What’s the lesson about?
To trick, manipulate, and cheat a person is cheaper, faster, and more effective than trying the same on safeguarded technologies. This field of manipulation is called social engineering.
In this lesson, you will learn to recognize manipulative e-mails and fake websites. You’ll learn the things that help you not get fooled: checking the address bar, thinking about the security of public Wi-Fi networks, and sharing private information online securely. Reading this lesson takes about 15 minutes, as usual: use every single one of them to brush off the sneaky manipulators!
Do you answer an IT specialist’s questions over the phone?
And are you sure it's really him? This type of manipulation is called social engineering. It covers many techniques and methods by which attackers deceive users into performing certain actions (such as clicking on a URL link, disclosing information, or approving a payment). These attacks are insidiously stealthy.
An IT technician (from a university) calls you and asks about a particular device or warns you about an invalid license. He refers to a colleague of yours (whose name can easily be found online). By answering, you disclose information: a small piece of the puzzle that the attacker assembles from multiple sources. Manipulative techniques differ in the attacker’s goal, which can be anything from accessing an internal network to raiding a bank account. The most popular method is called phishing. Masaryk University deals with ten phishing campaigns annually, and they trick a considerable number of users. So, phishing is really happening. Invest a few minutes of extra time in reading our phishing guide so that you won't be the next victim.
How to avoid dangerous websites?
In a fast everyday working routine, you don’t have enough time to check every detail. However, always, without exception, check at least the address bar.
You usually end up on fake, dangerous websites by clicking the URL link inside a phishing e-mail (see the phishing guide). Therefore, always type the web address yourself into another browser tab instead of clicking on call-to-action links. Each change in the address bar, however small, indicates a fake website. Typical examples of these changes are replacing a dot with a hyphen (www.is-muni.cz), leaving out a letter (www.is.mni.cz), or swapping in a similar-looking letter (www.is.munl.cz). A password manager helps you recognize fake websites, too: it offers to fill in your username and password only on the website they were saved for, so if it stays silent, it didn’t recognize the website itself, which indicates a problem. Remember, always check the address bar!
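As an added example (not part of the lesson), here is the address-bar check above written out as a small Python script: it takes the host out of a URL, compares it with the legitimate host, and names which of the three tricks described above it matches. The legitimate host and the three lookalikes are the lesson’s own; the table of confusable letters is a constructed assumption, and the script goes slightly beyond the text by also treating a host that merely ends with the legitimate name in the wrong place (is.muni.cz.example, a hypothetical address) as a different site.

```python
from urllib.parse import urlsplit

# The legitimate host from the lesson; the lookalikes in the lesson are the cases below.
LEGIT_HOST = "is.muni.cz"

# Letter pairs that look alike in an address bar (constructed, deliberately short table).
_LOOKALIKES = [("l", "i"), ("1", "l"), ("0", "o"), ("5", "s")]
CONFUSABLE_PAIRS = {p for a, b in _LOOKALIKES for p in ((a, b), (b, a))}


def host_of(url):
    """Return the lowercase host of a URL; a scheme is added if the user omitted it."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def strip_www(host):
    """'www.' is not the part people check, so compare names without it."""
    return host[4:] if host.startswith("www.") else host


def classify(url, legit=LEGIT_HOST):
    """Label a URL 'ok' (the legitimate host or one of its subdomains), name the
    address-bar trick it shows, or return 'different-host' for anything else."""
    host, legit = strip_www(host_of(url)), strip_www(legit)
    # A password manager applies a similar rule: fill only on the saved host or its subdomains.
    if host == legit or host.endswith("." + legit):
        return "ok"
    # Trick 1: a dot replaced by a hyphen (is-muni.cz instead of is.muni.cz).
    if host.replace("-", ".") == legit:
        return "dot-to-hyphen"
    # Trick 2: one letter left out (is.mni.cz): the host equals legit minus one character.
    if any(legit[:i] + legit[i + 1:] == host for i in range(len(legit))):
        return "missing-letter"
    # Trick 3: one letter swapped for a look-alike (is.munl.cz): same length, one confusable difference.
    if len(host) == len(legit):
        diffs = [(h, l) for h, l in zip(host, legit) if h != l]
        if len(diffs) == 1 and diffs[0] in CONFUSABLE_PAIRS:
            return "similar-letter"
    # Everything else, including is.muni.cz.example (hypothetical), is simply another site.
    return "different-host"


if __name__ == "__main__":
    for u in ("https://is.muni.cz/auth/", "www.is-muni.cz", "www.is.mni.cz",
              "www.is.munl.cz", "https://is.muni.cz.example/"):
        print(f"{u:32} {classify(u)}")
```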
HTTP, HTTPS, and a green lock?
The prefixes HTTP and HTTPS (HTTPS stands for hypertext transfer protocol secure) have disappeared from the address bar in recent browsers. Soon, the (green) lock icon will vanish as well, and so will the name of the certificate owner (in this case, Masaryk University). All of that brings us back to the fundamental advice: always check the address bar.
Who sees you on Wi-Fi and how to hide?
It doesn't pay off to log in to every Wi-Fi network. After all, you never know whether the Wi-Fi is fake (an attacker can easily name his Wi-Fi after a coffee shop, a bank, or wherever you’re connecting from). Regardless of whether the Wi-Fi is protected by a password or not, it poses a risk to your security and privacy. The good news is that the solution is easy: a VPN (virtual private network).
Everyone sees what you’re doing
Public Wi-Fi without a password is dangerous: you reveal your data to anyone who is also connected and a little skilled. Turn off the setting for automatic connection to Wi-Fi networks without a password (automatic connection is only useful for home and work networks).
The administrator sees what you’re doing
Public Wi-Fi networks with passwords are relatively safer to work on: other people on the network can't see what you’re up to. However, don’t forget that the network administrator still can. Nowadays, many devices alert you if you are about to connect to a public (and therefore possibly untrustworthy) Wi-Fi network.
You are almost invisible
A virtual private network is an application that provides a secure connection from anywhere. Imagine a tunnel into which no one can see. With a VPN, your communication, passwords, etc. stay invisible. That’s why you should use it on every device. Installing a VPN is easy; you can find detailed information in lesson five.
What information do you leave behind online?
On the internet, you usually leave behind information of various levels of confidentiality and importance, e.g., the content of e-mails, posted photos, internal business files, cookies, browser search history, etc. The more information you voluntarily give up, the easier it is for an attacker to take advantage of it (identity theft, cyberbullying, personalized ads).
To keep this manageable, start thinking about what kind of information you usually leave behind and try to reduce it. Begin with these steps:
- Set your social network profiles to private (but that doesn’t mean 100% protection);
- check your friend lists (do you know all of them?);
- stop posting exploitable information (ID card number, vacation dates; that’s like messaging a thief "between the 15th and the 25th, you can rob my house").
Differentiate between the pieces of information you publish based on their importance. Categorize your online accounts into three boxes: the red one is a super-safe vault for accounts with a high risk of abuse. The yellow box is for something less critical that you still don't want to leave in the open green box. Always consider both personal and business accounts. And how to start categorizing? Ask yourself: what kind of data would an attacker get, and what would that mean for me?
- Red box (high risk of abuse). Maybe: internet banking, social network profiles, (work) e-mail, work or school information systems.
- Yellow box (more or less important). Maybe: telephone number, permanent residence address.
- Green box (not so important). Maybe: e-mail with advertisement offers and spam.
You may forget technical terms like phishing, and it may be hard for you to imagine social engineering in your own life. But if there’s one thing you should remember from this lesson, it's "always be cautious". Social engineers are creative and sneaky. Verify requests that arrive by e-mail or phone, and always use a secure Internet connection (ideally through a VPN).
Bonuses for curious users
Doughnuts for the FBI. Who’s probably the most famous social engineer?
Kevin Mitnick is one of the most famous attackers who used social engineering techniques. During the 80s and 90s, Kevin, thanks to his eloquence, worked his way from eavesdropping on phone calls to hacking government systems. He hid from the FBI for three years. Since he never stole money from people or companies (hacking was a challenge for him), he grew in popularity. Kevin wrote a few books, and he now works as an expert on business systems security. You can read about him here (and find out the doughnut secret).
Phishing threats apply to MUNI, too
Of course, they do. In 2019 alone, the cyber team CSIRT-MU dealt with a whirlwind of blackmail e-mails. Next, it dealt with a fake request to log in to Microsoft Office, which specifically targeted Czech universities. Attackers also offered license renewals, and there were e-mail calls to change faculty logins. In 2018, attackers started a fake campaign that, surprisingly, warned against phishing.
Top phishing themes
The most common types of phishing messages are notices about failed payments, demands to update security data, and customer satisfaction surveys. Typically, the attackers play on emotions like fear and trust, and appeal to authority.
MITM: the current threat
MITM stands for Man in the Middle. It’s a sophisticated way of attacking your device. Imagine a connection: your device is on one end; on the other end are the apps you want to connect to or communicate with (e.g., Internet banking). The attacker slips unnoticed into the middle and starts to change data flows and values. So, when you make an online payment, he could change the amount of money or the receiving bank account number. Unencrypted communication (HTTP addresses, public Wi-Fi with or without a password) is especially prone to MITM. The good news is that unencrypted connections are slowly disappearing. But until they are gone completely, rely on a VPN (virtual private network).
Ransomware: malicious code that encrypts data
Ransomware can get onto your device after you open an unknown e-mail attachment, but it can also infect your device through another infected machine on the network. (It’s like catching the flu in a doctor's waiting room when you only went there to sort out some papers.) The device will report that the disk needs to be repaired and checked, but once you confirm, your data gets encrypted, and a ransom request pops up. We recommend not paying the attackers; disconnect your computer from the network immediately (even if it’s just a suspicion), turn it off, and call professional IT help. As a preventive measure, we repeat: back up your data and update your software regularly (mainly the antivirus).