
Social engineering attacks on the rise, part 2: social media and Iranian schemes

  • Posted on: June 24, 2014
  • Posted in: Industry News, Vulnerabilities & Exploits
  • Posted by: Trend Micro

In a recent entry, we examined the growing prevalence of social engineering as a tactic in cybercrime. Social engineering is a technical term for tricking computer users into taking actions that they would have been unlikely to perform of their own volition. For example, a social engineering victim may be conned into clicking on a link that promises entry into a get-rich-quick scheme but that actually redirects to a phishing site, where sensitive data such as location, account username and password may be harvested.

Why has social engineering become widely used? 
To cybercriminals, social engineering is appealing in part because individual schemes can be crafted in response to current events, including major news, seasonal sporting events, celebrity updates, promotions and scary ruses. As such, these campaigns can take advantage of people’s curiosities and fears and lead them into harm’s way. A recent Trend Micro infographic broke down how easy it is to do effective social engineering:

  • When Osama bin Laden was killed by U.S. forces in Pakistan in 2011, a malicious script masquerading as video of the incident surfaced on Facebook a mere three hours after the news broke. There was similar velocity for traps that piggybacked off of the 2011 earthquakes in Japan.
  • Sometimes, cybercriminals play the long game, setting up websites and sending out materials years in advance of major events such as the 2012 London Summer Olympics. These mechanisms may con victims into giving away personal information in hopes of purchasing early tickets.
  • There are also many medium-term opportunities, such as tax filing season in the U.S. In March 2014, the Internal Revenue Service warned Americans of fraudulent emails purporting to be from the legitimate Taxpayer Advocate Service, which as a rule does not communicate with taxpayers via email, text or social media.

With the rise of social media, social engineering has only become easier. Would-be attackers can leverage trending hashtags on Twitter and create “must see” posts on Facebook and other channels that entice viewers with linkbait headlines. At the same time, age-old maneuvers such as fake holiday cards and spam email are still commonplace, making social engineering one of the most versatile cybercrime tactics.

While schemes such as the infamous “Nigerian prince” hoax and basic “click here now” email spam may seem both silly and small-time, social engineering has actually become a real threat, even to large companies and government agencies. The recent eBay breach, which caused the online marketplace to ask its 128 million users to reset their account passwords, was initiated by successful phishing of eBay employee login credentials. Cybercriminals increasingly go to extraordinary lengths to gain the trust of their targets and ultimately bypass network security.

Iranian spies used fake social media profiles, news sites to lure U.S. government officials
How the eBay hackers deceived eBay employees into divulging their logins is unclear, although the incident suggests the absence of two-factor authentication mechanisms that possibly could have prevented rogue access. For a clearer indication of the types of social engineering now in vogue, look at the recent revelation of a years-long Iranian scheme, dubbed Newscaster, targeting U.S. officials:

  • Iranian hackers connected to targets via a variety of social media sites, including Facebook, Twitter, Google and LinkedIn. Their efforts were so extensive that some of their fake LinkedIn accounts received endorsements for specific skills. Profiles featured titles such as defense contractor and systems administrator.
  • A website named NewsOnAir.org was created to legitimize the fake accounts. The social media personae often shared stories to the site, which was registered in Tehran and tied to Iranian IP addresses.
  • Operatives crafted data-scraping websites that closely resembled the login pages for Microsoft Outlook Web Access, Yahoo and Google. This methodology is a classic social engineering move, designed to fool the victim from start (misleading news story/link) to finish (deceptively designed credential collection portal).

“When it comes to the high-value targets, [attackers] went after numerous contacts of the targets to try to befriend them,” John Hultquist, cyberespionage and intelligence expert at iSight, told SCMagazine.com. “It sort of snowballed in their favor as a result, to the point where we actually saw people on LinkedIn endorsing these personas for their skills.”

The campaign may have begun as early as 2011, and it targeted intel about diplomatic and military affairs in the U.S. This sophisticated use of social engineering underscores Iran’s rise as a preeminent hacking nation, as well as the marked evolution of tactics from simple scams to dedicated, patient schemes that invest heavily in winning trust while eluding suspicion.

Battening down the hatches against the social engineering storm
The fundamental problem with addressing social engineering in the enterprise is that it only takes one slip-up for attackers to succeed. An organization can have advanced cybersecurity solutions in place, but if one employee falls for a well-crafted social media post or becomes entangled in an elaborate online trap, then even these defenses may become ineffective.

The prospect of social engineering has become more worrisome as major breaches, such as the ones at Target and eBay, provide cybercriminals with troves of data that can be re-purposed as part of a highly targeted attack. Enterprises have to refocus their security efforts on humans, not just networks and databases.

“The lowest hanging fruit is still humans,” stated Ken Westin, security researcher at Tripwire, according to PCWorld. “As long as attacks against humans still work consistently attackers will use them on their own, or as part of sophisticated, integrated campaigns.”

Rather than bombard targets with generic “Dear Sir/Madam”-style missives, attackers can increasingly create customized messages that seem almost normal in the deluge of everyday business communications. Companies already have some tools that can help catch dangerous items – spam filters, attachment scanning – but the challenge is a broad one, with employee usage of social media and unsecured mobile devices creating new risks. A combination of technical cybersecurity solutions and employee training is needed to beat back the tide of social engineering.

Read Part 1 – Social Engineering Attacks
