Is social engineering on the rise? Microsoft seems to think so. It recently used data compiled by its antimalware products to support its claim that the proliferation of social engineering schemes is offsetting the decline of exploitable software defects. Remotely addressable flaws fell 70 percent between 2010 and 2013, while Trojan horses – a common payload for social engineering campaigns – became the leading category of malware during the final quarter of 2013.
There's no doubt that social engineering is a particularly effective strategy for cybercriminals, who can leverage newsworthy events and popular phenomena to trick end-users into visiting malware-laden sites. The April 15 tax filing deadline in the U.S. is a notorious magnet for these types of schemes. The Internal Revenue Service has even issued its own guidance for handling calls and messages from imposters seeking to extract sensitive information from taxpayers, especially immigrants.
Why does social engineering work?
The IRS incidents are par for the course, in that they exemplify the mix of official-sounding rhetoric and material threats (in their case, deportation and/or fines) that are employed to convince users to give in. Trend Micro's "5 Reasons Social Engineering Tricks Work" boiled down what makes these schemes so successful, pointing out that:
- Cybercriminals often take advantage of headline events such as natural disasters, laying traps by posting "can't miss" videos or photos to social media to get users to click, only to then be redirected to a phishing site
- Celebrity news is a major source of tabloid-style stories that actually link to malicious domains
- Holidays such as Christmas are prime opportunities for cybercriminals to promote limited-time plugins or amenities that actually include malware
- Emails may be strewn with urgent-sounding language in order to pressure recipients into following suspicious links
- Social media overall is ripe for carefully orchestrated attacks that may entice users by promising them special features through the entry of specific codes
For these reasons and others, social engineering is highly successful and unlikely to wane in popularity in the near term. Going forward, it will be crucial for individuals and businesses to protect their assets through best practices for handling social media and email, as well as with the help of cybersecurity software such as Trend Micro OfficeScan.
"Socially engineered malware is one of the biggest threats today – people getting tricked into going to sites and downloading," stated Randy Abrams, research director at NSS Labs, according to GCN. "There's a variety of social engineering techniques and payloads."
Social engineering picks up slack from software exploits
There is no shortage of zero-day exploits out there, especially with Microsoft Windows XP no longer receiving official support. However, people may be more likely to be confronted with social engineering schemes than to fall victim to zero-day threats during the short periods before they are found and addressed. While zero-days rose as a share of all software vulnerabilities in 2013 according to Microsoft's findings, the overall tally of flaws continued a years-long drop.
At the same time, perpetrators of social engineering have learned some new tricks. Schemes have been updated with new payloads and techniques, including but not limited to:
- Advanced ransomware – CryptoLocker was one of the most innovative threats to emerge last year, combining strong encryption with a countdown timer and a Bitcoin-centric payment system. Social engineering excels in scaring its victims, and the prospect of losing critical work due to the destruction of an encryption key is enough to persuade many to just pay up.
- Leveraging of breached data – data breaches aren't just PR nightmares for organizations; they're also a source of potential leads for cybercriminals looking to extract additional money and information. For example, a breach involving Social Security numbers could give attackers just enough details to give their communications with targets an authoritative edge.
- Robocalls and interactive voice recordings – another means of sounding stern and official, automated calls and IVR have become sophisticated enough to get individuals to hand over credit card numbers, voicemail passwords and other data. Furthermore, caller IDs are frequently manipulated to hide the source of the call.
In addition, attackers have been taking advantage of a growing range of events, including funerals. Sometimes, a single scheme may involve multiple advanced techniques, as was the case with the "Francophoned" campaign chronicled by security researchers in 2013 and 2014. That incident featured standard phishing emails, with a twist – recipients would often also get follow-up calls from someone claiming to be the person listed as the email sender.
Such plans require a great deal of reconnaissance and skill, and it is this level of social engineering, rather than the actual payload, that makes these attacks so dangerous. Francophoned recently shifted from a remote access Trojan to a newer Trojan that includes capabilities for cryptocurrency mining and distributed denial of service attacks, but it retained the social engineering aspects that made it so notable in the first place.
Staying on top of social engineering attacks
Social engineering takes many forms, from clickbait news stories to official-looking graphic design that imitates Web properties such as social networks and medical websites. Staying on top of every new technique is a tall task.
However, individuals and organizations can get a grip on social engineering by using cybersecurity solutions such as Trend Micro OfficeScan to catch malware and by supporting education initiatives to keep everyone updated on the organization's situation. By combining these strategies, companies put themselves in a good position to protect all assets from the rise of social engineering.
"Both testing and training have to be a continuous and never-ending process," stated Trend Micro senior threats researcher Jim Gogolinski in a blog post. "Social engineering attacks, as with all attacks, only become stronger over time. Employees join and leave the company, or change their roles. A truly effective training program has to keep all of these in mind in order to protect an organization for the long haul."