Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Social Media Makes Way for Social Engineering

Social Engineering Threats

The Days of Social Engineering Attacks Being Reserved for Governments and Organizations With Enemies Are Long Gone. 

Social Engineering Threats

The Days of Social Engineering Attacks Being Reserved for Governments and Organizations With Enemies Are Long Gone. 

Social engineering is a sneaky, manipulative type of attack that takes more than just technical skill. There’s a psychological and often emotional aspect that accompanies it. A hacker who compromises an organization through social engineering has mastered the art of manipulating people into performing actions or divulging confidential information through various mediums. So usually, the victim doesn’t know they’re being played. Hackers will use social engineering techniques in combination with other forms of attack to breach companies and gather data.

Businesses usually don’t think about social engineering when securing the company’s data, as it’s not a common attack such as DDoS or Web application firewall breaches. But social engineering can be brutal and it makes unknowing conspirators out of innocent employees. With over 500 million people engaged in social networking of some kind, social engineering becomes much easier to accomplish. Add social engineering to the list of attacks businesses should be ready for.

Your employees are on Facebook, LinkedIn, Twitter and Quora, and they are adding personal information to the Web every single day. Most people don’t realize how much personal information is available online. Needless to say, we’ve all become comfortable sharing personal tidbits that used to be reserved for private, face-to-face conversations. This is the kind of fodder that social engineers rely on to launch an attack. A simple search of spokeo.com or any other of a number of sites will pull the wool off of anyone’s eyes really quick.

If I were a hacker and wanted to do some recon on a company, I need not look any further than the social sites of their employees. I can use that information to launch a social engineering attack on their company. Here’s how a common scenario might play out:

Targeted Social Engineering

Let’s assume I am a malicious person and I want to obtain all the user account data and records for a particular organization. Their physical security is relatively good, and I have failed at high level attempts to get any kind of employee information. I have nothing. That’s fine. Let’s hop on LinkedIn and do a company search for this organization. Easy enough – I now have a list of potential targets, their job titles, employment histories, education history, affiliated organizations, business contacts and in some cases their pictures. Big deal you say? This type of information is invaluable when profiling your targets. With the information here, I can narrow down a few targets based on what I am trying to find, pull up more intimate information regarding their family, friends and hobbies on Facebook and have a very specific profile on the potential targets. Armed with this information, it would be easy to spoof a text message from a business contact or spouse asking them to visit a website containing malware and exploits. I could use their hobby information to entice them to click a link or open an attachment from a carefully crafted email that allows me to plan a virus. On a more advanced level and far more nefarious level, I could build a geolocation profile from embedded location information in posts and photos. Then all I have to do it wait for someone to work at a coffee shop and step away from their briefcase for a moment to slip in a USB drive loaded with auto-executable binaries that they’ll eventually plug in to a computer. This all sounds very “Mission Impossible” but I assure you, it’s highly possible and happens enough to pay attention.

The possibilities for social engineering are numerous, and employees tend to leave their own breadcrumbs. Similar situations have already happened. Just last month $150,000 was stolen from a US business via a social engineering attack. According to an FBI Alert, “The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company,” the FBI alert reads. “The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud U.S. businesses.”

And in August at the 2011 Defcon conference in Las Vegas, a hacker contest revealed social engineering vulnerabilities when contest participants were able to access data from Oracle, Apple, and AT&T through uneducated and naive employees.

Advertisement. Scroll to continue reading.

What Can be Done to Prevent Social Engineering?

The key to preventing a social engineering attack lies in the training and trust of your employees. Security is no longer just a problem for the IT department to solve – it’s company-wide and everyone has to do their part.

• Implement some form of regularly recurring security awareness training for your entire company that includes information on social engineering. ‘Recurring’ is the key word – don’t allow employees to become complacent.

• Create, implement and enforce a social media policy for your organization. Educate employees on potential risks associated with social media sharing and their potential for causing damages to the organization and the employees personal life. Reference pleaserobme.com and Include specific do’s and don’ts.

• Ensure you are using a positive security model logically and administer privileges with a ‘least-access-necessary’ mindset. Less people with access to sensitive data both from a network standpoint and a logical access standpoint significantly reduces your risk in losing data in a social engineering attack.

It used to be believed that social engineering was reserved for governments and organizations with enemies. However, it’s becoming as mainstream as any other kind of cybercrime and social media is making it far easier to stage an attack. The answer lies in education of the workforce, and, as with any other type of security measure, diligence.

Related Reading: Social Engineering is Alive and Well. How Vulnerable is Your Organization?

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...