Hackers Buy Christmas Presents Too

What is your weakest point in your security(People, Process & Technology)?

Safe to say that people are the weakest link.  And by that I mean social engineering your workforce to either click on something they should not, or do something like give out too much information (yes my boss is on vacation right now).  Email me at xyz.lastname@abc.com .

 

The hacker is always trying to piece together more information to do a better job spear phishing various levels of employees.

A good review of the potential Christmas schemes from Avast¹:

1. Shopping Invoices for Ghost Transactions.
2. Bogus Courier Receipts Delivering Trojans.
3. e-Commerce Phishing.
4. Mining Personal Data — Bogus Gift Card Promos
5. Compromised High-Traffic Websites.
6. Poisoned Christmas Shopping Search Results.
7. Malvertisements: Malicious Advertisements
8. Greeting Cards — Bringing Bad Tidings.
9. Fake Charity Sites.
10. Bargain-Hunter Scams.

 

We can figure out some of the scams in the above list…

But an interesting one is compromised high-traffic websites.

Especially if you are interested in that topic. So let’s say you are interested in toys for your kids at Christmas?  What happens if your favorite toy store is compromised? Then an email from your favorite toy store can cause a problem.

I waded into the spam folder and tried to find an appropriate email:

spamfromoverstock

Notice how it is a “Christmas Liquidation” of an Apple MacBook in the subject line, but then in the body it is an Asus Laptop.

 

My rule of thumb is to never click on a link from any email unless you know that domain name.  (for me).

For users I just tell them not to click on the link at all, instead to find the link by using Google. So if you want laptops cheap for Christmas shop on Google or Amazon or other vendors.

Never click on links.

That rule of thumb will save most people from going down the road of getting compromised

As far as taking calls from unknown people…

there is no more famous social engineer than Kevin Mitnick² who was caught in February 1995. He made his famous hacks by calling people and pretending to be tech support. It is amazing what the person that answers the phone will give out to a stranger without verifying who is actually calling.

Even 20 years later some of these tactics work with an accomplished liar, and quick thinking social engineer.

{ One Mitnick anecdote: The intrepid social engineer calls up the network operations center of a cell phone company during a snowstorm. After befriending the operators, he asks them: “I left my SecureID card on my desk. Will you fetch it for me?” he asks. }

 

My rule of thumb is to take their number and call them back before giving out anything beyond public information like what is on your website. Our hours are 7am – 6pm and until 9pm for the holidays.

 

Never give out information on specific people.

You would have to recognize the voice before giving out what weather there is out of your window if it was up to me.

Compromised sites during any holiday should make all of us wary of the potential phishing attacks.

Phishing is as I have wrote about before only useful on the days when we are at our weakest.

 

My blog post to train emotional detachment …

Defeat Phishing: Train Emotional Detachment to Scams

Contact Us to help you with anti-social engineering techniques

 

  1.  https://forum.avast.com/index.php?topic=40647.0
  2. http://www.csoonline.com/article/2113271/social-engineering/kevin-mitnick-and-anti-social-engineering.html

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.