Remember the old joke about the fellow carrying bags of sand across the US/Mexican border on his bike? The guards couldn’t find any contraband in the sand. He returned week after week, same thing: bags of sand, no contraband. Finally, one of the guards runs into him at a bar and asks what he was smuggling. The answer? Bicycles.
Funny, yes, and for the same reason a good magician is entertaining: misdirection. You’re expecting one thing to happen but in reality something entirely different is happening.
Misdirection has been a tactic in battle for centuries as well. From a simple diversion to sophisticated misinformation campaigns, misdirection is a tried and true approach for fooling, and hence besting, your opponent.
Misdirection plays an important role in computer hacking as well. Sometimes the hackers’ motives are clear, while in other cases hackers are obscuring their motivations or targets. In other situations the bad guys are using misdirection to control the psychology of their marks.
A simple example: ever wonder why the Nigerian pre-pay scam emails that we receive today are so, well, obvious? Even years after the scam first hit our public consciousness, the emails still begin with “dearly beloved in god” or some such, they still expressly come from small, poor African countries, and sometimes they even mention the “small fee” you will need to pay to release the immense funds coming your way. Ever wonder why the scammers haven’t improved their pitch?
The answer: they are trying to reduce false positives. For every million scam emails they send, they may receive hundreds of replies, but most of those are snarky people who want to fool or con the conmen. Only one in a million might be a truly gullible person who will actually send money. The scammers have learned that more obvious emails will reduce the number of responses that won’t lead to money.
Another example: hackers frequently target bank passwords or other information that will enable them to conduct fraudulent transactions. Obviously, if a hacker can steal money from your bank account, then they will take steps to do so. But whenever something about hackers is “obvious,” watch out. What if a hacker had a different target? It could be anything, from secrets for blackmail purposes to compromise of a piece of infrastructure like a power plant. The attack may look like a straightforward attempt to steal money, but that doesn’t mean it actually is.
In the world of cybersecurity, never take anything at face value.