"Donate to the hurricane recovery efforts!"
Charitable contribution scams have been a problem for years. Any time there is a high-profile incident, such as the devastating earthquake in Haiti or the earthquake and tsunami in Japan, criminals quickly get into the game and launch fake contribution sites. The best way to avoid this is to go to a reputable organization, such as the Red Cross, and initiate the contact yourself if you want to donate. However, Hadnagy says a particularly vile targeted social engineering ploy has cropped up recently that seeks specifically to target victims who may have lost loved ones in a disaster.
In this example, Hadnagy says, about 8 to 10 hours after the incident occurs, web sites pop up claiming to help find those who may have been lost in the disaster. They claim to have access to government databases and rescue-effort information. They typically don't ask for financial information, but they do require names, addresses and contact details such as email addresses and phone numbers.
"While you're waiting to hear back about the person you are seeking information on, you get a call from a charity," said Hadnagy. "The person from the charity will often strike up a conversation and claim to be collecting contributions because they feel passionate about the cause as they have lost a family member in a disaster. Secretly, they know the victim they've contacted has lost someone, too, and this helps build up a camaraderie."
Touched by the caller, the victim then offers up a credit card number over the phone to donate to the alleged charity.
"Now they have your address, your name, relative's name from the web site and also a credit card. It's basically every piece they need to commit identity theft," said Hadnagy.
Hadnagy has also heard of criminals who then go on to launch secondary attacks to obtain even more sensitive information, such as placing a call posing as a banking representative to verify the charity donation is legitimate and asking for the victim's social security number "for verification purposes."
"About your job application..."
Both job seekers and head-hunting organizations are being hit by social engineers who know they are looking for employment or seeking new employees.
"In both directions, this is a dangerous one," said Hadnagy. "Whether you are the person looking for work or the company posting new jobs, both parties are saying 'I'm willing to accept attachments and information from strangers.'"
According to a warning from the FBI, more than $150,000 was stolen from a U.S. business via unauthorized wire transfer after the business opened a malware-laden e-mail sent in response to one of its job postings.
"The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company," the FBI alert reads. "The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud U.S. businesses."
Malicious attachments have become such a problem that many organizations now require job seekers to fill out an online form rather than accept resumes and cover letters as attachments, said Hadnagy. The risk to job seekers of receiving a malicious message from a social engineer is high, too, he said. Many people now use LinkedIn to broadcast that they are looking for work, which gives a social engineer a quick way to identify potential targets.