Social Engineering Tricks Used Against YOU
BY ZACH CROSMAN
Cybersecurity is a never-ending cycle of patching vulnerabilities and fixing weak configurations, but it is very common to overlook the biggest vulnerability: people! It can start with something as simple as opening a document with malicious functions or taking a phone call from the “IT team”. According to the Verizon Data Breach Investigations Report, social engineering is the leading technique that results in a data breach.
Phishing emails are the most well-known type of social engineering. Everyone has received an email that was blasted out to thousands of people. These emails are usually easy to pick out with basic training, but they can get much more advanced. You might also have seen some that included your name, address, or other information that would make you trust the sender. These details are included to make the emails look more legitimate. Phishing can also be broken down into more specific categories. Spear phishing is when a specific person is targeted, and these attempts usually contain more specific information to make them more believable. They are often aimed at high-value targets who have a higher level of access or certain privileges.
Although phishing is the most common type of social engineering, there are other approaches that everyone should be aware of. Another technique works through SMS messages (smishing). These are similar to phishing emails in that they can be mass-spammed texts or targeted attempts against specific people. SMS messages usually follow the same approach as phishing emails, but it is more common for them to carry a link whose goal is harvesting valid credentials. Another less common but very effective technique is vishing (voice phishing). Vishing can be used on its own or in combination with other social engineering techniques to make them more effective. This type of attack has evolved with technology over the last few years. In 2019, an AI was used to mimic a CEO’s voice and instruct an employee to transfer money to the malicious actor’s account. This is a perfect example of why you should always confirm requests through two different channels when possible.
There are many different techniques a malicious actor can use to gain access to a target’s computer. Usually, this step still requires some action by the victim. Attachments such as Word or Excel documents are commonly used in business and may not stand out as suspicious, but these documents can run malicious macros, which can give an attacker access to the computer without the target noticing. Although Microsoft is adding preventative measures for Office file types, this will likely remain a technique for gaining access to a target’s computer. Other file types can be used as well, so it’s important to always pay attention to attachments. If you see any document or file that you aren’t expecting, or that comes from somebody you don’t know, you should be very cautious. Credentials are also a high-value target for these social engineering campaigns, and the emails used to harvest them can be very tricky. Emails and logon portals can be cloned very easily to look exactly like they come from a trustworthy source. Always pay attention to the details, such as the sender’s actual address and the URLs behind links.
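The details this paragraph tells readers to check can also be checked mechanically. The following Python is an added example, not code from the original post: it parses a constructed sample message and flags a display name that name-drops the trusted domain while the real address is elsewhere, a link whose visible text points to a different site than its target, and a macro-enabled Office attachment. The trusted domain `example.com` and the sample message are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not a real message): a display name that name-drops the trusted
# domain, a link whose visible text differs from its target, and a macro-enabled attachment.
SAMPLE_EMAIL = """\
From: "IT Helpdesk (example.com)" <helpdesk@example-com.test>
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://login.example-com.test/portal">https://login.example.com</a></p>
--b1
Content-Disposition: attachment; filename="quarterly_report.xlsm"

(binary content omitted)
--b1--
"""

MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".xlam")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    # Crude "organization" part of a hostname: its last two labels.
    return ".".join(host.lower().split(".")[-2:])

def find_phishing_indicators(raw, trusted_domain):
    """Return warnings for a raw RFC 822 message; trusted_domain is the org's own domain."""
    msg = message_from_string(raw)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if trusted_domain in display.lower() and registrable(sender_domain) != trusted_domain:
        warnings.append(f"display name claims {trusted_domain} but sender is {addr}")
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(MACRO_EXTENSIONS):
            warnings.append(f"macro-enabled attachment: {filename}")
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in LINK_RE.findall(html):
            shown = urlparse(re.sub(r"<[^>]+>", "", text).strip()).hostname or ""
            real = urlparse(href).hostname or ""
            if shown and registrable(shown) != registrable(real):
                warnings.append(f"link text shows {shown} but points to {real}")
    return warnings
```

Running `find_phishing_indicators(SAMPLE_EMAIL, "example.com")` returns three warnings, one for each detail the text describes; a message with no such mismatches returns an empty list.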
Another often overlooked technique is physical social engineering. This usually isn’t covered as well in training because it is viewed as an obvious, lower risk. These attacks may sound simple, but they can lead to malicious actors obtaining valuable information or connecting a discreet device, such as a custom Raspberry Pi, to the network. A device with access to the internal network is very similar to an attack that starts by compromising an employee’s computer and can lead to the same results. Jayson Street gave a great talk at DEF CON (viewer discretion is advised) that covered his experience performing physical social engineering engagements. He showed how easy it is to take advantage of poor physical controls. He also stated that this is the biggest risk to organizations, though that obviously depends on the training and controls a business has in place. The best and most basic advice for these types of attacks is: don’t assume someone or something belongs if you aren’t sure.
Failing to identify social engineering can lead to severe consequences. The goals of these campaigns vary, but most of them tie back to financial gain or valuable information. It’s also important to consider that social engineering isn’t limited to basic campaigns: very advanced APT groups often lean heavily on social engineering to gain initial access. Besides basic mitigations like web filtering, antivirus, and an IDS/IPS, the number one way to prevent these attacks is user training! All it takes for one of these attacks to succeed is a single user who fails to recognize it. If your business is interested in learning more about protecting itself from social engineering attacks, contact our team for assistance at www.sixgen.io.