The Most Frightening Security Threat Out There? Clever Tricks
We just went over insider threats, which is one of many kinds of clever tricks. Clever tricks don't refer to any specific type of computer scam, but rather, just the art of scamming in general. Black Hat Hackers are usually in it for the challenge, the thrill, and the gain — they are con artists.
There was a very good article written in NY Magazine titled "Why We All Fall for Con Artists." I highly suggest reading the article; it is both illuminating and relates, in my opinion, very specifically to cyber security. You can read the article here if you are interested:
The basic point is this:
We all have that "it will never happen to me" mentality about a lot of things that threaten our lives — we have to, or we would all buckle quickly from the stress of it all. Additionally, it is simply part of human nature to be trusting; it is essential to our success as a species. Even if sometimes we feel the only thing we can trust is ourselves, there is still always at least that one thing to fall back on. Con artists prey on those things that we trust most. In hacking, this is what's referred to as "social engineering." Hackers study behavioral patterns and use our most reliable practices and routines against us.
Some Examples
One of the most common phishing methods is forging the sender address. Because the core email protocols have no built-in mechanism for authenticating the sender, it is actually quite easy to spoof a sender address and mislead the recipient about the origin of the email. This means that it wouldn't be terribly difficult for someone to send you an email carrying an infected PDF file and make that email look like it had come from an associate inside of your company. You open the email, not thinking twice, download the attachment, and Susie Hacker all of a sudden has access to absolutely all the information on your computer and you are none the wiser.
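As an added example (not from the original post), this is the kind of check a mail gateway or triage script can run on a received message's headers: does the receiving server's SPF or DKIM verdict actually vouch for the domain shown in From:, or does the visible sender merely look like a colleague? Both sample messages and their Authentication-Results wording are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed samples, not from the original post: the first is authenticated and
# aligned; the second forges a From: at the victim's domain while the envelope
# sender and the SPF verdict point at an unrelated relay.
ALIGNED_MSG = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>

See attached.
"""

SPOOFED_MSG = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-relay.invalid; dkim=none
From: Alice <alice@example.com>

Please open the attached PDF.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain of an address header value, or '' if none."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def sender_alignment(raw: str) -> dict:
    """DMARC-style check: does SPF or DKIM, as recorded by the receiving server,
    vouch for the exact domain shown in From:? If neither does, flag it."""
    msg = email.message_from_string(raw)
    from_domain = _domain(msg.get("From", ""))
    auth = (msg.get("Authentication-Results") or "").lower()
    # Split 'key=value' tokens out of the Authentication-Results header.
    tokens = dict(tok.split("=", 1) for tok in auth.replace(";", " ").split() if "=" in tok)
    spf_aligned = tokens.get("spf") == "pass" and tokens.get("smtp.mailfrom") == from_domain
    dkim_aligned = tokens.get("dkim") == "pass" and tokens.get("header.d") == from_domain
    return {
        "from_domain": from_domain,
        "return_path_domain": _domain(msg.get("Return-Path", "")),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "suspicious": not (spf_aligned or dkim_aligned),
    }


if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, sender_alignment(raw))
```

The spoofed message passes SPF for the relay's own domain, which is why a plain "spf=pass" is not enough; the check has to compare the authenticated domain against the one the recipient actually sees.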
Many people believe that there is a certain amount of technical skill involved in hacking, but one of the more interesting computer scams that happened lately involved the hacking of an email account through a customer support agent. The company that hosts this particular email service has always focused on security, and has improved its security measures constantly throughout the years, but hacking someone's email account is still not an immensely difficult process. In fact, you can very easily find step-by-step instructions online to this day:
http://bfy.tw/CDji
Your security protocol is only as secure as your weakest link, and there was one young man who decided there was an even easier route than all that fancy computer work. He knew the name of the man whose account he wanted to hack, his personal email address, the company the man worked for, and his title. This information is, for the most part, readily available for all of us. The young man called up this email service's customer support line and, even though he was unable to answer many of the security questions, still managed to display enough knowledge about his victim to convince the representative that he was the man he claimed to be, and to have the account password reset to one of his choosing. Thirty minutes, start to finish, and he had full access to this man's email account. Think about the simplicity and gravity of this scam. Once you're into someone's primary email account, it is easy to start accessing all their other accounts — bank accounts, Amazon accounts, etc. — by simply using the password reset function built into almost every login-capable site out there. This very event was the trigger for the now more common two-step verification process required for resetting passwords on many sites.