A recently released Intel Security report titled “Hacking into the Human Operating System”
If you’ve been following the news lately, the relentless string of major data breaches impacting millions of customers has affected every major business sector. What remains frightening is how a wave of phishing soars in the aftermath of any major breach, putting those that were impacted by the breach at possibly more risk, and putting those that were not impacted by the breach still in the crosshairs.
Social engineering almost always has a place in the success of these attacks; bringing to light the psychological levers these adversaries rely on to execute successful attacks can help disrupt these events from occurring. Of the six influencing psychological levers mentioned in “Hacking the Human Operating System,” scarcity is an influencing lever used as a mainstay of email phishing attacks, so I wanted to dive a bit deeper into this one.
Scarcity boils down to a limited window of time that’s available to act. It can stretch to both ends of the spectrum – act now to gain something, or act now or else lose something. By doing so, it appeals to targets who are motivated by the opportunity for gain, and conversely preys on targets fearing the risk of loss by inaction.
Examples of missed opportunity:
Examples of fear of inaction:
Particularly, when lures are information-rich and target-relevant, a victim’s impetus to act is extremely strong. Let’s take a look at an example of an attack that uses the scarcity of time to prey on the victim. I’ve numerically annotated sections of the email below to help facilitate the analysis.
At first glance, a few things look correct when looking into the details:
1. The email sender appears to be from “American Express.”
3. Hovering over the “Contact Us,” “Privacy Statement,” and “Add us to your address book” appears to lead to the legitimate American Express site. All domains here begin with https://americanexpress.com.
Upon closer look, there are clues that reveal otherwise:
If you are unsure of whether a destination link is safe, tools like TrustedSource are a good place to start. You can leverage this type of resource to help you check the reputation of a Web page simply by querying its IP address, domain name, or URL. Keep in mind ultra-low prevalence targeted attacks may originate from a new server that lacks reliable reputation information, so while TrustedSource.org is a good place to start, it may not catch all poor reputations.
In this particular case, rather than click on the link, which may land me on a malicious site, I can go to TrustedSource.org and enter the IP address hiding behind the “please click log.” The results reveal that this IP address carries a high risk and is likely not safe (see chart below).
And indeed, the link leads to a spoofed phishing site. At a glance, can you tell which is the legitimate site and which is a spoofed phishing site? (Answer will be revealed at the end.)
To learn more about the psychology and nature of social engineering attacks, a full copy of the research report “Hacking the Human Operating System” can be found here. To test your skills and refresh your knowledge on how to detect phishing emails from legitimate ones, check out the phishing quiz at https://phishingquiz.mcafee.com. You can also run an awareness program within your organization using the quiz to better understand your risk profile.
And by the way, the first of the two images above is from the spoofed site, and the second is from the legitimate site. How did you fare?
7 Tips to Avoid Being Phished:
More about our anti-phishing technology:
American Express’s resources on steps to safeguard yourself:Rees Johnson is Senior Vice President and General Manager of the Content Security Business Unit at Intel Security, which includes Web Security, Email Security, and Data Loss Prevention technology. Rees and his team are in charge of securing the most utilized vectors of ... View Full Bio