
Explained: Cyber threats

Written by Matthew Baird, Calpe Cloud

Consider your current technology & systems – how, what and why you use them: convenience, necessity, compliance or compromise. We all have something others want: money, resources, connections, influence. What if the technology & boutique IT services you so depend on can actively work against your interests & be your greatest security weakness?

Not because of how it’s configured or who it’s made by, but because you use every common application and give it access to everything to do anything, when only a small % of that access is necessary for the trivial function you need, and the application is often reporting to, or completely dependent on, a remote service to provide it.

Now, considering this idea, pair it with ‘What if I’m hacked?’ Systems access has great value beyond stealing data files, intellectual property, pictures and passwords. The real value for a big score is found in contact lists, subscription accounts, activity history & logs, plus the compromised machine’s resources (CPU/GPU/HDD). Systems + accounts (+ your credit card attached) are valuable for crypto mining, spam relaying and scaling a small hack to an incredible reach via your contacts and customers.

I’m not going to discuss the tired and boring ‘you should be doing X/Y/Z cyber security & IT bla bla, scary scary, buy a thing, do or don’t do a thing’. Technology is a trivial tool – the real threats are the techniques and methods that enable the use of these tools. I’ve been granted the opportunity to share and educate. I’m Matthew Baird – Cyber Security Engineer, Technical Security Consultant and a laundry list of other titled roles. My business, calpe.cloud, is an IT services & technical security business operating in Gib & beyond.

In recent years, Gib has seen a substantial increase in phishing emails, calls and, on occasion, physical reconnaissance by malicious actors, directly targeting companies by methods of social engineering & low-tech means (often presenting as a senior manager, key client or someone with stake and authority, and often in an urgent manner).

Companies:
Companies, July 17, 2024 – 18 suspected fraud cases in 1 week. Contact was made via phone, impersonating NatWest & G.I.B; £1.7 million was willingly given by one victim, £470k by another, plus other amounts undisclosed.

Friend example:
A friend (aka Steve) had a close shave recently. A former employee & younger friend (aka Sarah) messaged him via a popular messaging service, asking to borrow money, seemingly in a panic: having earned less this month, with extra bills to pay, she needs it quickly, and here’s the bank account info, all after a few messages exchanged.

Fortunately we were meeting after an event and he asked for a second opinion. I looked at some of the exchanges and asked: had she called you? She had not. Have you seen her today? He had not. Have you called her? He did, but no answer and nothing since. Any contact by other means? No other methods.

Let’s consider the scenario logically:

  1. A request for money was made – not a common occurrence.
  2. Time pressure (bills due now) and sympathy applied (she worked 2 part-time jobs).
  3. Text only communication method.
  4. No voice communication or other verification has been made.
  5. Attempts to call and confirm failed.

First thought – 0 battery on her phone; plausible it could be a real request, she’s an honest girl.
Second thought – No communications outside this chat app. Why not?
Response:

Check timestamps, last messages exchanged, when call attempts were made, when last message was seen (if indicator enabled).
Less income this month, extra bills to pay & needs it quickly – the attacker preying on overall circumstances & stretched time.
Messages had been seen before and after call attempt was made, sender has seen the messages and ignored the voice call, no contact on any other chat apps or by normal call.
Suspicion arises; I suggest he find another method to contact her, not on that platform. If it’s so urgent, she should be in contact or see him physically very soon.
Conclusion: try calling her by regular call instead and wait for her to contact you directly (phone). Our evening continues and he keeps the lines open.
After all – her account had been compromised on only one chat platform, they had no voice samples (to clone a voice), only chat history (to select targets) and had only basic social media information from the account and profile pictures.

Investigating cases in Gibraltar shows the common tactics; time pressure, urgency, utilising a new banking service or ‘new’ recipient account information, enabled by interpersonal/interbusiness connection without confirmation & in other examples – installing new software, all guided by someone else on a phone, chat app or other.

Although these methods of approach may seem cold, they are fairly warm in the sense that a picture has already been painted: all the information people & companies post freely online is akin to an intelligence dossier in the wrong hands, a useful map of relationships, buzzwords and activities to be exploited for credibility building.

Actionable practices:

Be paranoid – don’t take any blind communications at face value; humans are the weakest link in all security.

Communication from unknown numbers, emails, video calls or other sources:

  1. Question – ask direct questions to identify who, why & what the contact is about. Be aware that time pressures, social inconvenience and threats from ‘authority’ are common tactics. Don’t give away any new or usable information they may not be aware of (colleague names, locations, times of previous business). Could this be an AI voice or video overlay? Think of the context.
  2. Verify – confirm by other means (i.e. send me an email from your work email; what was your last interaction with them?). If on a video call, ask them to place a hand in front of their face and look for a blur or break in the face shape/colour/features.
  3. Refute – if verification can’t be made, terminate communication.

It’s better to check and cause minor insult than to put it at risk and lose everything. Security has a place in daily business, on and offline.

+350 540 99287
matthew@calpe.cloud
Cyber Security & Technical Expert
