Saturday, November 17, 2018
facebook

google plus
Trends

Posted at: Sep 15, 2018, 12:31 AM; last updated: Sep 15, 2018, 12:31 AM (IST)

DUPED

What makes us so vulnerable to cyber attacks?
DUPED

Sangeet Toor

Social engineering is the art of psychological manipulation. At the centre of every cyber scam, there is a human being and their own vulnerabilities. Not very long ago, there was a Punjabi guy named Happy, who lived in a small village and studied BCA at a local business. One fine spring morning, when the overall weather was overcast with the Bitcoin clouds, he received a call from a woman who spoke English in thick Indian accent. She was calling from the United States of America, from a company called Nvidia.

Her company sold Nvidia Graphic Processing Units (GPU) at reasonable rates. She claimed that Happy would be able to earn money in a Bitcoin wallet online and the company associates would help with the process of setting everything up over the Internet. The price for one GPU was Rs 30,000. They had an ongoing deal in which two GPU’s were sold for Rs 50,000, but the deal would end the next day. More GPUs meant more Bitcoins. She was reasonable as she called out the short time span to arrange that amount. Happy could get the deal even if he paid Rs 25,000 by the evening. He asked for some time to think about it. She promised to call within half an hour. And you bet she did!

Happy went online and looked into the company profile and products. In the meantime, she sent him a few testimonials and some certificates. Over the next couple of days, Happy paid the two installments to two different bank accounts within India. He called her when the GPUs did not arrive on time. There was a problem with the customs in America. He must pay Rs 30,000 for the items to be on their way. It did not end there. Happy paid six such installments as the plane fee, customs at the layover airport, customs in India, postal charges in India, and the repairs done to items as they were slightly damaged. The GPUs never arrived.

Happy’s father, who is a decent farmer, went to the bank to withdraw cash and it was empty. Happy confessed to being duped. Remorse and shame dawned upon him. They went to the cyber crime unit in Chandigarh. There is little that law enforcement can do in such cases as the attackers mask their caller IDs to make it impossible to trace them, and the bank accounts are linked to other untraceable accounts by obscure routes.

Why humans err

  • Trusting and unsuspecting: Humans are social beings and trust is central to being social. We trust the person we interact with at the face value. Happy trusted Nvidia; the attacker established the associated trust and Happy did not question it.
  • Greed: Our own hidden intent overpowers our ability to suspect. Mostly, it is greed (easy money, getting help for free, too good to be true deals) that drives two humans on diametrically opposite sides of social engineering.
  • Curiosity: It has a special place in the evolution of humans, and the evolution of the cyber attacks also. The attacker engineers the call or email so as to pique the interest of the victim. Happy knew about Bitcoins and mining but it was the mining equipment that was of interest to him.
  • Reaction to urgency: Humans rush to act and react in urgent situations. The attacker created a scenario where the deal would end next day. Happy must act immediately or the deal would slip out of his hands.
Why personal info matters 

  • Identity: An individual’s identity is the most valuable resource. Identity theft, which is common in Europe and USA, is going to be a collective migraine if we don’t understand what is Personally Identifiable Information (PII).
  • PII: Aadhaar Number and bank account information are sensitive PII. An attacker can launch a social engineering attack to get your PII and assume your identity in real life.
  • Online identity: Email and social media account passwords are valuable to authenticate yourself on the Internet. An attacker can social engineer you to get the passwords and send malicious emails from your account.
  • Computer and smartphone resources: An attacker can entice you to divulge your hardware passwords or delete crucial files or get remote access to use your device to launch attacks on other devices.
— The writer is a security analyst


Types of attacks

Phishing attacks: These are accomplished via email.

Vishing attacks: When the social engineering is accomplished through Voice over IP calls, those are called Vishing attacks. Happy was a victim of a vishing attack.

Facebook wants you to change your password: The email suggests that you click the link in the email to reset the password. The attacker acquires your trust by making it look like it came from Facebook.

You had a distant relative by the name AkiyouAkhiya: The relative is now dead and wants you to get the inheritance worth millions of dollars. You must give your name, address, bank information, etc. to get the generous gift. 

Cry for help: These emails prey on the softhearted and generous people who legitimately want to help a stranger in a difficult time. 


To Do or Not To Do

  • Do not open the suspicious email or click on the links in the email. Let that distant relative’s inheritance go to her own grave.
  • If you want to change your Facebook password, do so on Facebook website and not through the link in the email.
  • Know when to trust. If you never made a request for help, do not accept it. As soon as somebody asks for your Aadhaar Number, bank information or password, hang up. Don’t engage.
  • Approach the law enforcement and financial institution if you think you are duped. Change all the passwords immediately.
  • Set the anti-phishing features in your web-browser/email provider settings.

COMMENTS

All readers are invited to post comments responsibly. Any messages with foul language or inciting hatred will be deleted. Comments with all capital letters will also be deleted. Readers are encouraged to flag the comments they feel are inappropriate.
The views expressed in the Comments section are of the individuals writing the post. The Tribune does not endorse or support the views in these posts in any manner.
Share On