I was told as a child never to accept candy from strangers. It’s no different as an adult. Emails, phone calls, and fliers that offer deals that are just too good to be true are nothing more than adult candy. In this posting, I offer tips on how to stay safe while performing that one task that everyone does during the holiday season (and possibly year-round): shopping. The article is lengthy, but hopefully it empowers you to be more aware of the attacks present online and in “real life”, and how to better reduce the risks associated with online shopping.
According to the latest Internet Crime Complaint Center (IC3) report, the number one complaint for 2011 was Non-delivery Payment/Merchandise, with Identity Theft a not-too-distant second place (National White Collar Crime Center, 2011, p. 9). During the holiday season, not getting what you paid for may be more devastating than having your identity stolen, especially if what you paid for was an extra special gift to your child. Protecting yourself online should be a primary goal year-round. However, with the holidays sparking more online shopping, Tweets, posts, email, and just plain Internet traffic in general, the possibility that your information may be compromised is increased.
Here are some of the potential attacks you may experience and tips for reducing the risks that the attacks will be successful.
1. Spam – We’ve all heard of spam by now: the email that has dozens of misspellings and offers that are just too good to be true. The simple rule of thumb is to delete spam. NEVER reply to spam emails (Federal Bureau of Investigation, 2010), no matter what kind of impact you may be looking for in your response. Responding to spam just lets the person executing the attack know they’ve reached a live person, and you invite even more spam in the future.
Consider using a web-based email service, such as Gmail or Yahoo mail, as the email for purchases made online. The primary reason is most web-based services offer spam filtering at the email server, which means the possibility of even seeing spam is reduced. If you prefer to use your own email client, turn on spam filtering within the software.
2. Phishing – Phishing is actually a play on words, where the attacker is fishing for victims (Spring, 2003). Many anti-virus vendors offer to filter spam email, and email clients also offer the ability to filter spam, as well as to sort all the other emails you receive (such as emails from Mom).
Filtering emails serves the purpose of validating the sender of an email. Most spammers and phishers either use hijacked email accounts for attacks, or make up email addresses to look like legitimate ones. In Bruce Schneier’s book, “Secrets and Lies: Digital Security in a Networked World”, one of the oldest games around is playing off common misspellings of web addresses (Schneier, 2000, pp. 168–170). “A bunch of attacks target URLs [uniform resource locators], some relying on user error and some on user ignorance” (Schneier, 2000, p. 168). So, when viewing an email in an email client, the name of the sender appears to be legitimate, but the actual email address the email came from is bogus. Filtering email into separate categories lets you know in an instant whether Mom sent the email, because the email will end up in the folder for Mom. Questionable email will remain in the Inbox folder for further scrutiny.
2) Web Addresses and Security
1. URL spoofing – As I said in the previous note about phishing, attackers will obscure web addresses (URLs) in an attempt to gain information from you without your knowledge. For example, suppose I know you are in a Fantasy Football league and I want to use this knowledge to get a password from you (which you probably also use for online banking and online shopping). All I need to do is create a web site, like nffl.com, send you an email inviting you to this no-cost-to-you league, and have you log into the site. Presto, I have a user name and password you use online, and away I go to steal what I can from you.
When you travel anywhere online, ALWAYS check the address of the place you’re visiting. Even large corporations will take advantage of your mistake when typing in a web address. For example, “[p]eople who once mistyped “Geico” as “Geigo” ended up at a site owned by Progressive Insurance” (Schneier, 2000, p. 169). In this example, the only harm done is to Geico. In the Fantasy Football league example I gave earlier, the person harmed is you.
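As an added example (not code from the original post), here is a small Python checker that applies the two checks above to a constructed message: it compares the sender’s real address with the brand named in the display name, and flags link hostnames that are within a couple of typos of a domain you actually use, as with “Geigo” for “Geico”. The trusted-domain list, the sample message, and the two-label domain simplification are assumptions made for the illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the reader actually does business with (constructed list for this example).
TRUSTED = ("geico.com", "mystore.example")

def levenshtein(a, b):
    """Edit distance between two strings, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels of a hostname. Simplification: no public-suffix list, so co.uk-style suffixes are mishandled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def classify(host, trusted=TRUSTED):
    """'trusted' on exact match, 'lookalike of X' within two edits (Geico vs Geigo), else 'unknown'."""
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        if levenshtein(reg, t) <= 2:
            return "lookalike of " + t
    return "unknown"

def check_email(from_header, body, trusted=TRUSTED):
    """Return (kind, value, verdict) findings for the sender address and every link in the body."""
    name, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = [("from", addr, classify(sender_domain, trusted))]
    # Display name shows a trusted brand while the real address does not: the spoof described above.
    claimed = [t for t in trusted if t.split(".")[0] in name.lower()]
    if claimed and findings[0][2] != "trusted":
        findings.append(("from-name", name, "claims %s but sent from %s" % (claimed[0], sender_domain)))
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        findings.append(("link", url, classify(urlparse(url).hostname or "", trusted)))
    return findings

# Constructed sample message for a dry run; not a real mail.
SAMPLE_FROM = "Geico Customer Care <alerts@geigo.com>"
SAMPLE_BODY = ("Your policy discount is waiting: https://www.geigo.com/claim\n"
               "View your recent order at https://mystore.example/order/123")
SAMPLE_FINDINGS = check_email(SAMPLE_FROM, SAMPLE_BODY)
```

Anything that comes back as a lookalike or a display-name mismatch deserves the same treatment as the “Geigo” site: close it and type the address you know by hand.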
2. Secure communications – banks and online retailers will use a type of communication that secures the transmission of sensitive data, called SSL (Secure Sockets Layer). SSL allows data to be encrypted before being sent to the receiver. Think of SSL as placing your data inside an armored car before it is sent to its final destination.
Attackers will seek to exploit your trust in a web site by forging the credentials required for secure transmission. Put another way, they hijack the armored car and place their own people inside the car without you knowing it.
Verify that the web site you are visiting uses trusted credentials and that the credentials are actually assigned to the web site owner. All web sites using SSL present a certificate to your browser before information is exchanged. It’s a bit like having a secret decoder ring, with the web site having the matching ring to decode the data you send.
A certificate will be signed by a certificate authority, which is a bit like the decoder ring manufacturer stamping the rings with a super secret seal of approval. Browsers will warn you if the web site you’re visiting and the certificate it presents don’t match. When you encounter this warning, leave the web site immediately. In addition, attackers will create their own certificates (self-signed certificates) to imitate a real one. Most browsers will warn you when this happens.
What to truly watch out for is the combination of a web site which is bogus and a certificate which is valid. A valid certificate only proves that you are connected to the site named in the address bar; it says nothing about whether that site’s owner is honest. ALWAYS be aware of where you’re going on the Internet.
3) Social Engineering – I left this as a topic by itself, because social engineering doesn’t just happen over the Internet. In fact, social engineers use a wide variety of methods to get information from you without using the Internet at all.
1. Preloading – preloading, or “influencing subjects before the event” (“Elicitation Preloading,” 2009), is when an attacker makes comments (or sends emails) to a victim to get the victim thinking about the information the attacker wants.
Suppose I want to find out your mother’s maiden name. If I start off the conversation by making statements about families and the origins of names, I get you to start thinking about your family’s names. Eventually, we will start talking about maiden names, and eventually you may reveal the piece of information used by banks all over the world as a way of identifying you as you. Again, the best way to defeat this type of attack is to ask questions and trust your gut. If you get an uneasy feeling about how the conversation is going, stop the conversation or the emails.
2. Pretexting – pretexting is “[p]retending to be someone else in order to obtain information, typically over the phone” (“pretexting,” 2010). However, it has been done using other forms of communication (like email and Facebook) as well. I once received a phone call from someone identifying themselves as working for the federal court system. The caller explained in very professional terms how I was going to be paid for my services on a jury, when the jury date was, and how I was going to be paid. The caller then started to ask where I did my banking. This question immediately raised a red flag and the conversation ended.
Attackers have no problem with pretending to be someone else if it gets them information required for a successful attack. When confronted with communications from someone claiming to be of authority, always ask to call them back or verify the email address with a verified source. People of true authority will not press you for information without some sort of validation handy and will provide a way to properly verify their identity.
Another, more subtle, approach is to elicit an emotional response from the victim. I attended a wonderful presentation on social engineering as an attack vector during my CSSLP training. The attack was simple. During a snowstorm, attackers placed a flier on cars that were parked less than perfectly (“Malware infection that began with windshield fliers,” 2009). The fliers indicated that there was a picture of the horribly parked car on a web site, along with other cars that were parked in a similar fashion. Once the victim visited the web site, malware was downloaded onto the victim’s machine. The lesson here is that not all threats to online security are online; some threats start in the “real world”.
The best rule of thumb to protect your information is trust but validate. Trust that the reason for the information being disclosed is legitimate, but question why it’s being requested. Trust you didn’t make a mistake while typing in that web address, but verify anyway.
Stay Safe and Happy Holidays!
Elicitation Preloading. (2009, September 16). The Official Social Engineering Framework. Retrieved November 25, 2011, from http://www.social-engineer.org/framework/Elicitation_Preloading
Federal Bureau of Investigation. (2010, November 24). Tips to Avoid Being Scammed This Holiday Season. Retrieved November 25, 2011, from http://www.fbi.gov/news/pressrel/press-releases/escams_112410
Malware infection that began with windshield fliers. (2009, February 3). ISC Diary. Retrieved November 25, 2011, from http://isc.sans.edu/diary.html?storyid=5797
National White Collar Crime Center. (2011). 2010 Internet Crime Report. Internet Crime Complaint Center. Retrieved November 25, 2011, from http://www.ic3.gov/media/annualreport/2010_ic3report.pdf
pretexting. (2010). Free Online Dictionary, Thesaurus and Encyclopedia. Retrieved from http://encyclopedia2.thefreedictionary.com/pretexting
Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World. New York, NY: John Wiley & Sons, Inc.
Spring, T. (2003, November 17). Spam Slayer: Do You Speak Spam? PC World. Retrieved November 25, 2011, from http://www.pcworld.com/article/113431/spam_slayer_do_you_speak_spam.html