“Social engineering works. It seems to tap into psychological factors that are part of the human nature.”1
We’ve all heard the story. A friend of a friend wires money to a family member stranded in a foreign country, desperate for cash to get back home. An article claiming a celebrity has died floods Facebook newsfeeds for hours until the very-much-alive person breaks the silence. The common thread? A criminal is trying to gain access to someone’s sensitive information.
Deceptive tactics like this have been used for years as a way to extract information from people through psychological manipulation. The story hasn’t changed, but the tactics have evolved dramatically. Criminals have access to a vast array of public information about us and the things that interest us. Simply following Google Trends will tell you on an hourly basis what the majority of the online population is seeking information about. Our public profiles on LinkedIn tell the world where we work, and often our alma mater. By combining a piece of our identity, what we’re most likely interested in, and advanced malware, a cybercriminal can dupe the best of us with a simple malicious link which may as well be titled “Here’s something you’ll like, and thanks for the backdoor into your network!”
Social engineering attacks are often hard to spot due to their targeted, convincing nature, but this does not mean their malicious intent cannot be stopped. Take, for example, an email with the subject line “URGENT: Upcoming Bonus Payment for [Insert Your Name Here]” from a spoofed email address. The body contains formal language and an email signature with your company’s logo.
So far, so fooled.
Within the body, you find a link which insists you must update your contact information to receive this quarter’s bonus. Judging by the legitimacy and incentive established so far, you go ahead and click the link. Unbeknownst to you, simply visiting the URL has injected the first round of malware onto your computer through an exploit method known as cross-site scripting. Your address book containing co-worker, customer, and partner contact information is now being silently communicated back to the criminal’s operation center overseas.
So you get to the page, and again, see the same logo, along with a form asking for your updated contact information. Seems a little strange to be taken to “corporatebonusadvisor.com” instead of an internal site, but your company uses third-party vendors all the time, right? Within this form you input your name, mailing address, and to verify your identity – *cringe* – your social security number. Without using any malware at all during this stage, the criminals behind this attack now have critical elements of your identity in their hands.
The incentive established by putting your bonus payment on the line has clouded your judgment thus far, but when you click “submit”, something odd strikes you. In the corner of your browser, you spot “Waiting for hbrtefisdsj.ru…”, displayed for just a few seconds before you are redirected to a confirmation page. Now, there is no way your company is processing bonus payments through Russia. You’ve been phished. Taking the right step forward, you immediately contact your IT department and notify them of the attack. While the malware can be retroactively addressed, your personal information is in the wild, forever.
While social engineering attacks may not always be possible to stop at their inception, a combination of technology and educational awareness can blunt the impact of their malicious intent. Here are a few ways this type of attack can be averted:
- Education. From the top down or even amongst colleagues, everyone should be informed about what risks exist in cyberspace today. Schedule a training session, or pass along a best practices document outlining safe digital behavior.
- Email Security. Implementing an email security solution can filter out email from known malicious senders before it even reaches your inbox.
- Web Security. Before a malicious page is even allowed to load and deliver its payload, web security solutions will recognize the malicious intent and stop the page in its tracks.
- Data Loss Prevention. If an attacker simply wants to gather information through social engineering, sometimes malware will not even be used. Data Loss Prevention policies can prevent users from inputting specific types of information, such as SSNs, into web forms. Identity theft averted.
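To make the Email Security and Data Loss Prevention bullets concrete, here is an added example (not code from the original post or from any product it alludes to) that applies both ideas to the bonus-payment lure described above. It assumes a fictional internal domain `example-corp.com` and a constructed sample message; the sender and form hosts reuse the lookalike domain from the story. The email checker flags an external or lookalike sender, urgency language, and links that leave the corporate domain; the DLP check refuses to let a form field carrying an SSN pattern be posted to an external host.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the domains the organization actually sends mail from and hosts forms on.
INTERNAL_DOMAINS = {"example-corp.com"}

# Pressure phrases typical of the lure in the post.
URGENCY_TERMS = ("urgent", "immediately", "bonus payment", "update your", "verify your")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# US SSN in AAA-GG-SSSS form, excluding never-issued area (000, 666, 9xx), group (00) and serial (0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample message; no real sender, recipient or site.
SAMPLE_EMAIL = """From: "Payroll Department" <payroll@example-corp.com.corporatebonusadvisor.com>
To: jane.doe@example-corp.com
Subject: URGENT: Upcoming Bonus Payment for Jane Doe

Please update your contact information to receive this quarter's bonus:
http://corporatebonusadvisor.com/update?id=123
"""


def registrable_domain(host):
    """Last-two-labels heuristic; a production filter would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_internal(host):
    return registrable_domain(host) in INTERNAL_DOMAINS


def analyze_email(raw):
    """Return phishing indicators for a single-part text message and a simple count-based score."""
    msg = message_from_string(raw)
    _display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()

    link_hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    external_links = sorted({registrable_domain(h) for h in link_hosts if not is_internal(h)})

    findings = {
        "sender_external": not is_internal(sender_host),
        # Internal domain name embedded as a subdomain of someone else's domain.
        "lookalike_sender": not is_internal(sender_host)
        and any(d in sender_host for d in INTERNAL_DOMAINS),
        "urgency": any(t in text for t in URGENCY_TERMS),
        "external_links": external_links,
    }
    findings["score"] = sum(
        [findings["sender_external"], findings["lookalike_sender"],
         findings["urgency"], bool(external_links)]
    )
    return findings


def dlp_check_submission(form_fields, destination_url):
    """Return block reasons (empty list = allow) for a web-form POST.

    SSNs may still flow to internal HR systems; they are blocked only when the
    destination host is outside INTERNAL_DOMAINS.
    """
    host = urlparse(destination_url).hostname or ""
    ssn_fields = [name for name, value in form_fields.items() if SSN_RE.search(str(value))]
    if ssn_fields and not is_internal(host):
        return [f"field '{name}' carries an SSN bound for external host {host}" for name in ssn_fields]
    return []


if __name__ == "__main__":
    print(analyze_email(SAMPLE_EMAIL))
    # Constructed form data matching the story's "verify your identity" step.
    form = {"name": "Jane Doe", "address": "1 Main St", "ssn": "123-45-6789"}
    print(dlp_check_submission(form, "https://corporatebonusadvisor.com/update"))
    print(dlp_check_submission(form, "https://hr.example-corp.com/profile"))
```

The sender check is deliberately structural rather than reputation-based: the message in the story would pass a "known bad sender" list on its first day, but a display name of "Payroll Department" paired with an address whose registrable domain is not the company's is visible immediately. The DLP rule keys on destination plus data type, which is what stops the identity theft in the scenario even when no malware is involved.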
The tactics used to steal information will continue to evolve, and so will the methods we use to protect against them. Cyber security, now more than ever, requires a connected approach to staying safe which combines protection across multiple threat vectors, including the human user. Through educational awareness and advanced security technology, social engineers will only be able to stay disguised for so long.