Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities


Posted by BUG on Jun 19

Microsoft® Lync™ Better Together over Ethernet (BToE) feature on
Polycom® VVX® business media phones enables you to control phone
activity from your computer using your Lync client.
The BToE feature enables you to place, answer, and hold audio and video
calls from your Polycom VVX phone and your Lync client on your computer.

#### Title: Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities
#### Affected versions: 4.4.0.0
#### Tested…


OpenBSD kernel relinking is not transactional and a local exploit exists


Posted by Schech, C. W. (“Connor”) on Jun 19

The automatic and mandatory-by-default reordering of OpenBSD kernels
is NOT transactional and as a result, a local unpatched exploit exists
which allows tampering or replacement of the kernel. Arbitrary build
artifacts are cyclically relinked with no data integrity or provenance
being maintained or verified for the objects being consumed with
respect to the running kernel before and during the execution of the
mandatory kernel_reorder process in…


Social Engineering—The Scammer’s Secret Weapon


Social engineering. It’s a con game. And a con game by any other name stings just as badly. 

Like any form of con, social engineering dupes its victims by playing on their emotions. Fear, excitement, and surprise. And it preys on human nature as well. The desire to help others, recognizing authority, and even the dream of hitting it big in the lottery. All of this comes into play in social engineering.

By design, the scammers who employ social engineering do so in an attempt to bilk people out of their personal information, their money, or both. More broadly, these schemes are designed to give scammers access—to a credit card, bank account, proprietary company information, and even physical access to a building or restricted space in the case of tailgating attacks. In this way, social engineering is an attack technique rather than a specific type of attack.

Several types of attacks employ social engineering: 

Phishing scams 
Romance scams 
Imposter scams 
Phony sweepstakes scams  
Employment scams 
Tax scams 
Social media scams 
Tech support scams 

The list goes on. Yet those are among the top attacks that use social engineering as a means of hoodwinking their victims. It’s a scammer’s secret weapon. Time and time again, we’ve seen just how effective it can be. 

So while many bad actors turn to social engineering tricks to do their dirty work, they share several common characteristics. That makes them easy to spot. If you know what you’re looking for. 

How to spot social engineering 

1) You receive an urgent or threatening message. 

An overexcited or aggressive tone in an email, text, DM, or any kind of message you receive should put up a big red flag. Scammers use these scare tactics to get you to act without thinking things through first.  

Common examples include imposter scams. The scammer will send a text or email that looks like it comes from someone you know. And they’ll say they’re in a jam of some sort, like their car has broken down in the middle of nowhere, or that they have a medical emergency and need to go to urgent care. In many of these cases, scammers will quickly ask for money.

Another classic is the tax scam, where a scammer poses as a tax agent or representative. From there, they bully money out of their victims with threats of legal action or even arrest. Dealing with an actual tax issue might be uncomfortable, but a legitimate tax agent won’t threaten you like that. 

2) You get an incredible offer. Too incredible. 

You’ve won a sweepstakes! (That you never entered.) Get a great deal on this hard-to-find item! (That will never ship after you’ve paid for it.) Scammers will concoct all kinds of stories to separate you from your personal information. 

The scammers behind bogus prizes and sweepstakes will ask you for banking information or sometimes even your tax ID number to pay out your winnings. Winnings you’ll never receive, of course. The scammer wants that information to raid your accounts and commit all kinds of identity theft.  

Those great deals? The scammers might not ship them at all. They’ll drain your credit or debit card instead and leave you tapping your foot by your mailbox. Sometimes, the scammers might indeed ship you something after all—a knock-off item. One possibly made with child labor. 

3) Something about that message looks odd. 

Scammers will often pose as people you know. That can include friends, family members, co-workers, bosses, vendors or clients at work, and so on. And when they do, something about the message you get will seem a bit strange. 

For starters, the message might not sound like it came from them. What they say and how they say it seems off or out of character. It might include links or attachments you didn’t expect to get. Or the message might come to you via a DM sent from a “new” account they set up. In the workplace, you might get a message from your boss instructing you to pay someone a large sum from the company account.  

These are all signs that something scammy might be afoot. You’ll want to follow up with these people in person or with a quick phone call just to confirm. Reach them in any way other than by replying to the message you received. Even if it looks like a legitimate account. There’s the chance their account was hacked. 

Preventing social engineering con games 

How do scammers know how to reach you in the first place? And how do they seem to know just enough about you to cook up a convincing story? Clever scammers have resources, and they’ll do their homework. You can give them far less to work with by taking the following steps. 

1. Clean up your personal data online.

Online data brokers hoard all kinds of personal information about individuals. And they’ll sell it to anyone. That includes scammers. Data brokers gather it from multiple sources, such as public records and third parties that have further information like browsing histories and shopping histories (think your supermarket club card). With that information, a scammer can sound quite convincing—like they know you in some way or where your interests lie. You can get this information removed so scammers can’t get their hands on it. Our Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites and with select products, it can even manage the removal for you.

