A man and a woman are standing side-by-side at the reception desk of your company. He is wearing dark, tattered jeans and a black sweatshirt with the hood pulled up. She is wearing a light cardigan over something conservative and blue, with short but elegant heels. Which would you suspect of malicious intent?
Gone are the days of the underground malicious actor. While some still wear hoodies, the toughest threats to detect are those dressed to play the part: the salesman who offers you the latest and greatest goodies with no strings attached, an email from your closest friend with only a link attached, or the new guy on your smoke break who you hold the door for before returning to your desk.
These threats rely on a technique called social engineering: exploiting human psychology to gain access to facilities, systems, data, and anything else the attacker wants. Because most people act on emotion, social engineers manipulate that emotional response to further their purposes and achieve their goals. Any seasoned security expert will tell you that the weakest area of a security program is the human, and any social engineer will tell you the easiest way to get your password is for you to tell it to them.
While the following is not an exhaustive list, let’s look at common social engineering tactics used in attacks.
Pretexting is used in almost every other type of social engineering attack. It is the art of lying to obtain privileged data, typically by researching a person in order to impersonate them. This may include knowing personal details such as their social security number, date of birth, or their wife's name. It may also be as simple as dressing in khakis and a red polo while impersonating an insurance salesman. Pretexting is an excellent way to establish legitimacy early in an attack.
Phishing is one of the most common social engineering techniques today and relies on sending out high numbers of emails. This type of attack relies on tricking people into personally giving away money or data. In 2017, there was a surge of Netflix users receiving emails saying their accounts had been suspended due to a billing error. In the body of the email was a link that directed users to a site looking eerily similar to Netflix's login page. Users would unknowingly hand over their login credentials and credit card information.
Spear phishing is a selective form of phishing, typically using pretexting to individualize an email before sending it out to a hand-picked person or group of people. The IRS has released several statements regarding known e-mails sent to collect W-2 information, full personal details for employees, and tax statements. These known e-mails are spoofed to appear as if they are coming from none other than the CEO of the corporation the employee works for. A common mode of impersonation attack is Business Email Compromise (BEC) or "CEO fraud", which continues to manipulate companies by using false identities. This can severely damage a company's reputation. This blog from last year explains BEC in detail.
Vishing is one of the most famous (or infamous) social engineering tactics. It is the practice of using phone calls and voice messages to obtain access or data. Impersonation is much easier on a phone than in real life, and malicious actors are aware of this. Kevin Mitnick (http://www.nytimes.com/1994/07/04/us/cyberspace-s-most-wanted-hacker-eludes-fbi-pursuit.html?pagewanted=all) set a standard for vishing that is still being used today.
Watering Hole (or waterhole attack) is the act of placing malicious code into public websites that targets tend to visit. The attacker will scout potential sites the target will visit and look for vulnerabilities in those sites. Once the vulnerabilities are found and exploited, the site can be used to deliver a backdoor to the target's device.
Baiting is typically seen as a type of phishing attack, but differs in that the bait is commonly an offer for an item or good the target desires. The item or good being promised can be anything - free music, movies, or other media. To claim their prize, the target only needs to enter their login credentials.
Quid Pro Quo
Quid Pro Quo attacks are the promise of something, a good or benefit, in exchange for information. The information is commonly the target’s password(s), but additional information may include personally identifiable information (PII), physical location layouts, or network architecture. The good or benefit can be anything. In fact, some users have been known to give up their password for a cheap pen or a bar of chocolate.
Tailgating (or piggybacking) occurs when access is controlled by an electronic device and an attacker simply walks behind an individual with legitimate access. The media commonly portrays this entrance through the front door, where an employee scans their badge, gates open as access is granted, and two people pass through before the gates close. However, in the real world, this can be as simple as carrying a large box, or tray of catered food, to a back door where employees are known to linger. Human decency opens the door for the attacker, regardless of that door requiring privileged access.
How to Handle Social Engineering Tactics
New threats are seen on a regular basis and there are many additional types of social engineering attacks. While it is nearly impossible to avoid being the target of such attacks, the following advice will help ensure you don't turn being the target into being the victim.
- Be cautious when opening attachments. If you do not personally know the sender or have not requested the information, there is rarely a case when an attachment needs to be sent without valid pretext. If in doubt, it’s worth the extra time to research it before you open it. Contact an information security specialist in your company. VirusTotal.com is another great place to start.
- Find the URL from links on your own. Hovering over a link will show you the direct path of the URL. If you have any suspicions about the legitimacy of the URL, use a search engine to manually find the site yourself.
- Delete and block unsolicited requests for passwords or financial information. No one should ask you for this information in an email. Don’t give it to them, ever.
- When it comes to security, if it sounds too good to be true, it probably is. The Prince of Nigeria is not giving away millions, UPS left a note on your door if they missed you, and people don’t randomly send DocuSign documents without letting you know first.
- Routinely train end users on security. It’s not enough just for you to know. Your whole organization needs to know and the 5-minute training during onboarding three years ago is not sufficient.
- Secure your devices. Lock your workstation when you walk away from it, every time. Install email filters, anti-virus software, and firewalls. Make sure to apply recommended patches and keep your applications up-to-date.
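As an added example (not from the original post), here is a small Python check that does what hovering over a link does by hand: it compares the domain a link's visible text claims against the domain its href actually points to, run over a constructed message modelled on the Netflix lure described above. The hostnames in the sample and the crude two-label domain comparison are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the Netflix lure described above; the
# hostnames are invented and use the reserved .example TLD.
SAMPLE_EMAIL = """
<p>Your Netflix account has been suspended due to a billing error.</p>
<p>Sign in at <a href="http://netflix-billing-update.example/login">https://www.netflix.com/login</a> to restore service.</p>
<p>Questions? Visit <a href="https://help.netflix.com">help.netflix.com</a>.</p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude last-two-labels owner check; a real tool would use a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_deceptive_links(html):
    """Return links whose visible text names a domain other than the real href host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual_host = urlparse(href).hostname or ""
        # Bare text such as 'help.netflix.com' gets a scheme so it parses like a URL.
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." not in shown_host:  # 'click here' and similar: nothing to compare
            continue
        if registered_domain(shown_host) != registered_domain(actual_host):
            findings.append({"shown": text, "actual": href})
    return findings
```

Running `find_deceptive_links(SAMPLE_EMAIL)` flags only the first link, whose text promises netflix.com while the href goes elsewhere; the genuine help.netflix.com link passes.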
Take a breath and slow down. It’s only after you give out your password that you’ll regret doing so. Attackers love to play off a sense of urgency. Don’t give in to it. The IT guy doesn’t need to know your password and it is a rare occasion when your actions on a computer are a life and death situation. Slow down.
About the Author
Joshua Lemon is the Founder of pentaROOT Information Security. He has a passion for securing individuals and businesses and specializes in reconnaissance, vulnerability assessments, penetration testing, and social engineering. You can reach him directly on LinkedIn or @pentaroot.