It’s a common occurrence in the world today: someone finds a USB thumb drive on the ground in the parking lot or a waiting area in a business. Your first instinct is very likely to be that of most Americans “studied”: plug it in and see what juicy information you can find. If you are in proximity to a larger corporation this inclination is likely to be higher because the odds are, at least subconsciously, that the drive belongs to someone from within that company.
As shown in several studies performed by researchers, the trend is that about half the drives are plugged into computers. According to a group from the University of Illinois (source), the “effective” rate is between 45 and 98 percent. That’s a scary number in my mind, especially considering the huge number of ransomware incidents reported on the news this past year. While most of those can be traced back to malicious payloads in emails, the USB trojan horse method is even scarier. Not only does a user risk having their data encrypted and held for ransom, they could be opening their employer up to infiltration.
Picture this scenario for a moment; it’s likely one that’s really happened somewhere. Employee Tina stops by the coffee shop every morning on her way in to work at the local community bank for her latte. It’s a pattern that’s well established and something she doesn’t often deviate from. Johnny is part of a hacker group that’s intent on infiltrating the bank Tina works for and knows that penetrating their firewall and security directly is futile. Safer than trying to get a job at the bank, Johnny’s group decides to try and compromise an employee. See where this is going yet?
I get asked about quite a few emails and their legitimacy, more so these past six months with the rise in phishing/spear-phishing messages sent to clients and friends. It’s not a bother, I’d rather get asked my opinion ten times a day than have someone I know or provide services to get nailed by ransomware or a trojan.
Here’s a quick rundown of some items I think are important when considering the legitimacy of an email you’ve received.
Phishing emails are exploratory attacks in which criminals attempt to obtain victims’ sensitive data, such as personally identifiable information (PII) or network access credentials. These attacks open the door for further infiltration into any network the victim can access. Phishing typically involves both social engineering and technical trickery to deceive victims into opening attached files, clicking on embedded links and revealing sensitive information.
Spear phishing is more targeted. Cyber criminals who use spear-phishing tactics segment their victims, personalize the emails, impersonate specific senders and use other techniques to bypass traditional email defenses. Their goal is to trick targets into clicking a link or opening an attachment. A phishing campaign may blanket an entire database of email addresses, but spear phishing targets specific individuals within specific organizations with a specific mission. By mining social networks for personal information about targets, an attacker can write emails that are extremely accurate and compelling. Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network, enabling them to complete their illicit mission.
“Phishing” Fraud: How to Avoid Getting Fried by Phony Phishermen
“Phishing” involves the use of fraudulent emails and copy-cat websites to trick you into revealing valuable personal information — such as account numbers for banking, securities, mortgage, or credit accounts, your social security numbers, and the login IDs and passwords you use when accessing online financial services providers. The fraudsters who collect this information then use it to steal your money or your identity or both.
When fraudsters go on “phishing” expeditions, they lure their targets into a false sense of security by hijacking the familiar, trusted logos of established, legitimate companies. A typical phishing scam starts with a fraudster sending out millions of emails that appear to come from a high-profile financial services provider or a respected Internet auction house.
Typical bios and introductions are, well, boring and fluff pieces typically. So these are some statements and opinions of mine so anyone that cares knows where I stand and start.
I’m a proud husband and father. Hurt one of my girls in any malicious or perverted ways I will not hesitate to play magician with your body…
I’m proud to have served the Ohio National Guard. While not having seen activation for war I’m still proud to have taken an oath, one I plan to uphold until my last breath.
I began working at a very early age, starting with helping my father on the farm to McDonald’s to Wolohan Lumber (loader, driver, sales) to some IT work before venturing out on my own in 2004.
I officially formed my first company in 2007, Buckeye I.T. Services, LLC when work picked up enough I had to begin hiring employees. We’re now a team of five and will be growing more soon.
I’m very much a people person and believe my personality and communication skills set me apart from many others around.
The Constitution of the United States and the Bill of Rights I value highly and do not like to see them perverted. I’m a life member of the NRA and a firm believer in protecting the 2nd Amendment just as vehemently as journalists wish to protect the 1st Amendment.
I am not beholden to anyone to have gotten myself to where I am now, I owe no politicians nor business any favors. I owe a TON to my parents and my wife who have been strong supporters in my journey.
I am not perfect, I’ve made mistakes but I’ve owned them. I’m opinionated and vocal, but unlike other opinionated people I will always listen and consider opposing views and thoughts.
I support law enforcement and first responders and will truly “have their six.”
I bleed Scarlet & Gray.
I am Jake Schaaf, computer nerd, IT guy, geek, husband, father, proud American.