Professional Documents
Culture Documents
FEATURE
Social engineering is the art of exploiting human psychology, rather than technical
hacking techniques, to gain access to buildings, systems or data.
For example, instead of trying to find a software vulnerability, a social engineer might
call an employee and pose as an IT support person, trying to trick the employee into
divulging his password.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the
'90s, although the idea and many of the techniques have been around as long as there
have been scam artists.
[ Learn 7 new social engineering tactics threat actors are using now. | Get the latest from
CSO by signing up for our newsletters. ]
Even if you've got all the bells and whistles when it comes to securing your data center,
your cloud deployments, your building's physical security, and you've invested in
defensive technologies, have the right security policies and processes in place and
measure their effectiveness and continuously improve, still a crafty social engineer can
weasel his way right through (or around).
Table of
Contents
SHOW MORE
Social engineering has proven to be a very successful way for a criminal to "get inside"
your organization. Once a social engineer has a trusted employee's password, he can
simply log in and snoop around for sensitive data. With an access card or code in order
to physically get inside a facility, the criminal can access data, steal assets or even
harm people.
You don't need to go thrift store shopping to pull off a social engineering attack, though.
They work just as well over e-mail, the phone, or social media. What all of the attacks
have in common is that they use human nature to their advantage, preying on our
greed, fear, curiosity, and even our desire to help others.
RECOMMENDED WHITEPAPERS
CAC-in-the-Cloud
1. On the phone
A social engineer might call and pretend to be a fellow employee or a trusted outside
authority (such as law enforcement or an auditor).
2. In the office
"Can you hold the door for me? I don't have my key/access card on me." How often
have you heard that in your building? While the person asking may not seem
suspicious, this is a very common tactic used by social engineers.
3. Online
Social networking sites have made social engineering attacks easier to conduct.
Today's attackers can go to sites like LinkedIn and find all of the users that work at a
company and gather plenty of detailed information that can be used to further an
attack.
Social engineers also take advantage of breaking news events, holidays, pop culture,
and other devices to lure victims. In Woman loses $1,825 to mystery shopping scam
posing as BestMark, Inc. you see how criminals leveraged the name of a known
mystery shopping company to conduct their scam. Scammers often use fake charities
to further their criminal goals around the holidays.
Attackers will also customize phishing attacks to target known interests (e.g., favorite
artists, actors, music, politics, philanthropies) that can be leveraged to entice users to
click on malware-laced attachments.
A good way to get a sense of what social engineering tactics you should look out for is
to know about what's been used in the past. We've got all the details in an extensive
article on the subject, but for the moment let's focus on three social engineering
techniques — independent of technological platforms — that have been successful for
scammers in a big way.
Offer something sweet. As any con artist will tell you, the easiest way to scam a mark
is to exploit their own greed. This is the foundation of the classic Nigerian 419 scam, in
which the scammer tries to convince the victim to help get supposedly ill-gotten cash
out of their own country into a safe bank, offering a portion of the funds in exchange.
These "Nigerian prince" emails have been a running joke for decades, but they're still
an effective social engineering technique that people fall for: in 2007 the treasurer of a
sparsely populated Michigan county gave $1.2 million in public funds to such a
scammer in the hopes of personally cashing in. Another common lure is the prospect of
a new, better job, which apparently is something far too many of us want: in a hugely
embarassing 2011 breach, the security company RSA was compromised when at least
two low-level employees opened a malware file attached to a phishing email with the
file name "2011 recruitment plan.xls."
Fake it till you make it. One of the simplest — and surprisingly most successful —
social engineering techniques is to simply pretend to be your victim. In one of Kevin
Mitnick's legendary early scams, he got access to Digital Equipment Corporation's OS
development servers simply by calling the company, claiming to be one of their lead
developers, and saying he was having trouble logging in; he was immediately rewarded
with a new login and password. This all happened in 1979, and you'd think things
would've improved since then, but you'd be wrong: in 2016, a hacker got control of a
U.S. Department of Justice email address and used it to impersonate an employee,
coaxing a help desk into handing over an access token for the DoJ intranet by saying it
was his first week on the job and he didn't know how anything worked.
Act like you're in charge. Most of us are primed to respect authority — or, as it turns
out, to respect people who act like they have the authority to do what they're doing.
You can exploit varying degrees of knowledge of a company's internal processes to
convince people that you have the right to be places or see things that you shouldn't,
or that a communication coming from you is really coming from someone they respect.
For instance, in 2015 finance employees at Ubiquiti Networks wired millions of dollars
in company money to scam artists who were impersonating company executives,
probably using a lookalike URL in their email address. On the lower tech side,
investigators working for British tabloids in the late '00s and early '10s often found ways
to get access to victims' voicemail accounts by pretending to be other employees of the
phone company via sheer bluffing; for instance, one PI convinced Vodafone to reset
actress Sienna Miller's voicemail PIN by calling and claiming to be "John from credit
control."
