Login
Social engineering. It’s a con game. And a con game by any other name stings just as badly.
Like any form of con, social engineering dupes their victims by playing on their emotions. Fear, excitement, and surprise. And they prey on human nature as well. The desire to help others, recognizing authority, and even the dream of hitting it big in the lottery. All of this comes into play in social engineering.
By design, the scammers who employ social engineering do so in an attempt to bilk people out of their personal information, their money, or both. More broadly, they’re designed to give scammers access—to a credit card, bank account, proprietary company information, and even physical access to a building or restricted space in the case of tailgating attacks. In this way, social engineering is an attack technique rather than a specific type of attack.
Several types of attacks employ social engineering:
The list goes on. Yet those are among the top attacks that use social engineering as a means of hoodwinking their victims. It’s a scammer’s secret weapon. Time and time again, we’ve seen just how effective it can be.
So while many bad actors turn to social engineering tricks to do their dirty work, they share several common characteristics. That makes them easy to spot. If you know what you’re looking for.
An overexcited or aggressive tone in an email, text, DM, or any kind of message you receive should put up a big red flag. Scammers use these scare tactics to get you to act without thinking things through first.
Common examples include imposter scams. The scammer will send a text or email that looks like it comes from someone you know. And they’ll say they’re in a jam of some sort, like their car has broken down in the middle of nowhere, or that they have a medical emergency and to go to urgent care. In many of these cases, scammers will quickly ask for money.
Another classic is the tax scam, where a scammer poses as a tax agent or representative. From there, they bully money out of their victims with threats of legal action or even arrest. Dealing with an actual tax issue might be uncomfortable, but a legitimate tax agent won’t threaten you like that.
You’ve won a sweepstakes! (That you never entered.) Get a great deal on this hard-to-find item! (That will never ship after you’ve paid for it.) Scammers will concoct all kinds of stories to separate you from your personal information.
The scammers behind bogus prizes and sweepstakes will ask you for banking information or sometimes even your tax ID number to pay out your winnings. Winnings you’ll never receive, of course. The scammer wants that information to raid your accounts and commit all kinds of identity theft.
Those great deals? The scammers might not ship them at all. They’ll drain your credit or debit card instead and leave you tapping your foot by your mailbox. Sometimes, the scammers might indeed ship you something after all—a knock-off item. One possibly made with child labor.
Scammers will often pose as people you know. That can include friends, family members, co-workers, bosses, vendors or clients at work, and so on. And when they do, something about the message you get will seem a bit strange.
For starters, the message might not sound like it came from them. What they say and how they say it seems off or out of character. It might include links or attachments you didn’t expect to get. Or the message might come to you via a DM sent from a “new” account they set up. In the workplace, you might get a message from your boss instructing you to pay someone a large sum from the company account.
These are all signs that something scammy might be afoot. You’ll want to follow up with these people in person or with a quick phone call just to confirm. Reach them in any way other than by replying to the message you received. Even if it looks like a legitimate account. There’s the chance their account was hacked.
How do scammers know how to reach you in the first place? And how do they seem to know just enough about you to cook up a convincing story? Clever scammers have resources, and they’ll do their homework. You can give them far less to work with by taking the following steps.
Online data brokers hoard all kinds of personal information about individuals. And they’ll sell it to anyone. That includes scammers. Data brokers gather it from multiple sources, such as public records and third parties that have further information like browsing histories and shopping histories (think your supermarket club card). With that information, a scammer can sound quite convincing—like they know you in some way or where your interests lie. You can get this information removed so scammers can’t get their hands on it. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites and with select products, it can even manage the removal for you.
Needless to say, social media says a lot about you and what you’re into. You already know that because you put a part of yourself out there with each post—not to mention a record of the groups, pages, and things that you follow or like. All this provides yet more grist for a scammer’s mill when it comes time for them to concoct their stories. Setting your accounts to private takes your posts out of the public eye, and the eye of potential scammers too. This can help reduce your risk of getting conned.
Scammers throw all kinds of bogus links at people in the hope they’ll click and wind up on their scammy websites. They’ll also send attachments loaded with malware—a payload that contains ransomware, spyware, or viruses. If you get a message about one of your accounts, a shipment, or anything that involves your personal or financial info, confirm the sender. Did the message come from a legitimate address or account? Or was the address spoofed or the account a fake? For example, some scammers create social media accounts to pose as the U.S. Internal Revenue Service (IRS). The IRS doesn’t contact people through social media. If you have a concern about a message or account, visit the site in question by typing it in directly instead of clicking on the link in the message. Access your information from there or call their customer service line.
The combination of these two things makes it tough for scammers to crack your accounts. Even if they somehow get hold of your password, they can’t get into your account without the multifactor authentication number (usually sent to your phone in some form). A password manager as part of comprehensive online protection software can help you create and securely store those strong, unique passwords. Also, never give your authentication number to anyone after you receive it. Another common scammer trick is to masquerade as a customer service rep and ask you to send that number to them.
This is the one piece of advice scammers don’t want you to have, let alone follow. They count on you getting caught up in the moment—the emotion of it all. Once again, emotions, urgency, and human nature are all key components in any social engineering con. The moment you stop and think about the message, what it’s asking of you, and the way it’s asking you for it, will often quickly let you know that something is not quite right. Follow up. A quick phone call or face-to-face chat can help you from getting conned.
The post Social Engineering—The Scammer’s Secret Weapon appeared first on McAfee Blog.
