Mr. Robot is a four-season tech thriller that follows the life of Elliot, a young programmer who works as a computer security engineer by day and as a vigilante hacker by night.
Elliot finds himself at a crossroads when the mysterious leader of a clandestine group of hackers recruits him to destroy the company he is paid to protect.
Last month, we explored an episode about social engineering, where Elliot, the protagonist, uses those same social engineering skills to hack the mobile phone of his boss, Gideon Goddard, founder of Allsafe Cybersecurity, the company where Elliot works.
In today’s article, we focus on a scene about spoofing, which means falsification, in this case of identity, in order to obtain important personal data from the victim.
Action
In the first phase, Elliot meets the victim in the street, walking his dog, and casually asks to use the victim’s mobile phone because his battery is dead and he needs to call his mother.
After a brief hesitation, the victim agrees and the protagonist makes the call, but only to himself, in order to find out the victim’s phone number. In addition, with access to the mobile phone, he manages to see the applications on the phone and find out which banking application the man has installed.
Once home, he finds the victim’s social network and email address and calls him, pretending to be from the bank, to inform him that his account is in danger. To resolve the matter, the victim has to confirm his identity by sharing information such as his dog’s name, favorite team and address.
Although the call appears real, the victim is suspicious and asks for the caller’s name and contact details, but continues to answer the identity confirmation questions.
With this information, Elliot is able to speed up the process of cracking the victim’s social media password.
This fake call from a bank was nothing less than spoofing, the main trick of which is to call from one number while making a different one appear on the recipient’s screen.
Spoofing
The person answering the call is tricked into giving out the identification and security passwords for home banking. By warning of a security danger, the hacker pressures the victim into rushing and handing over the passwords.
This is why you need to be very careful when answering calls from unknown numbers. The only way to prevent this type of scam is not to answer, to hang up and, above all, not to pass on personal information.
In recent years, computer and telecoms scams have been on the rise, particularly using techniques such as ‘Hello Dad, Hello Mum’. According to the PSP’s national directorate, Portugal recorded 6,758 cases of computer fraud in 2019, a figure that rose to 11,241 in 2022 and stood at 10,910 between January and October 2023.
Lessons learnt
To ensure that these numbers continue to fall, here are some tips to help you avoid being the target of these scams:
- Favour MFA so that you have an extra layer of protection in case someone tries to access an application or the email itself.
- Activate the spam filter in your email. With this policy, you’ll prevent many fake emails from reaching your inbox.
- In addition to email, beware of unsolicited text messages. Only click on the links you receive once you’ve checked that they’re not phishing.
- In the case of SMS, don’t provide sensitive information unless you’re sure it’s not phishing.
- Don’t click on links or open attachments from emails with unknown senders.
- If, for some reason, the message could be legitimate, contact the sender by other means to confirm the email’s veracity.
- If you receive a suspicious email or text message asking you to log in to your account, do not click on the link provided. Instead, open a new window or the app on your mobile phone and log in directly to your account.
- Invest in cyber security software. Good software will alert you to possible threats, stop downloads and prevent malware from taking over.
- Choose to hide applications inside folders so that they are not easily visible.
By learning from these examples and implementing robust cybersecurity practices, companies can better protect their information and, likewise, reduce the risk of successful attacks.
Stay safe with ActiveSys.