Go "Inside the Mind of a Cyber Criminal"
An overflow crowd packed the Boston Room at Corcoran Commons on October 26 to hear Pat Cain discuss web security issues at the ITS event, “Inside the Mind of a Cyber Criminal.” Pat, the President of the Cooper-Cain group and a Research Fellow at the Anti-Phishing Working Group (APWG), also spends time working with BC’s Computer Policy & Security team.
Pat stated that “phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and/or financial account credentials.” Once criminals have that data, they can quickly empty bank accounts – often before victims are even aware their credentials have been stolen, let alone able to do anything to protect their assets.
He also discussed the fact that cyber criminals sometimes have goals other than simply stealing people’s money. Sometimes they write and spread malicious computer programs just for “fun,” or in retaliation for some slight they felt from someone else.
Usually, though, they’re looking for cash, and the main way they get it is to lure people into clicking on something that ultimately provides the criminals with the data (social security numbers, account numbers, passwords, etc.) needed to access accounts.
Pat explained how many of these schemes typically work. After obtaining a list of email addresses, the criminals send out emails that may look legitimate (from a bank or credit card company, for example), but actually contain links to bogus sites designed to collect the personal data they use to empty bank accounts.
He said that “good” lures (those that often work) have a few common characteristics:
- The recipients need to do something (e.g., update a password) “immediately.”
- Their accounts or information may be in some kind of “grave danger” if they don’t do what is requested of them.
- There will be consequences if the action is not completed (e.g., access to funds or credit will be cut off).
- A web address that, at first glance, appears legitimate, but is not (for example, http://bankofamerica.h35.com/Login?p=Security for a Bank of America account; the “h35.com” at the end is the domain actually being visited, and “bankofamerica” is only a label placed in front of it, so this is not a legitimate Bank of America site).
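The last characteristic above is worth being able to check mechanically, because the part of a web address that counts is the registered domain at the right-hand end of the host name, not whatever familiar name appears in front of it. The following Python script is an added example, not code from the talk or from the APWG; it takes a URL, extracts the host name, reduces it to its registered domain, and reports whether that domain is on a trusted list for the brand the message claims to come from. The `TRUSTED_DOMAINS` table is a constructed assumption, and the registered-domain helper is a deliberate simplification (it keeps the last two labels and so does not handle suffixes like `co.uk`).

```python
from urllib.parse import urlparse

# Constructed trust table (assumption for this example): the registered
# domains a brand's login pages are genuinely served from.
TRUSTED_DOMAINS = {
    "Bank of America": {"bankofamerica.com"},
}


def hostname_of(url: str) -> str:
    """Return the lowercase host name of a URL.

    urlparse discards user-info (the text before '@') and the path/query, so
    tricks such as 'http://bankofamerica.com@h35.com/' resolve to 'h35.com'.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Keep the last two labels of the host (e.g. 'h35.com').

    Simplification: real public-suffix handling (co.uk, com.au, ...) needs the
    Public Suffix List; for the .com examples on the page two labels suffice.
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_legitimate_for(url: str, brand: str) -> bool:
    """True only if the URL's registered domain is one the brand actually uses."""
    return registered_domain(hostname_of(url)) in TRUSTED_DOMAINS.get(brand, set())


def brand_name_misplaced(url: str, brand: str) -> bool:
    """Flag the lure pattern from the talk: the brand's name appears somewhere in
    the host name, yet the registered domain is not one of the brand's own."""
    host = hostname_of(url)
    token = brand.lower().replace(" ", "")
    return token in host and not is_legitimate_for(url, brand)


def explain(url: str, brand: str) -> str:
    """Human-readable verdict in the spirit of the 'look at the end' advice."""
    host = hostname_of(url)
    domain = registered_domain(host)
    if is_legitimate_for(url, brand):
        return f"{host}: registered domain {domain} is a known {brand} domain"
    return f"{host}: the site actually visited is {domain}, not a {brand} domain"


if __name__ == "__main__":
    # The lure from the page, plus two constructed variants of the same trick.
    for sample in (
        "http://bankofamerica.h35.com/Login?p=Security",
        "http://bankofamerica.com.h35.com/Login",
        "http://bankofamerica.com@h35.com/Login",
        "https://www.bankofamerica.com/login",
    ):
        print(explain(sample, "Bank of America"))
```

Run it and the three lookalike addresses are all reported as visiting `h35.com`, while the genuine address passes; the same check is what a browser's address bar is showing you when you read the host name from the right-hand end.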
Pat also discussed newer scams in which an email is sent with a phone number to call. People call the number and hear what is an actual recording of their real bank’s phone tree. However, the number belongs to the criminals, and their system captures the account numbers as the customer keys them in.
What can people do to stay safe? Pat offered several suggestions.
- Keep your computer up-to-date and run anti-virus programs regularly.
- Back up your system regularly; if your computer is infected by a malicious program, it can be re-imaged so you can reload your files and start with a clean slate.
- Don’t believe links! If it’s truly important, the sender will get in touch with you at a later time.
Pat also mentioned that the APWG is part of the “Stop. Think. Connect.” initiative designed to build public awareness for online safety.
ITS was extremely happy to see the enthusiastic response to and attendance at this event, and hopes to sponsor it and/or similar events in the future.