Nigerian Email Scam, Phishing Attacks & More: Beware of Your Inbox
When we picture a hacker, some of us imagine a person sitting in a dark room, hunched over a brightly lit monitor, typing words into a black-and-white terminal that are incomprehensible to the average person. In our minds, a hacker is a technological whiz-kid who will spend hours until he finds the one vulnerability that grants him access to the system he’s trying to crack.
As usual in such cases, reality can be quite different. While hackers of this sort do exist, they are the elite. These days, most people who exploit vulnerabilities to gain access to a system simply follow previously written scripts they found on Google. They lack the technical knowledge needed to discover vulnerabilities that haven’t already been found, which is why they’re often referred to as “script kiddies.” Furthermore, hackers now commonly employ other methods to carry out an attack. While uncovering vulnerabilities and writing code to exploit them is indeed part of their work, a lot of so-called hacking is actually done through social engineering: the manipulation of victims.
Kevin Mitnick, who at one time was the most wanted computer criminal in the United States, relied heavily on the tactic of social engineering. By calling phone company employees and masquerading as one of their own, he was often able to obtain internal and sometimes even confidential information from them.
Today, social engineering is a highly popular method used by hackers, fraudsters and scammers. Even cyberattacks involving technologically sophisticated elements like Phishing and malware include an aspect of social engineering, and it often plays a pivotal part in the success of the attack. The recent TeslaCrypt ransomware attack is a great example: in a move we had not seen before, the cybercriminals set up a help line to further entangle victims in their scheme, a perfect example of incorporating social engineering.
Here, we’ll look at some of the most popular attacks that involve social engineering in one way or another. It’s important to know about them, as this knowledge is the best way to avoid becoming a victim.
Nigerian Email Scams
The Nigerian email scam, also known as the “419 scam,” pre-dates the Internet. The attacker masquerades as a bank account manager (in earlier days, the attacker would masquerade as a Nigerian prince) and asks the victim to help him transfer a large sum of money, a chunk of which the victim would supposedly keep. The only hurdle is that the victim must pay a small fee in order to release the funds. The goal of the scammer, of course, is obtaining that “small” fee from the victim. This scam relies solely on the scammer’s social engineering abilities, and in most cases everything is done exclusively via email.
There’s also the business version of the Nigerian scam, in which a company is contacted by a third party claiming that there are goods stuck in customs. In this scenario, the scam works the same way. The victim company is encouraged to send funds to “release the goods,” under the impression that there will be a big payoff since the scammer has assured them that there are already customers waiting to receive those goods.
Romance Scams
If, in a Nigerian email scam, the attackers use social engineering to appeal to victims’ greed, in Romance scams they appeal to victims’ sense of loneliness and their desire to find love.
The attackers in a Romance scam approach single people through social media or dating websites using a fake account. They take on the persona presented through their fake accounts, attempting to give false hope to their victims and to spark a romantic relationship. The fake character is poor and lives far from the victim’s location, and when the time comes, the scammer convinces the victim to send money (whether for a flight ticket to meet up, or because they are in distress). That money goes straight to the scammer, and the victim never meets the person he or she thought they had a relationship with.
Technical Supporter/Bank Representative
In this social engineering attack, a scammer calls up the victim and identifies himself as a bank representative, or a rep from the victim’s telephone company or any other service provider that the victim is using. The attacker may already have partial information on the victim, and he uses it to establish the victim’s trust. After all, if the person calling you already has information that only your service provider should know, he must really be who he says he is, right?
Once the attacker has the victim engaged in conversation, he requests additional information that he supposedly needs because of an issue with something the “company” has on file.
Stranded Traveler Scam
The Stranded Traveler scam does involve some technical skill in addition to social engineering. That’s because the social engineering attack begins only after the attacker has hacked the victim’s email account. The attacker uses the access to the victim’s inbox to send emails to all of the victim’s contacts stating something along the lines of “I’m stuck in X country and my wallet has been stolen. Please wire me some money so I can get home.” The wire details are, of course, the attacker’s. In this scenario, the scammer hopes to social engineer the victim’s contacts into sending money out of their desire to help their friend.
Phishing Attacks
Phishing attacks are also considered to be a form of social engineering. The attackers build a website masquerading as a legitimate company, usually a bank. The website looks like the real, legitimate bank’s site; indeed, even professionals sometimes have difficulty distinguishing Phishing websites from real sites.
Phishing is a prime example of how social engineering has a variety of forms. It doesn’t just happen via emails or phone calls, but websites and other resources as well. All are used to manipulate the victim to divulge information, grant access, or download a file.
If you would like to learn more about how to avoid Phishing attacks, check out What Are Phishing Scams and How to Avoid Them.
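Since even professionals struggle to tell a Phishing site from the real one by looking at it, the checks that scale are mechanical ones on the links themselves. The script below is an added illustration written for this post, not the author’s code or any product’s: it walks every link in an HTML email and flags (1) link text that names one site while the href goes to another, and (2) a link host that is a lookalike of a domain the recipient trusts, whether by a one-letter typo or by a Cyrillic letter standing in for a Latin one. The allow-list `KNOWN_DOMAINS`, the small confusables table, the two-label “registrable domain” shortcut and the sample message are all constructed assumptions for the demo.

```python
"""Inspect the links in an HTML email for two common phishing tells:
   (1) the visible link text names one site while the href goes to another,
   (2) the link host is a lookalike of a domain the recipient trusts.
Added illustration; not code from the original post."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains the recipient actually does business with.
KNOWN_DOMAINS = {"examplebank.com", "example.com"}

# Small hand-picked table of characters that imitate ASCII letters (Cyrillic
# a/e/o/p/c/s/i and dotless i). Real deployments use the Unicode confusables
# data; this subset is enough to demonstrate the check.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0131": "i"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain):
    """Fold confusable characters and accents so lookalikes compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain):
        if unicodedata.combining(ch):
            continue  # drop accents separated out by NFKD
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).lower()


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the known domain this one imitates, or None if it is not a lookalike."""
    if domain in KNOWN_DOMAINS:
        return None
    sk = skeleton(domain)
    for known in sorted(KNOWN_DOMAINS):
        if sk == known or edit_distance(sk, known) <= 2:
            return known
    return None


def host_of(url):
    """Hostname of a URL, with punycode (xn--) labels decoded back to Unicode."""
    host = urlparse(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed; keep as-is
    return host


def analyse_link(href, text):
    """Return a list of human-readable findings for one link (empty = clean)."""
    findings = []
    dom = registrable(host_of(href))
    shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    if shown and registrable(shown.group(1)) != dom:
        findings.append("mismatch: text shows %s but href goes to %s"
                        % (registrable(shown.group(1)), dom))
    imitated = lookalike_of(dom)
    if imitated:
        findings.append("lookalike: %s imitates %s" % (dom, imitated))
    return findings


def scan_email(html):
    """Return the links that trip at least one check, with the reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        findings = analyse_link(href, text)
        if findings:
            flagged.append({"href": href, "text": text, "findings": findings})
    return flagged


# Constructed sample message: one honest link, one text/href mismatch and one
# homograph domain (Cyrillic "а" in place of the Latin "a").
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="https://www.examplebank.com/help">read our security tips</a>.</p>
<p>Verify your account at
<a href="http://secure-login.example-update.net/verify">www.examplebank.com/verify</a></p>
<p>Or <a href="http://ex\u0430mplebank.com/login">sign in here</a>.</p>
"""

if __name__ == "__main__":
    for hit in scan_email(SAMPLE_EMAIL):
        print(hit["href"], "->", "; ".join(hit["findings"]))
```

Run as a script it prints the two suspicious links with their reasons and stays silent about the honest one. The punycode decoding in `host_of` matters because mail clients and gateways usually see the `xn--` form of an internationalised domain, which looks nothing like the brand it imitates until it is decoded and then folded through `skeleton`.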
Spear Phishing Attacks
While Phishing attacks are aimed at the masses, and involve sending millions of emails in the hope of obtaining a few credentials, Spear Phishing attacks are tailored to a few specific victims. Instead of sending a generic “Your account will be suspended if you don’t update your information” message to a huge list of email addresses, the hackers design emails around their targets. This can be anything from a personalized greeting (“Dear Mr. McPherson…”) to a mention of a conference the victim recently attended. Many Spear Phishing emails are aimed not at getting the user to divulge information, but rather at getting the victim to open an attachment that’s infected with malware. Hackers often use this method of attack to gain access to organizations, so employees should be especially vigilant about these types of attacks in the workplace.
Work From Home Scam
In the scams we’ve described so far, the goal of the attacker is to steal money or information. In a Work from home scam, also known as the “Mule Recruitment” scam, the purpose is different: to build the infrastructure that allows attackers to steal victims’ money.
In our post about fraudsters and mules, we discussed how mules are used to help hackers obtain stolen money. We described the “bank drop” scenario in which a fraudster can make fraudulent transfers from the accounts hackers have stolen credentials for to the mule’s account. When the mule receives the transfer, he or she cashes out the money and sends it to the fraudster via Western Union or another money transfer service.
Mules who are recruited for these purposes are often individuals who are looking for work. They receive an email from a legitimate-looking company saying that the company has received their resume and that they were approved for a “work from home” position. The fraudsters send the employees fake recruitment forms and even perform quick phone interviews to add legitimacy to the process. The position is usually the same; the title is “Account Manager,” and it involves receiving money from US customers and forwarding it to the company once it arrives. Of course, those “customers” from whom the money is being received are actually victims of Phishing attacks and malware. The scam goes on until the bank realizes that the employee is actually a mule and the account is promptly frozen. Many mules use their own personal accounts for this “work,” meaning that their personal funds also get frozen, making them additional victims.
There are several variations of being a mule. What we’ve described above is a mule who receives fraudulent money transfers. There are also mules who reship items bought with stolen credit cards (thinking they’re working for a logistics company), or who go to stores to purchase items with stolen credit cards (thinking that they’re “mystery shoppers”).
SMS Phishing Scam
In July 2015, a new social engineering attack that gives hackers access to victims’ email accounts surfaced. As reported by Symantec, “this simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site. In this case, the only cost to the bad guys is an SMS message.”
Cybercriminals carrying out this type of attack appear to be targeting specific individuals in order to obtain information about them. They’re doing so by first obtaining the victim’s mobile phone number and email address (information that surely isn’t difficult to come by). Here’s how it works:
The attacker initiates the password recovery process offered by many email providers and selects the option to have a verification code sent to the victim’s phone number. When the code is sent, the hacker then sends the victim a separate SMS message from his own phone, pretending to be the email service provider. This second text message informs the victim that their email account has been breached, and requests that the victim text back the verification code they received. Once the victim does so, the hacker has complete access to the email account.
When it comes to cybersecurity, the human element is usually the weakest link. Social engineering is the ideal way for hackers to exploit this vulnerable spot. Hackers and fraudsters continue to develop new methods for manipulating people, as the cost of trial and error isn’t usually very high. For these reasons, it’s important to stay informed on the latest scams to avoid being victimized.