Employee Manual to Prevent Cryptolocker and More
A common way computers are infected or compromised has always been a simple yet well thought out deception. It can happen to anyone and the use of social trickery is nothing new. Understanding the victim is all that’s needed to receive their cooperation.
If you’re thinking it could never happen to me this refreshed couldn’t hurt. You might want to share the examples here with your friends, family and especially your employees. Social engineering has come a long way since the possibility of seeing Anna Kournikova naked.
Here’s a common example that has been used to infect computers with the crippling Cryptolocker extortion attack.
This one and variations are going to get more popular as Santa starts shipping his presents. In this example the “From” email isn’t even disguised which means these guys were really lazy. Don’t bother replying because the Email address belongs to someone who has already been hacked and was probably shut down by the time you receive your Email.
Any Email “bait” like this will appear to be a legitimate message. The attacker linked to text and a graphic located at FedEx. The simple line of code below is all that’s needed to display the FedEx logo
<img src= “https:// catalog.fedex.com/images/external/gsi/hdr_fedex.jpg">
This Email from fake UPS is also tempting because you certainly wouldn’t want to miss anything. We all love packages.
Human Resources Needs You
Here’s one directed at employees designed to be a standard employment request. In this case, it’s to use the company car. It’s very common to see attachments that appear to come from Human Resources.
The “From” address and even filename has been doctored to make it appear to be from within the company. If the company is large or you’re a new employee downloading and filling in this form may not seem suspicious. It’s not unusual for an attack to be targeted since information on officers and HR managers is easy to find.
You’ve Been Reported
I’ve received a few claiming to be from Dun & Bradstreet trying to scare companies into thinking they need to clear their good name.
It’s also common to see fake Emails from the Better Business Bureau. In the U.K. there’s Companies House which registers and keeps track of companies for the Department for Business, Innovation and Skills.
Question Every Email
These phishing expeditions are common and effective in all countries. I generally question every Email even when it comes from someone I know. How many times have you received Email from friends saying they’ve been hacked? If you have any doubts just contact the sender or an official with the company sending the message. My bank has always thanked me for calling. They love to impress customers with their knowledge of security trends.
Curiosity Killed Your Job
It’s not unusual to receive messages which appear to be meant for someone else. More than a few attacks succeed because of human curiosity.
Speaking of curiosity, I’ll end with a newer version of a classic bait and steal scheme.
I’ve worked for companies where discussion of salaries could be cause for immediate termination. An ancient method for infiltrating a company involved dropping an infected floppy disks labeled something like “Employee Salaries” in public places. This “Baiting” is still used but relies on DVD’s, USB Flash drive or SD cards labeled as personal or secure data. Visitors often have access to rest rooms in secure areas. What they leave on top of a towel rack could be more dangerous than high explosives.
I’m sure what I’ve discussed isn’t anything new but you may know someone who would benefit from this lesson. Share these examples along with a healthy dose of paranoia. The data you save may be your own.