Sometimes it's external authorities whose demands we comply with without giving it
much thought. Hillary Clinton campaign honcho John Podesta had his email hacked by
Russian spies in 2016 when they sent him a phishing email disguised as a note from
Google asking him to reset his password. By taking action that he thought would
secure his account, he actually gave his login credentials away.
ISACA’s latest report State of Security 2021, Part 2 (a survey of almost 3,700 global
cybersecurity professionals) discovered that social engineering is the leading cause of
compromises experienced by organizations, while PhishLabs’ Quarterly Threat Trends
and Intelligence Report revealed a 22% increase in the volume of phishing attacks in
the first half of this year compared to the same period in 2020. Likewise, findings from
Verizon’s 2021 Data Breach Investigations Report highlighted social engineering as the
most common data breach attack method, observing that 85% of attacks prey upon the
human element of cybersecurity in some way. Recent research by Gemini has also
illustrated how cyber-criminals use social engineering techniques to bypass specific
security protocols such as 3D Secure to commit payment fraud.
Social engineering attack trends are often cyclical, typically coming and going with
regularity. For Nader Henein, research vice president at Gartner, a significant trend is
that social engineering has become a standard element of larger attack toolboxes,
being deployed in combination with other tools against organizations and individuals in
a professional and repeatable approach. “Much of these capabilities, be it phishing or
the use of deepfakes to convince or coerce targets, are being delivered in combination
as-a-service, with service level agreements and support.” As a result, social
engineering awareness and subsequent testing is increasingly required and present
within security training at most organizations, he adds.
Jack Chapman, vice president of threat intelligence at Egress, points to a recent rise in
“missed messaging” social engineering attacks. “This involves spoofing the account of
a senior employee; the attacker will send a more junior colleague an email requesting
that they send over a piece of completed work, such as a report,” he tells CSO.
To create additional pressure, the attacker will mention that the report was first
requested in a fictional previous email, leading the recipient to believe that they’ve
missed an email and haven’t completed an important task. “This is a highly effective
way of generating urgency to respond, particularly in a remote work environment,” says
Chapman. Furthermore, attackers are increasingly exploiting flattery to encourage
recipients to click their malicious links. “A surprising trend we’ve seen is hackers
sending birthday cards. Attackers can use OSINT to find out when their victim’s
birthday is and send a link to ‘view a birthday e-card’ that is actually a weaponized
phishing link. Often, the recipient doesn’t suspect a phishing attack because they’re too
busy being flattered to have received a card on their birthday.”
According to Neosec CISO Renan Feldman, most social engineering attacks today
leverage exposed APIs. “Most attackers are seeking access to those APIs rather than
access to a device or a network, because in today’s world the business runs on
application platforms. Moreover, breaching an API is much easier than penetrating an
enterprise network and moving laterally to take over most or all key assets in it. Thus,
over the next couple of years, it’s likely we will see a rise in single extortion via APIs.
With more and more business data moving to APIs, organizations are tightening their
anti-ransomware controls.”
Security awareness training is the number one way to prevent social engineering.
Employees should be aware that social engineering exists and be familiar with the
most commonly used tactics.
Fortunately, social engineering awareness lends itself to storytelling. And stories are
much easier to understand and much more interesting than explanations of technical
flaws. Quizzes and attention-grabbing or humorous posters are also effective
reminders about not assuming everyone is who they say they are.
But it isn't just the average employee who needs to be aware of social engineering.
Senior leadership and executives are primary enterprise targets.
Ensure that you have a comprehensive security awareness training program in place
that is regularly updated to address both the general phishing threats and the new
targeted cyberthreats. Remember, this is not just about clicking on links.
Yes, include senior executives, but don’t forget anyone who has authority to make wire
transfers or other financial transactions. Remember that many of the true stories
involving fraud occur with lower-level staff who get fooled into believing an executive is
asking them to conduct an urgent action — usually bypassing normal procedures
and/or controls.
Add extra controls, if needed. Remember that separation of duties and other
protections may be compromised at some point by insider threats, so risk reviews may
need to be reanalyzed given the increased threats.
An email from the CEO’s Gmail account should automatically raise a red flag to staff,
but they need to understand the latest techniques being deployed by the dark side. You
need authorized emergency procedures that are well-understood by all.
5. Review, refine and test your incident management and phishing reporting
systems.
Run a tabletop exercise with management and with key personnel on a regular basis.
Test controls and reverse-engineer potential areas of vulnerability.
Social engineering toolkit
Currently, the best defense against social engineering attacks is user education and
layers of technological defenses to better detect and respond to attacks. Detection of
key words in emails or phone calls can be used to weed out potential attacks, but even
those technologies will probably be ineffective in stopping skilled social engineers.
Follow 👤