Security teams across the globe are grappling with a seemingly insurmountable problem: people make mistakes. We all have moments of weakness, and we can all be manipulated by malicious actors.
And yes, even those who are responsible for maintaining the security of our critical systems will sometimes fall victim to a social engineering scam.
With this in mind, it's hardly surprising that cyber-criminals seek to exploit our naivety in order to trick us into handing over money, or sensitive information that they can use to further their agenda.
While it is true that we all make mistakes, we also wise up to the various tricks and scams that come our way.
In response, social engineering attack vectors are becoming more sophisticated, and more dangerous.
It's a game of cat and mouse, and we must always endeavor to stay ahead of the curve so that we can quickly identify social engineering attempts as and when they arise.
What is Social Engineering?
Social engineering is the use of deception to trick victims into handing over sensitive data, or into violating security policy (for example, by sharing a password, approving a payment or letting a stranger through a door) so that the attacker can reach that data by other means.
Our employees are our first line of defense, yet they also tend to be the weakest link. All it takes is one moment of weakness, such as downloading an email attachment or clicking on a link to an unknown website, to wreak havoc on our systems and data.
Earlier social engineering attempts were fairly primitive and typically involved sending the same email to many recipients. These days they are increasingly targeted, and attackers are willing to invest a lot of time and effort in gaining the trust of their victims.
For example, they might add the victim on Facebook, like and comment on their posts, send the occasional message, and then, after some time, convince them to hand over sensitive data, sometimes even their bank details.
Common Social Engineering Attack Techniques
There are a variety of different techniques that attackers will use to trick employees and individuals into handing over valuable information, although the differences between them can be subtle. Below are the most commonly used terms to describe these different methods.
Phishing
Phishing is the most common type of social engineering attack and is usually delivered in the form of an email, although attackers also use social media, SMS, or other channels. The attacker impersonates a trusted entity, such as a work colleague, a bank, or a reputable organization, in an attempt to trick the victim into clicking on a malicious link, entering credentials on a fake login page, or opening an attachment containing malware.
Spear-phishing & pretexting
Traditionally, attackers would compile a large list of potential targets and send each one the same "copy and paste" email, in the hope that one would bite. As users became savvier and spam filters more sophisticated, the attacks had to evolve and become more targeted. Such attacks are commonly referred to as "spear-phishing".
The attacker may target a specific employee within an organization, especially a new employee who does not yet know colleagues and procedures well, or may cast a wider net and target all employees within that organization.
Given that the primary motive is likely to be financial gain, attackers often target finance departments. Spear-phishing requires much more time and effort than traditional phishing, because the attacker needs to find out as much as possible about the target and then customize the emails so that they look legitimate.
Another term you might come across is "pretexting". Pretexting is the fabricated story, or pretext, that gives the request a plausible reason: the attacker poses as IT support, an auditor, a supplier or a senior colleague, and the story makes the victim feel justified in handing over privileged data or doing something they normally would not.
Whaling
Whaling, as you might be able to guess, is where the attacker targets high-ranking employees within an organization, such as CEOs, CFOs or other senior executives, with the goal of gaining access to high-value data. Attackers also target government agencies in an attempt to obtain classified information.
Baiting and quid pro quo
Baiting, as the name suggests, is where the attacker sets a trap to entice victims into handing over credentials or installing a malicious program. The "bait" can be a physical object, such as a USB drive left where an employee will find it, or a digital one, such as a link to a malicious website or application offering free movie downloads or some other service that users might be interested in.
Another term that is often used is "quid pro quo", a Latin phrase meaning "something for something". It is very similar to baiting, in that the attacker offers the victim something in exchange for their data.
Of course, the victim is unaware that the attacker is trying to cheat them out of their data. An example of a “quid pro quo” attack is where an attacker poses as a legitimate technical support engineer, who offers to help the victim with a real problem.
The attacker will ask the user for their login credentials, or other valuable data. Alternatively, they may provide the user with a “free” security update, which they claim will solve their problem. Instead, the program will infect their computer with malware.
Vishing
Vishing (voice phishing) is where the attacker uses phone calls to trick the victim into handing over valuable data. The attacker typically spoofs the caller ID so that the call appears to come from the victim's bank, or some other trusted entity, and then asks the victim to "confirm" account details, one-time codes or passwords.
Scareware
Scareware, as you might expect, is designed to scare victims into handing over sensitive information or installing software. It often presents itself as a pop-up informing the victim that their computer is infected with a virus and that they need to install the advertised software to fix the problem. Of course, the software they install is the malware.
Tailgating
Tailgating, also referred to as "piggybacking", is a technique for gaining physical access to premises, and from there to an employee's device or the server room. The attacker follows an authorized person through a secured door, or persuades them to hold it open, often by pretending to be an employee who has forgotten or lost their ID card. Naturally, tailgating is more effective in organizations with a large number of employees, where an unfamiliar face does not stand out.
AI and social engineering
AI and social engineering are not an obvious combination. However, attackers are starting to use AI to evade anti-malware detection and to clone the voices of senior executives for vishing calls.
Malware that hijacks existing email threads can use machine learning to mimic both the tone and topic of the conversation, so that its reply looks like a natural continuation. AI can also be used to identify users who are more susceptible to phishing, and a whole lot more.
It is likely that "smart phishing", as it is becoming known, will be a major headache for IT teams and anti-malware vendors in the years to come.
Examples of Social Engineering Attacks
Below are some of the most notorious social engineering attacks of the last decade, in chronological order.
South Carolina Department of Revenue, 2012
In 2012, millions of Social Security numbers and thousands of credit and debit card records were stolen from the South Carolina Department of Revenue. The breach began with a phishing email sent to employees; at least one of them handed over their username and password to the attackers, giving them a foothold from which they reached the department's data.
Target, 2013
In 2013, the payment card details of around 40 million customers were stolen from Target, the US department store chain. The attack began with a phishing email to a third-party vendor: the attackers installed malware on the vendor's network, used the vendor's access to reach Target's network, and from there deployed malware on point-of-sale systems that harvested credit and debit card data.
Sony Pictures, 2014
In 2014, following an investigation, the FBI found evidence of a spear phishing attack on Sony Pictures. The attack was allegedly carried out by the North Korean government. The attackers stole a wide range of documents, including business agreements, and financial and employment information.
Ubiquiti Networks, 2015
In 2015, Ubiquiti Networks, an American technology company, lost approximately USD 47 million (of which about USD 8 million was later recovered) to a BEC scam. Attackers impersonating company employees sent fraudulent payment requests to the finance department of the company's Hong Kong subsidiary, which wired the funds to accounts the attackers controlled.
Ethereum Classic Website, 2017
In 2017, a fraudster convinced the domain registrar for the Ethereum Classic website that he was the owner and was granted control of the account. He redirected the Ethereum Classic domain to his own server and inserted code into the site that copied the private keys users typed in, allowing him to drain the victims' wallets. The exact amount stolen is unknown, although several people reportedly lost thousands of dollars' worth of cryptocurrency.
Cabarrus County, 2018
In 2018, Cabarrus County, in the U.S. state of North Carolina, fell victim to a social engineering / BEC (Business Email Compromise) scam, costing it roughly USD 1.7 million. The attackers did not compromise the county's systems; instead they impersonated one of the county's contractors and asked county staff to update the contractor's bank account details, presenting documentation that appeared legitimate. After the next payment was transferred to the new account, the attackers channeled the money through several other accounts to cover their tracks.
Toyota Boshoku, 2019
In 2019, Toyota Boshoku, a car parts supplier in the Toyota Group, fell victim to a social engineering / BEC attack at its European subsidiary, costing approximately USD 37 million (about 4 billion yen). The fraudster persuaded a finance executive to change the recipient's bank account details before a wire transfer was initiated.
Shark Tank, 2020
In 2020, American businesswoman Barbara Corcoran, a judge on the TV show Shark Tank, was tricked out of almost USD 400,000 by a social engineering scam. The fraudster sent her bookkeeper an email pretending to be her assistant, from an address that differed from the assistant's real address by a single letter. The email requested payment of an invoice relating to a real estate investment, exactly the kind of request the bookkeeper would expect. After the payment was approved, the fraud came to light only when the bookkeeper emailed the assistant's real address and learned that she knew nothing about the transaction.
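The Shark Tank case, and the impersonation described under phishing above, both hinge on a sender address that looks right at a glance. The check below is an added example (not code from the original article, and not any product's logic) of how a mail gateway or a finance team's inbox rule could triage the From header of a payment request before anyone acts on it. The trusted contacts, domains and sample headers are constructed for illustration; the two signals it looks for are a domain within one edit or one homoglyph swap of a trusted domain, and a trusted display name paired with an untrusted address.

```python
"""Lookalike-sender triage for inbound payment requests (added example).

Flags a From header that impersonates a trusted correspondent in one of two ways:
  * the domain is a near-copy of a trusted domain (one edit away, or a homoglyph
    swap such as 0 for o, 1 for l, or rn for m);
  * the display name matches a trusted contact but the address does not.
All contacts, domains and headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: the correspondents a bookkeeper expects payment requests from.
TRUSTED_CONTACTS = {
    "emma.assistant@corcoran-example.com": "Emma Assistant",
}
TRUSTED_DOMAINS = {addr.split("@", 1)[1] for addr in TRUSTED_CONTACTS}

# Single-character swaps that read the same at a glance.
HOMOGLYPHS = str.maketrans("0135", "oles")


def normalize(domain: str) -> str:
    """Fold homoglyphs so c0rcoran-exarnple.com compares equal to the real domain."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return one of: trusted, trusted-domain, lookalike-domain, display-name-spoof, unknown, malformed."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "malformed"
    domain = addr.split("@", 1)[1]
    if addr in TRUSTED_CONTACTS:
        return "trusted"
    if domain in TRUSTED_DOMAINS:
        return "trusted-domain"        # known organization, unfamiliar mailbox
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, normalize(trusted)) <= 1:
            return "lookalike-domain"
    if name.strip().lower() in {n.lower() for n in TRUSTED_CONTACTS.values()}:
        return "display-name-spoof"   # right name, wrong address (free-mail abuse)
    return "unknown"


# Constructed sample headers: one legitimate, three impersonations, one stranger.
SAMPLE_FROM_HEADERS = [
    "Emma Assistant <emma.assistant@corcoran-example.com>",
    "Emma Assistant <emma.assistant@corcoran-exarnple.com>",   # rn in place of m
    "Emma Assistant <emma.assistant@c0rcoran-example.com>",    # zero in place of o
    "Emma Assistant <emma.assistant@freemail.example>",        # name reuse only
    "Accounts Payable <billing@unrelated.example>",
]


def triage(headers: list[str]) -> dict[str, str]:
    """Classify each header; anything other than 'trusted' should hold the payment for a call-back."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:20s} {header}")
```

The verdict is a trigger for a human step, not a block: any payment request that is not from an exact known sender should be confirmed by a phone call to a number already on file, never to one supplied in the email. The one-edit threshold is deliberately loose; on very short domains it will produce false positives, which is acceptable for a control that only adds a call-back.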
How to Prevent Social Engineering Attacks
Social engineering attacks are hard to prevent because they target people rather than systems. The most effective protection is therefore to ensure that all employees are trained to recognize suspicious emails, calls and requests, and are frequently reminded to stay vigilant. In addition to security awareness training, below are some of the most notable ways an organization can protect itself against social engineering attacks, and limit the damage when one succeeds.
Use multi-factor authentication
Passwords alone are not a secure enough method of authentication, as they are too easy for an attacker to obtain, whether via social engineering, brute-force guessing, or some other means. Multi-factor authentication (MFA) adds at least one factor from a different category: something you have, such as a hardware token or an authenticator app on your phone, or something you are, such as a fingerprint. Bear in mind that one-time codes sent by SMS or read from an app can themselves be phished or talked out of a user in real time, so for accounts that can move money or change payment details prefer phishing-resistant methods such as FIDO2 security keys, which are bound to the legitimate site and cannot be relayed through an attacker's lookalike page.
Restrict access to critical systems
In the event that an attacker successfully obtains a set of credentials and gains access to a user account, the account should have only the least privileges necessary for its role, which limits the damage the attacker can do with that access. Before implementing access controls it is generally a good idea to discover and classify your critical data, as this makes it easier to know which data you need to protect, and where it is located.
Carry out penetration testing
An effective way to test for weaknesses, and to ensure that employees remain vigilant in identifying phishing attempts, is to carry out regular penetration tests that include a social engineering component. The tester should try as many techniques as possible to either obtain credentials from employees or trick them into running a harmless test payload that stands in for malware, and the results should feed back into the awareness training.
Monitor privileged accounts
In order to know whether an attacker has gained access to your network, you need to be able to quickly identify suspicious user activity. Sophisticated real-time auditing solutions, such as Lepide Auditor, use machine learning techniques to identify anomalous user behavior. For example, if an employee accesses sensitive data in a way that is not normal for that user (at an unusual hour, from an unfamiliar device, or in unusual volume), an alert is sent to the relevant personnel, who can investigate the incident. It is also possible to monitor company email accounts; however, you should obtain consent from your employees first, or at least provide them with a notification that is clear and conspicuous. Some auditing solutions can also detect and respond to events that match a pre-defined threshold condition, such as a large number of file modifications in a short period, which helps to identify ransomware in progress.
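To make the two detection ideas in this section concrete, here is an added example (written for this page; it is not the logic of Lepide Auditor or any other product) that runs them over a handful of constructed file-audit lines. The first rule learns, per user, which hours of the day and which hosts appear in a training period, and alerts when sensitive data is touched outside that baseline. The second is a threshold rule: a burst of file modifications by one user within a short window, the pattern ransomware produces while encrypting a share. The log format, share names, users and events are all constructed for illustration.

```python
"""Baseline and threshold detection over file-audit events (added example).

Two rules from the text, in minimal form:
  * baseline: alert when a user touches the sensitive share at an hour, or from a
    host, not seen for that user in the training period;
  * threshold: alert when one user performs burst_limit modifying actions within
    window_s seconds (typical of ransomware encrypting files).
Log format and all events are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)
SENSITIVE_PREFIX = r"\\fs01\finance"          # constructed: the share holding sensitive data
MODIFYING_ACTIONS = {"write", "rename", "delete"}


def parse_log(text: str) -> list[dict]:
    """Parse audit lines into event dicts with UTC timestamps; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def build_baseline(events: list[dict]) -> dict:
    """Per-user set of hours-of-day and hosts observed during the training period."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        base[e["user"]]["hours"].add(e["ts"].hour)
        base[e["user"]]["hosts"].add(e["host"])
    return base


def detect(events: list[dict], baseline: dict, burst_limit: int = 5, window_s: int = 60) -> list[tuple[str, str]]:
    """Return (user, reason) alerts. The burst rule fires once, when the count first reaches burst_limit."""
    alerts = []
    recent = defaultdict(deque)               # per-user timestamps of modifying actions in the window
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["path"].startswith(SENSITIVE_PREFIX):
            b = baseline.get(user)
            if b is None:
                alerts.append((user, "no baseline for user; sensitive data accessed"))
            elif ts.hour not in b["hours"] or e["host"] not in b["hosts"]:
                alerts.append((user, f"sensitive access outside baseline (hour={ts.hour:02d}, host={e['host']})"))
        if e["action"] in MODIFYING_ACTIONS:
            q = recent[user]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()                   # slide the window forward
            if len(q) == burst_limit:
                alerts.append((user, f"{burst_limit} modifications within {window_s}s: possible ransomware"))
    return alerts


# Constructed training period: alice works 09:00-10:59 from WS-ALICE, bob at 09:00 from WS-BOB.
TRAINING_LOG = r"""
2024-03-01T09:02:11Z user=alice host=WS-ALICE action=read path=\\fs01\finance\budget.xlsx
2024-03-01T10:44:51Z user=alice host=WS-ALICE action=write path=\\fs01\finance\budget.xlsx
2024-03-01T09:15:00Z user=bob host=WS-BOB action=read path=\\fs01\shared\notes.txt
2024-03-02T09:30:00Z user=bob host=WS-BOB action=read path=\\fs01\shared\notes.txt
"""

# Constructed live events: a 02:10 read, a normal read, a read from an unknown host,
# then six encrypt-and-rename style writes in 25 seconds.
LIVE_LOG = r"""
2024-03-04T02:10:40Z user=alice host=WS-ALICE action=read path=\\fs01\finance\payroll.xlsx
2024-03-04T09:12:03Z user=alice host=WS-ALICE action=read path=\\fs01\finance\Q1.xlsx
2024-03-04T09:20:00Z user=bob host=WS-UNKNOWN action=read path=\\fs01\finance\payroll.xlsx
2024-03-04T09:21:00Z user=bob host=WS-BOB action=write path=\\fs01\shared\a.docx.locked
2024-03-04T09:21:05Z user=bob host=WS-BOB action=write path=\\fs01\shared\b.docx.locked
2024-03-04T09:21:10Z user=bob host=WS-BOB action=write path=\\fs01\shared\c.docx.locked
2024-03-04T09:21:15Z user=bob host=WS-BOB action=write path=\\fs01\shared\d.docx.locked
2024-03-04T09:21:20Z user=bob host=WS-BOB action=write path=\\fs01\shared\e.docx.locked
2024-03-04T09:21:25Z user=bob host=WS-BOB action=write path=\\fs01\shared\f.docx.locked
"""


def run_detection() -> list[tuple[str, str]]:
    """Build the baseline from the training lines, then run both rules over the live lines."""
    baseline = build_baseline(parse_log(TRAINING_LOG))
    return detect(parse_log(LIVE_LOG), baseline)


if __name__ == "__main__":
    for user, reason in run_detection():
        print(f"ALERT {user}: {reason}")
```

Three alerts result: alice's 02:10 read of payroll data, bob's read from a host never seen for him, and bob's fifth write within the window. A real deployment would train the baseline over weeks rather than two days and tune burst_limit to the share's normal write rate, but the shape of the logic is the same.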
As always, ensure that you have up-to-date anti-phishing and spam filtering in place, and configure it for your environment rather than leaving the defaults. Likewise, deploy the intrusion prevention technologies appropriate to your network, such as a next-generation firewall and a cloud-based WAF. Finally, ensure that security patches are installed as soon as they become available, so that an attacker who does gain a foothold through social engineering cannot exploit known vulnerabilities to go further.