New Zealand Listener

Hacking the human

If you thought cybercrime was mostly about skilled hackers finagling their way through complex firewalls, think again. Most scams involve people being manipulated or blackmailed into handing over their cash.

- By Peter Griffin

As online shakedowns go, the Black Friday sneaker scam wasn’t all that sophisticated. Numerous Instagram accounts appeared in the lead-up to the busiest shopping day of the year in the US, which is held in November on the Friday after Thanksgiving, advertising hard-to-find or custom-made sneakers at heavily discounted prices. To buy the sneakers, Instagram users had to send a direct message to the seller and, after some back and forth, were forwarded a link to an online payment platform to transfer the cash.

Collecting limited-edition sneakers is an expensive hobby that first took off in the US, but, like Black Friday itself, the craze has caught on here and people will queue on the street overnight to be first in line to buy a $400 pair of Yeezys, the collectable range of sneakers from rapper Kanye West.

You can guess what happened to those Instagram shoppers. The sneakers never turned up. Those who messaged complaints or requests for refunds were blocked by the seller and the accounts were eventually shut down, the anonymous scammer free to fleece sneaker collectors in the next dodgy sale.

The key to the scam working is payment systems such as Cash App, Venmo and Facebook Pay. These mobile-phone, app-based services are designed to let friends quickly transfer money to each other – a legitimate vendor typically wouldn’t use them to take payments.

The social-engineering scammers exploit human psychology, rather than technical hacking techniques, to get what they want.

Faced with incredible prices, legitimate-looking product photos, a time-limited sale and claims of “extremely limited stock”, hundreds of sneaker buyers in the US and Canada were sucked into the rort.

US shoppers spent US$7.4 billion ($11.5 billion) online during the Black Friday sales period. You could argue that the event, which has been embraced by local retailers to kick off their Christmas sale season, is a scam in itself – the grim face of consumerist excess. But the cost of Black Friday cybercrime won’t be totted up until well into the new year and is likely to be in the tens of millions of dollars.

THE WEAKEST LINK

Hackers and scammers have always targeted people as the weakest link in cyber defences. But as security systems in digital networks, websites and applications become harder to crack, cybercrims are having to rely on ever more sophisticated ploys aimed at people to get the money or information they want.

“For the past few years, attacks have been focusing on people, not infrastructure,” Crispin Kerr, Australia and New Zealand manager at security firm Proofpoint, told a cyber-security conference in Wellington in October.

“The attackers are getting the people they are targeting to do the work for them.”

The simplest kind of attack, says Kerr, involves email fraud, which the FBI estimates has cost US companies US$26 billion ($40 billion) since 2016.

You might receive an email that appears to come from a well-known company or even a colleague in the firm you work at. It will have the familiar logo and be sent from an address very close to the real company name. A “phishing” scam that hit our shores recently tried to get Apple device users to log on to a website to verify their Apple ID credentials, such as username, password and even credit-card details.

On closer inspection, the web address users were sent to was applsigninaccount.com, with the “e” from Apple missing.
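One way a mail filter could flag the lookalike address described above, as an added example (not code from the article or from Proofpoint): it compares the registrable label of a link's host against a list of protected brands using Levenshtein distance, so the domain with the missing “e” scores as a one-edit near miss of the brand. The brand list, the sample URLs and the assumption of a one-label public suffix such as .com are mine.

```python
from urllib.parse import urlsplit

# Assumption: brands a mail filter wants to protect (constructed list).
BRANDS = ["apple", "paypal", "microsoft", "google"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # delete ca / insert cb / substitute ca with cb
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(url: str) -> str:
    """Second-level label of the host ("applsigninaccount" for the article's URL).
    Assumes a one-label public suffix such as .com; a production filter would
    consult the Public Suffix List instead."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def lookalike_brand(url: str, brands=BRANDS, max_dist: int = 1):
    """Return the brand a domain imitates, or None for a genuine or unrelated one.
    Compared against each brand: the whole label, its hyphen-separated tokens,
    and prefixes one character shorter to one longer than the brand (the last
    is what catches "appl..." with the "e" missing)."""
    label = registrable_label(url)
    if label in brands:
        return None  # the brand's own domain
    for brand in brands:
        candidates = [label, *label.split("-")]
        candidates += [label[:n] for n in (len(brand) - 1, len(brand), len(brand) + 1)]
        for cand in candidates:
            if cand and edit_distance(cand, brand) <= max_dist:
                return brand
    return None
```

Edit-distance checks of this kind produce false positives on ordinary words, so a filter would use the result to warn or quarantine for review rather than to block outright.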

“What is perhaps the most depressing thing about the landscape today is just how spectacularly we’ve seen the rise of spoof emails,” says Kerr. “It’s an attack that doesn’t require any kind of malware or payload whatsoever.”

Instead, it taps into human psychology, adding cues to fool enough email recipients into parting with valuable information. Send 10,000 emails and you might suck in 20 people, which is enough to make the scam worth perpetrating.

SCAMS IN THE WORKPLACE

Alison Moore has seen all manner of scam attempts. As the IT manager at a large New Zealand media company, it is her job to keep the network and email accounts of 265 employees secure.

It is a job that is getting more difficult by the day. In the first two months of the year alone, employees sent out 139,000 emails and received 1.13 million.

“Of those received, over 10% had some sort of corruption to them that was dangerous to our system,” says Moore.

It is the same for most medium and large companies – a deluge of email, much of it filtered out automatically by email scanning software.

“What we look for are things like unusual email attachments, malware and code from spambots running in the background,” says Moore. “If you come into the office in the morning and you’ve got 150 emails, you’re going through them very, very quickly and you might click on one that you shouldn’t. Six out of 10 times, it’s something that a user’s done that’s going to create the problem.”

The inability of email scanning to catch every malevolent message and the security threats posed by phones, text messages and devices brought onto the premises have resulted in Moore’s company implementing security training for every employee.

These days, most professionals have a profile on LinkedIn, the Microsoft-owned social network that has become the default online CV for millions of people. But it is also used by cybercriminals to harvest details for scam emails.

“We’ve had emails come to our head of payroll, supposedly from an employee,” says Moore. “They say, ‘Could you change my direct debit details, I’ve moved bank accounts, here’s my new information.’ It is completely fake.”

LOCKING DOWN IDENTITY

Applying multi-factor authentication to employees’ email addresses and log-in details can thwart attempts to use compromised credentials. Built into email systems such as Outlook and Gmail, it works by requiring the user to authenticate their identity using a method other than entering their password.

It can involve signing in via an app on your mobile or entering a code text messaged to you. Increasingly, biometrics are being employed – fingerprint and facial recognition on phones and laptops – to reduce reliance on passwords.

The scam that comes into its own during the festive season is the courier-company phishing attack.

Kerr and other security experts look forward to a password-free world, given the inherent weaknesses in people choosing a password that is easy to remember. If it is memorable, it might be easy to crack.

According to the Government’s Computer Emergency Response Team (CERT), reported cybercrime incidents increased 205% between 2017 and 2018. The cost of reported incidents was put at $14 million last year, with scams and fraud making up $8 million. Government-funded not-for-profit Netsafe put the number even higher.

CERT was set up in 2017 to mirror centres in other countries established to tackle the rising tide of cybercrime. It received a funding boost in this year’s Budget.

CERT’s director, Rob Pope, says the threat categories are “pretty consistent” – scams and fraud, phishing and credential harvesting and unauthorised access.

THE BIG DATA BREACH

The big trend internationally is the rise in data breaches. They happen with alarming frequency and have seen credentials for millions of people stolen from the systems of Yahoo, Marriott, Adobe, Dropbox and many others.

“Often this data is then sold or published freely online,” says Pope. “Once this happens, any number of attackers can use this information to target people for future attacks.”

Most of the measures we can take to be safer online are little things such as making sure you use a different password on each account.

Data breaches feed one of the fastest-growing scams – extortion emails, in particular, webcam blackmail emails – which CERT reports increased 28% between July and September.

From top, Rob Pope, Alison Moore and Crispin Kerr.

Cool kicks: rapper and designer Kanye West and his wife, Kim Kardashian West, top; Yeezy sneakers.
