of defense if for some reason your system has been compromised. For the most part, use your best judgment and common sense. Social engineers have gotten very good at their jobs, but that’s okay because you’ve gotten very good at yours too and can combat these sneaky hackers.