Manipulating Trust—the Latest Hack

Written by Mark Evilsizor
From his column Church Tech

There is a saying in IT security circles that it is easier to hack the human than to hack the machine. In other words, our natural instinct to trust authority and help others is often played upon by those who would do us harm. By garnering our trust, they convince us to unlock the doors and injure ourselves. While the Greeks may not have understood the psychology when they made their hollow horse, the general term for this type of security attack is called “social engineering.” The best way to guard against such attempted intrusion is to be aware, so I will share some experiences I have encountered.

Now that phone calls can be placed around the world via the Internet, a common attack is the fake computer support call. The caller preys upon our insecurity about the complexity of modern technology and tells us we have done something wrong; that our PC is infected and harming others. They borrow credibility by claiming to be from Microsoft. When you answer the phone, it will sound just like a regular call center in the background, because it is. Hacking has become institutionalized, and participants report to work just like you and me. However, their intention is either to convince you to pay them for a fix, or to get you to install remote control software on your PC so they can steal bank credentials or other valuable information. The solution: pay attention to the Caller ID and, if it is odd, don’t even answer the phone. If you do answer and someone tries to convince you to give them credit card numbers or install software in exchange for tech support, hang up.

One type of harmful software can encrypt files on your personal computer and your organization’s entire network. If a hacker can get just one person to install their software, all of a company’s files may be locked up and held for ransom. Earlier this year, a Los Angeles hospital chose to pay almost $17,000 to hackers who had shut down their network. In fact, this problem is so common and unresolvable that the FBI advises many organizations to pay up, or rely on backups to restore everything. Most commonly, this software gets installed by someone clicking on a link in an email. In the last few weeks, I have seen hundreds of emails, which appear to come from inside our organization, attempting to circumvent my organization’s spam filter. They look just like the email a fax or copier might send; however, the attached document includes the bad software which, once installed, tries to take over your files. A variation on this type of ransomware is the threat to release files to the public if you don’t pay up. If your organization retains confidential information, this could be devastating to clients. The solution to this kind of hack is to educate and periodically remind staff not to click on unexpected email links and attachments, even if they look legitimate.

One other type of social engineering involves gaining the confidence of someone in an organization’s accounting department. The first step is for a remote thief to look over the organization’s website and learn about its leadership and current projects. They then locate contact information for the accounting department. With details in hand, they send a legitimate-looking email to your controller, impersonating the CEO or other high-ranking officer of the organization. In the case I am aware of, a few innocuous emails were sent to build trust. Then came an urgent email requesting a wire transfer of a large amount of money to cover the cost of a project the scammer had learned of by investigating your website. If the transfer is made, there is no getting the funds back. The solution in such a situation is to personally talk to anyone requesting a transfer of funds—especially if there is a request for a wire transfer. A variation on this scam involves false emails that appear to represent a company executive requesting information about employees, such as Social Security numbers or health information. Such information may be sold directly to purchasers on the Internet, or used to gain the trust of additional people. An extra phone call is a small price compared with subjecting an organization to the major loss of funds or confidential information.

So, be aware and be wary if you receive unanticipated phone calls, emails, or requests for funds or confidential information. In short, don’t take any wooden nickels…or horses.

Mark Evilsizor has worked in Information Technology for more than 20 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Views and opinions expressed are strictly his own.