Human Behavior Being Exploited By Phishers

Cyber criminals are using phishing to lure web visitors into revealing their sensitive data. Internet surfers are presented with a baited hook, which draws them into revealing login names, passwords, security keys and other valuable data.

The technique can be employed by individuals with little to no hacking skill, luring users to a malware-ridden website in exchange for payment. There are plenty of would-be criminals looking to make a quick buck, and since the campaigns can be so effective, online thieves and criminals are increasingly using this technique to make money.

Many online criminals use phishing in random campaigns sent via email. There is little skill involved. It is simply a numbers game. If enough emails are sent, sooner or later someone will respond and fall for the bait. However, we are now seeing much more sophisticated campaigns launched.

It used to be easy to spot a phishing email. They were littered with grammatical errors and spelling mistakes. Images were used that were clearly fake, and the emails would only fool the most unsuspecting computer user. They claimed victims, nonetheless, but only a few.

Some of the phishing emails now being sent are extremely convincing and very difficult to identify. Even well trained, security-conscious IT professionals have fallen for some of the scams. The reason? They work by exploiting traits in human behavior and use techniques that are particularly effective at drawing the required response.

Human Traits Successfully Being Manipulated by Hackers

Cyber criminals are exploiting human behavior to get users to click on links to malicious websites or open attachments. They rely on common traits that are all but guaranteed to get the desired response. The male of the species, for instance, is easily tricked into opening an apparent JPEG file if he is promised a glimpse of bare female flesh. An offer of sex from an unknown admirer can also work particularly well.

Not everyone is motivated by sex. For others the promise of financial gain does the trick. Criminals exploit greed to get users to click on a link. A money making scheme, or a hot stock tip, can entice many people to click on a link. Curiosity is also exploited. Major news events, conspiracy theories, celebrity news, and information on natural disasters have all been used by email spammers and scammers to get people to visit a malware site or open an email attachment.

Even the sense of duty has been exploited. Emails are sent from the accounts of work colleagues, bosses, civil authorities or law enforcement officers. These are effective at fooling users into complying with requests.

By exploiting human traits and evoking emotions, recipients of these scam and spam emails swallow the hook, and often the line and sinker too.

Spear Phishing: Effort Put in is Rewarded with More Victims

The sending of millions of mistake-ridden emails results in very few individuals falling for the scams. When email spam filtering software is employed, the filters will prevent these emails from even being delivered.

However, a little research goes a long way. Phishers who invest time into researching victims can see the time they spend on the campaign really pay off. A search on social media will reveal a considerable amount of information on an individual. Employers can be found on LinkedIn, Facebook can be used to find out friends’ names, and Twitter can be mined for a user’s interests. With this information, highly effective campaigns can be developed.

These phishing campaigns are referred to as spear phishing. As the name suggests, the hacker goes after one fish. These campaigns can be incredibly effective as they exploit trust. If an email is sent that appears to be from a friend or colleague, it is far more likely to be opened. But how is this possible?

SMTP Weaknesses Are Exploited by Phishers

Unfortunately, the SMTP protocol contains a security weakness: it does not verify that the sender address shown in a message actually belongs to whoever sent it. Hackers can exploit this weakness to mask the true sender of an email and the return address. To the casual viewer it appears that the email has been sent from a known individual, and even replying to the mail appears to direct it to the correct mail recipient.

Fortunately, a spam or phishing email is not dangerous in itself. It requires an action to be taken by the recipient. Deleting such an email will delete the risk. Only opening the attachment, downloading it, or visiting a link contained in the email will result in the delivery of malware, a virus or the installation of malicious code.

Unfortunately, while most employees know never to double click on a file with a .exe extension, file extensions can be all too easily masked. They can be made to appear as a PDF file or JPEG, or other supposedly innocent file type. Without training, users are likely to open these attachments, and unwittingly activate the executable file.
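The two weaknesses just described, a sender address that SMTP never verifies and an executable hiding behind an innocent-looking extension, are both visible in the message itself if someone looks. The following Python script is an added example written for this article, not code from the original post; it parses a raw email with the standard library and reports the mismatches a mail filter or an analyst would check for: a Return-Path or Reply-To domain that differs from the From domain, a display name that is itself an email address, and an attachment whose final extension is executable (optionally disguised behind a decoy such as .pdf). The extension lists are a small illustrative assumption, not an exhaustive policy, and both sample messages are constructed using reserved example domains.

```python
"""Flag common phishing indicators in a raw email message (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: a short illustrative list of extensions that run when
# double-clicked on Windows; a real filter would use a fuller list.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1"}
# Innocent-looking extensions that are placed before the real one as a decoy.
DECOY_EXTENSIONS = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt"}


def _domain(address: str) -> str:
    """Return the lower-cased domain of an address header ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def check_sender_headers(msg) -> list:
    """Return findings about From / Return-Path / Reply-To inconsistencies."""
    findings = []
    from_hdr = msg.get("From", "")
    display_name, from_addr = parseaddr(from_hdr)
    from_domain = _domain(from_hdr)

    # Return-Path is the envelope sender the receiving server recorded; when its
    # domain differs from the visible From domain, bounces and replies go elsewhere.
    return_path_domain = _domain(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain!r} differs from From domain {from_domain!r}")

    # Reply-To silently redirects the victim's answer to a different mailbox.
    reply_to_domain = _domain(msg.get("Reply-To", ""))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain!r} differs from From domain {from_domain!r}")

    # Mail clients often show only the display name, so an address-shaped display
    # name hides the real (different) sender address.
    if "@" in display_name:
        findings.append(f"Display name {display_name!r} looks like an address but the real sender is {from_addr!r}")
    return findings


def check_attachments(msg) -> list:
    """Return findings about attachments whose real extension is executable."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) < 2:
            continue
        ext = pieces[-1]
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        decoy = pieces[-2] if len(pieces) >= 3 and pieces[-2] in DECOY_EXTENSIONS else None
        if decoy:
            findings.append(f"Attachment {name!r} is a .{ext} disguised as .{decoy}")
        else:
            findings.append(f"Attachment {name!r} is executable (.{ext})")
    return findings


def analyze(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return all findings (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return check_sender_headers(msg) + check_attachments(msg)


# Constructed sample: the From display name impersonates a colleague, the
# envelope sender and Reply-To point elsewhere, and the "invoice" is a .exe.
PHISHING_MESSAGE = b"""Return-Path: <bounce@bulk-sender.example.org>
From: "alice@corp.example.com" <alice.ceo.office@mailer.example.net>
Reply-To: alice@corp.example.net
To: bob@corp.example.com
Subject: Urgent invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Bob, please open the attached invoice today.
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJD
--XYZ--
"""

# Constructed sample of an ordinary internal message with consistent headers.
CLEAN_MESSAGE = b"""Return-Path: <alice@corp.example.com>
From: Alice Example <alice@corp.example.com>
To: bob@corp.example.com
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(f"[{label}] findings: {analyze(raw) or 'none'}")
```

Header checks like these are cheap and catch the crude spoofs, but they are not a substitute for sender authentication (SPF, DKIM and DMARC) at the mail gateway, which is where a spoofed domain should be rejected before any employee sees the message.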

The way to prevent users from clicking on links and opening attachments is to provide them with security awareness training. Teach staff members how to identify phishing campaigns, and they can check the genuineness of emails before they take action. Developing a culture of security awareness is therefore essential in the fight against cyber crime.

Blocking the emails with a spam filter is even better. That way, the email will never be downloaded and delivered. Unfortunately, from time to time emails do slip through the net. When that happens, employees must know how to react.

Training is therefore important even if a robust and reliable spam filter is used. After all, it is better to be shown how to deal with a phishing email that never arrives than to fall for the first one that gets past a spam filter.

Do Hackers Ever Get Caught and Punished for Their Crimes?

The news is full of reports of data breaches that have been suffered by companies and even governments. Numerous media reports detail how hackers have managed to obtain tens of thousands of confidential records, or in some cases, tens of millions or more. However, it is rare that a hacker is caught and brought to justice for the crimes committed.

Recently, a hacking group in Russia was reported to have stolen a staggering 1 billion passwords. If that was not shocking enough, the authorities know the individuals are located in central Russia. They are also in their early 20s. If they have been identified, why have they not been arrested?

Bringing hackers to justice is complicated

In this case, there are problems because it is the United States that wishes to take action. The crimes were committed against Americans but some countries are unwilling to turn over their own citizens to other countries. In this case, should the criminals be tried in Russia or in the United States? Where should justice occur, where the crimes were committed or in the country most affected by the crimes? Should hackers be extradited?

If there is no treaty in place between two countries, hackers will be tried and sentenced (or not) in their own countries. The United States has tried to get five Chinese hackers extradited and brought to the United States to face trial. They worked for the Chinese military. China is unlikely to take any action, and certainly will not release them to the United States. The individuals are believed to be behind attacks on Alcoa, U.S. Steel and Westinghouse, as well as on other U.S. firms. The criminals were indicted, but that is as far as the U.S. got. They are very likely working on new hacks against U.S. companies.

In some cases, hackers do not need to be extradited. The FBI has previously tricked hackers into coming over to the United States voluntarily. By doing so the tricky issue of extradition has been avoided. The FBI set up a job interview for two hackers using a fake Seattle company. The pair, Alexey Ivanov and Vasily Gorshkov, arrived for the interview and were promptly arrested. The latter received a sentence of 3 years; the former got 48 months.

Spam email kingpin sent 30% of all junk emails!

If you are a cybercriminal or spammer and you have launched attacks on Americans, it is a wise move never to visit the country. However, some just can’t resist. When visiting a car show in Las Vegas in 2010, Russian super-spammer, Oleg Nikolaenko, was arrested and charged for his crimes. He had used a botnet to send the spam emails. That botnet included a staggering half a million computers. Even more staggering was the volume of emails he sent: an estimated 10 billion per day. He is awaiting trial.

Hackers are very good at hiding their real identities and consequently can be difficult to locate. It can be even harder to bring them to justice.

It should come as no surprise to hear that many successful hackers are based in countries that offer protection against extradition to the United States. Unless there are international laws signed, and more cooperation between countries to tackle the global problem of cybercrime, they are unlikely to be tried and sentenced for their offenses.