
Cyber criminals often resort to simple trickery

Larry Magid’s 1 minute CBS News Tech Talk segment on Trend Micro report

By Larry Magid

As it does every year, security firm Trend Micro has released its annual threat report, titled “Security Predictions for 2016 and Beyond.” And, to me, the most profound statement in the report is “cybercriminals don’t need to use the most advanced technologies or sophisticated methods to succeed. Sometimes, simply understanding the psychology behind each scheme and its targets can be enough to make up for the lack of sophistication.”

It’s a very important observation. While professionals scramble to thwart sophisticated cyber intrusions, many of us remain vulnerable to simple trickery, otherwise known as social engineering. Common examples include those “phishing” emails we’ve all gotten that appear to come from a bank, PayPal, Microsoft, the IRS or some other well-known organization but are actually the work of criminals. Their intent is to get us to reveal personal information that can be used to steal our identity or money, to unwittingly enlist us in helping to spread spam, or even to commandeer our computers to help infect other devices.

Fear is a very powerful motivator. It’s used by governments to justify wars, by companies to sell us products and by criminals to extort us into cooperating with their schemes. The Trend Micro report observes that “cyber extortionists” are “banking on the use of fear.” And it predicts that “2016 will be the year of online extortion.” One form of extortion that’s been around for years is “ransomware,” which typically involves malicious software that locks you out of your own files until you pay to have them unlocked. Sometimes these programs arrive in the form of so-called “anti-virus” software that promises to protect you from a certain threat but instead gives the attacker control over your computer or mobile device.
This post first appeared in the San Jose Mercury News


And sometimes that attacker reaches out by phone. I’ve gotten several calls from “Microsoft security” informing me that my machine has been infected and offering to “fix it” for me if I let them install remote access software. These criminals can be very convincing — even leading you through a series of steps that will cause the Windows System Event Log to show you that there is a “critical error.” But that’s a normal occurrence — nearly all Windows machines will display that message. The real Microsoft never calls customers to warn them about security risks.

Speaking of fear, Trend Micro is predicting that cyber extortionists will devise “new ways to target its victim’s psyche to make each attack ‘personal’– either for an end user or an enterprise.” The attack against Sony is a famous example of how an attacker was able to get a great deal of private information that ultimately embarrassed Sony, some of its employees and contractors and even people who simply exchanged email with someone at Sony.

In some cases, these attacks will be motivated by money. Pay us and we go away quietly. But Trend Micro also predicts an increase in so-called “hacktivist” attacks designed to embarrass or expose agencies, companies and officials who are doing something the attacker doesn’t approve of, such as the recent attack that exposed the Social Security numbers, personal email and other information from CIA Director John Brennan and Homeland Security Director Jeh Johnson, which reportedly was motivated by opposition to U.S. policy towards Palestine.

Another form of extortion is the unapproved distribution of personal photographs such as those that depict people nude or engaged in sexual acts. So-called “sextortion” or “revenge porn” has been used to cajole people into paying money or engaging in sex acts in exchange for a promise not to distribute such images or to take them down. Earlier this year Kevin Bollaert was sentenced to 18 years in prison for operating two websites — one that posted nude and sexually explicit pictures of women and another that enabled victims to pay to have their pictures removed from the first site. This crime is sometimes motivated purely by rage, such as when someone wants to hurt a former partner after a breakup.

Trend Micro is predicting that businesses will fall for “elaborate tricks that use new social engineering lures” including a big increase in schemes to persuade workers to transfer money to accounts controlled by criminals. Sometimes called “spear phishing,” these aren’t just random attacks but will take advantage of “knowledge of ongoing business activities” to appear legitimate.

And the most dire prediction is that “at least one consumer-grade smart device failure will be lethal in 2016.” Given the number of devices, including cars, door locks and even medical implants, that are now connected, the possibility of a fatal attack is certainly not out of the question, but it brings us back to one of the major themes of the Trend report. Fear is a powerful motivator. Fear can cause us to make bad decisions, but, when put into proper perspective, it can also motivate us to take reasonable precautions.

Disclosure: Larry Magid is CEO of, a non-profit Internet safety organization that receives financial support from Trend Micro and other companies.