Keep the Wooden Horse where it belongs

Troy, 1200 BCE (give or take a year). The Greeks have left their camp outside the walls, and in their place is a large wooden horse. Ignoring the cowardly sceptics, the Trojans open the gates, drag this thing inside the city and close and bar the gates. Then it’s party time. Of course, we know what happens next. The horse is full of an advance guard of Greeks, who let themselves out when the party’s at its height, open the gates to the main Greek army and… No more Troy.

The term ‘Trojan horse’ has its place in computer security, as you probably know: an innocuous-looking piece of data or software that, when activated, opens the gates to the enemy. Most of these enemies at the gate depend on social engineering to effect their entry, just as the original Trojan horse did (it is believed that the Trojans worshipped Poseidon, who as well as being the god of the seas, was also the god of horses – a large horse would have been an object to be venerated).

It’s impossible to go over every social engineering technique in use, but fake emails directed at a particular target (spear phishing) are a common one: an innocent party is precisely targeted with a message that requests sensitive information, or that invites the reader to open a particular web site or piece of software, perhaps linked with a hobby or pastime that the victim practises.

Surprisingly, even those people whom you might believe to be sophisticated and immune to these tricks will fall for them. Briefly, there are several major reasons why people fall for them:

  • Authority – given an official letterhead, or the electronic equivalent, most people find it easier to believe what is written below it (“At HMRC we have received your tax return, and require a few more details before presenting you with the final demand. Please click below to enter these details.”). At the other extreme we have the classic 419 scams (which continue to attract victims at all levels): the West African princes, bank managers, lawyers, etc. who promise millions in unclaimed inheritances, compensation and the like.
  • Social acceptance – “Thousands have already taken part in this proven cryptocurrency scheme. You can join them.”
  • Commitment – a phish that appeals to a publicly expressed set of ethics (“We know that you value the goodwill of others. Click here to learn how you can make a difference to the most vulnerable in our society.”).
  • Scarcity – “Only 50 more places remain in this once-in-a-lifetime opportunity to join our fund partners.”
  • And of course, plain and simple greed.

Of course, many of these tricks will work over the phone or in text messages. But sometimes the social engineering can take place face to face. Here’s a fictional example from a recent novel:

“Want me to give away my trade secrets?” said Leo. “Okay, here’s one example I’ll give you for free. Most offices, at least most banks, anyway, you can only get in with a special card key, or you need to punch in some sort of access code. Keeps the bad guys out, right?”

“Right,” said Nick.

“Except it doesn’t, of course. Wear the right sort of clothes, and hang around the entrance looking lost. Say to the next person who comes along that you just nipped out to the toilet or for a cup of coffee, and you left your card on your desk. You’re new here, and you haven’t learned the tricks of the new office yet. They take pity on you, let you into the office, they turn left, you turn right, and you’re in. Everyone just thinks you’re new, and from another department.”

“That doesn’t get you into the computers, though,” objected Bobby.

“Aha. Phase two. Find out where the help desk is, if you don’t know already. Wait till there’s no-one there. There’s always going to be a few minutes when they’re doing desk-side support or having lunch or something. Then you use their internal phone and say something like, ‘Help desk here, we’re having problems with the mail system. Can you just give us your password so we can check the mail queue?’ The internal extension on their desk shows them that the call’s coming from the help desk number, so it has to be legit, right? And then you’re in like Flynn.”

“Sounds far too simple. I can’t believe that would ever work.”

“Believe me, it works.”

Make sure you keep the Trojan horses out of your organisation by educating and re-educating your staff on how to recognise phishing traps and scams (some anti-virus sites also offer anti-phishing training for organisations), by blocking suspect sites and also by establishing responsibility and procedures to deal with any possible breach.

First Response can help you develop an internal capability with a CIRP (Cyber Incident Response Plan) – which also includes post-incident support and analysis from your personal Incident Response Specialist.