The Art of the Con (38 page)

Technically, I am not qualified to discuss the efficacy of modern security platforms or the means by which they might be defeated by hackers directly. Instead, I am interested in cons and scams that have migrated onto the Internet and how they have been adapted to this relatively new arena.

This new age of deception has introduced a new term to the art of deception: social engineering. Kevin Mitnick coined the phrase and has written a great deal about how he gained access to computer systems by targeting the people who operated or maintained them. Mitnick's ingenious strategies were deceptively simple and shockingly effective as described in his book
The Art of Deception
, which effectively illustrated the need for companies to better train their employees to recognize and avoid these types of attacks.

Many times, the human factor is the weakest part of a security system and is easily targeted using techniques taken straight out of the con artist's playbook. Social engineering targets human beings with strategies designed to cause people to give away valuable information or unknowingly perform tasks that aid an outsider. A simple example would be to call someone pretending to be from their own company's help desk and coach that person into downloading harmful software or revealing vital information.

At the annual DEFCON convention in Las Vegas, thousands of hackers gather to share and learn new ideas. Anyone near the convention center would be unwise to use Wi-Fi or cellular services as almost every data signal is being monitored or generated by the attendees. In a small conference room, Chris Hadnagy and his “Social Engineering Org” team host an annual competition where individuals must call a random company, usually a well-known name, and convince whomever they speak with to give up as much data as possible. For obvious reasons, the type of information they're attempting to extract is completely innocuous, but it's fascinating to hear just how much people will volunteer to a stranger on the phone.

Contestants sit in what looks like a homemade clear plastic game show booth to protect them from audience noise as they call complete strangers at their work, using creative pretexts to coax them into revealing data or to perform simple tasks. Every call is played via speaker to the entire room as each contestant attempts to translate age-old scam techniques to a modern playing field. Incredibly, almost all of the people they call will comply unless they have been properly trained not to do so. In these cases, the questions are usually reflected back to the caller in order to verify that they are who they say they are. Any requests are deflected to a manager or specialist and the social engineer soon has to find a way out of the call without inviting suspicion.

Speaking to Chris after the event, he told me that there were several companies that had clearly trained all of their staff not to reveal any information on the phone, but the vast majority remained easy pickings for a charming or inventive human-hacker. The sad truth is that it would be extremely easy for all businesses to educate their staff with a few simple role-playing exercises.

The same methods used by Mitnick and his contemporaries are also used to trick individuals into revealing personal data that seems unimportant. Other times, it is freely given once the scammer has secured the victim's trust. These techniques can be used to target millions of people, a small group, or a specific individual. A prime example of this is appropriately referred to as “phishing.”

Give a Man a Phish . . .

Phishing is, by now, a well-known term among the computer-literate and refers to an attempt to encourage, trick, or force someone to reveal information such as credit card numbers or bank details that can compromise a person's privacy or finances. Usually delivered by e-mail, phishing attacks can be sent to millions of potential marks at once, so that even a tiny percentage success rate can represent a substantial score to scammers.

“Spear-phishing” uses similar methods to target specific individuals or groups using information harvested from social media or other public resources to tailor that message. The resulting communiqué therefore appears less generic and more credible from the outset.

These attempts to initiate contact sometimes develop into a direct communication between the online hustler and his intended mark. The hustler often tries to direct victims to a website that will try to steal information or install harmful software on the mark's device that might capture and transmit anything of value.

A common tactic is to try to scare or panic the recipient into responding by clicking on a link or downloading harmful software. Hustlers might send one million e-mails claiming to be from a well-known bank and stating that someone has been using the mark's bank account. Panicked, many people quickly click on the link in that e-mail and try to log into their account. This would fail on the first attempt, but on the second they would find that their balance is as expected until twenty-four hours later when all of their money will have been sent elsewhere. That first click took the victim to a spoofed website made to look and function exactly like the one they are used to, and similar tactics have been used to make people download mal-ware that's used to steal data, corrupt files, or destroy computers.

Initiating fear or panic is just one of many ways to force people to react without thinking, and new methods appear almost daily. You've no doubt seen hundreds of these e-mails in your own inbox, and I suspect we've all fallen for at least one in our lifetime. Viruses are often spread by accessing a victim's e-mail address book and sending everyone they know a link to trojan software, and because that link appears to come from a known or trusted source, many people click on it without thinking. These e-mails can be obvious, but many are simple and say very little other than “Check this out!” A clever variation says something like “I found this picture of you. Who's that with you?” or “I can't believe what this is saying about you. Is this true?” These simple sentences could come from almost anyone and many people would click the link automatically.

