
What is social engineering?

Social Engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear phishing, and CEO Fraud are all examples.

How dangerous is it?

“…Many of the most damaging security penetrations are, and will continue to be, due to Social Engineering, not electronic hacking or cracking… Social Engineering is the single greatest security risk in the decade ahead.” — Gartner, 2010

Social Engineer

OK, so who are these people? It could be a hacker in the USA who is out to do damage or disrupt. It could be a member of an Eastern European cybercrime mafia trying to penetrate your network and steal cash from your online bank account. Or it could be a Chinese hacker trying to get into your organization's network for corporate espionage.


Top 10 Techniques Used By Social Engineers

Understanding the different attack vectors for this type of crime is key when it comes to prevention. This is how the bad guys do it:

Pretexting

An invented scenario is used to engage a potential victim to try and increase the chance that the victim will bite. It's a false motive usually involving some real knowledge of the victim (e.g. date of birth, Social Security number, etc.) in an attempt to get even more information.

Diversion Theft

A 'con' exercised by professional thieves, usually targeted at a transport or courier company. The objective is to trick the company into making the delivery somewhere other than the intended location.

Phishing

The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters. Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering. Also see Spear Phishing.

Spear Phishing

A small, focused, targeted attack via email on a particular person or organization, with the goal of penetrating their defenses. The spear phishing attack is carried out after research on the target and has a specific, personalized component designed to make the target do something against their own interest.

Water-Holing

This technique takes advantage of websites people regularly visit and trust. The attacker gathers information about a targeted group of individuals to find out which websites those are, then probes those websites for vulnerabilities and plants malicious code on one that can be compromised. Over time, one or more members of the targeted group visit the site, get infected, and the attacker gains a foothold inside the otherwise secure system.

Baiting

Baiting means dangling something in front of a victim so that they take action. It can be through a peer-to-peer or social networking site in the form of a (porn) movie download or it can be a USB drive labeled “Q1 Layoff Plan” left out in a public place for the victim to find. Once the device is used or malicious file is downloaded, the victim’s computer is infected allowing the criminal to take over the network.

Quid Pro Quo

Latin for 'something for something', in this case it's a benefit to the victim in exchange for information. A good example is hackers pretending to be IT support. They will call everyone they can find at a company to say they have a quick fix and "you just need to disable your AV". Anyone that falls for it gets malware like ransomware installed on their machine.

Tailgating

A method used by social engineers to gain access to a building or other protected area. A tailgater waits for an authorized user to open and pass through a secure entry and then follows right behind.

Honeytrap

A trick that lures a target into interacting with a fictitious attractive persona online, typically a fake woman courting a male target. It is borrowed from old espionage tradecraft, where a real person played the role.

Rogue

Also called rogue scanner, rogue anti-spyware, rogue anti-malware or scareware, rogue security software is a form of malware that deceives or misleads users into paying for the fake or simulated removal of malware. Rogue security software has become a growing and serious threat in desktop computing in recent years. It is very popular with criminals, and there are literally dozens of these programs.

 

Scary New Threats in 2018

  1. Exponential growth of the ransomware plague. This attack isn't going anywhere. We'll see a rise in attacks that exfiltrate data, giving the bad guys a secondary way to get ransom payments through threats of data exposure. Ransomware-as-a-service strains will also grow, allowing newbies to easily get in on the game; kits sell for anywhere from $10 to a few thousand dollars. Custom-made ransomware attacks focusing on high-value targets (e.g. healthcare organizations) have been on the rise, and that trend will continue. Expect POS systems to be shut down by ransomware in the near future.
  2. Pseudo-ransomware will continue to be used to distract organizations. They seem like ransomware on the surface, but really in the background hackers are just trying to infiltrate the organization. Multi-vector attacks including smishing, phishing and vishing will increase.
  3. Phishing automation - bots and intelligent scraping of social media and the dark web will make automated spear phishing a problem that is very hard to identify. The amount of data stolen in breaches over the last couple of years makes it very easy to automate mass spear phishing attacks.
  4. Extortion scams with a long tail for businesses and individuals. Rather than demanding immediate payment to get files back, a different tactic is to demand sensitive content in exchange (ransomware that demands nudes, or in the corporate world demands customer information before data is returned). Expect micro-ransomware: extortion one document at a time.
  5. Search result tampering that drives users to compromised websites is nothing new, but we will see an increase in this technique this year.
  6. Mobile malware - new families are on the way that will target smartphones and mobile-first users.
  7. Blame-ware and false-flag operations will increase. The European Union recently declared that cyberattacks can be treated as acts of war and that it will respond accordingly to countries carrying them out. Expect to see cyber propaganda operations that are engineered to spark controversy between countries, undermine democracies and destabilize trust globally. Watch out for related clickbait!

Real-World Examples

Phishing

A classic example is the tech support scam, and it comes in many varieties and levels of sophistication.

Over the past few years online service providers have been proactively messaging customers when they detect unusual activity on their users' accounts. Not surprisingly, the bad guys have used this trend to their advantage. Many of the emails are poorly designed, with bad grammar and the like, but others look legitimate enough that someone who isn't paying close attention will click.

Consider this fake Paypal security notice warning potential marks of "unusual log in activity" on their accounts:

[Image: fake PayPal security notice used in the phishing email]

Hovering over the links would be a dead giveaway that this is a phishing email, but enough targeted users click without thinking and scams like this continue. 
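
The hover check can be automated. The Python script below is an added example and not code from the original page: it parses the anchors in a constructed HTML message modelled on the notice above and reports the red flags a careful hover would also reveal: visible link text naming one domain while the href goes to another, an href pointing at a bare IP address, and a brand name buried in a hostname whose registrable domain is not the brand's. The sample HTML, every hostname in it and the KNOWN_BRANDS allow-list are assumptions made for the example; the registrable-domain helper keeps only the last two labels and so ignores multi-label suffixes such as co.uk.

```python
"""Flag HTML e-mail links whose visible text, hostname or brand does not match the real href.
Added example; not code from the original page. All URLs and hosts are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample modelled on the "unusual log in activity" notice described above.
# The brand name is real; every URL, host and path here is made up for this example.
SAMPLE_EMAIL_HTML = """
<p>We noticed unusual log in activity on your account.</p>
<p>Please <a href="http://paypal.com-secure-login.example.net/verify">log in to PayPal</a>
to confirm your identity within 24 hours.</p>
<p>Or visit <a href="http://198.51.100.23/pp/">https://www.paypal.com/myaccount</a></p>
<p>Questions? See <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""

# Assumption: a small allow-list of brands and the domain they really use.
KNOWN_BRANDS = {"paypal": "paypal.com"}

# Visible link text that looks like a URL or bare hostname; group 1 is the host shown.
_URLISH = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: 'login.paypal.com' -> 'paypal.com'.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the red flags for one link; an empty list means nothing suspicious."""
    flags = []
    host = urlparse(href if "://" in href else "http://" + href).hostname or ""
    real_domain = registrable_domain(host)

    if is_ip_literal(host):
        flags.append("href points at a bare IP address")

    shown = _URLISH.match(text)
    if shown and registrable_domain(shown.group(1)) != real_domain:
        flags.append(f"text shows {registrable_domain(shown.group(1))} but href goes to {host}")

    for brand, brand_domain in KNOWN_BRANDS.items():
        if brand in host.lower() and real_domain != brand_domain:
            flags.append(f"'{brand}' appears in the hostname but the domain is {real_domain}, not {brand_domain}")
    return flags


def scan_email(html):
    """Return [(href, text, flags)] for every link that raised at least one flag."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        flags = check_link(href, text)
        if flags:
            findings.append((href, text, flags))
    return findings


if __name__ == "__main__":
    for href, text, flags in scan_email(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for flag in flags:
            print("   -", flag)
```

Run against the constructed sample, the first two links are flagged and the genuine www.paypal.com help link passes, which is exactly the distinction the hover check is meant to teach. In a real mail gateway the registrable-domain logic should use a public suffix list rather than the two-label shortcut.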

Spear Phishing

In a spear phishing attack, threat actors use a deep knowledge of the potential victims to target them, and that approach allows them to tailor the attack. These emails are more convincing and harder to detect than regular phishing emails. The attacker knows exactly who and what they're targeting.

Unlike mass phishing emails which may be attempting to distribute ransomware or gather individual login credentials to make a quick buck, spear phishers are normally after confidential information, business secrets, etc.

CEO Fraud

Here's an example of a CEO fraud attempt targeted at a KnowBe4 customer. She received an email from an individual purporting to be the president of the company. The employee initially responded, then remembered her training and reported the email via our Phish Alert Button, alerting her IT department to the fraud attempt.

When the employee failed to proceed with the wire transfer, she got another email from the bad guys, who probably thought they had her fooled:

[Image: follow-up CEO fraud email pressing for the wire transfer]

Because this employee had gone through proper security awareness training, she was able to keep her company out of the headlines. This was a close call though, and not everyone is that lucky!
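
The red flags in an exchange like this can be checked mechanically before anyone reads the body. The Python snippet below is an added example, not KnowBe4's code or the Phish Alert Button: it parses a constructed message whose From display name is a company executive and looks for the header patterns typical of CEO fraud: a spoofed executive name on a foreign mailbox, a Reply-To that quietly redirects the conversation, a Message-ID minted outside the claimed sending domain, lookalike domains, and urgency language. The executive's name, the example.com domain, the mail-example.net lookalike and both sample messages are made up for the illustration.

```python
"""Header checks for executive impersonation (CEO fraud / BEC).
Added example; not code from the original page. Names, domains and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain and the people a
# fraudster is likely to impersonate, keyed by lower-cased display name.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield": "dana.whitfield@example.com"}
PRESSURE_WORDS = ("urgent", "wire", "transfer", "today", "do not call", "confidential")

# Constructed message modelled on the attempt described above: From is spoofed to the
# president's real address, but replies are routed to a lookalike domain.
SAMPLE_MESSAGE = """\
From: Dana Whitfield <dana.whitfield@example.com>
Reply-To: Dana Whitfield <d.whitfield.ceo@mail-example.net>
To: accounts.payable@example.com
Subject: Urgent wire transfer - handle today
Message-ID: <msg-77@mail-example.net>

I am in meetings all day. Please process the attached wire before 3pm. Do not call.
"""

# Constructed legitimate message from the same executive, for contrast.
LEGIT_MESSAGE = """\
From: Dana Whitfield <dana.whitfield@example.com>
To: accounts.payable@example.com
Subject: Q3 vendor review
Message-ID: <msg-78@example.com>

Please send me the vendor list when you have a moment.
"""


def domain_of(addr):
    """'user@host' -> 'host' (lower-cased); '' when there is no @."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return a list of red-flag strings for a raw RFC 5322 message; [] if none fire."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr)
    msgid_dom = domain_of(msg.get("Message-ID", "").strip().strip("<>"))

    # 1. An executive's display name on a mailbox that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' used with {from_addr}, expected {expected}")

    # 2. Reply-To silently redirects the conversation to another domain.
    if reply_addr and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")

    # 3. Claims to come from us, but the Message-ID was generated by another mail system.
    if from_dom == OUR_DOMAIN and msgid_dom and msgid_dom != OUR_DOMAIN:
        flags.append(f"claims {OUR_DOMAIN} but Message-ID was generated at {msgid_dom}")

    # 4. Domains that merely resemble ours (contain our first label but are not ours).
    for dom in {reply_dom, msgid_dom} - {"", OUR_DOMAIN}:
        if OUR_DOMAIN.split(".")[0] in dom:
            flags.append(f"{dom} is a lookalike of {OUR_DOMAIN}")

    # 5. Urgency and secrecy language in subject and body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    for flag in check_message(SAMPLE_MESSAGE):
        print("-", flag)
```

The constructed fraud attempt trips four of the five checks while the legitimate message from the same executive trips none. Note that check 1 only works because EXECUTIVES maps display names to real addresses; in production that list comes from the directory, and checks 2 to 4 should be complemented by SPF, DKIM and DMARC results rather than replace them.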

Social Media

Cybercriminals create bogus profiles on social media and try to trick you. They impersonate a celebrity they already know you like a lot, or one of your friends or colleagues. These profiles look very much like the real thing, and it's easy to get tricked.

Let's say you were tricked into believing a bogus social network profile is genuine. The next step is that they try to make you click on a link or install malicious software, often something supposedly needed to watch a video or review photos. If you click or run that install, it's highly likely you will infect your desktop with malware that allows the attacker to take over your PC.

Attacks

You may have heard of Norton antivirus, published by Symantec. The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead. “You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.” Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme. This means it does not matter if your workstation is a PC or a Mac. The last line of defense is… you guessed it: YOU! 


[Image: social engineering threat landscape diagram]

Examples of each factor in the threat landscape: 

Email

• Phishing
• Spear phishing
• CEO fraud (aka Business Email Compromise or BEC)

Social Media and Internet

• Reconnaissance
• Fake friends
• Watering hole attacks
• Use of breach data

Trends

• Ransomware
• Pseudo-ransomware
• False flag operations
• Extortion
• Automation
• Search result poisoning

Criminal Groups

• Malicious insiders
• Organized crime
• Hacktivists
• Nation states
• Terrorists

Attack Vectors

• Physical on-site attacks
• Endpoint
• Mobile
• Network
• Cloud
• IoT

How to prevent attacks?

We've pulled together some resources to help you defend against social engineering attacks. A good place to start is to ensure you have all layers of defense in depth in place. Keep reading below to find out how you can make yourself a hard target, get additional content for yourself and your users, and stay up to date with social engineering in the news via our blog.

Both your office and your family at home need effective security awareness training. That is what we do here at KnowBe4. Click on the links and learn more about how our Kevin Mitnick Security Awareness Training and Simulated Phishing platform can help you prevent attacks like this.

10 Ways To Make Your Organization A Hard Target 

"You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation."
— Kevin Mitnick

On-Demand Webinar: The Science and Methodology Behind Social Engineering

Join Stu Sjouwerman and Perry Carpenter as they provide fun and engaging examples of mental manipulation in everyday life, from the tactics used by oily car dealers to sophisticated social engineering and online scams. Additionally, they'll look at how to ethically use the very same levers when educating our users.




On-Demand Webinar:
Phishing and Social Engineering Trends in 2018:
Is the Worst Yet to Come?

Watch this insider's perspective on the cybersecurity trends to expect in 2018 from security expert and KnowBe4 CEO Stu Sjouwerman. The list of six predictions is founded on KnowBe4's deep insight into the threats that organizations experience today and should expect tomorrow.


Get Your Customized Automated Security Awareness Program

Many IT pros don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization. We’ve taken away all the guesswork with our Automated Security Awareness Program (ASAP), complete with helpful tips, courseware suggestions and a management calendar.

Answer 15-25 questions to get your customized program.


22 Social Engineering Red Flags 

We recommend that everyone review the 22 social engineering red flags to watch out for in any email. It might be a good idea to print out this PDF and pass it along to family, friends, and coworkers. Remember to always think before you click!

