Thursday 25 Apr 2024

This article first appeared in Digital Edge, The Edge Malaysia Weekly on April 12, 2021 - April 18, 2021

Life is full of delicious little ironies that make it worth living. Of course, it helps to have healthy relationships, good personal boundaries and a sense of community, but let’s set those aside for the moment. 

As a journalist living and working in the post-Covid-19 environment, there is an expectation that my colleagues and I are required to sit in on any number of tedious, unremarkable and often mundane online-only press conferences. Thankfully, I never bother to RSVP for these events, and my editors are none the wiser. 

What this means is that the events I do RSVP for are extraordinarily exciting, relevant and very often hit home, as was the case with this latest Kaspersky cybersecurity event I was listening in on. 

The presenter was taking us through one of the most audacious cybercrimes in history, namely, the 2014 Carbanak cybertheft. It would go on to siphon billions out of financial institutions the world over. The gentleman noted how the criminals, using various phishing strategies, gained access to relatively low-level terminals within a particular financial institution.

As soon as they gained access, the criminals were able to install all manner of surreptitious malware that then infected the bank’s broader network. Within a few short years, Carbanak infected institutions in Russia, the US, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Poland, Pakistan, Iceland and, at this point, you get my meaning. Carbanak went viral. 

It must have been 30 seconds after the presenter first brought up the phishing attempts that my own mobile phone went off. Ordinarily, I would have been mortified, because it is terrible form to have one’s device obnoxiously ring and disrupt an otherwise interesting media presentation. 

But, thankfully, I was at home, microphone muted, webcam switched off and at my table in a position that would generously be described as “undignified”. 

In any event, thanks to the systematic deconstruction of basic societal norms brought about by the mass work-from-home movement, I felt completely free to turn away from the event and answer the phone call. This is how it went: 

Me: Good afternoon. Who is …

Recorded voice: Please be informed that you have an ongoing case with the Inland Revenue Board, and that the government will be moving to take action against you very soon. Please press ‘9’ to speak to an IRB agent. 

Me: *Brings up call on speaker, switches on audio recorder, and presses ‘9’*

“IRB agent”: Hello, this is Mohammad Safuan. I am an IRB agent from the IRB. Is there anything I can help you with? 

Me: I don’t know. Is there anything you can help me with? You’re the one who called me. 

“IRB agent”: I see. So can you please tell me why it was that you received a call from us? 

Me: You’re asking me why you called me? 

“IRB agent”: All right, sir, why don’t you give me your IC number so I can verify the details of your case that you have with us? 

Me: But you’re from the IRB, aren’t you? Don’t you already have my details on file? 

“IRB agent”: Yes, but we need to verify your identity and make sure you’re not pretending to be someone else.

I needed a few seconds to compose myself because I let out an audible chuckle. Agent Safuan was not amused. 

“IRB agent”: Sir, I am Agent Safuan and as an officer with the IRB I’m going to …

Me: What’s your email address? 

“IRB agent”: Excuse me? 

Me: Your email address, Agent Safuan. What is it? Because like you, I too need to verify your identity, just to make sure that you are who you say you are. 

“IRB agent”: You don’t have the right to talk to me like tha—

Me: If I’m mistaken, and it turns out that I do have a problem with the IRB, I’ll deal with it. But that’s beside the point. Right now, I’m pretty sure you’re the one with the problem, because you and I both know that you’re in over your head and that you don’t really know what to do at this point. 

“IRB agent”: *Cuts the call* 

It turns out Agent Safuan did know what to do. He did not need the aggravation and, besides, there are plenty of people to scare into giving their details away. 

And, really, this is why phishing is such an insidious form of social engineering. These are regular people, masquerading as government officials, who employ various scare tactics and strategies to induce anxiety, all in the hopes of getting you to give away personal information.

Phishing can be done cheaply and at scale, using very simple telephony software that randomly generates phone numbers to call into. 

Nothing about this technique is particularly groundbreaking, and yet no one — not even banks — is safe from phishing attempts. 

The moment someone has your IC details, you expose a near-limitless number of vulnerabilities that all the “Agent Safuans” of the world can exploit. The solution is quite simple: Never trust figures of authority simply because they are authority figures, and always, always demand information in return. You have a right to know who you’re dealing with, and you absolutely have a right to ask questions. 

As for me, well, I am a taxpaying, law-abiding citizen who dearly hopes he did not just offend one of the most powerful government agencies in the country. 
