Getting Smart on Social Engineering
Human hacking — commonly referred to as ‘social engineering’ — predates computers. How can you avoid being manipulated into disclosing information that should be kept close to the vest?
Whenever we hear of a cybersecurity incident, the first thing that many people picture is a dark-hooded hacker sitting behind a computer who has used their super l33t skills to penetrate the network of a company and take all the company’s data.
What occurs more commonly is a breakdown at the human level. Yes, we, the folks that use our computers and phones for everything from email and web surfing to banking and shopping are the weakest link in the security chain. It’s not for lack of wanting to be secure. Bad actors are clever at always finding innovative ways to extract that information from us, by capitalizing on one of the foundational traits of human nature: Trust.
Bad actors are clever at always finding innovative ways to extract that information from us, by capitalizing on one of the foundational traits of human nature: Trust.
Human hacking — commonly referred to as ‘social engineering’ — predates computers and has been used as a method manipulate people into giving up information that should generally be kept close to the vest. It’s no surprise that social engineering found its way into the cybersecurity world, considering the wealth of data that flows through the internet and is stored in huge data lakes by corporations. Your data has a monetary value to it and bad actors can easily use it for a variety of illegal activities.
How Social Engineering Takes Place
As infrastructure and application security postures have improved, the need to manipulate a person into performing an action that could compromise systems has become more prevalent.
This could take the form of:
- Phishing — Sending emails that contain a malicious link or document to a broad group of people in the hopes one of them will take the bait
- Spear Phishing — Similar to phishing but this is generally a targeted attack focused on someone with specific information or access rights to important systems (like a CEO or system administrator)
- SIM Swapping — When a bad actor convinces a cell carrier that they’re the owner of a specific phone number in order to “swap” out their SIM card and take over the number, generally to gain access to services that require SMS-based MFA
- Smooth Talking Criminal — Manipulating a customer service agent to give up a customer’s personal information
In most cases, these types of campaigns are low-cost, simplistic efforts that could have catastrophic effects both technically and personally. Security researcher @mzbat summed it nicely when discussing how pervasive social engineering is in terms of business email compromises:
Her statement reinforces the notion that human behavior is one of the biggest contributors to compromise and not necessarily the sophistication of the attackers. Powerful tools like Dave Kennedy’s The Social Engineer Toolkit make it trivial for anyone to spin up a campaigns that can mislead users into giving up credentials or engaging in behavior that could be dangerous and insecure.
Many companies don’t have the internal capabilities to properly educate their staff on security best practices and in a world of “bring your own device”, the threat landscape is now impacted by the personal devices of their employees. This is why there’s a whole industry evolving solely around building security awareness.
When It Becomes Personal
The most prevalent of the social engineering efforts seen are email-based phishing attacks and due to the increasing number of data breaches, criminals are adjusting their tactics to capitalize on the breadth of breached information available to personalize their attempts. There have been numerous examples of phishing emails that include some form of an extortion attempt and use a target’s legitimate password as supposed proof that they have some embarrassing information on the person. Breach data dumps are easy to come by making it easy to personalize these emails and scare a recipient into paying the extortion via an anonymous payment source.
In fact, the Microsoft Security Intelligence Report shows that from January 2018 to January 2019, there was a 350% increase in percentage of emails associated with phishing out of all inbound emails:
Threat actors aren’t standing still.
Although organizations are adopting the latest and greatest email threat protection security technology, tools alone won’t help. End users need to be alert and savvy enough to fend off email-based phishing attacks. Key guidance to mitigate risk includes: taking screen captures of and reporting all suspicious emails to the IT or IT security team and, despite temptation — such as the lure of a free vacation or gift card from a well-known retailer — not opening those emails nor clicking any links.
Taking this a step further, think about all of the personal information that we share on social media. It goes without saying that your data is never really private, even if you set up your privacy settings. A determined threat actor can easily get access and even use data aggregation sites like Pipl.com or Spokeo to create a profile of you that can be used to further personalize their phishing emails. Worse, social media information can be used to break past the verification questions commonly used to validate a person’s identity, resulting in potential identity theft issues.
This precise issue with identity theft has led to a rise in SIM swapping victims, who not only suffer the inconvenience of having their physical phone disconnected but then risk losing access to specific accounts that require SMS-based authentication. Criminals will “SIM swap” for something as minor as taking over an Instagram account, merely because they liked that username.
The Real World
Social engineering isn’t limited to the online world. Professional penetration testers employ all types of techniques to get past physical security as well.
In one example, penetration tester Jek Hyde donned a fake pregnancy prosthetic in attempt to gain sympathy from targeted employees. Despite the company’s badge-scanning policy, many employees held the door for her while she wore the prosthetic.
Many companies have a “one swipe, one entry” rule. Basically, it means that every person needs to swipe their badge to ensure they’re allowed access into an area. Not only is this a security concern but a safety one as well.
In reality, employees struggle with how their peers may perceive them if they comply with the security process and don’t “just let them in.” We all experience discomfort even when we see someone who didn’t swipe in — Do you stop them and ask them to badge in, or do you just assume that they belong because they look the part?
We must remember that physical attackers will do their best to fit in, even going so far as to research the company’s buildings and the people who work in them. The person who didn’t badge in, but says they’re going to see “Joe Smith on the 3rd floor”, may not actually belong in the building. While these conversations may be uncomfortable, we must stop and ask questions to maintain a secure and safe environment.
Even something as innocuous as a USB stick can have severe consequences. After finding one on the floor while walking to work or home, so many people will insert a found USB stick into their computers without a second thought — perhaps out of curiosity or the appeal of something free.
Criminals capitalize on this by purposely dropping malware-laden USB sticks, especially around companies, in the hopes that someone will find it, quickly infecting their device’s system and creating a backdoor. For example, Hak5’s Rubber Ducky is a common tool used by both security professionals and criminals to run scripts that could do everything from keylogging to installing a backdoor.
While criminals employ social engineering tactics that take advantage of our instincts to be trustful and helpful, we do not need to sacrifice our humanity to fight back. We can develop a security mindset that is mindful of the myriad ways social engineering attacks can occur — from phishing to SIM swapping to tail-gating past physical security — and educate those around us to do the same.