Last Friday, when I arrived at the office and put down my backpack, I received a phone call with the country code “+86,” indicating it was from Mainland China. As my new job's HR department is in China, I picked it up, which I usually would not. The call was from the so-called customer service of the ICBC credit card call center.
“Hi, is it Mr. Chan?” he said in Mandarin. “Yes,” I said. “Sorry for disturbing you for a few minutes. I am calling regarding the overdue payment on your credit card.” He told me sincerely about an unpaid credit card statement from one of my cards. He wanted me to help him with the payment.
During the conversation, he gave me the following information:
- My full name
- My Hong Kong ID card number in full
- My mobile number, which he had used to reach me
- The credit card number
- His full name
- His employee ID
- The date of the purchase (20th Dec 2020; seemed like a Christmas gift)
- The location of the purchase (Shanghai Guomei Electronics Appliance Retail Store)
- The purchased item (it was a Mac Pro!)
Although surprised, I did not confirm anything he said, including when he asked me to acknowledge the personal information. He then advised that it looked like a case of identity theft, and that to settle the problem I needed to go to the police in Shanghai in person to report the credit card fraud.
He knew it was nearly impossible for me to suddenly report the incident, as I am outside the border. He repeatedly asked me to go to the police, while acknowledging the difficulty. At last, he said that what he could do was redirect my line to the Shanghai police station.
What shocked me was how much personal information he could tell me without my giving him anything. That is what keeps me occupied. I searched for the owner of the phone number and found only that a company in Shanghai Pudong had registered it, nothing else. (In mainland China, a SIM card is required to be bound to a real identity.)
Victims of phone scams in Hong Kong lost HK$402 million from January to September in 2020, almost five times the total stolen in the whole of the previous year.
Apart from phone scams, phishing email is one of the most common ways attackers try to obtain information or financial gain from individuals. In cybersecurity, this kind of technique is categorized as “social engineering.”
According to NIST SP 800-63-3, Digital Identity Guidelines, social engineering is:
The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.
When we think about hacking, we all picture someone in a hoodie sitting in front of a computer and typing swiftly. Suddenly, something pops up on the screen, and the hacker gains unfettered access to the system.
The notion of hacking humans instead of computers to gain access might sound strange, but it is not. Criminal hackers do not care how they get in, only how fast they can get in. If hacking humans is easier than hacking computers, then that is the way to go.
Social engineering is a broad category of attacks that typically involves some psychological manipulation, fooling otherwise unsuspecting users or employees into giving up sensitive data or confidential information. The information attackers most often want from a social engineering attempt is credentials.
Social engineering comes in different forms that sneak into our daily operations, such as dropping a USB drive in the targeted company's lobby, hoping that someone inside the company will pick it up and plug it into a company machine while it is unlocked.
Cons and scams are not talents but skills that people can learn and practice. If you want someone you have just met to comply with your wishes, you stand a better chance of succeeding by establishing common ground. Two elements are worth discussing to prepare ourselves against the shortcuts built into our minds: pretexting, and the baseline questions we ask about every stranger.
Security Engineer Gavin Watson explained pretexting in the book “Social Engineering Penetration Testing”:
Pretexting is a method of inventing a scenario to convince victims to divulge information they should not divulge. Pretexting is often used against corporations that retain client data, such as banks, credit card companies, utilities, and the transportation industry. “Pretexters” will request information from the companies by impersonating the client, usually over the phone.
Pretexting takes advantage of the weakness of identification over the phone (voice-only identification). When physical identification is impossible, companies must use other identification methods, and that is what phone scams like the one I just encountered exploit. The key to making the scam work is the victim believing the attacker is who they claim to be.
Often, these alternate methods involve asking the caller to confirm personal data, such as residential address, date of birth, mother's maiden name, or account number. All of this information can be obtained by the pretexter beforehand, either through social media websites or through “dumpster diving.” Knowledge-based verification therefore proves only that the caller knows the answers, not that the caller is the customer.
Although I do not know where Mr. Li got my information, it is compelling to ask for more. The more specific the knowledge a pretexter has about you before they get in touch, the more valuable the information they can convince you to give up.
Whenever we meet someone for the first time, four baseline questions come to mind:
- Who is this person?
- What does this person want?
- How long is this encounter going to take?
- Is this person a threat?
If you look back at your most recent encounter with a stranger, these questions came up, consciously or unconsciously. Social engineers prepare all the answers beforehand to calm you and to re-confirm the answer to the last question (I am not a threat!).
Back to my phone call yesterday as an example, “Mr. Li” (according to what he told me) filled in the blanks:
- He is a customer service representative from the ICBC credit card call center.
- He wants to inform me about the unsettled payment.
- “A few minutes,” as he said at the beginning of the call.
- He was trying to help, so he cannot be a threat!
When it comes to influence, we tend to like people who like and understand us, and that is what Mr. Li was good at. He tried several times to sell me the problem I faced and proposed a solution with the remark, “This is the best I can do FOR YOU.”
I do appreciate Mr. Li's attitude and his passionate voice. Empathy, after all, is the best selling tool. It is not unique to hackers; good salespeople and even parents use it. Pre-staged empathy helps implant ideas in the target and reinforces the non-threatening impression from the first encounter.
I keep telling customers to take care of the people pillar in the PPT (people, process, technology) framework, because trust is always involved wherever people are involved. A recent survey sponsored by CyberArk (a cybersecurity company), “The CISO View 2021 Survey: Zero Trust and Privileged Access,” showed a major shift in spear-phishing and impersonation attack patterns:
- Extensive increases in credential theft attempts were reported for personal data (70%) and financial systems and data (66%). This is clear evidence of attackers' interest in gaining “high-value” access to susceptible systems that users, rather than administrators, often hold.
- The most broadly reported group suffering increased attacks is end-users, including business users with sensitive data access. A majority of respondents (56%) report such end-users as being more targeted by attackers.
- Attacks are on the rise against senior leadership (48%), third-party vendors and contractors (39%), and DevOps and cloud engineers (33%).
One of the best ways to prevent pretexting is simply being aware that it is possible, and that techniques like email or phone spoofing can make it unclear who is contacting you. Any corporate security awareness training should cover social engineering.
On a personal level, be particularly cautious whenever someone who initiated contact with you starts asking for personal information. Remember, your bank already knows everything it needs; it should not need you to tell it your account number. If a caller claims to be from your bank, hang up and call back on the number printed on your card, not a number the caller gives you.
When friends become enemies, we all start to wonder what went wrong, and that quickly turns into the question of whether trust itself is the problem. Changing the attitude from “trust but verify” to “never trust, always verify” means treating every request, internal or external, as denied by default until it has been authenticated and authorized.
With the COVID-19 pandemic driving an indefinite work-from-home lifestyle, zero-trust security has an ideal opportunity to become part of standard security practice. With the proper understanding and approach, companies can modernize their infrastructure to include this more comprehensive protection, even if they begin with a single application or user group.
If a pizza delivery person tries to follow you into your office building (tailgating, also called piggybacking), tell them to call the person who ordered it to let them in. The pizza will not get cold from a delay of only a few minutes.
We should expose as little as possible and keep a least-privilege mindset at all times. Letting someone into a building without a proper check would inevitably create a hole in a fortress that is supposed to be hard to penetrate.
A bit disappointed, but I played along. Sadly, the actor playing the policeman was highly unprofessional. He was supposed to do what we call a “call for action” and ask me to verify my information.
Instead, he asked me to open a computer and look up his police credentials. The site redirected to an HTTPS website claiming to be the official Shanghai Police website, but it was served with a self-signed TLS certificate.
I was disappointed: there are trusted CA certificates available free of charge, so why could they not make it look more authentic? Anyway, I opened the “official” website in my isolated browser and told them I could not find his identity. He paused for a few seconds, then said that was impossible and asked to switch to a WeChat video call.
Although using WeChat on cases may be part of the actual police investigation process in mainland China, I told him before hanging up that he needs more training on pretexting, and I went back to work wondering all day how my data was sold and by whom.
After I hung up, I searched in multiple places to check whether anyone had reported the same phone scam. Eventually, I found out that I had missed the best part of the play: there would have been a scene where someone holds up a police badge in a photo or video call. Until next time, Mr. Li!
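The self-signed certificate is worth turning from a browser warning into a check you can run and reason about. The following is an added example and not code from the post; the host name and the sample certificate are constructed for illustration and are not the scam site's real domain or certificate. The probe does what the browser did: it refuses a chain that does not end at a trusted CA instead of clicking through the warning. The classifier then explains why on the decoded certificate and adds the two checks that still matter once a site obtains a free CA-issued certificate: the name must match, and a valid certificate only proves control of that domain name, not that the domain belongs to the Shanghai police.

```python
"""Probe a TLS endpoint the way a browser does, and classify what it presents.

Added example, not from the original post. EXAMPLE_HOST is a placeholder; the
scam site's real domain is not given in the post.
"""
import socket
import ssl
import time
from typing import List, Optional

EXAMPLE_HOST = "example.invalid"  # hypothetical; substitute the host you are probing


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with a default, CA-verifying context.

    This is the check a browser performs before showing the padlock: the chain
    must end at a root in the local trust store and the certificate must match
    the hostname. A self-signed certificate fails here, and the failure is
    reported rather than bypassed.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # getpeercert() is only populated when verification succeeded.
                return {"trusted": True, "cert": tls.getpeercert()}
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:  # DNS failure, refused connection, handshake error
        return {"trusted": False, "reason": str(exc)}


def _rdn_to_dict(name) -> dict:
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure to a dict."""
    return {k: v for rdn in name for k, v in rdn}


def _hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard in the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def classify_peer_cert(cert: dict, expected_host: str, now: Optional[float] = None) -> List[str]:
    """Findings a client would raise against a certificate in getpeercert() form.

    Works on the decoded dict so it can be run offline against a captured
    certificate; for a live host, feed it the 'cert' value from probe_tls.
    """
    findings = []
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        findings.append("self-signed: issuer equals subject, no CA vouches for it")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_hostname_matches(s, expected_host) for s in sans):
        findings.append(f"hostname mismatch: {expected_host} not in SAN {sans}")
    now = time.time() if now is None else now
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append(f"expired: notAfter {cert['notAfter']}")
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append(f"not yet valid: notBefore {cert['notBefore']}")
    return findings


# Constructed sample in getpeercert() form: a self-signed certificate whose
# subject and issuer are the same made-up name. Not the real scam certificate.
SELF_SIGNED_SAMPLE = {
    "subject": ((("countryName", "CN"),), (("commonName", "police.shanghai.example"),)),
    "issuer": ((("countryName", "CN"),), (("commonName", "police.shanghai.example"),)),
    "subjectAltName": (("DNS", "police.shanghai.example"),),
    "notBefore": "Dec 20 00:00:00 2020 GMT",
    "notAfter": "Dec 20 00:00:00 2099 GMT",
}

if __name__ == "__main__":
    for finding in classify_peer_cert(SELF_SIGNED_SAMPLE, "police.shanghai.example"):
        print("FINDING:", finding)
    print(probe_tls(EXAMPLE_HOST))
```

Even when every finding is empty, the certificate has only told you that whoever runs the site controls that domain name. Whether the domain is the one the real organization uses is a question the padlock cannot answer; for a police or bank site, find the address through an independent channel rather than following the link a caller gives you.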
Thank you for reading. May InfoSec be with you🖖.