The Social Engineering Threat
There are many threats to the security of our information in modern workplaces. However, this month we thought we’d focus on the increasing and serious threat of ‘social engineering’.
What is social engineering?
According to Wikipedia, it is:
Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
It has also been defined as “any act that influences a person to take an action that may or may not be in their best interests.”
Let’s focus on the top five examples:
Phishing
Phishing is the most common type of social engineering attack that occurs today. But what is it exactly? At a high level, most phishing scams endeavour to accomplish three things:
Obtain personal information such as names, addresses and Social Security Numbers.
Use shortened or misleading links that redirect users to suspicious websites hosting phishing landing pages, e.g. HMRC-themed phishing attacks.
Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into responding quickly, e.g. “your bank account may have been breached; please forward your account details or transfer your money to this temporary account”.
No two phishing emails are the same. There are actually at least six different sub-categories of phishing attacks. Additionally, we all know some are poorly crafted to the extent that their messages suffer from spelling and grammar errors. Even so, these emails usually have the same goal of using fake websites or forms to steal user login credentials and other personal data.
A recent phishing campaign used a compromised email account to send out attack emails. These messages asked recipients to review a proposed document by clicking on an embedded URL. Wrapped with Symantec’s Click-time URL Protection, this malicious URL redirected recipients to a compromised SharePoint account that delivered a second malicious URL embedded in a OneNote document. That URL, in turn, redirected users to a phishing page impersonating a Microsoft Office 365 login portal.
Our advice with regards to Phishing is as follows:
Train your team to identify and handle phishing attacks, including how to report a suspicious message rather than simply deleting it
Use phishing detection software to support the identification and removal of these messages
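The indicators listed above (a visible link that disagrees with its real target, URL shorteners, urgency language, a Reply-To that differs from the sender) can be checked mechanically. The following is an added example, not code from the original article or from any vendor product; the sample messages, the domain names, the shortener list and the urgency phrases are all constructed for illustration and would need tuning in a real environment.

```python
"""Heuristic scan of a raw e-mail for the phishing indicators discussed above.
Added example with constructed samples; domain names and word lists are assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}  # assumed list
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify your account", "unusual activity", "act now")  # assumed list
_URL_RE = re.compile(r"https?://[^\s<>\"']+")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class _LinkAndTextParser(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags and all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None

def _host(url):
    """Lower-cased hostname of a URL or URL-like text such as 'www.bank.example/x'."""
    try:
        return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:
        return ""

def _registrable(host):
    labels = host.split(".")  # crude: last two labels; use the Public Suffix List in production
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def link_findings(text, href):
    """Indicators for one link: text vs. real target, shortener, raw IP, punycode host."""
    findings, host = [], _host(href)
    text_is_url = bool(text) and " " not in text and ("://" in text or text.startswith("www."))
    if text_is_url and _registrable(_host(text)) != _registrable(host):
        findings.append(f"Link text shows {_host(text)} but points to {host}")
    if host in SHORTENERS:
        findings.append(f"Shortener {host} hides the real destination: {href}")
    if _IPV4_RE.match(host):
        findings.append(f"Link points to a raw IP address: {href}")
    if "xn--" in host:
        findings.append(f"Punycode (lookalike) hostname: {host}")
    return findings

def scan_message(raw):
    """Return human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkAndTextParser()
        parser.feed(content)
        links, visible = parser.links, " ".join(parser.text)
    else:  # plain text: a URL is its own visible text, so only host checks apply
        links, visible = [(u, u) for u in _URL_RE.findall(content)], content
    for text, href in links:
        findings.extend(link_findings(text, href))
    visible = " ".join(visible.split()).lower()
    hits = [p for p in URGENCY_PHRASES if p in visible]
    if hits:
        findings.append("Urgency/fear language: " + ", ".join(hits))
    return findings

# Constructed samples; every domain here is hypothetical.
PHISHING_SAMPLE = """\
From: "Northbank Security" <alerts@northbank-secure-notice.example>
Reply-To: recovery@mailbox-restore.example
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body><p>We detected unusual activity. Your account will be suspended within
24 hours unless you verify your account immediately.</p>
<p><a href="http://bit.ly/3xyzabc">https://www.northbank.example/secure-login</a></p>
</body></html>
"""
BENIGN_SAMPLE = """\
From: IT Service Desk <servicedesk@example.org>
Subject: Monthly maintenance window
Content-Type: text/plain; charset=utf-8

The maintenance window is Saturday 02:00-04:00. No action is needed.
Details: https://intranet.example.org/maintenance
"""
```

Running `scan_message(PHISHING_SAMPLE)` reports the Reply-To mismatch, the link whose text names one domain while its href goes to a shortener, the shortener itself and the urgency phrases; `scan_message(BENIGN_SAMPLE)` returns nothing. None of these checks is conclusive on its own (legitimate mail uses shorteners and Reply-To too), which is why the scan returns a list of indicators for a human or a scoring rule to weigh rather than a verdict.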
Pretexting
Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victims’ personal information. In these types of attacks, the scammer usually says they need certain bits of information from their target to confirm their identity. In reality, they steal that data and use it to commit identity theft or stage secondary attacks. Note: watch out for bogus calls to IT support staff; scammers are highly successful at talking support teams into handing over control of their own workstations.
More advanced attacks sometimes try to trick their targets into doing something that abuses an organization’s digital and/or physical weaknesses. For example, an attacker might impersonate an external IT services auditor so that they can talk a target company’s physical security team into letting them into the building.
Whereas phishing attacks mainly use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
Pretexting can and does take on various forms. Even so, many threat actors who embrace this attack type decide to masquerade as HR personnel or employees in the finance department. These disguises allow them to target C-level executives, as Verizon found in its 2019 Data Breach Investigations Report (DBIR).
Our advice here is to ensure that data protection processes and procedures are robust enough to identify and prevent pretexting attacks. In practice this means never confirming identity details or releasing data on an inbound call or email; take the caller’s name and ring them back on a number you already hold for that organisation.
Baiting
Baiting is in many ways similar to phishing. However, what distinguishes it from other types of social engineering is the promise of an item or favourable outcome that malicious actors use to entice victims. Baiters may leverage the offer of free music or movie downloads, for example, to trick users into handing over their login credentials.
Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media. Note: be wary of promotional USB sticks and of unknown USB devices in general; a found or gifted stick should never be plugged into a work machine.
Quid Pro Quo
Similar to baiting, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting usually takes the form of a favourable outcome.
One of the most common types of quid pro quo attack involves the impersonation of HMRC employees. These fake HMRC personnel contact random individuals, inform them that there has been a computer problem on HMRC’s end and ask the individual to confirm their Unique Taxpayer Reference and National Insurance number, all for the purpose of committing identity theft. In other cases detected, malicious actors set up fake HMRC websites that claim to help users apply for tax rebates but instead simply steal their personal information.
It is important to note, however, that attackers can use quid pro quo offers that are far less sophisticated than the HMRC-based ruses. As earlier studies have shown, office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.
Tailgating
Our final social engineering attack example is known as tailgating or “piggybacking.” In these types of attacks, someone without the proper authentication follows an authenticated employee into a restricted area. The attacker might impersonate a delivery driver and wait outside a building to get things started. When an employee gains security’s approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access to the building.
Tailgating does not work in all corporate settings such as large companies whose entrances require the use of a keycard. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk.
Malicious actors who engage in social engineering attacks prey on human psychology and curiosity in order to compromise their targets’ information. With this human-centric focus in mind, it is up to all of us to help our colleagues counter these types of attacks.
Here are a few tips that you can incorporate into your security awareness training programme to help users avoid social engineering schemes:
Do not open any emails from untrusted sources. Contact a friend or family member in person or by phone if you receive a suspicious email message from them.
Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
Lock your laptop or workstation whenever you step away from it.
Use anti-virus software. No AV solution can defend against every threat that seeks to jeopardise users’ information, but it can help protect against some.