Phishing Scams : When They Know Who You Are

Phishing scams have been around for decades, but in recent years they have become far more advanced due to the incredible amount of your data that has been leaked to the world. It’s important to understand some of the methods being used today, as to ensure you do not fall prey to a would-be attacker. I want to be clear, this is by no means intended to be a complete guide to phishing, but simply to shed some light some of the more recent advancements in how the scams are operated.

Let’s backup a second and explain the roots of what a phishing scam is. Phishing by definition is a cyber crime in which a target is contacted by email, phone, text message, or otherwise to try and lure the target into revealing sensitive information to the attacker. Attackers can pretend to be nearly anyone, so it’s important to always be astute, no matter how legitimate you may believe a message could be. Typical scams include attackers posing as a financial institution (bank or credit card), a popular store (Walmart, Amazon, Costco, etc), or even as sneaky as being a friend or family member. 

Many of us are used to the typical nonsense, which sadly hundreds of thousands (if not more) people fall prey to every year. Phishing emails are by far the most popular as they’re the easiest to send out in mass (and, at basically no cost). Many email services do a relatively good job of blocking these out using a whole long list of methods (sounds like an excellent idea for another post). But, when you receive a phone call or a text message, it becomes a little more real. We are becoming more and more accustomed to getting text messages about our accounts. Many services will send us friendly (err, annoying) messages from time to time. Most notably I get them from this one dentist I went to once, reminding me to book more appointments, but they’re proliferating quite rapidly. For those of you who use 2FA (Two-factor authentication), you’ll be quite familiar with those “Your one time use authorization code for [service] is 123456”. Again, a great topic for another post.

So, when we get a text message saying “Your CIBC Banking account is compromised. Please immediately reset your password using this link : http://www.cibcbankpasswordreset.com/?ks93k0ak20ae”, you take it seriously. But, what if you don’t bank with CIBC? Some people may worry maybe there’s an account they forgot about. Others will think “Oh, just click the link and see what’s going on”. That’s more than enough for the attacker to get their hooks into you. As soon as you click that link, anything could potentially happen. There could be malicious scripts being run in the background which could actually allow programs to be installed onto your computer (really bad). But, the more than likely scenario is that you’ll be directed to a page that LOOKS like the CIBC website only it’s not. It’s just a copy that some attacker has setup. Naturally you being panicked, you enter your banking card, your existing password, and your “new” password then click on “Change Password”. Now, the scam may not be quite this simple, but I’m using an example.

What’s just happened is that the scammer has been sent your bank card, actual password, and as a bonus gift, received a second password. If they’re half intelligent, the page would redirect to something saying “your account is now secure” or whatever. You think you’re good to go, but what happens next is anyone’s guess. Your banking information can be scraped for all your personal info, your identity could be at risk, but more thank likely your accounts will be drained off through a wide variety of ways. Plus, they have your password, and your alternative password. You see, most people love to use the same 2-3 passwords, or variations there-of. They’ll start with a password “monkey123”, but when they have to modify it, they’ll change it to “monkey456”, and so forth. Maybe they get creative and have a second password like “harveyisthebest”, naturally “harvey” being their dog. Point is, all easy to guess stuff. The proper way to deal with passwords is to have a password manager such as LastPass or BitWarden which is exactly what I use. Now the scammers have your password(s). And, being the unsuspecting person that you are, you’ve used those same passwords all over the Internet (a terrible practice). Remember this, it’s important.

Which brings us to the idea that scams are getting more advanced. But how? It’s pretty simple when you understand the larger landscape of what’s happened over the years. Data breaches, and tons of them. You may have heard of them, you know, like when Equifax got hacked. Remember them, the company you never agreed to give all your closest personal financial information to, but they had it anyways, then more or less gave it away to a bunch of hackers and tried to pretend it never happened until it was inevitable they had to admit fault. Let’s not forget they also completely botched the response in almost every way possible. (More here : https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html). But it’s not just Equifax, it’s everyone. Hundreds of major corporations have been compromised over the years. Target, eBay, MySpace, Dropbox, Merriott, LinkedIn, Yahoo, MyFitnessPal, and of course Facebook. Not just one, or two data breaches, but dozens have happened at Facebook; most notably the Cambridge Analytica scandal (which is still operating today, you should know – just in a different way). Big deal, right? So what?! Some person has my email address and a list of the times I booked a room at a hotel. Oh, and they have some basic information about my old jobs. Who cares?! You should. Everyone should.

That information, as innocuous as you may seem to think it is, can be used against you so effectively. Piece together all these attacks and the information that’s been gathered, and you’ve got some real tangible base to target. (For example) I get your full name from LinkedIn’s breach along with your email address. From Dropbox I get your gender and age linked with your email account. Merriott’s breach links your phone number to your email, and then MyFitnessPal gives me your hometown. I could go on, but suddenly a real tangible profile on any one of millions of people begins to emerge. A phisher’s dream. 

As a scammer, I’m going to use this to my advantage. A couple lines of code, and I can begin sending out mass text messages targeted directly at YOU. It’s dirt simple. I’m not sending it from my actual cellphone, I’ll use an online text message service like Twilio where I can blast out millions of texts in seconds, with each one of those texts being personalized. Suddenly you get a text message “EMERGENCY : The account for Paul Hattlmann with CIBC has been compromised…..” – I’m no longer just seeing a generic message, but a direct message with my name, which _really_ rustles my jimmies. Now I’m far more susceptible to click that link and actually engage with this person’s scam. My guard is down, and this style of attack can come in many different forms, many of which you’d be incredibly unsuspecting.

Maybe you’ve recently received an email that says “Hello [yourname], your password is [yourpassword]”. You’re blown away, because it’s actually your password. Inside the e-mail the scammer goes on to say they’ve got your history of “questionable” browsing history on adult sites, and have recorded your webcam of “naughty acts”, which will be sent to everyone in your address book if you don’t send them $1000 through bitcoin. How’d they do it? Well – they didn’t. It’s a ruse, and although your password is real, that’s the only thing they have on you. What they’ve done is effectively taken a data breach from some site, reverse engineered your password, then used it to scare you into sending them money. People fall for this every day, and it’s a well crafted scam.

These are just a few of the examples of what can happen, or how scams operate. Are you concerned about a specific email you’ve received, and wonder if it’s real? I can help you dissect potential scams you’re running into, protect you against ransomware attacks, and keep your data safe should one ever get through.