Does this sound familiar?
“Hi, this is John Smith from [your MLS] help desk. I want to help make sure that your computer is set up so that some changes we’ll be making here don’t cause you a problem in accessing the MLS. First, please confirm your MLS username or public ID.” After being told the public ID, John tells the MLS subscriber their address, phone number, and email address and has them confirm it. Then John says, “Are you near your computer and online? Great! Now, I want you to log into the MLS and change your password – but don’t tell me what it is – for security reasons you should never tell anyone what it is.” Finally, John helps the person download a patch to make sure the new MLS report designer will work when it is upgraded next month.
What just happened? The MLS subscriber just had their computer and all online accounts breached – including MLS, banking, and whatever other accounts they may have accessed from that computer. He or she was a victim of what hackers call “social engineering” or “phishing”: breaching security by manipulating the person instead of the computer.
The hacker’s aim was to build trust, then betray it. First, he went to the MLS web site, where he found the name of a support staff employee. He assumed that name when he called the MLS subscriber, whom we’ll call the “victim.” Using that identity, he appealed to the victim’s fear of MLS service disruption to get the victim to provide information and make changes to his or her computer. The first thing the hacker asked for was the public ID. If all the hacker needed was a username and password to access the MLS, this got him halfway there. If the victim had not told the hacker the public ID, the hacker would simply have said, “That’s okay, I’ve looked up your account by name,” and continued. The hacker had already looked up the victim’s publicly available information on the Internet, so reading it back made it seem as though he were sitting in the MLS office reading from the victim’s file. The hacker then told the victim to change his or her password, but not to tell him the new password for security reasons, seemingly showing care for the victim’s security. Then he had the victim download a file from a web site that took over the victim’s computer, logged everything the victim typed – including any computer and online account logins on that computer – and sent the logs to a computer from which the hacker would later retrieve them for analysis. At each step along the way, the hacker learned more and more sensitive information about the MLS subscriber – maybe even enough to get an actual MLS staff person to change the password for him. Finally, the crowning achievement: getting the victim to install malicious software that betrayed the victim’s own system.
What other information would you provide to someone you believe is a staff person at your MLS or Association: credit card, Social Security, or license numbers? Would you change your password to “test,” just for a moment while they “fixed something in your account”? Would you change a setting or run a command on your computer? Any of these things could cause you a security problem! Remember, sometimes people aren’t who you think they are.
How would you validate that a request is legitimate? Remember, caller ID can easily be faked. An email from the MLS or Association could have been spoofed to seem as though it came from them – just as the MLS system can send an email to the consumer that seems to come from you. Calling the main MLS number or emailing someone else you know in the organization would be reasonable steps. Remember, the hacker may try to make the situation seem urgent enough that you don’t take any steps to verify their identity or “need to know,” but do your best to validate that a request is legitimate when you encounter suspicious behavior.
“Phishing” is a form of social engineering that involves electronic communications – traditionally email, but now social media as well. Messages or posts that tell you that something is urgent and suggest that you click on a link immediately are classic examples of phishing. “People are saying terrible things about you! Check out this link!” “Take a look at this crazy picture I just posted to Facebook!” And, of course, there are posts on Twitter with arresting messages and dangerous links; links are automatically shortened on Twitter, so there is no way of seeing just what you are clicking on. In any of these cases, you could very easily find yourself on a site that installs a virus on your computer, or a web site designed to look like your bank and gather your banking information.
“Spear phishing” is a form of phishing that is much more carefully planned and constructed – more like the example of “John Smith” on the telephone at the beginning of this article. “Spear phishing” uses specific information that the hacker has gathered about you and your organization to create an extremely plausible email that makes you very likely to click on a link or open an attachment without thinking about it. For example, you might receive a message from an industry vendor whose name you know, with a personal message to you and a Word document about a “new product,” asking for your feedback today. The document has malicious software embedded in it which, like “John Smith’s” MLS service patch, will capture your keystrokes and passwords. Spear phishing is difficult to fight, because it sounds so convincing and the tendency is to act without thinking about it.
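The two preceding paragraphs describe links whose visible text hides where they really go: shortened links, lookalike bank sites, and the plausible link in a spear-phishing message. As an added example (not part of the original article, and not code from the author or Clareity), the following Python script applies that advice to an HTML message before anyone clicks. It compares the host a link appears to point at (its visible text) with the host its href actually goes to, and also flags shortened links and links to raw IP addresses. The sample message, the example domains, and the shortener list are constructed for this example.

```python
"""Flag deceptive links in an HTML email body (added example, not the article's code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Example list of URL-shortener hosts; extend it for your own environment.
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl"}


def host_of(text):
    """Return the lowercase host from a URL or a bare domain, or None."""
    text = text.strip()
    if not text:
        return None
    if "://" not in text:          # treat a bare "www.bank.example" as a URL
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def registrable(host):
    """Crude registered-domain approximation: the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:     # inside an <a>...</a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return a list of (href, reason) findings for suspicious anchors, in document order."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue                   # mailto:, tel:, anchors etc. are out of scope here
        target = host_of(href)
        if target is None:
            continue
        # Only treat the visible text as a claimed host if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else None
        if target in SHORTENER_HOSTS:
            findings.append((href, "shortened link hides its destination"))
        elif target.replace(".", "").isdigit():
            findings.append((href, "link points at a raw IP address"))
        elif shown and registrable(shown) != registrable(target):
            findings.append((href, f"text shows {shown} but link goes to {target}"))
    return findings


# Constructed sample message using reserved example domains and a documentation IP range.
SAMPLE_EMAIL = """
<p>Dear subscriber,</p>
<p>Log in now: <a href="http://192.0.2.10/mls/login">MLS login</a></p>
<p>Update billing: <a href="https://secure-update.example.net/x">www.mybank.example</a></p>
<p>Crazy picture: <a href="https://t.co/abc123">https://t.co/abc123</a></p>
<p>Help desk: <a href="https://help.mls.example/contact">help.mls.example</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

The last link in the sample passes because its text and destination agree; the other three are reported. The registered-domain comparison is deliberately rough (it does not know about multi-label public suffixes such as co.uk), so treat a finding as a reason to verify through a known-good channel, as the article advises, rather than as proof by itself.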
Still, when you get an email or a tweet or a phone call, take a second or two to think to yourself, “Do I know this person? Is opening this file or clicking on this link or typing in this command the right thing to do? Is there anything suspicious about what’s being asked of me?” It’s not paranoia; it’s awareness.
Don’t become a victim of “social engineering” or “phishing.” Security awareness can help prevent the theft of your private and sensitive information.
About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.