2. Set your social media accounts to private.

Needless to say, social media says a lot about you and what you’re into. You already know that because you put a part of yourself out there with each post—not to mention a record of the groups, pages, and things that you follow or like. All this provides yet more grist for a scammer’s mill when it comes time for them to concoct their stories. Setting your accounts to private takes your posts out of the public eye, and the eye of potential scammers too. This can help reduce your risk of getting conned.

3. Confirm before you click. Better yet, type in addresses yourself.

Scammers throw all kinds of bogus links at people in the hope they’ll click and wind up on their scammy websites. They’ll also send attachments loaded with malware—a payload that contains ransomware, spyware, or viruses. If you get a message about one of your accounts, a shipment, or anything that involves your personal or financial info, confirm the sender. Did the message come from a legitimate address or account? Or was the address spoofed or the account a fake? For example, some scammers create social media accounts to pose as the U.S. Internal Revenue Service (IRS). The IRS doesn’t contact people through social media. If you have a concern about a message or account, visit the site in question by typing it in directly instead of clicking on the link in the message. Access your information from there or call their customer service line.

4. Use strong, unique passwords and multi-factor authentication.

The combination of these two things makes it tough for scammers to crack your accounts. Even if they somehow get hold of your password, they can’t get into your account without the multifactor authentication number (usually sent to your phone in some form). A password manager as part of comprehensive online protection software can help you create and securely store those strong, unique passwords. Also, never give your authentication number to anyone after you receive it. Another common scammer trick is to masquerade as a customer service rep and ask you to send that number to them.

5. Slow down. View messages skeptically.

This is the one piece of advice scammers don’t want you to have, let alone follow. They count on you getting caught up in the moment—the emotion of it all. Once again, emotions, urgency, and human nature are all key components in any social engineering con. The moment you stop and think about the message, what it’s asking of you, and the way it’s asking you for it, will often quickly let you know that something is not quite right. Follow up. A quick phone call or face-to-face chat can help keep you from getting conned.

The post Social Engineering—The Scammer’s Secret Weapon appeared first on McAfee Blog.


USN-6166-2: libcap2 vulnerability


USN-6166-1 fixed a vulnerability in libcap2. This update provides
the corresponding update for Ubuntu 14.04 ESM, Ubuntu 16.04 ESM
and Ubuntu 18.04 ESM.

Original advisory details:

Richard Weinberger discovered that libcap2 incorrectly handled certain long
input strings. An attacker could use this issue to cause libcap2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2023-2603)


CVE-2019-25136


A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and a sandbox escape. This vulnerability affects Firefox < 70.


Power LED Side-Channel Attack


This is a clever new side-channel attack:

The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader, or of an attached peripheral device, during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs.

There are lots of limitations:

When the camera is 60 feet away, the room lights must be turned off, but they can be turned on if the surveillance camera is at a distance of about 6 feet. (An attacker can also use an iPhone to record the smart card reader power LED.) The video must be captured for 65 minutes, during which the reader must constantly perform the operation.

[…]

The attack assumes there is an existing side channel that leaks power consumption, timing, or other physical manifestations of the device as it performs a cryptographic operation.

So don’t expect this attack to be recovering keys in the real world anytime soon. But, still, really nice work.

More details from the researchers.


Law enforcement’s battle against Cryptocurrency crime


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

While cryptocurrencies have been celebrated for their potential to revolutionize finance, their anonymous nature has also been exploited for illicit activities. From drug dealing and arms trafficking to funding terrorism, black market activities have thrived under the cloak of cryptocurrency’s pseudonymity. According to a report by Chainalysis in 2023, around $21 billion in crypto transactions were linked to illegal activities.

Money laundering, too, has found a home in the crypto space. Overall, between 2017 and 2021, crooks laundered over $33 billion worth of cryptocurrency.

Moreover, tax evasion has surged with crypto’s rise. Crypto traders evading their tax obligations could be costing the Internal Revenue Service upwards of $50 billion annually.

Law enforcement’s response to technological challenges

While the majority of cryptocurrency transactions remain legitimate, these dark sides of cryptocurrency cannot be ignored. Regulatory and law enforcement agencies worldwide have an urgent task ahead: to develop robust mechanisms to combat these illicit uses while supporting the technology’s legitimate growth. We should craft and use Blockchains that are safe and advantageous to everyone except lawbreakers.

There is a long-standing tradition of law enforcement agencies modifying their approaches to chase criminals who exploit the newest technologies for illicit purposes. This adaptability was evident when technologies like fax machines and pagers were invented. Throughout history, the legal system has consistently demonstrated its ability to adapt and grow in order to confront emerging technological challenges.

Even though Blockchain represents a revolutionary development in the finance and tech spheres, it is merely the latest example of how law enforcement must continually innovate and adapt to new technologies. Given this perspective, it is hard to argue that Bitcoin and other coins pose an insurmountable problem for law enforcement.

