Thursday, June 4, 2015

Badgering Us for Badges (and Other Social Engineering Scams)

Social engineering, with respect to the web, is the psychological manipulation of web maintainers (or content owners) to perform certain actions, such as clicking on links in emails and adding those links to websites. I have so many examples, but I'll just provide a couple to start you off:

Subject Line: (empty)


Hi there,

I hope Monday is treating you well? I was just browsing and came across your site. I was wondering if I could offer a couple of suggestions.

As a mother, child safety is very important to me.

Here is a couple of guides I consider to be of great help. Would you consider adding them to your resources page? I think it covers a lot so I’m sure your readers would find them a worth-while read.

1) Random keyword related link
2) Random keyword related link
3) Random keyword related link

And this was the page is was referring to: Completely unrelated webpage (music education resources page) on our website that uses related keywords on education and children and contains lots of resource links.

Either way, I liked your site, keep it up

Kind regards,
A robot scanning our website
This was an actual email I received, however, I removed the names and links to protect the innocent. Note the emotional plea, the poor punctuation and grammar, and the desire for you to provide these links on your webpage, even though your page is considered such a great resource without them.

On this next one, I will reveal the webpage the robot was referring to, so you can understand how smart these robots are:

Subject Line: Astronomy info from retired teacher and students:)


Hi there,

My name's a robot scanning our website and I'm a tutor at the local middle school. The kids that I mentor wanted me to email you and let you know that they think your page, on space is very helpful! We have been learning all about astronomy, since a parent donated an amazing telescope to the school. http://www.tarleton.edu/Costweb/sps

As a thank you they wanted me to reach out to you and give you another great resource they have been using and have found helpful  Random astronomy keyword related link

This group of kids really are wonderful and have come a long way in learning, they were hoping you would add the above link to your page, and because of their hard work, I told them they could have a surprise pizza party this Friday ;)

Let me know if this is something you would be interested in adding to your page!

Thanks,
A robot scanning our website

They received a pizza party just for finding our website and telling us we were missing a webpage! And this tutor, once again, has poor punctuation, poor grammar, and an aching desire to convince me she is a legitimate person. Do I take the bait?

If you look at the Tarleton's Society of Physics Students website they refer to this time, it does look like they hit an appropriate webpage on our website with the resources links about astronomy, though that is only one topic in physics if you look at the entire listing of resources there. Should you add their link to your webpage?

No!

One aspect of Search Engine Optimization that I did not mention in great detail in What is Good for SEO is Good for URL is authority and legitimacy. Search engines rank you based on how relevant you are from other websites. That is to say, if a lot of people link to a particular page, then it must be the authority on that subject.

I mentioned before that we have authority and legitimacy based on our .edu status. In fact, ours is higher than any other domain (e.g., .com, .org, .net).

If we link to someone else, we are saying that the links we place on our website have authority and legitimacy as well. That increases their rank in search results. When it comes to legitimate sites, link exchanges are good for both entities. When they aren't legitimate, we actually lose rank - and they gain.

There lies the need to socially engineer you to believe you should add their link to your webpage.

Social engineers are getting better at their game these days. They can pull a logo off our website and stick it in an email, claiming to be one of us. They can spell their email addresses almost exactly like one of our legitimate ones. They can even build a website to collect information on people and lure us into baiting more people. Take, for example, this more recent attempt to manipulate us:

Subject Line: Spring 2015 Graduate Program We Have Rankings announced!

Website collecting user information to sell to third-parties is pleased to announce its Spring 2015 Graduate Program We Have according to students, enumerating the best graduate programs in the country based solely on ratings and reviews from current or recent graduate students posted on website collecting user information to sell to third-parties.

Program rankings, compiled using data gathered between September 1, 2012 and March 31, 2015, encompass reviews posted by more than 70,000 students participating in over 1,600 graduate programs nationwide.  Ratings are based on a 10 star system (with 1 being the worst and 10 being the best).

For a copy of our Top Rankings Badge & Seal, please click on the link.

For the rankings page, please click Graduate Program We Have Rankings

The Top Graduate Program We Have are listed below:

1 - 7        removed
8             Tarleton State University
8 - 25      removed

METHODOLOGY
Website collecting user information to sell to third-parties reaches current and recent graduate students through scholarship entries as well as social media platforms. 

