Welcome to the LSUHSC’s Information Security training module on Social Engineering. It is intended for all personnel who have access to LSU’s computing resources and must be renewed on an annual basis.
Social Engineering is becoming the most common and most successful form of hacking. More and more, hackers are choosing to exploit human vulnerabilities rather than attempt to defeat a network’s technical defenses.
People are fooled every day by these scams because they haven't been adequately warned about social engineering techniques. Without the proper education, most people won't recognize a social engineer's techniques because they are designed to take advantage of one’s natural tendency to be helpful. Awareness is the number one defensive measure, so it is important that you stay up-to-date with your training.
Social Engineering, or “people hacking”, is the process of deceiving people into giving away access or confidential information. It is the act of manipulating people into performing actions or divulging confidential information, rather than defeating technical defenses like breaching firewalls or cracking passwords. The term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
Phishing is a technique to trick you into taking an action you would not ordinarily take (e.g. transferring funds or revealing your password). The hacker sends an email that pretends to be from a legitimate provider of services such as the IT department, HR department, a bank, a brokerage house, an ISP, an email service provider, etc.
In the message of the email, the hacker creates a sense of urgency, fear, or another emotional response to motivate the reader to take the action he desires (usually clicking on a link or opening an attachment).
If you suspect that an email may be a phishing scam, contact the purported sender, without using any links or other information from the email, and confirm the email is legitimate. For example, if the email says it is from the IT department, call the Help Desk at 568-HELP.
If it is a phishing email, send it as an attachment using the "Attach Item" function in Outlook to spam@lsuhsc.edu, and delete it from your Inbox.
DO NOT click on any of the links or take any other action directed by the email until you confirm it is legitimate. A phishing message will direct you to take an action such as:
It will contain one or both of the following elements:
Milder messages may omit or imply the consequence: “Due to a lack of activity on your account (reason), you must click on the link below and login with your username and password (action).”
The loss of access to the account is implied.
More aggressive messages may omit the reason: “Funds must be transferred by clicking on the link below before COB today (action) or your payroll account will be overdrawn! (consequence)”
Any email that begins with EXTERNAL EMAIL: EVALUATE and asks you for your username and password or asks you to open an attachment should be considered a phishing email until proven otherwise.
If the answer is “YES” to more than three (3) of the questions above, it may be a phishing email and you should send the email as an attachment (CTRL+ALT+F) to SPAM@lsuhsc.edu or contact your IT supporter for investigation. Do not, under any circumstances, use any of the links or rely on any information from an email you feel may be suspicious.
From: Human Resources (HumanResources@hr.securitydept.org) (Not a person)
Sent: Wednesday, January 18, 2017 11:14 AM
Subject: Important Update to Social Media Policy
*EXTERNAL EMAIL: EVALUATE* (Why is an email from HR coming from outside the network?)
LSU Health Sciences Center New Orleans is instituting new social media policies for all faculty and staff. Due to recent events in the news we are going to start blocking many of the popular social media sites for employees who do not need them for justified, business purposes. (reason)
We need your help to determine if you utilize social media and how you feel about this policy change. We have created a portal page on our internal network to get each employees usage of social media so we can determine which policy should be applied to your workstation. Please visit the Portal Page www.hrsecuritydept.org and complete this survey. (action)
Your participation is mandatory and this survey must be completed in the next five business days so we can compile results before the default block policy is applied. (consequence)
Thank you
Social Media Compliance Team (Not a person)
It has five of the characteristics of a phishing email listed above.
From: Bettina Owens - Asst Vice Chancellor for Information Technology
Sent: Thursday, July 07, 2016 2:30 PM
To: LSUHSC N.O. Faculty, Staff and Students
Subject: Email Scams
LSUHSC is currently experiencing an increase in Phishing emails and an increase in people succumbing to these emails by providing the perpetrators with their LSUHSC credentials. Responding to a Phishing email places all of LSUHSC in jeopardy.
Phishing emails attempt to trick individuals into divulging their user IDs, passwords, social security numbers, etc. If you are in doubt whether an email is a phishing email please send the email as an attachment (CTRL+ALT+F) to SPAM@lsuhsc.edu or contact your IT supporter for investigation.
Guidelines on phishing:
Thanks to all who picked up that this was a phishing email and took the time to let us know about it.
*********************************************
This message has been authorized by LSU Health Sciences Center administration for mass distribution as a service to our faculty, staff, and students.
From: Maddox, Amy Marie [mailto:amaddo@tbh.net]
Sent: Monday, February 06, 2017 10:06 AM
Subject: Important Message From HR Department
*EXTERNAL EMAIL: EVALUATE*
To All Faculty\Staff
Hi, a private document has been sent to you by the Human Resources Department
Click Here to Log into Employee Self Service to view the document now.
HR Department
From: Maddox, Amy Marie [mailto:amaddo@tbh.net]
Sent: Monday, February 06, 2017 10:06 AM
To All Faculty\Staff
Subject: Important Message From HR Department
*EXTERNAL EMAIL: EVALUATE* (Email is from outside the LSUHSC campus)
Hi, a private (sense of urgency) document has been sent to you by the Human Resources Department
Click Here to Log into Employee Self Service (action) to view the document now. (More urgency!)
HR Department (Not a person)
Also, note the date. February 6th is just a few days after the deadline for sending W-2 forms to employees. This may be a scam to get your tax information in order to file a fraudulent return.
From: IT Helpdesk [helpdesk@lsuhsc.com.ru]
Sent: Monday, September 26, 2016 8:45 AM
To: {Recipient List Suppressed}
Subject: Irregular Account Activity
*EXTERNAL EMAIL: EVALUATE*
Our system has detected irregular activity on your account. Taking precautions, certain limitations and measures have been placed on your account in accordance of the User Agreement and Privacy Policy.
To regain access without any interruption to your account, please visit the following link to our Security Customer Support Center to help you re-validate your account activity and keep your account safe from potential risk.
www.lsuhsc.helpdesk.com.ru
Please read the entire page and follow all directions to validate your account.
Thanks for your cooperation.
IT Helpdesk
From: IT Helpdesk (Not a person) [helpdesk@lsuhsc.com.ru]
Sent: Monday, September 26, 2016 8:45 AM
To: {Recipient List Suppressed} (Must be serious!)
Subject: Irregular (It is serious!) Account Activity
*EXTERNAL EMAIL: EVALUATE* (Email is from outside the LSUHSC campus)
Our system has detected irregular activity on your account. (reason) Taking precautions, certain limitations and measures have been placed on your account (consequence) in accordance of the User Agreement and Privacy Policy.
To regain access without any interruption to your account, please visit the following link (action) to our Security Customer Support Center to help you re-validate your account activity and keep your account safe from potential risk.
www.lsuhsc.helpdesk.com.ru
Please read the entire page and follow all directions to validate your account.
Thanks for your cooperation.
IT Helpdesk (Not a person)
While anyone can receive a phishing email at any time, there are certain times where phishing is more active. These include:
LSUHSC-NO will NEVER ask for your user name or password in an email.
If it is an email sent to all employees and/or students, it will contain the sender’s name and job title and the following text will be appended to the end of the message: “This message has been authorized by LSU Health Sciences Center administration for mass distribution as a service to our faculty, staff and students.”
Emails from outside the LSUHSC network will contain the message “*EXTERNAL EMAIL: EVALUATE*”. NEVER provide your username or password in response to an email from outside the LSUHSC network.
Be especially wary of any unexpected email that arrives after the first of the year or after a well publicized disaster. It could very well be a phishing email.
If you’re not sure whether an email is a phishing scam or not, independently confirm the email by contacting the sender without using any information in the email. Obtain information from your own contact list or from the sender’s website.
Send all suspected phishing emails as an attachment to spam@lsuhsc.edu, and delete them from your Inbox.
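As an added example (not part of this training module and not LSUHSC tooling), the script below turns the guidelines above into a mechanical triage check: it answers the checklist questions for a message (external banner, sender and link domains outside lsuhsc.edu, requests for credentials or clicks, urgency or consequence wording, missing mass-mail footer) and applies the module's two rules, "external plus a credential or attachment request is phishing until proven otherwise" and "more than three YES answers is suspect". The keyword lists and the two sample messages are assumptions constructed from the exhibits in this module.

```python
"""Phishing triage heuristics based on this module's checklist (added example)."""
import re
from urllib.parse import urlparse

TRUSTED_DOMAIN = "lsuhsc.edu"
EXTERNAL_TAG = "*EXTERNAL EMAIL: EVALUATE*"
MASS_MAIL_FOOTER = "has been authorized by LSU Health Sciences Center administration"
# Constructed keyword lists (assumptions) drawn from the reason/consequence exhibits.
URGENCY = re.compile(r"\b(immediately|within \d+ (hours|days)|before COB|mandatory|"
                     r"suspend|closed|overdrawn|limitations|verge of closure)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|username|user ?id|social security)\b", re.I)
ATTACH_OR_LINK = re.compile(r"\b(attachment|click here|visit the (following )?link|log ?in)\b", re.I)

def sender_domain(sender: str) -> str:
    # Pull the domain out of 'Name [mailto:user@host]' or 'Name <user@host>' forms.
    m = re.search(r"@([\w.-]+)", sender)
    return m.group(1).lower() if m else ""

def is_trusted(host: str) -> bool:
    # Registered-domain check: 'lsuhsc.helpdesk.com.ru' merely contains the brand;
    # only a host that IS lsuhsc.edu or ends in '.lsuhsc.edu' passes.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def link_hosts(body: str) -> list:
    # The exhibits use bare 'www.' links with no scheme, so add one before parsing.
    return [urlparse("http://" + u).hostname.lower() for u in re.findall(r"\bwww\.[\w.-]+", body)]

def triage(sender: str, body: str, mass_mail: bool = False) -> dict:
    """Answer the checklist questions for one message and return the verdict."""
    flags = {
        "external_banner": body.lstrip().startswith(EXTERNAL_TAG),
        "sender_not_lsuhsc": not is_trusted(sender_domain(sender)),
        "asks_credentials": bool(CREDENTIALS.search(body)),
        "asks_click_or_open": bool(ATTACH_OR_LINK.search(body)),
        "urgency_or_consequence": bool(URGENCY.search(body)),
        "link_outside_lsuhsc": any(not is_trusted(h) for h in link_hosts(body)),
        "mass_mail_missing_footer": mass_mail and MASS_MAIL_FOOTER not in body,
    }
    yes = sum(flags.values())
    # Rule 1: external banner + credential/attachment/link request => phishing until proven otherwise.
    hard = flags["external_banner"] and (flags["asks_credentials"] or flags["asks_click_or_open"])
    # Rule 2: more than three YES answers => treat as a suspected phishing email.
    if hard or yes > 3:
        verdict = "suspected phishing: send as attachment to spam@lsuhsc.edu"
    else:
        verdict = "not flagged: still verify out of band if the request is unexpected"
    return {"yes_count": yes, "flags": flags, "verdict": verdict}

# Constructed sample modelled on the "Irregular Account Activity" exhibit above.
HELPDESK_SAMPLE = """*EXTERNAL EMAIL: EVALUATE*
Our system has detected irregular activity on your account. Taking precautions,
certain limitations and measures have been placed on your account.
To regain access, please visit the following link and re-validate your account:
www.lsuhsc.helpdesk.com.ru
IT Helpdesk"""

# Constructed sample modelled on the legitimate "Email Scams" mass mailing above.
LEGIT_SAMPLE = """LSUHSC is currently experiencing an increase in phishing emails.
If in doubt, send the email as an attachment to SPAM@lsuhsc.edu.
This message has been authorized by LSU Health Sciences Center administration for mass distribution."""
```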
Often hackers will simply call the intended victim and persuade them to take a desired action. This is often called “voice phishing” or “vishing”.
A hacker might impersonate a Help Desk supporter or a computer vendor such as Microsoft during a phone conversation in an attempt to:
Other variations include:
Passwords should NEVER be given out during a telephone conversation.
Computer vendors will NOT call users directly.
The Help Desk will ask for a secondary form of authentication when unlocking your account or resetting your password such as:
The caller gives his name and states he works for Microsoft Corp. He is calling you because he is getting numerous alerts from your computer indicating your computer is infected with multiple viruses. Your computer is working fine as far as you can tell. He wants you to carry out a series of steps to correct the problem.
“Smishing” or “SMS phishing” is similar to phishing except the communication is sent via text messaging.
Criminals set up an automated dialing system to text or call people in a particular region or area code (or sometimes they use stolen customer phone numbers from banks or credit unions).
The victims receive a message designed to trick them into installing malware or revealing financial or other sensitive information.
Armed with access to the victim’s phone or information revealed by the victim, criminals can steal from victims’ bank accounts, charge purchases on their charge cards, create a phony ATM card, etc.
Because of the similarities between texts and emails, smishing techniques are similar to phishing techniques. Whenever you receive a text, you should ask yourself the following questions:
If the answer is “YES” to more than three (3) of the questions above, it may be a smishing text.
You receive the following text:
“Dear Walmart shopper, Congratulations you have just won a $1000 Walmart Gift Card. Click here to claim your gift. www.fraudulentwebsiteaddress.com “
Once you click on the link, you are asked a number of personally identifying questions “for verification purposes” culminating in a request for your credit card number.
Once you provide that information, the smishers have everything they need to steal your identity.
In July 2016 many iPhone users received the following text:
“Apple Store
Your account is on the verge of closure!
We have recently determined that more computer are connected to your
account and multiple password failures were present before access.
Now you need to re-confirm your account information to us..
If this is not done within 48 hours, we will be forced to suspend your
account,
To confirm your Apple ID safely, click on the link below:
Click here to unlock your Apple ID
www.apple.com
Failing to do so until the 28/07/2016 will be considered a denial of
our terms and conditions and your account will be permanently closed.”
When users clicked on the link and supplied their Apple ID and password, their accounts were stolen.
Hackers have been using SMS messages to trick users into loading malware on their Android phones.
The victim receives a text:
“You have received a multimedia message from +[01] [555-555-5555] Follow the link http://www.mmsforyou.net/mms.apk to view the message”
Clicking on the link downloads the malware which gives the hacker complete control of the phone.
The hacker can monitor the victim’s location, eavesdrop on conversations, steal passwords, activate the phone’s camera, etc.
Baiting is similar to phishing except that instead of providing a reason or consequence, victims are led to believe they will receive some sort of benefit.
The simplest form of baiting is to send an email with a subject line designed to pique your curiosity enough to get you to click on the link or attachment.
Don’t click on these links in unsolicited emails or text messages. Instead, send all such emails to spam@lsuhsc.edu.
Another variation of baiting involves leaving various types of computer media (CDs, DVDs, USB drives, SD cards, etc.) where prospective victims will find it.
The media are labeled with something designed to pique the victim’s curiosity like “Executive salary report” or “Wet T-Shirt Video”.
The media actually contain malware that will install itself when the media are plugged into the victim’s computer.
The malware gives the hacker complete control over the victim’s computer.
In a study by the University of Illinois, researchers left 300 USB drives in and around the Urbana-Champaign campus.
As part of a security audit, employees were mailed a USB drive along with a letter stating that an update to the company’s anti-virus software was needed and giving the employees instructions on how to plug in the USB drive and run the “update”.
The “update” was a malware program which gave the auditors the access they were seeking.
Recently, hackers have been combining different social engineering attacks. One example is called Franco-phoning.
In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service. A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice. The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker.
The supposed invoice was actually a Trojan that was configured to contact a command-and-control (C&C) server located in Ukraine. Using the Trojan, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and copied files.
The best defense is to independently verify everything before taking action on any request that seems out of the ordinary. Always ask yourself two questions:
If the caller claims to be from IT, call IT on a separate line and verify what the caller says. If the caller claims to be from your bank, call your regular banker to verify what you are being told.
One type of suspicious email is the hoax. It warns of a virus or other type of malware that will cause serious harm to your computer such as wiping the hard drive. It is especially perfidious because it usually comes from a well-meaning friend or relative who has been duped by the hoax.
Hoax emails generally have the following characteristics:
The main problem caused by Hoaxes is that they overload email systems with unnecessary traffic.
In addition, those that follow the instructions in the Hoax email wind up disabling their computers and must have them repaired or reconfigured before they are usable again.
As with other threats, Hoaxes have developed variations. Some variants to watch out for are:
How do you determine whether a message is genuine or a hoax?
You can check the following websites:
It is a violation of CM-42 to re-transmit virus hoaxes.
Hackers could attempt to learn your password or breach confidential information by:
Prevention:
A hacker might learn information by:
Destroy all information in accordance with PM-36 once it is no longer needed.
Contact your local computer supporter or the Help Desk for assistance with properly erasing or destroying computer media.
Physical access to a computer is the ultimate access a hacker can obtain.
A hacker could access, remove, destroy, or otherwise damage your computer.
Once the hacker has removed the computer, he has all the time he needs to crack passwords, obtain encryption keys
Prevention: Always use good physical security measures to prevent theft or damage to your computer.
Few things generate as visceral a sense of biliousness as the thought that a member of our LSUHSC-NO community would break the trust of their patients, students and coworkers. But, as the stories below demonstrate, the possibility exists.
Jean Baptiste Alvarez (a/k/a Alex) of Pennsylvania was found guilty in 2016 of conspiracy to defraud the United States with respect to false claims, aggravated identity theft and misuse of social security numbers. According to evidence presented at trial, Alvarez unlawfully provided to Peterson Rene and Marc Celestin, who is charged separately, the personal identifying information (PII) of hundreds of real persons.
Alvarez used his job as a technician at a West Philadelphia mental health clinic called Kirkbride Center to obtain and smuggle out patient information. That patient information was taken from census sheets at the clinic and included patient names, Social Security numbers and dates of birth. Alvarez then sold the information for up to $1,000 per page; that information was subsequently used to file fake tax returns. In total, Alvarez was charged with disclosing and using the Social Security numbers and PII of approximately 183 persons.
In 2015, Ta'sha Thomas pled guilty to gaining access to patient information in the health unit's database, taking the information and selling it to another person, Mona Hill, who used the information to file fraudulent federal tax returns. Ms. Hill paid Ms. Thomas between $8,000 and $9,000 for the stolen information. Additionally, Ms. Hill received more than $400,000 from the fraudulent returns. She has been separately prosecuted and convicted.
Alvarez and Thomas were not hackers gaining access to information from a remote location. They worked in the facilities they pillaged. As they were stealing from their patients, they were sitting next to coworkers who were doing their best to serve those same patients.
But what about those coworkers? Did they notice anything?
We must all be on the alert for behaviors that might be indicators of an insider threat. Knowing the safeguards that must be applied to handling information, report behaviors such as:
If you observe any of these behaviors or suspicious behaviors by an individual, report the activity to your supervisor or the Office of Compliance Programs.
While not all suspicious behaviors or circumstances represent a threat, each situation must be examined along with information from other sources to determine whether or not there is a risk. Observing even a single activity and not reporting it can increase the potential damage that can be done.
Social engineering hackers work very hard to make their scams appear legitimate.
Sooner or later, everyone will be fooled by a social engineering scheme. If you are fooled, you probably won’t remember it because it appeared to be no different from hundreds of other legitimate issues you have addressed as part of your duties.
Simply take whatever corrective action is required (changing passwords, repeating training, etc.).
If you have any questions, please contact the Office of Compliance Programs by: