28 infosec experts discuss how to prevent the most common social engineering attacks.
Social engineering attacks are not only becoming more common against enterprises and SMBs, but they're also increasingly sophisticated. With hackers devising ever-more clever methods for fooling employees and individuals into handing over valuable company data, enterprises must use due diligence in an effort to stay two steps ahead of cyber criminals.
Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.
October is National Cyber Security Awareness Month, and in recognition of the initiative we wanted to educate companies, employees, and end users on how to better recognize social engineering efforts and prevent these attacks from succeeding. To uncover some of the most common social engineering attacks being used against modern enterprises and get tips on how to avoid them, we asked a panel of data security experts and business leaders to answer the following question:
"What are the common social engineering attacks made on companies, and how can they be prevented?"
See what our experts had to say below:
Meet Our Panel of Data Security Experts:
Stu Sjouwerman and Kevin Mitnick
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. KnowBe4 services over 1,200 organizations in a variety of industries, including highly-regulated fields such as healthcare, finance, energy, government and insurance and is experiencing explosive yearly growth of 300%. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
Kevin Mitnick, ‘the World’s Most Famous Hacker’, is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecom devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and keynote speaker and has authored four books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC as its Chief Hacking Officer.
Social engineering techniques
What does social engineering look like in action? It could look like an email that has been designed to seem like it is from a credible organization, like your message service or FedEx or even your bank. But if you open it and click on that attachment, you could be installing malware or ransomware. Or, it could be disguised to look like it comes from someone inside your organization (like an unusual title such as IT@yourorganization – someone whom you trust). But if you respond to that email with your user name and password, your computer is easily compromised. The rule is Think Before You Click.
Social engineering attacks
The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead. “You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.” Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme, so in the end, it does not matter if your workstation is a PC or a Mac.
The most common social engineering attacks come from phishing or spear phishing and can vary with current events, disasters, or tax season. Since about 91% of data breaches come from phishing, this has become one of the most exploited forms of social engineering.
Here are some of the worst:
A. Court Notice to Appear - Scammers are sending phishing emails claiming to come from a real law firm called 'Baker & McKenzie' stating you are scheduled to appear in court and should click a link to view a copy of the court notice. If you click on the link, you download and install malware.
B. IRS refund ransomware - Many of us waited till the last moment before the April 15th tax deadline and are now holding our collective breath in expectation of that possibly rewarding refund. The problem is that cybercriminals are very aware of this anticipation and use social engineering tactics to trick taxpayers. Knowing that many in America are waiting for word from the Internal Revenue Service concerning pending refunds, the cyber mafia is working hard to get in first with a massive phishing attack that has a ransomware attachment. The attachment is an infected Word file, which holds a ransomware payload and encrypts the files of the unlucky end-user who opens the attachment, and all connected network drives if there are any.
C. Researchers at Proofpoint recently discovered a phishing campaign that originated from select job postings on CareerBuilder. Taking advantage of the notification system the job portal uses, the attacker uploaded malicious attachments instead of résumés, which in turn forced CareerBuilder to act as a delivery vehicle for phishing emails.
The scam is both simple and complex. It's simple because the attacker used a known job site to target a pool of willing email recipients, and complex because the malware that was delivered was deployed in stages.
The attack starts by submitting a malicious Word document (named resume.doc or cv.doc) to a job posting. On CareerBuilder, when someone submits a document to a job listing, a notification email is generated for the person(s) who posted the job and the attachment is included.
D. Last June, the Durham, New Hampshire police department fell prey to ransomware when an employee clicked on a legitimate-looking email. Numerous other police departments have been hit including Swansea and Tewksbury, MA, Dickson County (Tennessee) Sheriff, and others. As of this time, the primary means of infection appears to be through phishing emails containing malicious attachments, phony FedEx and UPS tracking notices, and even through pop-up ads.
Here are a few social engineering scams executed via phishing:
Banking Link Scam: Hackers send you an email with a phony link to your bank, tricking you into entering in your bank ID and password.
A billion dollar heist covering 30 countries and nearly a billion dollars in lost funds, nicknamed Carbanak by security firm Kaspersky, was reported on extensively in Feb 2015.
In the Carbanak scam, spear phishing emails were sent to employees that infected work stations, and from there the hackers tunneled deeper into the banks’ systems until they controlled employee stations that would allow them to make cash transfers, operate ATMs remotely, change account information, and make administrative changes.
It was a pretty standard scheme: an email with a link that looked like it was coming from a colleague contained the malicious code, which spread from there like a digital rhinovirus. The hackers recorded everything that happened on the affected computers to learn how the organization did things. When they had mastered the system, they commandeered it for a series of transactions that included the ATM hits, but also a practice of artificially inflating bank balances and then siphoning off that amount, so a customer’s account balance might go from $1,000 to $10,000 and then $9,000 would go to the hacker.
Fax Notice Scam: It's a phony link to a phony fax. But it will do real damage to your PC. This is quite common, especially for firms who still use faxes heavily such as document management, title companies, insurance and other financial services companies.
Dropbox Link Scam: Have we got a surprise waiting for you in Dropbox.
A couple of variations of this were running in 2014. One was a fake Dropbox password reset phishing email that, when clicked, led users to a page saying their browser is out of date and they need to update it (with a “button” to the update). This would launch a Trojan in the Zeus family of malware.
Another was an email with Dropbox links that hosted malicious software like “CryptoWall” ransomware.
Court Secretary Complaint Link Scam: Here's a phony link confirming your complaint. Something tells us you'll be complaining about something else very soon.
A version of this has been in use for a while. See A. above.
Facebook Message Link Scam: Vin Diesel has just died. Find out that your PC will be pushing up the daisies with this link.
This one is commonly used when a celebrity dies. This was exploited with Robin Williams when he passed away with the Robin Williams goodbye video. A bogus Facebook phishing message appeared that invited users to click a link and see an exclusive video of Robin Williams saying goodbye through his cell phone. Of course there was no video, and the link led to a bogus BBC news page which tried to trick clickers into clicking on other links that led to scam online surveys.
Since we train others and actively create test phishing campaigns for our customers to use, my staff tried to social engineer me the other day, trying to catch me as a prank.
It was a 2-stage attack, trying to get me to reveal my credentials. They spoofed our Director of HR, and sent me the email below. This is an example of very high operational sophistication, typical of top-tier whaling attacks, those cases when an individual is subjected to spear phishing attempts because they hold valuable information or wield influence within an organization. They had done their homework and knew I was active on the SpiceWorks forum for IT admins.
10:45 AM (1 hour ago)
I noticed that a user named securitybull72 (claiming to be an employee) in a security forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances on his disagreements, and doing so, may have unwittingly divulged confidential company information regarding pending transactions.
The post generated quite a few replies, most of them agreeing with negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through appropriate channels before making this post. The link to the post is located here (it is the second one in the thread):
Could you please talk to him?
Nine out of ten would fall for something like this. The only thing that saved me was the fact that when I hovered over the link I saw that the domain was one I had created myself for simulated phishing attacks. But it was a close call! One more second and I would have been pwned.
The best prevention actions are:
1. Train users with an effective training program that routinely uses an integrated anti-phishing tool that keeps security top of mind for users and helps them recognize what a phishing email might look like.
2. Back up just in case and regularly test those backups to make sure they work.
Paul Kubler, CISSP, CCNA, Sec+, ACE
Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He’s a former employee at Boeing, in the Global Network Architecture division, the nation’s largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.
With several years of experience in cybersecurity and digital forensics, he conducted a wide range of investigations, including data breached through computer intrusions, theft of intellectual property, and computer hacking. He has worked on hardening the systems and deploying protection over an international organization. He has also created business networks with a defense in depth strategy and implemented firewalls on these networks.
Some of the more common forms of social engineering (and how to prevent them) include...
Phishing has become a big player in malware attacks in the last few years and this type of social engineering has proven hard to overcome. Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. These aren’t the typical “Nigerian Prince” scammers, but rather sophisticated hacking groups with sufficient time and funding who launch these exploits. They usually hide behind a Tor network or the like and become hard to find, especially when they are backed by organized crime who use this as a source of income.
In the recent years, we’ve seen a dramatic increase in the use of ransomware being delivered alongside phishing emails. They usually send an attachment such as “URGENT ACCOUNT INFO” with a file extension of “.PDF.zip” or “.PDF.rar,” which slips by the unsuspecting victim and delivers the payload. This attack often encrypts the entire hard disk, or the documents and requires a bitcoin payment to unlock. Luckily, these groups actually do unlock the data - this way future victims are more likely to pay.
What can you do, as an individual, to minimize the chances of falling victim to these dirty schemes? Here are a few steps you can take:
- DO NOT open emails in the spam folder or emails whose recipients you do not know.
- DO NOT open attachments in emails of unknown origin.
- Use a reputable antivirus software - I recommend Kaspersky or Symantec.
- Perform a regular backup to an external medium (external hard drive or the cloud).
- After backing up, disconnect your drive. Current ransomware is known to encrypt your backup drive as well.
- DO NOT pay the ransom. The reason why the criminals keep utilizing this form of blackmailing attacks is that people keep paying. To try to get your data back, consult a professional in your area.
What can your company do to prevent being victimized by these types of attacks?
- Humans need to be trained – they are the weakest link. Companies should employ, at minimum, a bi-annual training geared towards each user group (end-users, IT staff, managers, etc.) so that everyone is aware of the latest attacks.
- Employees should be tested by having an outside party conduct a social engineering test. These kinds of tests help keep the employee on their toes and more likely to avoid the attacks.
- Since these attacks are on the rise, a number of new defenses have been developed. AppRiver is a great Spam and Virus email filter that can block a large number of phishing exploits before they even reach the internal servers.
- If they happen to get through, an endpoint protection system that can block the latest malware is probably your best bet at stopping the attack.
- As a last line of defense, Cyphort has a good IDS/IPS solution that can help detect known attacks and how far they managed to get into the network by signature, behavior, and by community knowledge.
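The “.PDF.zip” trick described above is easy to check for mechanically before an attachment ever reaches a user. The following is an added example written for this article (not code from the original page or from LIFARS); the extension lists, the function names and the sample attachment names are constructed assumptions, and the check is a heuristic to be layered under a real mail filter rather than a replacement for one.

```python
"""Heuristic check for deceptive attachment names such as 'URGENT ACCOUNT INFO.PDF.zip'.

Added example for this article, not code from the original page or from LIFARS.
The extension lists and the sample attachment names are constructed assumptions.
"""
from typing import List, Optional, Tuple

# Extensions a recipient expects to see on a harmless document or picture.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Containers that hide the real payload from a casual glance.
ARCHIVE_EXTS = {"zip", "rar", "7z", "gz", "cab"}
# Extensions that run code when double-clicked on a typical workstation.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta", "jar", "ps1"}


def attachment_risk(filename: str) -> Optional[str]:
    """Return a short reason string if the name looks deceptive, else None.

    Two patterns are flagged: an outright executable extension, and a
    document-style extension immediately followed by an archive extension
    (the '.PDF.zip' trick). Whitespace padding such as 'invoice.pdf    .exe'
    is caught because only the final extension decides whether it executes.
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all
    exts = [p.strip() for p in parts[1:]]
    outer = exts[-1]
    if outer in EXECUTABLE_EXTS:
        return f"executable attachment (.{outer})"
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and outer in ARCHIVE_EXTS:
        return f"document-looking name inside an archive (.{exts[-2]}.{outer})"
    return None


def triage_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a list of attachment names and keep only the hits."""
    hits = []
    for name in names:
        reason = attachment_risk(name)
        if reason:
            hits.append((name, reason))
    return hits


# Constructed sample: one benign report, two of the patterns described above, one plain archive.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.pdf",
    "URGENT ACCOUNT INFO.PDF.zip",
    "invoice.pdf                         .exe",
    "holiday-photos.zip",
]

if __name__ == "__main__":
    for name, reason in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name!r}: {reason}")
```

A plain archive on its own is deliberately not flagged; the signal is the document-style name sitting in front of the archive or executable extension, which is what makes the attachment look like a PDF to the victim.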
Doug Fodeman is the content director and co-owner of The Daily Scam, a web site devoted to helping individuals, companies, and organizations increase their understanding and awareness of internet-based threats, scams, and fraudulent practices in order to significantly decrease their risks and associated lost productivity.
When it comes to social engineering attacks, companies should understand...
Social engineering attacks that target companies or individuals are most easily and successfully launched through email. Everyone depends on email for communication, even more than social media which might be monitored by just one or a few company staff. Email is also a tool used daily by older members of the workforce. Also, email can direct a threat to everyone in an organization, including the CEO and CFO. But malicious emails require two triggers to be effective. The first is a cleverly worded subject line that will engage the recipient's curiosity and engineer them to open the email.
Some of the most effective subject lines are often innocent and simple like these recent ones I saw targeting an organization in just the last two weeks:
- A Special Invitation Advisory: Your online file was accessed
- Celebrate Mom this Sunday with an exquisite $29.96 bouquet
- Get noticed and watch your career take off
- Learn about harp
- Mothers Day bouquets with DESIGNER VASES
- Service cancellation May 10
- SHIPPING DOCUMENT / BL CONFIRMATION
- Welcome to the Whos Who Connection
- Confirm for your delivery
- Confirm your 3K transfer by Monday
- FBI letter of notification [code 210]
- Incoming fax
- I think you'll like this
- New health care reform laws are in
- No interest for the first year
- Notice of payment
- Treat as urgent and get back to me
- Your installation
- Your phone number
Once the recipient opens an email, the message has to be compelling enough to engineer a click of a link or attached file in order to initiate or deliver the attack. Many engineering strategies have been very successful including:
- Emails with a very professional look and presentation. These emails may include spoofed email addresses of legitimate companies or seemingly innocent pitches such as the sale of Mother's Day flowers.
- Emails that are very short and to the point, often citing a bogus invoice, blocked payment, delivery, or fax.
- Emails that are meant to engineer click-behavior by intimidation, such as an email made to look like it is from the FBI, a bank authority, or the IRS.
Unfortunately, most companies seem to put all of their defense efforts into software and hardware solutions to keep these threats from ever reaching employees. Using this approach is flawed because employees connect to the Internet through email, Facebook, LinkedIn, Twitter, and web pages from home, mobile devices, and work. Few companies also include employee education. I have found that educating employees about the threats that target them is MORE important than hardware and software defenses. And it isn't difficult to teach employees the simple methods to recognize threats such as mouse-over skills and understanding the anatomy of an email address or domain name.
Curtis Peterson is the Digital Marketing Manager for SmartFile. Peterson is responsible for strategy and execution of SmartFile's content, email, search, and social strategies. SmartFile provides IT administrators with time-saving file and user management tools that enable non-IT employees to access and share files securely. Scalable cloud or on-premise storage is available for any size business that regularly sends, receives, and archives files.
In terms of identifying and preventing social engineering attacks...
Obviously, Edward Snowden was the poster boy for social engineering attacks. He either befriended folks or asked for their passwords and logins by telling them they were needed for his computer systems administrator role. Pretext, or creating a fake persona or using one's role in an improper way, is pretty popular for social engineering attacks.
The bottom line is 63% of data breaches come from internal sources, either control, errors, or fraud. In 2013, $143 billion came from data theft (both stats can be found on isyourdatasafe.com).
Social engineering is hard to prevent. That's the tough part. A lot of prevention comes from IT compliance best practices. But still, even in the case of Edward Snowden, how can you tell something bad is happening when it appears to be a user with clearance? We'd recommend diligent monitoring and analytics to try to understand when this is happening. For instance, if you have a number of highly sensitive files, you should track when those are downloaded/shared. An IT administrator should also receive instant notifications when these actions are taken on sensitive files. Finally, there should be logs that are analyzed regularly to understand abnormal usage behaviors. For instance, if the file is downloaded after hours, it should be a red flag. Or if multiple sensitive files from the same user are downloaded, that should be identified and looked into.
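The two red flags named above (after-hours downloads and several sensitive files pulled by one user) can be turned into simple log rules. The following is an added example written for this article, not code from the original page or from SmartFile; the log format, the field names, the business-hours window, the burst threshold and the log lines themselves are all constructed assumptions.

```python
"""Flag after-hours and burst downloads of sensitive files in an access log.

Added example for this article, not code from the original page or from SmartFile.
The log format, field names, business-hours window and burst threshold are
assumptions chosen for the example; the log lines themselves are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (chronological order, one event per line).
LOG_LINES = [
    "2015-05-12T09:05:10 user=alice action=download file=/hr/salary-bands.xlsx sensitive=yes",
    "2015-05-12T09:06:02 user=alice action=view file=/hr/handbook.pdf sensitive=no",
    "2015-05-12T23:41:37 user=bob action=download file=/finance/pending-acquisition.docx sensitive=yes",
    "2015-05-12T23:42:10 user=bob action=download file=/finance/board-minutes.docx sensitive=yes",
    "2015-05-12T23:44:55 user=bob action=download file=/legal/term-sheet.pdf sensitive=yes",
    "2015-05-13T10:15:00 user=alice action=download file=/finance/q2-forecast.xlsx sensitive=yes",
]

Alert = Tuple[str, str, str]  # (rule, user, detail)


def parse_line(line: str) -> dict:
    """Turn 'ISO-timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect(lines: List[str], business_hours=(8, 18), burst_count=3,
           burst_window=timedelta(minutes=10)) -> List[Alert]:
    """Apply two rules to sensitive-file downloads.

    after_hours: a download outside [business_hours[0], business_hours[1]) local time.
    burst: the same user reaches burst_count sensitive downloads inside burst_window.
    Lines are assumed to arrive in chronological order.
    """
    alerts: List[Alert] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "download" or ev.get("sensitive") != "yes":
            continue
        user, ts, path = ev["user"], ev["ts"], ev["file"]
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            alerts.append(("after_hours", user, path))
        # Keep only this user's downloads that fall inside the sliding window, then add this one.
        recent[user] = [t for t in recent[user] if ts - t <= burst_window] + [ts]
        if len(recent[user]) == burst_count:
            alerts.append(("burst", user, f"{burst_count} sensitive downloads within {burst_window}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(LOG_LINES):
        print(f"[{rule}] {user}: {detail}")
```

The burst rule fires exactly once when the threshold is reached rather than on every further download, which keeps the notification count manageable for the administrator the text says should be paged.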
Jeremy Schoeneman is an information security specialist with a focus on social engineering. He has worked at SecureState for over one year, and conducts social engineering engagements as part of client penetration tests on a regular basis.
The most common social engineering techniques used today include...
Today, there are many ways an attacker will try and compromise a corporate network, but in the end, the individual is at the highest risk from an attack. Attackers will take whatever means necessary to break into a network and steal information, and the most popular, and most successful, is by way of social engineering. Social engineering is responsible for many of the recent major attacks, from Sony to The White House. There are essentially two very popular types of attacks: phishing and vishing (voice phishing).
Phishing attacks are the most prevalent way of obtaining information or access into a network. An individual will open a seemingly harmless email, either click a link that leads to a malicious site or download an attachment which contains malicious code, and compromise a system. Phishing has been increasingly successful because the attackers are creating more legitimate looking emails and the attacks are more sophisticated. Thanks to the prevalence of social media, an attacker can look up everything they need to know about a person and their interests, craft an email specially tailored to that person, and email something directly to them, which increases the chances of that person clicking.
Vishing is essentially phishing over the phone. An attacker will call someone, such as an IT help desk, and with a little bit of information about a person (such as a name and date of birth) either get login credentials or more information about the individual, such as a social security number.
Protecting a company from these attacks starts with education. Teaching people what to look for when getting an email or receiving a phone call from someone asking for information or to click on something is what's going to lessen the likelihood of a successful attack. Actually looking at the from address, hovering over links and verifying the URL, and never downloading attachments unless you absolutely know where the email comes from will drastically decrease the likelihood of a successful attack against a company. When an individual receives a phone call asking for information, it's important to establish the identity of the person without giving hints. Remember: people's information is easily found on the internet. Asking good security questions on the IT help desk level is a great way to help guard against these attacks. Something like: What high school did you go to, or what was the make of your first car, is a thousand times better than your birthday.
Pierluigi Paganini is a Security Researcher for the InfoSec Institute and has over 20 years experience in the field.
Here are a few basic rules to protect users' digital identities from social engineering attacks...
- Be aware of spam and adopt special cautions for email that:
  - requests confirmation of personal or financial information with high urgency.
  - requests quick action by threatening the user with frightening information.
  - is sent by unknown senders.
- Monitor online accounts regularly to ensure that no unauthorized transactions have been made.
- Never divulge personal information via phone or on unsecure websites.
- Do not click on links, download files, or open email attachments from unknown senders.
- Be sure to make online transactions only on websites that use the https protocol. Look for a sign that indicates that the site is secure (e.g., a padlock on the address bar).
- Beware of phone phishing; never provide personal information over the phone if you receive a call. Beware of emails that ask the user to contact a specific phone number to update user’s information as well.
- Never divulge personal or financial information via email.
- Beware of links to web forms that request personal information, even if the email appears to come from a legitimate source. Phishing websites are often exact replicas of legitimate websites.
- Beware of pop-ups; never enter personal information in a pop-up screen or click on it.
- Adopt proper defense systems such as spam filters, anti-virus software, and a firewall, and keep all systems updated.
- For a social network user, it’s fundamental to trust no one and reveal only a limited amount of information. Never post personal information, such as a vacation schedule and home photos. Never click on links and videos from unknown origin and never download uncertified applications.
Keith Casey currently serves as Director of Product for Clarify.io working to make APIs easier, more consistent, and help solve real world problems. Previously, as a developer evangelist at Twilio, he worked to get good technology into the hands of good people to do great things. In his spare time, he works to build and support the Austin technology community, blogs occasionally at CaseySoftware.com and is completely fascinated by monkeys. Keith is also a co-author of “A Practical Approach to API Design” from Leanpub.
The most common social engineering attacks by far come in the form of...
"I just need." Basically, someone calls the company claiming to represent the phone company, internet provider, etc., and starts asking questions. They claim to have a simple problem or know about a problem that can be fixed quickly but they just need one little thing. It could be as innocuous as asking for a username or someone's schedule or as blatant as asking for a password. Once the attacker has this information, they call someone else in the company and use the new information to refine their attack. Lather, rinse, repeat.
After a few calls, they can often pass themselves off as an employee — often the assistant of someone significant — and ask for access or more detailed information right now. The unsuspecting employee doesn't want to annoy the significant person, so they answer and help before they've had a chance to think. At this point, it's almost trivial to get access to email accounts, phone records, travel itineraries, etc.
The only solution to this is to never trust someone that calls you. Instead of immediately giving the requested information, get the person's phone number from the company directory, and offer to call them back at that number. An honest person may be annoyed but it will work. An attacker will give up and try someone else. Also, never ask the person for their phone number, go to a known safe source — like the company directory — to get the information.
The same applies to your credit card company. Never give sensitive information to someone who calls you. Use the phone number on your card and call them back.
Joe Ferrara is President and CEO of Wombat Security Technologies. Joining Wombat in 2011, Joe brings 20 years of experience in technology marketing, operations and management to his role as President and CEO. Recently Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia and received a CEO of the Year award from CEO World. Joe has provided expert commentary and has spoken at numerous information security industry events including RSA Europe, the CISO Executive Network forum, ISSA International, and information security regional conferences.
My advice for companies related to the increasing prevalence of social engineering attacks is...
Commonly defined as the art of exploiting human psychology to gain access to buildings, systems, or data, social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. A recent Check Point sponsored survey revealed that 43 percent of the IT professionals surveyed said they had been targeted by social engineering schemes. The survey also found that new employees are the most susceptible to attacks, with 60 percent citing recent hires as being at high risk for social engineering.
- Take a baseline assessment of employee understanding.
- Help employees understand why their security discretion is vital to corporate health.
- Create a targeted training program that addresses the most risky employees and/or prevalent behaviors first.
- Empower employees to recognize potential threats and independently make correct security decisions.
- Improve knowledge retention with short interactive training sessions that work easily into employees' busy schedules and feature proven effective learning science principles.
- Monitor employee completion of assignments and deliver automatic reminders about training deadlines.
- Show measurable knowledge improvement over time with easy-to-read reports for executive management.
Companies should promote a people-centric security culture that provides ongoing training to consistently inform employees about the latest security threats. Fighting attacks against the human mind requires behavioral changes more than technology defenses.
Companies should use a combined approach of simulated social engineering attacks coupled with interactive training modules to deliver the best result. Incorporating continuous training methodology can be the difference between a five-alarm data breach and a quiet night at the office.
Sanjay Ramnath is a Senior Director of Product Management for Barracuda, the go-to provider of powerful, easy-to-use, affordable IT solutions for security and storage.
When it comes to social engineering, my advice for companies is...
Social media is a necessary evil. Companies need to recognize the value of these sites for business use and cannot just outright block these sites from the network.
There are, however, a few ways to help mitigate the risks while allowing social networks to be in use. When it comes to training, sure you can hold a class for new and older employees to show them the Do's and Don'ts to better protect themselves against threats; however, most of this is common knowledge and hard to really enforce.
BYOD has really put stress on network admins to protect the network from users' mobile devices.
Social media is a zero trust environment. Social networking is so simple to use that, often, people's guards are lowered. A friend you know well could send you a link to an album of a trip they recently took for you to click on to view or download. You, of course, seeing your friend's picture next to the link, or getting an email from their email address, click on it because you assume that it's safe, not knowing that they have been hacked and now the pictures you think you are downloading are actually downloading malware onto your computer.
Companies need to consider securing all threat vectors and putting in place dedicated solutions to address every need. In a case like social engineering where victims are subject to spear phishing attacks, phishing attacks, malicious emails, and compromised sites, it is good to have a spam firewall and web filter in place to mitigate those threats before they even reach the network.
Having a secure web browser or mobile device management solution to address BYOD both on and off the company network is something they should also consider to protect company and employee information.
Alex Markowitz is a Systems Engineer for Chelsea Technologies, a managed IT services firm that provides design, implementation, hosting, and support services to the global financial industry. Alex has over 10 years of IT experience in the financial sector.
My top suggestion for companies in preventing social engineering attacks is...
The Power of No.
Google the top social engineering attacks. What do you get? Stories about Trojan Horses, phishing attacks, malware injections, redirects, spam, and people giving up way too much personal information on public websites. The surface area for social engineering attacks is as big as all the employees and users in your corporation. The best social engineering attack will involve nothing but an unnoticed slip or mistake from one user. I am going to address the very specific aspect of internal security and leave you with the following: the most important protection you need in your company is the ability to say, "No."
Knowing the history of these attacks is useful, but overall, it is not going to protect you. The attackers are always ahead of those of us who are defending our information. A social engineer will always find a new way to do what they do. Someone who wants to target your company is considered an unending well of creativity, and must be treated as such. Keep in mind, technology always changes, but the humans utilizing that technology do not change. You can protect yourself with all the technology you want, but just one human mistake can blow your company's doors wide open. Humans are the attack surface on which a social engineer strikes.
Therefore, the problem we have as IT Professionals is keeping age-old human flaws from causing a technological attack. The following is an omnipresent human flaw that I would like to specifically address: I have worked at many financial institutions. At every institution, there is always a slew of executives, managers and the like that want to be treated special. They want access to the network on their personal laptop. They want access to the network on their iPad, but also let their kids play with that iPad. They want access when and where they should not have it, and they are in powerful positions that make them very difficult to reason with.
They want things that will make their professional lives even easier than we, in IT, struggle to make them. Unfortunately, in IT, we are in the habit of saying, "Yes." I have seen directors and CTOs create special exceptions for other high-ranking users to garner favors and popularity, but also because they are scared for their own position. This is lazy; this is arrogant; this is stupid; but this is, most of all, human. We human beings are the system attacked by social engineering, and then we leave ourselves open by falling prey to our insecurities, giving an attacker an invitation to storm our gates. All IT needs to learn how to say is "No," and IT management needs to be strong and stubborn for the good of a company. One of the best ways to protect your company from social engineers is to learn how to say, "No." Keep politics and climbing the office ladder out of IT security.
I know I am addressing a very specific aspect of IT, but one of the best ways to shrink your attack surface is to learn how to say, "No." It takes strong leadership and determination from IT management to keep our protection streamlined. Only after our protection is streamlined can we accurately educate our users and create a secure infrastructure. Every individual exception opens a Pandora's Box for social engineers to find (or even just stumble upon) and exploit.
Robert Harrow is a research analyst for ValuePenguin.com, where he covers various personal finance verticals, including credit cards, home insurance, and health insurance. His interest in security comes mainly from studying credit card and health insurance data breaches.
The biggest social engineering threat to companies today is...
Phishing scams are the biggest threat, and the most common means of social engineering. According to the most recent report by EMC, there has been $5.9 billion in losses due to phishing scams in 2013 alone — this from close to 450,000 attacks.
Spam filters can be useful in helping employees avoid exposure to these attacks. However, these fail in what is referred to as spear phishing. These attacks are less frequent, but more targeted to specific high value individuals — likely CEOs, CFOs, and other people with high-level access in their company. These attacks are generally not picked up by spam filters and are much harder to detect.
Educating employees about the dangers of phishing and being careful about all e-mails they receive is crucial.
Steven J.J. Weisman, Esq. is a lawyer, college professor at Bentley University where he teaches White Collar Crime, and one of the country's leading experts in scams, identity theft, and cybercrime. Weisman writes the blog Scamicide.com, where he provides daily updated information on the latest scams and identity theft schemes.
When it comes to social engineering attacks and how companies can prevent them, I advise...
Major data breaches and hacking of major companies such as Target, Sony, or even the State Department generally have one thing in common, and that is that despite the sophistication of the malware used to gather information, that malware has to be downloaded into the computers of the targeted company or agency and that is done, most often, through social engineering tactics that trick employees into clicking on links or downloading attachments that unwittingly download the malware.
So how do they convince employees to click on the links and download the attachments?
- They make it appear that the email comes from a friend, whose email they have hacked.
- They make it appear that the email comes from someone within the company, whose name and email address may have been obtained through a myriad of available databases including LinkedIn.
- They gather information on the targeted employee through social media, where the employee may have made personal information public that enables a skilled hacker to use that information to trick the employee into clicking on a link dealing with something in which they are interested.
- The link is for free pornography.
- The link is to provide celebrity photos or gossip.
- The link is to provide sensational photographs or videos of an important and compelling news event.
- It appears to come from someone in IT security from the company informing the employee of an emergency.
These are just a few of the more common social engineering tactics used by hackers.
So what can be done to stop them?
Train employees on my motto, "Trust me, you can't trust anyone." No one should ever provide personal information to anyone in response to a request until they have verified that the request is legitimate. No one should ever click on any link without confirming that it is legitimate.
Train employees to be skeptical and what to be on the lookout for in regard to common phishing and spear phishing schemes.
Install and maintain the latest and constantly updated anti-virus and anti-malware software with the understanding that the latest updates are always at least a month behind the hackers.
Limit employees' information access to only that information that they have a need to have access to.
Use dual factor authentication along with strong passwords that are regularly changed.
A technical writer with 6 years' experience in the cyber security field at Bitdefender & Heimdal Security, Aurelian Neagu tries to discover and understand how technology changes human relationships in a society and modifies social perception of the world.
Social engineering attacks on companies...
Can come from both within and outside the organization.
Social engineering carried out by malicious insiders
According to PwC’s 18th Annual Global CEO Survey 2015, 21% of current or former employees use social engineering to gain financial advantage, for revenge, out of curiosity or for fun.
Social engineering methods used inside the organization can include:
- Extracting company information (such as passwords, credentials) from the inside and delivering it to third parties.
- Using confidential information as leverage for finding a new job or achieving a better position inside the company.
- Leaving the organization with login information and confidential information and using it for malicious purposes.
Social engineering carried out by malicious outsiders
- Malicious outsiders very often pose as company contractors to extract confidential information from gullible employees. They can do that either through phone calls, emails, or by physically gaining access to company premises.
- Social engineering often relies on the strong confidence that cyber criminals possess and on the trust that is usually instilled in external contractors, especially if they come from reputed companies, such as Cisco or IBM.
- Information about employees found on social networking sites can also be a method of gaining the victim’s trust in order to gather sensitive information from him/her.
- Malicious outsiders can also use malware-laden programs or executables hidden in email attachments. Once such a Trojan gets inside an employee’s computer, it can act in various ways, such as sending copies of documents or spying on the employee’s computer activity.
- Phishing is yet another method used by cyber criminals. It includes the use of e-mails that appear to originate from a trusted source to trick an employee into entering valid credentials on a fake website.
Social engineering can be used either to extract information or to penetrate the company’s defenses in order to implant malware that can spread through the organization and cause massive damage, as happened in the case of Target’s breach in 2013.
Another example of a spear phishing attack targeted Danish architecture firms in March 2015.
How can social engineering attacks be prevented?
- The most important advice for companies is to invest in educating their employees about cyber security. If employees learn how to protect their data and the company’s confidential data, they’ll be able to spot a social engineering attempt and mitigate its consequences. Additionally, they can become more vigilant and become a much-needed security layer themselves.
- Periodic cyber security assessments are also necessary, because companies evolve, they grow, they change — and the information flow changes within the organization. Consequently, penetration testing should be carried out on a regular basis and lead to actionable recommendations that can improve data security across the organization.
- Additionally — I always recommend companies who haven’t done this yet — define and implement a thorough security policy. This is the type of policy that is worth investing in, because it can have a huge impact on the organization and prevent cyber attacks from happening and leading to serious consequences.
Shobha Mallarapu is the President and CEO of Anvaya Solutions, Inc., a cyber security company. She has been featured in Business Journal articles on security and has taught hundreds of businesses on cyber security. Anvaya Solutions, Inc. has trained thousands of employees on security awareness in various organizations.
The common social engineering attacks on companies include...
1. Phishing: This is one of the most common attacks that entices employees to divulge information. An email impersonates a company or a government organization to extract the login and password of the user for a sensitive account within the company, or hijacks a known email and sends links which, once clicked, will embed malware or a Trojan on the computer of the user. Hackers then take the reins from there.
Similar attacks by phone, with the caller claiming to be a trusted source or an authorized organization, also can lead to employees revealing information that may be detrimental to the bottom line of the company or its reputation.
2. Information Sharing: Sharing too much information on social media can enable attackers to guess passwords or extract a company's confidential information through posts by employees. Security awareness is the key to preventing such incidents. Developing policies, training employees, and implementing measures, such as warnings or other disciplinary actions for repeat or serious incidents, will mitigate the risk of social engineering attacks.
If you are not expecting an email, type the link address instead of clicking on it. Or, call a person to confirm that the email came from them. The same principles apply to phone phishing attacks. Tell them you will call back and get their number. Make sure that number belongs to a valid organization by using a phone lookup before calling them.
Elvis Moreland, CISSP-ISSEP, CGEIT, CISM, NSA IEM-IAM, CNSS 4012-4015-4016, is a Computerworld Magazine Premier 100 IT Leader and Chief Information Security Officer (CISO).
One of the most common social engineering attacks today is...
A Spear Phishing attack. This is an email that delivers malicious content via a web-link or attachment in an email.
1. Never open links or attachments from unknown sources. If in doubt, report it!
2. If the email seems to be from a normal source, ask yourself "Why would they want me to open this link or attachment? Is that normal behavior?" If not, report it!
3. When in doubt, double check the source, content, and/or ask for help from your IT security or cybersecurity department.
4. In a corporate setting, your business should be protected by using one of various, if not several combined, network security architectural appliances or countermeasures, such as an SMTP gateway with scanning and/or some filtering mechanism to help you tag or remove questionable email campaigns and content.
5. Never solely rely on just anti-virus or firewalls to protect you from these types of advanced attacks. They arrive bearing variants of malicious content that cannot be detected by blacklists or signature-based countermeasures (AV or firewalls) alone, because they just can't keep up.
Greg Mancusi-Ungaro is responsible for developing and executing the BrandProtect market, marketing, and go to market strategy. A passionate evangelist for emerging technologies, business practices, and customer-centricity, Greg has been leading and advising world-class marketing initiatives, teams and organizations for more than twenty-five years. Prior to joining BrandProtect, Greg served in marketing leadership roles at ActiveRisk, Savi Technologies, Sepaton, Deltek, Novell, and Ximian, building breakthrough products and accelerating business growth. He is a co-founder of the openSUSE project, one of the world's leading open source initiatives.
Common quick cash-grab social engineering schemes usually involve...
Variations of the stranded traveler scam. In this type of scam, a social engineer sends their target an email that appears to be originating from a trusted colleague's personal email account. After a quick explanation of why they can't use the company email system, such as a lost/broken computer, VPN connection issues, or forgotten Outlook Web access domain, they claim that they are stranded in a far off place and need money wired to them. As this social engineer has access to your email, he or she knows who your colleagues are and can create a pretty convincing story.
Another common class of social engineering attacks occurs outside of the business environment, on social networks and other social media sites. There, social engineers will copy profiles, substitute headshots and literally steal an entire online identity, which they can then use to friend others at your firm or at other establishments, parlaying the stolen identity into a series of seemingly legitimate online friendships. From that moment forward, it's only a matter of time before the next social engineering ask is made.
Far more serious, however, are the social engineering schemes where the friend request involves using the company network. For example, a colleague emails you late at night and claims to have forgotten the VPN access code — this is a suspicious email to receive, and likely a social engineering attack. As a second example — and an even more sophisticated approach: Imagine a social network friend sending you an email with a cover letter and resume attached, requesting that you forward it to your hiring manager. The email might have the name of the hiring manager or the name of an open position, but in either case, it's a very effective approach. Meanwhile, behind the scenes, the social engineer is hoping you'll click on either document, unknowingly installing malware on your computer and infiltrating your company network.
Once a social engineer gains a trusted identity, or is accepted within a trusted circle of colleagues, they will leverage that trust to gain access to other people, networks, IPs, or corporate assets. Social engineers usually have their eyes on something bigger than their unsuspecting targets; the innocent victims are just a convenient and easy way for the cybercriminals to get to a bigger prize.
So, how do you prevent social engineers from succeeding?
As a company, the easiest way is to diligently monitor for unauthorized emails that use your brand, and validate that the social domain profiles that carry your brand are owned by individuals who have the right to do so. For instance, recently, a BrandProtect client discovered that more than half of their branded online agents were actually not authorized agents. Some of that activity was innocent — some former agents forgetting to remove a logo — but some of it was masquerading and identity theft!
As an individual, the simplest way to reduce social engineering exposure is to always be sure of who you are communicating with. If there is the least bit of doubt, explain that you can't assist with the incoming request. If they claim that they are your friend, there are additional ways to gently validate someone's identity. For instance, they can call you on your cell phone or email your personal account instead. After all, if they are who they claim to be, they will easily be able to reach you via other forms of communication.
Much of the personal defense against social engineering may seem to be common sense, but companies should invest in employee education about these and other online risks. By simply raising awareness of these dangerous attacks, significant amounts of corporate risk will be mitigated.
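As an added example (not from the original roundup or any of the panelists), the Python below flags the colleague-impersonation pattern described above: a known colleague's name on an outside mail address, an excuse for avoiding the company mail system, and an urgent request for money or a VPN access code. The company domain, the staff directory and the three sample messages are all constructed assumptions, not real data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not from the page: the firm's own mail domains and a constructed
# staff directory mapping lower-cased display names to corporate addresses.
COMPANY_DOMAINS = {"example.com"}
DIRECTORY = {
    "dana reyes": "dana.reyes@example.com",
    "sam okafor": "sam.okafor@example.com",
}

# Excuses for not using the corporate mailbox (lost laptop, VPN trouble, etc.).
EXCUSE_RE = re.compile(
    r"(can'?t|cannot|unable to) (get into|access|use) (my |the )?"
    r"(work|company|corporate|office) (e-?mail|mail|account)"
    r"|\bvpn\b.{0,20}(down|not working|issues?|problems?)"
    r"|(lost|broken|stolen) (my )?(laptop|computer|phone)",
    re.I,
)
# The ask itself: money, pressure, or credentials such as a VPN access code.
ASK_RE = re.compile(
    r"\bwire\b|\bwestern union\b|\bgift cards?\b|\bstranded\b|\burgent(ly)?\b"
    r"|\baccess code\b|\bpassword\b|\bvpn (code|token)\b",
    re.I,
)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> dict:
    """Score one RFC 822 message (plain-text body) for the impersonation pattern."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    known_name = display.strip().lower() in DIRECTORY
    external = bool(from_domain) and from_domain not in COMPANY_DOMAINS
    reasons = []

    # A colleague's display name on a non-corporate address is the core tell.
    impersonation = known_name and external
    if impersonation:
        reasons.append(
            f"'{display}' is in the directory as {DIRECTORY[display.strip().lower()]}"
            f" but this message came from {addr}"
        )
    # Replies steered to yet another mailbox are a common follow-on tell.
    reply_mismatch = bool(reply_addr) and _domain(reply_addr) != from_domain
    if reply_mismatch:
        reasons.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")
    excuse = bool(EXCUSE_RE.search(text))
    if excuse:
        reasons.append("explains why the corporate mail system is not being used")
    ask = bool(ASK_RE.search(text))
    if ask:
        reasons.append("contains an urgent request for money or credentials")

    # Any single signal is weak on its own; require two that reinforce each other.
    suspicious = (impersonation and (excuse or ask)) or (excuse and ask)
    return {
        "from_name": display, "from_domain": from_domain,
        "impersonation": impersonation, "reply_to_mismatch": reply_mismatch,
        "excuse": excuse, "ask": ask, "suspicious": suspicious, "reasons": reasons,
    }


# Constructed sample messages (not real mail).
STRANDED_TRAVELER = """\
From: "Dana Reyes" <dana.reyes1987@freemail-example.net>
Reply-To: dreyes.travel@other-example.org
To: sam.okafor@example.com
Subject: Need a quick favour

Sam, I can't access my work email because my laptop was stolen on the trip.
I'm stranded in the airport and need $1,800 wired urgently. Will repay Monday.
"""

LEGIT_INTERNAL = """\
From: Dana Reyes <dana.reyes@example.com>
To: sam.okafor@example.com
Subject: Contract

Hi Sam, can you please send me the contract for signing? Thanks.
"""

NEWSLETTER = """\
From: "Weekly Deals" <promo@shop-example.net>
To: sam.okafor@example.com
Subject: Urgent: sale ends tonight

Our biggest discounts of the year end at midnight.
"""

if __name__ == "__main__":
    for name, raw in [("stranded", STRANDED_TRAVELER),
                      ("legit", LEGIT_INTERNAL), ("newsletter", NEWSLETTER)]:
        result = analyze_message(raw)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

A gateway rule built on this would quarantine or banner the message rather than drop it, so that a genuine colleague who really has lost a laptop is not silently cut off.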
David Howard has been a Certified Ethical Hacker since 2009, and has worked in the security segment of IT since. Recently, David founded PPL HACK, a Cincinnati-based company that offers free seminars across the country, including live hacking demonstrations, to help small and medium-sized businesses educate their staff to become better equipped to protect company data.
The most common types of social engineering attacks are...
As a Certified Ethical Hacker and founder of PPL HACK, I have done numerous intrusion attempts, and social engineering is both the most fun and the most common vector of attack on a company's data. Phishing email, by far, is the number one method, where a company is flooded with email that looks legitimate, but gets you to click a link, open a file, or install a program that has nefarious intent. You'll also find cloned and faked websites meant to steal your login or financial information for later use. In some cases, your computer is attacked just because it can be used as a bot in a larger network that can do many things. Botnets to attack sites are common, but what is becoming even more common is hijacking your computer's power to work in a larger network mining Bitcoin and other Alt-Coins for the financial gain of others.
Another of the more common attacks is a wireless man in the middle. That is where a wireless access point that is under the control of a hacker is placed within your environment so that all of your login and data traffic is funneled through a control point that can be logged and accessed. Using public/open WiFi at hotels, coffee houses, etc. also puts your data in a precarious situation. How to stop these attacks is an ongoing question, but there are steps you can use to mitigate them. Don't use the same passwords over and over again. Use pass phrases such as I W3nt to h@wa11 4 phun instead of words that can be guessed with dictionary attacks. VPNs, and not the free ones that are often a scam of their own, should be used on any wireless device used on a network outside of your control. When using a VPN properly, the data between you and the websites you visit is encrypted from prying eyes.
Oren Kedem brings over 15 years of experience in product management in the areas of Web Fraud Detection and Enterprise Security. Prior to BioCatch, Oren served as Director of Product Marketing at Trusteer (now part of IBM) and led the Anti-fraud e-commerce solution at RSA (now part of EMC). Oren also served in various product marketing and management positions at BMC covering the Identity and Access Management and Systems Management solutions. Oren holds an MBA and a BSc in Industrial Engineering from the Israel Institute of Technology (Technion).
The most common attacks on organizations are...
Referred to as Advanced Persistent Threats (APT). These attacks have two main phases: Reconnaissance and Attack. Social engineering plays a role in both. In the Attack Phase, detailed organizational, business, and internal process data is used to convince employees to perform an action aimed at exfiltrating sensitive documents, or performing an action (e.g. approve a transaction in an internal system).
Attacks use simple communication vehicles such as phone calls and email messages that seem to come from a trusted source — for example a call from the bank or an email from a customer or partner. During this communication, employees are asked to perform actions that are within the norm of business life (e.g., can you please approve this transaction?, can you please send me the contract for signing?).
These attacks are highly effective if the criminal has done his homework and has all the relevant information. Where do criminals get the information in the first place? Well...this is where the Reconnaissance Phase comes into play. At this phase, which may take anywhere from several months to a year (hence the Persistent in APT) the criminal typically infects a few organizational computers with spyware and patiently sifts information and access credentials.
Social engineering is used to convince employees to install malicious software or open a webpage or document embedded with harmful exploit code (i.e., code that knows to install software automatically). In one infamous case — the RSA breach — an HR admin opened an Excel sheet that was attached to an email (supposedly with HR-related stats) and infected her computer with malware. A few months later, code was stolen from RSA and, later, that code was used to attack Lockheed Martin in combination with other social engineering phone calls and emails.
So what can organizations do?
Educate employees to follow a few simple rules:
Rule #1: NEVER respond to unsolicited communications (email/phone) without verifying the identity of the person on the other side. The simple way to verify is to tell the person you will call them back on a verified phone.
Rule #2: NEVER open an attachment or access a site from an un-trusted / invalidated source. Many organizations have set up departmental unsafe computers for access to any document or site (either physical or as a remote VM). These computers are wiped out frequently and should never store sensitive data.
Rule #3: Change password and access frequently (every few months) and sporadically (do not have predictability on when passwords change as to not help fraudsters plan ahead).
Rule #4: Education, Education, Education. Share 'war stories' and industry experience with employees. They can't be cautious if they are not aware of the threats.
Roberto A. Rodriguez is the Head HumanFirewall at HumanFirewalls LLC. HumanFirewalls is an organization located in Delaware that prides itself on offering top of the line Security Services such as Security Awareness, Threat Intelligence, Network Security Monitoring, Compliance Management, Vulnerability Management, and Integrity Controls. HumanFirewalls understands that small/midsized companies rarely have the in-house expertise, the time, or the budget to implement the right security controls that could protect their organizations from threats that are now capable of avoiding detection and bypassing traditional security controls.
The most common social engineering attacks made on companies are...
Phishing & Spear Phishing
A Phishing email is a crafted email that pretends to be from a known trusted source and that could trick the user to download an attachment, click on a malicious link, or simply cooperate to provide sensitive information such as your passwords. These emails, for example, can be sent to an entire organization without targeting specific people in the company. Spear Phishing emails, on the other hand, are emails that are crafted specifically for a few people in an organization that could have valuable information for an attacker.
Phishing, in general, has been used a lot for the past couple of years by cyber criminals to break into an organization. Ranked #3 on the Verizon Report in 2014, it was made clear that cyber criminals are focusing more on the human factor instead of the technology in place. This is because it is not expensive to craft a phishing email. There are open source tools such as SET (Social Engineering Toolkit) that could help an attacker to circumvent high-end technology. Spam filters are great, but they end up being a fundamental layer of security to an organization if the attacker knows how to trick the user into cooperating without making him or her click on a link. One perfect example would be receiving an email from your bank asking you to call a number provided in the email to change your ATM PIN. The cyber criminal provides a number where he is waiting to forward the communication to the real bank while mirroring/capturing/sniffing the traffic or conversation, because the user trusted the number in the email.
How to prevent it?
Companies must approach security with proactive security controls addressing the human factor. Security Awareness Training programs are really helpful to reduce the risk of getting compromised and increase the level of awareness in the organization.
Vishing (Voice and Phishing)
This social-based attack tricks the user over the phone to reveal sensitive information regarding the organization. This one is very common in customer service departments, where they try to satisfy the customer over the phone and end up providing information that could be used to break into the network. Information varies and could include names of possible targets, hours of operations, financial or personal information, and even password resets.
How to prevent it?
Extensive Security Awareness Training to ensure the user understands what type of information they are allowed to reveal. Also, different technologies in place, such as NAC solutions, that limit the access to data that cannot be shared without authorization.
Tailgating or Piggybacking
This is a social-based attack that involves an attacker without authorized access and an employee with a low level of awareness. The way it works is by having the unaware user cooperate and provide the unauthorized person access to a restricted area. This is common in many organizations, because there are always people such as delivery guys from different institutions dropping packages and interacting with unaware users, creating a level of comfort and making it a routine. Once again, technology such as swiping cards to get into elevators or open doors in big organizations does not always work, and this is because all it takes is, "I forgot my badge, and I am late for a meeting. Would you mind?" to trick the user and gain access.
How to prevent it?
Once again, Security Awareness Training, where the user learns the different security policies put in place by the organization and is able to identify certain behaviors that might have put their organization at risk in the past.
Jayson is an Infosec Ranger at Pwnie Express, a well known conference speaker, and author of the book “Dissecting the hack: The F0rb1dd3n Network.” Pwnie Express provides continuous visibility throughout the wired/wireless/RF spectrum, across all physical locations including remote sites and branch offices, detecting “known-bad,” unauthorized, vulnerable, and suspicious devices.
Here’s a look at some of the most common social engineering attacks...
A common solution to all lies in enhanced awareness and employee training. Companies need to include security practices as part of their job descriptions and properly train employees to think critically and react appropriately to suspicious activities. How to mitigate attacks:
1. Spearphishing: Contrary to popular belief, today’s spearphishing attacks are highly calculated and carefully crafted to be relevant and un-alarming to the user. It’s not as easy as most people think to spot a spoof, so employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https://www.virustotal.com/.
2. The Rogue Technician: Under the guise of technicians or delivery people, stealthy social engineers walk right into organizations and can physically compromise the network. Employees should heed basic “stranger danger” trainings and ensure anyone who enters the building has an appointment or pre-established purpose.
3. Malicious Websites: Often, malicious websites are disguised as corporate or partner sites, and will prompt visitors to update Java/Adobe or install a specific plug-in. Users should always close the browser and open a new one to directly update Java or Adobe from their official sites. If users are prompted for a specific program or missing plug-in, they should close the browser and send an email to the website asking about the specific configuration issue.
With over 20 years of security management in several vertical markets, Patricia Titus has been responsible for designing and implementing robust information security programs, ensuring the continued protection of sensitive corporate, customer and personal information in her various positions.
Most recently, Titus served as the Vice President and Chief Information Security Officer at Freddie Mac and played a strategic role in the protection and integrity of Freddie Mac's information assets while transforming the information security program including the identity and access management program. Titus is also a member of the Visual Privacy Advisory Council.
While several technical solutions are available to prevent social engineering attacks, the weakest link is often...
The human. Only through rigorous training, education, and testing can you achieve a successful defense to this growing problem.
Common digital social engineering techniques are ones that trick or con our employees to provide information that leads to information reconnaissance, gaining access to systems, or criminal behavior including fraud.
To prevent social engineering attacks, start by addressing people, process, and technology, and taking the following steps into consideration:
- Develop and establish a targeted security awareness program centered on social engineering. Make it interesting and interactive.
- Create a social engineering security awareness marketing campaign within the company to help employees understand how the company is addressing the issue. Educate employees, partners, vendors, etc. about the threat and their responsibility to prevent it.
- Establish a framework and program of high trust or privileged employees.
  - These employees are allowed to handle the most sensitive information.
  - They have heightened training and testing.
  - The company performs enhanced background screening on regular intervals, including random drug testing and credit checking.
- Identify your critical data or data that would cause the greatest harm if exposed to social engineering. Enlist a third party to perform a risk assessment to determine any possible security gaps.
- Establish handling guidelines or policies for the critical data.
- Report to the executive level, or possibly the board, on the results of your social engineering tests, both positive and negative.
- Perform random and scheduled tests against all employees using social engineering techniques.
The technology selection is very diverse and specific to the data you need to protect from social engineering. It can involve the following technology programs or projects, but is not limited to these:
- Identity and access management
- Security incident and event management system
- Non-signature based malware technology
- Proxy blocking (both whitelisting and blacklisting)
- Inbound and outbound communication monitoring
Greg Scott is a veteran of the tumultuous IT industry. After working as a consultant at Digital Equipment Corporation, a large computer company in its day, Scott branched out on his own in 1994 and started Scott Consulting. A larger firm bought Scott Consulting in 1999, just as the dot-com bust devastated the IT Service industry. Scott went out on his own again in late 1999 and started Infrasupport Corporation, this time with a laser focus on infrastructure and security. He currently lives in the Minneapolis/St. Paul metro area with his wife, daughter, and two grandchildren. He holds several IT industry certifications, including CISSP number 358671.
Far and away, the most common social engineering attacks I've seen are...
Phishing emails. I must get 200 or more of them every single day. Every time I participate in another tech support forum, somebody must sell my email address to a new spammer/phisher. The most common of these lately are emails claiming to come from Amazon asking me to open a .zip or .doc file with the latest update. I get several asking for a tracking number for goods I allegedly shipped. Sometimes demanding them — just click on this document for the invoice I supposedly sent. Sometimes the first names in the emails match first names of people I know, so they social engineer me into opening the emails. But not the attachments.
Old-fashioned phone calls are making a comeback. Some of the bad guys these days have IP phones with caller ID numbers in my area code, which entices me to answer when they call. I took one this morning from a lady with a thick accent. She wanted to send me my $100 gift card that I had requested last week from somebody. When I asked who the somebody was, she said she didn't know, that her company fulfills orders from many customers and she had no way to know which customer this was. I told her no thanks.
And then there's always the fake tech support phone calls.
How to defend against it? Nothing I can do about the emails that come in. Spam filtering gets rid of some of it, but there's no substitute for good human judgment and no automation will be 100 percent effective. Whenever I think the email might be legit, I check the email header to see if it came from where it claimed to come from. The absolute best defense against this is old-fashioned, human vigilance. The same holds true for phone schemes.
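The header check Greg describes (does the mail really come from where the From line claims?) can be automated against the headers the receiving server itself wrote. The following is an added example, not code from the original post; the message, hosts and domains in it are constructed placeholders, and the rules (envelope sender, last delivering hop, SPF/DKIM verdicts) are this example's own assumptions about what "came from where it claimed" should mean.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real capture): From claims amazon.com, but the
# envelope sender, the delivering relay and the MX's SPF verdict disagree.
SUSPICIOUS_RAW = """Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
 by mx.example.com with ESMTP id 1234 for <me@example.com>; Mon, 5 Oct 2015 09:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Amazon Orders" <orders@amazon.com>
To: me@example.com
Subject: Your order update (see attached)

Please open the attached document.
"""

SPF_BAD = {"fail", "softfail", "permerror", "temperror"}

def address_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))

def auth_results(header_value):
    """Pull the spf/dkim verdicts out of an Authentication-Results header."""
    return {m: r.lower() for m, r in re.findall(r"\b(spf|dkim)=(\w+)", header_value or "")}

def check_sender_alignment(raw):
    """Compare what the From header claims with what the transport headers show."""
    msg = email.message_from_string(raw)
    from_domain = address_domain(msg.get("From"))
    envelope_domain = address_domain(msg.get("Return-Path"))
    auth = auth_results(msg.get("Authentication-Results"))
    # The topmost Received header was written by our own MX, so the sender
    # cannot forge it the way the From line can.
    received = msg.get_all("Received") or [""]
    hop = re.match(r"from\s+(\S+)", received[0])
    last_hop = hop.group(1) if hop else ""
    reasons = []
    if envelope_domain and not in_domain(envelope_domain, from_domain):
        reasons.append("envelope sender %s does not match From %s" % (envelope_domain, from_domain))
    if last_hop and not in_domain(last_hop, from_domain):
        reasons.append("delivering host %s is outside %s" % (last_hop, from_domain))
    if auth.get("spf") in SPF_BAD:
        reasons.append("SPF result is %s" % auth["spf"])
    if auth.get("dkim") == "fail":
        reasons.append("DKIM signature failed verification")
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "last_hop": last_hop, "auth": auth, "reasons": reasons}
```

Only the Received and Authentication-Results headers added by your own mail server are trustworthy; anything below them in the chain can be written by the sender.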
Ondrej Krehel, CISSP, CEH, CEI, EnCE, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters, from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal, and The New York Times, among many others.
Some of the common types of social engineering tactics include...
Phishing - a popular way of obtaining sensitive information and credentials from users by sending out mass emails that imitate the design and form of, for example, an email from a bank, car insurance provider, etc., in hopes of tricking users into giving up information. This information can later be used to open fraudulent credit cards or gain access to various online accounts.
Spear Phishing - a more sophisticated form of phishing. Attackers behind spear phishing campaigns typically know more information about the victims and target them specifically. For example, in the recent case of the LastPass breach, email addresses were stolen (along with other information). These will likely be abused: the attackers will send out an email to the owners of those mailboxes that resembles an official LastPass email and recommends that users change their passwords, but when the users do so, they are in fact sending it to the cybercriminals. Similarly, spear phishing is one of the most effective ways to breach a network. Victims will usually receive a spoofed email from someone in the company with an important document, which will usually install malware or some type of Trojan that will be used to compromise their computer. This initial attack vector has proven itself extremely effective and is often used in high level cyberespionage campaigns.
Another form of social engineering commonly exploited is phone calls. This can happen as a part of a larger scam or as a standalone scam.
Part of a larger scam:
Imagine an individual's bank account credentials get stolen by hackers. They are going to be unable to send money without entering a unique code that gets sent to the victim's phone. Scammers have been known to contact the victim before wiring the money out of the account and tell them a lie in order for the victim to share the unique code. They can say something such as: "Hi. We are seeing some suspicious activity on your account. In order to review the activity in question, we will need to verify that you are in fact the owner of the account. You'll be receiving a verification SMS shortly. Once you receive it, go ahead and read the code to me and we will proceed with the review." This is highly effective.
As a standalone scam:
You get a call from a person claiming to be a Microsoft tech support employee charged with contacting you about an error they are receiving from your computer. In order to fix the error, he will ask you to install one small program that he uses to diagnose the issue. This program will typically be malware, often with a keylogger and a Remote Access Trojan that they can abuse to steal your banking credentials, along with anything else they please. They will often also ask you to pay for the service via a credit card — and, sadly, many people fall for it. These are just a few examples of how social engineering in the digital realm can be used to commit crimes and victimize innocent people.
Amichai Shulman is the co-founder and CTO of Imperva. Amichai oversees the company's security and compliance research group, the Application Defense Center (ADC). The ADC has been credited with discovering vulnerabilities in commercial Web application and database products including Oracle, IBM, and Microsoft. He was also InfoWorld's CTO of the year in 2006.
When it comes to social engineering attacks, companies should understand...
Social engineering is one of the most powerful tools used by attackers and is probably at the very root of every major breach. There are a lot of misconceptions about how social engineering is mostly used, but the reality is far less glamorous than the perception, and often occurs over email.
Most of the cybercrime activity stems from massive infection campaigns that rely on mass scale social engineering. When distributed in large enough numbers, these messages are bound to find their target victim population and become effective. With some careful distribution (e.g. choosing addresses like firstname.lastname@example.org, email@example.com), these campaigns become even more effective with smaller distribution lists (which also makes it harder to detect them as spam).
Here are two very common email techniques that I have received in the past few weeks alone:
1. Match email to target audience
It's not uncommon to receive emails that seem perfectly normal and may be from a company you worked with previously, but are, in fact, infected. For example, I received an email from a law firm I had done business with. I noticed that the recipient list included every single contact in the lawyer's list, and was able to tell that this was done via automation tools. I'm sure that others on the list were fooled as they were likely waiting for information from this very lawyer and didn't suspect they were under attack. By making your emails look legitimate and relevant, many people wouldn't think twice about the email received.
I was recently sent an email from a travel agency that I had booked a trip with, and was sent a standard email from a separate account that was impersonating the sender's address. I would guess that the majority of people would fall prey to this attack, as the email looks like it came from a trusted address. In this case, attackers often get the information from their victim simply from a reply. What can we do?
While employee education is a necessity, infection is inevitable. Links will be clicked and attachments will be downloaded, opened, and executed because that is the job of the average employee. Organizations should focus on building a security suite that is fast in detecting a compromised machine or account, and then quickly and automatically quarantines whatever has been compromised, preventing further access to sensitive enterprise data.
Ken Simpson is Co-founder and CEO of MailChannels. Ken first experienced the excitement and magic of software when his father brought home one of the first IBM PCs in 1980, teaching him how to write simple programs in BASIC. Since then, he has combined his passion for software with entrepreneurism, founding or participating as an early-stage employee in four successful startups in a broad range of technical areas including Voice-over-IP, Wireless Internet, and of course anti-spam. Ken has a First Class Honors degree in Computer Engineering from Simon Fraser University and Santa Clara University. At the Messaging Anti-Abuse Working Group (MAAWG), Ken splits his time running the botnet and web abuse sub-committees, as well as assisting in the work of the outbound abuse sub-committee.
Social engineering is generally used to...
Widen an already existing breach of information. So for example, an attacker may have certain information about the employees within a company, and he uses that information to learn something new — for instance, a password to an internal system. There is a misconception that social engineering is a one-shot deal: a single faked call from the cable company, and suddenly millions of credit card numbers are stolen. Professional cybercriminals extract one piece at a time, slowly earning their way in deeper to the organization.
For example, RSA was famously hacked via social engineering to gain access to the SecurID infrastructure. The first step was to email two phishing messages to two groups of relatively low level employees. The subject was "Recruiting 2011", and the messages contained Excel malware that executed a zero-day attack against the employees' machines. Despite the Excel file being junk-foldered, at least one employee fetched it from junk and opened it, executing the malware and compromising their machine. Prior to the phishing messages, it's presumed that the attacker used social media such as LinkedIn to map the company's targets by name, and that they guessed the email addresses using a familiar pattern such as firstname.lastname@example.org. Once the malware was installed, the attacker perused files on the target system and accessed internal RSA web sites to determine higher value targets. With that information in hand, they moved toward the higher value targets and eventually to the data they were seeking.
Generally speaking, the most common social engineering attack these days is a spear phishing attack. In spear phishing — such as the RSA case outlined above — the attacker targets very specific employees with a message that they are likely to interpret as being genuine. The spear phishing message either earns a response containing information that allows the attacker to probe deeper, or directly results in malware installation. Either way, the next step is to proceed farther into the organization either electronically via vulnerabilities or via additional spear phishing emails to others in the organization located via internal directories.
Kurt started Technology Seed, LLC in June, 2000. Kurt is involved in most aspects of the business, including the “roll-up-your-sleeves” work. At his core, he’s a troubleshooter and enjoys the challenges that IT work brings. Kurt’s been known to catch a Bruins game with his kids from time to time.
The most common types of social engineering attacks carried out against companies include...
Email scams, while nothing new, are evolving from random email blasts to hundreds of thousands of targets, to targeted, deliberate email scam attacks. I wrote a blog article with examples here, but to summarize, email scammers are cleverly using social engineering as follows:
1. Research and select a target company.
   a. This is a significant change from historical attacks, which were random.
2. Purchase the required tools of the attack (an almost identical domain name to the target company's).
   a. This is a significant change, in that this attack actually costs the scammer money.
3. Select the appropriate executives of the target company.
4. Devise the scam, which usually involves a well-written email meant to exploit the trust of C-level executives who are too busy to properly vet their emails.
In the I.T. world, we find that no matter what steps we take, no matter what technology we implement, end-user training is the best protection against these types (and most types) of scams. Raise an eyebrow to anything that looks odd, just doesn't feel right or that you weren't expecting. If you're unsure, pick up the phone and call a trusted resource.
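A defensive counterpart to step 2 of the scam above (the near-identical domain) is to classify the domain of every inbound sender against the domains you care about before the message reaches a busy executive. The classifier below is an added example, not code from the original post or from Technology Seed; the protected domain, the homoglyph table and the distance threshold are constructed assumptions, and it deliberately ignores multi-part public suffixes (co.uk) and IDN homographs (xn--).

```python
# Constructed protected domain for the example; a real deployment would list
# the company's own domains plus those of key partners and vendors.
PROTECTED_DOMAINS = {"example-corp.com"}

# Character swaps that read alike in many fonts, folded to one form before
# comparison: "rn" for "m", "vv" for "w", "0" for "o", "1" for "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Edit-distance matching only applies to names long enough that a one- or
# two-character typo is unlikely to be a coincidence.
MIN_NAME_LEN = 5
MAX_EDITS = 2

def registrable(domain):
    """Reduce host.sub.name.tld to name.tld (simplification: single-label TLDs only)."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return ".".join(parts[-2:])

def fold_homoglyphs(s):
    """Normalise lookalike character sequences so exarnple == example."""
    for look, real in HOMOGLYPHS:
        s = s.replace(look, real)
    return s

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain, protected=PROTECTED_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unrelated', matched protected domain or None)."""
    full = domain.lower().rstrip(".")
    dom = registrable(full)
    name = dom.split(".")[0]
    for p in protected:
        p_name = p.split(".")[0]
        if dom == p:                       # the real domain or one of its subdomains
            return "trusted", p
        if name == p_name:                 # same name, different TLD: example-corp.co
            return "lookalike", p
        if fold_homoglyphs(name) == fold_homoglyphs(p_name):   # exarnple-corp.com
            return "lookalike", p
        if len(p_name) >= MIN_NAME_LEN and levenshtein(name, p_name) <= MAX_EDITS:
            return "lookalike", p          # exampel-corp.com, exanple-corp.com
        if p_name in full:                 # brand embedded: example-corp-billing.net,
            return "lookalike", p          # example-corp.com.attacker-host.net
    return "unrelated", None
```

Routing a "lookalike" verdict to a visible banner or a quarantine queue, rather than silently dropping the mail, keeps the human check Kurt recommends in the loop.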
Luis A. Chapetti
Luis A. Chapetti, Software Engineer and Data Scientist, Barracuda. Luis is part of the Barracuda Central Intelligence Team where he wears various hats handling IP reputation systems, Spydef databases, and other top security stuff on the Barracuda Real-time protection system.
When it comes to social engineering and preventing these types of attacks against your company, I recommend...
Once upon a time, hackers and spammers relied on blasting spam/phishing emails to as many eyes as possible to gain access to sensitive information via malicious attachments or links. The spam/phishing attempts have evolved to become extremely specific and, effectively, the most advanced persistent threats seen to date. Using social media tactics to find just about anyone, attackers have gotten great at personalizing phishing emails.
LinkedIn has provided a wealth of information about employees at just about any company. Facebook can assist the attacker by not only finding the C-level executives, but family members who may have access to a mobile device or machines that are connected to the network.
These are two commonly used elements in social engineering; to be safe, we recommend the following:
- Use a mobile device management system that carries the same strong level of security you would expect to see at your headquarters, everywhere you go.
- Segment the level of access. Be sure that the only people that have access to sensitive data have specific credentials to that data.
- Use a powerful email filter. Almost all successful attacks gain some kind of information or infect machines this way.
- LinkedIn and Facebook should be used to connect to only those you know or do business with. Treat it as such and remember it is not a popularity contest; this could prove costly in the end.
- Educate your employees and be sure they are aware of the potential risk of these types of social engineering attacks. The more they know, the better off your employees and company will be.