Cyberattacks and data breaches are increasing, highlighting and exploiting the most crucial corporate vulnerabilities. Hackers often make use of major world events, and the pandemic has become a case in point.
The 2021 Cyber Security Statistics report by Purplesec found that 98% of cyberattacks relied on social engineering. Social engineering attacks manipulate employees within an organization to reveal confidential passwords or sensitive information to attackers. The most successful attacks are personal and sophisticated. These days, cyber criminals perform a thorough analysis of the targeted individual using social media or other sources, where it’s easy to find details known only to the victim’s close friends and family.
Why is social engineering effective?
There are numerous reasons why social engineering presents a constant business threat, including the growing popularity of remote working, the use of outdated software without additional access accounts for sensitive data and the impersonation of popular brands (Amazon, Microsoft). But employees are the weakest links in a security system. Fraudsters use psychological manipulation to build a trust relationship with their targets. Afterward, it’s much easier to exploit that bond and obtain necessary information. Moreover, many employees use their corporate email addresses to register on social networks. This greatly increases the likelihood of a successful cyberattack.
Is phishing really that easy?
Phishing represents the most common social engineering scam. These scams come in the following flavors:
- Personal information theft (names, addresses, or social security numbers).
- A redirect to suspicious websites that host phishing landing pages.
- Manipulation to take immediate action (by incorporating threats, fear in a phishing scam).
Research from Proofpoint found that 75% of organizations around the world experienced a phishing attack in 2020. Verizon found that 96% of engineering attacks are delivered by email, while just 3% arrive through a website, and 1% are associated with phone or SMS communications.
Despite the popular opinion that email phishing attacks are easy to execute, the process of launching a successful campaign requires significant preparation. There are many obstacles that could destroy an email phishing attack. These include email gateway spam filters, Outlook ‘junk email’ filters, intrusion prevention systems, web proxy servers, and egress filtering.
Moreover, companies and their cybersecurity vendors have improved when it comes to detecting and stopping mass phishing campaigns. Email services are now controlled by conglomerates of large IT companies that follow standardized security standards. The SMTP protocol (a standard communication protocol for electronic mail transmission) is not secure, so these vendors apply additional security measures to stop spam and phishing. For example, Google requires that the server from which users send email must have a white IP address with A/AAAA and reverse (PTR) DNS records. Also, to pass the spam classification when delivering to Gmail, additional DNS records must get configured (these include DKIM, SPF, DMARC). Once the phishing campaign begins, the time factor is of high importance, since modern hosting platforms will stop the server, put a limit on the number of outbound email messages, or close TCP 25 port on the firewall once the system reports the first serious abuse. That’s why many cybercriminals use illegal and semi-legal hosting services. However, many are already blacklisted by security vendors.
Fraudsters don't just focus on phishing anymore
These days, fraudsters have turned to more targeted social engineering attacks with a mix of techniques to avoid traditional security controls:
- Vishing and smishing. These phishing campaigns follow-up an email with a fraudulent phone call or SMS/text messaging. An attacker pressures a victim to click on the phishy email in real time. This encourages the target to click the email and activates the virus.
- Baiting. Puts something desirable in front of targets to coax them into the social engineering trap. A simple example: Handing out free USB drives to employees that, once loaded, activate malicious software.
- Evil twin. This type of attack uses a fake Wi-Fi hotspot that looks legitimate but can intercept data during transfer. This approach makes it easy to collect confidential data that is transferred during the connection.
- Scareware. Fraudsters create pop-up banners with a security warning. This kind of attack plays on human fears and lures you into visiting malicious websites.
New attack scenarios will undoubtably emerge, especially with the rapid development of neural networks and AI. Security pros should remember the following: It’s very rare that quality resources are handed out for free, always double-check an email address and sender’s details, users who are in doubt should report the abuse to the Infosec department, finally, take social engineering tests seriously. They let security teams quickly find patterns and recognize malicious activities.
Andrey Barashkov, security consultant, DataArt