As Blockchain technology is still young, we have a unique opportunity to enhance law enforcement’s understanding of it and improve its security. Individuals interested in Blockchain should assist law enforcement in understanding and harnessing the potential of this technology.

A practical approach to achieving this is implementing a public-private information-sharing process like the one employed to exchange cybersecurity threat details. These dialogues can establish a mechanism through which the Bitcoin community can contribute their knowledge to help law enforcement overcome challenges encountered during cybercrime investigations.

Challenges for law enforcement in investigating cryptocurrency crimes

Still, certain features of Bitcoin and other popular cryptocurrencies present substantial challenges for law enforcement. Collaborating with distant international counterparts, each with its distinct policies, often complicates investigative efforts. Identifying an individual from a Bitcoin address is also not easy. Cryptocurrency exchanges operating in different jurisdictions, the use of mixers and tumblers to obfuscate transactions, and the rapid evolution of technology pose significant hurdles for investigators.

The greatest obstacle in any cybercrime investigation is attributing a virtual offense to a specific person. Prosecutors often attempt to link a particular MAC or IP address, or an email address, to a specific individual. This becomes significantly more challenging when someone uses Tor or proxies, or employs privacy coins like Monero.

Another complication arises from the fact that many email providers, as well as cell phone companies, either cannot or do not find it necessary to validate the information their users provide them.

One potential solution to overcome these challenges is to employ data analysis from multiple sources, aiming to isolate and identify the single offender in the crowd.

Advantages of Blockchain for law enforcement

Despite the various challenges it presents, the Blockchain actually offers several advantages to law enforcement. One of the notable benefits is the ability to trace all transactions associated with a particular Bitcoin address, including records dating back to its initial transaction.

Cases like Silk Road, Mt. Gox, and others have showcased the proficiency of law enforcement agencies in tracing transactions on the Blockchain. Carl Force, a DEA agent, faced accusations of pilfering Bitcoins during the Silk Road investigation. During the trial, a chart was presented as evidence, demonstrating how law enforcement successfully tracked the funds across the Blockchain, despite Carl Force’s attempts to divide the transactions among multiple addresses.

Contrary to popular belief, Bitcoin is not as anonymous as many people think. Each Bitcoin address may serve as an account number for an individual. If a person can be linked to a specific address, it becomes possible to access information about all the transactions associated with that person.

If an individual utilizes a crypto wallet to interact with the Blockchain, the wallet organization will associate the address with the individual, similar to how a bank keeps records of its customers and their accounts.

New software tools can identify patterns in Blockchain transactions, such as repeated transactions between specific addresses or sudden large transactions, indicating potential illegal activity and leading to particular people.

The Blockchain operates as a peer-to-peer system, where no single entity has exclusive authority to remove records. It functions as a publicly accessible ledger of data blocks, and it cannot be revised or tampered with. This ability allows law enforcement to track the flow of funds in a manner that was previously impossible.

Law enforcement agencies often face a significant challenge when dealing with phone and Internet companies due to varying regulations regarding the retention of customer data. The process of locating the specific provider that possesses the information needed to trace a high-level cyber-criminal can be time-consuming, spanning multiple providers and even different countries.

Furthermore, there is always a risk that the trail may have gone cold by the time the relevant provider is identified. In contrast, the Blockchain serves as a permanent repository for all data. It retains information indefinitely, ensuring that it is always accessible. This eliminates the need for extensive investigations across multiple providers and offers a streamlined way to obtain the required data.

The Third Party Doctrine states that individuals should not expect confidentiality for data shared with third parties such as ISPs, banks, etc., creating complications for law enforcement. It enables law enforcement to obtain records from ISPs, banks, and cellphone carriers through a subpoena rather than a search warrant. However, Blockchain operates differently in this regard. There are no such complications when it comes to Blockchain. It is straightforward to utilize Blockchain and trace transactions without needing a subpoena. The Blockchain is intentionally designed to be open and accessible to all, eliminating the need for legal procedures to access its data.

When evidence emerges in a foreign country, U.S. law enforcement is required to adhere to the Mutual Legal Assistance Treaty (MLAT) procedure in order to seek assistance from foreign agencies. One significant example is the Department of Justice’s legal battle against Microsoft. This case revolved around the question of whether the DOJ possesses the authority to access data stored in a Microsoft data center located in Ireland. Microsoft argued that the DOJ could not employ a search warrant to obtain overseas data and must follow the MLAT procedure instead. However, with Blockchain, such issues do not arise as it allows access from anywhere in the world without the need for MLAT.

Final thoughts

It is an undeniable reality that illegal money transfers will persist. It is impossible to completely prevent criminals from using Blockchain or the internet as a whole. However, what we can strive for is to develop solutions that make it increasingly challenging for illicit parties to thrive. Law enforcement should concentrate their efforts on the specific areas of the Blockchain where criminal activities frequently emerge. Individuals must collaborate and devise innovative strategies that law enforcement can adopt to combat these challenges effectively.
