I Know What You Did Last Summer is a 1997 American slasher film based on the 1973 novel of the same name by Lois Duncan. This was a very good yet creepy movie to say the least. You may be asking yourself what does this have to do with cybersecurity?

Well, there are a lot of creepy people out in the cyber world lurking the Internet and looking for information about you, like what you did last summer, for the purposes of identity theft or access to your critical corporate business assets. It’s called social engineering.

There are many social engineering techniques, or as one of my colleagues likes to call it, “recruitment.”

Let’s look at a few types as defined by Wikipedia:

  • Pretexting: Creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information
  • Phishing: Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an email that appears to come from a legitimate business—a bank, or credit card company—requesting “verification” of information and warning of some dire consequence if it is not provided
  • Spear Phishing: Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success. This technique is, by far, the most successful on the Internet today, accounting for 91 percent of attacks

There are many others but let’s look more closely at Spear Phishing. Personally it’s my favorite and has a very high rate of success.

Let’s run through a use case scenario. You, the target, are a senior vice president of a fairly large organization. I’m an attacker who wants to access your corporate business assets.

By doing a little online research on your LinkedIn account, Facebook, Twitter and Google +, I find out you went to ABC College, graduated in 1995, played varsity football and were an academic all American. You enjoy great BBQ, listen to AWOLNATION, are an avid supporter of XYZ charity organization and your favorite NFL player is Richard Sherman of the Seattle Seahawks.

Hmmm…that’s really good information so let me write this person a message via email,  text or a social networking site like Facebook or Twitter and see if I can get him to click this link (It is very easy to get duped into clicking on a malicious link.) These malicious links may look like they were sent by someone you trust, such as:

  • A colleague or friend or someone who you know
  • A legitimate-looking organization
  • A business that you know

If the target clicks the link, we now can possibly view the local file system and/or mapped drives, upload and download files to and from the end-user system, open and interact with files on the compromised system, gather user names and passwords from endpoint applications, deploy a keylogger that tracks the user’s keystrokes or simply perform a password dump from the user’s favorite web browser…Yikes!

The senior VP comes into work on a Monday, opens up his email and sees the following message from ABCcollege.org

 

Dear Alumni,

On May 15, 2015, ABC College is hosting a fundraiser for our nationally ranked football team so they can travel to Hawaii to play on national television. We would like all of our former Academic All Americans to make an appearance if possible. Fifty percent of the funds raised will be given to XYZ charity. We will be serving Famous Joe’s BBQ and have live music all day from five bands, including AWOLNATION. We also are expecting a very brief appearance by Richard Sherman.  If you are interested, register here www. __________.com .

We hope to see you there!

 

This technique works well because it plays on a person’s heart and interests. But, one click and it’s a wrap. I now own that machine.

Security awareness is the cheapest risk reducing measure out there. Make sure your organization is pro-actively staying ahead of these threats. Remember, security is everyone’s responsibility.