In a recent entry, we examined the growing prevalence of social engineering as a tactic in cybercrime. Social engineering is a technical term for tricking computer users into taking actions that they would have been unlikely to perform of their volition. For example, a social engineering victim may be conned into clicking on a link that promises entry into a get-rich-quick scheme but that actually redirects to a phishing site, where sensitive data such as location, account username and password may be harvested.
Why has social engineering become widely used?
To cybercriminals, social engineering is appealing in part because individual schemes can be crafted in response to current events, including major news, seasonal sporting events, celebrity updates, promotions and scary ruses. As such, these campaigns can take advantage of people’s curiosities and fears and lead them into harm’s way. A recent Trend Micro infographic broke down how easy it is to do effective social engineering:
- When Osama bin Laden was killed by U.S. forces in Pakistan in 2011, a malicious script masquerading as video of the incident surfaced on Facebook a mere three hours after the news broke. There was similar velocity for traps that piggybacked off of the 2011 earthquakes in Japan.
- Sometimes, cybercriminals play the long game, setting up websites and sending out materials years in advance of major events such as the 2012 London Summer Olympics. These mechanisms may con victims into giving away personal information in hopes of purchasing early tickets.
- There are also many medium-term opportunities, such as tax filing season in the U.S. In March 2014, the Internal Revenue Service warned Americans of fraudulent emails purporting to be from the legitimate Taxpayer Advocate Service, which as a rule does not communicate with taxpayers via email, text or social media.
With the rise of social media, social engineering has only become easier. Would-be attackers can leverage trending hashtags on Twitter and create “must see” posts on Facebook and other channels that entice viewers with linkbait headlines. At the same time, age-old maneuvers such as fake holiday cards and spam email are still commonplace, making social engineering one of the most versatile cybercrime tactics.
While schemes such as the infamous “Nigerian prince” hoax and basic “click here now” email spam may seem both silly and small-time, social engineering has actually become a real threat, even to large companies and government agencies. The recent eBay breach, which caused the online marketplace to request its 128 million users to reset their account passwords, was initiated by successful phishing of eBay employee login credentials. Cybercriminals increasingly go to extraordinary lengths to gain the trust of their targets and ultimately bypass network security.
Iranian spies used fake social media profiles, news sites to lure U.S. government officials
How the eBay hackers deceived eBay employees into divulging their logins is unclear, although the incident suggests the absence of two-factor authentication mechanisms that possibly could have prevented rogue access. For clearer indication of the types of social engineering now in vogue, look at the recent revelation of a years-long Iranian scheme, dubbed Newscaster, targeting U.S. officials:
- Iranian hackers connected to targets via a variety of social media sites, including Facebook, Twitter, Google and LinkedIn. Their efforts were so extensive that some of their fake LinkedIn accounts received endorsements for specific skills. Profiles featured titles such as defense contractor and systems administrator.
- A website named NewsOnAir.org was created to legitimize the fake accounts. The social media personae often shared stories to the site, which was registered in Tehran and tied to Iranian IP addresses.
- Operatives crafted data-scraping websites that closely resembled the login pages for Microsoft Outlook Web Access, Yahoo and Google. This methodology is a classic social engineering move, designed to fool the victim from start (misleading news story/link) to finish (deceptively designed credential collection portal).
“When it comes to the high-value targets, [attackers] went after numerous contacts of the targets to try to befriend them,” John Hultquist, cyberespionage and intelligence expert at iSight, told SCMagazine.com. “It sort of snowballed in their favor as result, to the point where we actually saw people on LinkedIn endorsing these personas for their skills.”
The campaign may have begun as early as 2011, and it targeted intel about diplomatic and military affairs in the U.S. This sophisticated use of social engineering underscores Iran’s rise as a preeminent hacking nation, as well as the marked evolution of tactics from simple scams to dedicated, patient schemes that invest heavily in winning trust while eluding suspicion.
Battening down the hatches against the social engineering storm
The fundamental problem with addressing social engineering in the enterprise is that it only takes one slip-up for attackers to succeed. An organization can have advanced cybersecurity solutions in place, but if one employee falls for a well-crafted social media post or becomes entangled in an elaborate online trap, then even these defenses may become ineffective.
The prospect of social engineering has become more worrisome as major breaches, such as the ones at Target and eBay, provide cybercriminals with troves of data that can be re-purposed as part of a highly targeted attack. Enterprises have to refocus their security efforts on humans, not just networks and databases.
“The lowest hanging fruit is still humans,” stated Ken Westin, security researcher at Tripwire, according to PCWorld. “As long as attacks against humans still work consistently attackers will use them on their own, or as part of sophisticated, integrated campaigns.”
Rather than bombard targets with generic “Dear Sir/Madam”-style missives, attackers can increasingly create customized messages that seem almost normal in the deluge of everyday business communications. Companies already have some tools that can help catch dangerous items – spam filters, attachment scanning – but the challenge is a broad one, with employee usage of social media and unsecured mobile devices creating new risks. A combination of technical cybersecurity solutions and employee training is needed to beat back the tide of social engineering.