Tuesday, February 21, 2017

How to Survive a Phishing Attack


This post describes a super easy way to avoid falling prey to phishing and spear-phishing.  While I’m at it I’ll explain about ransomware and botnets so you can sound impressive during fishing  trips and/or ladies’ luncheons.  I’ll even provide a real-life example of a recent situation requiring me to apply my method.

Couple quick notes:  1) You cannot get a virus by reading this blog or clicking on any link within it, ever; and 2) I actually did my homework on this post, and ran my anti-phishing technique past the Chief Information Security Officer of a giant corporation, who gave it her blessing.

Some terminology

In a previous post, I covered plain old spam, which is simply unsolicited e-mail that doesn’t even pretend to be personal.  For example, the subject line is “Enhance your male member!”  The sender hasn’t targeted you based on knowing anything about your, uh, membership … from the sender’s perspective, every man should enhance his male member!  (And if a woman receives this message, no harm done—she can just forward it to the man in her life.)  Spam is basically electronic junk mail.

Phishing is an attack that relies on you clicking on an embedded link or opening an attachment, which either installs malware directly on your computer or takes you to a bogus website that attempts to lure you into disclosing personal information (passwords, card numbers, and so on).  Phishing messages are usually blasted out like spam, though the sender will often pretend to be a company you do business with, such as your bank.  There’s usually a sense of urgency, something like “Account locked – update password!” (i.e., “Tell us your old password, sucker!”).

Spear-phishing is more targeted and requires the sender to find out stuff about you in advance (e.g., through social media or your employer’s website) to make the e-mail look more realistic.  Is it important to differentiate between regular phishing and spear-phishing?  Probably not.  The defense is the same either way; I think the latter term was contrived mainly to help security experts sound cool.

Ransomware is malware that encrypts your files (some strains encrypt the whole disk) so that only the fraudster can decrypt them, which he or she will only do upon being paid a ransom.  (A criminal with no hacking skills can actually buy or rent ready-made ransomware, and the “exploit kits” that deliver it, from the fraudsters to carry out his own attacks.)  Ransomware is one of the biggest reasons to be careful with your e-mail, because an attachment is one of its most common ways in.

You know how vampires and zombies can make you one of their own by biting you?  Similarly, computer viruses can take over your computer and use it in a separate attack.  Such an infected computer is called a bot, and when hundreds or thousands of them are herded together to mount a large-scale attack, you’ve got a botnet.  (Think of it as an online zombie apocalypse.)  Note that as more devices—not just computers and phones but thermostats, security cameras, DVRs, etc.—are connected to the Internet, they become targets for botnet attacks as well.  In fact, they’re ideal candidates because they’re often cheaply made, poorly designed, and lack security.  They’re like really dumb zombies.

How to survive phishing attacks

My phishing survival technique employs a single simple rule:  if an e-mail appears to be from any bank (even yours), or any other business with which you have an account (e.g., a utility), automatically assume it is a phishing attempt and just delete the e-mail.  You can apply this rule even before opening the message.  It’s that simple.  The decision tree looks like this:

There is a very small risk, with such a broad rule, that you’ll miss a legitimate e-mail from your bank, but a) it’s better to be safe, and b) remember, your bank knows how to reach you!  They have your money and are very resourceful about getting their business done.  In general, they prefer to phone you or send postal mail because they hate phishing as much as you do and have no interest in training you to fall prey.

The one blanket exception would be account statements.  If you signed up for electronic statements and receive them on a predictable schedule every month, and these statements provide account information without asking you to do anything, you’re probably fine.

As for these “Oh, no, you need to do something!” messages, keep in mind that if there’s really something wrong with your account—like your card number has been compromised, for example—that’s ultimately the bank’s problem.  They are on the hook for the cost of the fraud, so let them do the heavy lifting.  If they can’t be bothered to pick up the phone or mail you a postcard, they can face the consequences.  (For what it’s worth, my card number has been compromised a number of times, and in no case did I get an e-mail.)

All of this being said, I recently decided to amend my very simple rule.  If you’re interested in my amendment, read on.  If you’re already bored and/or have no problem with the simple rule outlined above, you’re done—goodbye!  Go get on with your life!

Sometimes it’s not quite that simple

What if you made a purchase that falls well outside your normal pattern of behavior?  For example, you just made a purchase for $2500, and the largest purchase you’ve ever made previously with this card was $1000?  Or what if you normally shop at J. Crew and Brooks Brothers, and one day get a sudden impulse and buy something at J.C. Penney?  If you do something outside of your norm and then immediately receive an e-mail purporting to be from your bank, you might consider evaluating it further.

I got an e-mail recently from slcfraud@aexp.com titled “Your Corporate Card.”  This “From” address and subject line didn’t look obviously wrong.  The capitalization in the subject line, “Your Corporate Card,” was a bit odd, but not obviously wrong (e.g., it wasn’t “Security fraud alerted corporate card!!” or “Account info updating needs!” or some other butchered English).  The return address, slcfraud@aexp.com, struck me as feasible, though these things can be spoofed.  Only because I half-expected Amex to choke on a recent transaction, I decided to open the e-mail:

Note how it’s in plain text with no logos or anything.  That might seem a bit odd, but actually it’s completely okay.  Fancy logos and formatting are methods hackers use to make their e-mails look legit, so their presence proves nothing, and their absence proves nothing either.  Don’t be fooled!  It’s far easier to copy graphics and logos and such than to say the right things, in perfect English, in an e-mail.

This brings us to my analysis of the grammar etc. in the e-mail itself.  There is a stray bracket in the message (toward the end:  “Corporate Payment Services}”).  That’s a bit spotty, and such things should be considered suspicious.  There’s also a dangling modifier:  “In order to assist you in a timely manner, please call us at the numbers provided rather than responding to this message.”  (The first clause refers to them—i.e., they would be assisting you—but the second clause refers to you; i.e., here’s what you should do.)  Certainly this is bad grammar, but it’s the kind of error a native speaker would make—even an Amex employee.  It’s not the kind of error you’d expect from a scammer writing in a second language.  Even still, as a general rule I would normally delete this e-mail on the basis of this, or any, grammatical error.  If this makes extra work for your bank, shame on them for filling corporate communications positions with people who can’t write a decent sentence.

All of this aside, there was one fundamental characteristic of this e-mail that caused me to take it seriously:  it didn’t ask me to click on anything, and it suggested I call the toll-free number on the back of my Amex card.  That is exactly the kind of action a bank would legitimately ask you to take, and dialing this number is an inarguably safe thing to do.  (I cannot imagine how a hacker could print a fraudulent toll-free number on the back of my card.  He would need physical access to my wallet, in which case he would presumably have no need to do anything online.)

I did note that the number provided in the e-mail didn’t match the number on my card, but it’s not uncommon for a financial entity to have multiple toll-free numbers.   You should never dial a toll-free number provided in an e-mail.  A phone number in an e-mail is just a link you dial instead of click: while that’s not as obviously dangerous as clicking on a link, it could still get you in trouble.  What if you reach a voice-response system that sounds authentic, and asks you to enter your card number and PIN?  That would be an easy way for a fraudster to take over your account.  Always go with the phone number printed on your statement or card.

Based on the e-mail above I called Amex, and sure enough, they had locked out my card because my last transaction looked suspicious to them.  During the call they authenticated me based on my caller ID, and accurately described the suspicious transaction.  I told them it was legit, they unfroze my account, and all is well. 

So:  does this mean opening the e-mail was a good idea?  No, not really.  If I had my life to live over, I’d probably have deleted the e-mail and just called Amex.  The slightly more complicated decision tree is this:

How common is all this, anyway?

Is this much ado about nothing?  Actually, I think this stuff is important because phishing is so rampant.  Looking in my junk mail (i.e., messages my ISP’s spam filter flagged), I see the following:
  • 2 messages from Apple on 2/11 saying “Your account is locked”
  • 3 messages from my regular bank between 2/3 and 2/9 saying “Action Required”
  • 1 message from my Visa card issuer on 12/21 saying “Notification ID: 2591912…”
  • 1 message from Apple on 11/07 saying “Apple Inc | Security notice”
  • 1 message from PayPal on 10/27 saying “Your PayPal account ha…”
Along with this, I see messages seeming to be from friends of mine that somehow triggered my ISP’s junk mail filter.  What if my ISP hadn’t filtered these?

Address book phishing

I’m not aware that the phrase “address book phishing” has any widespread meaning, but I’m talking about viruses etc. that replicate by forwarding themselves to everybody in the victim’s e-mail address book, and about e-mail accounts whose password was phished and which the fraudster now uses to mail the victim’s contacts.  In the second case the message genuinely comes from your friend’s account, so the sender address is no reassurance at all.  If your ISP lets these through, it can be tricky spotting them.  Here are a few ways.

Message is unexpected – Often I’ll get an e-mail from somebody I know, but who very seldom e-mails me.  For example, my friend’s wife e-mails me every so often and has done so for years.  Why would she?  Either her PC’s got a virus, or she’s trying to start an affair.  Either way, my reaction is the same:  delete that message!  If she really needs to contact me she’ll surely find another way.

Here’s a true story:  my wife e-mailed my brother several times to ask about some bike thing she wanted to buy me for my birthday.  My brother didn’t respond, either because he suspected phishing, or was just really behind on e-mail.  So the next time my brother called me on the phone, my wife intercepted the call and, before fetching me, said to my brother in a low voice, “Call me!”  He was totally perplexed, and she eventually had to call him herself.

Subject line is missing or suspicious – Of the four bogus messages I received recently purporting to be from friends, three have no subject line at all and the fourth has the subject line “RE: ” with nothing else.  The lack of a subject line is usually a giveaway unless you have really lazy friends.  Other suspicious subject lines would be the sender’s name, your name, or something insanely generic like “Hello.”  (If I e-mail a friend just to say hi, I’ll say something a bit more specific, perhaps involving an inside joke.)

Text of message doesn’t read right – Say you’re fooled into opening such an e-mail and now have text to look at.  The hardest thing for fraudsters to get right is grammar (often because English isn’t their first language, and a mass-mailing virus has no idea how your friend actually writes).  If your friends use terrible grammar and spelling, I recommend you find some better friends.  Otherwise, be very careful with messages that don’t read right.

If, for whatever reason, you decide not to open an e-mail that appears to be from a friend, it never hurts to create a new message, address it to the friend, give it a subject like “Suspicious e-mail…” and ask if he or she e-mailed you recently.  Don’t just hit Reply, and bear in mind that if the friend’s account itself has been taken over, the fraudster can answer “yes, that was me,” so a phone call or text message is a better way to check.  You can leave the original message in your Inbox while awaiting a response (unless you’re afraid you’ll open it by accident, like if your software is set up to automatically move from one message to the next).

So, here’s a more complete flowchart of how to handle messages:
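For readers who want the decision tree above as something they can actually run, here is an added example that is not part of the original post: a small Python script that applies the post’s rules (financial sender → delete, unless it’s a scheduled statement that asks nothing of you; a phone number in the message is never one to dial; a known contact with a blank or generic subject → verify out of band) to a handful of constructed sample messages.  The institution list, the contact list, the `.example` domains and all five messages are assumptions made up for the demonstration; the toll-free number pattern covers North American prefixes only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the post): the reader keeps these lists up to date themselves.
FINANCIAL_DOMAINS = {"mybank.example", "aexp.example"}
FINANCIAL_NAME_RE = re.compile(r"\b(bank|paypal|visa|amex|american express|apple)\b", re.I)
CONTACTS = {"friend@example.com", "brother@example.com"}
GENERIC_SUBJECTS = {"", "re:", "fw:", "fwd:", "hello", "hi", "hey"}
LINK_RE = re.compile(r"https?://|www\.|href\s*=", re.I)
# North American toll-free prefixes only; the point is that any number in an e-mail is untrusted.
PHONE_RE = re.compile(r"\b1?[-.\s]*\(?8(00|33|44|55|66|77|88)\)?[-.\s]*\d{3}[-.\s]*\d{4}\b")
STATEMENT_RE = re.compile(r"\bstatement\b", re.I)


def _text_parts(msg):
    """Yield the decoded text of every text/* part (HTML included, so links in it count)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def triage(raw):
    """Apply the post's rules to one raw RFC 822 message; returns (verdict, reason)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    subject = (msg.get("Subject") or "").strip().lower()
    body = "\n".join(_text_parts(msg))
    has_link = bool(LINK_RE.search(body))
    has_attachment = any(p.get_filename() for p in msg.walk())
    # A From header is trivially forged, so these checks only ever tighten the verdict,
    # never loosen it: a bank-looking display name on a random domain still counts as a bank.
    looks_financial = domain in FINANCIAL_DOMAINS or bool(FINANCIAL_NAME_RE.search(display))

    if looks_financial:
        if has_link or has_attachment:
            return "delete", "financial sender asking you to click or open something"
        if STATEMENT_RE.search(subject):
            return "keep", "scheduled statement with nothing to click"
        reason = "financial sender: delete, then call the number on your card"
        if PHONE_RE.search(body):
            reason += " (not the number in the e-mail)"
        return "delete-and-call", reason

    if addr in CONTACTS:
        if subject in GENERIC_SUBJECTS or subject == display.lower():
            return "verify", "known contact but blank/generic subject: confirm by phone first"
        return "keep", "known contact, specific subject"

    return "keep", "ordinary mail (the spam filter's job, not this script's)"


def _raw(from_, subject, body):
    """Build a minimal raw message; all of this is constructed sample data."""
    headers = [f"From: {from_}"]
    if subject is not None:
        headers.append(f"Subject: {subject}")
    headers += ["To: me@example.com", "Content-Type: text/plain; charset=utf-8", "", body]
    return "\n".join(headers)


SAMPLES = {
    "apple_locked": _raw('"Apple" <support@id-verify.example>', "Your account is locked",
                         "Unlock now: http://id-verify.example/unlock"),
    "statement": _raw("alerts@mybank.example", "Your monthly statement is available",
                      "Your January statement is available in online banking."),
    "card_alert": _raw("slcfraud@aexp.example", "Your Corporate Card",
                       "We noticed unusual activity. Please call us at 1-800-555-0199\n"
                       "or the number on the back of your card."),
    "blank_subject": _raw("friend@example.com", None, "http://tinyurl.example/abc"),
    "bike_thing": _raw("brother@example.com", "Re: bike thing for your birthday",
                       "Call me about the bike thing."),
}


def run_all():
    """Verdict for every sample, keyed by sample name."""
    return {name: triage(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = triage(raw)
        print(f"{name:14} {verdict:16} {reason}")
```

The script deliberately never tries to decide that a message is legitimate because of who it claims to be from; the financial-sender checks can only make the verdict stricter, which is the whole point of the post’s rule.  Running it prints one line per sample, with the Amex-style alert landing on “delete-and-call” and the note that the number in the message is not the one to dial.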

Will this approach keep me safe?

Actually, avoiding phishing scams is not enough to keep you safe.  We’re probably all eventually doomed, because data breaches of giant databases have become so common.  For example, an insurance company I do business with was hacked awhile back, and had over 70 million customer profiles compromised, including mine.  So, if you screw up and disclose personal information and/or help a virus to spread, you shouldn’t feel too bad. 

Still, I guess it’s nice to have a methodology for not being a complete sucker, and that’s what I’ve endeavored to provide.

