Healthy Skepticism
This month’s update focuses on social engineering schemes. In one case attackers have been successful in getting victims to believe a pretty implausible lie, and in another attackers leverage seemingly benign social media platforms to generate viral postings for money or to spread malware.
Our first story comes from an article on CNN that reminds us that the phone is the oldest and one of the most effective instruments of social engineering. Because it takes only very simple software to spoof caller ID, attackers are calling victims claiming to be from the FBI, using the FBI’s local field office number in the caller ID to lend credibility. The attacker may also research the victim online, presenting facts about the victim that lead them to believe they are dealing with legitimate government representatives. If the victim believes the attacker’s story, the attacker asks for money to settle a criminal charge or under some other pretext. While it seems unlikely that the FBI would call out of the blue, the scheme has successfully extracted $450 million from victims.
The second story involves “like-farming,” the practice of trying to induce large numbers of people to like an entry on Facebook or a similar platform. Scammers post a cute picture or some easy quiz (e.g., “only a genius can name a city without the letter Q in its name”). Since social media platforms decide how often to show an item based on its popularity, mass participation in the quiz causes more and more people to see the content. In some cases, the scammer is merely collecting information from the person liking the posting. Usually, however, once the attacker generates enough interest, they add a hidden malware element to the content, so when you click on the picture, video, or other attachment, your machine becomes infected.
What can you do?
Both of these scams rely on people’s willingness to believe the facts presented to them. Healthy skepticism is your best friend.
- Remember that caller ID, like an email’s “From” name, is completely under the control of the caller/sender. Ask yourself: is there any reason to believe the FBI has a warrant for you, and even if they did, would they call you out of the blue to let you know?
- Feel free to hang up the phone and call the FBI back at a number you find on their website. Don’t trust a call with an improbable story just because the caller pretends to have a credential.
- Remember that there is lots of information about all of us that is available publicly. Employment history, property taxes, and family information are all out there.
- There is no good reason for someone to post an easy quiz and claim that only brilliant people can solve it. The fact that your friend forwarded it to you doesn’t make it any safer.
Stay aware and stay cybersafe!
About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.
Walter Kerner
Chief Information Security Officer
Division of Information Technology