Chapter 3

Thinking Like the Enemy

Abstract

Understanding the psychology of malicious messaging can be as much of a resource to stopping it as any log file technology or security analysis. The vast majority of attacks are aimed at anyone who will respond, whereas only a small minority of attacks are exquisitely targeted for very high value targets. There are two primary goals for a sender of a malicious email. The first goal is for you to actually see the email. This means that the email needs to be constructed to avoid automated scanning and quarantining programs. The second goal is to have you act on the email. In some cases, this is as simple as opening it and reading it. In other cases, the sender wants you to open an attachment. Success for the bad guys comes when someone opens and replies to their messages, shares a like-farming post, clicks on a malicious link, or opens an attachment.

Keywords

Goals
Motivations
Understanding the psychology of a phishing attack can be as much of a resource to stopping it as any technology or security analysis. Understanding both sides of the attack gives the defender a better perspective as to what makes his/her organization vulnerable, and just how far the attacker might go to exploit that vulnerability. For example, understanding that the motivating factor of one class of attacker might solely be glory driven would imply that their resolve to work through layers of defense could be minimal, leading them to give up quickly in order to find an easier target. However, that same class of attacker might be more determined if the target was to be perceived as having high value, since compromising a higher value target would yield greater prestige and greater validation. For senders of malicious email, this duality is particularly true: the vast majority of attacks are aimed at anyone who will respond while a small minority of attacks are exquisitely targeted for very high value targets.
There are two primary goals for a sender of a malicious email. The first goal is for you to actually see the email. This means that the email needs to be constructed to avoid automated scanning and quarantining programs. The second goal is to have you act on the email. In some cases, this is as simple as opening it and reading it. In other cases, the sender wants you to open an attachment.
And therein lies a significant challenge: how to understand the goals and intentions of the sender of malicious email. For you to actually see the email, it must reach you, which means it must be targeted, it must have addressing that you do not recognize as malicious, and it must have content that passes through any filters that might be on your system. In order for you to actually act on the message (be that clicking, opening attachments, sharing, or replying), the message you see must be appropriate to your needs, wants, and likes (or dislikes).
Targeting: Malicious email may be targeted specifically at you or may be shotgunned to as many recipients as possible. The email that is sent to a wide range of recipients is generally more easily identifiable as potentially malicious. The email that specifically targets you can be extremely difficult to detect. There is a cost trade-off to the sender: it is cheap and easy to send the same email to thousands of recipients, while it is quite costly to develop the knowledge base required to specifically target a single person in a believable manner. The two types of email are referred to as UnTargeted Malicious Email (UTME) and Targeted Malicious Email (TME). UTME is sent to as many people as possible: it is, by definition, un-targeted. TME, also known as spear-phishing (a play on the term “spear-fishing”), is much more precise, targeting as few as one individual with a highly personalized attack designed to be as effective as possible. It is very expensive to develop the level of information about a single person (their work habits, their conversations, their likes and dislikes, and so on) needed to mount an effective TME attack, so that level of effort is typically reserved only for very high value targets. An example of the type of target that would warrant this type of effort would be someone in a high technology enterprise who has easy access to the details of marketing plans or development ideas. Getting such a person to open an attachment in an email can open the entire corporation’s network to the attackers, allowing them unfettered access to very sensitive data.
Addressing: Malicious email senders normally do not want their real identities to be discovered, so they may use a variety of hiding techniques to mask the true source of the email. The visible sender identity may be forged as that of a very common name, to mimic an identity in your contacts list, or as that of a celebrity. One of the first tricks to identify potential malicious email is to look at the invisible parts of the addressing to see what it really looks like. Chapter 4 will deal with this in detail.
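As an added illustration of looking at the "invisible" addressing fields (example code written for this chapter, not from the book), the function below compares the visible From display name with the From address, Reply-To and Return-Path of a constructed message; the sample message and the contact list are hypothetical.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the book): the visible sender name
# mimics a known colleague, but the address, Reply-To and envelope sender
# (Return-Path) all point somewhere else.
SAMPLE_RAW = """\
Return-Path: <bounce-8812@mailer.example.net>
From: "Alice Smith" <alice.smith@free-mail.example.org>
Reply-To: billing-desk@pay-now.example.com
To: bob@corp.example.com
Subject: Urgent: invoice attached

Please open the attached invoice today.
"""

# Hypothetical contact list: display name -> address the recipient knows.
CONTACTS = {"Alice Smith": "alice.smith@corp.example.com"}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect_addressing(raw: str, contacts: dict) -> list:
    """Compare the visible sender identity with the hidden addressing fields.
    Returns a list of warning strings; an empty list means nothing looked odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    warnings = []
    # A known contact's name shown on an address that is not the one on file.
    if name in contacts and contacts[name].lower() != from_addr.lower():
        warnings.append(f"display name '{name}' is a contact, but address is {from_addr}")
    # Replies silently routed to a domain other than the visible sender's.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        warnings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {domain_of(from_addr)}")
    # Envelope (bounce) sender from yet another domain.
    if return_path and domain_of(return_path) != domain_of(from_addr):
        warnings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {domain_of(from_addr)}")
    return warnings


if __name__ == "__main__":
    for w in inspect_addressing(SAMPLE_RAW, CONTACTS):
        print("WARNING:", w)
```

The constructed message trips all three checks; a message whose From, Reply-To and Return-Path agree with a known contact produces no warnings.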
Content: Malicious email can contain a variety of content types that are dangerous. Some of the most innocuous-looking malicious messaging is chain messages, typically forwarded or shared many times, which contain a distorted version of events designed to elicit an emotional response in the recipient. The purpose of these malicious emails is to affect belief structures, and these mails are called either Meme-Propaganda or Memetic Attacks. The examples provided in Chapter 2 covered a large variety of the types of content in malicious messages, although it is worth noting that the imaginations of the attackers are without bounds. In fact, they are quite amazing. One example of a malicious message alerted a recipient to a purported dead body found outside and asked that the recipient open the attachment to identify the decedent. This simply illustrates that nothing at all is off-limits.
The people who generate malicious messages, be it for theft of personal information, solicitation of relationships, like-farming, or any of the other motivations, have one and only one thing in common: they are people. Beyond that, they vary in an amazing number of ways. Some are very poor, operating out of internet cafes under the watch of gang leaders. Some are modestly well-off, operating out of their homes or a local cafe. Others are wealthy, having been in the game for long enough to reap a lot of rewards. Two stories of real people help to illustrate who these people are.
Adam Vitale: Mr. Vitale pleaded guilty in 2008 to violating US Federal law for spamming people. He claimed to be making $40,000 per week doing this. He specialized in stock price scams, so that the insiders could profit from selling stocks whose prices had been artificially inflated as a result of their activities, although he was willing to engage in a variety of other scams, including advertising computer security software.1
Two Nigerian Scammers: Mother Jones reporter Erika Eichelberger wrote of meeting two young men engaged in what they referred to as trickery, “insist[ing] that tricking someone is not the same thing as stealing” from them. These two men participate in advance-fee scams, also known as the 419 scam, and claim to be worth about $60,000 each.2
These two stories illustrate the great variety, and it is important to underscore that a malicious email message may be from someone trying to steal your money, your time, or your information. Because of the wide range of motivations, it is impossible to specify a single type of person who engages in this activity. Instead, it is all types of persons, from all over the world, who have varying moral bases.
The motivation is clear: it is to gain something that they would not otherwise have. In some cases, the motivation is to get you to send money directly. In other cases, it is to get you to click on a link that will download malicious software onto your computer. In yet other cases, the motivation is to get you to open an attachment that will enable activity on your computer that you would rather not have happening.
The motivation could be to harness the power of your computer as a zombie member of a botnet, which can then be rented out by the hour for a variety of activities, including conducting denial of service attacks on specific systems. Or the motivation might be to install software on your computer that allows the controlling person access to all of your data, including sensitive company data. A very common motivation is simply to get you to enter sensitive personal information into a reply email or a website so that the person can then steal your identity, empty your bank account, or use your electronic identity for nefarious purposes.
The motivations range from simple, such as the meter repair scam detected in Oregon, to viciously clever, such as a Netflix user phishing scam. In the meter repair scam, customers were contacted with demands for hundreds of dollars for repairs to their meters, with the threat that if they did not pay, their electrical service would be turned off.3 In the Netflix user phishing scam, users are duped into going to a website that looks like the real Netflix site but which is not. The trick is enabled through the purchase of sponsored ads, pop-up windows, or emails. When the phony website loads, it directs the user to access Member Services and provides a toll-free number for the member to call. The person at the end of that toll-free number is not a Netflix employee at all, but in fact a scammer. The phone person then walks the customer through a software download process that provides the scammers with backdoor access to the customer’s computer.4
Unfortunately, this range of motivations means that focusing on motivation as a way to understand people who are behind malicious messaging is a losing cause. The simple definition of the motivation is theft, but the variety of means through which that theft is accomplished is amazingly large.
Because people in general do not much care to have their money, their identities, or their data stolen, there is a concerted effort by service providers and law enforcement to limit the activities of malicious messagers. Unfortunately, it is a game of steps. When one method or channel is countered, a new method emerges. The bad guys actually study the activities of the defenders and develop methods that are not detectable by their current approaches. What this means is that you must constantly be on guard, waiting for that next surprise.
Success for the bad guys comes when someone opens and replies to their messages, shares a like-farming post, clicks on a malicious link, or opens an attachment. That is the first step in getting access to what they really want, but it is a critical first step, and the ultimate success cannot occur until that happens.
So, bottom line: do not click on links, do not open attachments, and treat every message with suspicion. But if you feel the need to follow a link or open an attachment, do it carefully.