
posted by Fnord666 on Tuesday August 20 2019, @05:54PM
from the do-you-have-a-phishing-license? dept.

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything – especially given how phishing emails can be so highly tailored towards victims, meaning it can be almost impossible to distinguish a real message from a spoofed one created as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

[...] "There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

[...] "There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then making not life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.


  • (Score: 4, Insightful) by AthanasiusKircher on Tuesday August 20 2019, @06:31PM (7 children)

    by AthanasiusKircher (5291) on Tuesday August 20 2019, @06:31PM (#882715) Journal

    A corporate email system should flag EXTERNAL emails to alert internal users that this email comes from an outside source.

    Indeed. This is the most significant thing. I worked for an institution a few years back where someone in the finance office received emails that appeared to come from one of the top administrative officers at the institution, ultimately requesting a wire. Luckily someone there said, "Huh -- we don't usually wire money this way" and asked questions before executing the order. Point is that the email address was spoofed, but the server it came from was wrong, which should have led to a red flag. But no one would know that unless they look at the email headers, or have something to flag such emails.

    To respond to one other thing in TFS:

    This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.

    Uh, why not just say, "I'll need to call you back at the number I know is at your official website. Do you have an extension or a way to direct me to get to you using that number? I'm not giving my personal info out on the phone to a random caller until I verify who I'm talking to first."

    I frankly don't ever remember any company calling me out of the blue and then asking ME to verify who I am. They have my number; they should assume they're talking to the right person. But if I did have that scenario, I'd do as I mentioned above.

  • (Score: 2) by vux984 on Tuesday August 20 2019, @07:42PM (6 children)

    by vux984 (5045) on Tuesday August 20 2019, @07:42PM (#882747)

    You should always be able to accept / reject mail claiming to be from your own domain. This is what DKIM and SPF are good for. It doesn't help you if it's an "almost spoof" though...

    If you are john@fishco.com and someone sends a fully and properly SPF and DKIM secured message from john@FlSHCO.com, you'll never catch it automatically. If you want to stop wire-fraud scams, you need a clear and well-communicated policy on authorizing wire transfers.

    "Uh, why not just say, 'I'll need to call you back at the number I know is at your official website. Do you have an extension or a way to direct me to get to you using that number? I'm not giving my personal info out on the phone to a random caller until I verify who I'm talking to first.'"

    It's good advice, but you are relying on the victim to be sufficiently untrusting and wary. And everyone has to get on board, stoners, the elderly, everyone... or someone still falls for it.

    "I frankly don't ever remember any company calling me out of the blue and then asking ME to verify who I am. They have my number; they should assume they're talking to the right person. But if I did have that scenario, I'd do as I mentioned above."

    It's happened to me several times; I wouldn't say it's common, but it definitely happens. I think on the whole companies are getting better, but even if they never did it, the scammers would keep on because people would still fall for it.
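The "almost spoof" described in the comment above, as an added example that is not part of the thread: a small gateway-side check that tags inbound mail as internal, external, or a lookalike of one of the organisation's own domains. The local-domain set (fishco.com and fishco.co.uk), the confusable-character table and the sample addresses are all constructed for this example; a production filter would use the Unicode confusables data and the Public Suffix List instead of the short tables here.

```python
"""Inbound-mail classification: internal, external, or lookalike domain.

Added example (not from the SoylentNews thread). It models the "almost spoof"
john@FlSHCO.com, which passes SPF and DKIM for its own domain, so only a
comparison against the domains the organisation really owns can catch it.
The local-domain set, the confusable table and all sample addresses below
are constructed for this example.
"""
import re

# Domains the organisation actually owns (constructed for the example).
LOCAL_DOMAINS = {"fishco.com", "fishco.co.uk"}

# Characters and pairs that render almost identically in common fonts; each
# key is folded onto a canonical form before comparison (constructed table,
# not the Unicode confusables list a production filter would use).
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",   # two-letter pairs
    "l": "i", "1": "i", "|": "i",      # l, 1 and | pass for I
    "0": "o", "5": "s",
}

def skeleton(domain: str) -> str:
    """Fold a domain so that visually similar spellings collide."""
    s = domain.lower()
    # Longest keys first so a single-character rule cannot split a pair.
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(src, CONFUSABLES[src])
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch dropped or doubled letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for an address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain in LOCAL_DOMAINS:
        return "internal"
    for local in LOCAL_DOMAINS:
        if skeleton(domain) == skeleton(local) or edit_distance(domain, local) <= 1:
            return "lookalike"
    return "external"

def tag_subject(address: str, subject: str) -> str:
    """Prefix the subject the way an external-mail banner rule would."""
    kind = classify_sender(address)
    if kind == "internal":
        return subject
    if kind == "lookalike":
        return f"[LOOKALIKE DOMAIN] {subject}"
    return f"[EXTERNAL] {subject}"

if __name__ == "__main__":
    for addr in ("john@fishco.com", "john@FlSHCO.com", "john@fishc0.com",
                 "john@fishco.co", "alice@example.org"):
        print(f"{addr:22} -> {tag_subject(addr, 'Urgent wire request')}")
```

The skeleton comparison is the part SPF and DKIM cannot supply: they only say that FlSHCO.com is really FlSHCO.com, not that it should not exist. Comparing against the domains you actually own is what raises the flag, and the subject tag gives the finance office the prompt that the commenter's colleague above had to provide by hand.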

    • (Score: 2) by vux984 on Wednesday August 21 2019, @12:04AM (1 child)

      by vux984 (5045) on Wednesday August 21 2019, @12:04AM (#882866)

      Today I got hit with another Microsoft tech support scam call... with a new angle. This one was claiming I was owed a refund for the Microsoft technical support services because the government ordered them to shut it down. ... blah blah blah, going to credit card/bank information, whatever.

      Nobody savvy is going to fall for this, but the uninformed will. I'm kind of impressed really that they've taken negative news coverage of their own scam tactics and are leveraging that to bolster the credibility of this new scam.

      Some poor sap who isn't really following along is still going to have seen talking heads on the news and headlines in the paper or whatever about Microsoft tech support scams and that they are illegal etc, and without a finer appreciation for the details could well believe that the last computer they bought had a Microsoft technical support surcharge on it that Microsoft now has to refund them or something... 'they even heard something about that in the news' right? so it must be true!

      • (Score: 2) by DannyB on Wednesday August 21 2019, @03:05PM

        by DannyB (5839) Subscriber Badge on Wednesday August 21 2019, @03:05PM (#883159) Journal

        Nobody savvy is going to fall for this, but the uninformed will.

        The greedy will fall for it. Even if they are savvy. Their greed will override their logic and any ability to be skeptical.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 2) by AthanasiusKircher on Wednesday August 21 2019, @12:18AM (1 child)

      by AthanasiusKircher (5291) on Wednesday August 21 2019, @12:18AM (#882871) Journal

      It's good advice, but you are relying on the victim to be sufficiently un-trusting and wary. And everyone has to get on board, stoners, the elderly, everyone... or someone still falls for it.

      What's your solution then? It's fine to complain about imperfect ones, but do you have something better?

      Because I don't think there is really one if people are freely allowed to make phone calls in a society. Sure, there are efforts to cut down on spam calls now (and we should try that), but that will never stop all scammers. I remember my grandmother getting scam calls 30 years ago. I also remember a scamming salesman coming to her door even longer ago than that. Scams are nothing new, and if you get rid of one form of it, scammers will try a different one.

      I don't really know why anyone would give ANYONE personal information upon request, unless they had a specific need for it. I've been to stores in the past decade that will ring my purchases up at the register and say, "Can I get your phone number?" I simply say, "No." Usually it causes them to look up in slight surprise, because I'm not impolite about it, but I'm also quite blunt. "Well, can I get an email?" "No." "Can I have your ZIP code?" "No." "Sir, our system just requires me to enter..." At that point, if I'm buying an item I can easily get elsewhere, I often just say, "Never mind. I'll go somewhere that doesn't need my complete biography in order to sell me a lightbulb. Thank you," and leave. If I really just want to make the purchase, I'll just say, "Well, I'll give you a fake ZIP code." And usually the clerk is just happy to accept it.

      Similarly, many websites ask for all sorts of personal info for no apparent reason to sign up or register or whatever. I'm not giving them any personal information. If I'm making a purchase and they need to verify my payment address and phone number, I'll enter it then, but short of that, nobody gets my personal data. You want a birthday? I'll give you a fake one. You want my address? I'll give you a fake one. I have a few I use regularly for these situations, so if I'm ever asked again, I can guess what it was. You want an email? I'll give you a fake one, unless you need a confirmation to let me use your page, in which case I'll give you my spam email account that I never check except to establish those sorts of accounts.

      So, some random person calls you on the phone and starts asking you for personal information? Why the hell would you give it to them? I don't give it to ANYONE unless it's really necessary. (E.g., I have an established business relationship, and *I* made the contact. Or I am trying to establish an ongoing business relationship that requires such information.)

      Honestly, kids should be taught this from an early age. Elderly people likely have encountered scammers at some point in their lives, but if they've become gullible or unfamiliar with novel types of scams, they just need to be told not to give out any information to anyone who asks unless they made the contact themselves. If they can't do that, they need to have limited telephone access (keeping outgoing calls for emergencies, but screening incoming), or perhaps even live-in help. Just like children who aren't aware enough of scams, the elderly need assistance and watching. If you have another solution, we're all ears.

      • (Score: 2) by vux984 on Wednesday August 21 2019, @03:42AM

        by vux984 (5045) on Wednesday August 21 2019, @03:42AM (#882942)

        "What's your solution then?"

        I agree there isn't a solution. You can't fix stupid.

        But I do think fixing caller ID properly would go a long way.
        - Don't let people generate numbers at will en masse that have no bearing on reality, and spoof numbers that don't belong to them.
        - Local numbers belong to entities within the country. Telcos should know who is using what numbers, and enforce validation before letting a number through.
        - Give people the tools to block them / report them. If I get a spam call claiming to be a number from inside the US, the caller ID should be traceable back to a US entity that's responsible for knowing who is making calls with that number, and taking responsibility for what their customers do (e.g. cut service).
        - Show true call origin information. If the connection is coming from India then that should be made known. If they are 'proxying' through a US forwarder so it looks like it's coming from the US, fine, but then see the point immediately above.

        You also had a good idea.
        - Provide inexpensive call screening to all customers, or even build it into basic services, or free if you are over 65. Really, how many people call my grandmother?? A handful of friends and family members who would rapidly have their numbers whitelisted, and then everything else goes to a professional reception service that screens calls, manages whitelisting, and then connects people -- even offering a short introduction/warning prior to connecting and staying on the call for a minute or two. Major utilities and services could register their call-out numbers for whitelisting in advance. Local businesses that generate a lot of calls out -- dentist appointment reminders, carpet installers, etc. -- could register to be whitelisted locally or whatever, etc.

        So most legit calls wouldn't need interaction. With all that in place, human screeners would only need to be involved in exceptional cases -- family checking in on grandma from a hotel in Bangladesh or a payphone in Florida; and a couple of bucks on your monthly bill would cover that.

        Hell... if the incoming call isn't whitelisted, the caller pays 25 cents before connecting. With all the above in place, you might not even need human screeners -- simply charging suspicious callers ought to ruin the economics of mass-robodialing for victims. Worried about scammers stealing someone's phone service and using it to mass call? Default to a $2/month suspicious call limit, at which point you need to call customer service to authorize increasing it. So a stolen phone service is good for 8 calls.

        There isn't a single good reason this stuff can't be done.

    • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @07:02AM (1 child)

      by Anonymous Coward on Wednesday August 21 2019, @07:02AM (#883001)

      if you are john@fishco.com and someone sends a fully and properly SPF and DKIM secured message from john@FlSHCO.com you'll never catch it automatically

      Huh? Why not? If you have a proper mail setup in place, you already have separated your user-facing MTAs (inside) from the Internet-facing MTAs (outside). That means e-mails from inside fishco.com should never be routed through the outside MTA unless coming from inside. You can, and should, have a spam rule in place to flag local domains coming from the outside interface.

      • (Score: 2) by vux984 on Wednesday August 21 2019, @05:14PM

        by vux984 (5045) on Wednesday August 21 2019, @05:14PM (#883231)

        "You can, and should, have a spam rule in place to flag local domains coming from the outside interface."

        john@FlSHCO.COM is not a local domain. The l is a lowercase L, so it's really john@FLSHCO.COM.

        What spam rule would you have in place to flag a message that properly passes SPF and DKIM for FLSHCO.COM, an external domain coming from the external interface??

        "Why not? If you have a proper mail setup in place, you already have separated your user-facing MTAs (inside) from the Internet-facing MTAs (outside)."

        You also don't really need this if you have SPF and DKIM/DMARC set up. Instead of a spam rule flagging local domains from the outside interface, you publish a DMARC reject policy. At that point someone trying to spoof your headers would be caught and rejected because it lacked the signatures. It's actually a better solution because someone trying to spoof email as coming from you and sending to a 3rd party also gets rejected: if the 3rd party is checking DMARC policy, they'll see that it's not signed properly and that your domain policy says to reject it if it's not signed.

        There's not really much advantage to the layout you've described, but there's certainly no harm in it as a second layer -- defense in depth is impossible to criticize.
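The DMARC argument in the reply above, together with the earlier suggestion of a spam rule that flags local domains arriving on the outside interface, as an added example that is not part of the thread: a receiver-side DMARC evaluation showing why a From: header claiming fishco.com with no aligned SPF pass or DKIM signature is rejected wherever it lands, and why the lookalike FlSHCO.com, authenticating for itself, is not. The _dmarc records, the authentication results and the domains are constructed for this example, and the organizational-domain step is simplified to the last two labels rather than the Public Suffix List a real receiver consults.

```python
"""Receiver-side DMARC evaluation (RFC 7489 logic, simplified).

Added example, not code from the thread or from any mail server. The
_dmarc TXT records, the authentication results and the domains are all
constructed for this example.
"""
from dataclasses import dataclass, field

# Stand-in for the _dmarc.<domain> TXT lookup (constructed records).
DMARC_RECORDS = {
    "fishco.com": "v=DMARC1; p=reject; adkim=s; aspf=s",  # strict alignment
    "example.com": "v=DMARC1; p=quarantine",             # relaxed (default)
    "flshco.com": "v=DMARC1; p=none",                    # lookalike's own policy
}

@dataclass
class AuthResults:
    """What the receiving MTA has already established for one message."""
    header_from: str                 # domain of the RFC 5322 From: header
    spf_result: str                  # "pass", "fail" or "none"
    spf_domain: str                  # RFC 5321 MAIL FROM domain SPF checked
    dkim_passes: list = field(default_factory=list)  # d= of valid signatures

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same
    organizational domain."""
    a, h = auth_domain.lower(), header_from.lower()
    if mode == "s":
        return a == h
    return organizational_domain(a) == organizational_domain(h)

def evaluate_dmarc(r: AuthResults) -> str:
    """Return 'pass', 'no-policy', or the disposition the domain requested."""
    record = DMARC_RECORDS.get(r.header_from.lower())
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    dkim_ok = any(aligned(d, r.header_from, tags.get("adkim", "r"))
                  for d in r.dkim_passes)
    spf_ok = (r.spf_result == "pass"
              and aligned(r.spf_domain, r.header_from, tags.get("aspf", "r")))
    if dkim_ok or spf_ok:
        return "pass"
    return tags.get("p", "none")  # reject / quarantine / none

if __name__ == "__main__":
    cases = {
        "legitimate fishco.com mail":
            AuthResults("fishco.com", "pass", "fishco.com", ["fishco.com"]),
        "spoofed From: fishco.com, no signature":
            AuthResults("fishco.com", "fail", "attacker.example", []),
        "spoofed From: fishco.com, attacker signs for itself":
            AuthResults("fishco.com", "pass", "attacker.example", ["attacker.example"]),
        "lookalike flshco.com authenticating for itself":
            AuthResults("flshco.com", "pass", "flshco.com", ["flshco.com"]),
    }
    for label, res in cases.items():
        print(f"{label:52} -> {evaluate_dmarc(res)}")
```

The second and third cases are the ones the "local domain from the outside interface" rule was meant to catch: with p=reject published, every DMARC-checking receiver, not only fishco.com's own gateway, refuses them, because the attacker's SPF pass and DKIM signature are for attacker.example and do not align with the From: domain. The fourth case is the limit the thread identifies: flshco.com is a different, validly authenticated domain, so DMARC returns pass and only a lookalike check can flag it.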