Social Engineering
Social Engineering is the psychological manipulation of people into performing actions
or divulging confidential information.
Social Engineering is the psychological manipulation of people into performing actions
or divulging confidential information.
Social engineering is a non-technical strategy cyber attackers use that relies heavily on human interaction and often involves tricking people into breaking standard security practices. The success of social engineering techniques depends on attackers’ ability to manipulate victims into performing certain actions or providing confidential information. Today, social engineering is recognized as one of the greatest security threats facing organizations. Social engineering differs from traditional hacking in the sense that social engineering attacks can be non-technical and don’t necessarily involve the compromise or exploitation of software or systems. When successful, many social engineering attacks enable attackers to gain legitimate, authorized access to confidential information.
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.
QR code-related phishing fraud has popped up on the radar screen in the last year.
QR codes—those machine-readable, black-and-white matrix codes arranged in a square—have become an increasingly popular way for companies to engage with consumers and deliver services in the midst of COVID-19. For example, many restaurants have ditched paper menus, and instead allow patrons to scan a QR code with their smartphone. Similarly, many Girl Scouts posted QR codes for no-contact ordering and delivery of cookies this spring.
But many of the websites that QR codes send people to are operated by third-party vendors. When scanned, a malicious QR code can connect phones to a malicious destination—just like clicking on a bad link. Same concept; new wrapper.
“People can become conditioned to just assume that the code and website is legit,” said Carpenter.
The ‘delivery’ methods for this social engineering tactic vary. Oz Alashe, CEO of U.K.-based security and analytics company CybSafe, said he has heard about leaflet drops in some neighborhoods with fraudulent codes that promise "Scan this QR code to have a chance of winning an Xbox.”
“Often the code will lead to a dodgy site which downloads malware to their phone,” said Alashe.
Web sites have for several years asked visitors to approve “notifications” from the site. What was once a useful way to engage with readers and keep them up to date is now, of course, also a social engineering tool.
“These are called push notifications, and they can be weaponized,” said Carpenter. “The problem is that many users blindly click 'yes' to allow these notifications.” While many users have learned some level of caution with web browsers, the notifications appear more like system messages from the device itself, rather than the browser.
Even for users who don’t blindly say yes, scammers find ways to install their notification scripts. Tactics include disguising subscription consent as another action, like a CAPTCHA, or switching the “accept” and “decline” buttons on subscription alerts mid-action.
Once the crook has a user’s (ill-gotten) consent, they start inundating them with messages—and the messages are usually phishing schemes, or scam notifications that contain malware.
With this social engineering tactic, cyber criminals target professionals in collaborative fields, said Alashe, including designers, developers, and even security researchers. The lure is an invitation that asks them to collaborate on work.
Recent pandemic lockdowns and expanded work-from-home increased people's comfort with remote collaboration, so this tactic fit the times well.
“The threat actors send over a Visual Studio Project containing malicious code. The user self-runs the program, and their device is infected pretty quickly. This attack essentially exploits the desire or need to assist or help others with passion projects,” said Alashe.
Tzury Bar Yochay, co-founder and CTO of security firm Reblaze, said examples of this attack are often well-crafted, showing great attention to detail.
“Attackers posed as active researchers and built social proof"—with apparent third parties validating their research—"using a blog including articles from industry sources as ‘guest posts,’ Twitter accounts, YouTube videos, LinkedIn, Discord, and more,” he said. A suspicious target may be put at ease by this seemingly wide social footprint.
George Gerchow, CSO at Sumo Logic, said attacks that exploit parts of an organization’s supply chain are now a big problem.
“It's not easy to defend what you can't see, and you are only as strong as the weakest link,” said Gerchow. “For example, there have been a plethora of targeted emails coming in that look like they are from your trusted partners but are in fact bad actors posing as employees you may know within your network.”
Gerchow said he first observed scam gift card offers presented to Sumo Logic employees, masked as incentives or thank-yous from the company’s real business partners.
But the attacks have become even more detailed over time.
“Now we see these long, sophisticated attempts to build trust or relationships with some of our outbound-facing teams whose entire job is to help. The bad actors have even posed as suppliers using our product with free accounts and have gone through use cases and scenarios to engage expertise within our company.”
