It’s the people…
This post has been written by Dr. Kostas Lampropoulos from University of Patras, Greece
(Patras, Greece), Mar. 26th
A stranger with an amazing offer!
If someone stopped you in the middle of the street, promised you discounts in shopping and traveling and asked you to give him your wallet, what would you do?
Well… you probably wouldn’t IMMEDIATELY give him your wallet. We can all argue that even the least skeptical of us would first ask for more information, try to get to know the person making the offer, and establish some kind of trust before handing over the wallet.
Let’s take the same example to the digital world. An email is sent to all the employees of a company, asking them to enter their company credentials with the promise of discounts in shopping and traveling. What will happen?
Dogana, an interesting EU project, conducted the above experiment, and the results are depicted in the following figure.
Results from sending a phishing email to the employees of a company
Yes! 24% of the employees gave their credentials. It’s as if one out of four people would immediately give his/her wallet to a stranger he/she had just met.
But it’s not always a stranger!
In 2017, Facebook users started receiving messages from their friends containing a video link with their name and the title “It’s you?”. Sometimes the video also showed their profile picture to look more convincing. A click on the video link would redirect users to a malicious website, which tried to install malware on their devices in order to “properly play the video”. Of course, if someone installed the malware, his/her device would then send the virus to his/her Facebook friends as well. Various Facebook viruses in the past had been able to spread themselves through the friends of Facebook users, but this latest virus used very clever techniques (even a smiling face emoji) to lure victims into clicking on the video link. The primary target of these viruses is to steal your information:
- IP and other System Info.
- Facebook account information.
- Browsing history.
- E-mail accounts and other passwords.
The “It’s you?” Facebook virus
How can we protect ourselves?
Everyone with an email account has received, at some point, a message trying to trick him/her into giving up his/her credentials or downloading malware. This could be someone impersonating an employee of his/her bank, an administrator in his/her company, etc. So, the question is: how can we protect ourselves against attacks that try to trick us? The answer is not reassuring, and it is certainly not an easy task. New technology innovations and services are entering our everyday life at a faster rate than everyday people can understand and operate them. At the same time, attacks are becoming more and more sophisticated, and even trained users are sometimes tricked.
Proper training is required not only for people working with computers but for everyone owning a PC or a mobile device. The CIPSEC project is currently working on a platform for online cybersecurity training, which will host various interactive courses to train technicians in the installation and configuration of CIPSEC’s security products. Such courses will include some general information (theory) on the topic of each product, e.g. honeypots, antivirus, hardware security, etc., and focused details on how to set up and manage the security components of the CIPSEC framework. Each course will also include an “interactive part” where someone can work with a security tool in a simulation environment before working with it in the actual framework. The next figure depicts part of the theory and also the interactive parts of a honeypot and a forensics visualization tool.
CIPSEC training service: Honeypot
CIPSEC training service: Forensics Visualization tool
CIPSEC has identified that, in the area of cyber-protection, training should not focus only on technicians. Thus, this platform will also include interactive courses for inexperienced users and will try to educate them on how to protect themselves and their companies from online threats and attacks that try to trick them and steal their information. Apart from our efforts, there are also many other technical and educational tools that try to address the same problem. Still, we have a long distance to cover, and until then we need to spread the word that everyone must be extra careful when someone offers deals that look too good to be true.
Just remember, it takes just one click from one employee to expose the intranet of a company, and just one mistake from a user to hand over full control of his/her mobile device.
CIPSEC project results receive funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.
The opinions expressed and arguments employed in this publication do not necessarily reflect the official views of the Research Executive Agency (REA) nor the European Commission.