Bad Guys

Security

The Bad Guys

In the 6th century BC, the great Chinese general Sun Tzu famously wrote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." Make no mistake about it: when it comes to online security, we are at war with a skilled and determined enemy. In the "How You Protect You" section, know yourself by comparing your practices with those we strongly suggest. In this section, we will help you better understand the advisory so you can overcome them.

When we say the word "hacker" , "fraudster" or "cybercriminal", what images does it conjure? An geeky guy with unkempt hair and glasses? Some slickly dressed but somehow smarmy "snake-oil salesman?" A kid with too much time on her hands? While we are certain that some hackers, fraudsters and other cybercriminals fit those perceptions, who they really are might surprise you.

Hackers are not just freelance computer geeks making a score here there and there and spending the money on video games (although there are certainly some who fit this profile.) Most of these cybercriminals are highly intelligent, highly motivated, highly educated and highly paid. Some work for nations like China, Nigeria, Iran, and North Korea , terrorist organizations like Al-Quaeda and hacktivist groups like Anonymous. Others work for organized criminal enterprises like the Russian Mafia. Still others are employed by corporations, hired to steal information from competitors.

Cybercrime is big business. Jeff Multz, Security Evangelist for Dell SecureWorks, frequently reminds us that if all the annual revenues from online theft were combined into a single company (Crime, Inc.), it would be the largest corporation in the world, dwarfing behemoths like Big Oil and Wal-Mart. Where do all these revenues come from? From people like you. Just like you. And if you are not very careful, you may end up contributing directly to their success.

It is a sobering thought, but as the saying goes, forewarned is forearmed. Know your enemy and you can overcome him.

Now that you know who the Bad Guys are, let's look at some of the tactics they use against you. Bear in mind that this is a general overview; new tactics are being developed all the time, but the overall strategy remains the same: to take what belongs to you for themselves.

Tactics

Remember that, fundamentally, these are con artists, masquerading as something favorable or benign. When a website, email, phone call, or text comes from the Bad Guys, these signs will tip their hand:

  • Gain Your Confidence. The fraudster will claim to be from the Bank or other organization you know and trust
  • Create a Situation. "Click Here to be directed to our new site to verify your information!" or "We are doing a system upgrade and need to confirm your information"
  • Apply a High-Pressure Situation Based on Fear. They attempt to create a sense of urgency, for example: "If we don't confirm your debit card number, your card will be de-activated!"
  • Pretend All Is Well When They Get What They Want. You might get a "Thank You" or "Virus Removed" message…or nothing at all!

Techniques

Phishing

IT folks, for whatever reason, are not the world's greatest spellers. Phishing (pronounced "Fishing") is a technique where the cybercriminal sends an email message that contains a link to a malicious site or an attachment with malware hidden within it.

Vishing

Vishing (pronounced just like it's written, for some reason) is Phishing over a phone call (hence the "V" for ‘Voice'). The fraudster calls, pretending to be from the Bank, and asks for personal information. Remember, the Bank already has your information! We won't cold-call you and ask for it. Remember, hackers try to scam us, too, so if you call us, we will ask you to identify yourself with personal information, but we won't call, email or text you out of the blue to get information we already have.

SMiShing

SMiShing is a term for Phishing over text (SMS). The fraudster will send a text message to your cell phone, pretending to be from the Bank and try to trick you into clicking a link or texting information back to him.

Scamware

This is a newer form of malware that tricks you into installing a virus on your computer. There are many variations on how Scamware manifests itself, but here is an example: A message appears on your computer stating, "You've been infected with SomeSuperVirus" and telling you to "Click Here" so "Windows Security Program" will remove it and scan your system to be sure it's safe. Of course, the Scamware detects some fake virus and you have to pay a $29.95 (or similar figure) to download the program that "fixes" it. Of course, the program you download and pay for is more spyware…it "removes" the phantom virus, but puts lots of undetected malware on your system.

Ransomware

This technique is a newer and more aggressive form of malware. Ransomware takes over your computer and locks it down so you cannot use it unless you pay the hacker. For example, you might get an FBI logo popping up with a message stating that illegal activity has been found on your computer, and if you pay a fine, they'll delete it for you. These "fines" are pricy, in the hundreds of dollars. Of course, paying the hacker doesn't always solve the problem…and now they have your credit card number!

It is important to remember that in the first few hours and days of a new malware attack it seems impossible to overcome if you've been infected. But, NEVER PANIC and give the thieves what they want. Fixes DO come out for these attacks, and most of the time, your computer can be rescued. Once you've given your information out, however, it's out there and cannot be retrieved!

Low Tech

Beware of letters in the mail that contain checks, calls claiming you've won the Canadian Lottery, faxes, Secret Shopper ads, and other older technology communications that promise you large sums of money for a small, up-front fee. As a general rule, do not give out information or your debit card number as a response to unsolicited communications.