And what to do to stop being exploited so easily by cybercriminals
Social engineering is the most powerful method of attack against companies' biggest vulnerability: their own staff. Cybercriminals know this. They know that the most vulnerable element of any information security system is the human being, whose behavioral and psychological traits make them susceptible to manipulation: personal and/or professional vanity, overconfidence, eagerness to be helpful, a desire to make new friends, and so on.
US hacker Kevin Mitnick became famous for extracting confidential information from large US corporations, from the late 1970s through the 1990s, by telephoning employees, gaining their trust, and then asking a few well-chosen questions.
Mitnick taught security professionals that the main goal of telephone-based social engineering is to convince the target that the caller is (1) a co-worker or (2) some kind of external authority (such as an auditor or a law-enforcement officer). From there, it was easy to obtain information about specific employees, even when the first calls were not made to them directly.
And if it was already possible back then to persuade users to hand over their passwords, it is even easier to deceive people today to obtain valuable data. Not by chance, social engineering became the #1 attack method in 2015, according to Proofpoint's 2016 Human Factor Report.
Using the information victims themselves post on sites such as Twitter and Facebook, attackers can craft highly targeted emails that arouse curiosity and lead recipients to click on malicious attachments or links, thereby installing malware on their machines.
Successful social engineering on the Internet generally relies on phishing and malware. But these are just the two most common methods cybercriminals use.
Unfortunately, social engineering attackers have a veritable arsenal of tools and approaches at their disposal, far larger than most of us suppose.
To counter these threats, companies must invest in training people, creating processes, and deploying security tools. For those investments to be effective, however, they must understand the modus operandi of the criminals they are defending against. Successful social engineering attacks often require time, patience, and persistence; they are usually carried out calmly and methodically.
In this article, CSO examines six of the most effective social engineering techniques intruders use, both online and offline, explaining how each works, what it achieves, and which technologies, methods, and policies detect and respond to these attacks and keep them at bay.
Technique One: Activating Macros
Cybercrooks use social engineering to trick users in organizations into enabling macros that trigger the installation of malware.
In attacks on Ukrainian critical infrastructure, fake dialog boxes appeared inside Microsoft Office documents, instructing users to enable macros so that content created in a newer version of the Microsoft product would display properly.
The attackers wrote the dialog text in Russian and made the dialog image look as if it came from Microsoft. When users complied and turned on macros, the document's malware infected their machines. "This phishing tactic used an interesting social engineering technique, knowing that most users were using the macros in the programs that make up Office," says Phil Neray, vice president of Industrial Cybersecurity at CyberX.
Technique Two: Sextortion
In attacks known as catfishing, cybercriminals pose as potential lovers to lure victims into sharing compromising videos and photos, and then blackmail them. "These traps have evolved to hit the company," says James Maude, security engineer at Avecto.
Targeting a company's senior employees through social media, sextortionists blackmail them into revealing sensitive credentials, Maude says.
There are several ways criminals can obtain their images. The most common is manipulation via social media, through which the perpetrators deceive the victim into sending compromising photos, then extort them to obtain more. Another is hijacking people's webcams and capturing them when they believe no one is watching, made possible by spyware installed on the victim's machine, whether locally or remotely.
But the attacks also take place in person, in bars and hotels during international conferences, says Maude.
Technique Three: By Affinity
Affinity social engineering relies on the attacker forming a bond with the target around a shared interest or some other point of identification. "The method is to become friends with the victim, get her to do them a favor, slowly ask for information (initially innocuous), then ask for more sensitive information. Once the victim is entangled, the attacker can then blackmail them," says Roger G. Johnston, head of Right Brain Sekurity.
Criminals adopt a friendly posture, showing interest in people's lives and everything connected to them. In a short time they can obtain information that would otherwise be unobtainable.
The technique here is simple: criminals use less senior, more accessible people within companies to gather information about others higher up in the business hierarchy.
According to security professionals, there may be as many as ten hops between the criminal's ultimate target and the person first contacted inside the organization.
"Now these fraudsters establish connections on social networks based on shared political views, social media groups, hobbies, sports, interest in video games, activism, and crowdsourcing situations," explains Johnston.
Technique Four: False Recruiter
With so many headhunters courting job seekers, no one is suspicious when a fake recruiter appears to flatter an employee's ego and offer a seductive position, purely to extract information.
"This may not yield computer passwords directly, but an attacker can get enough data to find information about the company. The attacker can also threaten to tell the employee's boss that he is planning to leave the company and has already shared confidential information, to make the victim hand over their system access passwords," explains Johnston.
Technique Five: The Senior Intern
An attacker posing as a senior intern has the knowledge and experience needed to commit industrial espionage, knowing which questions to ask and where and how to find confidential information, Johnston explains.
This may not yield computer passwords directly, but an attacker can gather enough data to work out whom to hack in order to obtain passwords within the company.
Another tactic is to learn the corporate vocabulary well. Every industry has its own jargon, and the criminal social engineer studies that language to get the most out of it. If someone speaks to you using terms and expressions you recognize, it is easier for them to inspire trust. People tend to show less resistance and lower their guard when talking to someone who uses the same acronyms and expressions they are used to hearing.
Technique Six: Bots
"Malicious bots are often responsible for highly sophisticated and harmful social engineering attacks," says Inbar Raz, principal researcher at PerimeterX. The bots infect web browsers with malicious extensions that hijack browsing sessions and use social networking credentials saved in the browser to send infected messages to the victim's friends, Raz explains. Attackers use these bot-driven approaches to trick the victim's friends into clicking embedded links or downloading and installing malware, which lets cybercriminals build large botnets that include the friends' computers, Raz explains.
What to do?
In the Ukrainian example, machines that did not allow users to enable macros would have stopped the attack cold. Companies can also use deep packet inspection, behavioral analysis, and threat intelligence to monitor the network layer for anomalous behavior such as that exhibited by the Microsoft Office attack in Ukraine, says Neray.
To block other attack methods, companies should apply network segmentation, multifactor authentication, and post-attack forensics on the network and endpoints to prevent lateral movement, limit the damage done with stolen credentials, and understand the scope of the breach so that all associated malware is removed, according to Neray.
And they should address sextortion with a combination of zero-trust, least-privilege access, behavioral detection, and monitoring to expose attacks and limit the misuse of credentials obtained through this social engineering technique.
Sextortion also requires sensitive handling when such an attack has compromised an employee. "The Legal and HR areas may have to play a relevant role in all actions, and everyone needs to be ready for the worst. In cases I know, employee awareness and early intervention have limited the damage," says Maude.
As for bots, tools such as anomalous behavior monitoring products and some anti-virus and anti-malware software can detect bot behavior and browser changes. A company may also detect some of the weaker bots using threat intelligence and IP address reputation data, according to Johnston.
Every company should continually update its employee training with the details of how criminals are currently using social engineering.
"You should conduct social engineering awareness training separately and specifically, outlining how these attacks work and making them seem very plausible," says Johnston. Stage (live or on video) all the characters, both victims and perpetrators, to demonstrate the points vividly and in person, says Johnston.
"During training sessions, I often tell people that they should be paranoid in the extreme, since it is never possible to determine what a criminal might want from you," says Sal Lifrieri, CEO of Protective Countermeasures, who worked for 20 years in the New York Police Department.
According to him, it is not uncommon for social engineering to target employees such as the receptionist or the guard at the parking gate. "That is why the training has to reach everyone, since the secretary or receptionist is generally fewer than ten moves away from the person you want to reach."
Demonstrating how social engineering affects everyone, showing how vulnerable people can be, and giving people both the tools to protect themselves and the assurance that they will be supported even when they fall victim, all help.
In addition, giving employees duress words they know and can use to alert their employer that they are in trouble can surface ongoing attacks that rely on blackmail or coercion, says Johnston.
By combining security training, policies, and technologies, companies can withstand both old and new social engineering maneuvers.
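As an added example (not code from CSO, CyberX or the original article), here is the gateway-side check a practitioner would pair with the host-side macro-blocking policy described above: a Python triage routine that opens an Office Open XML attachment as the zip container it is, looks for a VBA project both by part name (vbaProject.bin) and by the content type registered for it in [Content_Types].xml, and flags the anomaly of a VBA part inside an extension Office presents as macro-free. The file names, the sample documents and the "quarantine external macro-enabled documents" policy are constructed for illustration.

```python
"""Triage Office attachments for macro content.

Added example, not code from the original article. Flags any Office Open XML
document (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm) that carries a VBA project,
using two independent indicators: the part name (vbaProject.bin) and the
content type registered for it in [Content_Types].xml. The sample documents
below are constructed inline; they are not real malware samples.
"""
import io
import os
import zipfile

# Content type OOXML registers for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions Office presents to the user as macro-free containers.
MACRO_FREE_EXT = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def inspect_ooxml(filename: str, data: bytes) -> dict:
    """Return a triage verdict for one attachment.

    is_ooxml   - data is a zip with a [Content_Types].xml part
    has_macros - a VBA project is present (by part name or content type)
    mismatch   - VBA project inside an extension that claims to be macro-free
    block      - recommended gateway action under a 'no external macros' policy
    """
    verdict = {"file": filename, "is_ooxml": False, "has_macros": False,
               "mismatch": False, "block": False, "reason": ""}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls (OLE2) or non-Office data: needs a different parser.
        verdict["reason"] = "not an OOXML container"
        return verdict
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            verdict["reason"] = "zip archive without [Content_Types].xml"
            return verdict
        verdict["is_ooxml"] = True
        by_name = any(n.lower().endswith("vbaproject.bin") for n in names)
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        by_type = VBA_CONTENT_TYPE in types_xml
        verdict["has_macros"] = by_name or by_type

    if not verdict["has_macros"]:
        verdict["reason"] = "no VBA project found"
        return verdict

    ext = os.path.splitext(filename)[1].lower()
    verdict["mismatch"] = ext in MACRO_FREE_EXT
    verdict["block"] = True  # policy: external macro-enabled documents are quarantined
    verdict["reason"] = ("VBA project inside a macro-free extension"
                         if verdict["mismatch"]
                         else "macro-enabled document from an external sender")
    return verdict


def _make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip from {part_name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_TYPES_NS = 'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"'
CONTENT_TYPES_PLAIN = (
    f'<Types {_TYPES_NS}><Override PartName="/word/document.xml" ContentType='
    '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
).encode()
CONTENT_TYPES_MACRO = (
    f'<Types {_TYPES_NS}><Override PartName="/word/document.xml" ContentType='
    '"application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/></Types>'
).encode()

# Constructed attachments: a clean document, a macro lure, the same lure renamed
# to a macro-free extension, and a non-Office file.
SAMPLES = {
    "quarterly_report.docx": _make_ooxml({
        "[Content_Types].xml": CONTENT_TYPES_PLAIN,
        "word/document.xml": b"<w:document/>"}),
    "invoice.docm": _make_ooxml({
        "[Content_Types].xml": CONTENT_TYPES_MACRO,
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-vba-project"}),
    "statement.docx": _make_ooxml({
        "[Content_Types].xml": CONTENT_TYPES_MACRO,
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-vba-project"}),
    "notes.txt": b"just text, not a zip",
}


def triage(samples: dict) -> dict:
    """Run inspect_ooxml over a {filename: bytes} mapping."""
    return {name: inspect_ooxml(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for v in triage(SAMPLES).values():
        print(f"{v['file']:24} block={v['block']!s:5} macros={v['has_macros']!s:5} {v['reason']}")
```

Two caveats a practitioner should keep in mind. First, this check only understands the zip-based OOXML formats; legacy binary .doc and .xls files are OLE2 containers and fall into the "not an OOXML container" branch, so a real gateway would hand those to a parser such as olevba from the oletools project, which covers both families and also extracts the macro source for review. Second, the check is a complement to, not a substitute for, the host-side control Neray describes: if users cannot enable macros on their machines, a lure that slips past the gateway still fails.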