Yazılım Kulübü

In this blog, we are going to discuss Baiting which is a common method of a Social Engineering attack the others include phishing, pretexting, watering holes, quid pro quo and tailgating.

1. What is Baiting?

Baiting is Phishing’s devious cousin. As the name suggests, Baiting involves luring an unsuspecting victim with a highly attractive offer playing on fear, greed and temptation  to make them part with their personal sensitive data like log-in details. Through fraudulent, fake methods, both attempt to capture confidential, personal details such as a password or banking information such as a PIN so they can access your business networks and systems to instal malware which executes ransomware.

2. Baiting Psychology

As is the case with all forms of Social Engineering, Baiting relies heavily on psychological manipulation to take particular actions that are potentially harmful. It is an information security confidence trick with the malicious aim for the victim to give away highly confidential and personal information. This is then used to form the basis for various methods of cyber crime and gain access to personal and organisation’s networks.

3. Baiting Techniques

Baiting can take on many digital forms including physical devices such as a USB drive as well as online methods offering too good to be true downloads and attachments which turn out to be the opposite – highly damaging and malicious. At the heart of the reason for the ‘bait’ is to prey on the human foibles and weaknesses of fear, anxiety, curiosity, trust and greed.

With the malware-infected USB drive, the cyber criminal will go to an open, public area such as the reception lobby of the targeted organization/company or if they can gain access to the offices, a break-out, communal space such as co-working areas, coffee bars, restrooms, shelves in busy corridors (or perhaps even a desk itself)  to plant several USB devices branded with a corporate logo or similar and reassuring trusted sticker such as HR or Finance. They then wait for a curious, intrigued employee to have his curiosity piqued and pick it up, take it into the building and install on their computer.

Once installed, the victim will see a list of files and folders with relevant business terms relating to their business, organization or sector. The file may be called ‘Q3 Profit and Loss Projection’ or a folder with the title ‘HR Information – CONFIDENTIAL’ or ‘Banking Inside Information’.  Each file and folder will be engineered and designed  to elicit the desired response the hacker wants them to take – that is to download the malicious attachment(s) (the ‘bait’) and deliver the malicious ‘trojan-horse’ software to the computer which will then spread out into the internal network and then allows the cyber criminal to move on to the next stage of their attack such as one which involves spear-phishing, watering hole or another method of social engineering.

In the online world the same methods that prey on our curiosity, greed and trust are at the heart of ‘baiting attacks’. When there is a that vital, not-to-be-missed Champions League game featuring Liverpool, Paris St. Germain or Besiktas, the latest Anthony Joshua, Gennady Golovkin or Canelo Alvarez fight, the cyber criminal knows the events we all want to view and go to any lengths to find the event’s livestream. Now the compelling, highly popular ‘Mad Men’ is no longer on Netflix, ardent fans will be searching high and low for the series and episodes no longer available. A malicious site with a tempting download link will lurk somewhere in cyberspace such as a peer-to-peer network and wait for the unsuspecting Don Draper fan who will want to download and view without a second thought to their own cyber security and that of their company as well.

4. Baiting: A Case Study

In 2016, a study was carried out to see how people reacted to a ‘baiting style attack’, On the Urbana-Champaign campus part of the University of Illinois, researchers planted approximately 300 USB drives. 48% of these devices were found, picked up and installed into computers some within minutes of their discovery.  For the purposes of this study, no malicious attachments were executed. The files on the USBs had HTML files with img tags to allow researchers to monitor and track movement and use.

Only 16% of those who picked up and installed the drive, went to the trouble of scanning it first with anti-virus tools. While most said that they only picked up and installed the drive to see who was the owner and to return it to them, a significant minority admitted to wanting to keep it for themselves. This leads to a small but highly worrying potential data breach and exposes a highly vulnerable gap in the attack surface and as a result, increased cyber risk and danger to information security.

This confirmed the suspicions of many in the security world who reported that unsuspecting users can be coerced through curiosity, greed etc. into picking up unknown devices and becoming victims of social engineering methods. This leads to their organization becoming vulnerable to cyber attacks, data breaches and ransomware campaigns potentially costing millions of dollars and untold, unrepairable reputational damage.

5. Techniques to Prevent Baiting

Scammers who use baiting techniques know very well how to play with our fears and emotions. When you do receive an email that promotes feelings of fear, greed etc. be careful and alert – act calmly and think slowly, do not be rash with your actions.

Alertness and awareness will serve you well and protect you against baiting and other social engineering attacks. So when you do come across a pop-up advertisement or a highly attractive, alluring offer think before you click and be aware and alert – think twice before you enter any personal information especially anything to do with banking and payments such as credit card and account information.

Keep your antivirus and antimalware security settings up-to-date so they flag potentially harmful and malicious cyber threats. Can that URL really be trusted and is it secure and have an up-to-date, valid security certificate? For example when you use Google Chrome, check that there is a lock sign in the browser search window. This will allow you to see if your connection is secure, can be trusted and has a valid certificate. Scan your computer regularly to further protect yourself against these cyber threats and help improve your cybersecurity hygiene.

6. Cyber Security Awareness Training / Information Security Awareness Training against Baiting

To help protect not only yourself but also your company or organization, it is essential to increase your awareness against social engineering attacks such as baiting. With Information Security tools such as Keepnet’s Awareness Educator, your cyber security posture can be strengthened by appropriate targeted education and relevant Information Security training. Together with Keepnet integrations such as the Phishing Simulator module, your colleagues’ awareness will be further enhanced with suitable courses and phishing simulations to reduce future risk of sophisticated malicious social engineering attacks including phishing emails.

7. Simulated Phishing Tests / Phishing Simulation Against Baiting

To prevent Baiting and other Social Engineering Attacks you have to generate fake phishing url links or create phishing email templates. Increasing cyber security awareness through timely, targeted and specially tailored training is essential. To deliver such important security awareness training programs, you can use Phishing Simulation software such as Keepnet Labs’ Phishing Simulator. This allows you to start creating Phishing email templates like the one above.