In this lesson, you will try to recognize manipulative e-mails or fake websites. You’ll learn all the things that help you not get fooled: checking the address bar, thinking about the security of public Wi-Fi networks, or securely sharing private information online. Reading this lesson takes about 15 minutes as usual: use every single one of them to brush off the sneaky manipulators!
An IT technician (from a university) calls you and asks about a particular device or warns you about an invalid license. He refers to a colleague of yours (whose name can be easily found online). By answering, you disclose information, a small piece of the puzzle that the attacker builds from multiple sources. Manipulative techniques differ in the attacker’s goal – which can be anything from accessing an internal network to raiding a bank account. The most popular method is called phishing. Masaryk University deals with ten phishing campaigns annually, which trick a considerable number of users. So, phishing is really happening. Invest a few minutes of extra time in reading our phishing guide so that you won't be the next victim.
You usually end up on a fake, dangerous website by clicking the URL link inside a phishing e-mail (see the phishing guide). Therefore, always type the web address yourself into a new browser tab instead of clicking call-to-action links. Any change in the address bar, however small, indicates a fake website. Typical examples are replacing a dot with a hyphen (www.is-muni.cz), leaving out a letter (www.is.mni.cz), or swapping in a similar-looking letter (www.is.munl.cz). A password manager helps you recognize fake websites, too: if it doesn’t offer to fill in your username and password, it did not recognize the site, which signals a problem. Remember, always check the address bar!
The letters HTTP and HTTPS (Hypertext Transfer Protocol Secure) are no longer shown in recent browsers. Soon, the (green) lock icon will vanish as well, and so will the name of the certificate owner (in this case, Masaryk University). All of that brings us to the fundamental advice: always check the address bar.
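The three address-bar tricks above (dot replaced by a hyphen, a letter left out, a similar-looking letter swapped in) can be checked mechanically. The following is an added example, not code from the lesson or from Masaryk University: it takes a URL, extracts the hostname, and compares it with an assumed legitimate host (is.muni.cz, taken from the lesson's examples) using a small look-alike table and an edit-distance threshold, both constructed here. It also flags the case where the real name is buried inside a longer, unrelated domain.

```python
from urllib.parse import urlsplit

# Assumption for this example: the site the user expects to reach.
LEGITIMATE_HOST = "is.muni.cz"

# A few glyph pairs that are easy to confuse at a glance (constructed, not exhaustive).
CONFUSABLES = {"l": "i", "1": "i", "0": "o", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL; a missing scheme is tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def normalize(host: str) -> str:
    """Undo the lesson's tricks: drop 'www.', merge confusable glyphs, treat '-' as '.'."""
    h = strip_www(host)
    for lookalike, canonical in CONFUSABLES.items():
        h = h.replace(lookalike, canonical)
    return h.replace("-", ".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one missing or swapped letter gives a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, legitimate: str = LEGITIMATE_HOST) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the host in `url`."""
    host = hostname(url)
    # The real host itself, or a genuine sub-domain of it (www.is.muni.cz).
    if host == legitimate or host.endswith("." + legitimate):
        return "legitimate"
    norm, legit_norm = normalize(host), normalize(legitimate)
    # is-muni.cz, is.mni.cz and is.munl.cz all land within distance 2 after normalization.
    if norm == legit_norm or levenshtein(norm, legit_norm) <= 2:
        return "lookalike"
    # The real name appears, but the registered domain is something else entirely.
    if legitimate in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://www.is.muni.cz/auth/", "https://www.is-muni.cz/",
                   "www.is.mni.cz", "http://www.is.munl.cz",
                   "https://is.muni.cz.login-check.example/", "https://www.example.org/"):
        print(f"{sample:45} -> {classify(sample)}")
```

The normalization step is deliberately aggressive: a false "lookalike" verdict only costs the user a second look at the address bar, whereas a missed one costs their password.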
Public Wi-Fi without a password is dangerous. You reveal your data to anyone who is also connected and a little skilled. Turn off the setting for automatic connection to Wi-Fi without a password (it’s only useful for home and work networks).
Public Wi-Fi networks protected by a password are relatively safer: other people on the network can't see what you’re doing. However, don’t forget that the network administrator still can. Nowadays, many devices alert you when you are about to connect to a public (and therefore possibly untrustworthy) Wi-Fi network.
A virtual private network is an application that provides a secure connection from anywhere. Imagine a tunnel into which no one can see. With a VPN, your communication, passwords, etc. stay invisible. That’s why you should use it on every device. Installing a VPN is easy; you can find detailed instructions in lesson five.
To avoid going mad, start thinking about what kind of information you usually leave behind and try to eliminate it. Begin with these steps:
Differentiate between the pieces of information you publish based on their importance. Categorize your online accounts into three boxes: the red one is a super-safe vault for accounts with a high risk of abuse. The yellow box is for something less critical that you still don't want to leave in the open green box. Always consider both personal and business accounts. And how do you start categorizing? Ask yourself: what kind of data would an attacker get, and what would that mean for me?
Red box (highly important), maybe: internet banking, social network profiles, (work) e-mail, work or school information systems.
Yellow box, maybe: telephone number, permanent residence address.
Green box, maybe: e-mail with advertising offers and spam.
Kevin Mitnick is one of the most famous attackers who used social engineering techniques. During the 80s and 90s, Kevin, thanks to his eloquence, worked his way up from eavesdropping on phone calls to hacking government systems. He hid from the FBI for three years. Since he never stole money from people or companies – hacking was a challenge for him – he grew in popularity. Kevin wrote a few books, and he now works as an expert on business systems security. You can read about him here (and find out the doughnut secret).
Of course, they do. In 2019 alone, the cyber team CSIRT-MU dealt with a wave of blackmail messages. Next, it handled a fake request to log in to Microsoft Office that specifically targeted Czech universities. Attackers also offered license renewals, and there were e-mails urging people to change their faculty logins. In 2018, the attackers ran a fake campaign that, surprisingly, warned against phishing.
The most common types of phishing messages are notices about failed payments, demands to update security data, or customer satisfaction surveys. Typically, attackers exploit emotions such as fear and trust, and appeal to authority.
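The message types and emotional levers listed above translate into simple, explainable signals that a mail filter or a careful reader can look for. The following is an added example, not CSIRT-MU's or the lesson's own code: it scores two constructed messages (one phishing, one benign) on pressure phrases, credential requests, appeals to authority, a Reply-To domain that differs from the sender's, and a link whose visible text names a different host than its real target. All phrase lists, weights, addresses and domains are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Short phrase lists following the lesson's categories (constructed, deliberately incomplete).
PRESSURE = ["immediately", "within 24 hours", "will be suspended", "failed payment", "final notice"]
CREDENTIALS = ["confirm your password", "update your security", "verify your account", "enter your login"]
AUTHORITY = ["it department", "system administrator", "security team"]


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def mail_domain(address: str) -> str:
    """Domain part of 'Name <user@domain>' or plain 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means more phishing indicators."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    score, reasons = 0, []
    for phrase in PRESSURE:
        if phrase in text:
            score += 2
            reasons.append("pressure: " + phrase)
    for phrase in CREDENTIALS:
        if phrase in text:
            score += 3
            reasons.append("asks for credentials: " + phrase)
    for phrase in AUTHORITY:
        if phrase in text:
            score += 1
            reasons.append("appeals to authority: " + phrase)
    sender = mail_domain(msg["from"])
    reply_to = msg.get("reply_to")
    if reply_to and mail_domain(reply_to) != sender:
        score += 2
        reasons.append("Reply-To domain differs from From domain")
    for label, href in msg.get("links", []):
        target = host_of(href)
        # Only compare when the visible link text itself looks like a hostname or URL.
        shown = host_of(label if "://" in label else "http://" + label) if "." in label and " " not in label else ""
        if shown and shown != target:
            score += 3
            reasons.append(f"link text shows {shown} but points to {target}")
        elif target and target != sender and not target.endswith("." + sender):
            score += 1
            reasons.append(f"link leaves the sender's domain: {target}")
    return score, reasons


def is_suspicious(msg: dict, threshold: int = 5) -> bool:
    return score_message(msg)[0] >= threshold


# Constructed sample messages (addresses and domains are not real).
PHISH = {
    "from": "IT Support <it-support@muni-cz.example>",
    "reply_to": "helpdesk@mailbox.example",
    "subject": "Failed payment: action required",
    "body": "Your university account will be suspended within 24 hours. "
            "Please confirm your password at the link below. IT Department",
    "links": [("is.muni.cz", "https://www.is-muni.cz/login")],
}
LEGIT = {
    "from": "library@muni.cz",
    "subject": "New opening hours",
    "body": "From Monday the library opens at 8:00. Details are on our website.",
    "links": [("our website", "https://www.muni.cz/library")],
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, reasons = score_message(msg)
        print(name, score, is_suspicious(msg), *reasons, sep="\n  ")
```

The link-text check is the strongest single signal here: the phishing sample shows the real address as its visible text while the underlying target is the hyphenated look-alike, which is exactly what hovering over a link (or typing the address yourself) reveals.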
MITM stands for Man in the Middle. It’s a sophisticated way of attacking your device. Imagine a connection: your device is on one end; on the other end are the apps you want to connect to or communicate with (e.g., Internet banking). The attacker slips unnoticed into the middle and starts changing data flows and values. So, when you make an online payment, he could change the amount of money or the receiving account number. Unencrypted communication (HTTP addresses, public Wi-Fi with or without a password) is especially prone to MITM. The good news is that unencrypted connections are slowly disappearing. But until they are gone completely, rely on a VPN (virtual private network).
Ransomware can reach your device after you open an unknown e-mail attachment, but it can also infect your device through another infected machine on the network. (It’s like catching the flu in a doctor's waiting room when you only came to sort out some papers.) The device will report that the disk needs to be checked and repaired, but once you confirm, your data gets encrypted and a ransom demand pops up. We recommend not paying the attackers; disconnect your computer from the network immediately (even on mere suspicion), turn it off, and call professional IT help. As a preventive measure, we repeat: back up your data and update your software regularly (mainly antivirus).