Information security basics for physical security professionals
By Justin Casey and Tony O’Brien
This article has been written in collaboration with my colleague and fellow security professional Justin Casey. When I say collaboration, what I mean is that Justin has written the majority of the article and I pop in from time to time with my two cents. When it comes to information security awareness, my strengths lie in social engineering and physical hard and soft access penetration. Justin is much more of a tech guy than I am. I asked him to work with me on a series of articles on information security for security operatives. I believe it’s an area where there is little emphasis in the security sector but lots of risk. Over the next weeks and months we will look at various areas of information security that we believe are important for every security operative to be aware of. This week we start with phishing. Like I said, the majority of the material is Justin’s and I’ll chime in with these orange boxes from time to time.
So what exactly is ‘phishing’?
In layman’s terms, phishing can be considered the original form of ‘catfishing’: it is the act of contacting random or targeted people via email while pretending to be a legitimate business, identity or organisation, in the hope of obtaining some sort of personal or sensitive data.
Have you ever received an unexpected email from somebody offering something that just sounds too good to be true?
One of the most well-known cases of phishing is the infamous ‘Nigerian prince’ who wants to share his wealth and give you an elaborate sum of money; all you have to do is provide your bank details or pay a small administrative fee for the money transfer so that he can send you this money.
Although it is one of the oldest and most well-known internet scams throughout the world, to this day it remains very lucrative, as it requires little to no investment to deploy. The main factor in this form of attack is quantity over quality: instead of trying to target 20-30 individuals and scam them out of hundreds or thousands of euros, the more favourable and likely approach is to target hundreds or thousands of people and scam them out of 20-30 euros each. The offer of potentially gaining a large sum of money for the small risk of losing 20-30 euros then seems worth it to many people.
It is this mass-targeting approach, combined with the risk-versus-reward element, that means that even in this day and age, and even though it sounds far too good to be true, this is still a VERY, VERY common scam.
Even though the Nigerian prince phishing campaign is still quite prevalent, the style and tactics of phishing have evolved alongside its notoriety and the advance of technology. Some examples of this evolution include whaling (the CEO transfer request) and spear phishing (the account/membership renewal style of phishing).
‘Whaling’ – The CEO transfer request.
This is one of the most common styles of phishing attack carried out in the corporate and executive world. The attack is implemented by identifying the CFO or members of the finance department within an organisation and contacting them while impersonating the CEO or ‘top dog’ executives of that organisation, requesting that they transfer a certain amount of funds to the attacker’s bank account. The reason this scam has a tendency to work is that it exploits various human psychological responses, including submission to authority, a sense of urgency and the general need to feel important or to help those on your team.
As you can see from the basic example in the picture above, the attacker contacted a member of the finance department pretending to be one of the executives, claiming that they are busy and cannot handle the issue themselves, that it is a priority because it must be done before the close of banking hours, and that they cannot take calls at the moment, meaning verification of the email is limited.
But how does someone from outside the organisation obtain the direct email addresses of specific departments?
There are many methods by which people could obtain this information, including dark web databases from various hacks that have taken place, but there are also more easily accessible ways to find such information, one of which is an online service by the name of Hunter.io.
Before we delve into Hunter.io (which is a great system) I want to look at this from a security officer’s perspective. I can very much see an email like this being sent to a security team from a spoofed client manager account asking for an alarm code/access code or credentials to be generated for a fictional employee, or granting access to the site to a fictional contractor. The contractor arrives an hour later with a copy of said email and in most cases is granted access after a quick sign-in. Always check and double-check these emails and never assume it is legitimate just because it looks like it came from a manager.
Hunter.io is a website and browser extension that uses open source intelligence gathering to ‘scrape’ domain headers and web pages in order to identify and gather any email addresses that may be present. This means that you can go to the Hunter.io website, enter the domain of the target organisation, and Hunter.io will provide a list of any email addresses it has gathered on that domain. It also lets you apply filters based on the specific departments you require, and can include the name, social networking accounts or mobile phone number of the person who owns the email address if it has that information, as shown in the image below, where I used Google.com as an example that gave over 17,000 results from 10 different departments.
The FBI has released statements claiming that this style of attack is a 26 billion dollar scam and that last year alone whaling has cost corporate businesses in excess of $670 MILLION!! Examples include Pathé, a French film company, which in 2018 lost over 21 million due to CEO email fraud; it is unknown whether any of these funds were recovered, but both the managing director and the CFO were fired as a direct result of the attack. Over the years even some of the leading Silicon Valley corporations have been victims of this style of phishing: in 2013 a Lithuanian man targeted two of the major tech-savvy giants, later identified as Facebook and Google. The man impersonated the email accounts, invoices and company stamps of one of the leading Asian computer parts suppliers that both companies did business with, and over the course of two years he managed to swindle over $100 million until the companies realised what was happening and an American court indicted the man and had him arrested.
‘Spear Phishing’ – The account/membership renewal request.
Similar to standard phishing techniques, spear phishing is aimed at the general public rather than corporations or businesses, although what makes this attack different is that it specifically targets certain groups of people. This means that an attacker would generally obtain the email addresses of individuals who use a certain service and then replicate the corporate identity of the service provider in order to fool the victims into believing that the email was legitimate. Primarily this tactic is used to obtain credentials such as usernames and passwords, or to deliver viruses, ransomware, spyware, etc., which means that it requires slightly more advanced computer knowledge to carry out successfully. Attackers will typically clone a login page of the service provider and then email the list of service users they have gathered, in the hope that many of them will click a hyperlink included in the email. The link often brings them to the cloned version of what they believe is the real web page, which captures the login credentials they submit and relays that information back to the attacker, while the victim is redirected to the real login page so that they think they simply made a typo and have no idea that they just gave away their login details.
A quick (and cheeky) test I did
To test the premise of spear phishing and how effective it would be, I did a little test last week. I created an ad on a well-known jobs website as a fictional and unnamed security company. I advertised decent rates of pay and conditions and requested a minimum of 3 years’ experience in the industry. I asked for CVs to be uploaded along with a copy of a PSA licence. In 3 days I got 34 CVs sent to me, almost all of them from people actively working in the industry. Their CVs contained all of their contact details including e-mails. They also tell me where they currently work and for whom, as well as details of their manager as a reference. I also have a copy of their PSA licence. I’m not going to go into the damage I could do to them and their organisation with this information in this article (maybe later) but it is substantial. My point is that it was an unnamed security company and contact and they gave me everything without a second thought. Don’t worry though, I deleted all of it and removed the job ad so as to save them the embarrassment.
Here are some examples of how this attack may be carried out. Take a look at the first example and see if you can spot the tell-tale signs that this is not from the legitimate service provider…
Well, did you find it? It is small and subtle, but a good demonstration of how easily you could fall for such an attack. How often do we scrutinise our emails? Our eyes are naturally drawn to colours and logos, which subconsciously authenticate or justify such things for us without prompting us to nit-pick and examine further. This is what makes attackers so successful with this style of attack: many of them are extremely smart and understand the natural human responses to certain stimuli.
Let’s have a look at one more that was attempting to hijack victims’ credit card details; this example has clearer ‘red flags’.
NOBODY is safe from being targeted from any of these Phishing campaigns!
Just last week I myself was targeted with a phishing attempt, as shown below.
How Not to be a victim of Phishing……
Simply put, conducting due diligence on an email can establish its legitimacy, and there are certain tell-tale signs or ‘red flags’ that we can look out for.
- Pay attention to spelling.
The first and usually the most determining factor is the sender’s email address. Many times the attacker will purchase a domain with a similar name and just add, remove or change a single letter, so that the subtle difference is hard to notice without scrutinising it.
- Don’t panic
Oftentimes these emails are worded in a way that causes panic or a sense of urgency, whether by stating some sort of time window or claiming that your account is at risk for some reason, giving the feeling that you need to act fast to fix something. First take the time to verify all aspects of the email before acting on its contents.
- Do not click any links!!
If you have any suspicions at all, do not click on any links whatsoever that may be included in the email, and do not respond to the email. All it takes is one click, and that could be all an attacker needs to progress and escalate their phishing attack into a flat-out attempt to hack your device directly.
Always look out for the SSL certificate, or check that the website address begins with HTTPS, so that your communication with the website is considered secured.
- Routinely monitor your accounts
Regularly check your accounts to see if there have been any suspicious or unknown logins from devices other than your own.
Lastly, be proactive and stay up to date with the various methods and countermeasures for common and new styles of attack. Invest a small bit of time in learning more about cyber security, and conduct training and information sessions for any clients, colleagues or staff, as the weakest link in any organisation is always the human element and basic human error.
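The sender-address and link checks in the list above can be written down as a small triage script. The one below is an added example for this article, not a tool from the authors or from any product named here. It takes a handful of constructed From: headers (none of the addresses belong to a real sender), measures how far each sender’s domain is from an assumed allowlist of trusted domains (TRUSTED_DOMAINS), flags display names that borrow a trusted brand while sitting on an unrelated address, and checks whether a link uses HTTPS.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of legitimate sender domains (constructed for this example).
# In practice this would be the organisation's own domain plus known clients
# and suppliers.
TRUSTED_DOMAINS = {"examplebank.com", "celticsecurity.example"}

# Constructed From: header values illustrating the patterns described in the
# article. None of these addresses are real.
SAMPLE_HEADERS = [
    "Accounts Team <billing@examplebank.com>",                    # genuine
    "ExampleBank Security <alerts@exarnplebank.com>",             # "rn" standing in for "m"
    "ExampleBank Support <support@examplebank.co>",               # one letter dropped
    "Celtic Security Ops <manager@site-access-portal.example>",   # brand in name, unrelated domain
    "Newsletter <news@unrelated.example>",                         # not suspicious, just unknown
]


def levenshtein(a, b):
    """Number of single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca with cb
        prev = cur
    return prev[-1]


def normalise(domain):
    """Collapse character sequences that look alike in many fonts, so that
    'exarnplebank.com' compares equal to 'examplebank.com'."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def sender_parts(header):
    """Split a From: header into (display name, domain); domain is '' if absent."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, domain


def classify_sender(header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike', 'brand-mismatch', 'unknown' or 'invalid'."""
    name, domain = sender_parts(header)
    if not domain:
        return "invalid"
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # A confusable-character swap, or a domain within a couple of edits of
        # a trusted one, is the "single letter changed" trick from the article.
        if normalise(domain) == normalise(t) or levenshtein(domain, t) <= max_distance:
            return "lookalike"
    # The display name borrows a trusted brand but the address behind it does
    # not belong to that brand: the shape of the spoofed-manager email.
    brand_words = {t.split(".")[0] for t in trusted}
    compact_name = re.sub(r"[^a-z]", "", name.lower())
    if any(brand in compact_name for brand in brand_words):
        return "brand-mismatch"
    return "unknown"


def link_is_https(url):
    """True when the link uses https:// and actually names a host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def triage(headers=SAMPLE_HEADERS):
    """Classify every header; anything other than 'trusted' deserves a second look."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:15} {header}")
```

Two points worth keeping in mind when using a check like this: the allowlist is what gives it teeth, so it only helps if it lists the domains you genuinely expect mail from, and `link_is_https` only confirms that the connection will be encrypted. A cloned login page can carry a perfectly valid certificate, so the padlock tells you nothing about who is on the other end; the domain comparison is the check that matters.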
I hope you all got some awareness and maybe some new information from this article. Information security is not new but it is growing and it is something we all need to be aware of. Over the next few weeks we are going to mix in a number of these types of articles with our regular articles. If you would like to cover any particular topic then let us know and we will see what we can do. Until then ….
Don’t believe everything you see in an email !!!!!!
Justin is a young but dedicated security professional who has spent the past number of years seizing each and every opportunity that has crossed his path in order to learn and progress within the industry, including extensive training in the Physical, Cyber and Intelligence sectors. As an instructor and official representative of the European Security Academy (ESA), over the years Justin has been involved in the delivery of specialist training solutions for various international Law Enforcement, Military and government units. He has led both covert surveillance and close protection operations, as well as putting in the ground work here in Ireland as a security operative for Celtic Security Solutions. Recently Justin has begun a new position in Dublin as a trainer for the International Centre of Security Excellence (ICSE). You can connect with him on LinkedIn here.