What is social engineering?
Social Engineering is the art of tricking people into compromising security or disclosing confidential information. Why work hard to break into a network when someone will tell you the information you need over the phone or in person?
In Febuary 2017, a hacker called the help desk of the FBI and had the following exchange:
So, I called [the helpdesk] up, told them I was new and I didn’t understand how to get past [the portal]. They asked if I had a token code, I said no, they said that’s fine—just use our one. I clicked on it and I had full access to the computer.
In a few minutes, over $5 million was lost in personal, credit card, and classified information. Would an IT company fare any better?
In June 2015, Ubiquiti Networks Inc. fell victim to a CEO scam where they ended up transferring $46.7 million through a wire transfer to an attacker in China. Google and Facebook recently lost over $100 million due to a scammer sending fake invoices and contracts to employees demanding wire transfers. (Source)
Now imagine you are an HR representative and receive a panicked call or e-mail from the CEO demanding that you send all of the company’s W-2’s to them immediately. Similar scams have been estimated by the FBI in June 2016 to have stolen over $3.1 billion from 22,000 victims. The information these scams expose spike around tax return season and are sold on the black market for $4 to $20 a piece. (Source)
These social engineering attacks are costing companies their reputations and millions of dollars a year. Companies are spending thousands of dollars a year on antivirus software, firewalls, and other network security measures but all of that effort can be undone because hackers have found the easiest target: humans.
What are the most common types of attacks?
Comprising over 77% of social engineering attacks, phishing involves faking an IT help desk account, mimicking your brand look, or even purchasing a domain with a common misspelling of your legitimate domain. They typically offer a password reset form, with an old password field, which is what the hacker needs to gain entry into the account. Once they’ve obtained the user’s credentials, they can access the user’s machine in order to transfer funds out of their bank account or infiltrate the company’s network. Phishing attacks often impersonate banks and other financial institutions, even going as far as to use the official logo, web layout and name in the domain.
The social engineer will create an email address that looks like a C-level executive in your business. The attacker can purchase a fake domain that looks close to your actual domain. For instance, firstname.lastname@example.org (a fake domain that looks like ours) would get my attention, especially if they put our CEO as the “from” name.
The hacker commits (or pretends to commit) an attack in which they get the user to download an attachment and run it. The hacker then threatens the user that that they will lose their job or face legal ramifications if they don’t follow their instructions. If the hacker doesn’t have a specific target, they can send out emails to thousands of people, hoping to land just a few. They can also send the malicious software (often ransomware in this case) and demand payment in Bitcoins. In some cases, users can have their files unencrypted if they are able to get 5 other people they know to launch the ransomware.
The hacker compromises someone’s email or social media account looking for recent contacts that can be used as targets. They then will send infected mobile websites or documents to gain access to even more accounts to exploit.
The hacker leaves a USB drive, CD, phone or other storage device laying around an office and writes a tempting label on it, like “2017 Salary Information”. Once accessed, the malicious code is launched.
This attack typically happens at large organizations where a stranger wouldn’t be noticed as easily. The hacker will scout the smoking or other social situations and join the group, maybe even asking people what department they work in and striking up a casual conversation. When the group goes back into the office, the hacker follows the employees bypassing locks and key cards. As the hacker explores the building, if anyone asks who they are, they can always use one of the employee’s name – hoping that they don’t know the user. They’ll likely tour the office, looking for an open workstation in an isolated area and begin working on installing the malicious code. If anyone asks, they’re the new IT guy and they’re updating some common software like Flash or Java.
The Cable Guy
The hacker will dress up as a phone or cable technician and report to the front desk. They’ll ask to be escorted to the server room in order to work on the wiring or some other connection issue on the company’s end. In this scenario, the hacker might not even have to chat with someone in IT, as they may be shown to where they’re needed.
What can be done to prevent this?
Here are several tips that can help prevent social engineering:
- All employees must be trained to never provide confidential information or, for that matter, even non-confidential data and credentials via email, chat messenger, phone or in person to unknown or suspicious sources.
- If an email is received with a link to an unknown site, they need to avoid the instinct to click it immediately even if it seems to have been sent from one of their contacts. Often the email might seem to have arrived from one of their contacts but if they check the email address they will see that it is not legitimate.
- IT admins need to implement SPF checking, DKIM , TLS-encrypted email, and scanning outbound email for SSNs, credit card information, and other sensitive information.
- Before clicking on links both in emails and on websites keep an eye out for for misspellings, @ signs and suspicious sub-domains.
- When clicking on links sent via email or on websites, always keep a watch out for uninitiated or automatic downloads. All such activity should be reported immediately to your security manager and/or IT helpdesk.
- Webmasters should check their website regularly to look for private and confidential information that could have been uploaded mistakenly.
- Block all USB storage devices in order to reduce the risk of Baiting. Baiting is the digital equivalent of a real-world Trojan Horse, where the attacker tempts users with free or found physical media (USB drives) and relies on the curiosity or greed of the victim – if they plug it in, malicious software begins to infect the PC
- Follow the ATE – Awareness, Training and Education – security concept for all employees, no matter what level and what position they hold in the organization. While C-level employees are great targets, their admins can be even more powerful vectors for attack
- Use 2-factor authentication in order to make it more difficult for hackers to compromise your users’ passwords
- Implement a honey pot to detect ransomware infections to limit the damage caused
- Use AppLocker and/or Software Restriction Policies to whitelist known good applications – this will prevent any unknown executables from running on the PC and greatly reduce all forms of malware and viruses
- Send phishing tests to all users and if they fail, notify their supervisor and HR as well as making them re-train on your security policies. A great open-source tool is gophish.
Do you have any tools or suggestions you’d like to add? Please do so in the comments.