The weakest link
15 August 2019
The end user can definitely be the weakest link when it comes to a cybercriminal's chain of attack, so Ben LeDoux looks at how to stop employees breaking the chain.
FOR INFORMATION security engineers, 'the end user is the weakest link' seems to be the tagline for every seminar as it relates to phishing. For end users, it feels like another example of why they feel the technology industry is very condescending towards their customers. As an information security professional, please let me apologise and explain this tagline.
Some end users inside of every company can be considered the weak link in a cybercriminal’s attack chain. But like a bicycle technician who does regular tune-ups, it is the information security team’s job to make sure that the chain is getting everything it needs to maintain its integrity and not have any “weak links”. The inevitable follow-up to that statement from our overworked information security professionals tends to be “How am I supposed to maintain any type of training for end users with all of my other job duties?” or “My IT team isn’t a big team and provides no training”.
Fear not, dear end user, and by extension your poor, overworked information security professionals wishing to impart the knowledge of when not to click on that link. While the way that an attacker attempts to compromise an account has become more sophisticated, several of the ways to spot a suspicious e-mail still remain very much the same.
The following is a current phishing trend that the information security community has been battling over the past several months. While the song and dance performed by the cybercriminal is very specific, the ways to identify whether the e-mail is malicious can be applied to any e-mail you receive as an end user.
“Are you there?”
A simple sentence, one that you have probably heard countless times in your life. However, in the last several months, these simple words in e-mail form have kickstarted a malicious fraud campaign that has seen users in companies across the world buying gift cards and providing them to who they think are their supervisors only to be out hundreds and in some cases thousands of dollars.
If you haven’t received one of these e-mails, the con goes like this. An e-mail lands in the inbox with a subject line and/or message body asking the words “Are you there?” or something along the lines of needing to speak with you, but e-mail is the only medium they can converse through.
And who are these people sending you the e-mail? Well if the signature and the name in the from field is any indication, it is your co-worker or supervisor. But if you hover over the e-mail, depending on your company’s spoofing rules, either the e-mail address or the reply-to address will show that the person you are talking to is not, in fact, your co-worker or supervisor.
But the people who are sending these e-mails are hoping that you do not notice these small details. Instead, they hope the fake name at the top and in the signature will be enough for you not to notice that when you reply, the e-mail address you are replying to does not belong to anybody you know. There might be a hint of someone you know in the address if the attacker is targeted enough: instead of sending to email@example.com, you find the e-mail address you’re sending to is firstname.lastname@example.org. But in some cases, it is as simple as email@example.com in the hopes of the end user not noticing.
So you replied to the e-mail letting them know you’re there, now what? Now the person replies back (making sure to continue the signature façade but also removing the e-mail address you’re sending to from the e-mail or if they’re targeted enough, putting your co-worker or supervisor’s e-mail into the e-mail chain in case you decide to read through) and they ask you for gift cards:
“Please go out and buy 10 $100 gift cards, scratch off the backs, and send me the numbers. I cannot do this now and am unavailable to talk due to this meeting. You will be reimbursed.”
And that is the con. The malicious e-mail account has asked for $1,000 in gift cards with the promise of reimbursement which will never come because, you guessed it, this is not your co-worker or supervisor.
These attacks are getting more prevalent in user mailboxes so I hope the preceding paragraphs are enough to make you think twice when receiving an e-mail like this. However, I do know that there are some instances where this type of conversation does happen. So here are some tips to help you figure out if the person on the other end of the e-mail chain is legitimate:
- Look at the e-mail address. It isn’t enough to see a familiar name in the from field, look at the e-mail address attached to it. Is this an e-mail address that you know and recognise? If not, you’re likely being lured into a scam. But because e-mail spoofing is prevalent in today’s attacks, don’t let this be your only scrutinisation of an e-mail.
- Check the reply-to address. If the e-mail is being spoofed, there is a different e-mail address that you’ll be replying to since the malicious user does not have access to the e-mail they’re spoofing but need to interact with you. If you don’t recognise the address when you click reply, you’re likely being lured into a scam. But because there is a chance that the other account could be compromised, don’t let your scrutinisation of the e-mail end here.
- Don’t trust e-mail. If this is not a normal request, don’t be afraid to call the person or walk down the hall and talk to them. Having a quick conversation could save you from sending your hard-earned money to a scammer.
- Vet the user. If you are uncomfortable reaching out to the person who the e-mail is supposed to be coming from (and you shouldn’t be, let me make that clear), don’t be afraid to ask them questions that the person should know. “What is my extension?”, “Which meeting are you at?”, or even “Could you provide your employee ID?” would work. Again, for your sake and your money, it is worth it to make sure you know who you are talking to.
- Lastly, find the person. Even if they have been able to provide all of that information, finding the person or calling them and confirming can take very little time. These types of e-mail prey on the fear that the person is unreachable, but that often is not the case. Reach out separately from the e-mail, whether in person if you know where to find them or by phone or text if you know how to reach them.
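The first two bullets can also be applied mechanically before a message ever reaches a person. The following is an added Python example, not code from the article or its author: it parses a constructed message, compares the From display name against a hypothetical staff directory, checks whether Reply-To diverges from From, flags an external sender domain, and looks for the “Are you there?” lure. The directory, the internal domain and both sample messages are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical staff directory and company domain (assumed for this example).
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {"jane supervisor": "jane.supervisor@example.com"}


def _split(header_value):
    """Return (display name, address, domain), all lower-cased, for an address header."""
    name, addr = parseaddr(str(header_value or ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def assess(raw_message):
    """Apply the article's checks to one raw RFC 5322 message; return a list of warnings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    from_name, from_addr, from_domain = _split(msg["From"])
    _, reply_addr, _ = _split(msg["Reply-To"])
    # Check 1: a familiar display name, but not the address on record for that person.
    known = DIRECTORY.get(from_name)
    if known and from_addr != known:
        warnings.append(f"display name '{from_name}' but address {from_addr} is not {known}")
    # Check 2: the reply would go somewhere other than the address in the From field.
    if reply_addr and reply_addr != from_addr:
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # Check 3: the sender is outside the company domain.
    if from_domain and from_domain != INTERNAL_DOMAIN:
        warnings.append(f"external sender domain {from_domain}")
    # Check 4: the lure wording the article describes, in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if "are you there" in text.lower():
        warnings.append("'Are you there?' lure text")
    return warnings


# Constructed sample messages shaped like the con in the article (not real traffic).
SCAM = """From: Jane Supervisor <jane.supervisor@mail-lookalike.example>
Reply-To: Jane Supervisor <jsupervisor.urgent@example.org>
Subject: Are you there?

I need you to handle something for me. Can't talk, in a meeting.
"""
LEGIT = """From: Jane Supervisor <jane.supervisor@example.com>
Subject: Quarterly review notes

Attached are the notes from this morning.
"""
```

Running `assess(SCAM)` returns all four warnings, while `assess(LEGIT)` returns an empty list; a gateway rule or mailbox add-in would surface the first two warnings to the user as exactly the checks the bullets ask them to perform by hand.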
Remember, e-mail is not inherently secure, and many monetary losses and malicious data exfiltration attacks come from the simplest of e-mails. Every e-mail, especially those involving financial transactions, should be scrutinised for legitimacy, and if something doesn’t feel right, you should verify the message via other means.
“The end user is the weakest link.”
My hope is that by using the bullet points listed above, you now become one of the strongest defences in your company’s cybersecurity arsenal. To reiterate, while these bullet points may seem very specific to the e-mail scenario above, they can be used when you look at every e-mail that enters your inbox and help you not be the link that breaks the chain.
Ben LeDoux is an Information Security Professional with Metropolitan State University of Denver and a 2018 finalist with the United States Cyber Challenge. For more information, visit www.msudenver.edu