Social Engineering: Eight Common Tactics
Scammers Strike When Chips Are Down
Marcus said Avert has seen a rise in the number of presidential campaign-related and economic crunch-based spam emails lately.
"There have been a bunch of phishing attacks related to banks being bought by others," said Marcus. "The email will say 'Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.' It's an attempt to get you to release your information so they can log into your account to either steal your money or sell your information to someone else."
6. Abusing faith in social networking sites
Facebook, MySpace and LinkedIn are hugely popular social networking sites, and people have a lot of faith in them, according to Marcus. A recent spear-phishing incident targeted LinkedIn users, and the attack surprised many. Marcus said social networking devotees are increasingly being fooled by emails that claim to be from sites like Facebook but are really from scammers.
"They will get an email that says: 'The site is doing maintenance, click here to update your information.' Of course, when you click on the link, you go to the bad guys' site." Marcus recommends advising employees to type Web addresses in manually to avoid malicious links, and to keep in mind that it is very rare for a site to send out a request for a password change or an account update. (For more tips see How to Use Social Networking Sites Safely.)
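The trick described above works because the visible link text and the real destination of an HTML anchor can say completely different things. The following is an added example (not code from the article or from Avert) that pulls the anchors out of an HTML email and flags those whose real host is not the brand the message claims to be from. The sample message, the hypothetical domain `account-verify.example` and the TEST-NET address `198.51.100.7` are constructed for the illustration; the `registrable()` helper uses a crude "last two labels" rule, which is an assumption that breaks for multi-part public suffixes such as `co.uk`.

```python
"""Added example: flag phishing-style anchors in an HTML email.

The mail body below is constructed; it is not a real message.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (assumption: no multi-part public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, brand_domain: str) -> List[Tuple[str, str, str]]:
    """Return (href, text, reasons) for anchors that do not really lead to brand_domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    brand_label = brand_domain.split(".")[0]  # e.g. "facebook"
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        target = registrable(parsed.hostname or "")
        reasons = []
        # Classic trick: the visible text is itself a URL, but it points somewhere else.
        if text.startswith(("http://", "https://")):
            shown = registrable(urlparse(text).hostname or "")
            if shown != target:
                reasons.append("displayed URL differs from real target")
        if target != brand_domain:
            if brand_label in (parsed.hostname or "").lower():
                # facebook.com.account-verify.example: the brand is only a decoy label
                reasons.append("brand name used as a decoy label in another domain")
            else:
                reasons.append(f"link host is {parsed.hostname}, not {brand_domain}")
        elif parsed.scheme != "https":
            reasons.append("brand host but not https")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample: a "maintenance" lure of the kind quoted in the article.
SAMPLE_MAIL = """
<p>Facebook is doing maintenance.
<a href="http://facebook.com.account-verify.example/login">Click here to update your information</a>.</p>
<p>Or visit <a href="http://198.51.100.7/fb">http://www.facebook.com/settings</a></p>
<p>Help: <a href="https://www.facebook.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_MAIL, "facebook.com"):
        print(f"{why}\n  text: {text!r}\n  href: {href}")
```

Only the genuine `https://www.facebook.com/help` link passes; the other two are reported with the reason a user could have spotted by hovering over the link instead of clicking it, which is exactly why the advice to type the address by hand holds up.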
7. Typo Squatting
On the Web, bad guys also bank on the common mistakes people make when they type, according to Marcus. Type a URL that is just one letter off and you can end up somewhere you never intended.
"Bad guys prepare for typing mistakes and the site they prepare is going to look a lot like the site you thought you were going to, like Google."
Instead of going where they wanted, unsuspecting users who mistype end up on a fake site that intends to sell something, steal something, or push out malware.
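Squatters register these "one letter off" names ahead of time, so defenders enumerate the same neighbourhood and watch for registrations in it. The following is an added example (not code from the article or from Avert) that generates the single-keystroke typo variants of a domain, the way a squatter would, and matches a list of domains against them. The technique labels, the US QWERTY adjacency table, the short homoglyph list and the "observed" domain list are all assumptions constructed for this illustration; `google.com` is used only because the article names it.

```python
"""Added example: enumerate typosquat candidates for a domain and match observed names."""
import string
from typing import Dict, Iterable

# Physically adjacent keys on a US QWERTY layout (assumption), for "fat finger" swaps.
ADJACENT = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

# Character swaps that survive a casual glance (assumption: deliberately short list).
HOMOGLYPHS = (("o", "0"), ("l", "1"), ("i", "1"), ("rn", "m"), ("vv", "w"))


def typo_candidates(domain: str) -> Dict[str, str]:
    """Map each candidate domain to the technique that produces it (first one wins)."""
    dom = domain.lower()
    name, _, tld = dom.rpartition(".")
    out: Dict[str, str] = {}

    def add(n: str, how: str) -> None:
        cand = f"{n}.{tld}"
        if n and cand != dom and cand not in out:
            out[cand] = how

    for i in range(len(name)):
        add(name[:i] + name[i + 1:], "omission")            # gogle.com
        add(name[:i] + name[i] + name[i:], "repetition")    # gooogle.com
        if i < len(name) - 1:
            add(name[:i] + name[i + 1] + name[i] + name[i + 2:], "transposition")  # googel.com
        for key in ADJACENT.get(name[i], ""):
            add(name[:i] + key + name[i + 1:], "adjacent-key")  # goofle.com
    for i in range(len(name) + 1):
        for key in string.ascii_lowercase:
            add(name[:i] + key + name[i:], "insertion")     # googlle.com
    for real, fake in HOMOGLYPHS:
        if real in name:
            add(name.replace(real, fake, 1), "homoglyph")   # goog1e.com
    return out


def flag_lookalikes(domain: str, observed: Iterable[str]) -> Dict[str, str]:
    """Return the observed domains that fall in the typo neighbourhood of `domain`."""
    cands = typo_candidates(domain)
    return {d: cands[d] for d in observed if d.lower() in cands}


# Constructed list standing in for newly registered domains or proxy-log hostnames.
OBSERVED = ["gogle.com", "googel.com", "goog1e.com", "example.com", "google.com"]

if __name__ == "__main__":
    hits = flag_lookalikes("google.com", OBSERVED)
    print(f"{len(typo_candidates('google.com'))} candidates generated")
    for d, how in sorted(hits.items()):
        print(f"{d:<16} {how}")
```

The candidate set for a six-letter name runs to a few hundred entries, which is why squatters only bother registering the ones real users hit most often; feeding a daily feed of new registrations through `flag_lookalikes` for your own brands catches those before the lure emails go out.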
8. Using FUD to affect the stock market
The security and vulnerabilities of products, and even of entire companies, can affect the equities market, according to new research from Avert. Researchers studied the impact of events such as Microsoft's Patch Tuesday on the company's stock and found a noticeable swing each month after vulnerability information was released.
"Publicly-released information has an effect on stock prices," said Marcus. "Another recent example is the fake information that was circulated a few weeks ago about Steve Jobs' health. Apple stock took a dive on that. That is a clear example of someone inserting FUD and a resulting effect on a stock." Presumably the culprits held a 'short' position which allowed them to profit from this trick.
The converse approach is to use email to execute the ancient 'pump-and-dump' tactic. A scammer buys a large volume of a penny stock, then blasts out emails under the guise of an investment advisor touting that stock's great potential (that's the 'pump'). If enough recipients of the spam rush to buy the stock, the price spikes upward. The scammer then quickly 'dumps' his shares at a great profit.