Hit with the Spear

This article breaks down the attack into four stages: Identify, Research, Email and Action. Many of the tell-tale signs of spear phishing are the same as for phishing, and more information is available in Caught in the Net, one of our previous articles.

Stage 1 – Identify

Identify key personnel within the target business who are likely to have access to confidential data of interest. Professional skills are often a business's most substantial asset and, along with client and project details, are used to demonstrate credibility in the marketplace. That same information helps an attacker identify targets for data theft, and in many cases it can be found as follows:

  • Personal CVs which identify current and previous roles and responsibilities
  • Staff profiles on business websites
  • Social Media profiles which often include visibility and easy access to a list of colleagues
  • Business details on Social Media can provide public access to a list of all past and present employees to help build a profile of the company
  • Client details which build up a supply chain profile
  • CVs and Job Descriptions are often sufficient to build up a profile of an organisation’s cyber defence posture

Enough information is publicly available to identify key persons within a target business. Reduce what is published and be mindful of how someone could use the details against you or your employer.

Stage 2 – Research

Now that a compiled list of individuals within the target business is available, the next step is to research them individually to identify their interests and how they will respond to communication attempts.

With phishing, an email that looks like it came from your bank, for example, could be sent to 1 million people offering them a discounted or free 90-minute helicopter trip over the city of London. To claim the offer, click a link to log in to a website which looks like your bank. Such an email would rule out anyone not interested in helicopter rides and also rule out anyone with a different bank. With spear phishing, the research on individuals allows a more targeted approach and for communication to be more relevant, and consequently more likely to get attention. With so much personal information published on social media, this is achievable. For example, if someone:

  • Posts a complaint on Twitter about how a specific bank is refusing to deal with a problem
  • Lists paragliding as a hobby on Facebook or LinkedIn
  • Posts photographs on Instagram with notes on how they enjoyed the view of the mountains while paragliding

Although detailed personal interests might not be available for everyone on the target list, if the target business has 20000 staff, and 100 individuals are potential targets, a significant amount of personal information will likely be available for many of these.

So much information is publicly available to identify the personal interests of any potential target. People need to think more carefully and be mindful about how much information they release into the public domain, and how others could use the information.

Stage 3 – Email

The next step is to write a convincing and personalised email to get the target's attention and encourage them to take action, such as opening an email attachment, clicking on a link to a website, or calling an expensive premium rate telephone number. The email would be personalised and could ask you to log in for a special offer, or tell you that information is available in your account regarding your previous complaint.

This approach is not always a single email requiring immediate action; it could be a longer game to increase the level of confidence. The initial email may not have any links or attachments but be written only in a way that expects a reply, allowing the perpetrator to insinuate themselves into your life. The initial email could be something along the lines of, ‘Hi Michael, great to meet last week at the paragliding event’. With other information from social media, such as photographs taken in the bar after all the paragliders had safely landed, the email could be more detailed. With enough relevant detail, the recipient could genuinely believe the email is from someone they had met in person.

With a follow-up email containing an attachment about paragliding, or if the initial email turns into an ongoing dialogue, a follow-up email at any time is an opportunity to introduce malware. The end game could equally be about seeking investment or other financial help and building a relationship to a point where someone is more receptive to a request for money.

Again, the key difference is the use of detailed personal information to deliver a targeted attack. The more personalised it is, the more realistic the situation is.

With phishing, many emails are flagged as spam by anti-spam services within a relatively short period, so their effectiveness is limited. Some email systems also flag emails as spam because they are similar to previously known spam. However, because of the personalised nature of spear phishing, such emails are less likely to be flagged. If someone registers an email address with Google, Yandex, Yahoo or one of the many other free email services and uses it to send a personal message, email systems will most likely treat it as exactly that unless the recipient marks it as spam. Email tools can send spear-phishing emails in bulk using databases of previously compiled data.

Other tactics, such as impersonating other employees in the same business, will serve to encourage the desired outcome. As a result of the level of research that goes into target selection, spear phishing is significantly more effective than phishing.
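As an added illustration of the two points above (internal staff names impersonated from external or free webmail addresses, and the urgency cue), the following Python checks an inbound message against a staff directory. This is example code, not from the original article; the staff names, domains and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory and company domain (hypothetical values; a real
# deployment would take these from HR or the directory service).
INTERNAL_STAFF = {"michael jones", "sarah khan"}
INTERNAL_DOMAINS = {"example.co.uk"}
# Free webmail providers named in the article; illustrative, not exhaustive.
FREE_WEBMAIL = {"gmail.com", "googlemail.com", "yandex.com", "yahoo.com", "yahoo.co.uk"}
# Phrases that manufacture the urgency the article warns about.
URGENCY = ("urgent", "immediately", "today", "asap", "right away")


def normalise(name):
    """Lower-case a display name, strip punctuation and sort the words so that
    'Jones, Michael' and 'Michael Jones' compare equal against the directory."""
    name = re.sub(r"[^a-z ]", "", name.lower().replace(",", " "))
    return " ".join(sorted(name.split()))


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Return the list of spear-phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    known_name = normalise(display) in {normalise(s) for s in INTERNAL_STAFF}
    if known_name and from_domain not in INTERNAL_DOMAINS:
        findings.append("display name matches internal staff but sender domain is external")
    if known_name and from_domain in FREE_WEBMAIL:
        findings.append("internal staff name sent from a free webmail provider")
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    subject = (msg.get("Subject", "") or "").lower()
    if any(word in subject for word in URGENCY):
        findings.append("urgency cue in subject line")
    return findings


# Constructed sample messages: one impersonating a colleague, one genuine.
SUSPECT = """From: Michael Jones <mj.paragliding@gmail.com>
Reply-To: accounts-team@mail-example.net
To: finance@example.co.uk
Subject: URGENT: invoice from the paragliding event

Hi, please pay the attached invoice today.
"""

BENIGN = """From: Sarah Khan <sarah.khan@example.co.uk>
To: finance@example.co.uk
Subject: Minutes from Tuesday

Attached as promised.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, assess_message(raw))
```

None of these checks is conclusive on its own; a genuine colleague writing from a personal address trips the first two, so treat the output as a reason to verify out of band rather than a verdict.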

Stage 4 – Action

Phishing and spear-phishing emails ultimately require the recipient to take some action, such as:

  • Giving away personal information
  • Logging in to fake websites
  • Registering with fake websites that take your information
  • Allowing attackers to take what they want, for example by opening an attachment which installs malware designed to email or update data to a remote location

Protective Measures

Many phishing and spear-phishing attacks work well because the emails lead people to believe that actions are required urgently. This urgency is only there to reduce the available thinking time. Things are seldom so urgent that you need to ignore common sense and not exercise due diligence; measure twice, cut once!

  • Exercise caution when making personal information publicly available
  • Use effective Anti-Virus / Anti-Malware
  • Use an effective anti-spam solution
  • Be vigilant when opening and reading emails
  • Avoid taking actions which deviate from standard established practices. More information is available here in Deviation from the norm

Unsafe Financial Transactions

Despite continuous reports of financial fraud in the media, history appears to keep repeating itself. The same scams exist, and the only real difference is an increase in the level of fraud, not a decrease due to increased awareness. Earlier this month I published an article called ‘Deviation from the norm’ which encourages people to be more suspicious when they are asked to take action which they would not normally take, or that is different from how most people do things. This article is a follow-up to look at some situations that are still endemic throughout society and which, in some cases, are having a life-changing negative impact on people’s lives.

  • Never use bank transfers to send money to someone you have not met in person, or with whom you have no prior or existing business or personal relationship. Payment for goods and services with Visa or Mastercard has the added security in that if goods or services are not delivered, your bank can process a chargeback to the card. Sites such as eBay have processes in place and can process refunds without needing to involve the bank. Bank transfers bypass this safety net completely, and refunds are not available if goods or services are not delivered.
  • Although cheques are in significant decline, it is still important to remember that cheques can take several days to clear, can be cancelled at any time, and can bounce if funds are not available in the originating account. Wait until funds have cleared before delivering goods or services, processing refunds, or refunding overpayments.
  • Do not make a payment of fees or taxes upfront to receive a payout. Upfront fees for lottery winnings are still a common theme, but also advance fees for loan applications which never materialise. In cases where advance fees include a guaranteed loan offer or fees refunded, the terms and conditions are often so bad that the applicant rejects the loan. For example, they were offered a loan with 2000% APR. Rejection of the loan does not include a refund of fees.
  • Never transfer money upfront to anyone in connection with a job application. If you are applying for a job, your future employer will pay you.
  • Never send money in response to emergencies reported by family members without verifying the facts and speaking to those in distress. E.g. lost wallets and an urgent need to transfer cash to a friend to survive in a foreign country, or being sick and needing to pay for urgent medical care, or arrested and need to pay fees to be released. Whatever form this takes, it exploits the love and care for a family member or friend, and pushes you into helping before you have a chance to realise there is no real emergency.

Deviation from the norm

Are you being asked to act in a way that deviates from the usual way of doing things? If you are, then you should exercise some scepticism. When things go wrong and result in financial loss, it is often the case that the vendor asked for something out of the ordinary, and at the time, it would have sounded plausible for whatever reason. There are many examples of this, yet there are far more examples of people losing vast sums of money because a transaction required them to deviate from the norm.

Being asked to pay upfront fees to receive something of higher value should be met with scepticism. Winning a lottery prize is just one example. To obtain the winnings, the scammers ask people to pay administration fees. They have £100,000 to give you, but you must pay them a £350 fee. Putting aside the fact that if you never bought a ticket you could not be a winner, even if you had genuinely won the prize, the obvious course would be to deduct the fee and pay you a net £99,650.

Society has not yet evolved to a point where it can operate without cash, as card payments are often cost-prohibitive for small transactions. Consequently, for businesses where all transactions are small, cash payments are still a requirement. However, it is unusual these days for cash to be mandatory for medium or large transactions. It could be something as simple as a means of reducing taxation, but it is worth asking questions and being aware of the risks, more so if the vendor will deliver goods or services at a later date. There are cases of businesses taking cash orders after they become aware that a bankruptcy declaration is imminent; a high-street travel agency being one example. Again, at a time when payments for goods and services are predominantly by bank card or credit card, ‘cash only’, for whatever reason, is a deviation from the norm.

Bank transfers to people or businesses where no existing relationship exists are asking for trouble, but this still happens. Again, payment by bank card or credit card is a well-established practice. Other established payment options, such as WorldPay and PayPal, have fraud-prevention measures in place. These established payment services protect consumers, but far too often people are asked to deviate from this norm and transfer money directly to a bank account, only never to receive goods or services and, even worse, never to be able to contact the recipient.

Reasons which sound plausible for needing to deviate from the norm include:

  • The suggestion that there is a legal or official requirement for it to be different. For example, an alleged policy that consumers must pay a deposit on a holiday in cash. In practice, this circumvents all the protection offered by Visa or MasterCard if something goes wrong.
  • ‘This is how we do it with all our customers, and you save money.’ An attempt to convince you that the ‘deviation from the norm’ is the usual practice that everyone uses.
  • Time constraints such as a theatre ticket valid this week and you must transfer payment immediately to get the tickets in time for the performance; creating a sense of urgency to deviate from the norm.
  • The card machine is not working today, and sadly this offer will not be available tomorrow. Creates the fear of loss while offering deviation from the norm as a viable solution.
  • Discounts offered for bank transfers or cash payments because of card payment fees. Creates financial incentive to deviate from the norm.
  • ‘We only have two left.’ Using scarcity as a means of pushing a deviation from the established ways of doing things.

These examples are very familiar to many readers, as stories keep resurfacing, but that is because the problem is far from being resolved. The suggestion here is to take a more holistic approach and be suspicious whenever a transaction deviates from the usual way of doing things in society.

It is easier to commit fraud against you if you are a willing participant. If you are complicit in making payments to fraudsters, financial institutions will use this as a means of denying any refund claims. However, the definition of ‘complicit’ is gradually changing in favour of consumers, and more safeguards are in place, along with greater awareness.

This article is not a suggestion that every deviation from everyday practices is an attempt to commit fraud against you, but rather encouraging you to be sceptical and make judgement whenever something does deviate.

12 Months of GDPR

General Data Protection Regulation (GDPR) became law in the UK exactly one year ago, and this article reports on personal observations over 12 months. GDPR has created greater awareness of best practices for handling personal data because of the fear of financial penalties of up to 4% of annual turnover or 20,000,000 Euros, whichever is higher. During this time, a significant number of complaints have been made to data protection authorities requesting investigations and some have resulted in financial penalties.

More information is available at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

For UK readers also visit the website of the UK’s Information Commissioner’s Office:

Email Notifications

I have received many privacy notifications from companies stating that they hold and process personal data. Roughly 50% of these notifications were from businesses with which I had no prior contact or to which I have not given consent to process data.

  • Requests for data removal have resulted in a need to provide more personal data to confirm my identity
  • Two businesses wanted a scan of my passport or driving licence before they would remove the data
  • Some email notifications indicated that removal of personal data required recipients to login and change their data settings

Observations suggest that:

  • How some businesses have chosen to implement GDPR forces people to jump through hoops to have their data removed
  • Hackers can easily use GDPR-related emails for phishing. With everyone expecting such emails following the introduction of GDPR, many removal requests could already have resulted in more personal details being processed inappropriately than before.

Date of Birth

Use of Date of Birth as a security question has increased. I’ve said many times that people should not use immutable facts for security. Still, the point here is that over the last 12 months companies have asked for my date of birth when in fact I would never have had a legitimate reason to give it to them in the first place.

It became evident that companies are requesting Dates of Birth for security, but the real purpose is to populate a previously blank field in their database. I put this to the test in the following two ways:

  • I gave a bogus date of birth. The company accepted it as correct for security
  • I told them they would have nothing to compare it against because there was no legitimate need for them to know. Following a pause, the operator checked with their manager and asked an alternative security question.

The legitimacy of these businesses is not in question, as we are not talking about potentially fraudulent companies that nobody has ever heard of; we are talking about national brands. Unless people are mindful of whom they gave their date of birth to, it is reasonable to assume that when asked for confirmation, they would be willing to give it.

Personalised Junk Mail

The quantity of personalised mail has reduced quite significantly, but the amount of non-personal mail has increased substantially during the same period. The increase is roughly 50/50 between:

  • Letters addressed to ‘owner/occupier’ without any named individual – suggests that where businesses have a refined customer list but no consent to hold personal data, they remove the names and keep targeting the addresses.
  • Unaddressed mail – suggesting many businesses have chosen to deliver leaflets

More information on how to stop receiving junk mail is available here: https://www.citizensadvice.org.uk/consumer/post/stop-getting-junk-mail/

Public Data Feeds

Publicly available data sources are still available free of charge, or for a nominal payment, from government departments and local authorities. Consequently, second-level websites and services which use publicly available data still have access to all of it, and make it available to everyone free of charge or for a fee.

Requests to remove data still meet resistance and a need to jump through hoops, including providing significantly more personal information before any action is taken. The removal is only effective until a replacement data feed is processed. No evidence is available to indicate that a separate suppression list exists to ensure that removal requests are permanently applied.

This information is more than sufficient for fraud to take place. Yet, to my knowledge, nobody has ever consented to this information being made available publicly by authorities or given consent to 3rd party organisations to process this data and sell it online. Such businesses can, however, claim a ‘Legitimate Interest’ under GDPR.

A data broker can claim to have a legitimate interest because their source of income is from the sale of your data. Although data privacy advocates would like nothing more than to see some of these businesses cease to exist, and this has come up in conversation many times over the last 12 months, this is unlikely to happen any time soon because the businesses are highly profitable. Their business purpose is to profit from your data, so they have a ‘Legitimate Interest’ in processing it; potentially a court case waiting to happen in the future to define the boundary with case law.

Increased User Accounts

More and more websites insist that online accounts are required to make purchases. There are many business reasons for mandatory user accounts, and an increase over the previous 12 months could be a coincidence. However, a user account does address the issue of maintaining data accuracy as a user account will essentially transfer responsibility for data accuracy to the user, who can log in and edit their data. Also, over the last 12 months, I have observed several accounts created without my consent, along with emails inviting me to verify details.

There are long term security implications to consider:

  • People can quickly lose track of user accounts over time, particularly where creating an account was mandatory at the time of placing an order despite it likely being a one-time purchase. Equally, security questions based on historical facts are an issue.
  • Many websites still send passwords by email in plain text in response to forgotten password options. However, sites are increasingly switching to a more secure reset process.
  • Sites could store credit card details in the accounts to which people no longer have access
  • Re-use of logon credentials and security questions between sites increases the risk of more important sites being compromised

Not everyone maintains an inventory of user accounts; in fact, it is more likely that very few people do. More user accounts mean more opportunities for hacking user accounts. Many sites authenticate with Facebook or Google; however, if either of these is compromised, all connected accounts are also compromised.

Increased cookie popups

Consent to store cookies has been implemented in many different ways, from a visible page on the website to popups demanding that users click on a button to accept cookies.

  • Website platforms such as WordPress have implemented it as standard, so that anyone with a website powered by WordPress gets the functionality automatically
  • Website developers have implemented intrusive popups which disrupt the user experience on the site, such as fading out the content of the page and requiring ‘accept’ to be selected before the visitor can read it, not allowing the ‘accept’ button to be selected until the entire page has downloaded, and not providing an option to ‘decline’.
  • Many sites don’t have a ‘decline’ option. Although websites often need cookies for the duration of the session or for security, these reasons are not in the regulations. Website developers’ choice to offer either ‘allow’ or ‘leave’ creates a new problem: people will ‘allow’ as an automatic response, which in the long term will render the concept useless. Rather like the millions of people who tick a box to say they accept terms and conditions, but never actually open and read them.

More information is available at: