What you don’t know about cyber crime
Cyber crime happens in waves and when one type of crime is prevalent, you might be inclined to drop your guard against another.You simply can’t afford to do that, writes
We tend to think of phishing in terms of an email or SMS made to look as though it’s from our bank to trick us into revealing our banking credentials. But phishing is much broader and more sinister than that, and unless you’re on your guard, you can easily fall for an attack without realising it.
On average, it takes most victims about eight months to realise they’ve been victimised, whereas it can take a cyber criminal a day, or less, to pull off an attack. This is according to Chris Novak, the director of the investigative response unit at Verizon, an international company that specialises in information security. Novak was one of the speakers at the PCI Cyber Security Conference in Cape Town this week, where he delivered a compelling presentation on the current cyber-breach landscape.
While phishing emails purportedly from banks are still common, “because they are so successful”, he says, there are other more sinister ways of phishing for data.
“We’re seeing attacks that are a combination of threat and extortion. You’ll get a message supposedly from a law enforcement agency, regulatory agency, or Interpol, and it will say, ‘We’ve detected unusual or illegal activity coming from your computer’. They may say they’ve detected someone viewing child pornography, or making threats against another person, or using your computer to steal information or to hack into others.
“They use claims like these to get you nervous and anxious. Then they’ll say, ‘In order to prevent your assets from being seized or frozen by the government, click here and fill out this affidavit’, which will ask you for your personal information. Or they may ask you to install software to allow them to do a quick scan to prove it wasn’t you. People do it and unwittingly install malware,” Novak says.
“We also see people getting notices from what appears to be a shipping or a courier company. The notice will state that they tried to deliver a package to you, but no one was there to receive it, so please click on the attachment to reschedule a delivery date. And that attachment is malware.”
SLOW DOWN
Novak says that most of these attacks start with someone calling on you to answer a question. “You need to slow yourself down for a minute... pause and think: does the person asking me for this really need it? And most of the time they will try to convey a sense of urgency: you need to do this right now, or else bad things will happen. When those are the prompts you’re getting, it’s because they’re trying to get to you, psychologically, so that you will quickly hand over your private information.”
DRIVE-BY DOWNLOAD
For a phishing attack to be fully successful, “generally you have to go one step further than merely opening the email”, Novak says. In other words, you have to click on a link embedded in the email or download an open an attachment.
“When there’s a link embedded in the email, the moment you visit that site, they start installing software on your device, and you don’t even know it. It’s called a ‘drive-by download’. The site doesn’t even have to finish loading on your screen. The first thing it does is install the malware. So there might be a slight pause while it does that. If they [the cyber criminals] were to bring up the site immediately, you might close it before they got the chance to install the malware.”
‘WATERING HOLE’ ATTACK
A more sinister type of attack can happen when you visit innocuous websites that typically attract a lot of traffic from the public looking for information.
“Cyber criminals will hack the site and have it serve out drive-by malware to all visitors to that site,” Novak says. Sites that are commonly targeted are municipal websites.
“When we detect regional infections, it’s usually from an information site that doesn’t collect any interesting data.” So even without you having downloaded anything, your PC or device can get infected. Your only defence from this form of phishing is up-to-date anti-virus software.
But people are complacent about updating software promptly , including anti-virus software, Novak says. “We see it all the time and I know from talking to family and friends. They’ll ask me, ‘Is it worth me paying for another year of anti-virus protection?’
“The fact that they ask means there are probably many more people who will spend that $50 on something else. People think because they haven’t been hit for the last couple of years, they won’t get hit in future.”
It’s like insurance, he says. We tend to think we don’t need it until we suffer a loss. Then we wish we had had it .
IT’S DOWN TO YOU
While it’s imperative that you make sure your software is up to date and that you install security patches promptly, you also have to guard against trusting technology too much, Novak says. When we place all our faith in technology, we may be more inclined to fall for social engineering.
Social engineering is easier than trying to hack through a pass wall, he says. “I’ll just ask you for your information and if you give it to me, it’s like handing me the key to your house and the alarm code. You can have the most sophisticated alarm system in the world, but if I have the key and the code to disarm it, it does you no good.
“I tell people all the time, ‘If someone were to call you on the phone and pretend to be your alarm company and say, ‘I just want to check your alarm is working, what’s your deactivation code?’ are you going to tell them? No. Yet people will do that with bank account passwords and all sorts of other things. If the conversation is fluid enough, they believe who they are talking to, or get caught at a weak moment.”