The Days of Social Engineering Attacks Being Reserved for Governments and Organizations With Enemies Are Long Gone.
Social engineering is a sneaky, manipulative type of attack that takes more than just technical skill. There is a psychological and often emotional side to it. A hacker who compromises an organization through social engineering has mastered the art of manipulating people into performing actions or divulging confidential information through a variety of channels, so the victim usually doesn’t know they are being played. Hackers combine social engineering with other forms of attack to breach companies and gather data.
Businesses usually don’t think about social engineering when securing company data, because it isn’t a conventional attack like a DDoS or a web application breach. But social engineering can be brutal, and it turns innocent employees into unwitting accomplices. With over 500 million people engaged in social networking of some kind, social engineering has become much easier to pull off. Add it to the list of attacks your business should be ready for.
Your employees are on Facebook, LinkedIn, Twitter and Quora, and they add personal information to the Web every single day. Most people don’t realize how much of it is available online; we have all become comfortable sharing personal tidbits that used to be reserved for private, face-to-face conversations. This is exactly the fodder social engineers rely on to launch an attack. A quick search of spokeo.com, or any of a number of similar sites, will open anyone’s eyes.
If I were a hacker and wanted to do some recon on a company, I need not look any further than the social sites of their employees. I can use that information to launch a social engineering attack on their company. Here’s how a common scenario might play out:
Let’s assume I am a malicious person and I want to obtain all the user account data and records for a particular organization. Their physical security is relatively good, and my high-level attempts to get any kind of employee information have failed. I have nothing. That’s fine. Let’s hop on LinkedIn and do a company search for this organization. Easy enough: I now have a list of potential targets, their job titles, employment histories, education, affiliated organizations, business contacts and in some cases their pictures. Big deal, you say? This type of information is invaluable when profiling targets. With it I can narrow the list to a few people based on what I am after, pull up more intimate information about their family, friends and hobbies on Facebook, and end up with a very specific profile of each one. Armed with that, it would be easy to spoof a text message from a business contact or spouse asking them to visit a website hosting malware and exploits, or to use their hobbies to entice them to click a link or open an attachment in a carefully crafted email that plants malware on their machine. On a more advanced, and far more nefarious, level I could build a geolocation profile from the location data embedded in their posts and photos. Then all I have to do is wait for someone to work from a coffee shop and step away from their briefcase for a moment, and slip in a USB drive loaded with auto-executing binaries that they will eventually plug into a computer. This all sounds very “Mission Impossible”, but I assure you it’s entirely possible and happens often enough to warrant attention.
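The geolocation-profile step in that scenario is the one part that is purely mechanical, so here is what it looks like in code. This is an added example, not the article author’s code: a small Python parser that walks a JPEG’s marker segments, finds the Exif APP1 block, follows the GPS IFD pointer (tag 0x8825) and converts the GPSLatitude/GPSLongitude rationals into signed decimal degrees, plus the defensive counterpart that strips the Exif segment before a photo is shared. The “photo” it runs on is constructed inline (a bare SOI marker, one Exif segment carrying a GPS IFD, and an EOI marker, with no image data) so the script runs offline; the coordinates in it are invented.

```python
"""Extract, and scrub, GPS coordinates from a photo's Exif block.
Added example, not the article author's code; the sample "photo" is constructed
(SOI, one Exif APP1 segment with a GPS IFD, EOI; no image data) and the coordinates
are invented."""
import struct
from typing import Optional, Tuple

GPS_IFD_POINTER = 0x8825                          # IFD0 tag pointing at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 0x1, 0x2, 0x3, 0x4   # GPS IFD tags
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type

def jpeg_segments(jpeg: bytes):
    """Yield (marker, start, end) for each length-prefixed segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI / SOS: metadata is behind us
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + seg_len
        pos += 2 + seg_len

def is_exif_segment(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def read_ifd(tiff: bytes, offset: int, bo: str) -> dict:
    """{tag: (type, count, 4-byte value-or-offset field)} for one IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, at)
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries

def entry_bytes(tiff: bytes, entry, bo: str) -> bytes:
    """Inline value when it fits in the 4-byte field, otherwise follow the offset."""
    typ, count, raw = entry
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(bo + "I", raw)
    return tiff[off:off + size]

def dms_to_decimal(tiff: bytes, entry, ref: str, bo: str) -> float:
    """Three RATIONAL deg/min/sec pairs -> signed decimal degrees (S and W negative)."""
    nums = struct.unpack(bo + "6I", entry_bytes(tiff, entry, bo))
    deg, minutes, seconds = (nums[i] / nums[i + 1] for i in range(0, 6, 2))
    decimal = deg + minutes / 60 + seconds / 3600
    return -decimal if ref in ("S", "W") else decimal

def extract_gps(jpeg: bytes) -> Optional[Tuple[float, float]]:
    """(latitude, longitude) in decimal degrees, or None when the photo has no GPS data."""
    tiff = None
    for marker, start, end in jpeg_segments(jpeg):
        if is_exif_segment(jpeg, marker, start):
            tiff = jpeg[start + 10:end]
            break
    if tiff is None:
        return None
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte order from the TIFF header
    (ifd0_off,) = struct.unpack_from(bo + "I", tiff, 4)
    ifd0 = read_ifd(tiff, ifd0_off, bo)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(bo + "I", entry_bytes(tiff, ifd0[GPS_IFD_POINTER], bo))
    gps = read_ifd(tiff, gps_off, bo)
    if not {LAT_REF, LAT, LON_REF, LON} <= set(gps):
        return None
    ref = lambda tag: entry_bytes(tiff, gps[tag], bo).rstrip(b"\x00").decode("ascii")
    return (dms_to_decimal(tiff, gps[LAT], ref(LAT_REF), bo),
            dms_to_decimal(tiff, gps[LON], ref(LON_REF), bo))

def strip_exif(jpeg: bytes) -> bytes:
    """Defensive counterpart: drop the Exif APP1 segment before a photo is shared."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in jpeg_segments(jpeg):
        if not is_exif_segment(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])                  # scan data and EOI pass through

def build_sample_jpeg() -> bytes:
    """Constructed photo whose GPS IFD says 37 46' 29.64" N, 122 25' 9.84" W.
    TIFF layout: header @0 | IFD0 @8 | GPS IFD @26 | lat rationals @80 | lon rationals @104"""
    bo = "<"
    ifd0 = struct.pack(bo + "HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
    gps = struct.pack(bo + "H", 4)
    gps += struct.pack(bo + "HHI", LAT_REF, 2, 2) + b"N\x00\x00\x00"
    gps += struct.pack(bo + "HHII", LAT, 5, 3, 80)
    gps += struct.pack(bo + "HHI", LON_REF, 2, 2) + b"W\x00\x00\x00"
    gps += struct.pack(bo + "HHII", LON, 5, 3, 104) + struct.pack(bo + "I", 0)
    lat = struct.pack(bo + "6I", 37, 1, 46, 1, 2964, 100)
    lon = struct.pack(bo + "6I", 122, 1, 25, 1, 984, 100)
    payload = b"Exif\x00\x00" + b"II" + struct.pack(bo + "HI", 42, 8) + ifd0 + gps + lat + lon
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

On the constructed photo, `extract_gps(build_sample_jpeg())` returns `(37.7749, -122.4194)` and `extract_gps(strip_exif(build_sample_jpeg()))` returns `None`. Run `extract_gps` over a directory of someone’s public photos and you have the raw material for the geolocation profile described above; run `strip_exif` over your own before they leave your machine and there is nothing to harvest. Some social networks strip Exif on upload, but images shared through email, messaging apps or personal sites usually keep it, and real Exif blocks also carry timestamps and altitude alongside the coordinates.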
The possibilities for social engineering are numerous, and employees tend to leave their own breadcrumbs. Similar situations have already happened. Just last month $150,000 was stolen from a US business via a social engineering attack. According to an FBI alert, "The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company." The alert continues: "The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud U.S. businesses."
And in August, at the 2011 Defcon conference in Las Vegas, a social engineering contest showed how exposed companies are when participants were able to obtain data from Oracle, Apple and AT&T through untrained and unsuspecting employees.
What Can be Done to Prevent Social Engineering?
The key to preventing a social engineering attack lies in the training and trust of your employees. Security is no longer just a problem for the IT department to solve – it’s company-wide and everyone has to do their part.
• Implement some form of regularly recurring security awareness training for your entire company that includes information on social engineering. ‘Recurring’ is the key word – don’t allow employees to become complacent.
• Create, implement and enforce a social media policy for your organization. Educate employees on the risks of social media sharing and its potential to damage both the organization and their personal lives. Reference pleaserobme.com and include specific do’s and don’ts.
• Use a positive (default-deny) security model and administer privileges with a ‘least-access-necessary’ mindset. Fewer people with access to sensitive data, both at the network level and at the logical access level, significantly reduces your risk of losing data in a social engineering attack: a manipulated employee can only hand over what their own account can reach.
It used to be believed that social engineering was reserved for governments and organizations with enemies. However, it’s becoming as mainstream as any other kind of cybercrime and social media is making it far easier to stage an attack. The answer lies in education of the workforce, and, as with any other type of security measure, diligence.