When Clickbait Goes Bad

Everyone makes mistakes, but when something as simple as a single click can have ruinous impacts on your identity, your bank account, and your business, the stakes get a lot higher. All it takes is one simple click on a malicious link in an email, text message, or on a website or application (and, in fairness, a double click on a malicious attachment) and it can take weeks, months, or even years to recover—if recovery is even possible. If you make that same mistake on the corporate network, the ramifications can be business-ending, cost tens of thousands of dollars to mitigate, or make the headlines for yet another security breach.

If one malicious piece of clickbait can actually destroy you and your business, then why are so many people still making this mistake? This blog discusses the challenges with malicious links and attachments, the best ways to recognize them when they do appear, and how their impacts can be significantly reduced, if not altogether mitigated, by following simple cybersecurity hygiene guidelines.

Whatever you want to call them—cybercriminals, hackers, attackers, or threat actors (and technically there is a difference)—their goals are fairly similar. They want to find the easiest path to compromise your identity or penetrate your company’s network. That malicious link is the key to the kingdom for them. With it, they are most likely to do one of two things:

1. Sabotage: spread malware or otherwise disrupt or corrupt data, causing harm or inconvenience to you and potentially serious damage to your company.

2. Theft: lure an unsuspecting user into exposing valuables such as data, identities, or money, or into granting an access point to restricted systems from which the attacker can move laterally to reach further restricted information or systems.

Attacks can happen online, in person, and via other interactions on virtually any electronic device used for communication. This makes for a lucrative business model for threat actors. Organized crime groups operate as "businesses" from jurisdictions beyond the reach of their victims' law enforcement, targeting foreign governments, people, and organizations with ransomware, blackmail, extortion, and other devious schemes. The results are profitable for anyone willing to forgo their morals or to operate under the guise of patriotism for their nation state.

Because that seemingly innocuous little clickbait link can accomplish so much for the threat actor, it is well worth their effort to compel you to click it. The craft of doing so is called social engineering, and it uses myriad lures to bait you into clicking. In information security, social engineering is also known as "human hacking" because it psychologically manipulates people into performing actions or divulging confidential information, and then exploits that mistake to gain inappropriate access to private information, assets, or other resources of value.

Social engineering scams leverage an understanding of the way people think and act to manipulate a user's behavior. All the threat actor needs to do is understand what drives a user's actions. With that knowledge, they can use deceptive tactics, like making you believe that the email or website is real, that the source is trustworthy, and that it is urgent to act. They may also try to incite a heightened emotional response (fear, anger, excitement, curiosity, guilt, sadness) because people are far more likely to take irrational or risky actions when they are in an undesirable emotional state.

Threat actors will also exploit a user's lack of knowledge, which is why many social engineering schemes sit at the forefront of cyberthreat innovation: they exploit weaknesses before most consumers even know to look for them. Drive-by downloads and watering hole attacks are good examples of such vectors. Additionally, users who don't realize the full value of their personal data, like their phone number or birthdate, will be far less guarded about disclosing it, and they often lack the foresight to protect themselves from the targeted attacks that use such highly personalized details.

Top 10 social engineering schemes to look out for

Here is a top ten list of the most common social engineering schemes that could be targeting you.

1. Phishing Attacks (email) – A social engineering attack in which the attacker impersonates a widely trusted entity to trick an unsuspecting user into opening a fraudulent email that contains a malicious link, file attachment, or some form of embedded code. Once clicked, opened, or executed, the contents can install a wide variety of malware (including ransomware) to steal user data or credentials, create a beachhead, or hold assets hostage. Employees are a primary target for many phishing attacks because they use externally facing tools, like email and social media, through which an attacker can gain a foothold and then move laterally through the corporate network once the employee's account is compromised.

2. Spear Phishing – A very specific variant of phishing that targets particular individuals or groups within an organization via email (often with an attachment), social media, instant messaging, etc. The purpose is to get the contacted user to divulge personal information or perform an action that compromises the network or causes a loss of data or money. These attacks typically involve prior research on the targets and a high degree of personalization to encourage the target to carry out the requested action. They are designed to create high confidence that the source is trusted by using information only the target would be expected to know or recognize as legitimate.

3. Whaling Attacks – A highly targeted and more sophisticated form of phishing aimed at senior executives and C-level personnel. It is by definition a variant of spear phishing, because the goal is to land the "whale" (the executive) of an organization. These attacks feature fraudulent but well-crafted emails that use business language and tone while conveying a sense of urgency to encourage the recipient to perform a secondary action, such as initiating a wire transfer. Financial institutions, cloud storage providers, file hosting sites, and e-commerce sites are among the most targeted, since their executives are easily identifiable on the Internet. Whaling attacks tend to yield large returns for threat actors and pose some of the biggest risks to businesses because the targets have the authority to carry out the request by giving orders to their subordinates.

4. Smishing and Vishing – Similar to email phishing, smishing is a fraudulent text message that contains a link to a form designed to steal the user's information. Clicking the link may also download malware, such as viruses, ransomware, spyware, or adware, onto the user's device. These often take the form of urgent requests from a delivery service, bank, or even a superior at work, with the link offered as the way to take "quick action" on an urgent problem, or as the first step toward gaining the end user's trust in a more sophisticated attack.

Vishing involves fraudulent calls or voicemails that pose as legitimate companies to solicit personal information, such as your name, address, driver's license number, Social Security number, and credit card details. The caller may also record your voice and use the recording to authorize charges or gain access to your financial accounts. Phone calls are typically trusted more than the written word in an email or text message, and these scams can be harder to identify when the threat actor poses as a company or person you already have a relationship with, like an electric utility or insurance carrier.

5. Baiting – A highly manipulative technique that leverages tempting offers (e.g. movie or music downloads, discounts, and prizes) or even malware-infected devices (e.g. USB drives) to infect a user's system with malware or steal their sensitive information. The vehicle for baiting can be any of the channels listed above, and end users should follow the rule that if it sounds too good to be true, it probably is fraudulent.

6. Business Email Compromise (BEC) – An email cybercrime that specifically targets businesses with the goal of defrauding the company. A common associated scam is an email account compromise (EAC) or takeover. Both are difficult to detect and prevent, and both have increased as cloud-based infrastructures have become more common and extensive. BEC scams have exposed organizations to billions in potential losses when threat actors pose as legitimate employees and interact with workflows or create exceptions that divert funds or information to a malicious entity.

7. Tech Support, Rebate, or Legal Scams – Fraud in which a scammer masquerades as a legitimate support service, organization, or legal entity, commonly via browser popups with malicious links, or via phishing, smishing, or vishing (e.g. a fake error notification that links to a fake help line or website). These attempt to convince the user of a problem or opportunity and may demand payment through gift cards or other untraceable means. The end goal can be financial, or to infect the asset with additional malware under the guise of helping the victim.

8. Romance Scams – Scams in which a criminal or con artist adopts a fake online identity to gain the victim's trust and affection, then manipulates and steals from them. They are present on most dating and social media sites; the scammer often claims to be out of the country for work and usually ends up asking for money for a medical or legal emergency. Some gain access to the victim's bank account information and use it to carry out further theft and fraud. Victims fall for this type of attack because the threat actor's displays of emotion exploit their empathy.

9. Scareware and Personal Threats – These are tactics that are designed to scare people into visiting a fraudulent and infected website or into downloading malicious software (malware). These often appear as pop-up ads or spam emails that warn about an immediate threat or another issue that needs to be fixed immediately by clicking a link. Once clicked, rather than helping the user fix a problem, the malware is deployed to conduct some other nefarious activity. This is related to technical support scams; however, the messaging is based on fear, urgency, and the potential threat of incarceration.

10. Watering Hole Attacks – By either infecting existing websites that the targets already visit, or cloning them under similar URLs, threat actors use watering hole attacks to capture credentials and other personally identifiable information for identity-based scams. They use a variety of techniques to lure users to the malicious site in the hope that the victim will not recognize the attack and will attempt to log in or enter other information. One example uses fraudulent email ads to encourage the target to unsubscribe by clicking a malicious "unsubscribe" link or filling in a fraudulent "unsubscribe" form. Ultimately, a watering hole attack is designed to capture information that you would normally enter on a legitimate site. It takes its name from wild animals drawn by thirst to a pool of water, where a predator lurks beneath the surface.

For the end user, determining whether an email (its links or attachments) is malicious can be tricky, but there are some basic practices anyone can use to spot the schemes. Here are the five that most cybersecurity experts recommend.

  1. Watch for mistakes and odd display, construction, or formatting of the email, including misspellings, typos, poor grammar, or suspicious link or file names. The presence of these can help the end user determine that the message is deceptive. The context of the message or the time it was sent can also tip you off, as can malformed times and dates. Likewise, irregularities in the URL, poor image quality, and outdated logos can all indicate that the email is malicious or that you have been linked to a fraudulent website (which you should leave immediately).
  2. Inspect the sender's email address. If you receive a suspicious message, or any message asking you to click a link or download a document, check whether it comes from a legitimate email address, or look up the sender in your company's global address list or the social media profile that sent the message. Email addresses that are clearly incorrect, or that would not be associated with a business account, are a clear giveaway, but also watch for the more detailed imitators. Fake social media accounts and email addresses that mimic the legitimate versions are a growing trend, and substituting numbers or symbols for letters can make them hard to distinguish at a glance. For example, using 0 for O or + for t can fool most people who do not perform a detailed inspection of the address.
  3. Prove or validate the identity of the sender. If you receive a suspicious email or message from a source that seems legitimate, you can try contacting the source through an alternative communication vehicle, like a phone call. For instance, if you get a message that claims to be from your bank, call your bank to inquire about the message. If you get a notification about an online account, avoid the email and log into your account through your usual, verified process to determine if it could be a legitimate notification or if it is an attempt at a scam. Don’t click on the link in the email; navigate to the website on your own.
  4. Pay attention to your emotions. If the message triggers a curious, fearful, or negative response, consider your elevated emotional response a red flag. Emails can be just as threatening as being accosted, and keeping calm is crucial to determining a scam versus reality.
  5. Be wary of volunteering information—even basic data like your email address or phone number could leave you vulnerable. If it sounds too good to be true, it probably is. Giveaways and incentives are strong motivators, and thus common targeting methods and attack drivers. As a rule of thumb, never disclose your personally identifiable information to unknown or untrusted sources – especially over the phone or Internet.
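The sender and link checks in points 1 to 3 above can be scripted, which is how a help desk or mail gateway would apply them consistently. The following is an added example, not code from the original post: using only Python's standard library, it parses a raw message, folds the character substitutions described above (0 for O, 1 for l, + for t, and so on) so that lookalike sender domains compare equal to the real one, flags a Reply-To on a different domain, and then inspects every link in the HTML body. It goes a little beyond the text by also catching the userinfo trick (a real-looking name before an @ in the URL), punycode hosts, and link text that names a different host than the href actually targets. The TRUSTED_DOMAINS set, the SAMPLE_EMAIL message, and the HOMOGLYPHS table are constructed for this illustration.

```python
"""Triage helper for the sender and link checks above. Added example, not code from
the original post; TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the recipient legitimately corresponds with (constructed for this example).
TRUSTED_DOMAINS = {"examplebank.com", "corp.example"}
# Swaps that make a domain look right at a glance (0 for o, 1 for l, + for t, ...),
# folded back to the letter they imitate so lookalikes compare equal (constructed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "+": "t", "|": "l", "$": "s"})
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)

def normalize_domain(domain):
    """Fold lookalike substitutions, including rn->m and vv->w."""
    folded = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")

def registrable(domain):
    """Last two labels of a host: a rough eTLD+1 (no public-suffix list offline)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain):
    """Trusted domain this one imitates, or None if it is trusted or unrelated."""
    if registrable(domain) in TRUSTED_DOMAINS:
        return None
    folded = registrable(normalize_domain(domain))
    return next((t for t in TRUSTED_DOMAINS if folded == normalize_domain(t)), None)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_findings(href, text):
    """Flag hidden userinfo, punycode hosts, plain http, lookalike hosts, misleading link text."""
    findings, u = [], urlsplit(href)
    host = u.hostname or ""
    if u.username is not None:  # "https://examplebank.com@evil.example/" really goes to evil.example
        findings.append(f"userinfo '{u.username}' hides the real host {host}: {href}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode (IDN) host, possible homograph: {host}")
    if u.scheme == "http":
        findings.append(f"plain http link: {href}")
    if (target := lookalike_of(host)):
        findings.append(f"host {host} imitates {target}")
    if URL_LIKE.fullmatch(text.strip()):  # the visible text is itself a URL
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown} but href goes to {host}")
    return findings

def triage(raw_email):
    """Run the From, display-name, Reply-To, and link checks over one raw message."""
    msg, findings = message_from_string(raw_email), []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if (target := lookalike_of(from_domain)):
        findings.append(f"From domain {from_domain} imitates {target}")
    for trusted in TRUSTED_DOMAINS:  # brand named in the display name, address elsewhere
        brand = trusted.split(".")[0]
        if brand in display.lower() and registrable(from_domain) != trusted:
            findings.append(f"display name '{display}' claims {brand}, address is {addr}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registrable(reply_to.rpartition("@")[2]) != registrable(from_domain):
        findings.append(f"Reply-To {reply_to} is on a different domain than From")
    extractor = LinkExtractor()
    for part in msg.walk():  # check every anchor in the HTML part(s)
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            extractor.feed(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    for href, text in extractor.links:
        findings.extend(link_findings(href, text))
    return findings

# Constructed phishing message that exercises each check above.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examp1ebank.com>
Reply-To: recovery@mail-verify.example
Subject: Urgent: unusual sign-in on your account
Content-Type: text/html; charset=utf-8

<p>We blocked a sign-in. Verify within 24 hours or your account will be locked.</p>
<p><a href="http://examplebank.com@login-examplebank.example/verify">https://examplebank.com/verify</a></p>
<p><a href="https://www.xn--exmplebank-5kb.com/">Secure portal</a></p>
"""
```

Calling triage(SAMPLE_EMAIL) returns one finding per trick in the message: the From domain examp1ebank.com imitating examplebank.com, a display name claiming the bank while the address is elsewhere, the Reply-To on a third domain, the userinfo and plain-http tricks on the first link together with its misleading visible text, and the punycode host on the second. The registrable() helper is deliberately crude (last two labels); in production use a public-suffix list, and treat this as a triage aid that feeds the "verify through another channel" step, not as a verdict.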

What’s the best defense against a malicious URL?

Knowing how to identify and avoid (or better yet, report) a malicious link is an important preventative strategy, but once in a while we all make a mistake. Whether the email or website looks real or simply fails to trigger our "fight or flight" response, we are never 100% reliable at spotting a bad link. Good cybersecurity hygiene can safeguard you when preventative education, training, and identification fail.

Cyber hygiene, or cybersecurity hygiene, is a set of practices organizations and individuals perform regularly to maintain the health and security of users, devices, networks, clouds, and data. It isn’t unlike our own personal hygiene. Showering frequently and brushing (and flossing) our teeth are the precautionary measures we take to prevent the spread of disease, reduce the risk of cavities, and overall maintain our physical health. In the same way, organizations can follow basic cybersecurity actions regularly to prevent data breaches and other security incidents.

Good cyber hygiene combines routine procedures that keep your computer operating correctly with habits that keep you (the user) operating it safely. By maintaining good cyber hygiene, you minimize the risk of security incidents, data compromise and loss, operational interruptions and downtime, financial loss and government fines, damage to reputation, and legal liability. Furthermore, the impact of a malicious click can be significantly reduced, and the most common attacks thwarted, by implementing simple concepts like least privilege.

In other words, when something does go wrong, your cybersecurity hygiene makes the difference between the link you clicked doing nothing at all and it beginning a devastating compromise of you, your computer, and your company. Basic tenets like the removal of administrative rights can stop the injection and execution of malware, because the malicious code runs only with the privileges of the standard user who clicked, which are not enough for it to modify the operating system, disable security tools, or reach other users' sessions. This is just one example; many other basic hygiene concepts are important to minimizing this risk, including vulnerability and patch management and endpoint detection and response (EDR) solutions. Together, they form the basis for a five-step model of endpoint cybersecurity hygiene that can protect an end user after they make a mistake.

What are four of the best practices for maintaining good cybersecurity hygiene?

Here are some basic cybersecurity hygiene practices that you can implement now to keep you safe even after you’ve clicked a malicious link:

1. Allow the operating system and applications to apply recommended security updates or ensure your organization is applying them in a timely manner after public disclosure. This will help prevent exploitation of any known vulnerabilities associated with clicking an errant link or opening a malicious file.

2. Ensure that your anti-virus solution is properly licensed, receiving updates, and periodically scanning your system for dormant malware or advanced persistent threats.

3. Interact with your computer as a standard user and not an administrator for daily activities. This concept of least privilege will thwart malware that needs administrative privileges to infect your computer. This one method is by far the most effective at stopping an attack and is recommended by cyber insurance carriers and regulatory compliance bodies alike.

4. Ditch your old computer. If your operating system is end of life, like Windows 7 or Windows XP, consider upgrading or replacing your system. An end-of-life system no longer receives security patches, and odds are that the antivirus vendor has stopped providing updates for it as well since it has been deprecated. It is simply not a safe device to have on the Internet, and attackers know this: its vulnerabilities will never be fixed, so exploits against them remain reliable and end users have no way of mitigating the risk. If you cannot afford to replace the hardware and it is not compatible with a newer operating system, consider initiatives like Google Chrome OS Flex to modernize your operating system and stay protected.

In an ideal scenario, when you identify a phishing email or visit a fraudulent website, based on your training, you will be able to recognize the potential threat. You’ll then close the web page or email and report the threat to your information security department for analysis and to prevent others from receiving the same content, and if needed, have your asset assessed for additional threats. As more devious tactics come into play, however, it can become more and more difficult to spot malicious intent in something as simple as a hyperlink. This is why good cybersecurity hygiene is so important.

Let’s walk through a malicious link and click scenario so we can see where good cybersecurity hygiene comes into play, and the impact it can have on the situation.

The scenario: You open a phishing email or visit a fraudulent website and click on a malicious link. The results could compromise you and your entire organization. Each step below contrasts what happens with bad hygiene and with good hygiene.

Bad hygiene: The link attempts to infect your computer with malware when it is clicked.
Good hygiene: The link attempts to infect your computer with malware, but you notice odd behavior on your system, immediately disconnect from the network or Internet, and inform your information security department.

Bad hygiene: The malware exploits unpatched vulnerabilities in your operating system, browser, or an associated third-party application and infects your system.
Good hygiene: Your system is regularly patched and known vulnerabilities are remediated, so the malware has no exploitable flaw to use against your system or others on the network.

Bad hygiene: Your anti-virus software is outdated and fails to detect this particular malware, allowing it to execute on your system.
Good hygiene: Your anti-virus is up to date, so it detects and eradicates the malware before it can execute. If your solution also has EDR capabilities, any follow-on activity from the malware can be identified promptly even if the malware obfuscates its signature.

Bad hygiene: You have full administrative rights on your system, so anything you execute can change critical settings or even uninstall the security applications designed to protect your system.
Good hygiene: Administrative rights have been removed and you work with standard user privileges. The account that does hold administrative privileges is safeguarded, and malware launched by your click inherits only your standard privileges, which mitigates 88% of Microsoft vulnerabilities and prevents the vast majority of exploits from succeeding on your computer, blocking the attack.

Bad hygiene: Your computer openly shares files, printers, and video with other systems on your network. Lateral movement between systems is wide open, and ransomware or other malware can spread from system to system.
Good hygiene: Lateral movement between all assets on the network is restricted and peer-to-peer communication has been disabled, so malware and ransomware cannot spread unattended from system to system.

Bad hygiene: A user can launch a remote access session (RDP, SSH, VNC, etc.) to a system anywhere with just a username and password. Those open listening ports can be used during an attack, and malware can be injected once a session is active.
Good hygiene: All remote access sessions require multi-factor authentication (MFA) and follow least privilege, and the assets accepting remote access do not expose any public listening ports for initiating a session. Those ports therefore cannot be used during an attack, and malware cannot be injected into an active session.

Conclusion: Cybersecurity Hygiene and a Watchful Eye can help block malicious activity

The risk is real. Everything from stealing your passwords to encrypting all of your files (ransomware) is a potential outcome of poor cybersecurity hygiene. Cybercriminals are highly motivated to trick you into believing their malicious messages, and it is easy to make a mistake. All it takes is one click on a bad link and the results can be devastating. However, through education and training to identify these fraudulent links, emails, and websites in the first place, and by following basic cybersecurity hygiene, you can mitigate the vast majority of this risk.

While this blog’s recommendations are not a 100% solution, these are the best things we can do to protect ourselves and our organizations in the event that we do make a mistake. Our best recommendation is always training and education to prevent an erroneous click, but when it does happen, good hygiene, including the removal of administrative privileges, will be your best defense.

Endpoint Privilege Management (EPM) can help improve cybersecurity hygiene and protect users, and organizations, from simple mistakes (clickbait, malicious links, etc.) by removing admin rights and providing context-based application protection. Click here for more information about how you can get started.

This post was first published on the BeyondTrust website by . You can view it by clicking here