
A month in the life of a social engineer – part four

The final part of our series focuses on turning access into attack – and why cyber criminals may never leave your system

With social engineering set to plague 2022, understanding cyber criminals’ tactics, and the mistakes they make, might help us defend against their efforts. The final entry in our four-part series reveals how to avoid devastating consequences when a social engineer pulls the trigger.

Once an attacker has tricked an employee into compromising a corporate network, you might be forgiven for thinking the social engineering exercise is over. This process can, however, carry on for years without the target organisation, or even those within its global supply chain, ever knowing.

SolarWinds was a carefully chosen target. Once the attackers had inserted a backdoor into the build of SolarWinds' Orion software, the poisoned update carried it automatically into the networks of thousands of customers, including Microsoft, as they installed it; the attackers then picked which of those networks to explore further by hand. The backdoor sat inside US computer networks for at least nine months before anyone detected it.

It's difficult to say how often this happens in other supply chains. Once a social engineer has installed a backdoor, they can come and go as they please: studying transactions, monitoring communications, gathering information about customers and clients, and even collecting audio samples to use in a deepfake attack. All this activity allows the cycle of infiltration and manipulation to continue undetected.

Look and learn

Even in relatively simple attacks, the social engineer will bide their time between the initial compromise and making off with data or money. Kevin Curran, senior IEEE member and professor of cyber security at Ulster University, points to a cash theft from a law firm. First, an employee was tricked into downloading malware onto the firm's network, giving the attacker access to its Microsoft Exchange email. The attacker then spent weeks patiently reading what passed through those servers, before finally using what they had learned to craft a second fake message, this time to steal a mortgage deposit.

[Image: SolarWinds logo on the side of a building (Shutterstock). Caption: Once hackers established a backdoor into SolarWinds, they remained undetected for months]

"They were hiding in plain sight," says Curran. "From reading emails, they knew when a deposit transfer would be legitimate and what it would look like. The client knew they'd have to send £40,000, so they were expecting it. And, of course, they sent the money off to the wrong account. A few days later, they rang up the law firm and said: “Did you get the deposit?” They hadn't; the money was completely gone."

Sophisticated malware is able to delete itself and its audit trails once the attack is done, but most malware stays on the system and is never found, says Curran. "Your average IT administrator would find it really hard to detect a backdoor. We have intrusion detection and prevention systems, we have SIEM (real-time monitoring) software that looks for outliers and nefarious activity as such, but it's generally impossible. There are literally millions of packets of data flowing through a corporate network every second. How do you control and monitor every single subsystem?"
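Curran's point that a SIEM hunts for outliers among millions of packets is, in practice, what backdoor detection comes down to. One outlier worth hunting for is beaconing: an implant that phones home on a fixed timer, with requests of near-identical size, regardless of what the user is doing. The Python script below is an added example, not code from IT Pro or from anyone quoted in this series. It runs over a handful of constructed proxy-log lines (a workstation contacting a fictitious update-cdn.example every five minutes, mixed with ordinary browsing from two hosts) and flags source/destination pairs whose connection intervals and request sizes are suspiciously regular. The log format, host names and thresholds are all assumptions made for the example.

```python
"""Beacon detection over proxy-style connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines in an assumed format:
#   "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
# 10.0.0.5 -> update-cdn.example every ~300 s with ~410-byte requests is the
# planted beacon; everything else is irregular "human" traffic.
SAMPLE_LOG = """\
2022-05-16T09:00:00 10.0.0.5 update-cdn.example 412
2022-05-16T09:00:13 10.0.0.5 news.example 90231
2022-05-16T09:01:10 10.0.0.7 news.example 44010
2022-05-16T09:02:05 10.0.0.7 news.example 130500
2022-05-16T09:05:02 10.0.0.5 update-cdn.example 408
2022-05-16T09:07:41 10.0.0.5 mail.example 5120
2022-05-16T09:09:58 10.0.0.5 update-cdn.example 415
2022-05-16T09:11:40 10.0.0.7 news.example 2200
2022-05-16T09:12:00 10.0.0.7 news.example 67000
2022-05-16T09:15:03 10.0.0.5 update-cdn.example 410
2022-05-16T09:15:44 10.0.0.5 news.example 71333
2022-05-16T09:20:01 10.0.0.5 update-cdn.example 409
2022-05-16T09:24:59 10.0.0.5 update-cdn.example 413
2022-05-16T09:30:04 10.0.0.5 update-cdn.example 411
2022-05-16T09:30:15 10.0.0.7 news.example 9800
2022-05-16T09:31:12 10.0.0.5 mail.example 6200
2022-05-16T09:35:00 10.0.0.5 update-cdn.example 414
2022-05-16T09:40:02 10.0.0.5 update-cdn.example 407
2022-05-16T09:47:22 10.0.0.7 news.example 310000
2022-05-16T09:49:00 10.0.0.7 news.example 1500
2022-05-16T09:52:30 10.0.0.5 news.example 120004
"""


def parse_log(text):
    """Group (timestamp, bytes) records by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def regularity(values):
    """Return (mean, coefficient of variation) for a list of numbers.

    A CV close to 0 means the values are almost identical; a timer-driven
    beacon produces near-zero CV for both its intervals and its sizes.
    """
    m = mean(values)
    return m, (pstdev(values) / m if m else float("inf"))


def find_beacons(text, min_events=6, max_cv=0.1, max_size_cv=0.2):
    """Flag (src, dst) pairs with many, evenly spaced, same-sized connections."""
    hits = []
    for (src, dst), recs in parse_log(text).items():
        if len(recs) < min_events:
            continue  # too few samples to judge periodicity
        times = sorted(t for t, _ in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval, gap_cv = regularity(gaps)
        _, size_cv = regularity([n for _, n in recs])
        if gap_cv <= max_cv and size_cv <= max_size_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(recs),
                "interval_s": round(interval),
                "interval_cv": round(gap_cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

Two caveats before turning this into a SIEM rule. Real implants add jitter and sleep skew to their timers, so the interval threshold has to be loosened and the observation window lengthened, which is exactly the trade-off Curran describes: the looser the rule, the more ordinary traffic it catches. And plenty of legitimate software beacons too (NTP, update checkers, monitoring agents), so the output needs an allow-list of known pollers before anyone is paged.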

Carry on conning

Most social engineering attacks end with the theft of data, which the attacker then has to monetise: by using it to scam the company's customers, say, or as the springboard for the next stage of a supply-chain attack. Often, though, they'll simply sell it on to third parties, which lowers their own risk while maximising profit in the shortest possible time.

Ransomware is a particularly efficient way to monetise a social engineering attack. With 84% of US organisations reporting phishing or ransomware incidents in July last year, according to Trend Micro, it seems attackers frequently use both tactics. Indeed, running a ransomware operation, and the negotiation that follows, calls for the same skill at manipulating people. A carefully crafted ransomware demand can tie the victim into a long-term hostage arrangement that keeps on paying.

"A lot of companies pay the ransom secretly, because they don't want to damage their brands," former fraudster and We Fight Fraud founder Tony Sales tells IT Pro. "That's dangerous, because now you're in an agreement with a criminal who owns you forever. It's like criminals getting an officer under their wing in prison."

[Image: Tony Sales (Adam Boome). Caption: Tony Sales is a former fraudster and founder of We Fight Fraud]

What's the answer? Security software can't stop a person being manipulated, but it can block the technical payload that follows, so endpoint protection remains vital. Email security gateways can keep malicious messages at bay, but only if they are configured carefully. Two-factor authentication (2FA), disabling remote access to servers that don't need it, and agreeing spoken passphrases for voice calls to defeat deepfakes will all help.
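"Configured carefully" is doing a lot of work in that sentence, and the law-firm deposit theft Curran describes shows why: the fraudulent message looked exactly like the legitimate one the client was expecting. The Python script below is an added example written for this article, not code from IT Pro, We Fight Fraud or anyone quoted here. It applies three checks that a mail gateway or finance-team tool could run on any message that talks about payments: does the Reply-To domain differ from the sender's, is the sender's domain a near-miss of a known counterparty, and do the bank details in the message match the ones on record for that counterparty? The third check is the one that matters in Curran's scenario, where the attacker sends from the genuine, compromised account. The counterparty register, the three constructed messages and the domain names are assumptions made for the example.

```python
"""Payment-instruction email checks (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed counterparty register: sender domain -> bank details on file.
KNOWN_COUNTERPARTIES = {
    "smithlaw.example": {"sort_code": "20-00-00", "account": "12345678"},
}

PAYMENT_TERMS = re.compile(
    r"\b(deposit|transfer|payment|bank details|sort code|account number)\b", re.I)
SORT_CODE = re.compile(r"\b(\d{2}-\d{2}-\d{2})\b")   # UK sort code, e.g. 20-00-00
ACCOUNT = re.compile(r"\b(\d{8})\b")                  # UK 8-digit account number

# Constructed messages (plain text, single part, ASCII only).
LEGIT_MESSAGE = """\
From: Conveyancing Team <conveyancing@smithlaw.example>
To: client@example.net
Subject: Deposit due on exchange

Please transfer the deposit of 40,000 pounds to sort code 20-00-00,
account number 12345678, by Friday.
"""

LOOKALIKE_MESSAGE = """\
From: Conveyancing Team <conveyancing@smith-law.example>
Reply-To: conveyancing@smithlaw-secure.example
To: client@example.net
Subject: Updated bank details for your deposit

Our client account has changed. Please send the 40,000 deposit to
sort code 40-11-22, account number 87654321, today.
"""

# Sent from the real, compromised mailbox: headers are genuine, only the
# account has changed. This is the case Curran describes.
COMPROMISED_ACCOUNT_MESSAGE = """\
From: Conveyancing Team <conveyancing@smithlaw.example>
To: client@example.net
Subject: Change of client account details

Please note our client account has changed. Send the deposit to
sort code 40-11-22, account number 87654321.
"""


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (smith-law vs smithlaw)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Extract the lower-cased domain from a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess_payment_email(raw, register=KNOWN_COUNTERPARTIES, max_edits=2):
    """Return a list of findings for a payment-related message (empty = clean)."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part plain text assumed for the example
    if not PAYMENT_TERMS.search(f"{msg['Subject'] or ''}\n{body}"):
        return []  # not a payment instruction; nothing to check
    findings = []
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else sender
    if reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
    if sender not in register:
        for known in register:
            if 0 < levenshtein(sender, known) <= max_edits:
                findings.append(f"sender domain {sender} is a lookalike of known counterparty {known}")
    sort_codes, accounts = set(SORT_CODE.findall(body)), set(ACCOUNT.findall(body))
    if sort_codes or accounts:
        expected = register.get(sender)
        if expected is None:
            findings.append("bank details present but sender is not a registered counterparty")
        elif sort_codes - {expected["sort_code"]} or accounts - {expected["account"]}:
            findings.append(f"bank details differ from those on record for {sender}; "
                            "verify by phone on a number you already hold")
    return findings


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_MESSAGE), ("lookalike", LOOKALIKE_MESSAGE),
                      ("compromised", COMPROMISED_ACCOUNT_MESSAGE)]:
        print(name, assess_payment_email(raw) or ["no findings"])
```

The design choice worth noting is that the checks are layered: header anomalies catch the outsider with a lookalike domain, while the register comparison catches the insider who has the real mailbox. Neither replaces the boring control that actually stops this fraud, which is a phone call to a number the firm already holds whenever bank details change.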

Tech solutions are only effective if staff are able to use them, however, cautions Sales, whose organisation trains companies and employees to spot attackers' tricks. "The tech guys understand all that stuff, but not poor old Bob or Sheila who gets caught out on the company email they've been using forever,” he says. “Security is convoluted and complex, and that's part of the problem.”

Perhaps the answer is to fight social engineering with social engineering. Don't blame employees for falling for phishing tricks, or exclude them from security decisions. Instead, get them involved. A 2021 F-Secure report found that encouraging staff to report suspected phishing attempts is "highly effective": a full one-third (33%) of emails reported by staff as suspicious were, indeed, malicious.

Harnessing your employees’ eagerness to excel at their jobs, and their desire to be involved in decisions, before a criminal has the chance to exploit those very qualities, is among the most viable routes to overcoming a social engineer in action.