“Vishing” uses phone calls or VoIP interfaces to convince a mark that the caller represents a company or service, often a technical help desk. If the victim accepts the scammer's story, he is conned into typing harmful commands on his device or downloading malware. Ian Kendall, a close friend with Asperger's syndrome and a passion for pedantry, takes great pleasure in tormenting bogus help-desk callers, often toying with them for hours in an effort to waste their time. For Ian, their lack of actual technical knowledge is obvious but to the uninitiated, they can easily sound convincing.

Spamface

Lottery scams, psychic messages, and romantic propositions are common online scam tactics, and once someone takes the bait he is groomed and clipped just as he would be in a face-to-face swindle. Spam mail, which was once sent to victims by the sack-load, quickly migrated to the Internet; as the older generation of potential victims passes, scammers now find their quarry electronically and con people using fake identities or stolen credibility. The same methods used for decades to entice the desperate or unwary remain just as effective in an e-mail—and now they can be sent to millions of potential marks at once. E-mail junk filters quickly learn to weed out obvious ploys, but as new schemes appear, a few slip the net and find their way to our inboxes.

Social media offers a convenient window into people's lives, revealing addresses, dates of birth, phone numbers, and all sorts of useful trivia for crooks to use and abuse. Just by “friending” a potential mark, a con artist can learn a great deal about him. By hacking into someone's account, scammers can pretend to be that person in order to then target his friends and family. In fact, social media is one of the most powerful and useful tools for a hustler to connect with fresh fish.

I honestly don't think it's possible to be completely safe online. If targeted by sophisticated hackers, no one's data is secure. The best we can do is to observe best practices, be less impulsive, and learn to detect online deception whenever possible.

Another
Real Hustle
scam was based on websites that conned people into filling out forms requesting dangerous amounts of personal data. We created a bogus employment agency and invited hopeful clients to fill out a long form that required them to share details that could ultimately be used to steal their identity, including a credit card number to “verify” each applicant. Only one of our potential marks refused to give any information that would compromise her security. As I watched her type each section of the form, she quickly ignored anything that asked for sensitive data. Later, during our interview, I asked why she hadn't completed the form. She explained her concerns, accurately stating how each item of information might be used illegally. As it turned out, our “mark” had spent years working for the police as a victims' counselor and had helped many people deal with the repercussions of identity theft.

If we could all learn to be as vigilant without the need to experience or witness these scams firsthand, it would be much easier to avoid becoming a target. Sadly, none of us are perfect; we are all prone to moments of weakness or thoughtlessness and technology often moves faster than the means to protect us.

Fresh Fields

Technology continues to advance at blistering speeds, with manufacturers racing to release the latest products before their competitors. The speed of these advances is too much for many security methods to keep up, and gaps in the fence are widened as it stretches to cover new ground. Hackers have a knack for spotting an opening before it can be anticipated by developers, and whenever a new device or software is released, the race to break down its defenses begins.

As a confirmed tech-addict, I am all too aware of the dangers posed by new ways to carry or interpret my personal data. Simply by observing best practices we can all maintain a certain level of security, but the platforms we use online or the devices we buy often turn out to have their own flaws that compromise our digital safety.

New developments present new opportunities for all kinds of con artists. Remember the fake cash register in a London store during the holiday season? In many shops, staff now carry a portable device with a tiny plastic card reader. Many of these are well-known smartphones or tablets, and it would be a simple matter to walk into any large store with the same device, pretend to be a member of the staff, and steal credit card details during a busy period.

In most major cities, people carry their digital lives in their pockets, communicating and sharing through the ether and interacting with those devices hundreds of times a day. As we move from cell tower to cell tower and Wi-Fi to Wi-Fi, our information bleeds constantly, leaving a trail that can be followed or intercepted. Wi-Fi signals are particularly susceptible—it is an easy matter to create a hotspot with a common name and attract people to take advantage of free Internet access. Public Wi-Fi can be cloned or used to monitor data being transmitted by other users. Trapping user details and passwords sent to secure sites is unnecessary if the access key that is sent back from the site (a “cookie”
*
—a piece of code that allows your device to remain logged into a secure site) is unencrypted and easy to intercept, then paste onto the hacker's own computer. This form of attack gives criminals full access to a secure page—such as e-mail or banking sites—so long as the victim doesn't log out, which can be prevented if the hacker has the means to block the mark from doing so. This is just one way to intercept our data, but there are many more.

Bluetooth can be used to take over some devices, switch them on, send messages, monitor conversations, or even to dial expensive premium rate phone numbers. A hacker in the UK once demonstrated how a very common model of cell phone could easily be forced to switch on and transmit anything the microphone heard. The phone was incredibly easy to hack and at that time was one of the most popular devices among British government employees, who often work with highly sensitive information. Theoretically, a hacker with a large enough antenna could scan the houses of Parliament for vulnerable phones and listen in to any conversation nearby. The manufacturer of the cell phone had been notified of this weakness, but as is typical of many large corporations, the threat of bad publicity was of greater concern and the weakness was never publicized.