Social Engineering Revisited.
As we head into another decade of social engineering problems, we need to admit that social engineering is not dead; it has evolved into a new kind of challenge. Social engineering is perhaps the most interesting aspect of security and a real challenge to it. The core idea behind it has not changed and will not change; what has changed is the form it takes. We need to be aware, and wary, of the concept even more as we become more connected. That means more challenges to deal with everywhere, from the home to the office to anywhere we are physically present, and to our virtual presence as well.
Social engineering is at the core of many of today's attacks, preying on unsuspecting users. Common tactics include creating a sense of urgency, impersonating trusted brands, exploiting natural curiosity and piggybacking on routine events such as software updates. These simple techniques are used daily and continue to work in email and on social media.
One industry report found that about 55% of social media attacks that impersonated customer-support accounts targeted the customers of financial services companies. Furthermore, 95% of observed web-based attacks featuring 'fake browser', 'plugin update' or similar lures within malvertising campaigns relied on social engineering to trick users into installing malware.
So let us take a trip into the world of social engineering: what it involves and how far it has evolved. Some even call it Social Engineering 2.0. At bottom, though, social engineering still means tricking people into breaching security procedures or giving away information, most often over the telephone or via email, but also through direct observation (known as 'shoulder surfing') and unauthorised physical access.
Social engineering exploits weaknesses in people rather than technology, preying in particular on the human propensity to trust. Often these exploits are used to gather information in support of a more targeted cyber-attack, with the initial forays based on the premise of 'little and often' so as not to cause concern. Employees at all levels, including senior executives, are vulnerable. Nor is it only a workplace cybersecurity issue: it affects your personal security, your family's security, your children and much more.
The human element is becoming increasingly prevalent in cyber and computer network operations—and is also the most unpredictable factor in cybersecurity. More people are connected to and interact with technology, whether they want to or not, and they aren’t necessarily security-aware. This makes their digital world easier to target and access.
At its simplest, social engineering means getting someone to do something you want, or give you information you want, often without the person considering the negative consequences of the action. Since humans interact with computers—and since humans can be manipulated—they are often a company or organization’s weak link. The website social-engineer.org defines “social engineering” as the act of influencing a person to accomplish goals that may not be in the person’s best interest.
Social engineering is often the first step in malicious hacking. It often enables attackers to gain physical access to a target’s devices and networks, and facilitates the gathering and harvesting of credentials (such as username/password combos) for follow-on network-based attacks (such as installing malware on the network or stealing intellectual property).
During major events, spectators are likely to share pictures and video clips with contacts, either directly or via social networking sites. Both are common ways of spreading potentially harmful software, especially as shortened links and QR codes give people no obvious clue where a link will take them. During recent athletics tournaments, for example, spam emails with subjects such as 'are Chinese gymnasts too young?' lured people into opening the messages and downloading hidden malware.
Larger organisations usually have the resources to protect themselves technically, yet they still routinely fall prey to this type of low-tech cyber-attack. Alerting employees to the increased likelihood of such attacks is an important first step. There are also technical controls that can be put in place, such as QR reader apps that show the decoded URL before opening it, to reduce the likelihood of employees visiting sites that present a risk.
Social engineering is nothing new however. It’s a tool of psychological manipulation that’s been used since the dawn of man. Why? To influence people into taking action that might not be in their best interest.
Sometimes it’s fairly harmless, like a child sweet-talking his mom to get extra candy. Many times, however, social engineering is used for nefarious purposes.
There are classic examples of social engineering at play throughout human history. The term 'confidence man' was coined in the 19th century for swindlers who persuaded strangers to trust them with their valuables. Propaganda, psychological manipulation at scale, persuaded droves of people during World War II to go out and buy war bonds. And advertising subtly hints that you are not pretty enough until you buy this product.
Social engineering taps into the human psyche by exploiting powerful emotions such as fear, urgency, curiosity, sympathy, or the strongest feeling of them all: the desire for a free t-shirt.
In fact, psychological cyberattacks are on the rise. "We are seeing an increase of blended attacks that rely on a combination of social engineering and malicious software," says Taggart. A popular example is the technical support scam: a pop-up alert tells the user their machine is infected and that they must download a 'cleanup' application and/or call a number to have a technician help them. The user, fearful of infection, downloads the fake antivirus or calls the technician; either way the supposed remedy delivers malware instead of removing it, or simply scams the victim out of money.
However, in recent years cybercriminals have upped their phishing game with more sophistication. Spear phishing emails are crafted to make targeted victims believe they’re from legitimate sources. The messages might appear to come from banks or businesses and could include full names, usernames, and other personal info. Crooks know that if you get an email that looks like it’s from your medical provider and it’s talking about a surgery you had last year, you will likely believe it.
So how can you fend off these psychological attacks? Here are a few tried and true methods:
- Equip yourself with top-of-the-line cybersecurity programs that include technologies to fight off attacks from multiple angles, including blocking exploits, ransomware, adware, and other forms of malware. These can fight off social engineering attacks from a technical standpoint.
- Limit what can be learned about you by using the privacy features of your browser. It is also a good idea to clear cookies every once in a while.
- Lock down privacy settings on social media accounts. Make sure you’re making information available only to those you wish to have it.
- Use an ad blocker to fend off malvertising and cryptomining attempts via browser.
- Use the right software and hardware systems. If you just use your computer to surf the web, you probably don’t need a powerful processor or the Adobe suite. “Every piece of software you put on your computer has potential vulnerabilities,” says Jérôme Segura, Head of Investigations, Malware Intelligence, at Malwarebytes. “The more you have, the greater your surface of attack is on a particular machine.”
- Finally, and most importantly, use common sense. A healthy dose of skepticism goes a long way. Verify information. Contact the claimed source. “Trust your gut feeling,” says Taggart. “If it feels too good to be true, it probably is. If it feels slightly off, it probably is. Stop and think about what is being asked of you.”
Let us now look at the anatomy of social engineering attacks and at how exploiting human behaviour is such an easy route in. This will take us toward understanding social engineering without needing to dissect it in full.
First and foremost, we need to look at the different forms a social engineering attack takes:
- Email: sender addresses can be spoofed to look as though a message comes from a legitimate source. Be cautious about clicking links in email, even from apparently trusted senders.
- Phone calls: callers can extract information by claiming to be from information security, the help desk, etc. Never give account details, passwords or other sensitive data over the phone to someone you cannot verify.
- Impersonating an individual (tailgating): intruders can follow staff into restricted buildings and areas. Never let someone follow you through a door unless you know them.
- Social networking reconnaissance: anything you publish online is available to attackers. Be careful what you post and what you store in online accounts, and assume that anything you post will never be deleted (even if you delete it).
- Redirection of internet traffic to malicious look-alike sites.
- Malware and untrusted computers: malware can infect any computer and antivirus software is not perfect. Be careful what you download and open from the internet. Avoid using public computers or kiosks to access your email or other accounts; assume they have keystroke loggers installed.
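To make the email item above concrete, here is a small triage script, added for this article rather than taken from it, that scores a raw message on the red flags just listed: header domains that disagree with the visible From address, failed SPF/DKIM/DMARC verdicts recorded by the receiving mail server, links whose host merely contains the sender's domain, and pressure language. The two messages, the domains and the word list are constructed for the example and are not from any real campaign.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name claims the bank's support desk, but
# Reply-To and Return-Path point elsewhere, the receiving MTA's SPF/DKIM/DMARC
# checks failed, and the link host only *contains* the bank's domain.
PHISH_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail header.from=examplebank.com
From: "ExampleBank Customer Support" <support@examplebank.com>
Reply-To: helpdesk@examplebank-secure.net
To: victim@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/plain; charset="utf-8"

Dear customer, verify your account immediately at
http://examplebank.com.verify-login.net/secure
or your access will be suspended.
"""

# Constructed sample of what a legitimate message from the same sender looks like.
CLEAN_RAW = """\
Return-Path: <support@examplebank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: "ExampleBank" <support@examplebank.com>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Your statement for last month is ready at https://online.examplebank.com/statements
"""

# Assumed word list for pressure language; tune it for your own environment.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "24 hours", "verify", "act now")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-case domain part of 'Name <user@dom>' (empty string if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Score a raw RFC 5322 message; returns {'score': int, 'flags': [str]}."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])

    # 1. Reply-To / Return-Path domains that disagree with the visible From:.
    for name in ("Reply-To", "Return-Path"):
        if msg[name] and domain_of(msg[name]) != from_dom:
            flags.append(f"{name} domain {domain_of(msg[name])} differs from From domain {from_dom}")

    # 2. Verdicts the receiving MTA recorded; spoofed mail usually fails SPF/DMARC.
    for mech, verdict in AUTH_RE.findall(str(msg.get("Authentication-Results", ""))):
        if verdict.lower() != "pass":
            flags.append(f"{mech.lower()}={verdict.lower()}")

    # 3. Links whose host is not under the sender's domain.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host == from_dom or host.endswith("." + from_dom):
            continue
        how = "embeds" if from_dom and from_dom in host else "is outside"
        flags.append(f"link host {host} {how} sender domain {from_dom}")

    # 4. Pressure language: two or more urgency cues in subject plus body.
    text = (str(msg["Subject"] or "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        flags.append("urgency language: " + ", ".join(hits))

    return {"score": len(flags), "flags": flags}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("clean", CLEAN_RAW)):
        result = triage(raw)
        print(f"{label}: score {result['score']}")
        for flag in result["flags"]:
            print("  -", flag)
```

The constructed phishing message trips all seven checks and the legitimate one trips none. In a real mail pipeline the Authentication-Results header is only trustworthy when it was added by your own receiving server, so strip any copy that arrives from outside before scoring on it.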
The question built into all of us, then: what makes social engineering so scary?
Social engineering is one of the most overlooked yet most effective ways for a malicious user to extract information or gain access to an organization's internal network. No science or appliance can fully protect against social engineering attacks, which greatly increases the need for strong internal network security controls.
As one of our most powerful motivators, fear is arguably the most commonly manipulated emotion in social engineering campaigns. Whether in the form of a phony email claiming that your online bank account has been compromised and requires a password change, or an urgent bank security notice, these scams present a specific threat to the targeted recipient or group, which pressures them to act quickly to avoid or rectify a dangerous or painful situation.
As an example, cybercriminals recently took advantage of tax season, using information stolen from the IRS to phone and threaten U.S. taxpayers. Once a victim was on the line, the attackers immediately became aggressive, threatening immediate police action unless money was wired to a fake IRS account to settle a supposed tax irregularity.
Notable Social Engineering Attacks
Phishing Against Government Entities
With tax season in full swing in the US and UK, phishing emails targeting taxpayers spiked by 400%. Emails purporting to come from the IRS or HMRC carried attachments that stole credentials, including Social Security numbers and account numbers; another variant lured users into 'paying taxes' through an IRS look-alike site.
Free SSL Certificate Abuse
Attackers take advantage of certificate authorities that issue free, domain-validated SSL/TLS certificates in order to give malicious sites the padlock icon that users read as 'safe'. The certificate only proves that the connection to that domain name is encrypted, not that the domain belongs to who it claims to be, and this has fed numerous banking malware campaigns that harvest private data.
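Since the padlock says nothing about who owns the host, the check that actually matters is on the host name itself. The following script, added here and not part of the original article, classifies a link against a short allow-list of domains the user really uses and catches the three common look-alike tricks: the brand embedded as a subdomain of an attacker-controlled domain (the redirection to look-alike sites listed earlier), homoglyph substitution including Cyrillic letters hidden behind a punycode name, and small typosquats. The allow-list, the sample URLs, the homoglyph table and the two-label shortcut for the registrable domain are all assumptions made for the example.

```python
from urllib.parse import urlparse

# Assumption: the domains this user or organisation actually trusts.
TRUSTED = {"examplebank.com", "paypal.com", "microsoft.com"}

# Look-alike substitutions: Cyrillic letters that render like Latin ones, and
# ASCII digits commonly used in place of letters. Heuristic, not exhaustive.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
})


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Simplification: last two labels. A real tool uses the Public Suffix List
    # so that names like example.co.uk are handled correctly.
    return ".".join(host.split(".")[-2:])


def decode_idn(host):
    """Turn a punycode (xn--) host back into the Unicode the browser displays."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def classify(url):
    """Return (verdict, detail) for the host of a URL."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("invalid", "no host in URL")
    reg = registrable(host)
    if reg in TRUSTED:
        return ("trusted", reg)
    # Brand name used as a subdomain of somebody else's domain.
    for brand in TRUSTED:
        if brand in host:
            return ("brand-as-subdomain", f"{brand} appears inside {host}; registrable domain is {reg}")
    # Same letters to the eye, different code points or digits to the resolver.
    shown = decode_idn(host)
    normalized = registrable(shown.translate(HOMOGLYPHS))
    if normalized in TRUSTED:
        return ("homoglyph", f"{shown} renders like {normalized}")
    # One or two keystrokes away from a trusted name.
    for brand in TRUSTED:
        distance = levenshtein(normalized, brand)
        if 0 < distance <= 2:
            return ("typosquat", f"{reg} is {distance} edit(s) from {brand}")
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample links; xn--pypal-4ve.com is 'paypal' with a Cyrillic 'a'.
    for sample in ("https://online.examplebank.com/login",
                   "http://examplebank.com.verify-login.net/secure",
                   "https://xn--pypal-4ve.com/login",
                   "https://paypa1.com/",
                   "https://micosoft.com/",
                   "https://example.org/"):
        verdict, detail = classify(sample)
        print(f"{verdict:20s} {sample}  ({detail})")
```

Anything other than "trusted" deserves a second look before credentials go in, padlock or not. The allow-list approach is deliberate: a certificate, a logo or a familiar page layout can all be copied, but the exact registrable domain you already use cannot.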
Supervisory Control and Data Acquisition (SCADA) Systems
In Ukraine, 700,000 people lost power after a campaign that began with phishing emails; once inside, the attackers shut down the utility's systems and left them unable to reboot.
Global Financial Institution Hack
After falling victim to cyber theft, a large financial institution sent simulated phishing emails to its employees to test their awareness. 20% of users clicked on the link.
Security Company Breach
What started as a phishing email carrying an attachment that installed a backdoor ultimately led to the compromise of the company's security tokens.
Major Bank Heist
In Belgium, an unknown man walked out of a bank with 120,000 carats of diamonds worth about €21 million (around $28 million in 2007), using only his charm and no technology.
4-1-9 “Nigerian Prince” Scams
Advance Fee Fraud (AFF), aka '419' fraud after the section of the Nigerian criminal code that covers it, promises victims a share of a large sum of money in return for paying the upfront costs of releasing it. These scams cost victims an estimated $12.7 billion worldwide in 2013 alone, and the figure has only grown since.
Hospital Ransomware
A criminal group placed malware on the networks of several Los Angeles hospitals, causing repeated network downtime, and demanded a large sum of money in exchange for restoring control. Incidents of this kind have multiplied since, and with machine learning and AI now in the attackers' toolkit we are only seeing the tip of the iceberg.
Social media and our tendency to overshare, provides a wealth of information about individuals and their contacts completely free of charge.
Publicly visible profiles such as Amazon wish lists, eBay bidding history, Facebook and Instagram are examples of ways attackers can:
- Pick targets by where they work or what groups they are a part of.
- Learn routines, patterns of behavior, interests, contacts, location and their weaknesses.
- Find answers to security questions used to authenticate or reset passwords.
- Formulate precisely targeted attacks.
All of this leads us to an even bigger question: why should we care?
We should, and it is more obvious than ever; a look at the global statistics gives some alarming figures.
- Over 110 trillion emails are sent annually.
- On average, 205 billion emails are sent daily.
- Around 90% of them are spam and marketing.
- 23% of recipients open phishing messages, and 11% click on the attachments.
- In one set of attacks, over 5 million customers were targeted. Of those:
  - 60% clicked a link.
  - 26% called back.
  - 14% replied to texts.
- Medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014; imagine the figure four years on.
- 88% of reported stolen assets were personal data.
Hackers target the weakest link in a security system, most often an organization's employees. As a whole, individuals share too much information on social media, and this becomes a larger issue as the number of social media platforms grows.
The business impact of social engineering attacks hits organizations even harder once you consider the risks involved: financial loss, reputational damage, compliance risk, cyber espionage and loss of intellectual property, and legal repercussions.
Going forward we need to understand the anatomy of a social engineering attack.
The anatomy is basic in concept: the method relies on human vulnerability to defeat security. Attackers trick people into giving up data through various nefarious means, because it is easier to manipulate someone into handing over passwords or sensitive data than to hack that information out of a system. The attacks often come in the form of emails and links to phony (but realistic-looking) websites.
Seen from the end user's side, each attempt runs through the observe-orient-decide-act (OODA) loop:
- Observe: the end user is busy in the organization getting their tasks done. Suddenly they observe something they apparently need to act on, either to prevent a negative consequence or to benefit from an opportunity. (This is the attacker's first attack vector.)
- Orient: human judgement puts this into context with past experience and business understanding, to quickly predict what to do next. ("Hmm, I see phishing red flags here...")
- Decide: using the data and that orientation, choose rational, productive behaviour. ("I'm not clicking that!")
- Act: put the decision in motion. (The user clicks the Phish Alert Button instead.)
WHO’S AT RISK OF SOCIAL ENGINEERING ATTACKS?
The reality is that everyone is a potential target of a social engineering attack. However, some industries are more likely to be attacked: those that deal with sensitive data carry more risk. Legal, government and healthcare organisations, and companies that handle payment card data, are the most at risk because cyber-criminals can use that information for insider trading, forged documents and credit cards, blackmail, corporate espionage, and more.
HOW CAN YOU PROTECT YOUR ORGANIZATION?
The first line of defense is awareness. Your company might have the best technical security controls money can buy; however, one under-informed employee can still unknowingly give hackers unauthorized access. All it takes is one social engineering attack such as a phishing email or cleverly disguised social media advertisement. Training employees to be vigilant and aware is critical to protecting your data. Teach them to identify red flag emails and suspicious phone calls. Educating staff members about trustworthy—and untrustworthy—sources is a crucial investment.
THE BEST COUNTERMEASURE
With social engineering attacks becoming increasingly sophisticated, the best countermeasure is training and education of your staff. However, proper training requires time, resources, and the right expertise. Engaging an experienced and knowledgeable security training provider, such as Security Pursuit, will ensure your employees know how to stay diligent and alert to potential attacks. We offer onsite and online training so that every employee has access to the knowledge they need to protect your organization.
How can hackers leverage open-source information to help them gain access to target networks?
A social engineering attack persuades the target to click on a link, open an attachment, install a program, or download a file. The link may redirect the target to a website that solicits personal information (that is then collected by the attacker) or has malware on it that then infects the target’s computer. That malware might install a keylogger (a malicious program that records any keystroke, often to pilfer passwords), or some other program or code that enables the attacker to move from the target’s computer to the target’s network and others in the organization.
Attackers employ many tricks to try to get a human target to provide them with information or access. They appeal to ego (“Promotion details are in the attached”), financial need (“You’ve just won the jackpot, click here!”), curiosity (“How to lose 10 lbs. in 10 min!”), humanity (“Click this link to donate to victims of Hurricane Joaquin”), or job duties (“Please review my attached resume”) — all with the goal of getting the target to either click on a link that redirects the target to a malicious website or open an attachment that contains malware.
Phone elicitation and phishing are two of the biggest social engineering techniques that attackers use to infiltrate companies.
Phone calls, often called "vishing" (for "voice phishing"), sometimes require the malicious actor to adopt a persona to persuade the target to give up critical information. For example, a social engineer might pose as someone from the IT help desk who claims that the target's password needs to be reset.
Through phishing, a potential hacker tries to acquire such information as usernames, passwords, and financial or other sensitive information. Its name, of course, is a derivative of fishing, where some sort of bait is used to catch fish. In phishing, the bait is a persuasive email with a malicious attachment or link, and the fish (or phish) is the target. (Curious about the “ph” in “phishing”? It’s a nod to the earliest hackers, who were known as “phreakers” for their exploration and hacking of phone systems).
Targeted phishing is known as spear phishing, where the “bait” is directed at a specific individual or company. Customizing the attack increases the probability that the victim will fall for the spear-phishing campaign.
In-person interactions are perhaps the most challenging to pull off, because they happen in real time, and the malicious actor needs to actually try to act out a scenario. The social engineer needs to dress the part (candidate running late for an interview, FedEx delivery man, cafeteria worker, fellow employee) and may require a badge to make it past building security.
To conduct a convincing social engineering campaign, significant homework must be done on the target. This often takes the form of gathering open-source information about the target in order to craft a legitimate-looking spear-phishing email, or a credible vishing call. The information-hunting can include scouring the Internet, for instance, or physically dumpster-diving for clues in the trash at the target’s residence or company.
Social engineering via email or text (as opposed to voice or in-person) has a big built-in benefit: it is scalable. With the push of a button, a social engineer can attempt to attack many targets. Also, because the social engineer is not communicating with the target in real time, there is time to change tactics or craft a new story if there is any pushback or suspicion from the target.
How can organizations better protect themselves against social engineering attacks?
Attackers and defenders are constantly playing cat and mouse. Defenders try to stay ahead of attackers’ methods, and attackers are always coming up with new ways to strike. This back and forth will only continue.
Humans will also continue to be the weak link. No matter how secure a network, device, system, or organization is from a technical point of view, humans can often be exploited, manipulated, and taken advantage of. However, people and businesses can take steps to better protect themselves against social engineering attacks.
Individuals should be vigilant regarding emails, unsolicited phone calls, or in-person interactions that attempt to get people to reveal personal or sensitive information, or require going to an unfamiliar website or installing an unfamiliar program. Companies should regularly provide security-awareness training to employees. The training may include everything from yearly static PowerPoint presentations to regular interactive in-house phishing attempts.
To see where they are vulnerable and where to focus security efforts, organizations should undergo a penetration test (or “pen test”) of their networks and systems. The companies that conduct pen testing often also provide physical assessments to determine where the weak spots are in terms of building security so that social engineers don’t physically make it through the door.
Organizations should be ready to respond to a cyberattack, with a remediation and resilience plan in place. No one should be blindsided: the accepted wisdom is that it is a matter of when, not if, an attack will occur. We also need to understand that a trained employee is much harder to fool, and far less gullible when confronted with attack vectors designed to social engineer them, so put your users through up-to-date security awareness training.
Finally, the continuing rise in social engineering attacks, including phishing, ransomware and business email compromise (aka CEO fraud), is why the social engineering problem can be managed but never solved. It also means there is a growing need to build "human firewalls".
N.B: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official position of the African Academic Network on Internet Policy.