Dorian Oliver Collier is an ICT Infrastructure Engineer for the Ministry of Information and Communication (E-Governance Unit) in Sierra Leone.
He got in touch with Comfortably Dumb over LinkedIn and has a really interesting insight into the differing tactics attackers will use, based on demographic and socioeconomic factors. His LinkedIn profile can be found here.
This is going to be the first part of a series we work on together about how convincing phishing scams are conducted, and how you can learn to spot them yourself.
By Dorian Oliver Collier:
So, let me get the ball rolling.
Social Engineering is the bane of the #sierraleonean populace at the moment.
However, I will be focusing on a subset of social engineering and phishing attacks.
What is Social Engineering?
In the InfoSec context, social engineering is the psychological manipulation of a victim by an attacker, in order for them to divulge confidential information, or perform an action on behalf of the atttacker. That could be logging in to their computer, tricking them out of their passwords or even just talking to someone to work out roughly what their security question answers might be.
What is Phishing?
Just in case you aren't familiar with the term, phishing is when an attacker attempts to get a victim to divulge confidential information, or perform a given action by pretending to be a trusted organisation or person over an electronic medium (usually messaging or e-mail).
We are not a wealthy nation by any stretch of the imagination - except in the area of natural resources.
So, with that high level of poverty, people are very susceptible to these type of attacks.
It’s not always a matter of ignorance other than that of desperation - poverty is cruel in a number of ways.
Then we have the uninformed users, with these powerful multiple-core beasts in their pockets - not knowing the massive amount of computationaol and graphical power that they are holding in their hands.
So they do not care about protection, except for physical protection as they have paid a silly amount of money for the newest and best.
WhatsApp is the most popular instant messaging app in Sierra Leone, and as such, it is a juicy target for scammers and social engineers.
Examples of Phishing Attempts and How to Spot Them Yourself!
Image from HRMC's Phishing and Bogus Contact help page.
Above is an example of a phishing email, attempting to impersonate HRMC (the tax and rebates agency in the United Kingdom).
Anyone who's been anywhere near cybersecurity or even read a little into what phishing is will recognise this for what it is - a fairly terrible effort.
But not everyone would. Yeah, you can eyeball that it's a phishing email, but it's worth breaking down messages like these to work out what it is that tips you off, so you can look for it when people get better at it.
First - let's look at the "From" and "Resent-From" fields in the top part of this phishing communication. What's the sign here that this isn't real?
It's the structure of the email address.
Government agencies will tend to register mailboxes and domains that are very simple, concise and clean. info@hrmc.gov.uk or something similar.
The domain to which the email is registered will almost always be the same as the website itself. Emails from HRMC will usually only come from abcfdef@hrmc.gov.uk, as it adds credibility that the message did indeed come from them.
This email came from a "@gkatax.com" mailbox and this is our first tip-off that something isn't right. Add to that, the fact the email was then resent from a private "@hotmail.com" mailbox, and you'd be right to start being suspicious - Strike one.
Next, let's look at the content of the email itself.
Most company-generated emails will have been developed by their outbound marketing and customer service teams, and will tend to include a lot of branding and images. It's easy to spot this sort of stuff, if you look through your emails to find an email from any large brand.
It is very rare for any larger organisation or government agency to type out a message (especially this one about tax) in the in-client word processor function.
It will normally be a much more professional effort, also making it more difficult to forge.
Look for grammar problems, misplaced commas and apostrophes, bad spelling and otherwise broken English in messages.
Proofreaders and marketers very rarely litter their outbound communications with easy-to-spot mistakes - Strike Two.
Lastly, the instructions in the email are suspect.
Most banks, government agencies that deal with financial information and companies in general will never email you to get you to log in again. These attacks are the exact reason why.
If everything else looks okay, but the email is asking you to do something you normally wouldn't do with that company - be safe and just delete it.
This one wants you to fill in a claim form, presumably full of juicy personal data, and send it to them - Strike three, and they're out!
E-mail clients usually come with scanners that look for things like this, and based on their rules and configurations, have gotten fairly good at filtering out low-grade phishing attempts like this one.
But what about messaging apps and SMS messages (smishing)?
No such luck here, unfortunately.
Whatsapp and other messaging apps do not come with the same level of protection - and the preview functionality embedded in them does not allow you to check the URL to see if it's real, and you can't inspect the message sender as deeply either, as both the previews and sender data are easily spoofed by experienced attackers (Phishermen?).
We'll go more into detail in mobile-specific phishing in Part 2.
Advice for the Road from Dorian:
There are no such things as #magical links that will give you free money.
There are no such things as #supernatural links that will add 50GB of data to your phone.
Whatsapp is a lot more dangerous than emails as a method of propagation for phishing attacks.
Whatsapp and Social Media in general IS NOT FOR KIDS.
I see kids as young as 9 years having Whatsapp and Facebook profiles, where they can be easily taken advantage of by phishing campaigns.
We need to strive to inform the older generation about the dangers of phishing attacks, as they tend to take things at face value.
The world is a lot more morally gray, everything online should be met with a healthy dose of skepticism.
Everybody needs to be informed, or the silliness of people being fooled by an African prince from Akwa Ibom state wanting to stash his ill-gotten wealth under your name will continue.
But really, an African prince?
In this day and age where ‘Coming To America’ has been out almost as long as I’ve been alive (if not more).
Time to come up with something more believable!
Think before you click.
See you in Part 2 - where Dorian will go more into how these scams get conducted and the makeup of the messages that are working out in Sierra Leone to part victims from their money.
Comments