If you have heard of the process of social engineering, the ability of a hacker to trick you into divulging your private details, then you might have come across ethical hacker Rachel Tobac. She's the CEO of SocialProof Security and board member of Women in Security and Privacy. I virtually attended one of her more recent talks, during which she explained her craft and gave some suggestions on how we all can improve our personal security and make her job more difficult.
Tobac has carried out some notable security stunts in the past, such as live hacking a CNN reporter's accounts and stealing his airline points. “I hack so people can understand how hackers think and hopefully you will avoid these mistakes,” she told her audience.
During her talk, she showed the video of this exploit and then reviewed her tradecraft. In that particular incident, she didn’t talk to the reporter directly but leveraged information she had collected from public sources, such as his birthday, email address, and postal address. By using a voice changer app and spoofing his phone number, Tobac was able to obtain more information and eventually transfer thousands of airline points to her own account.
Tobac’s talk is timely, because as she says, “Phishing is more of a thing now because many people have turned to a criminal life and because Covid is a very successful phishing lure. We are all stretched thin, and as a result, we can make more security mistakes.”
Further reading: An interview with a white hat hacker
She spoke about being aware of what she calls “lazy hacker scams.” These are low-hanging fruit that include alerts for non-existent shipping packages, phony tech support calls, impersonating someone from your bank, gift card scams or sick family member money requests. “Everyone expects to get them these days,” she said. “They happen because they work. Someone is falling for this stuff every day. You can’t trust caller ID or emails that say you have a virus on your computer.”
She pointed out some common social engineering tricks, including:
So how to fight these time-tested techniques? Tobac has several great suggestions.
First, be politely paranoid. Her recommendation is to use two separate methods of communication to verify who you are really dealing with whenever you get a call or a text. To learn more about social engineering techniques, she recommends reading Robert Cialdini’s book, Influence: The Psychology of Persuasion.
We have often written about using multi-factor authentication (MFA) to secure your accounts. She recommends starting with any kind of MFA and then moving up to more secure versions. “Am I going to convince my great aunt to use a FIDO hardware key tomorrow? Probably not, but I can start her out by using SMS-based MFA, that is a good first step,” she said during her talk. Of course, the best MFA is to use FIDO security keys if you are in the public eye or have admin access. “That makes my job very difficult,” she said.
Next, don’t delay patching your systems. Tobac used this technique when she was invited to hack movie mogul Jeffrey Katzenberg’s computer.
Also, prune your social media and online photo collections with care. This was something I realized put me at risk: I had copies of my IDs on iCloud because I once took a picture of them with my phone. Part of the pruning process is to also remove companies you do business with from all of your social media — this includes pictures of your furniture, things that you bought on Amazon, and so on. These are all clues that a social engineer can use to find out more information about you or bring up in a conversation to try to gain your trust.
Additionally, limit your exposure and threat surface. If you're a business owner, an easy way to do this is to reduce the number of people who have admin access to your networks and accounts. Remember the big Twitter hack? More than 1,500 employees at that time had such access, which is why they were hacked so easily. Another way is to work on only one machine and segregate your work and personal online footprints. There are a few tools to do this: use multi-account containers for Chrome or other secure browsers to segregate your different identities.
Finally, think about using what Tobac calls “burner postal addresses.” We all know what burner phones are, but she takes it a step further by purposely creating fake postal addresses when filling out forms that require an address. If you need to keep track of them, put them in your password manager.
If you're interested in hearing more hacker tales, I recommend you watch a few episodes of the Avast Hacker Archives, a series in which Avast CISO Jaya Baloo investigates more tradecraft and favorite situations.