Tag Archives: blogging

Another one from the #whydidntyouwarnme desk: Phishing and Framing

Q. Explain the concept of social engineering Framing. Why is it a key fundamental in a social engineering plan? Provide an example of Framing in your own context of a work or social setting.

Framing is how a Social Engineering target dynamically reacts to a situation based on life experiences and their own traits and characteristics (Hadnagy 159-160). Social Engineers use a technique called frame bridging to close the gap between the scenario a Social Engineer wants the target to respond to and personal facts about the target. A pretext is a strategy the Social Engineer has prepared to bridge the frame – in other words overcome resistance to the scenario.

Today I received the following phishing email. A screenshot of the email is below, and the text, with the link removed, follows. The links in the screenshot are not live because it is an image, and no one should click them even if they were.

“Hi!

My name is Veronica.

Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.

Take a look at this document with the links to my images you used at www.chasenfratz.com and my earlier publications to obtain the evidence of my copyrights.

Download it now and check this out for yourself:

(url probably leading to something bad was here)

I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act (”DMCA”) therein.

This letter is official notification. I seek the removal of the infringing material referenced above. Please take note as a service provider, the Digital Millennium Copyright Act requires you, to remove or disable access to the infringing materials upon receipt of this notice. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.

I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law.

I swear, under penalty of perjury, that the information in the notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

Best regards,
Veronica Garcia

05/11/2021″

It’s possible that whoever sent this message, whether a person or a bot, distributed them to anyone they could get to who has a blog. Social Engineers deliberately choose words that evoke emotions in the receiver (Hadnagy 163). Clearly fear is what I’m supposed to feel while reading a message like this. There are a lot of scary-sounding legal terms and phrases thrown around, and the dollar amount of possible damages that supposedly could result if I don’t act is high.

The purpose of invoking strong emotions in a target is to get the amygdala in the brain to compel the target to act and click the link before the logical part of the brain says “wait that might be a phishing email” (Hadnagy 184-185). The basic human emotions of anger, surprise, fear, disgust, contempt, sadness or happiness are tools that Social Engineers exploit for different purposes (Hadnagy 163).

If I wasn’t sure about the authenticity of the above email, I could look up the law that has been cited and the name of the artist or designer claiming infringement to see if there is any possibility it might be real. I’m not even bothering to do that, because there are several aspects of my particular framing that this pretext failed to bridge, so it never got even that far.

  1. I’m currently enrolled in a Social Engineering class and the kind of activity represented in this email is foremost in my mind and has been for weeks.
  2. I’ve actually received a genuine email recently regarding trademark infringement. The allegation of trademark infringement was about an adhesive dots product I had been selling in my Etsy shop. I had used the phrase “glue dots” as a tag to help describe the product when another company claims the phrase “glue dots” as a registered trademark. In my opinion “glue dots” is way too generic a phrase to legitimately claim a trademark on, but my opinion means nothing. For one thing I’m not even an attorney. Etsy informed me that they had removed my listing for that product. Just to make sure the issue was real, I contacted the law firm mentioned in the email and the manufacturer of the product in question. The law firm did not answer my inquiry but I did confirm it actually exists and specializes in that type of law. Today’s phishing email is extra suspicious because there is no law firm mentioned. The manufacturer of the adhesive dots product responded to me and confirmed it was a real issue that they were trying to resolve. In short, I have some idea what a real email of this nature looks like and this is NOT it.
  3. I’ve been involved with business blogging as part of my work for nearly 20 years, possibly since before the term “blogs” was even in wide use, and I have a pretty good idea about what copyright violation and fair use are. If I were actually guilty of this I would know! At least I think I would. Humility is important, because while people like us are busy working at something legitimate, malicious Social Engineers are planning new schemes instead. We can never let our guard down or assume that we know everything and will easily catch every scam.

Additional Framing Techniques

The Social Engineer who created this phishing example could have used the technique of reinforcing the frame, that is, causing me to think about it and therefore strengthening it, if they had done even a little bit of OSINT (Open Source Intelligence) on me (Hadnagy 166). But it’s clear they did none, other than to use my website URL, which may have been scraped by a bot.

For example, the phrase “Your website or a website that your company hosts” is kind of a giveaway. I would have done a little more digging if they had said “the Fiber Arts section” or something like that, indicating it might not be a generic scam email. Creating an email with a more personal and specific pretext, using the knowledge gained by OSINT, is called spear phishing.

Negating the frame is a way of inadvertently undermining the operation by reminding the target of what they should be suspicious about (Hadnagy 165). The phishers in this case avoided that blunder – they didn’t say anything like “Beware, this is not a scam email!”

Another way of leveraging the framing of a target is hinting at or insinuating something without directly coming out and saying it. This is called evoking the frame (Hadnagy 164). I would have known what the implied threat was if the phishers had said something like “if you don’t stop using our copyrighted material we will be forced to take serious action”. Kind of like a gangster in a movie or TV show saying “this is a nice place you got here, it would be a shame if something happened to it!”
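The signals picked out above (the fear-inducing legal phrases, the generic “Your website or a website that your company hosts” pretext, the “Download it now” call to action, the $150,000 threat, and the absence of any law firm or case reference that a genuine notice would carry) can be turned into a simple defender-side triage check. The script below is an added example, not part of the original post or of Hadnagy’s book. Its phrase lists, weights, threshold and the contrasting “genuine-style” notice are assumptions constructed for illustration; the phishing sample is the email quoted in the post.

```python
"""Heuristic triage of a DMCA-themed phishing email, scoring the framing tricks
the post describes. Added example; phrase lists and weights are assumptions."""
from __future__ import annotations

import re

# Words chosen to evoke fear and legal pressure (assumed list, not from the post's source).
PRESSURE_PHRASES = (
    "lawsuit", "liable", "willfully infringed", "statutory damages",
    "penalty of perjury", "official notification", "commenced against you",
)
# Wording that betrays a generic, un-researched pretext (assumed list).
GENERIC_PHRASES = (
    "your website or a website that your company hosts",
    "a website that your company hosts",
)
# Urgent calls to act before the logical brain catches up (assumed list).
ACTION_PHRASES = ("download it now", "check this out for yourself", "click here")

# A dollar amount used as a threat, e.g. "$150,000".
DOLLAR_RE = re.compile(r"\$\s?\d[\d,]*")
# Concrete, checkable sender details a real notice usually carries (assumed pattern).
SPECIFICS_RE = re.compile(
    r"\b(LLP|LLC|Esq\.|attorney|law firm|counsel|case no\.?|reference no\.?)\b", re.I
)

# Relative weight of each indicator class (assumed values).
WEIGHTS = {
    "emotional_pressure": 2,
    "generic_targeting": 3,
    "urgent_call_to_action": 2,
    "dollar_threat": 1,
    "no_verifiable_sender_details": 2,
}


def find_indicators(text: str) -> dict[str, list[str]]:
    """Return every indicator class found in the message with the matching phrases."""
    norm = " ".join(text.lower().split())  # collapse whitespace, ignore case
    hits: dict[str, list[str]] = {}
    pressure = [p for p in PRESSURE_PHRASES if p in norm]
    if pressure:
        hits["emotional_pressure"] = pressure
    generic = [p for p in GENERIC_PHRASES if p in norm]
    if generic:
        hits["generic_targeting"] = generic
    action = [p for p in ACTION_PHRASES if p in norm]
    if action:
        hits["urgent_call_to_action"] = action
    dollars = DOLLAR_RE.findall(text)
    if dollars:
        hits["dollar_threat"] = dollars
    # Absence of anything verifiable is itself a signal, as the post notes.
    if not SPECIFICS_RE.search(text):
        hits["no_verifiable_sender_details"] = ["no firm, counsel or case reference named"]
    return hits


def phishing_score(text: str) -> int:
    """Sum the weights of the indicator classes present."""
    return sum(WEIGHTS[k] for k in find_indicators(text))


def classify(text: str, threshold: int = 5) -> str:
    """Bucket a message for a human reviewer (threshold is an assumed value)."""
    score = phishing_score(text)
    if score >= threshold:
        return "likely phishing"
    if score > 0:
        return "review manually"
    return "no indicators"


# The email quoted in the post (link placeholder kept as the post shows it).
PHISHING_EMAIL = """Hi!
My name is Veronica.
Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.
Take a look at this document with the links to my images you used at www.chasenfratz.com and my earlier publications to obtain the evidence of my copyrights.
Download it now and check this out for yourself:
(url probably leading to something bad was here)
I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act ("DMCA") therein.
This letter is official notification. I seek the removal of the infringing material referenced above. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.
I swear, under penalty of perjury, that the information in the notification is accurate.
Best regards,
Veronica Garcia
"""

# Constructed contrast: the shape of the genuine trademark notice the post describes
# (company name, listing number and reference are invented placeholders).
GENUINE_STYLE_NOTICE = """Dear shop owner,
I am writing as outside counsel for Example Adhesives LLC regarding listing 123456789
in your shop, which uses the registered mark GLUE DOTS in its tags. Please remove the
tag or contact our office at the number below to discuss. Reference no. TM-0001.
"""

if __name__ == "__main__":
    for label, msg in (("phishing sample", PHISHING_EMAIL), ("genuine-style notice", GENUINE_STYLE_NOTICE)):
        print(f"{label}: {classify(msg)} (score {phishing_score(msg)})")
        for kind, matches in find_indicators(msg).items():
            print(f"  {kind}: {matches}")
```

The point of the contrast message is the last indicator: a real notice names a firm, counsel or reference that the recipient can check independently, as the post’s author did with the law firm and manufacturer, while the phishing sample offers nothing to verify. Keyword scoring like this is a triage aid for mail filters or a helpdesk, not a verdict; the human step of checking the claimed sender still matters.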

Works Cited

Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.

How to Start a Blog

A friend of mine solicited advice on Facebook on this topic, and since what I’ve written is probably too long for that platform, I’ll make a blog post out of it!

  1. First think about what the purpose of your blog is. All of the decisions you make will flow from that, so be clear in your mind on why you are doing it. What is the theme, if you have one? Pick out a title that fits the theme and purpose. While doing business blogging as part of my living, I was taught that one of the purposes of blogging and other social media is to give your company a more personal feel and create a connection with the audience. Whether your purpose in blogging is to make money or just express yourself, informality is expected so if you want to go off topic now and then and write about whatever is on your mind at the time, that is ok to do.
  2. Decide whether you need your own domain name. Is it acceptable to have your blog at myblog.wordpress.com for example or is it important to have www.myblog.com? If you want your own domain, is there a domain name available that fits your chosen title?
  3. Decide whether you want to use your real name or a pen name.
  4. Decide what email address you want to associate with your account. If you’re using a pen name, you might not want to use the same email address you use when you’re using your real name online. Also if you want readers to be able to contact you by email, it might be useful to have a separate email for this so you can better manage the spam settings. On most platforms that I’m familiar with, allowing readers to contact you by email is voluntary.
  5. If you have any interest at all in Pinterest, Facebook, Twitter or other social media platforms, get an account in each to complement your blog – using your pen name if you have one, or it’s ok to use accounts under your real name if you don’t mind revealing all your online activities to the world. Many blog platforms allow you to link your blog to these accounts, which makes promotion of your blog a lot quicker and easier and gives people more ways to interact with you. You will most likely be prompted to link these accounts when you set up your blog, so it’s convenient to have them ready before you start. It’s a lot of work to fill all the social media platforms with content, so whenever you can have one account propagate content to the others automatically it’s a big help. For example, my Twitter account accepts feeds from my other activities, mostly automatically, and I rarely have to go straight to Twitter to add content, though I still can if I want to – http://www.limegreennews.com/ – the rest of that web site is very out of date, but the Twitter feed at least is current!
  6. Select a blogging software platform. Make sure you have picked out a title and decided how you want to identify yourself online before you start playing around with the software, because you often cannot change the name after you start setting up your account. I don’t think you can go far wrong with WordPress because people have written a lot of useful free plug-ins and you will be able to do a lot with it. If there are certain special features that are important to you it might not hurt to look at a comparison chart of different blog software, such as this one – http://startbloggingonline.com/blog-platform-comparison-chart/ or this one – http://weblogs.about.com/od/choosingabloghost/p/BlogSoftware.htm. It isn’t strictly necessary to use “blogging” software to have a blog, because the word “blog” comes from “web log”, which is just a web page that is updated frequently. If you use “blogging” software it will make it easier for people to understand what you’re doing, but if you want to get more creative with the format, you can do that. Update in 2022: These days when using someone else’s software, you have to beware of companies that are trying to enforce social engineering by practicing viewpoint-based discrimination. I recommend you research and choose your blogging platform wisely!
  7. Select an avatar image to identify yourself as you set up your account. There will be other decisions to make as you set up the account, and they will vary depending on the platform; just keep your purpose in mind while doing it and those decisions will be easy.
  8. Now comes the fun part – filling the blog with content! Whether doing personal or business blogging, if I’m stuck for an idea I ask myself, what’s going on right now in my life that might be interesting to someone? A project, an observation, an interesting event? If you have an interesting life, finding time to write will probably be more of a problem than finding things to write about. In any kind of creative work, I find it helpful to keep a notebook or scrapbook at hand to jot down any ideas that I can work on later when I have time. Also if you’re stuck in a situation where you are in a waiting room or a line or something, writing is a great portable activity – write a rough draft and refine it when you get home! With today’s mobile devices, you don’t even have to wait until you get home!

Other tips for getting ideas for content:

  • Do you get emails with interesting topics that might spark some commentary from you? Collect them in a folder in your email software, and when you’re feeling dry, read some and see if you get inspired.
  • Have you read articles online or in publications that are interesting? Clip them or print them out and put them in a folder to look at on days when you want to write but need ideas.
  • Have you written a substantive or interesting email or social media post? Turn that into a blog post! For example, a fellow artist at an outdoor show once asked me for advice for finding shows. I wrote him an email and later used it as a newsletter article because I thought it would be helpful to other people.
  • Reviews are enjoyable to read and a good service to the readers and are always a good fallback if you’re stuck for ideas.
  • If you want to cover a certain topic, you can use the Yahoo News service to have emails sent to you with links to news articles that include keywords of your choosing. Open yourself up to news outlets that cover the topics of interest to you – free community papers, bulletin boards, newsletters, online magazines? A blog is a good place to report timely news since it’s meant to be frequently updated and informal, and posting news is a useful public service too.
  • Is someone you know doing something interesting that fits your theme? Interview them!
  • Consider allowing guest bloggers. Perhaps you have a friend with a blog and you can strike up a deal where you can occasionally write a post for their blog and they write one for you. Be sure to allow including a link back to the guest author’s blog – that will expose both of your blogs to new readers.
  • If you don’t have time for a substantial blog post, don’t feel intimidated – it’s ok to post just a photo, or a couple of lines of commentary, or embed a video you like now and then. Remember it’s informal! It’s more important to post frequently than it is to post long, substantial articles. I personally like to read long, substantial articles, so I would not follow a blog that did not include one from time to time. However I’m probably not typical and many people in your audience would probably rather read something short. I’m always being told to cut down my writings – but I usually refuse if I can get away with it! My reasoning is that people who want to read my blog want to read things written in my “voice”, so I don’t want to mess with that. There are literally millions of other people they can read if they don’t like my style. There is a lot of competition so the way to stand out is to be yourself, in my opinion!