Letter from the CISO, Vol 3 Issue 2
Washington University Community:
Is our best good enough?
In the battle against malicious cyber actors, we are constantly challenged by more clever and sophisticated attacks.
For example, for several years after we implemented DUO 2-Factor Authentication (2FA), the number of successful account-compromise attacks dropped to almost zero. And then the bad actors figured out how to socially engineer second factor DUO Passcodes, so we had to eliminate second factor DUO Passcodes. Then they learned how to “push bomb” users with floods of 2FA push requests until people just couldn’t stand it anymore and tapped “approve”. This led us to change a setting that limits the number of pushes per hour.
In short, it is an arms race. Malicious actors try to get through our defenses, and we try to block them and make it ever more difficult.
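As an added illustration of the push-limit setting described above (example code, not from the university or Duo; the five-per-hour cap, the user names and the log lines are constructed assumptions), this sliding-window check flags a push flood, flags an approval that follows one, and lists the pushes an hourly cap would have blocked:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Duo-style push events (not real logs): timestamp, user, event.
# alice receives a burst of six pushes and finally approves; bob is a normal login.
SAMPLE_LOG = """\
2024-03-04T08:01:02Z alice push_sent
2024-03-04T08:01:20Z alice push_sent
2024-03-04T08:01:41Z alice push_sent
2024-03-04T08:02:05Z alice push_sent
2024-03-04T08:02:30Z alice push_sent
2024-03-04T08:02:58Z alice push_sent
2024-03-04T08:03:10Z alice push_approved
2024-03-04T08:05:00Z bob push_sent
2024-03-04T08:05:15Z bob push_approved
"""

MAX_PUSHES = 5             # assumed hourly cap; the letter gives no number
WINDOW = timedelta(hours=1)

def parse_log(text):
    """Yield (timestamp, user, event) from the whitespace-separated sample format."""
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def analyze_pushes(text, max_pushes=MAX_PUSHES, window=WINDOW):
    """Sliding-window view of push requests per user.
    Returns (alerts, suppressed): alerts flag a push flood and any approval
    that follows one; suppressed lists the pushes an hourly cap would block."""
    recent = defaultdict(deque)   # user -> timestamps of pushes inside the window
    flooded, alerts, suppressed = set(), [], []
    for ts, user, event in parse_log(text):
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) > max_pushes:
                suppressed.append((user, ts))    # the cap would not send this push
                if user not in flooded:
                    flooded.add(user)
                    alerts.append((user, "push_flood", len(q)))
        elif event == "push_approved" and user in flooded:
            # an approval right after a flood is the push-fatigue success case
            alerts.append((user, "approve_after_flood", len(q)))
    return alerts, suppressed
```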
Your Smarts are Our Best Defense
In last month’s column, I stated that “the human firewall is our last, best defense,” meaning that your smarts and vigilance will succeed in detecting social engineering attacks when the technology just isn’t enough. This is critically important! 70-90% of successful compromises are related to social engineering.
And what is the most dangerous social engineering technique?
Spear Phishing sounds dangerous, and it is. According to Roger Grimes of KnowBe4 (see https://blog.knowbe4.com/wake-up-call-its-time-to-focus-more-on-preventing-spear-phishing):
“…spear phishing attacks that use personalized messages…make up only 0.1% of all email-based attacks according to Barracuda’s data but are responsible for 66% of all breaches.”
Roger Grimes
Spear phishing attacks are narrowly focused and specifically targeted.
A regular phishing message might say something like, “Warning! Your account has been compromised,” and then ask you to “Click on this link to reset your password.” The messages are sometimes so obvious that they might as well also say “Sucker!” after them.
Spear phishing attacks use personal or confidential information about a potential victim, or organization, to deceive them into taking harmful actions. The attacks can range from basic and short-term, to sophisticated and long-term.
Basic spear phishing often starts by exploiting specific information, perhaps gleaned from LinkedIn, online directories, and social media. Attackers craft emails implying they have insider knowledge or connections, making it easier to gain the victim’s trust. For instance, an email might include information about departments and coworkers, creating a false sense of legitimacy.
Sophisticated spear phishing attacks are even more deceptive. Attackers may leverage compromised email accounts, and any existing conversations with trusted partners, leading the recipient to believe the new fraudulent messages are genuine. This tactic is sometimes referred to as Business Email Compromise and is often used to redirect payments.
Spear phishing attacks can be business-related or personal. In both cases, trust can be assumed from a history of interaction or built over time.
Pre-texting is the social engineering technique where malicious actors create a fake persona, or scenario, to convince targets to divulge sensitive information or perform certain actions. These attacks often start very simply, for example, with a message via email, social media, a dating app, or text message from someone you don’t know. Sometimes they come from a copycat account made to look like someone you know. The message may simply say “Hi! How are you!” And if you respond, the malicious actor slowly builds the relationship, sometimes over months.
Warning signs include:
- Perfect matches in dating apps, but an inability to meet in person or even video conference, often justified by distance, military service, expense, or technical problems.
- Suggestions that the conversation be moved to a secure, private application like WhatsApp or Signal.
- Suggestions that your relationship be kept secret from friends and family, because they’ll be “jealous of what we have and try to break us up”.
You know for sure you’re being attacked when you receive:
- Requests for explicit photographs, which can lead to “sextortion” demands.
- Promises of expensive gifts (that never arrive).
- Suggestions that an investment approach is working well for them, and encouragement that you try it.
I recently heard of a romance-scam victim who felt the malicious actor had been the best boyfriend she had ever had due to the way he treated her, even after scamming her out of her life savings.
Detecting spear phishing emails and pre-texting is far more challenging than regular phishing attempts due to low volume, generally good writing, lack of malware or malicious links, and use of channels not protected or monitored by the university.
How to defend yourself and your family
Once again, and I say it every month, be vigilant, skeptical, and a little bit paranoid.
Talk to your family, friends, and coworkers about these threats.
Having read this far, you are almost certainly the most knowledgeable person in your circles about spear phishing, pre-texting, and social engineering. Share your wisdom. Plant the seeds of vigilance, skepticism, and paranoia with others.
Be especially skeptical of unexpected requests like when I am invited (out of the blue) to connect with celebrities like Elon Musk or Jeff Bezos.
Integrity is about always giving our best. In this case, sharing your knowledge, vigilance, skepticism, and paranoia is the best way to help.
If you need help with any of these, please contact the Office of Information Security.
Thank you for reading and being members of the university’s Information Security team!
Good luck, and be careful out there!
-Chris Shull, CISO