All right. Now, our next chapter for end user security focuses on email and attachments. Now, we're gonna spend a ton of time in this section because ideally, we talked about these through social engineering and the phishing modules, and one of the easiest ways for me to spread malicious activity,
for me to phish for information,
ah, for me to distribute malicious code is through email attachment. This is one of the main ways that email, that phishing attacks have been established throughout the years. Like I said, phishing originated with the phone system. But now, really, most phishing attacks come through email. One of the nice things is it
provides anonymity from the sender.
You know, when I do social engineering and I do some of these attacks or these attempts for attacks or exploits in person, I have to be able to carry out a sense of legitimacy, a sense of urgency. I have to act authoritatively as if I belong there.
But social engineering across emails is just words on a page, and they could be interpreted in any way.
So it's much easier, uh, for me as an attacker to distribute my, or to query for information anonymously. It's an easy, easy way to make a mass appeal. There are a lot of mailing lists out there.
Companies make their living selling mailing lists. What's your name and email?
And if you think about it, when's the last time you've gotten a service that somebody didn't ask you for your email address? I go to enroll my son in a baseball league. Give us your name and your email address.
I want a frequent shopper card because I don't want to pay $5 for a bag of sugar. I wanna pay 99 cents. So here's my name and my email address.
I want to download this game. I want to access this website. I want to do this, that, the other. People want that information from me. Why? So that they can turn around and sell it to someone else who buys that information. The highest bidder, essentially. So as an attacker,
all I need is a list of email addresses, and I'm gonna send out my pleas and my marketing information and so on.
And let me tell you, ah, a trick of the trade is giving you that option to unsubscribe. Often that unsubscribe link will take you to a malicious site. Or that site will ask you for your password in order to unsubscribe, enter your password for this email address, or,
ah, simply by clicking on unsubscribe,
I now know that that's a legitimate email address. So email attachments, or email, is really a quick and easy way for me as an attacker to get information and to trick. You know, we would like to think that people aren't still opening attachments
from strangers. They're not still opening attachments that haven't been digitally signed.
That's not the case. If these attacks weren't successful, they wouldn't be used.
Um, as a matter of fact, uh, you know, I see it on a day in, day out basis. Hey, I got this link from somebody that sent me to an inappropriate website. What should I do? Well, you should have called me before you clicked on the link, because now your computer's sending out the link to the inappropriate website, right?
That can certainly be embarrassing for people within an organization,
but more than that, we're spreading infections throughout the environment. So we have to be very careful. We care, because email attachments are the easiest way of distributing viruses, and these attacks today are very, very smart. They'll read your email list. They'll send out, they'll propagate,
uh, this attack to the people in your email list. So
you know, here's a file. It looks like it comes from you. You're a legitimate person I trust. So I'm gonna open the attachment, and the same thing happens to me. The point I want to make there is it's not enough for you to know the person from whom the email comes. That's old hat. That's been destroyed, that idea, long ago. I need,
before I open up an attachment
to make sure that attachment's been scanned for malicious activity using your antivirus software, and then also, I would prefer that it's digitally signed as well. So I get the guarantee that it comes from the origin, the sender that it purports to come from, and also that it hasn't been modified.
Ah, and as I mentioned, the virus has read your email list and sent itself out to those. So be very, very careful
when we click on links in emails. Often there are websites that we can visit that are infected with malicious code. So just by clicking on a link in an email, I might be opening up my web browser to be compromised. I might, you know, have some impact more than my,
my Web browser. It might affect my system as a whole. Could possibly lead to a data breach.
Want to be very cautious. Never click on the link in an email. One other thing. A link may redirect you to a site that seems legitimate. So maybe I send you a link that says your Capital One account has been compromised. Please click on this link to reset your password.
Well, it's very easy for me to create a website that looks like Capital One,
easy to impersonate a website,
right? That's why we don't access websites that are secure. You know that we don't access financial websites unless we're using HTTPS. We're using a secure protocol,
so you click on that link. It looks like Capital One, and there's an entry box for username and password. You type that information, give your password. Now, all of a sudden I know your account information for Capital One. It is profoundly easy and a huge area of concern to click on links in emails.
What should I do? Go to my web browser and type out Capital One. Make sure I'm at Capital One's website using a secure protocol, HTTPS, before I connect in. And that way, if there's a concern, learn about it from a guaranteed and secure source.
