It’s amazing and scary all at once. Technology is the lifeblood of our personal and business lives with an ever expanding range of gadgets and services.
While it’s awesome that we’re making so much progress, developers and inventors don’t always have the capital or time to spend on years of testing.
We live in interesting times. Rising tensions across the world encourage less-than-savoury organisations to exploit vulnerabilities but the biggest challenge we face is not necessarily the technology in place.
The problem is human beings. We are way too trusting.
In a BBC article, famous hacker Kevin Mitnick explains:
“The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you… What I find personally to be true was that it’s easier to manipulate people rather than technology… Most of the time organisations overlook that human element.”
Given that the interview took place in 2002, it’s scary to think how relevant this statement is today almost two decades later.
Social Engineering Attacks and stats
Our tech team is certainly familiar with the sheer number of attacks taking place on a daily basis, because we observe them across our clients. We had been in operation for over a decade without seeing many attacks, but that all changed in 2017.
We started to see a massive surge of social engineering attacks taking place far more frequently, and we were not the only ones to notice. The statistics are hard to stomach.
In a detailed study, CyberEdge surveyed 1100 qualified IT professionals who work in organisations with 500+ employees and found the following:
These are just some of the stats worth paying attention to, with plenty more bad news discussed in further studies and surveys which have taken place to date.
What is Social Engineering?
Social engineering on a basic level is a scam carried out to obtain compromising information from a target. It could be anything from your login details to financial information and just about everything in between.
Social engineering is usually carried out in two methods, either through automated software or directly through human interaction. You could further break down the categories depending on how an attack is carried out i.e. social, technical or physical means.
Senior Cyber Security Consultant, Jen Fox provides an incredible seminar on two techniques she has used to pull off a social engineering attack. Check out the video below:
While Jen only covers two techniques in this video, hackers use a large number of creative techniques to scam users.
In another highly detailed study carried out by MDPI, social engineering is broken down into several sub-categories:
- Impersonation of a Helpdesk
- Diversion Theft
- Dumpster Diving
- Shoulder Surfing
- Quid Pro Quo
- Pop-Up Windows
- Reverse Social Engineering
- Online Social Engineering
- Phone Social Engineering
- Stealing Important Documents
- Fake Software
- Whitelisting Flow
Exploring each of these techniques is worth doing to completely understand the processes involved. Some techniques are proving to be more effective than others, especially when it comes to scaling up a target list.
I’d highly recommend reading this article by Wordfence which discusses DefCon 22’s Social Engineering CTF competition, showing how hackers put a number of these methods to use.
It’s shocking to see how easy social engineering is to implement!
Taking a closer look at phishing
Out of all the social engineering techniques used, the most common attack we’re aware of is phishing. The goal of a phishing email is to obtain login details or personal information which can then be used against you.
To the untrained eye, phishing emails are really convincing. Hackers will spend time carefully copying the layout of genuine, authoritative emails to make it seem like the real thing.
Phishing Email Example
The Sender Email
The attacker has done an excellent job of copying the domain and sender email format which Office365 actually uses, except there is one small giveaway – the dash between office and 365.
The Subject Line
The subject line is really simple, but uses fear and urgency to encourage immediate action…
The Email Body
The email body text gets straight to the point, and unless you carefully analyse the grammatical tone and spelling, you may just believe this is an email from Office365…
The Sign Off
The sign off is the only dead giveaway in this email, with a spelling error in ‘Microsft’…
Does this email look real to you?
It’s pretty close to what you may receive from Office365, but there are a few key giveaways which can be identified right away.
Email Address is fake
The domain used by Office365 doesn’t include a dash between the word and the number. Did you spot that? Probably not, it’s all in the small details which makes it very hard to spot when you’re in a hurry.
The Email wording is grammatically bad
If you’re a native English speaker, you may spot that the wording is a little strange. For example, “Follow the instruction below” would actually be written as “follow the instructions below”, and there would actually be instructions to follow!
You’d expect a highly evolved service like Office365 to write the perfect copy, which means it’s really worth reading the email properly to identify spelling and grammar issues which wouldn’t appear if written legitimately.
Sense of urgency
Phishing emails try to provoke a knee-jerk reaction by using subject lines and links which tell you that if you don’t act immediately, you will be in trouble.
This is why phishing emails have been so successful to date. The natural reaction to urgency for any normal human being is to take immediate action.
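The three giveaways above (a lookalike sender domain, a misspelled brand name, and urgency language) can each be checked mechanically before a message ever reaches a hurried reader. The following Python script is an added example, not part of the original article; the allowlist of genuine sender domains, the brand word list and the two sample messages are all constructed for the demonstration, and the `office365.example` / `office-365.example` pair simply mirrors the dash trick described above.

```python
import re
from email.utils import parseaddr

# Constructed allowlist of domains the organisation treats as genuine senders (assumption).
KNOWN_DOMAINS = {"office365.example", "microsoft.example"}
# Constructed list of brand words whose near-misspellings are worth flagging.
BRAND_WORDS = ("microsoft",)
# Phrases that typically signal the "act now or else" pressure used in phishing.
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "action required")


def registrable_domain(address: str) -> str:
    """Return the domain part of a 'Display Name <user@host>' address, lower-cased."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def normalise(domain: str) -> str:
    """Strip separators so 'office-365.example' compares equal to 'office365.example'."""
    return re.sub(r"[-_.]", "", domain)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer), used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'known', 'lookalike', 'unknown' or 'invalid' for the sender's domain."""
    domain = registrable_domain(address)
    if not domain:
        return "invalid"
    for known in KNOWN_DOMAINS:
        # A genuine domain or one of its own subdomains (mail.office365.example).
        if domain == known or domain.endswith("." + known):
            return "known"
    for known in KNOWN_DOMAINS:
        # Separator insertion (office-365), brand embedded in an attacker-owned
        # domain (office365.example.evil.test), or a short-distance typosquat.
        if normalise(domain) == normalise(known):
            return "lookalike"
        if known in domain:
            return "lookalike"
        if edit_distance(domain, known) <= 2:
            return "lookalike"
    return "unknown"


def analyse_message(sender: str, subject: str, body: str) -> dict:
    """Score one message on the three indicators discussed in the article."""
    verdict = classify_sender(sender)
    text = f"{subject} {body}".lower()
    urgency = [phrase for phrase in URGENCY_WORDS if phrase in text]
    words = set(re.findall(r"[a-z]+", text))
    misspelled = sorted(
        w for w in words for brand in BRAND_WORDS
        if w != brand and edit_distance(w, brand) == 1
    )
    risk = {"lookalike": 2, "unknown": 1}.get(verdict, 0) + len(urgency) + len(misspelled)
    return {"sender": verdict, "urgency": urgency, "misspelled_brand": misspelled, "risk": risk}


# Constructed sample messages modelled on the example in the article.
PHISH = dict(
    sender="Office365 Support <no-reply@office-365.example>",
    subject="Action required: your mailbox will be suspended",
    body="Follow the instruction below to verify your account. Regards, Microsft Team",
)
LEGIT = dict(
    sender="Microsoft <no-reply@mail.office365.example>",
    subject="Your monthly usage summary",
    body="Here is your summary. Thanks, Microsoft",
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse_message(**msg))
```

The separator check is what catches the dash in the article's example; the edit-distance check generalises it to single-character typosquats, and the "brand embedded in a longer domain" check catches the common trick of putting the real brand in a subdomain of a domain the attacker controls. Subdomains of an allowlisted domain are treated as genuine, since that is how legitimate mail infrastructure is usually laid out.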
Take a look at the video below which goes into more detail on these key points and which provides a few additional tips to help work out if an email is indeed legitimate.
How to prevent social engineering?
The main challenge is education on the subject. Most people just want to get on with their work and believe that the IT department has everything protected, whereas social engineering is designed to exploit that exact thought process.
To prevent social engineering attacks, users need to know the methods used and what to look out for. A great article worth reading is this one provided by webroot which highlights a few more countermeasures to social engineering.
In most cases, it’s not possible for organisations to do 1-to-1 training, but putting together a basic set of training videos as part of new employee onboarding or as a way to update all users at once is a good way to quickly raise awareness.
But, how can you check if the knowledge has sunk in?
One idea is to have all employees take a phishing test, for example, like the one provided by OpenDNS linked here, or creating an internal quiz specific to your organisation.
Another option is to perform a company wide simulated phishing test and bait employees to see who falls victim to fake emails in real time.
Using a phishing attack simulator
One of the most common ways our own clients like to train their users is simply to send them simulated scam emails to see which users fall victim. Simulators like Sophos Phish Threat have administration portals where IT admins can monitor how users interact with fake emails which are, in fact, harmless.
Depending on the number of victims who fall for the fake test, an organisation can concentrate their training on smaller groups of users and periodically carry out tests to keep everyone on their toes.
What can IT departments do?
While most of the burden falls on users to protect themselves from being scammed, there are a few technical barriers IT departments can put in place to prevent business systems from being accessed.
The most important is ensuring two factor authentication (2FA) is enabled on all company cloud platforms, email systems and supported servers.
The reason 2FA works so well is that, even if a user hands over their username and password, a hacker would also need the numerical code generated by the user’s mobile device to gain access to a platform.
Two factor authentication codes are usually generated inside a secure application, but can also be sent as text messages (SMS). That’s not to say two factor authentication is unbeatable, but it certainly prevents 99% of standard phishing attacks, especially those aimed at obtaining login details to company property.
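To make concrete why a phished password alone is not enough, here is an added example (not code from the article or from any product it mentions) implementing the time-based one-time password scheme that authenticator apps use, RFC 6238 TOTP on top of RFC 4226 HOTP, with a small login check on top. The user store, the password and the demo secret are constructed; the secret is the RFC 6238 test seed so the generated codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time in `step`-second slots."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    return hotp(key, at // step, digits)


def verify_code(secret_b32: str, submitted: str, at: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current slot plus `window` slots either side (clock drift), comparing in constant time."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = at // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # No early return: every candidate is checked so timing does not reveal which slot matched.
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            ok = True
    return ok


# Constructed demo secret: the RFC 6238 test seed "12345678901234567890", base32-encoded.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

# Constructed user store; a real system stores a password hash, not the password.
USERS = {"alice": {"password": "correct horse battery staple", "totp_secret": DEMO_SECRET}}


def login(username: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass: a phished password without a current code is rejected."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["password"].encode(), password.encode()):
        return False
    return verify_code(user["totp_secret"], code, at)


if __name__ == "__main__":
    now = int(time.time())
    current = totp(DEMO_SECRET, now)
    print("current code:", current)
    print("password only:", login("alice", "correct horse battery staple", "", now))
    print("password + code:", login("alice", "correct horse battery staple", current, now))
```

The important properties for the phishing discussion are visible in the code: the code is derived from a secret that never leaves the device and the server, it changes every 30 seconds, and a code captured by a phishing page stops working as soon as the acceptance window has passed, so an attacker must relay it in real time rather than use it later.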
While the bulk of this article covers one social engineering attack method, there are plenty more to consider as part of an organisation’s security practice.
For example, bold hackers might obtain access to a physical office simply by following an employee through building security checkpoints (known as tailgating).
A user might be enticed to pick up a snazzy, expensive-looking USB flash drive left on a train. There are even mobile device charging cables with malware built in!
The list goes on; there are many exploitative methods hackers might try, but taking a good look at the most obvious ones, like phishing, is certainly the main priority for any organisation.
It may even be a good idea to hire a third-party security specialist who can investigate, test and recommend further security hardening tools and practices.
Ultimately, as long as you are aware of the dangers and have a long-term action plan in place, you’re on the right track.
Has your organisation fallen victim to a phishing attack? I’d love to hear your thoughts, so hit me up in the comments below!