Social Engineering Chronicles - #2

in #security, 7 years ago

The Newest Media

Every day, there are tens of thousands of people who are trying to find a way to scam you out of your money. This means there are plenty of minds to figure out new ways to make someone click on a nasty link, or give up their personal information.


My girlfriend has received multiple text messages from random numbers asking her to click on a link to take her to some new social media platform their friend invited them to. That link could take someone almost anywhere. It could be a download link that tries to get the user to download a package. Perhaps something malicious?

It can also lead you to pages that ask for login information. Consider a text claiming to be from AT&T that asks you to go to a link to reset your password. This text includes your first and last name as

You say to yourself, “I should be able to trust this text from AT&T, right? How would they have texted me knowing I had AT&T as a provider and knew my name?”


So you go to the website and it asks for your email, old password, and the two new password fields. So you fill in the information, and nothing happens.

Maybe they follow up with a fake email saying you changed your password. You never did. You simply gave them your current password, and they are on your account right now, gathering information about you.

Human Failures

It may not seem so, but humans are inherently trusting. A person who falls for this trusted that someone who knew they had AT&T and texted them using their first and last name would have to be AT&T, but that is just not true.

There are lists that you can buy on the internet, dark web or not, that have phone numbers and the names of who owns them. They are compiled from so many different places it would be difficult to list them all. It ranges from website breaches to phishing campaigns and everything in between.

The con man at this point would then set up a script to send a text to everybody on that list, each one claiming to be from AT&T. Maybe over half of the people would know it was fake, but if I have a list of 10k, that still leaves around 4k people I have a chance at phishing today.


They trade reach for a more convincing lure: a text that carries your name and your carrier converts far better than a generic one, even if it reaches fewer people.

Pay Attention

You need to pay attention as you go about your day. If there is a link in a text from someone you don’t know, the safest choice is not to click on it.

If for some reason you can’t help but click on it, either by necessity or out of curiosity (I really hope not), look at the address bar of whatever webpage the link takes you to. If you know which website you are supposed to be on and the page looks legitimate, make sure the URL starts with HTTPS. One caveat: HTTPS only means your connection to whatever domain is shown is encrypted. Phishing pages get valid certificates just as easily as real ones, so the padlock is necessary but not sufficient. The part that actually matters is the domain itself: att.com is AT&T, while att.com.something-else.example or a host with att.com@ in front of it is not.

The three main browsers show the URL like this when you are on an HTTPS page.

[Screenshot: Chrome address bar on an HTTPS page]

[Screenshot: Firefox address bar on an HTTPS page]

[Screenshot: Edge address bar on an HTTPS page]
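The checks described above can be done by eye, but they are easy to get wrong in a hurry, so here is a small Python triage script as an added example. It is not part of the original post and not AT&T tooling; the sample texts, the example domains and the IP address in it are constructed for illustration, and the expected carrier domain (att.com) is passed in as a parameter. For each link in a text it reports why the link should not be trusted: wrong scheme, a single slash after the scheme, a user@host trick that hides the real host, an internationalised host that can be a homoglyph lookalike, hidden bidi or zero-width characters, and, most importantly, a host that is not the expected domain or one of its subdomains.

```python
import re
from urllib.parse import urlsplit

# Unicode code points that can visually disguise a link in a text message.
SUSPICIOUS_CODEPOINTS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # bidi embeddings/overrides
    "\u2066", "\u2067", "\u2068", "\u2069",            # bidi isolates
    "\u200b", "\u200c", "\u200d", "\ufeff",            # zero-width characters
}

# Deliberately loose: matches "https://host" as well as the single-slash "https:/host".
URL_RE = re.compile(r"https?:/\S+", re.IGNORECASE)

# Constructed sample texts (not real messages), one per trick discussed above.
SAMPLE_TEXTS = [
    "AT&T: Jane Doe, your password expires today. Reset at https://att.com.account-reset.example/login",
    "AT&T: reset your password at https://att.com@198.51.100.7/reset",
    "AT&T security: https:/att.com/reset now.",
    "Your AT&T bill is ready: https://www.att.com/myatt",
]


def extract_links(message: str) -> list[str]:
    """Return every http(s) URL-looking token in an SMS body, trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;!?)") for m in URL_RE.finditer(message)]


def registrable_matches(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a subdomain of it.

    The expected name must be the dot-separated suffix of the host. Merely
    containing it ("att.com.account-reset.example") does not count.
    """
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def check_link(url: str, expected_domain: str) -> list[str]:
    """Return the reasons not to trust url as a link to expected_domain.

    An empty list means nothing suspicious was found, which is still not proof
    that the page is safe; it only means the obvious tricks are absent.
    """
    reasons = []
    if any(ch in SUSPICIOUS_CODEPOINTS for ch in url):
        reasons.append("hidden bidi/zero-width characters in link")
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if not parts.netloc:
        # "https:/att.com/..." parses with an empty host and att.com in the path.
        reasons.append("no host after the scheme (single slash or malformed)")
        return reasons
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; the browser connects to parts.hostname.
        reasons.append("credentials before '@' hide the real host " + repr(parts.hostname))
    host = parts.hostname or ""
    if any(ord(ch) > 127 for ch in host) or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        reasons.append("internationalised host name (possible homoglyph lookalike)")
    if not registrable_matches(host, expected_domain):
        reasons.append(f"host {host!r} is not {expected_domain} or a subdomain of it")
    return reasons


def triage_sms(message: str, expected_domain: str) -> dict[str, list[str]]:
    """Map each link in the message to its list of reasons for distrust."""
    return {link: check_link(link, expected_domain) for link in extract_links(message)}


if __name__ == "__main__":
    for text in SAMPLE_TEXTS:
        for link, reasons in triage_sms(text, "att.com").items():
            verdict = "; ".join(reasons) if reasons else "no obvious tricks found"
            print(f"{link}\n    -> {verdict}")
```

Of the four constructed samples only the last one comes back clean; the other three are each caught by a different check. The script does not fetch anything, so it is safe to run on a suspicious message before deciding whether to open the link at all.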

Remember, when it comes to your information and the wild wild west of the internet, “It is guilty until proven innocent.”


-Bias Narrative



Nice post.
If we take this a little further with address bar spoofing using LTR characters, the attacker can make the URL in the address bar look like a legitimate website like Google over HTTPS. So to be safe, users need to check for '://' after https and confirm it is not a single slash ':/'.
Thanks for the post.

Hmm, didn't know that. Just goes to show how much any of us know about security. Thank you!