By establishing these trusted relationships, the attackers’ ultimate goal is to make standard social engineering tactics more effective, eliciting help in bypassing security controls, or sending along malware that will compromise the target company’s systems.
The headline-making attack on SolarWinds is an example of a supply chain attack—in that case, a specific version called a vendor email compromise attack (VEC). As SolarWinds officials noted, an “email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.”
Social engineers are now using deepfakes—startlingly realistic recordings that use artificial intelligence to simulate a specific person’s appearance or voice—to trick victims into divulging information or performing an action that benefits the attacker.
Reblaze’s Bar Yochay said audio deepfake attacks—in which the attacker uses a “cloned” voice that is nearly indistinguishable from a real person's voice to create a scam audio recording—are a growing concern. One of the earliest successful examples came in 2019, when a fake recording of a CEO’s voice was used to instruct an employee to immediately transfer money to an international account.
“The recording was left as a voicemail to the subordinate, who obeyed the fraudulent instructions and sent $243,000 to the attackers,” said Bar Yochav.
Gerchow also said he has seen criminals use deepfake recordings to manipulate staff into sending money or offering up private information—only audio recordings so far, but Gerchow believes video deepfakes are just a matter of time.
“Training, awareness, self-reporting, and transparency will be the only way to scale security around these attacks,” said Gerchow. “Security needs to be approachable and of course, log everything.”
While text has been a conduit for social engineering scams for a while, Rebecca Herold, a privacy and security expert, says texting tactics are up in prominence.
“We are becoming a society where a large portion of the population prefer communicating via text messages as opposed to phone. People are now extremely used to communicating very confidential types of information via text,” says Herold.
Because grocery and food delivery has grown in the last year, delivery-related scam texts are up. Other common lures include texts that promise information about COVID stimulus checks that link victims back to a website that looks like the IRS site and asks for sensitive personal information, such as a birth date and social security number.
Herold said she has also seen text scams in which fraudsters impersonate the U.S. Department of Health and Human Services and tell victims they must take a "mandatory online COVID test" using a provided link.
“Then, like other scams, their personal information is taken and malware is often loaded onto their computing device,” said Herold.
As with QR codes, victims simply have not developed the level of awareness and caution needed.
Carpenter said typosquatting—or lookalike domains—are often served up in a business email compromise (BEC) attack. Fraudsters impersonate legitimate domains in order to fool victims into thinking they are in a safe location.
They do this with many tricks, including misspelling the domain (think Gooogle instead of Google) or adding a different top-level domain (.uk instead of .co.uk). Unlike the often sloppy versions from earlier days, today these sites may feature sophisticated designs, carefully detailed mimicry of legitimate sites, and sophisticated functionality.
“Social engineering victims are usually tricked into either feeling psychological safety by their choice or into seeking psychological safety in a way that will play into an attacker's hands,” said Carpenter.
Criminals set these sites not only to deliver malware, but also to capture credit card information or other sensitive data through fake login fields or other fake forms.
More on social engineering:
Security awareness experts say employees still fall for these five old social engineering tricks, and they warn of four new scams that add a twist to these oldies but goodies.
Who could resist opening an email that appears to come from your company’s CEO with the subject line, “You’ve been mentioned in this document” and the email contains a link titled, “Employee Raises and Promotions 2022”? Yes, people still fall for that official-looking email, where message appears to be coming from a legitimate source or person you know, says John Wilson, senior fellow of threat researcher at Agari by HelpSystems. Wilson recently received this same phishing attempt, but he was familiar with the bait.
[ Learn how IT can harness the power and promise of 5G in this FREE CIO Roadmap Report. Download now! ]
In attempts like these, “bad guys are trying to phish credentials,” he says. In this case, to open the document, “it wants you to log in again with your Office 365 credentials. If they make it juicy enough, people will open it.”
Regardless of the bait offered, the lesson here is: “There is no good reason why you would have to log in again to open anything,” he says. Wilson also suggests using a password manager that will only apply your credentials if you are on an authentic website.
The FBI warned U.S. businesses in January about fake letters sent through the U.S. Postal Service and UPS that impersonated the Department of Health and Human Services in some cases offering COVID-19 information, and Amazon in others. Both included a USB stick laced with malicious software.
