A Multi-Staged Attack Works Well

A Multi-Staged Attack – usually a phishing email, followed up by a phone call.

It works because like Michele says…

… “if it comes from more than one source, it must be true.”

The Attack

A call will come in, and a stranger will have a believable story that relies on the email they sent you.

What they’re asking of you won’t seem like a big a deal… maybe they’re seeking a little piece of information, or for you to perform a seemingly mundane task on their behalf.

The call will have a sense of urgency, a realistic reason why they need you to do something ASAP. It will seem logical.

The attacker will be slick with words, and you’ll start to feel like helping them

“People don’t want to be rude, it’s a social faux pas. This attack exploits our natural instinct to be helpful” says Michele.

The Defence

don’t click any links in the email they’re referring to

– ask yourself if the call is coming from an expected source?

– be the outgoing call

– buy yourself time. Say something like, “I’d happy to help, but you caught me in the middle of something. Let me finish it and I’ll call you right back, what’s your number?”

I can confirm the effectiveness of this attack.

Did this for years back in the early days of the internet – not for nefarious reasons, but for sales.  It was amazing how many strangers would take my call.

Chain of Events

Search for companies who would benefit from buying advertising on my site > copy/paste sales email that concludes with, “I’ll followup with you in a couple days” > send, then wait 2 days > phone them, “Hi it’s Keri, I’m calling to followup on the email I sent, sure I’ll hold for the manager thanks” > close sale

This has been Part 3/3 in a series with Michele Fincher of Social Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE.)

Meet Michele here

Blog tag = social engineering (25)



Watch Out for On-site Impersonation Attacks

When a stranger shows up to your place of business, don’t take it at face value they are who they claim to be.

The Attack

By exploiting people’s trust, manners, and our social nature to be helpful, impersonation is an effective way to gain physical access to somewhere otherwise off-limits.

The attacker will seem genuine, probably because they’ve prepared by collecting information about your organization.

They will look the part, and it will make sense what are they asking for

Example: “Oh you’re wearing a tool belt and construction vest, it seems logical you’d like access to our mechanical room, okay I’ll take you there.”

Like when Michele posed as a singing telegram.

She donned a set of medical scrubs, got some grocery store chocolates and balloons and showed up at the target’s business.

“No, I’m not on today’s appointment list, I’m a singing telegram sent by a secret admirer of Mr. Jones.”

Then better yet, “No I don’t have my ID on me, but look, my name is written on my stethoscope.”

Michele says the security guards did the right thing by escorting her up to see Mr. Jones. In she went and sang her heart out. Everyone loved it, so they forgot about her because she was then left alone to roam the building.

Which Impersonations Work Best, Michele?

pest control, because no one wants to deal with bugs

– play to stereotypes and expectations – she’s a woman so must be the underling, and her male counterpart the boss

– a woman lowers people’s guard, take advantage of a gender bias

– exploit the automatic response to authority. Example: wear a safety vest and hard hat to direct traffic, without having to offer an explanation

The Defence

– ask lots of questions

– ask to see ID

– stop the stranger and ask a non-yes/no question like, “what can I help you find?”

– never leave a guest unattended

– don’t feel shy to be a stickler

This has been Part 2/3 in a series with Michele Fincher, Chief Influencing Agent at Social Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE.)

Meet Michele here.

Blog tag = Social Engineering (25)



Do You Pay the Ransomware?

Of all the malware, Ransomware terrifies me… imagine your entire digital life is held hostage.

The Attack

How it works: a message takes over the screen > hi your entire computer is locked, along with all your files > want the key? > pay the ransom > get key, unlock (more here)

The bigger problem is whether or not to pay, because there’s no definitive evidence which is more successful.

Possible Scenarios – pay, they want more, withhold key / pay, they keep their word and send key / don’t pay, and you haven’t backed up in 7 months, imagine the cleanup and rebuilding

The keynote speaker at the recent SecTor security conference manages the Secret Service’s Cyber Intelligence Section, and even those guys haven’t seen a pattern.  Jason B. Brown says it’s consistently 50/50 the key will actually be sent, so they don’t feel comfortable advising either way.

(how to edit a photo before uploading here)

The Defence:

Think before clicking

– Weekly backups

– Strong passwords, stored in a password manager

– Surf stupid sites on a laptop that’s independent of your online life.  No using it to log into email or social media accounts. Photos and documents are moved to your main computer, then deleted. Oh you locked up my empty hard-drive? Wipe & rebuild.

Blog tag = SecTor



Don’t Get “Vished” – Attacked via the Phone

Basically – the phone is used as an attack vector to get information.

Vishing – attacker calls you and extracts sensitive information you’d otherwise not share

This type of psychological attack takes advantage of trust, manners, and our social nature to want to be helpful.

The Attack

A stranger calls you at work. They will usually assume 1 of 2 personas – friendly, or intimidating.

1 – the caller is friendly and fun, making you feel rude saying no to their request

2 – the caller poses as someone higher up the corporate ladder. They’ll create a sense of urgency and obligation for you to provide them the requested information. So not wanting to disappoint your “boss”, you give it to them.

While the above are just 2 of the many possible personas, they’re the most popular. See chart below for more angles.

The Defence

– your gut. If something feels off, don’t be shy to say “I can’t” or flat out “no”

– be the outgoing call. Say, “I can probably help you with that, let me finish this email and I’ll call you right back… what’s you number?”

– phone number spoofing is easy, as in, caller ID is not reliable

– vishing attacks often happen while you’re very busy and distracted, so your defences are already down

– remember no information is inconsequential. The attacker may be seeking a tiny piece of information that seems small and frivolous, but really, it’s a key piece to a bigger puzzle

– someone recently tried to vish me, read the anatomy of the attack here

This has been Part 1/3 in a series with Michele Fincher of Social Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE.)

Meet Michele here.



Beware of Bots in your Instagram Feed

Few weeks ago, I Instagramed the below photo, along with the hashtag #MrRobot

Within 13 seconds of posting, the account florstyles12 replied with the below comment.

By the next day, the comment had been deleted.

The Attack

A popular hashtag is posted > bot is programmed to automatically reply > reply is full of links to other accounts > curious recipient visits other accounts > malware is waiting in one of them

The Defence

Time. Note how fast the reply came back.

There’s no way to type those 8 tags in 13 seconds… try it. Right?!

Therefore – must be an automated reply, therefore not clicking and getting involved.

Think before you click.