If you’re planning to take the SY0-501 version of the Security+ exam, you should understand some other common attacks in addition to malware. This includes recognizing attacks via email and phone.
For example, can you answer this question?
Q. Maggie reports that she keeps receiving unwanted emails about mortgages. What does this describe?
A. Phishing
B. Spear phishing
C. Spam
D. Vishing
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Spam
Spam is unwanted or unsolicited email. Depending on which study you quote, between 80 percent and 92 percent of all Internet email is spam. Some spam is harmless advertisements, while much more is malicious. Spam can include malicious links, malicious code, or malicious attachments. Even when it’s not malicious, when only 1 of 10 emails is valid, it can waste a lot of your time.
In some cases, legitimate companies encourage users to opt in to their email lists and then send them email about their products. When users opt in to a mailing list, they agree to the terms. On the surface, you’d think that this means that you agree to receive email from the company and that’s true. However, terms often include agreeing to allow their partners to send you email, which means the original company can share your email address with others.
Legitimate companies don’t send you malicious spam, but they might send you more email than you want. Laws require them to include the ability to opt out, indicating you don’t want to receive any more emails from them. Once you opt out, you shouldn’t receive any more emails from that company.
Criminals use a variety of methods to collect email addresses. They buy lists from other criminals and harvest them from web sites. Some malware scans address books of infected computers to collect email. Because they are criminals, they don’t care about laws, but they might include opt-out instructions in spam they send. However, instead of using this to remove you from their email list, attackers use this as confirmation that your email address is valid. The result is more spam.
Vishing
Vishing attacks use the phone system to trick users into giving up personal and financial information. It often uses Voice over IP (VoIP) technology and tries to trick the user similar to other phishing attacks. When the attack uses VoIP, it can spoof caller ID, making it appear as though the call came from a real company.
In one form, a machine leaves a phone message saying that you need to return the call concerning one of your credit cards. In another form, you receive an email with the same information. If you call, you’ll hear an automated recording giving some vague excuse about a policy and prompting you to verify your identity. One by one, the recording prompts you for more information, such as your name, birthday, Social Security number, credit card number, expiration date, and so on. Sometimes, the recording asks for usernames and passwords. If you give all the requested information, the recording indicates they have verified your account. In reality, you just gave up valuable information on yourself.
Another example of vishing is just a regular phone call from a criminal. A popular ploy is a call from a company claiming to be “Credit Services” and offering to give you lower credit card rates. They play around with caller ID and have it display anything they want. A common ploy is to display a number similar to yours, making them appear local. They often announce, “This is your second and final notice,” trying to evoke a sense of urgency.
If you answer, the automated system forwards you to a live person who begins asking a series of “qualifying” questions, such as how much credit card debt you have and what your interest rates are. They then promise that they can help you lower your debt and get you a better rate. Next, they start asking some personal questions. They might ask for the last four digits of your Social Security number so they can “verify your account is in good standing.” They might ask you for the code on your credit card “to verify you still have it.”
Eventually, they hope to get your credit card number, expiration date, and code so that they can use it to post fraudulent charges. Some people have reported similar callers trying to get their bank information so that they can transfer money out of the accounts.
They hang up right away if you ask them to take you off their list, or stop calling. Similarly, they hang up when they hear words such as criminal, thief, and other words I’ll leave out of this book. Some even reply with insults. They’ve called me so often, I’ve played along a few times. I love it when they ask for information on my credit card. I respond by saying, “Can you hold on so I can get it?” I then put the phone in a drawer and go back to work. Once, they stayed on the line for more than three hours waiting for me.
Q. Maggie reports that she keeps receiving unwanted emails about mortgages. What does this describe?
A. Phishing
B. Spear phishing
C. Spam
D. Vishing
Answer is C. Spam is unwanted emails from any source.
Phishing and spear phishing are types of attacks using email.
Vishing is similar to phishing, but it uses telephone technology.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on common attacks.