If inserted into a computer, the USB stick could have given the hacking group access to an organization's network to deploy ransomware, the FBI said. It's unclear if any of the firms were compromised in the incidents, but it's a reminder that old social engineering tricks linger.
One of the most prolific, if not most effective social engineering tricks still circulating is the gift-card scam, where an email appears to come from an executive at the company asking for assistance. The story usually goes – the executive needs gift cards to reward staff, “and it’s a surprise so don’t tell anybody,” Wilson says. The goal is to get the employee to purchase the cards, scratch off the silver coating covering the codes, then email back a photo of the backs of the cards.
“I would say 1 out of 100 [employees] will reply that first time. What’s unclear is if anybody goes and gets the gift card,” Wilson says, but his team has logged roughly 10,300 incidents since January 2019 and sees hundreds of these phishing attempts each day in data across its customer base. “It’s still going, so somebody is falling for it,” he says.
Malware-laced internal voicemails sent through emails have resurfaced in recent months – and some employees still fall for them, Wilson says. “It’s been going on forever. It’s just a good lure because you want to get your email,” he says. The effectiveness of this depends on who is on the receiving end and their department. “An engineer won’t answer your voicemail, but if you’re in sales, and you think that voicemail might be an order or a prospect, you might open it up.”
Recipients should ask themselves if their company even uses a system that sends voicemail through email. If it does, then always hover over the email address to make sure it’s from a known sender, Wilson says.
Fake parcel delivery notices have evolved and flourished for more than 15 years, says Chester Wisniewski, Sophos principal research scientist. These phishing attempts come in many variations but are designed to charge you a fee for duties or customs, while others are simply phishing attacks designed to have you "login with your email to track a package,” and credentials are stolen. “These are often customized to the region of the recipient and will spoof global logistics brands like DHL, UPS or FedEx,” he adds.
There’s never a shortage of new social engineering scams waiting to be exploited, but here are four of the more common, flagrant or dangerous new tricks based on old vices.
A popular social engineering trick, especially since the beginning of the COVID-19 pandemic, is malware disguised as a request to sign legal documents via DocuSign. “Presumably more legal forms are being signed digitally these days,” Wisniewski says. “They will prompt you to install some sort of plugin, which is really computer malware, to proceed with viewing the purported document.”
In this scam, an employee, usually in accounts receivable, gets an email claiming to be from a company executive. The message says he or she wants to do research into our outstanding receivables and asks the recipient to “please send our latest AR aging report” that includes a list of all customers who owe money and the amount of time past due. Next, the bad actors create and register a lookalike domain name and they hit up everybody on that list, Wilson says.
“The bad actors know how much is owed, when it’s owed, payment terms, and will then say, ‘We’re only accepting ACH payments to this account number going forward.’ Unfortunately because all information matches, the customers go along.” By all accounts, the trick has been fairly effective, Wilson says. “The scam is particularly dangerous because the damage isn’t to your company, but to all your customers.”
Cybercriminals are using a phishing email to convince a target that there is a problem with their bank account, email account or other high-value account. The email contains a link that will help the targeted individual resolve the urgent issue. Clicking on the link launches a web browser window, which then takes them to a login page for that account. The victim then enters their credentials, receives the expected message requesting an MFA code, which the victim also enters. The victim sees nothing wrong in the account, thinks the message about the problem was an error, and closes the browser window or tab that they used to log in.
“This is a new and tricky way to get around improved security controls (like multifactor authentication) to pull off old, reliable social engineering tricks,” says Erich Kron, security awareness advocate at KnowBe4. Many organizations have become good at spotting the reverse proxy servers used for this, making it tougher for the cybercriminals carry out, Kron adds. “Cybercriminals have fought back, though.”
Newer scams have emerged using the telephone. Malware known as BazarLoader impersonates brands like Amazon to convince you that you are being charged hundreds of dollars for a subscription. If you want to cancel, you need to call a phone number to speak to a representative. The criminals operate real call centers where they instruct you over the phone how to download the malware and run it on your computer. Other variations of this include similar lures to cancel streaming video services or magazines.
“These attacks will never go away, we just need to try and remain vigilant and warn others when we detect a scam making the rounds,” Wisniewski says. Security teams should make it easy for employees to report when they’ve been tricked, “and make it clear that employees are not in trouble.”
More on social engineering: