[BreachExchange] Yes, Nonprofits Get Scammed, Too

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 17 18:36:09 EDT 2016


http://www.nten.org/article/nonprofit-scam-security/

Security is serious business for nonprofits. Not only do they need to
protect themselves from attacks, but they have a responsibility to protect
sensitive client and donor data. There are many protocols you can establish
to protect your organization, but the first step starts with individual
people.

While the technology we depend on has changed over the years, people’s
social behavior hasn’t. This leaves us at risk of having our goodwill
exploited. In security circles we call this scheming activity “social
engineering.” It’s an attempt to acquire sensitive information for
malicious reasons through deception.

An act of social engineering starts with a lie. The lie doesn’t have to be
outright; often it’s easier if the lie has a grain of truth. The best
social engineering attempts will frame a thread of misinformation within a
jumble of truth. It’s not a matter of if, but when a fraudster will target
you or your organization. There are a variety of tactics, so I will focus
on three of the most common: phishing, pretexting, and baiting.

Phishing

In a March 2016 article in SC Magazine, a payroll employee at Pivotal
Software received an email from CEO Rob Mee asking them for tax information
on employees. Not realizing something was wrong, the employee replied with
the W-2 information for an unknown number of employees. As you might guess
from the title of this article, it was not, in fact, Rob Mee that sent the
email.

Phishing (pronounced “fishing”) seeks sensitive information through a
deceptive email that masquerades as a trustworthy source. Typically, this
is a wide-net activity: the more people an attacker approaches, the more
likely they are to find a victim. If the net is wide enough, even a .01%
response rate can be productive. A great example is the common “Nigerian
Prince” emails. These scams, known as Advance Fee or 419 scams, have been
around in one form or another since the 1920s. They work by convincing
their target that they will receive a large payoff in return for providing
the would-be fraudster with a “small” amount of funds, sometimes several
payments. The fraudster will then make up excuse after excuse and draw out
the interaction until the target refuses to give any further money—at which
point the fraudster will disappear along with the money, never to be heard
from again.

We now see these same tactics employed to convince users to download files
or attachments which contain malware (in the best case) or ransomware that
encrypts your files and demands payment in the form of bitcoins before it
will decrypt the files again. For those who do not back up their systems to
an external device on a regular basis, this can be devastating.

The events at Pivotal are an example of a more targeted attack called spear
phishing. This type of attack is characterized as a more personalized
attack directed at specific individuals, groups, or companies. Whaling is
another form of phishing directed at executives and other high-value
targets. These attacks often appear in the form of a legal subpoena,
customer complaint, or executive issue. In both spear phishing and whaling,
the attacker will often spend a great amount of time doing research on
their target in order to craft a believable attack that is harder to
identify.

Pretexting

“I’m really sorry to bother you, but I’m running really late for my
appointment with the Head of Marketing, and I managed to leave my laptop at
home with the client list! He’s really counting on me here—can you forward
me a copy?”

Pretexting is creating an invented scenario which engages a target to act
in a way they otherwise wouldn’t. To make their scenario more believable,
an attacker will often play on their target’s sympathy by crying down the
phone, admitting something embarrassing, or telling someone about just how
terrible their day has been. The attacks involve a lot of prior research so
the attacker sounds as natural as possible and can think on their feet
while interacting with their target. Smaller acts of pretexting are often
used to gather information as part of a larger attack and are favored by
identity thieves.

Other examples include the “Microsoft phone scam” where the attacker calls
claiming to be from Microsoft, saying that your PC has a virus, and that
they can help you over the phone. These calls often end with the attacker
asking their target to download malicious software onto their computer.
Similarly, in the “Grandparent scam” the attacker calls claiming to be a
grandchild or other relative stranded abroad and in need of money. Because
these attacks play on victims’ fears and ask for immediate action, they are
often believable to those who are less tech savvy.

Baiting

“Aw sweet, free USB drive!”

The modern-day Trojan horse. Have you ever found a USB drive on the ground and
wondered what treasures it might hold? Or more likely, you’ve needed to
access your email urgently and connected to a Wi-Fi hotspot you didn’t
verify first. This attack is all about putting a carrot out and waiting for
someone to take it. The USB is infected or a hacker is snooping your web
traffic on their Wi-Fi. This is often seen online in the form of free music
or movie download advertisements. These adverts will often ask that the
victim create an account asking for personal information or the file itself
is malware. Baiting is also being seen with phones via cell tower spoofing,
meaning a third party could be looking at your call, text, and mobile data
in real time without your being aware.

Protecting yourself

While these attacks seem complex and distinct, they all have commonalities
based in simple deception. Awareness and vigilance will go a long way
towards protecting yourself.

Phishing attacks can be combated in a variety of ways:

- Verify the source. If you receive a weird email, call the person who
  supposedly sent it and confirm it was them.
- Did your bank email you to ask for updated details? Don’t click on the link
  in the email; use a search engine to navigate to the website yourself and
  log in through secure means. Hovering your mouse over a link will often
  display the link address (at the bottom of your browser), which makes it
  easier to confirm its validity.
- Look for spelling errors or strange grammar. Attackers often purposely
  include such mistakes to weed out less gullible targets and make things a
  little easier for themselves.
- Distrust emails which demand immediate action. If it’s important, it’s
  likely you would have been contacted by phone or text.
- A company that deals with you should know your name. Emails addressed to
  Dear Customer, Valued Client, etc. are likely fraudulent.
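The hover check, the generic greeting and the demand for immediate action described above can be turned into a simple automated screen. The following is an added example written for this page, not code from the original article or from NTEN: it parses two constructed messages (the domains use the reserved .example and .invalid suffixes and are assumptions, not real senders), compares each link's visible text with the host it really points to, and reports the other two indicators alongside it.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): generic greeting, urgency wording,
# and a link whose visible text does not match its real destination.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.invalid>
To: donor-relations@nonprofit.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Valued Customer,</p>
<p>Your account will be suspended unless you act immediately.</p>
<p><a href="http://examp1e-bank-login.invalid/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed benign sample: named recipient, no urgency, link text matches href.
BENIGN_EMAIL = """\
From: "Maria Lopez" <maria@nonprofit.example>
To: donor-relations@nonprofit.example
Subject: Agenda for Thursday's board meeting
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Dana,</p>
<p>The draft agenda is on the intranet:
<a href="https://intranet.nonprofit.example/board/agenda">https://intranet.nonprofit.example/board/agenda</a></p>
</body></html>
"""

GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:valued\s+)?(?:customer|client|user|member|account holder)\b", re.I)
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|within 24 hours|suspended|act now)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs: the two things a hover check compares."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain, lowercased."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Naive registrable domain (last two labels); real code would use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_email(raw):
    """Return human-readable phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    # Strip tags so the greeting and urgency checks see the text a reader sees.
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    findings = []
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting instead of your name")
    urgent = sorted({m.lower() for m in URGENCY.findall(text)})
    if urgent:
        findings.append("pressure to act immediately: " + ", ".join(urgent))
    collector = AnchorCollector()
    collector.feed(body)
    for href, shown in collector.anchors:
        # The automated form of hovering: does the shown address match the real one?
        if LOOKS_LIKE_URL.match(shown) and registrable(host_of(shown)) != registrable(host_of(href)):
            findings.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze_email(raw) or ["no indicators"])
```

The link comparison is the strongest of the three signals; the greeting and urgency patterns are keyword lists that a careful attacker can avoid, so treat a match as a reason to verify the sender out of band, not as proof either way.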

Pretexting is often difficult to spot right away, due to the creative
nature of the act:

- Being polite but suspicious will help. If something seems off, or someone
  seems too nosy, don’t be afraid to ask questions.
- If a deal seems too good to be true, it probably is.
- Whenever possible, verify odd requests from a third source. If your bank
  calls you to discuss your account but requires you to confirm personal
  information first, call them back on a known good number or visit in
  person at a local branch.

Avoiding baiting attacks is relatively easy:

- If you wouldn’t pick something up and put it in your mouth, don’t pick it
  up and put it in your computer!
- Remember that nothing in life is free. If you are not paying for the
  product, then you are the product.

Lastly, while it won’t directly protect you, talk to your friends, family,
and coworkers about the dangers of social engineering. Social engineering
education doesn’t have to be formal to be effective.

With social engineering, you can’t avoid being a target, but you can avoid
being a victim. Awareness and personal vigilance make all the difference.