Oldest Trick In The Book

Sometimes the old ones are still the best ones, even in cyber security.

When you read that two high-ranking officials in Hillary Clinton's campaign both suffered at the hands of cyber-criminals, you'd be forgiven for wondering what hope there is for the rest of us.

One would like to assume that if you were the campaign Chairman, or a high-ranking campaign organiser, for the potential future inhabitant of the most powerful office in the world, then your cyber skills, cyber advice, cyber mitigation strategies and anything else you can prefix with the word cyber would be of the highest calibre of technical sophistication.

Sadly not; both of the individuals identified, John Podesta, the campaign Chairman, and William Rinehart, a campaign organiser, fell for the same style of attack, in which an email tells you to change your password immediately. It is essentially one of the oldest tricks in the cyber criminal's book.

Such attacks, called 'phishing' (and, in their more targeted form, 'spear phishing'), have been around since the late 1980s, pretty much ever since people started using email, and have steadily increased ever since. Their purpose is to obtain sensitive personal information, such as usernames and passwords, for malicious use.

They do this by masquerading as trustworthy organisations, from Google and Facebook to banks and financial services providers, and sending out spoof emails (and in some cases text messages) attempting to convince the target that they must take some action. This action is usually 'click a link' to reset a password. Of course, the link in question takes the unsuspecting user to a fraudulent website, into which they type their personal details.

Alternatively, clicking the link can start the download and installation of malware, ransomware or other virus-style software. Despite all the efforts of security companies' software and all the training that people have received, it still works, and works well.

So what can be done? Everybody knows that you can get 'hacked' and that these criminals are out there, so the first thing to do is to be aware and proactive. Should you receive such an email, NEVER respond to it by clicking on a link or an attachment contained within it. If you are concerned about its contents, then open your browser, go directly to the website the suspicious email relates to, be that Google or Facebook, and log into it independently. Once logged in you can see whether the claims in the suspicious email have any credence whatsoever, and chances are they don't.

Once you are confident that the email you have received is fraudulent, label it as 'spam' so that future emails from that particular source never reach your inbox. If the email offers an unsubscribe option, you may be tempted to click it. DON'T, as even that can be fraudulent.

The next thing to consider is whether you know the source this email is coming from. Do you have dealings with the company it claims to be from? If not, simply delete it. Also check the email address it was sent from: if it looks suspicious, or the message is just badly worded, then again, delete it.

One final aspect to consider is that these emails will more than likely carry a sense of urgency, suggesting that your account has seen some unusual activity, or that they believe your account has suffered unlawful access. This is designed to put you into a state of mild panic, getting you to worry that all your personal details are being stolen or your bank account is being drained right before your eyes! Don't be fooled. This is social engineering. As humans we are all wired to react to a crisis, especially one that suggests time is limited to get a resolution. Keep a cool head about it all.
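The three checks just described (does the sender address match the organisation it claims to be, does the link really go where it appears to, and is the wording pushing urgency) can be run automatically over a message. The script below is an added example, not code from the original post; the trusted-domain list, urgency phrases and both sample emails are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: domains that genuine mail and links from each brand use.
TRUSTED = {"google": ("google.com",), "facebook": ("facebook.com", "facebookmail.com")}
URGENCY = ("immediately", "unusual activity", "unlawful access", "within 24 hours")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()

def _trusted(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_findings(raw):
    # Return the reasons a message looks like a credential-phishing lure (empty if none).
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower()
    brand = next((b for b in TRUSTED if b in name.lower()), None)  # brand named in display name
    findings = []
    if brand and not _trusted(sender, TRUSTED[brand]):
        findings.append(f"display name claims {brand} but sender domain is {sender}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        target = _host(href)
        if brand and not _trusted(target, TRUSTED[brand]):
            findings.append(f"link goes to {target}, not a {brand} domain")
        shown = _host(text) if text.strip().lower().startswith("http") else ""
        if shown and shown != target:  # visible URL differs from the real destination
            findings.append(f"link text shows {shown} but points to {target}")
    findings += [f"urgency phrase: {p!r}" for p in URGENCY if p in body.lower()]
    return findings

# Constructed sample messages (not real mail): a password-reset lure and a genuine-looking alert.
PHISH = """From: Google Accounts <no-reply@g00gle-security.com>
Subject: Unusual activity on your account
Content-Type: text/html

<p>We detected unusual activity. Change your password immediately:</p>
<a href="http://accounts-google.verify-login.example/reset">https://accounts.google.com/reset</a>
"""
LEGIT = """From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/html

<p>A new sign-in was recorded. If this was you, no action is needed.</p>
<a href="https://myaccount.google.com/notifications">Check activity</a>
"""
```

Running `phishing_findings(PHISH)` reports the look-alike sender domain, the link whose visible URL differs from its real target, and two urgency phrases, while `phishing_findings(LEGIT)` returns an empty list; in practice the allow-list must be maintained per organisation.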

In both cases within Hillary Clinton's campaign team, they received emails asking them to 'change passwords' and believed them. Clicking on the link took them to what appeared to be a legitimate Google page, but was actually a site designed by the hackers to capture a target's log-in credentials. Their actions enabled criminals to access their email accounts, the details and contents of which were then posted online.

If only they had NOT clicked, then things would have been very different. They really did fall for this scam hook, line and sinker. It just goes to show that sometimes the old ones are still the best ones!