As developers, we’re a prime target for social engineering scams. Hacking people is much easier than hacking infrastructures, and developers have access to things that are especially appealing to attackers.
While this article isn’t strictly about coding - or even computers at all! - every dev should know how to avoid social engineering scams to keep themselves and their projects safe.
- Everyone else, too
Be Careful With Sharing on Social Media
Does something about this tweet look concerning?
If you guessed “answering this question pretty much gives a hacker everything they need to reset your password” - then yep. Correct.
Gone are the days when tech-savvy people avoided having any online identity. Now, your Twitter name is your full name, and your workplace is in your bio (I mean, do you REALLY work at Google unless you say so in your bio?). With your name and workplace, attackers can guess your work email. If you start throwing in personal info like answers to security questions - it’s over.
Even if your workplace doesn’t have security questions, chances are your passwords are based on your personal info such as pet names anyway. 79% of users admit to having personal info in their passwords… and that’s just the ones who admit to it.
Check out CUPP. CUPP is a tool where you can input someone’s name, pet name, child name, DOB, etc. and generate a list of potential passwords. It works. Quite well.
In short: be careful with the info your share online! And if the entire world ABSOLUTELY needs to know the street you and Mr. Whiskers grew up on, then use a password manager, damn it.
Enable 2FA and Integrate it Into Your Projects
Wherever possible, enable 2FA on services you use, such as your Google account, bank accounts, Slack, etc. While 2FA isn’t perfect, it’s pretty close.
If you’re working on a project that requires personal login and deals with any sensitive information, please consider coding a 2FA option into your app. Here are some resources:
- Just use Google Sign-In instead, maybe?
- Google Authenticator
- The Pitfalls Of Developing Your Own 2FA
Don't Get Phished
Phishing is still the most popular form of social engineering. 92% of malware is delivered via email, and 95% of attacks on enterprise networks are the result of successful spear phishing.
Many developers are still operating on the archaic belief that phishing emails are poorly written, have terrible grammar and are obviously fake. Unfortunately, phishing emails have evolved significantly in the past few years. Nowadays, many phishing emails will be excellently written and almost indistinguishable from a legitimate email.
Here are some of the most common phishing scams lately:
Spear phishing involves selectively targetting employees, and developers are especially vulnerable. Spear phishers will discover information about you, and then selectively use it against you.
One of the most classic examples of spear phishing is sending fake invoices to people in finance teams. Lately, however, attackers have been expanding their reach by farming employee’s social media accounts and sending them tailored email scams.
Here’s a fun story.
So, I had to take a day off from work to take my dog to the vet. The team was short-staffed already, so I was feeling a little guilty.
I posted a pic of my dog on Instagram with the caption “Taking Lucy to the vet today. Feeling guilty about missing work though!”
About an hour later, I got this email from my boss:
“Hi [my name],
Hope Lucy is okay! But if you miss another day of work I might have to fire you. LOL.
Please send $15,000 to this client before COB today. [client details]
I was planning on transferring the amount, but it completely slipped my mind before the end of the day. I called my boss in panic apologizing for not paying the client in time.
He asked me what on Earth I was talking about.
Spear phishing takes many forms and is becoming progressively more sophisticated with the rise of social media.
To protect yourself from spear phishing, consider the following:
- Was I expecting this email from this person? Have we discussed the matter through other channels previously?
- Does the email convey a sense of urgency?
- Does the email demand action from me?
- Can I confirm the authenticity of this email through other channels?
Also, check the sender’s email address for any potential typos - e.g., replacing an “i” with an “l”, or an “m” with “rn”. Even if the email address is perfect, remember that spoofing addresses is simple and that there’s no guarantee the email came from the shown source.
This is the most well-known form of phishing. It involves posing as a business, often styling emails to look like what that business would typically send. Here’s an example with Dropbox:
Fun fact: this form of phishing is how hackers got into John Podesta’s email account!
To protect yourself from this type of phishing, consider the following:
- Does the email convey a sense of urgency, or demand action from me?
- Does anything look off about the sender?
- When I hover over links in the email, does the popup box show that they point to a strange location?
Smishing (SMS phishing) is similar to standard phishing emails, but over SMS instead. Smishing texts will usually impersonate companies and encourage you to click on a link or give away your personal info.
Smishing attacks are difficult to detect, which is why the general advice is never to follow links you receive over text.
Vishing (“voice” and “phishing”) involves phishing through phone calls. Of course, this isn’t a big deal to us, because what kind of developer seriously answers the phone nowadays? Just send me a text, FFS.
Most vishing relies on spoofing the caller ID to appear as a legitimate source. In a recent scam, attackers have been spoofing Apple. Phone calls coming from these scammers appear entirely legitimate, featuring “Apple Inc” as the caller name, and even showing Apple’s logo. Victims would be prompted to share their personal information, and potentially make credit card purchases.
To avoid vishing, consider:
- Was I expecting this phone call?
- Does the call convey a sense of urgency, or demand action from me?
- Is the caller asking for my personal information?
Okay, I made that word up. But social media phishing is beginning to become a big deal. Here are some of the tactics to watch out for:
LinkedIn Contact Compromise: In this attack, a hacker has already compromised one of your contacts. Through the contact, they leverage the trust you have and send you a message asking you to follow a link.
The Infamy Video: A compromised contact, usually on Facebook, will send you a message with a link. They’ll claim the link is a video of you doing something embarrassing, with a very high view count. If you click on the link, it’ll redirect you to a fake Facebook login page.
Twitter Baiting: An attacker will find a Twitter comment thread where a legitimate company is interacting with some users. The attacker will set the same display name and profile picture as the company, then insert themselves into the thread, usually encouraging users to click on a malicious link.
Automate, Automate, Automate
… the security of software applications should not be entrusted completely to developers. Instead, as Podjarny said, companies should introduce automation into security controls, implement automatic malware-detection scans, multi-factor authentication, and auto-expiring access tokens to ensure attackers are not able to gain access to or to inject malware into sensitive software programmes.
Where possible, try to integrate automation into your security practices. Humans can only be so aware, and there’s a lot of awesome apps out there that help fill the gaps. Enable 2FA, install a password manager if you haven’t already, and scan your networks regularly.
The world is a scary place, and everyone is out to get you. Try to stay up to date on the latest phishing scams, as attackers are continually learning and are never too far behind us.