Two U.S. men have been charged with hacking into a U.S. Drug Enforcement Agency (DEA) online portal that taps into 16 different federal law enforcement databases. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and extort their victims.
Prosecutors for the Eastern District of New York today unsealed criminal complaints against Sagar Steven Singh — a.k.a “Weep” — a 19-year-old from Pawtucket, Rhode Island; and Nicholas Ceraolo, 25, of Queens, NY, who allegedly went by the handles “Convict” and “Ominus.”
The Justice Department says Singh and Ceraolo belong to a group of cybercriminals known to its members as “ViLE,” who specialize in obtaining personal information about third-party victims, which they then use to harass, threaten or extort the victims, a practice known as “doxing.”
“ViLE is collaborative, and the members routinely share tactics and illicitly obtained information with each other,” prosecutors charged.
The government alleges the defendants and other members of ViLE use various methods to obtain victims’ personal information, including:
-tricking customer service employees;
-submitting fraudulent legal process to social media companies to elicit users’ registration information;
-co-opting and corrupting corporate insiders;
-searching public and private online databases;
-accessing a nonpublic United States government database without authorization
-unlawfully using official email accounts belonging to other countries.
The complaint says once they obtained a victim’s information, Singh and Ceraolo would post the information in an online forum. The government refers to this community only as “Forum-1,” saying that it is administered by the leader of ViLE (referenced in the complaint as “CC-1”).
“Victims are extorted into paying CC-1 to have their information removed from Forum-1,” prosecutors allege. “Singh also uses the threat of revealing personal information to extort victims into giving him access to their social media accounts, which Singh then resells.”
Sources tell KrebsOnSecurity in addition to being members of ViLE, both Weep and Ominous are or were staff members for Doxbin, a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly. This is supported by the Doxbin administrator’s claimed responsibility for a high-profile intrusion at the DEA’s law enforcement data sharing portal last year.
A screenshot of alleged access to the Drug Enforcement Agency’s intelligence sharing portal, shared by “KT,” the current administrator of the doxing and harassment community Doxbin.
The government alleges that on May 7, 2022, Singh used stolen credentials to log into a U.S. federal government portal without authorization. The complaint doesn’t specify which agency portal was hacked, but it does state that the portal included access to law enforcement databases that track narcotics seizures in the United States.
On May 12, 2022, KrebsOnSecurity broke the news that hackers had gained access to a DEA portal that taps into 16 different federal law enforcement databases. As reported at the time, the inside scoop on how that hack went down came from KT, the current administrator of the Doxbin and the individual referenced in the government’s complaint as “CC-1.”
Indeed, a screenshot of the ViLE group website includes the group’s official roster, which lists KT at the top, followed by Weep and Ominus.
A screenshot of the website for the cybercriminal group “ViLE.” Image: USDOJ.
In March 2022, KrebsOnSecurity warned that multiple cybercrime groups were finding success with fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms and mobile telephony providers, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.
That story showed that the previous owner of the Doxbin also was part of a teenage hacking group that specialized in offering fake EDRs as a service on the dark web.
Prosecutors say they tied Singh to the government portal hack because he connected to it from an Internet address that he’d previously used to access a social media account registered in his name. When they raided Singh’s residence on Sept. 8, 2022 and seized his devices, investigators with Homeland Security found a cellular phone and laptop that allegedly “contained extensive evidence of access to the Portal.”
The complaint alleges that between February 2022 and May 2022, Ceraolo used an official email account belonging to a Bangladeshi police official to pose as a police officer in communication with U.S.-based social media platforms.
“In these communications, Ceraolo requested personal information about users of these platforms, under the false pretense that the users were committing crimes or in life-threatening danger,” the complaint states.
For example, on or about March 13, 2022, Ceraolo allegedly used the Bangladeshi police email account to falsely claim that the target of the EDR had sent bomb threats, distributed child pornography and threatened officials of the Bangladeshi government.
On or about May 9, 2022, the government says, Singh sent a friend screenshots of text messages between himself and someone he had doxed on the Doxbin and was trying to extort for their Instagram handle. The data included the victim’s Social Security number, driver’s license number, cellphone number, and home address.
“Look familiar?” Singh allegedly wrote to the victim. “You’re gonna comply to me if you don’t want anything negative to happen to your parents. . . I have every detail involving your parents . . . allowing me to do whatever I desire to them in malicious ways.”
Neither of the defendants could be immediately reached for comment. KT, the current administrator of Doxbin, declined a request for comment on the charges.
Ceraolo is a self-described security researcher who has been credited in many news stories over the years with discovering security vulnerabilities at AT&T, T-Mobile, Comcast and Cox Communications.
Ceraolo’s stated partner in most of these discoveries — a 30-year-old Connecticut man named Ryan “Phobia” Stevenson — was charged in 2019 with being part of a group that stole millions of dollars worth of cryptocurrencies via SIM-swapping, a crime that involves tricking a mobile provider into routing a target’s calls and text messages to another device.
In 2018, KrebsOnSecurity detailed how Stevenson earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their websites, all the while secretly peddling those same vulnerabilities to cybercriminals.
According to the Justice Department, if convicted Ceraolo faces up to 20 years’ imprisonment for conspiracy to commit wire fraud; both Ceraolo and Singh face five years’ imprisonment for conspiracy to commit computer intrusions.
A copy of the complaint against Ceraolo and Singh is here (PDF).
FreshRSS 