Although we usually talk about ways to protect information from threats, today we are going to list several proven and popular ways to lose data and, quite possibly, money as well. The point of this post is to identify the risks for individual users, and to show how bringing their habits to work can lead to problems in the corporate infrastructure.
1. Succumbing to social engineering and/or phishing
This means showing any sort of credulity or excessive curiosity, for example by opening a questionable email attachment or following a link to a malicious site (and entering login credentials for whatever service that site mimics).
Damage of this kind is guaranteed; its scale depends on the target the attacker has chosen.
Social engineering is one of the oldest methods and, paradoxically, still a very effective way to gain unauthorized access to information resources. The attack does not focus strictly on information systems, but on their operators, i.e. on people.
This method has been widely used by distributors of email worms and Trojans that trick users into running suspicious attachments or following questionable links. A detailed description of the method can be found here.
Phishing and spear phishing are online scams whose purpose is to gain access to users’ confidential data. They rely on mass mailings sent, for example, on behalf of popular brands, as well as on private messages within various web services, such as messages purporting to come from banks or contacts in social networks. The message often contains a direct link to a site that looks indistinguishable from the genuine one, or to a site that redirects to it. Once the user lands on the fake page, the scammers use various psychological techniques to make the user enter their login data. This gives the fraudsters access to web services and billing accounts, or a way into corporate infrastructures.
Phishing is a form of social engineering. Its efficiency depends on how well potential victims understand the basics of network security. Web services never send emails asking for account data, passwords and the like, but not everybody knows this, even though web services openly warn their users that under no circumstances will they ask for passwords by email or phone.
Recent examples of successful phishing campaigns include the efforts of the Syrian Electronic Army; most of their break-ins were accomplished through phishing.
2. Entering billing information on a fake bank site
The scale of damage is limited only by the amount of funds in the account the attackers gain access to. However, hackers may not need all the money at once and could decide to leave some to come back for next time.
Hackers are subtle. They skillfully copy bank sites, but spotting a phony is almost always easy. All billing web services use secure connection protocols for their operations, so if the address bar shows plain http instead of https, it is a fraud (the reverse does not hold: https on its own does not prove that a site is genuine). Grammar and spelling mistakes can also give away the false nature of these sites. Your strongest means of protection is paying attention.
On the other hand, antivirus vendors and browser developers constantly watch out for new malicious resources on the Internet. That is why security solutions and popular browsers are supplied with antiphishing tools as well as with the means to combat malware. Alas, this does not negate the need to stay alert.
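As an added example (not code from the original post), here is the kind of check an antiphishing tool can apply to a link before the user clicks it, encoding the two red flags above: plain http instead of https, and a host that is not the bank's even though it may carry the bank's name. The bank domain examplebank.com is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed for this example: the bank's real registrable domain and the
# brand string a lookalike host is likely to reuse.
BANK_DOMAIN = "examplebank.com"
BRAND = "examplebank"


def host_belongs_to_bank(host: str) -> bool:
    """True only for the bank's domain itself or a subdomain of it."""
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)


def check_bank_url(url: str) -> list:
    """Return the red flags found in a URL; an empty list means none were found."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    # Red flag 1: billing services always use https.
    if parts.scheme != "https":
        reasons.append("not https")

    # Red flag 2: the host is not the bank's, e.g. examplebank.com.login-secure.example,
    # where the brand name sits in a subdomain label of a foreign domain.
    if not host_belongs_to_bank(host):
        reasons.append("host is not the bank's")
        if BRAND in host or BRAND in parts.path.lower():
            reasons.append("brand name used on a foreign host")

    # Red flag 3: a "user@host" URL, which makes the part before '@' look like the host.
    if parts.username is not None:
        reasons.append("userinfo before host")

    # Red flag 4: punycode labels can hide homoglyph lookalikes of the brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")

    return reasons
```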
Of the people interviewed in the summer survey by B2B International and Kaspersky Lab, about 62% confirmed having faced attempts at financial fraud. 30% of them had received phishing emails claiming to come from their banks, and 10% had been redirected to suspicious web sites.
4% lost money to online fraud, and 41% of those victims failed to get all of it back. 45% of respondents believed the bank had to compensate them for losses of that kind, but that is far from true. And 42% of users believed that banks ought to offer their customers free security software, which the banks never did.
3. Installing a fake antivirus
A fake antivirus is another popular way to take money from the gullible. According to the above-mentioned survey by B2B International, 21% of respondents have come across fake antiviruses. The scale of damage varied. A fake antivirus is almost sure to try to take money for the “license” ($30 to $70, sometimes even more). This year there was a case in which a malicious program called Android.Fakedefender posed as an antivirus, then locked the device like ransomware and, again, demanded money for the “license”.
Fake antiviruses are often multipurpose Trojans which, once installed on a computer, scare the user with notifications that the entire computer or gadget is literally drowning in every kind of infection. Some of these rogue antiviruses remove, or at least attempt to remove, real antivirus programs from the device.
How do they get on user devices? Here is the most typical case:
The scammers (the criminal group Innovative Marketing, Inc., authors of WinFixer/XPAntivirus and many other programs of the kind) created seven fake advertising agencies that bought legitimate website placements on behalf of major advertisers. Their advertising contained a cunning script that did not reveal itself while being checked by the hosting provider, but launched only in the visitor’s browser, redirecting it to an IM page. The page displayed warning messages, simulated a scan of the user’s system and showed a list of allegedly detected threats. The whole performance was meant to intimidate the visitor and force them to pay $30-$70 for the license to install a “remedy antivirus” on the computer.
Judging by the fact that by 2010 the fraudsters had earned about 180 million dollars, there is no shortage of the gullible and frightened in the world.
4. Using the same simple passwords for many resources and never changing them
This is a reliable way to lose everything, a method tested repeatedly by numerous victims who are reluctant to memorize or record dozens of passwords for all their accounts. The scale of damage is determined by the number of accounts the attackers manage to hijack.
Simple passwords are easy prey for hackers, even those who are not very tech savvy. Passwords repeated across different resources, including those related to billing operations, are all the more easy to crack. Particularly active network users are forced to invent dozens or even hundreds of passwords, and most people prefer to handle the problem in the easiest way, by reusing passwords on multiple resources at once. They know that doing so violates the rules of network security, but this is where the old myths take hold, such as “Who needs me?” and “There are more interesting victims than me”. According to the B2B International survey, 23% of respondents believe that they could ever become targets of a cyber attack.
But those are actual myths or just excuses for…
5. …not taking any care to ensure security
This means not installing any firewalls or security solutions, assuming that the most popular resources must be impregnable to intruders, and so on.
The absence of protection against malware, according to the B2B International survey, caused financial losses for 36% of the respondents. Those were not necessarily direct thefts; they could be, for example, the cost of repairing mobile devices crippled by malware. But there is no essential difference: the money was lost either way.
At the same time, 11% of users with protection software enabled on their devices acknowledged that they had installed it after an incident had occurred.
Of course, these are not all the possible ways of “losing everything”; many others are waiting to be found by those who are willing, or rather by those who are unwilling to spend their time on ensuring their own security. It is easy to do and pays off handsomely. But as John Armstrong put it, you can’t help people who don’t want to be helped.