Website collecting user information to sell to third-parties assigns 15 ranking categories to each graduate program at each graduate school.  Rankings cover a variety of student topics such as academic competitiveness, career support, financial aid and quality of network.

For a given graduate program, rankings are determined by calculating the average score for each program based on the 15 ranking categories.  These scores are then compared across all ranked schools for that program and are translated into a final ranking for that graduate program, i.e., “business and management”.  A given graduate program is not ranked until a minimum threshold of graduate student surveys is completed for that program

Contact information for a robot scanning our website
Again, removing the actual names to protect the innocent, but I did go to their website - not from the email, though! The email contained tracking code that allows the robots scanning our website to recognize they hit a live email address, so they can spam you with more emails or sell your contact information to a third-party vendor who will spam you with more emails. Note the endless cycle that comes from curiosity?

I don't want to sound cynical. There are some legitimate reports out there ranking universities with scientific methods, so I read through the methodology you might have skimmed over. That's right, I didn't even have to ask them for it. After all, a methodology stated up front would provide legitimacy all on its own, right? Yeah, I knew you were shaking your head.

Look carefully at the content of the email: the information is based on student responses. They have convinced over 70,000 individuals to create an account in order to look through the results and vote on their universities. By creating an account, they collect information about these individuals.

Take another look at the numbers they mention, including "70,000 individuals." There are 322 million people in the United States, by 2014 estimate, so what portion of the population has a graduate degree or higher? And they've been running this website for 3 years with only that kind of response?

As I said, I tried not to be cynical. There are crowd-sourced databases from legitimate and authorized firms on the web, so I searched on Google for the website and entered from there. I have to say that the website looks very sophisticated (as many do), so it does become harder to see beyond the flashiness of the design and information plastered everywhere.

I looked specifically for the page listing out our rank within the graduate program they mentioned we were number 8 on. When I finally found it, there was a link to Tarleton State University next to the number 8, so I clicked on our name to see their detailed report on our grades from student voters.

The first thing I saw on our report card were lots and lots of stars covering 60% of the webpage. That is the distraction they hope you will linger on. When I looked up above those stars, I saw just how many students responded to our university's report card: 7.

A big, whopping 7.

And given they are user names and not actual names, I couldn't verify if they had actually attended Tarleton.

Then I went back to the full list, clicked on the number 1 ranking university, and there were 29 respondents.

Oh, but it gets better.

I went back to the full list this next round, and I clicked on the number 2 ranking university. Drum roll, please, for the number of respondents that brought this university to a number 2 national ranking on this particular graduate program: only 1 respondent.

Just 1.

Essentially, if you want a higher ranking, you have to convince your students (or your neighbors, since the voting is anonymous) to create accounts on this particular website (not a unbiased firm randomly surveying the population), pass this unknown company your personal information, and then vote up your university graduate program. May the most popular university program win.

There is no way this was scientifically calculated, measured or weighed to give us the national ranking they claim we have. Link badge denied.

How to Avoid Being Socially Engineered


These are some of the steps you should take to avoid clicking on links in emails or posting those links or link badges onto your wesbite:
  1. Check the email address
    • Legitimate company or firm?
    • Words spelled correctly?
    • Word spelled slightly off or extra punctuation added to what would normally be a legitimate company or firm?
  2. Check spelling, in general
  3. Check grammar and punctuation
  4. Check for an emotional plea
    • Are they trying to convince you to do something in a short time frame or insisting that you respond to an email they've sent you before?
    • Are they using reverse psychology?
    • Are they pleading to your humanity?
  5. Check how they found you and how relevant you are to the link exchange they are requesting
    • Keywords randomly found on your page?
    • Do you have a resource page with your email address on it?
  6. Check the links from a search engine instead of the email
  7. Check their methodology for scientific weights and measurements
    • What is their scope?
    • What are their criteria?
    • Where (sources) do they collect their information?
    • Is their information even accurate?
    • How do they calculate the results?
    • How do they weigh their final results?
If you do find an email that looks like social engineering, go ahead an delete it. If you think it may be legitimate, forward it to us, and we'll investigate it for you. If you have any other questions about social engineering, in general, you can contact Tarleton's Information Security Officer, Marilyn Meador.

-Karole