When it comes to digital security, there seems to be a definitive skew towards articles which focus on the result of poor digital security, or what the implications of a breach in your network security may entail. Similarly, there also seems to be a raft of information on what you need to do to secure your network or protect yourself from being an easy target for the latest scam or threat.
Thus this blog aims to go one step further and provide you with a synopsis of 6 emerging threats so that you can work out ahead of time what you need to do – or not do as the case may be – to protect your company, rather than taking corrective steps to fix something that went wrong. Some of these threats may not be new per se, but have been included due to their rise to prominence and recent increase in use by scammers and hackers.
1. Whaling
Hackers are always after one thing: your personal data, so they can use it for financial gain. However they can get this information, they will. At first there were spam emails such as the infamous “Nigerian Scams” asking for money outright, but with time hackers evolved their methodologies and the term phishing came to prominence. Hackers realised that if they could send emails to individuals or employees which looked legitimate and asked the recipient to do something simple, such as visit a website, they could install malware on the recipient’s computer and then access a raft of personal information which they could use.
Following phishing (which is still rife) came spear-phishing which for all intents and purposes works on the same premise as phishing, with one key difference. Spear-phishing emails have been carefully crafted to include personal information about the recipient and seem to come from trusted sources. This lowers the defenses of the recipient and makes them less suspicious. With this carefully crafted approach, hackers saw a rise in success rates.
Therefore, hackers have turned their attention to the higher end of town where the money really is – Management (the Whales). The emails they send are no less personalised, but now refer to critical business matters, such as a legal subpoena, customer complaints or staffing issues. Generally, emails appear to have been sent from a trustworthy source such as the Law Courts, a staff member within the organisation or an affiliated business. Because the email domain used is similar to, yet slightly different from, the correct one, a cursory glance at the address will not cause alarm. (See below, “Man in the Mailbox”).
As the email seems legitimate there is more chance a recipient will interact with the email contents and follow a link to a fake website – which may ask you to enter passwords or similar or may simply install malware such as a key logger to your computer – or open a malware-infected attachment.
Be warned, these attacks are increasing. If you are suspicious, chances are you have a reason to be; don’t interact with the email, but do some research on the sender’s address, or google the URL it is sending you to.
2. Smishing
Whilst not nearly as rife as it currently is in the USA, smishing is inevitably coming to Australia soon. Smishing is the use of SMS and bogus phone calls to dupe a recipient into providing personal information to a hacker – akin to a phishing scam. A scammer will broadcast an SMS message or voicemail message to multiple recipients with a message similar to the ones below:
Your [financial institution name] credit card beginning with 5353 has been used to make an online purchase of $1450. If you do not believe you have made a purchase, please visit www.boguswebsitename.com.au (where the user will be prompted to enter information to negate the purchase)
OR
Notice – this is an automated message from [Bank Name]; your ATM card has been suspended. To reactivate please call 80## #### and follow the prompts
Ultimately, the hacker is trying to get your personal information and is working on the basis that a percentage of people will not think before entering their data. Be wary of such scams. If you receive a message you are unsure of, always call the official company customer support line rather than interacting with the message.
3. Man in the Mailbox
In September this year, the Godai Group released a White Paper which reported on a practice being used increasingly by hackers to gain access to personal information. Two researchers showed how the existing practice of “domain typo squatting” (hackers obtaining URLs which are similar in spelling to legitimate sites and embedding malware on the site for all visitors who arrive there by mistake) had evolved, and how obtaining domains which are near-identical to popular domains (Doppelganger Domains) could be used to capture sensitive information exchanged over email without the intrusion being detected. They named the practice “Man in the Mailbox”.
The practice exploits human error and oversight. The researchers showed that, by obtaining a doppelganger domain, emails intended for a legitimate recipient could be intercepted, and how a doppelganger email address could be used to harvest (phish) company-sensitive information.
In simple terms, the two researchers showed that by purchasing 30 misspelt domain names for prominent US companies they could intercept email easily. Whenever an email was sent by a third party to one of the misspelt company domains, the researchers could successfully intercept it. With some simple coding, the researchers showed how easy it was to minimise detection by passing on all emails received ‘accidentally’ to the intended recipient. This image taken from their white paper shows how easy it is.
Quite simply, an attacker could purchase both uscompany.com and rubank.com (the doppelgangers of us.company.com and ru.bank.com, the two subdomains in the researchers’ example), allowing him to capture email sent to the mistyped domains and establish a chain of communication with himself in the middle. As the researchers stated:
“Most likely, the recipient at the ru.bank.com address will be unaware that the email sourced from a Doppelganger Domain. The ru.bank.com user will then reply to the Doppelganger Domain email address, with the pertinent information we requested”
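A mail gateway or SIEM rule can catch both the whaling case (a sender domain that is one character off the real one) and the doppelganger case (a subdomain with its dot dropped) by comparing every inbound sender domain against the domains the organisation trusts. The following is an added example written for this post, not code from the Godai Group paper or from the blog; the trusted domains, the sample From headers and the domain names in them are all constructed for illustration, and the classification labels are this example’s own.

```python
"""Flag inbound sender domains that look like, but are not, domains we trust.

Constructed example: TRUSTED_DOMAINS and SAMPLE_FROM_HEADERS are made up.
Two checks are applied, in order:
  1. doppelganger: a trusted subdomain with one dot dropped (ru.bank.com -> rubank.com)
  2. lookalike:    registrable part within Levenshtein distance 1 (company.com -> c0mpany.com)
"""
from __future__ import annotations

from email.utils import parseaddr

# Domains this organisation and its partners legitimately send from (constructed).
TRUSTED_DOMAINS = {"company.com", "us.company.com", "bank.com", "ru.bank.com"}


def dot_dropped_variants(domain: str) -> set[str]:
    """Doppelgangers of `domain` formed by merging two adjacent labels.

    Only variants that keep the original top-level domain are returned,
    because 'ru.bankcom' is not registrable whereas 'rubank.com' is.
    """
    labels = domain.split(".")
    tld = labels[-1]
    variants = set()
    for i in range(len(labels) - 1):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        candidate = ".".join(merged)
        if candidate.endswith("." + tld):
            variants.add(candidate)
    return variants


def doppelgangers_to_watch(trusted: set[str] = TRUSTED_DOMAINS) -> set[str]:
    """Every dot-dropped variant of every trusted domain: the list to monitor."""
    watch: set[str] = set()
    for domain in trusted:
        watch |= dot_dropped_variants(domain)
    return watch


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels, e.g. 'us.company.com' -> 'company.com' (public-suffix rules ignored)."""
    return ".".join(domain.split(".")[-2:])


def sender_domain(from_header: str) -> str:
    """Domain part of a From header such as 'CEO <ceo@company.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(domain: str, trusted: set[str] = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'doppelganger', 'lookalike' or 'unknown' for a sender domain."""
    if domain in trusted:
        return "trusted"
    if domain in doppelgangers_to_watch(trusted):
        return "doppelganger"
    for t in trusted:
        if levenshtein(registrable(domain), registrable(t)) == 1:
            return "lookalike"
    return "unknown"


# Constructed sample From headers, as a gateway would see them.
SAMPLE_FROM_HEADERS = [
    "Legal Dept <counsel@company.com>",
    "Accounts <ap@rubank.com>",
    "CEO <ceo@c0mpany.com>",
    "Vendor <sales@othervendor.example>",
]


def scan(headers: list[str], trusted: set[str] = TRUSTED_DOMAINS) -> list[tuple[str, str]]:
    """Classify each header; anything other than 'trusted'/'unknown' deserves a closer look."""
    return [(h, classify(sender_domain(h), trusted)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:12s} {header}")
```

The same variant list applies in the other direction: the interception the researchers demonstrated starts with your own staff mistyping a partner’s domain, so checking outbound recipient domains against `doppelgangers_to_watch()` (or registering those names yourself) covers that side, while the inbound check above catches the reply-phishing and whaling emails that come back.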
4. Smartphone Malware
Smartphone malware is hardly a new concept, but the tools being used by hackers to crack smartphones are new and more clever than ever. As apps developed for phones become more platform-neutral (able to operate on Android, Windows 7 etc. and able to run HTML, XML, Flash etc.), there is an increased likelihood that web-based worms will rise up and become more of an issue as the hosts they can spread to become more numerous.
The SpyEye hacker application is but one example. SpyEye seeks to intercept bank-issued SMS codes (for the purposes of online banking) and redirect them to the hacker without the knowledge of the phone’s owner. SpyEye is often installed unknowingly by a user when they download other apps. Quite often it sits dormant, waiting for the right flags to be triggered before engaging. Infosecland.com recently reported that:
“SpyEye is known to be one of the more powerful data-sniffing Trojans ever developed, and the release of the source code means the likelihood that there will be a dramatic increase in its application is a very real scenario”
5. Remote Systems Hacking
During the Black Hat and Defcon conferences held in America in August this year, presenters were able to demonstrate a couple of disturbing attack scenarios. Unlike the threats posed above, this one doesn’t seek to harvest sensitive data, but rather puts your security and potentially personal safety at risk.
In one quite blood-chilling scenario, researchers demonstrated how easy it was to use SMS commands to control on-board computers in a car, and thereby get it to lock/unlock the doors and even remotely start it. Whilst the researchers were not able to show other elements of the car’s operation controlled via SMS, it seems only logical that in due course other embedded devices controlled by the on-board computer, such as airbags, power seats, windows, ABS, cruise control and GPS, could all be hacked.
The implications do not stop there however. Home and office automation systems are also on the rise. It would be therefore entirely plausible to make the small leap from controlling car systems to being able to disable security systems, control lighting and air conditioning and any other elements controlled from one source.
6. E-wallet pick pocketing
Near field communication is being embedded into more and more elements of our lives, from credit and debit cards through to newer smartphones which are being released in the Northern Hemisphere. In terms of smartphones, what this will mean is increased use of e-wallets by consumers as part of their everyday lives. PINs, passwords, account details and other sensitive information will all be housed on the one device.
What you can therefore bank on is that cyber-criminals will be eager to follow this increasing trend and take steps to intercept this valuable data flow. How they will do it is yet to be seen; however, rest assured that if there is a way to be found, it will be the hackers who find it.
Final Take out
As with all things digital, the best thing you can do to protect yourself is be vigilant, be aware of new threats and ensure that your office has up-to-date anti-malware and anti-spam technologies in place. Not only will an anti-malware platform protect you and warn you about dubious sites, but a good anti-spam platform will eradicate spam, malware and phishing emails even before they get to you.
Lastly, make sure you question everything. If you are unsure of an email, an SMS or something doesn’t look right, pick up the phone, call the organisation and find out the truth; it’s the best way to protect yourself.