Exploiting the Weakest Link - 'Humans' | Social Engineering
The weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows, or if have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate you are completely exposed to whatever risk he represents.
Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.
Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).
Security is all about knowing who and what to trust. It is important to know when and when not to take a person at their word and when the person you are communicating with is who they say they are. The same is true of online interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide your information?
Social engineering is an attack vector that exploits human psychology and susceptibility to manipulation victims into divulging confidential information and sensitive data or performing an action that breaks usual security standards.
Using a compelling story or pretext, these messages may:
Urgently ask for your help. Your ’friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home and they tell you how to send the money to the criminal.
Use phishing attempts with a legitimate-seeming background. Typically, a phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.
Ask you to donate to their charitable fundraiser, or some other cause. Likely with instructions on how to send the money to the criminal. Preying on kindness and generosity, these phishers ask for aid or support for whatever disaster, political campaign, or charity is momentarily top-of-mind. Covid19 ( Post March 2020, saw a spate to these kind of attacks across the world, many well know celebrities lost a lot of money because of this.)
Present a problem that requires you to "verify" your information by clicking on the displayed link and providing information in their form. The link location may look very legitimate with all the right logos, and content (in fact, the criminals may have copied the exact format and content of the legitimate site). Because everything looks legitimate, you trust the email and the phony site and provide whatever information the crook is asking for. These types of phishing scams often include a warning of what will happen if you fail to act soon because criminals know that if they can get you to act before you think, you’re more likely to fall for their phishing attempt.
Notify you that you’re a ’winner.’ Maybe the email claims to be from a lottery, or a dead relative, or the millionth person to click on their site, etc. In order to give you your ’winnings’ you have to provide information about your bank routing so they know how to send it to you or give your address and phone number so they can send the prize, and you may also be asked to prove who you are often including your social security number. These are the ’greed phishes’ where even if the story pretext is thin, people want what is offered and fall for it by giving away their information, then having their bank account emptied, and identity stolen.
Pose as a boss or coworker( CEO Phishing). It may ask for an update on an important, proprietary project your company is currently working on, for payment information pertaining to a company credit card, or some other inquiry masquerading as day-to-day business.
And it's not just employees organizations need to worry about. Third-party vendors are frequently the largest security threat, all it takes it one third-party to be breached to expose sensitive data.In general, social engineering success relies on a lack of cyber security awareness training and a lack of employee and vendor education. Employees are the first line of defense and are frequently the weakest link in an otherwise secure defense in depth strategy.
Why do cybercriminals use social engineering?
Cybercriminals use social engineering techniques to conceal their true identity and present themselves as a trusted source or individual. The objective is to influence, manipulate or trick victims into giving up personal information or gain unauthorized access in an organization.Most social engineering exploits people's willingness to be helpful. For example, the attacker may pose as a co-worker who has an urgent problem e.g. an overdue invoice. Social engineering is an increasingly popular way to subvert information security because it is often easier to exploit human weaknesses than network security or vulnerabilities.
That said, social engineering can be used as the first stage of a larger cyber attack design to infiltrate a system, install malware or expose sensitive data.
How does social engineering work?
Social engineers use a wide range of social engineering tactics that rely on the six principles of influence.That said, the first step for most social engineering attacks is to gather information on the target. For example, if the target is an organization, attackers can exploit poor OPSEC practices to gather intelligence on corporate structure, internal operations, industry jargon, third-party vendors and other publicly accessible information listed social media profiles, online and in person.
In many cases, the first target will be a low level employee whose login credentials can be used to gain access to internal information that can be used for spear phishing or other more targeted cyber threats. Social engineering attacks expose sensitive information, like social security numbers or credit card numbers, and lead to data breaches and data leaks of personally identifiable information (PII) and protected health information (PHI).
What are the six principles of influence?
All social engineering techniques rely on exploiting aspects of human interaction and decision-making known as cognitive biases. Think of biases as vulnerabilities in human software which can be exploited just like software-based vulnerabilities listed on CVE.
Social engineering relies heavily on Robert Cialdini's, Regents' Professor Emeritus of Psychology and Marketing at Arizona State University and best-selling author, theory of influence based on six principles:
Reciprocity: People tend to want to return a favour, which explains the pervasiveness of free samples in marketing. A scammer may give the target something for free and then request access to sensitive information.
Commitment and consistency: If people commit, orally or in writing, to a goal or idea, they are likely to honor the commitment because it fits with their self-image, even if the original motivation is removed.
Social proof: People tend to do things other people are doing.
Authority: People tend to obey authority figures even if asked to do objectionable acts. This is why spear phishing campaigns that use the CEO's name and target low-level employees can be successful.
Liking: People are easily persuaded by people they like, hence why spear phishers will often masquerade as a colleague or friend in their spear phishing campaigns.
Scarcity: Perceived scarcity increases demand, hence why social engineers often create a sense of urgency.
What are the types of social engineering attacks?
Common social engineering attacks include:
Baiting: A type of social engineering where an attacker leaves a physical device infected with a type of malware in a place it will be found, e.g. a USB. The victim inserts the USB into their computer and unintentionally infects the computer with malicious software.
Diversion theft: Social engineers trick a delivery company into sending the package to a different location and intercept the mail.
Honey trap: A con artist poses as an attractive person online to build up a fake online relationship to make money or gather personally identifiable information (PII) like the victim's phone number and email account.
