Go Phish

Working in the cybersecurity industry for a couple of decades, as a practitioner, researcher, penetration tester, and educator, I’ve run into some crazy stuff.  Some of it is shocking.  Some of it is painful.  Some of it is confusing.  And some of it is amusing.  For me, scam artists can often fall into that last category: amusing.

Anyone who remembers the days before spam filters got good remembers their inbox being graced by Nigerian princes looking for help moving money out of the country, or popular games needing us to log in to claim a special reward, or some lottery randomly selecting our email address and them needing us to send “$50 only!” to claim our prize.

Ah, the good old days.  And by “good” I mean annoying.  Amusing still.  But annoying.

They Are Still at It

Chances are that if you look in your junk email or spam folders now, you’ll still find those old school scams, some of which are almost literally unchanged from when they first started making the rounds a couple decades ago.  Oh, sure, some of the text and some of the names have changed, but you can still find the exact same phrases in use.  They come complete with grammar and spelling errors that would have made your 3rd grade teacher cringe, and stories that are so implausible as to make you wonder how anyone could fall for them.

Now, there is another breed of scammer out there that is a bit more sophisticated.  Or, at least, can be.

We’ve all heard about the Business Email Compromise (BEC) scams and related CEO Fraud scams that are a form of spear phishing.  They usually involve some kind of request to pay an invoice, wire money to an account, or something similar, and target someone in the organization who would have the access and authority to make it happen.  “Shark Tank’s” Barbara Corcoran fell for such a spear phishing scam and it cost her nearly $400,000.

Some of Them Get Focused

As a security practitioner and as a technical asset on the Marketing team, I’m not normally considered to be someone in a position, or with the authority, to respond to such requests.  But that doesn’t stop people from trying the technique on me.

Usually to my great amusement.

Case in point, since joining Gurucul I’ve had several different scammers trying what is commonly called the “Boss Scam.”  In this one, they reach out pretending to be the boss, needing you to get some gift cards for them to give to clients or colleagues or whatever.  It’s a pretty obvious scam that’s easy to avoid.  The amusement I get is from seeing how long I can string the scammer along before they realize I’m not actually going to buy a couple grand worth of gift cards and send them pictures of the numbers.

The real curiosity is why I would receive these at all.  Given my title and position, I’m an unlikely candidate for this kind of scam.  But it does point out that criminals will target whoever they can, whenever they can, and we all need to be aware of the sort of attacks we might face.  Unfortunately, these simple scams are not especially dangerous compared to the higher-tier threats.

But There Are Much Bigger Threats

There are a lot worse things out there than a wayward Nigerian prince, and executives and their staff aren’t the only targets.  In fact, as a recent security blog over at Google pointed out, security researchers have been targeted by a much more sophisticated sort of attacker: in this case, an attack that appears to come from state actors out of North Korea.  And the object here isn’t just a couple grand worth of gift cards, but valuable technical expertise and intellectual property.

While it’s basically trivial to spot a fake Nigerian prince or someone pretending to be your boss, a carefully crafted social engineering scheme is considerably more difficult to identify and avoid.  It also shows how sophisticated some of the attackers can be.

After all, security researchers are a technically savvy lot on the whole and know how to spot BS when they see it.  That some of them have fallen for these spear phishing attacks shows just how sophisticated and well-resourced some of the antagonists can be.

You Need to Be Part of The Solution

Our security tools and policies, and technical solutions like Gurucul’s security analytics platform, can do a lot to help thwart a broad range of attackers.  But even the best technical defenses can have trouble dealing with attacks that are purely social and rely on human factors outside the scope of what the machine can see or understand.  It falls to us, and I mean all of us, to be an active part of the solution, using common sense and a knowledge of the threats we face to keep ourselves and our environments safe.

That’s really the bottom line.  While it can be amusing to play with the scammers, we need to stay vigilant and be prepared for spear phishing threats that are considerably more sophisticated than what we usually expect.