What are the warning signs that my email could be fraudulent, that there's something up with it.
You know, to me, the best indication is looking at the grammar and the spelling. And sometimes I almost feel like some of these attackers would be more successful if they just run through spellcheck once or twice. And grammar check. Sometimes the grammar's just atrocious. And I remember I got a message.
It was really funny, it was years ago,
but it was from Donald Rumsfeld telling me I'd gotten a $75,000 refund from the IRS. Well, first of all, I'm pretty sure I didn't get a $75,000 refund from the IRS. And I'm even more sure if I had, it would have been Donald Rumsfeld. You know, they were,
It was such an important thing. They contacted Donald Rumsfeld so he could tell me directly.
It was just ridiculous. But then you look at the spelling and grammar mistakes, and it's just obviously not legitimate. Um, unsolicited downloads. Click here to download this free application. And a lot of times, websites will have that. If you're on a legitimate website, where to click
to download something that you need access to should be very clear.
Right. Um, and again, I really would caution you about downloading files. Follow your company's security policy, but at home, be very, very cautious. Like I said, very few things in this world are free. When you download something free from the Internet,
you're probably installing spyware on your system. You're probably gonna have to provide personal information in order to get that free download.
Honestly, you know, um, I heard somebody say that if they're not,
uh, what was the quote? Something like, if they're not offering a product, you're the product, meaning that they're selling you to the next end. So give me all your information. I'm gonna put that on the list. I'm gonna sell that list to somewhere else.
That sense of urgency. Your system is infected with Trojan 0.99.exe.
Click here to download the fix. Right? Unless I've authorized a scan on my system to an external source on the Internet, which I never should have done in the first place, they don't know what my system's infected with.
That's simply that I've gotten a pop-up generator on my system, and they know that people respond to that threat. It's fearmongering, basically. Ah, and you know, my favorite used to be, ah, a pop-up window that says, Are you tired of annoying pop-ups? Click here.
You know what? If you're popping up to sell me a pop-up blocker, that's probably not the most ethical organization. Use trusted sources on the Internet. Remember, unless a company has a reputation, and don't get me wrong when I say there's nothing free on the Internet, there are some good
open source pieces of software that are out there. I don't know if anybody's used OpenOffice.
That's great. Um, open source. Usually, uh, it's not really free. They would like a donation for your continued use of a product, but
my best suggestion to you is, if it's something you just have to have, Google.
Ask Aunt Google. Look at customer information. See, you know, what's out there about the product. Read several different reviews. Go to trusted sites for downloads, and again, probably at work, you're limited as to what files you can download on your system,
but, you know, ah, CNET was a trusted source for downloads.
Ah, and there are many others. You could even type in Google "trusted sources for download." You know, the best thing: check with your security team. You know, most people I know in security, they're happy to help. So, listen, I was thinking about downloading this software. Can you recommend a good safe download site for me to go to?
You've got the time. Don't be in such a hurry. There's nowhere online that knows that time bomb's ticking on my computer. Slow it down and verify these things before you would ever install something on your systems. So what to do? Verify with known parties. You get an email from me. Give me a call.
Yeah, This seems like an odd thing you'd send me. Kelly. Did this come from you?
No. Sure didn't. So take that moment. Pick up the phone,
check the email address in a link. Now, I mean, still don't click on links in emails, but usually you can hover over a link. And regardless of what the link says, it'll often show you the true address to which that's linking. Sometimes you right-click and go to the properties of the link, but usually you can tell,
um, go close the email and access the site through your browser.
Don't download unsolicited downloads. Just
don't do that. Stop it. Don't do it.
Take the emails and send them to your security team, because don't forget, it's not enough that I don't get infected. I want to make sure that none of my coworkers, uh, fall for that trap, and people will. So send it to your security team. Make them aware and let them distribute the warnings.
Keep your systems updated. Again, usually, your security team at work is gonna be responsible for that. But at home and on your laptops, make sure you keep track and keep up to date with your antivirus, anti-spyware, anti-malware software. Because when a new security threat is discovered, usually
there's a signature file
or ah, some sort of a file that contains the updates. Really, your software is only as good as its last update, so make sure you stay on top of that. Watch out for suspicious activity in your e mails. Be very leery of opening attachments. Check for digital signature, pick up the phone and verify. Check with your security team.
But once again, the theme of this entire series is Be suspicious.
Don't be the person that is responsible for an infection on your entire network. Slow down and verify.