Your computer files are being held for ransom. Pay up, or lose them. Your bank account is being emptied, so click here to stop it. Your friend has died, click on this funeral home site for more information. Social engineering thugs have reached new lows.
Social engineers, those criminals who take advantage of human behavior to gain access to data or infiltrate businesses, were once content to trick people with free offers or funny videos before unleashing their scams. Today, social engineering gangs have taken a darker turn toward strong-arm tactics, threats, emotional cruelty and dire ultimatums.
While both the number of emails per spear-phishing campaign and the number of people targeted have decreased, the number of spear-phishing campaigns themselves jumped 91 percent in 2013, according to Symantec Corp.'s 2014 Internet Security Threat Report, released in mid-April.
Campaigns run about three times longer than those in 2012, which indicates that user awareness and protection technologies have driven spear phishers to tighten their targeting and sharpen their social engineering. Symantec also reports that "real world" social engineers are combining virtual and real-world attacks to increase the odds of success.
Chris Hadnagy, Chief Hacker at Social-Engineer.org, sees an increase in the use of this tactic against business employees.
"Groups are sending phishing emails with malicious attachments," which a cautious employee usually ignores.
"But then they're following up with a phone call that says, 'Hi, this is Bob in accounting. I just sent you an email with a spreadsheet. I just need you to open that up real quick and check it out.' Those factors put together make you trust them and take that action." Social engineering tactics like these serve as the entryway to the latest internet scams.
1. Phishing with new lethal strains of ransomware
Ransomware caught businesses' attention in 2013 with Cryptolocker, which infects computers running Microsoft Windows and encrypts all of the computer's files, as well as files on a shared server. The extortionists then hold the encryption key for ransom (about $500 USD), to be paid with untraceable Bitcoin. The longer the victim waits to pay, the higher the price climbs, and the data may ultimately be erased.
Now a copycat, CryptoDefense, has popped up in 2014. It targets text, picture, video, PDF and MS Office files and encrypts them with a strong RSA-2048 key, which is hard to undo. It also wipes out Volume Shadow Copies, which are used by many backup programs.
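Because both families described above destroy the local recovery data (Shadow Copies) before the ransom note appears, a practical defensive control is to alert on the commands that delete them. The following is an added example, not code from the article, Symantec or any vendor: it scans process-creation events (a constructed JSON-lines schema loosely modelled on Sysmon Event ID 1 / Windows 4688, with assumed field names `host`, `user`, `image`, `parent_image`, `command_line`) for the real Windows utilities that remove shadow copies or disable recovery (`vssadmin`, `wmic shadowcopy`, `wbadmin`, `bcdedit`). The sample events, including the `voicemail.exe` parent, are constructed for the demonstration.

```python
"""Flag process-creation log entries that indicate Shadow Copy destruction.

Added example (not from the Computerworld article or any vendor). Log format,
field names and sample events are assumptions constructed for this demo.
"""
import json
import re

# Command patterns commonly associated with destroying shadow copies or
# recovery options. vssadmin/wmic/wbadmin/bcdedit are real Windows tools;
# the regexes and rule names are this example's own.
SHADOW_TAMPER_PATTERNS = [
    ("vssadmin-delete-shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin-resize-storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit-disable-recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]


def classify(command_line):
    """Return the name of the first matching rule, or None for benign commands."""
    for name, pattern in SHADOW_TAMPER_PATTERNS:
        if pattern.search(command_line or ""):
            return name
    return None


def find_shadow_copy_tampering(log_lines):
    """Parse JSON lines and return one alert per matching process creation.

    Malformed lines are skipped rather than aborting the whole scan, since a
    detection pipeline should keep running on partially corrupted input.
    """
    alerts = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        rule = classify(event.get("command_line"))
        if rule:
            alerts.append({
                "rule": rule,
                "host": event.get("host"),
                "user": event.get("user"),
                "parent_image": event.get("parent_image"),  # who launched it
                "command_line": event.get("command_line"),
            })
    return alerts


# Constructed sample events (raw string so JSON keeps its escaped backslashes).
# Two are benign (a directory listing and a read-only "list shadows"),
# four are destructive, and one line is deliberately malformed.
SAMPLE_LOG = r"""
{"host": "WS-0142", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "cmd.exe /c dir"}
{"host": "WS-0142", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe", "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\voicemail.exe", "command_line": "vssadmin.exe Delete Shadows /All /Quiet"}
{"host": "WS-0077", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\vssadmin.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "vssadmin list shadows"}
{"host": "WS-0142", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\voicemail.exe", "command_line": "wmic shadowcopy delete"}
{"host": "WS-0142", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bcdedit.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "bcdedit /set {default} recoveryenabled No"}
this line is not JSON and must be skipped
{"host": "WS-0142", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbadmin.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "wbadmin delete catalog -quiet"}
"""


if __name__ == "__main__":
    for alert in find_shadow_copy_tampering(SAMPLE_LOG.splitlines()):
        print(f"[{alert['rule']}] {alert['host']} {alert['user']} "
              f"parent={alert['parent_image']} cmd={alert['command_line']}")
```

The read-only `vssadmin list shadows` event is included on purpose: backup agents run it legitimately, so matching on the binary name alone would drown the alert in noise, whereas matching the destructive verbs keeps the rule precise. In practice the parent image is the most useful triage field, since a shadow-copy deletion spawned from a user's Temp directory (here the constructed `voicemail.exe`, echoing the fake voice-mail lure described later in the article) is far more suspicious than one launched by a backup service.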
In February, a Charlotte, N.C., law firm came forward and described how its whole file server was scrambled by Cryptolocker, and the firm lost all its files. The IT team tried to disinfect the machine, but the plan backfired and prevented decryption. They also tried to pay the ransom, but it was too late, since they had tampered with the malware. The social engineering attack used an email "from AT&T" with a malicious attachment that was mistaken for a voice-mail message from their phone answering service.