Phishing: Phishing attacks gather sensitive information like login credentials, credit card numbers, bank account details by masquerading as a trusted source. A common phishing scam is use email spoofing to masquerade as a trusted source like a financial institution to trick the victim into clicking a malicious link or downloading an infected attachment. Phishing emails often create a sense of urgency to make the victim feel that divulging information quickly is important. Despite being a relatively unsophisticated attack, phishing represents one of the largest cybersecurity risks.
Pretexting: Pretexting is lying to gain access to personal data or other privileged information. For example, a fraudster may pose as a third-party vendor, saying they need to know your full name and title to verify your identity.
Quid pro quo: A quid pro quo attack uses the human tendency of reciprocity to gain access information. For example, an attacker may provide free technical support over a phone call to a victim and request that they turn off their anti-virus software or install a trojan that takes control of their operating system.
Rogue security software: Rogue security software or scareware is fake security software that claims malware is on the computer. The end user receives a pop-up that demands payment for removal. If a payment isn't made, pop-ups will continue but files are generally safe.
Spear phishing: Spear phishing is an email spoofing attack targeting a specific organization or individual. Spear phishing emails aim to infect the victim with ransomware or trick them into revealing sensitive data and sensitive information.
Smishing: Smishing or SMS phishing is phishing performed over SMS rather than the traditional medium of email.
Tailgating: Tailgating or piggybacking is when an attacker follows a person into a secure area. This type of attack relies on the person being followed assuming the person has legitimate access to the area.
Vishing: Vishing or voice phishing is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype. Vishing paired with voice deep fakes is a massive cybersecurity risk. According to The Wall Street Journal, the CEO of a UK-based energy firm sent $243,000 to an attacker's bank account believing he was on the phone to his boss.
Waterholing: A watering hole attack is when an attacker targets a specific group of people by infecting a website they know and trust, e.g. by exploiting an outdated SSL certificate, typosquatting, lack of DNSSEC or domain hijacking.
Whaling: Whaling is a form of spear phishing targeting high-profile individuals like public company executives, politicians or celebrities. For example, whaling attacks often come in the form of a fake request from the CEO asking the HR department to change their existing payroll details to those set up by the phisher.
What is the best defense against social engineering?
Organizations can reduce the cybersecurity risk of social engineering by:
Training employees: Security awareness training that is relevant to the employee's position can reduce the risk they'll fall prey to a social engineering attack, e.g. outline what to do when asked for information via email and when someone tries to tailgate them into the office.
Processes: Establishing an information security policy that outlines what to do to avoid social engineering and have an incident response plan to react to data breaches and data leaks to reduce the impact of any one social engineering attack.
Scrutinize information: Teach employees to scrutinize every email they receive and every device they plug into their computer. By identifying what information is sensitive and evaluating how it could be exposed during a social engineering attack can help organizations build in countermeasures and mitigate cybersecurity risk.
Security protocols: Establish and information risk management program that has security protocols, policies and procedures that outline how to handle data security.
Test: Test your organization and perform social engineering attacks against it. Send fake phishing emails designed to test whether staff engage with the message, click links and download attachments.
Inoculation: Just like vaccination, your organization can become more resistant to social engineering attacks if they are exposed to them frequently, this is why testing multiple times a year is important.
Review: Review your countermeasures and training against social engineering attacks over time and improve or discard outdated information.
Waste management: Use a secure waste management service so social engineers can't gather information about your organization from the dumpster and use it to launch spear phishing or other targeted social engineering campaigns.
Multi-factor authentication: Require users to know something (password), have something (token) and be something (biometrics) in order to make a payment or perform a sensitive action.
Operations security: OPSEC is a process that identifies friendly actions that could be useful for a potential attacker if properly analyzed and grouped with other data to reveal critical information or sensitive data. By employing OPSEC practices, organizations can reduce the amount of information social engineers can gather.
Vendor risk management: It's no longer enough to solely focus on your organization's cyber resilience and cybersecurity. Third-party vendors are increasingly processing large amounts of personally identifiable information (PII) and protected health information (PHI), which makes them prime targets for social engineers who want access to personal data. Develop a third-party risk management framework, vendor management policy and perform a cyber security risk assessment before onboarding new vendors or continuing to use existing vendors. It's much easier to prevent data breaches than clean them up, especially once data has been sold on the dark web. Look for software that can automate vendor risk management and continuously monitor and rate your vendors' cyber security rating.
Leaked credential detection: It can be hard to know when credentials have been exposed during a phishing attack. Some phishers may wait months or years to use the credentials they collect, which is why your organization should be continuously scanning for data exposures and leaked credentials.
What are examples of social engineering attacks?
The most famous social engineering attack comes from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy, where soldiers hid in a giant wooden horse presented to the Trojan army as a gift of peace.
A more recent example was the successful social engineering attack that led to the 2011 data breach of RSA. Attackers sent two phishing emails over two days to a group of RSA employees with the subject line of "2011 Recruitment Plan" and an infected Excel document that exploited an Adobe Flash vulnerability (CVE-2011-0609).
In 2013, Target suffered a massive data breach which started with a third-party vendor falling for a phishing email. The email contained a trojan and enabled the attackers to gain access to Target's POS system that resulted in the theft of 40 million Target customers' credit card details.