BOOK REVIEW
Understanding Social Engineering-Based Scams
Ed: Markus Jakobsson. Published by Springer. ISBN: 978-1-4939-6455-0. Price: E80.07, 130pgs, hardback. E-book version also available.

Most people view computer security as a technology issue. The truth is, however, that a lot of it is really about human behaviour. Regardless of whether you’re a state-sponsored hacker, a criminal gang or a lone fraudster, if you can trick people into carrying out actions that are not in their own best interests then you’re halfway to achieving your goals. A simple step such as clicking on an email attachment or following a link to a malicious web page can easily subvert all the technical defences you’ve put in place. And that’s true at both an individual and a corporate level. If a hacker can fool you into installing malware on your machine, the result can be, for example, a reverse shell giving the attacker full control over your machine while all the company’s firewalls, intrusion detection systems and other defences remain clueless.
It’s well known that spear-phishing attacks – highly targeted against individuals – are the most common first step in what people like to call the advanced persistent threat (APT). Phishing is a classic social engineering scenario in that the emails are specifically designed to provoke a human, not a machine, response. While phishing attacks usually lead quickly to some kind of technical exploit – such as the installation of malware – this is not always the case. Indeed, the only technical component of many of the threats out there, including spam, fraud and some forms of phishing, is the emails used to deliver them. You could argue that email plus human frailty is the biggest Internet-borne threat we face.
Network Security
There’s nothing especially new about this. Many scams, for example, were once delivered by postal mail and were adapted to the fax age before finally arriving by email. The explosion of the Internet, however, has enabled these frauds to scale up and gain a global pool of potential victims.
That’s not to say that these criminal activities don’t evolve. As anyone who has had to deal with spam knows (and that must be pretty much everyone these days), fraudsters often take advantage of current events and social trends in an attempt to lure victims into making that fateful click. This book – a collection of papers by a number of authors – has a whole section on trends and how email-based frauds and spam (the key focus of the work) have developed. It’s interesting to note, for example, that the classic ‘Nigerian’ scam may use a clever self-selecting trick. Most of us dismiss these emails as obvious scams because of the poor grammar and blatant absurdities. However, a researcher at Microsoft believes that while this style of message started from genuine incompetence, it is now a deliberate ploy to weed out people who are not easily tricked. That’s because the classic fee-forwarding scam involves several rounds of interaction between fraudster and victim and only the most gullible will fall for it.

The book also discusses how fraudsters have turned to ever-more focused targeting of victims. This is being enabled, to some extent, by the huge amounts of information about all of us that are currently washing around on the Internet. Some of this comes from data breaches in which details of hacked websites’ users – such as email address, physical address and more – are dumped into the public domain, often in batches of millions of records. But there’s also the information we provide ourselves via social networking, blogs and so on. Cyber-criminals are gathering and aggregating this data in huge amounts.

[Figure: An example of the data presented in the book – in this case, targeted versus non-targeted scam campaigns.]

While the book focuses on email-based scams, many of the principles carry over to other delivery methods. For example, Facebook, LinkedIn, Twitter and other social media are now being exploited heavily by scammers. The common denominator, after all, doesn’t involve technology but our weakness for being tricked. If that makes it sound like this subject is the preserve of psychologists or sociologists, rest assured that there is also ‘hard’ science presented in the book. It provides, for example, interesting data on trends and the success rate of fraud campaigns, and in-depth analysis of why we fall for scams. There’s also analysis of some of the techniques used, such as obfuscating text to evade spam filters.
As to what we do about this problem – well, that really isn’t the main focus of the book, although there is some discussion about why spam filters are largely useless and the role that email authentication technologies (SPF, DKIM and DMARC) could play, if only they were universally deployed.

It’s important to understand just how damaging email-based fraud can be. At a personal level it can be devastating to people who have been defrauded out of their life savings. But with the rapidly rising menace of business email compromise (BEC, aka ‘CEO fraud’) it is also capable of stealing millions of dollars from organisations. The book is a good step towards measuring and understanding the menace. There’s more information available here: www.springer.com/gp/book/9781493964550.

– SM-D
January 2017