It begins with a baited hook.
It could be a link posted on social media that appears to lead to a subject of interest. It could be the sudden arrival of an emailed invoice. Whatever the ploy, social engineering is the opening salvo in targeted attacks against organizations all over the world. Sometimes the social engineering begins with an email; other times it may involve Facebook, or it may begin with a phone call.
That last scenario was found to be the case in the recent attack on Tesla Motors. A Tesla spokesperson told SecurityWeek that a hacker posed as a Tesla employee, called AT&T customer support and tricked them into forwarding calls to an illegitimate phone number. At that point, the impostor contacted the domain registrar company that hosts teslamotors.com, Network Solutions, and using the forwarded number, added a bogus email address to the Tesla domain admin account.
According to the spokesperson, the impostor then reset the password of the domain admin account, routed most of the site’s traffic to a spoofed website and temporarily gained access to the Twitter accounts of both the company and its CEO Elon Musk.
“Attackers are constantly evolving their techniques to evade detection and trick even the savviest of users,” said Rohyt Belani, CEO at PhishMe.
“A prominent example of improved social engineering can be found in ‘double-barrel’ or conversational phishing,” he said. “This tactic features two emails: a benign email or lure that builds trust with the recipient and a phishing email that delivers the attack. The constant evolution of attack tactics makes it important to implement a continuous training program that exposes your workforce to the latest attack techniques.”
A recent study by Proofpoint found that sales, finance and procurement were the worst offenders when it came to clicking links in malicious messages. According to Proofpoint, they clicked on the links 50 to 80 percent more frequently than the average departmental click rate. The study used a statistical sample of tens of billions of emails, taken from a larger corpus used by a worldwide customer base. The results reflect data correlations across roughly one trillion data points, with experts analyzing numerous elements per email such as header information, embedded URL and click data.
“The data suggests that information overload and the degree of expected external interaction both play a role in malicious click susceptibility,” said Kevin Epstein, vice president of advanced security and governance at Proofpoint. “The top three clickers — sales, finance, and procurement — all received the most malicious mail, and are also by their nature functions chartered with responding to large amounts of external communications from never-before-seen sources. Employees in such functions would naturally be prone to be less suspicious of well-constructed phishing email.”
The study also found that the peak hours for end users clicking on malicious links are between 10am and 6pm ET. End users were also found to click 17 percent more on Tuesdays than on other weekdays.
“Long gone are the days of a Nigerian Prince emailing people with a plethora of grammar and spelling errors,” said Candis Orr, senior security analyst at Bishop Fox. “Today, attackers can impersonate a well-known company, like a major bank, by acquiring a similar domain to the company, cloning the company’s website, and cloning one of their regular emails where the only difference would be the destination of the included links. Many people cannot tell phishing emails apart from the legitimate ones, so they unfortunately fall for them.”
Most security awareness training done today is very poor, Orr said.
“Companies send out security emails or put up posters and consider that to be training so they can maintain compliance with their required frameworks,” she said. “It has become apparent that meeting the minimum requirements necessary for compliance is no longer sufficient for security. Employees need to know what they should and should not do, as well as whom to contact when incidents occur. Companies need better training practices that are more interactive and educational. They should also try to reward employees who report suspicious emails and phone calls, instead of firing or disciplining those who fail.”
A security awareness program should focus on all employees but also be tailored to risk areas, said James Lyne, global head of security research at Sophos. Executives, anyone with interesting data, and those who are in the public eye are natural targets and should be given extra focus, he said. Sales and HR people who frequently receive documents or emails from unknown sources are also a particular challenge and should be well versed in the dos and don’ts, and in how to report it when things go wrong, he added.
PhishMe’s Belani said that while a salesperson may not analyze the technical aspects of a phishing email, they can be trained to be suspicious of receiving a purchase order they weren’t expecting or from an organization they aren’t familiar with. If they pass this suspicious email on to the security team, “suddenly they are an asset instead of a liability,” he said.
“It has been long understood that people are one of the major weak links in security defense and that attackers exploit this,” Lyne said, explaining that many people believe all scams are trivial to spot due to bad spelling, links or other defects.
“While plenty of criminals conform to this profile, many, particularly more targeted attackers, do not,” he said.
Training alone, however, will not address the issue, Epstein said.
“Training has an impact in reducing clicks, but what the report shows is that it’s not sufficient on a standalone basis — there’s a clear need for targeted attack protection, and more importantly, automated threat response,” he said.