For the last year and a half, I have been involved in an organization known as HackFormers. HackFormers was founded by several Austinites who shared two passions: a passion for hacking (in the sense of finding, fixing, and defending against security flaws), and a passion for Jesus Christ. Its vision is to teach security principles, and then to show faith principles that go hand-in-hand with security. I gave a presentation at the August chapter meeting. It is in that context that I write today.
So too is it with our spiritual walk. There are times when it takes a literal act of God to get our attention, but more often than not He speaks in a quiet voice. In 1 Kings 19, Elijah watched powerful forces of nature - a windstorm, an earthquake, a fire - but discovered God was not speaking to him through those impressive displays. Instead, the Lord spoke through a gentle breeze - in a voice that Elijah only heard because he was intently listening for it.
Several weeks ago as I was driving through Austin I thought I saw a friend on the other side of the median, at the scene of a minor traffic accident. There are a hundred excuses I could think of for not stopping. It was on the other side of a divided highway; I had just begun a 5-hour drive to East Texas with my kids and had dinner plans with my grandmother; the van was full so we could not have aided in any useful way; it looked like a minor accident and a police officer was already on the scene helping out; and for that matter I was not certain it was my friend in the first place (I got only a brief glance at the scene). The farther I drove down the highway, the easier it was to justify not stopping.
As it turned out though, it was the person I thought it was. The accident was minor and no one was injured, but her vehicle was out of commission for a couple of weeks. In truth there really wasn't anything I could have done in a practical sense, but I could have been a friend during a stressful event, if only I had listened to the voice that said "wait."
The musical band Casting Crowns recorded a song a few years ago called "Slow Fade" that seems to fit:
It's a slow fade when you give yourself away
It's a slow fade when black and white have turned to gray
Thoughts invade, choices are made, a price will be paid
When you give yourself away
People never crumble in a day
Daddies never crumble in a day
Families never crumble in a day
I doubt anyone woke up this morning and decided "I want to put myself into financial ruin today." Maybe it starts with Thursday night poker with the guys, or extending credit a little further than planned, or maybe a weekend in Vegas where things get out of hand. Maybe a dearth of business leads to missed mortgage payments; too ashamed to ask for help, you start looking for less legitimate ways to make a few bucks. A year later, you are facing 15 years for bank robbery. But it doesn't happen overnight.
I doubt anyone woke up this morning and decided "I want to wreck my family today." Maybe it starts with seemingly harmless flirting in the office, or adjusting a bike route to correspond with the jogging route of an attractive neighbor. Perhaps (an insidious risk in our line of work) it starts with stumbling into porn sites while digging around the rotten underbelly of the Internet. Three years later, your children wonder why daddy (or mommy) has a new address. But it didn’t happen overnight.
At the risk of offending some, I’ll offer another point. No one ever woke up one morning and decided “I am going to throw my life away today and leave my loved ones to pick up the pieces.” It might start with a small voice saying your life has no worth, a period of sadness that seems to not have an end, or an illness that won’t let up. Depression sinks its cruel claws in and gradually blinds you to reasons to live. Ten years later we watch in shock as a beloved comedian and actor is buried. But it didn’t happen overnight.
And that’s the point: it didn’t happen overnight, and it (usually) didn’t happen due to a blatantly obvious invitation to do something irreversible. Opportunities to compromise our character, as well as opportunities to be the hands and feet of Christ, are often subtle. We must be alert to recognize them.
Traditional viruses, worms and trojans sought to compromise the computer. Around a decade ago though a new trend emerged, known as phishing, which seeks to compromise the human. Phishing is an attempt to get a victim to reveal sensitive information that the attacker can use for profit: usernames and passwords, credit card numbers, bank account numbers, social security numbers – anything that can be used to either impersonate or defraud the victim.
Casting the Bait
The first step in a phishing campaign is to cast some bait. Sometimes that bait may be targeted at an individual, but more often than not it is cast far and wide with the goal of catching anyone that happens to take the bait.
Importantly, phishing generally tries to abuse your trust in something legitimately trustworthy (or at least something that you would be wise to pay attention to). The phisher might mimic your bank, or your grandmother, or the IRS or FBI. Whatever the cover, the phisher imitates something you would be expected to trust - and then abuses that trust for illicit gain.
The phish message clearly looks nothing like current legitimate messages – but it’s similar if not identical to the format USAA used a few years ago. A member not paying attention might accept it as real. Outdated formatting aside, there are a few clues that this is not legitimate.
The email address – in this case the fraudulent domain was obvious, but other clients may not display the full address by default, and it is quite easy to spoof an address. It is in essence a postal envelope, with no guarantee that the sender wrote their actual address in the return field.
The URL – the links go to www3usaa instead of www.usaa; this one was relatively easy to detect, but the phisher could have chosen a character that more closely resembled a "dot." In fact, with multilingual domain name support beginning about 10 years ago, an attack known as an "IDN Homograph Attack" using visually identical characters from another character set, you could not tell by looking that it was a fraudulent link. Or the attacker could have used Javascript to change the displayed text of the link. I've demonstrated disguised links on my blog - it's easy to make a link look like something other than what it is.
Setting the hook
Now it gets harder to tell that this is fraudulent. The premise was that USAA had sent an email to me via the secure message center on their web site. Had that been the case, I would have had to log in first before seeing the message. But aside from that, the approach is very believable.
The login screen is disturbingly convincing because it is an exact replica (or was as of the time that I received the email), even loading images and formatting scripts from the genuine site. Only the submit handler is changed. There is no visual clue that this is a phish.
Ah, another clue: I have two-factor authentication enabled. I should have been sent a code to my phone, instead of entering an unchanging PIN. But most members probably do not – and this is precisely what they would see. And surprise, I can get here without entering my real password or account.
Upon "logging in" I am asked to provide a few "security questions, " and to provide my email address and email password for good measure. I am finally deposited onto the logout page at the authentic USAA web site. If I did not know better, I might assume I had successfully added a layer of security to my bank account and then logged out, when in fact I have just given an attacker everything they need to defraud me.
The moral? Scammers are very good at mimicking the genuine article. If you don't pay attention to red flags at the beginning, there may be no more warnings that you are falling into a trap.
