How do phishing scams work & why do we fall for them? – Mothership.SG

In this age of internet security threats and cybercrime, “cyberheroes”, rather than superheroes, might be who we require most in our hour of need.

Cyber security has been a hot topic in recent months, especially following the massive OCBC phishing scam.

The scam affected 790 people, who were defrauded of about S$13.7 million.

For many of them, the loss constituted their entire life savings, as scammers emptied their bank accounts in a matter of seconds.

And while this particular incident was one of the most insidious cybercrime attacks in recent memory, it was not the most far-reaching.

In 2018, the SingHealth data breach affected 1.5 million citizens, including Prime Minister Lee Hsien Loong, in what has been reported as one of the worst cyber attacks in Singapore history.

We asked cyber security expert Ankit from PSB Academy how these scams could have occurred and why cyber security is a growing industry that deserves more attention.

According to Ankit, who has seven years of experience in the IT field and has been lecturing on cyber security at PSB Academy for three years, the recent phishing attack is an example of a “classic online scam”.

But even though much has been made about the sophisticated methods used in the scam, Ankit shared that while it’s considered intelligent, it’s certainly not the most advanced.

Said Ankit: “This is a great example where scammers used their technical skills and mixed it with the insecurities of human behaviour to propagate the attack.”

Ankit added that scammers often create a sense of urgency in their phishing SMSes to get us to react to the messages quickly, thus impairing our ability to think clearly about the situation.

“The cybercriminals were also skilled enough to prey on the fact that cyber-awareness is scarce among members of the public and used it to their advantage.”

So, how could such phishing attacks have happened?

Besides technical know-how and zeroing in on our emotional vulnerabilities, what scammers also needed was patience.

According to Ankit, such attacks can take months to plan and strategise “through reconnaissance and testing”.

“This is not a one-day or one-week operation, and it is possible that some victims’ banking details were phished in previous attempts that went unregistered,” shared Ankit.

Ankit noted that back in 2015, the Association of Banks in Singapore had warned about malware on mobile phones that let hackers intercept SMS One-Time-Passwords (OTPs) and use them for fraudulent transactions.

Hackers can also spoof SMS sender names or spoof victims’ phone numbers such that they receive a copy of SMS OTPs.

In this latest case, Ankit noted a mix of methods.

This includes the possibility of malware being installed on victims’ phones which can intercept OTPs generated by the security tokens issued by the bank.

“Customers receive a phishing SMS with a link to a fake bank login website, enter their bank username or access code and bank account PIN on the fake site. The scammer steals these details and keys them into the bank’s mobile banking app on their device,” said Ankit.

This would have triggered an SMS OTP to the customer’s registered phone, which the phishing site would then prompt them to enter.

It is also possible for SMS OTPs to be diverted abroad by scammers.

Said Ankit: “It is possible that some SMS OTPs were diverted abroad by scammers. In September last year, scammers hacked into the systems of overseas telcos and used them to change the location information of the mobile phone numbers used by Singapore victims which tricked Singapore telco networks into thinking the Singapore numbers were roaming overseas on other countries’ networks.”

Regarding how scammers could have embedded their messages in legitimate SMS threads sent by the bank, Ankit shared that the sender ID functionality can be misused by threat actors who mask their actual phone numbers with an alphanumeric identifier instead.

Sender ID refers to the text display name that users see at the top of their message threads, and is used by many Singapore-based organisations and banks in their SMSes to customers.

“Phones are coded to group messages by sender IDs, so the spoofed messages will appear in the same thread as previous messages sent by the official sender. This could have been the reason why scammers were able to embed the fake message in the SMS thread used by OCBC,” said Ankit.
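The grouping behaviour Ankit describes can be modelled in a few lines. This is an added example, not part of the original article: it threads a constructed inbox by sender ID alone, then applies a defender-side check that flags any message in the thread whose link host is not an exact match on the organisation's known hosts. The name `ExampleBank`, the `origin` field and the allowlist are assumptions made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample inbox: (sender_id, origin, body). "origin" is a
# hypothetical field for illustration; the handset never sees it, which is
# why threading cannot take it into account.
INBOX = [
    ("ExampleBank", "bank-gateway", "Your OTP is 123456. Do not share it."),
    ("ExampleBank", "bank-gateway",
     "Statement ready at https://www.examplebank.example/login"),
    ("ExampleBank", "unknown-aggregator",
     "URGENT: account locked. Verify now at "
     "https://examplebank.example.secure-check.test/login"),
]

# Assumed allowlist of hosts the organisation actually uses.
KNOWN_HOSTS = {"ExampleBank": {"examplebank.example", "www.examplebank.example"}}
URL_RE = re.compile(r"https?://\S+")


def group_by_sender_id(inbox):
    """Thread messages by display name only, as the article describes."""
    threads = defaultdict(list)
    for sender_id, _origin, body in inbox:
        threads[sender_id].append(body)
    return dict(threads)


def suspicious_links(sender_id, body):
    """Return link hosts that are not exact matches on the allowlist."""
    allowed = KNOWN_HOSTS.get(sender_id, set())
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url.rstrip(".,)")).hostname or "").lower()
        if host not in allowed:
            hosts.append(host)
    return hosts


def review_thread(sender_id, inbox):
    """Flag each message in a sender-ID thread that links off the allowlist."""
    thread = group_by_sender_id(inbox).get(sender_id, [])
    return [(i, bad) for i, body in enumerate(thread)
            if (bad := suspicious_links(sender_id, body))]


if __name__ == "__main__":
    print(len(group_by_sender_id(INBOX)["ExampleBank"]), "messages in one thread")
    print(review_thread("ExampleBank", INBOX))
```

All three messages land in one thread despite the different origin, and only the third is flagged, because its host merely starts with the bank's name rather than matching it exactly.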

In the case of the SingHealth data breach, where hackers managed to gain access through a compromised front-end workstation, the attack could have been easily prevented, said Ankit.

He added that the incident could have been nipped in the bud if employees had adequate levels of cyber-security awareness, training, as well as resources to respond effectively to the attack.

“Lack of cyber-security awareness, weak passwords, unpatched software, staff who fell prey to phishing attacks and an IT team that could not identify a security incident — these were some of the fundamental shortcomings that left the back door open to the worst data breach in Singapore’s history,” said Ankit.

Future of cybercrime

Ankit has seen an increase in spoofing attacks in recent months.

“Today, spoofing attacks feature a caller ID that shows the same area code/prefix. However, that incoming call could be from anywhere — even a foreign country. Online scams heavily rely on human characteristics and it’s these characteristics that make us more vulnerable to frauds.”

As if these implications are not scary enough, cybercrime could take an even nastier turn.

“According to Nicole Eagan, CSO of cyber security company Darktrace, we can expect to see a digital war of algorithms,” shared Ankit.

This means that as the world becomes more connected and everything becomes a smart device, expect cybercriminals to spread malware from one device to another as they “talk” to each other.

So, as much as the Internet of Things (IOT) has been heralded as a boon to efficiency, it comes with inherent risks.

Thankfully, IOT happens to be one of the topics covered in PSB Academy’s course on cyber security.

Cyber security is a topic that has seen a lot of interest in recent years and is an industry in which Ankit foresees exponential growth.

Cyber Security programmes

PSB Academy has been offering programmes in cyber security since 2017, with 588 graduates passing through its doors since 2018.

Said Ankit: “The current day and age that we live in is information-intensive, and information has really become the most expensive asset that government and businesses need to protect. A potential data leak, maybe from the defence databases, can lead to hazardous impact.”

“Disruptions in businesses, reputational damages, loss of sensitive data or even a risk of legal action can just be a few of the consequences of a data leak; there may be many more.”

According to Ankit, the modules taught are often applicable in real-world scenarios.

“Relevant topics include Secure Programming, which teaches students how to threat-model their websites or applications. In Software Reverse Engineering, students learn to reverse engineer malware and analyse their potential impacts on systems and network. Students also learn about encryption in Cryptographic Concepts and understand the actual working of the various cryptosystems. They can also learn how to perform digital forensics in Computer Forensics.”

As the IT and technology field progresses, Ankit foresees more professionals in cyber security.

Much like new-age superheroes, Ankit likens these cyber-security professionals to “guardians of the internet”, as they create secure systems and a secure digital environment for consumers.

But Ankit believes being a protector has its limits; users themselves have to be aware of the dangers and pitfalls of the internet.

“We need more cyber trained professionals who can design and maintain secure systems and applications. However, raising awareness is the key to curb such incidents.”

The basic rule is — don’t click on suspicious links, and verify the platform/individual before sharing any key personal information.

“These are the basic steps we can take to not fall for any scams,” said Ankit.

This sponsored article is brought to you by PSB Academy.