Social engineering is unique in the cybersecurity world because its reach extends across the software, hardware, and even psychological levels. In this article, we’ll cover social engineering attacks and help you learn from recent developments in the space.
With the help of Chris ‘l0gan’ Hadnagy, Chief Human Hacker at Social Engineer, Inc., we’ll also show you how organizations can properly defend themselves.
Social engineering can impact organizations in a variety of ways and we’ve seen the consequences in several high-profile cases.
The 2013 Yahoo data breach that compromised over 3 billion accounts (as it was later discovered) was the result of a successful spearphishing campaign.
While it’s unknown how the hacker initially obtained the relevant email information, the US Department of Justice data breach was made possible when the hacker called the Department of Justice, pretending to be a new employee, in order to obtain an access token for a web portal.
Before we break down the different social engineering attacks, it’s important to have a definition of what social engineering is. Hadnagy considers social engineering as:
“...any act that influences a person to take an action that may or may not be in their best interest.”
While it’s a broad definition, it gets to the major principles of how and why social engineering attacks are successful. It’s an act of influence at the individual level.
Hadnagy also offered a detailed breakdown of the major social engineering attacks, covering their common targets and methodologies.
Phishing occurs when an attacker leverages email as an attack channel. Because it’s quite easy and low-risk to send massive amounts of emails, attackers leverage a ‘spray and pray’ method, targeting users in the thousands or even millions, knowing that even on a low success rate, the payoff can still remain high.
Targets can vary from entire organizations to the general public, and the emails usually try to get victims to install malware by way of malicious links or attachments.
This is one of the most common social engineering attacks and, as a result, one of the most successful.
Vishing leverages voice calls in order to compromise an organization or individual. Unlike traditional attacks, where technology is compromised in order to obtain information, this is a direct approach that steals from the primary source: the person.
This attack preys on the lack of knowledge and/or the insecurity of individuals. For example, IRS and debtor scams are types of successful vishing attacks that take advantage of people who are willing to provide sensitive details in the hope of keeping their finances secure.
Against organizations, hackers may target a low-level employee while pretending to be the IT department. By impersonating someone with higher or more privileged access to information, they’re hoping the employee won’t think twice about divulging sensitive information.
Vishing often attempts to steal personal data, proprietary data, or, in most high-profile cases, company finances.
In smishing, the attack vector is SMS and social media messaging platforms like Facebook Messenger or Twitter DMs.
This method has many similarities to phishing. The risk is relatively low, mass targeting is available, and malicious links or downloads are often the desired action.
The difference, Hadnagy noted, is that smishing often spikes after a major breach is disclosed. When Wells Fargo disclosed their data breach in 2017, attackers prompted targets to change their password on a spoofed Wells Fargo log-in page. Victims would then ‘log in’ and hand their credentials straight to the attackers.
Impersonation, in its physical form, is when an attacker poses as someone else in order to access a company’s headquarters or otherwise take advantage of the impersonated role. Hadnagy notes that law enforcement impersonation is up significantly compared to last year, though these attacks targeted people on a personal level.
While this kind of attack carries a high risk for the attacker, the damage to the organization can be massive. Attackers can walk away with servers, computers, and other hardware, or they can install tracking devices to continuously collect sensitive data.
Other physical attacks that count as social engineering are mailing USB drives with malware pre-installed or sending a Bluetooth keyboard with a built-in keylogger.
With social media and the internet providing such wide access to information, some attackers are opting to conduct preliminary research to improve their targeting and rate of success.
Hadnagy pointed out that 91 percent of corporate phishing emails leverage name spoofing, in which the attacker impersonates the name of someone in the organization, increasing the attack’s effectiveness. He also mentioned that social media use in social engineering rose 500% in Q4.
This level of personalization has significantly changed how social engineering attacks are carried out.
Attackers are now targeting specific individuals (known as spearphishing), usually those high in an organization’s hierarchy or those with department-specific knowledge (such as the finance department).
Vishing is also used in Business Email Compromise (BEC) attacks, which have increased 800% over the past year. These attacks occur when a hacker impersonates a CEO or other high-level individual in an organization and asks a lower-level employee to send an email containing sensitive information. In a more direct variant, the caller tells the target to expect an email; the phishing email the attacker then sends has a much higher likelihood of success.
Because technology allows attackers to set up voice servers anywhere in the world, all it takes is a sense of urgency or the threat of job loss, and the target is likely to do what the attacker asks.
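The name spoofing described above, where the visible sender name matches a real employee but the address behind it does not, is something mail filters and SOC tooling can check mechanically. The following Python is an added example for this article, not code from Hadnagy or Social Engineer, Inc.; the corporate domain `corp.example`, the two-person employee directory and the sample messages are all constructed for illustration. It parses each message’s `From:` header, normalizes the display name (case, accents, punctuation, and the trick of embedding a fake address inside the quoted display name), and flags any message that claims a known employee’s name but arrives from an address that is not that employee’s.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the company's mail
# domain and a small directory mapping each employee's display name to
# the address they actually send from.
CORPORATE_DOMAIN = "corp.example"
EMPLOYEE_DIRECTORY = {
    "Jane Doe": "jane.doe@corp.example",
    "Sam Lee": "sam.lee@corp.example",
}


def normalize_name(name):
    """Fold a display name so trivial variations still match the directory.

    Anything from the first '<' onward is dropped, so a quoted display name
    that smuggles in a fake address ("Jane Doe <jane.doe@corp.example>")
    still normalizes to the bare name.  Accents are stripped, case is folded,
    punctuation is removed and whitespace is collapsed.
    """
    name = name.split("<", 1)[0]
    name = unicodedata.normalize("NFKD", name)
    name = "".join(ch for ch in name if not unicodedata.combining(ch))
    name = re.sub(r"[^\w\s]", " ", name)
    return " ".join(name.casefold().split())


# Lookup table keyed by the normalized form of each directory name.
DIRECTORY_BY_NORMALIZED = {
    normalize_name(n): (n, addr) for n, addr in EMPLOYEE_DIRECTORY.items()
}


def check_from_header(from_header):
    """Return a finding dict if the header impersonates a known employee, else None."""
    display, address = parseaddr(from_header)
    address = address.casefold()
    key = normalize_name(display)
    if key not in DIRECTORY_BY_NORMALIZED:
        return None  # not claiming to be anyone in the directory
    real_name, real_address = DIRECTORY_BY_NORMALIZED[key]
    if address == real_address:
        return None  # display name and address agree with the directory
    domain = address.rpartition("@")[2]
    reason = "external_domain" if domain != CORPORATE_DOMAIN else "address_mismatch"
    return {
        "claimed": real_name,
        "expected": real_address,
        "actual": address,
        "reason": reason,
    }


def scan_messages(raw_messages):
    """Parse raw RFC 822 messages and collect display-name spoofing findings."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        finding = check_from_header(msg.get("From", ""))
        if finding is not None:
            finding["subject"] = msg.get("Subject", "")
            findings.append(finding)
    return findings


# Constructed sample messages: one genuine internal mail, two impersonation
# attempts, and one unrelated external sender that must not be flagged.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@corp.example>\nSubject: Q3 numbers\n\nAttached.\n",
    "From: JANE DOE <jane.doe.corp@mail.example>\nSubject: Urgent wire\n\nNeed this today.\n",
    'From: "Jane Doe <jane.doe@corp.example>" <ceo.office@mail.example>\n'
    "Subject: Quick favour\n\nAre you at your desk?\n",
    "From: Pat Vendor <pat@vendor.example>\nSubject: Invoice\n\nSee attached.\n",
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"[{f['reason']}] '{f['subject']}' claims {f['claimed']} "
              f"but came from {f['actual']} (expected {f['expected']})")
```

In a real deployment the directory would come from the identity provider and the check would run in the mail gateway before delivery; a finding is a good candidate for a visible warning banner rather than a silent drop, since the same pattern also appears in legitimate mail from employees’ personal accounts.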
With the wide acceptance of bring your own device (BYOD), attackers know that they can target employees’ personal devices. The employee then brings the infected device to work and connects it to the organization’s corporate network. If the company hasn’t set up the right network segmentation, it’s now at risk.
“There’s no one software or single solution that will prevent or mitigate the damage of these kind of attacks.”
Hadnagy notes that it’s hard to defend against social engineering because attacks are carried out very differently, but offers education and experience as very helpful approaches.
“How can you defend against an attack if you don’t know it exists?”
Education is absolutely essential and critical for the entire organization. All employees should be aware of the kinds of social engineering attacks, how they’re carried out, and the best way to defend against them.
Education can range from in-person training to computer-based training (CBT). With regard to CBT, Hadnagy notes that an organization will often try one option from among a pool of many, find that it doesn’t work, and give up altogether. He insists that companies keep trying other educational resources until they find the right option for their employees.
“You can’t become a boxer if you don’t know how to take a punch.”
Hadnagy strongly stressed the value of experiencing social engineering first-hand. His organization conducts auditing, testing, and social engineering attacks on a company as part of its security offerings. Of course, the attacks aren’t malicious; they are done to provide the education and experience an organization needs to understand its vulnerabilities and where it needs to shore up its security.
Hadnagy compares this to boxing. It’s not enough to watch or just train: it’s the experience of boxing that is the real teacher. Following this analogy, these proactive social engineering tests are akin to sparring.
By actually phishing employees and conducting physical penetration testing, Hadnagy notes that he can then show organizations where and how they were compromised. This gives companies an opportunity to shore up their defenses before a real attack can compromise an employee, their network or their physical headquarters.
As is often the case, an organization’s best options are to invest in education, training, and opportunities for all its employees to experience what social engineering really looks like. Because of the unusual nature of social engineering, it’s hard to rely on invisible security protocols or defensive software. By exposing the organization to social engineering, it will be that much more prepared in the case of an actual attack.
Interested in hearing more from Chris? He'll be one of our special keynote speakers at the upcoming InfoSec World Conference & Expo.