Hackers Targeting Social Media Sites for Social Engineering Attacks

Hackers using Social Engineering attacks are getting much better at their craft, and people are making it very easy for them. A Social Engineer will use information gathered about a person, place or business in specially crafted attacks that play on people’s thoughts, beliefs or emotions.

But how do they get personal information that they could use against someone?

Drum roll please…

Social Media sites!

“No way”, you say, “I only give friends, colleagues and people I know access to my Facebook page.” Do you really? I mean come on, let’s be honest. We have all seen them, people with 500, 1000, even 2000 people or more on their friends list. Do they really know all those people?

People are human, and humans are always into popularity contests. It reminds me of the TV commercial where the daughter is sitting in front of her computer with hundreds of friends on her social media site. And she is making fun of her parents who have like 5 on their site, but then it shows the parents out kayaking (or something like that) with friends.

Hackers are using this very weakness of the human psyche to gain pertinent and sometimes very personal information about a person. But how you ask?

How about LinkedIn? Do you get friend requests from people you have never heard of who “know you” from some website, share your likes or dislikes, or attended the same conference? Hackers are gathering full technical backgrounds, co-worker names, titles and even full resumes using this very simple tactic.

It also works on Facebook, except that here social engineers gain personal information about you: news about your family, your interests (sports, clubs, etc.), and, for some people, even travel plans and food preferences. Sometimes a lucky hacker will even get the daily itinerary of a very trusting individual.

How could they leverage this information in an attack?

Simple: from LinkedIn, they could craft an e-mail claiming to be from some company that you worked with or for. Or, from Facebook, claiming to be from your kid’s school or from one of the many clubs you attend, with scheduling or other important “news”. All this in an attempt to get you to click on a link that leads to a malware-infested site, or to get you to open a PDF file that contains a backdoor trojan.

A friend recently received an e-mail supposedly from the technical support department for a product that he actually owned. It was about an important update, and the link for the update led to a site that tried several browser exploits in an attempt to install remote access malware. It was very believable; luckily, the broken English in the e-mail made him think twice before he visited the site.

How do you protect yourself from these types of attacks?

It is always best to actually know or have met the person that you are allowing into your social media circles. Limit the level of personal information that you place on these sites. And be very careful telling people your schedules. Do your 2000+ friends really need to know that you will be out of the country for 2 weeks and what airline you will use and what hotel you will be staying at?

Just some things to think about. Hackers are getting much better at using Social Engineering attacks. A little discretion will go a long way.

Online Shopping Tips for a Cyber Crime Free Holiday Season

Just another reminder to shop safely this holiday season. Today the Department of Justice announced that it has seized 150 websites that were peddling counterfeit goods.

“For most, the holidays represent a season of good will and giving, but for these criminals, it’s the season to lure in unsuspecting holiday shoppers,” ICE director John Morton said in a statement about the seizure.

According to Reuters.com the websites included pumaoutlets.net, myjerseyshop.com, and uggbootsclearanceoutletstores.com.

Cyber Crime is huge business right now, but here are a few steps you can take to protect yourself:

1. It is usually safest to buy from large, well-known websites. Always make sure that the website name is spelled correctly. Most browsers will automatically highlight the domain name in the address bar so you can check this. See picture below:

2. Always make sure that the website is using SSL – secure communications when you get to the actual ordering process. The website should switch to secure HTTPS:// instead of just the regular HTTP://, and will look like this:

3. Do not click on links in e-mails that redirect you to a store. It is a common practice for hackers to create legit-looking e-mails that link to counterfeit or malicious servers. Just go directly to the store; you should be able to find any public sales listed there.

4. Beware of horribly misspelled and unformatted e-mails supposedly from foundations or organizations. Most spam filters catch these now, but don’t spend time on them; just trash them.

5. If a deal is too good to be true, it just might be! Common sense goes a long way in protecting you from online scams.

6. Use strong passwords on your online accounts. A long combination of upper and lower case letters, numbers and symbols is best.

7. And finally, avoid using bank Visa cards that tie directly to your bank account online if you can. Use gift cards, limited-value credit cards, or cards that have one-time-use virtual numbers or shop-safe features. Even standard credit cards can have better safeguards and refund policies than a bank card. When in doubt, ask your bank about its credit card policies.

Surf safely and have a great Holiday!

Free “Kid Logger 5.5” Key Logger and Activity Recorder

Looking for a good key logger program that is free? Check out the open-source program Kid Logger 5.5.

Recently I was in need of a key logger type program. As for my list of needs, it needed to record keys typed, websites visited and most of all needed to be low cost. Kid Logger meets all those needs and more.

Kid Logger not only records key strokes and webpages visited, but also logs chat room sessions, programs opened, pictures or videos viewed, copy/paste operations and USB drive usage. But that is not all; it also takes desktop screen captures at a defined interval, can be set to record audio chats, or can be triggered to record any sound by a definable sound level. And if that is not enough, the program can be password protected and encrypts all logs by default.

You can also record individual user’s activities from a user checklist.

That is an impressive list for a free program. But how well does it work? Exceptionally well. As you can see below, the program records every keystroke to a running log.

Also, it keeps screen captures in the log directory in .JPG format.

I was very impressed with Kid Logger, especially upon viewing the logs and seeing a log entry that stated “Internet History Deleted”. Very interesting indeed.

Because of its laundry list of capabilities, Kid Logger could be used in a variety of situations. It does a great job of keeping tabs on young children and what they are getting into. But be forewarned: logging a user’s actions without prior consent is illegal in many areas. So before you run out and install this on all your employees’ machines, you will need to check your state and local laws.

Check out Kid Logger, you will not be disappointed.

Hacker Free Holiday Shopping

Oh, the joy of the Holidays. You may, like many, decide to buy some (or all) of your gifts online this year. And why not? Why go out in the cold, snow and slush, fight traffic, and have to walk a mile from the only available parking spot? Why push through aisles of crabby people only to find out that the person in front of you just bought the last Nerf N-Strike Stampede?

When you could have just stayed home in your jammies and fuzzy slippers and ordered it online…

Shopping online is fantastic. But unfortunately there are some modern-day Grinches out there who try to ruin it for everyone. That latest e-mail you received from a “name brand” store offering the super Nerf Vulcan Automatic Heavy Blaster for half price just may not be legit. It could be a fake e-mail that leads you to a spoofed site.

Spoofed sites are a common technique that hackers use to collect personal and financial information from unsuspecting victims. A spoofed site is a site that is run by hackers and is camouflaged to look like the website of a real store. Many times it is very hard to tell the difference between a spoofed site and a real one. Here are some browser screenshots comparing legit websites with sample spoofed sites.

See if you can tell them apart:

Wow, pretty much identical. The one on the top is the original site. The one on the bottom is fake. The only discernible difference is the address bar. If you look closely, the real site says “http://www.sears.com” while the fake site says “http://192.168.96.128”.

The address 192.168.96.128 is a private address that is not routable on the Internet, but a real spoofed site would be using a live public IP address. Internet Explorer 8 tries to help you out against these types of attacks by highlighting the website (domain) name in the address bar. If you look at the address bar on the top, sears.com is in bold.

Here is another example:

Okay, these aren’t quite identical, but this shows that spoofed sites can look and behave just like the real ones. The advertisements have updated dynamically on the spoofed site just as they would on the real one. So, advertisements aside, the only real difference is the address bar.

If you look closely, the real site has “amazon.com” highlighted, and again the fake site just lists an IP address. One other difference is the icon in the address bar: the real site has the Amazon icon and the fake one has the generic Internet Explorer icon. But this is not always the case.
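The two address-bar checks above (HTTPS in the shopping tips, and a real domain name versus a bare IP address in the sears.com and amazon.com comparisons), as an added JavaScript example that is not from the original post. It uses the standard URL parser, and a small, assumed list of two-part suffixes stands in for the browser’s full Public Suffix List.

```javascript
// Added example (not from the original post): a rough imitation of what the
// address bar does. It picks out the domain name a browser would bold, and
// flags links whose host is a bare IP address like the spoofed sites above.
// Assumption: a tiny stand-in for the Public Suffix List a real browser uses.
const MULTIPART_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for IPv4 dotted-quad hosts and bracketed IPv6 hosts.
function isIpLiteral(host) {
  if (host.startsWith("[")) return true;
  const m = IPV4.exec(host);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// The "registrable" part of a hostname: the last two labels, or three when
// the last two labels form a public suffix such as co.uk.
function highlightDomain(host) {
  const labels = host.split(".");
  const take = MULTIPART_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Summarise a link the way a careful shopper should read the address bar:
// is it HTTPS, is the host a real domain name, and which part of it matters.
function inspectLink(link) {
  const url = new URL(link);            // the parser also canonicalises the host
  const host = url.hostname;
  const ipLiteral = isIpLiteral(host);
  return {
    host,
    https: url.protocol === "https:",
    ipLiteral,
    domain: ipLiteral ? null : highlightDomain(host),
  };
}

// Constructed sample links modelled on the screenshots described above.
for (const link of ["http://www.sears.com/", "http://192.168.96.128/",
                    "https://www.amazon.com/gp/cart"]) {
  console.log(link, inspectLink(link));
}
```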

Using the IP address is just one tactic hackers use. For additional ways site names are spoofed check out my article, “Spoofing a Website Address: How to Obscure a URL”.

Please be careful this Holiday Season as you shop for your loved ones. Be leery of using links in e-mails, especially in unsolicited mail. You can always manually surf to the website yourself and find any deals that are legit.

Have a happy and safe holiday!