National Cybersecurity Awareness Month 2019

Impersonation Techniques:
Are you Ready for What’s Next?


Impersonation Techniques

It’s the final week of National Cybersecurity Awareness Month, and as part of our ongoing theme of Secure IT, we thought we’d take a quick look at the various ways attackers impersonate others in order to convince you to fall for the many scams they run.

Some impersonations are easy to spot. Others are not. Some criminals will pretend to be a large organization you likely are doing business with, while others will do deeper research into you and the company you work for and attempt to fool you into believing they are a company executive. Let’s take a look at some of these scams and then hypothesize on what we may see in the future.

Impersonating a Large Corporation

A common impersonation attempt by cyber criminals is to pretend to be one of the major online services you pay a regular subscription fee to. Apple Music, Spotify, Netflix, and others are commonly seen. You’ll receive a breathlessly worded message in your inbox warning you of some sort of problem with your account… and if you don’t click right this second, they’ll have no choice but to lock you out and block any further access. If you do click, you’ll be sent to a copycat website that looks similar (if not identical) to the real one, hosted on a domain that merely resembles the company’s, and you’ll be asked to provide your login credentials.

Once you “log in” to the fake site, you’ll be asked to confirm all of your billing details – but the criminals ask for far more information than you should ever be providing. They’ll ask for your complete mailing address and your full credit card details, including expiry date and CVV code. Some will ask for other incredibly personal information like your mother’s maiden name and your Social Security Number… everything a cyber criminal needs to steal your identity, open new accounts in your name, or take over some of your other accounts. A legitimate billing page has no need for your SSN or the answers to your account-recovery questions; that is precisely why the fake one asks. Other cyber criminals will use similar techniques but claim to be from your bank or your cell phone carrier.

Just remember the single best piece of advice when it comes to your online accounts: treat every unexpected email entering your inbox as suspicious at best, and malicious at worst. If there really is an issue with one of those accounts, go to the site directly, by typing the address or using a bookmark; don’t click on any links in the message. If your account really is locked due to an issue, it won’t be hard to find out on your own.
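The copycat-site lure above can be checked mechanically. As an added example (not code from the original post or from Lastline), the script below pulls every link out of a message and flags the three tells a phishing link usually has: the visible text names a brand but the link lands on a different registrable domain (netflix.com.account-verify.example), the visible text is itself a URL that does not match the real target, or the host uses digit-for-letter swaps (netf1ix) or punycode. The sample message, the brand allow-list and the lookalike table are constructed for the example; the "last two labels" domain split is an assumption that only holds for .com-style TLDs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure in the style described above (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your Netflix account has been suspended. Click
<a href="http://netflix.com.account-verify.example/login">here</a> within 24 hours.</p>
<p>Or update billing at
<a href="https://netf1ix-billing.example/update">https://www.netflix.com/account</a></p>
<p>Questions? <a href="https://help.netflix.com/">help.netflix.com</a></p>
"""

# Registrable domains of the brands we care about (assumed allow-list for this example).
KNOWN_BRAND_DOMAINS = {"netflix.com", "spotify.com", "apple.com"}

# Digit/letter swaps common in lookalike names; folding them lets "netf1ix" match "netflix".
LOOKALIKE_FOLD = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); fine for .com-style TLDs, wrong for co.uk (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_invoked(s):
    """Return the known brand whose name appears in s after folding lookalike characters."""
    folded = s.lower().translate(LOOKALIKE_FOLD)
    for domain in KNOWN_BRAND_DOMAINS:
        if domain.split(".")[0] in folded:
            return domain
    return None


def analyze_link(href, text, claimed_brand=None):
    """Return the reasons this link looks like an impersonation (empty list means clean)."""
    host = (urlparse(href).hostname or "").lower()
    target = registrable_domain(host)
    findings = []

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode (IDN) host {host}")

    # Visible text that is itself a URL must land on the same registrable domain.
    if re.match(r"^(https?://|www\.)", text.lower()):
        shown = urlparse(text if text.lower().startswith("http") else "http://" + text).hostname or ""
        if registrable_domain(shown) != target:
            findings.append(f"displays {shown} but links to {host}")

    # A brand named in the text, the host, or the sender's claim must match the real domain.
    brand = brand_invoked(text) or brand_invoked(host) or claimed_brand
    if brand and target != brand:
        findings.append(f"invokes {brand} but resolves to {target}")

    return findings


def analyze_email(html, claimed_brand=None):
    """Map every link in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, analyze_link(href, text, claimed_brand)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in analyze_email(SAMPLE_EMAIL_HTML, claimed_brand="netflix.com"):
        print(("SUSPICIOUS " if findings else "ok         ") + href)
        for finding in findings:
            print("   -", finding)
```

Only the genuine help.netflix.com link comes out clean; the other two are flagged because the brand they invoke is not the registrable domain they resolve to, which is the same test you should apply by eye to the address bar before typing a password.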

Impersonating a Retailer

Another impersonation technique we see is criminals pretending to be a major retailer: click on this ad or story shared on social media and you’ll get a free $100 gift card to that retailer. What do you have to lose? All you have to do is click on a link, fill out some information, maybe install an add-on or visit a special webpage, and you’ll get your gift card.

We all have friends on social media who share these things, and when you ask them why, they always say something along the lines of “well, it could be real!” Of course, we know it’s not real, and if it were, that company would be bankrupt in no time flat giving out hundreds of millions of dollars of free stuff to customers.

But what is the angle for criminals here? What are they really trying to do? The answer is, it depends on their goal. Many are just trying to get you to like and follow their social media page. When they’ve amassed a large enough following, they sell the page to someone else who will change it to serve spam or to sell counterfeit goods (like sunglasses or luxury goods). Others will redirect you to a malicious landing page where they’ll try to install adware, questionable browser extensions, or outright malware.

What should you do here? Remember: there’s no such thing as a free lunch. There’s always a cost. If you see these types of things pop up as you scroll through your social media feeds, report it. Every major social media platform has the ability to flag content as scams or as malicious, but much of it requires proactive reporting by users.

Tomorrow’s Impersonating Schemes

What about the future of impersonation scams? Where are things headed? Let’s change gears here for a moment: is there a substantial amount of audio and video of you out there on the Internet? Imagine if an attacker was able to recreate a believable video of you saying or doing things that, if sent to your boss, could cost you your job? The attacker won’t send it, of course… but only if you send them $5,000 in cryptocurrency.

While fake news continues to be a buzzword and elicits an emotional response from most people, we may very well see new scams based on the “deep fake” take center stage. The horrific reality of deep fakes? It’s already happening: look no further than the recent example of a voice deep fake used to scam an organization out of about a quarter of a million dollars by a criminal pretending to be a German CEO. This becoming the next generation of cybercrime is not a few years out, as some have predicted – it’s here now, and experts are underestimating how quickly the technology has evolved and the impact it will have across industries.

While it’s hard to predict the implications of this technology, it’s clear that everyone’s credibility will be called into question. In the meantime, organizations are going to need to take the axiom of “trust, but verify” to a whole new level and build multi-stage sequences of authentication and verification into the process before a single dollar gets transferred out of the company. The verification has to run out of band, using contact details of record rather than a phone number or reply address supplied in the request itself, otherwise the attacker simply answers their own verification call. The bottom line is that you need to start thinking about how you’re going to deal with out-of-band or out-of-the-ordinary requests from higher-ups in your organization and have a clearly spelled-out process for moving cash outside of your business.
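What that multi-stage verification looks like as an enforced control, rather than a policy document, is shown below. This is an added example, not Lastline’s code or a description of any product: a small approval check that refuses a payment unless the callback went to the requester’s number of record (never one volunteered in the request), the approvers are distinct from the requester, and the payee’s bank details match the vendor master and have not just changed. The directory, vendor records, thresholds and sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Numbers of record, maintained by finance/IT and never taken from an incoming request (constructed).
DIRECTORY = {
    "ceo@example.com": "+1-555-0100",
    "cfo@example.com": "+1-555-0101",
}

# Vendor master data with the date the bank details last changed (constructed).
VENDOR_MASTER = {
    "Acme Components": {"account": "DE00-ACME-0001", "details_changed": datetime(2019, 3, 1)},
}

CALLBACK_THRESHOLD = 10_000        # above this, an out-of-band callback is mandatory (assumed policy)
DUAL_APPROVAL_THRESHOLD = 25_000   # above this, two distinct approvers are required (assumed policy)
RECENT_CHANGE_WINDOW = timedelta(days=30)


@dataclass
class TransferRequest:
    requester: str                             # identity the request claims to come from
    amount: float
    payee: str
    payee_account: str
    channel: str                               # "email", "phone", "erp" ...
    contact_in_request: Optional[str] = None   # phone number the requester volunteered, if any


@dataclass
class Verification:
    callback_dialed: Optional[str]   # number the approver actually dialed to confirm the request
    approvers: frozenset             # people who signed off


def evaluate_transfer(req, ver, now):
    """Return (decision, reasons): APPROVE, HOLD (needs more checks) or REJECT."""
    reasons = []
    hard_fail = False

    vendor = VENDOR_MASTER.get(req.payee)
    if vendor is None:
        reasons.append("payee not in vendor master")
        hard_fail = True
    elif vendor["account"] != req.payee_account:
        reasons.append("account differs from vendor master")
        hard_fail = True
    elif now - vendor["details_changed"] < RECENT_CHANGE_WINDOW:
        reasons.append("vendor bank details changed within the last 30 days")

    if req.requester in ver.approvers:
        reasons.append("requester cannot approve own request")
        hard_fail = True

    if req.contact_in_request is not None:
        # A request that tells you how to reach the requester is a classic tell; never dial it.
        reasons.append("request supplied its own contact number")

    if req.amount > CALLBACK_THRESHOLD:
        number_of_record = DIRECTORY.get(req.requester)
        if ver.callback_dialed is None:
            reasons.append("no out-of-band callback performed")
        elif number_of_record is None:
            reasons.append("requester has no number of record")
            hard_fail = True
        elif ver.callback_dialed != number_of_record:
            reasons.append("callback went to a number not in the directory")
            hard_fail = True

    if req.amount > DUAL_APPROVAL_THRESHOLD and len(ver.approvers) < 2:
        reasons.append("dual approval required")

    if hard_fail:
        return "REJECT", reasons
    return ("HOLD" if reasons else "APPROVE"), reasons


# Constructed scenario: the urgent "CEO" email with new bank details and a helpful callback number.
BEC_REQUEST = TransferRequest("ceo@example.com", 48_000, "Acme Components", "LT00-NEWBANK-9999",
                              channel="email", contact_in_request="+1-555-0199")
BEC_VERIFICATION = Verification(callback_dialed="+1-555-0199",
                                approvers=frozenset({"controller@example.com"}))

# Constructed scenario: the same amount, handled properly.
GOOD_REQUEST = TransferRequest("ceo@example.com", 48_000, "Acme Components", "DE00-ACME-0001",
                               channel="erp")
GOOD_VERIFICATION = Verification(callback_dialed="+1-555-0100",
                                 approvers=frozenset({"cfo@example.com", "controller@example.com"}))

if __name__ == "__main__":
    now = datetime(2019, 10, 28)
    for label, req, ver in (("BEC attempt", BEC_REQUEST, BEC_VERIFICATION),
                            ("legitimate", GOOD_REQUEST, GOOD_VERIFICATION)):
        decision, reasons = evaluate_transfer(req, ver, now)
        print(f"{label}: {decision} {reasons}")
```

The important design choice is that the callback number comes from the directory keyed by the requester’s identity, so a convincing voice on the other end of a line the attacker chose never counts as verification.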

An ounce of prevention is worth a pound of cure in this case. Keeping your eyes fully open coupled with a very healthy dose of skepticism is what you need to deal with today’s impersonation techniques and those we may see in the near future.


Richard Henderson


Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.