A month in the life of a social engineer – part one
With hackers finding more ingenious ways to exploit human flaws, we get inside the planning stages of a social engineering attack


With social engineering set to plague 2022, understanding cyber criminals’ tactics, and the mistakes they make, might help us defend against their efforts. The final entry in our four-part series reveals how to avoid devastating consequences when a social engineer pulls the trigger.
Once an attacker has tricked an employee into compromising a corporate network, you might be forgiven for thinking the social engineering exercise is over. This process can, however, carry on for years without the target organisation, or even those within its global supply chain, ever knowing.
SolarWinds was a cleverly identified target. Once attackers had established a backdoor in SolarWinds' code, they moved automatically into the networks of its clients, including Microsoft, as those clients updated their software. The malware roamed through US computer networks for at least nine months undetected.
It's difficult to predict how regularly this happens in other supply chains. Once a social engineer has installed a backdoor, they can then come and go; studying transactions, monitoring communications, gathering information about customers and clients, and even collecting audio samples to use in a deepfake attack. All this activity allows the cycle of infiltration and manipulation to continue undetected.
Look and learn
Even in relatively simple attacks, the social engineer will bide their time between the initial compromise and making off with data or money. Kevin Curran, senior IEEE member and professor of cyber security at Ulster University, points to a cash theft from a law firm. First, an employee was tricked into downloading malware to the company's Microsoft Exchange network. The attacker then spent weeks patiently studying the servers, before finally using what they learned to craft a second fake message, this time to steal a mortgage deposit.
Once hackers established a backdoor into SolarWinds, they remained undetected for months
"They were hiding in plain sight," says Curran. "From reading emails, they knew when a deposit transfer would be legitimate and what it would look like. The client knew they'd have to send £40,000, so they were expecting it. And, of course, they sent the money off to the wrong account. A few days later, they rang up the law firm and said: 'Did you get the deposit?' They hadn't; the money was completely gone."
Sophisticated malware is able to delete itself and its audit trails once the attack is done, but most malware stays on the system and is never found, says Curran. "Your average IT administrator would find it really hard to detect a backdoor. We have intrusion detection and prevention systems, we have SIEMs (real-time monitoring) software that looks for outliers and nefarious activity as such, but it's generally impossible. There's literally millions of packets of data flowing through a corporate network every second. How do you control and monitor every single subsystem?"
Carry on conning
Most social engineering attacks end with the theft of data. The attacker also has to monetise the stolen data, for instance by using it to scam the company's customers, or in the next stage of a supply-chain attack. Often, though, they'll sell it to third parties and then fence their ill-gotten goods. This helps to lower the risk while maximising profit in the shortest possible time.
Ransomware is a particularly efficient way to monetise a social engineering attack. With 84% of US organisations reporting phishing or ransomware incidents in July last year, according to Trend Micro, it seems attackers frequently use both tactics. Indeed, running a ransomware operation requires good human manipulation skills. A carefully crafted ransomware demand can tie the victim into a long-term hostage arrangement that keeps on paying.
"A lot of companies pay the ransom secretly, because they don't want to damage their brands," former fraudster and We Fight Fraud founder Tony Sales tells IT Pro. "That's dangerous, because now you're in an agreement with a criminal who owns you forever. It's like criminals getting an officer under their wing in prison."
Tony Sales is a former fraudster and founder of We Fight Fraud
What's the answer? Security software can't stop human manipulation, but it can block the technical exploit, so antivirus remains vital. Email security solutions can keep malicious messages at bay, but they need to be configured carefully. Two-factor authentication (2FA), disabling remote access to unnecessary servers, and bringing in audio passwords to defeat deepfakes will all help.
Tech solutions are only effective if staff are able to use them, however, cautions Sales, whose organisation trains companies and employees to spot attackers' tricks. "The tech guys understand all that stuff, but not poor old Bob or Sheila who gets caught out on the company email they've been using forever," he says. "Security is convoluted and complex, and that's part of the problem."
Perhaps the answer is to fight social engineering with social engineering. Don't blame employees for falling for phishing tricks, or exclude them from security decisions. Instead, get them involved. One "highly effective" option is to encourage staff to report suspected phishing attempts, finds a 2021 F-Secure report. A full one-third (33%) of emails reported by staff as suspicious were, indeed, malicious.
Harnessing your employees’ eagerness to excel at their jobs, and their desire to be involved in decisions, before a criminal has the chance to exploit those very qualities, is among the most viable routes to overcoming a social engineer in action.
Jane Hoskyn has been a journalist for over 25 years, with bylines in Men's Health, the Mail on Sunday, BBC Radio and more. In between freelancing, her roles have included features editor for Computeractive and technology editor for Broadcast, and she was named IPC Media Commissioning Editor of the Year for her work at Web User. Today, she specialises in writing features about user experience (UX), security and accessibility in B2B and consumer tech. You can follow Jane's personal Twitter account at @janeskyn.