The holidays are here! The heavy rotation of holiday music fills our cars with songs like Feliz Navidad and Frosty the Snowman. YES, it is time for some stoplight karaoke with friends, and family (pets). Since this time of year is both fun and a bit stressful, we wanted to briefly go over some commonly observed threats that folks will encounter this holiday season and beyond.
Note: Some of the tactics and techniques we describe can be found within the MITRE ATT&CK™ Framework.
The overarching threat landscape that we unwillingly face daily from simply being connecting to the internet is astronomical. Unless proper security gear is used in every household, which can be expensive, or a family member is in our industry, it makes matters challenging to stay safe while banking, shopping, and generally surfing the internet. We are going to describe a few of the biggest concerns and shed some light on a few tactics and techniques that should help folks stay safe and more aware going into the new year.
In short, this is manipulation of people and their actions in order to gain otherwise private information (banking information, usernames, passwords, social security numbers) and any other data that is desired from the attacker. The delivery method for social engineering attacks is not limited to online threats; many times, during our normal day to day human interaction, we come across some form of it. Here are some of the most prolific forms of social engineering
- Phishing is mainly delivered through spam (even through mobile devices) and pretends to be a legitimate entity with an email subject lure to have a user click on a link and sign in to a site. These are often geared towards gaining access to your bank account. Still, as observed in recent years, the actors want anything with a username and password (even your library account information). The reason for this is that most people do not use password safes like (1password, or KeepassXC) and reuse the same password across multiple websites. This allows the threat actors to gain additional access to accounts that they shouldn't have if the passwords were different on all of the sites.
- This threat is a little bit more involved than just a generic phisher. This is a phisher specially crafted by threat actors to directly target potential victims (rather than casting a wide net and phishing as many targets as possible). Though the delivery method is similar, it may appear or come from a friend, family member, colleague, or trusted external contact to mask the real sender's identity and intentions. The content delivered within the email may vary during the attack delivery phase, custom verbiage can be used to make the email feel authentic and more common than not, a link to additional downloadable content (zip files, binaries, etc.) is observed. This is behavior that is seen with advanced threat actors, which is why it is good to question every email and not blindly trust them no matter who is sending it to you.
Fake (Robo) Phone Calls
- These are phone calls that are sometimes automated and state you owe money or your social security number is needed for an outlandish reason. A good example that we will all be facing (again) very soon are the fake Internal Revenue Service (IRS) calls. These calls are automated, scammy voice recordings that threaten to repossess your house if you do not pay a fee immediately. The IRS will usually send a regular letter in the mail or demand funds using gift cards or prepaid credit/debit cards. This activity should be reported by sending an email to firstname.lastname@example.org (Subject: IRS Phone Scam)
- This is something that we do everyday, talking to other people and sometimes it is harder to tell the true nature of people. There are a lot of people, especially during the holidays that are well versed in the power of persuasion. If a stranger is asking you for “a moment of your time” or “ do you have a moment” and you have a gut feeling something is not right, listen to that feeling and walk away politely. This would be the same feeling you get when shopping in a mall and you are approached by individuals that can step in your path (the Kiosk approach) and look for any eye contact or body language to deliver a pitch. This small opening leads to a human connection and makes it harder to walk away.
Fake offers, discounts, or products
- These are a hot topic due to Black Friday and Cyber Monday on the horizon. These can be observed by simply visiting a website that has ads that can be clicked on (which could be injected) and lead you to injected websites that can deliver additional malware downloads, keyloggers, or simply collect information that can be sold to interested third-parties. This is another way to have your password collected for use on other accounts you have where passwords may have been reused.
If you are making purchases online there are a few addons that can help keep you safer that we use and are highly recommended:
Malicious Spam (Malspam)
- Spam has been going on since the days of America Online (AOL) disks were sent through traditional mail in the 90s. This gave many of us our first email accounts, which even then were always targeted due to the ease of delivery to a wide audience. Sending emails with malicious documents attached that have various embedded content to unsuspecting victims is not a new threat, but a successful one. The malicious content delivered through email is typically some form of document with embedded content leading to second stage downloads or direct downloads like (.ELF, .EXE, .ACE, .SCR). The files attached can also be compressed into password protected zip files in an attempt to bypass traditional security controls (those that inspect the contents of emails and attachments). There are a ton of ways to go about the delivery methods, kind of like putting up those holiday lights and looking at your neighbors houses that have different lights, nothing is the same for long and change is always on the horizon for new attack vectors. The common malware variants observed are Trojans, Ransomware, Keyloggers/Spyware.
All of these Social Engineering tactics and techniques are all based around user execution, where an individual initiates the threat delivery chain by answering the phone, opening an email and an attachment, clicking on a link or calling phone numbers stated in a pop-up. If these attempts are successful, then the victim divulges critical personal identifiable information (PII) to scammers. By claiming to be a member of a fake organization or someone from a well known company, criminals will leverage information from their victims, enabling fraud and identity theft.
The time spent with friends and family is both sacred and awkward this time of year, what makes things worse is the constant bombardment of activity to entice us to entrust our personal identifiable information (PII) or hard-earned income into the wrong hands.
Note: We also want to thank everyone in the industry covering the shifts over the holidays so that others may enjoy some time off.