Joe is speaking at the RSA Conference, April 16-20, 2018 in San Francisco. 

Social engineering is a growing epidemic that can be either an endgame in itself or a stepping stone toward bigger threats such as ransomware. This age-old tactic can be traced back to the Trojan Horse story featured in Virgil’s “Aeneid” and Homer’s “The Odyssey,” from which the malware variant gets its name.

As the legend goes, the Greeks built the horse as bait for the Trojans to claim as a trophy of victory. They left a single person behind to tell the Trojans that the horse was an offering to the goddess Athena to atone for the Greeks’ atrocities. The Greeks even acted as if they were sailing away to enhance the credibility of the pretext. After the Trojans accepted the massive wooden horse, 30 of the best Greek warriors exited its belly in the night and decimated the city.

Modern Social Engineering Tactics

Today, social engineering exists in a variety of forms, including phishing, spear phishing, vishing (voice phishing), pretexting (impersonation), whaling (phishing targeting the C-Suite), smishing (SMS phishing) and more. Of these threats, phishing and spear phishing seem to be the most common.

Think of the typical ebb and flow of emails: You might receive legitimate messages, sales pitches, spam and bald-faced phishing attempts throughout the course of a normal day. Run-of-the-mill phishing emails will likely wind up in your spam folder, but with a little open source intelligence (OSINT), an attacker can develop a pretext to appear at least quasi-legitimate.

Collecting OSINT

When I evaluate targets, I look at them holistically — both inside and outside of work. How can I build a rapport with them? What are they telling me via social media and what am I able to find outside of that context? Does a target post selfies and pictures of his or her workplace? Does he or she have to wear personal protective equipment (PPE)? Are there any pictures of the target with physical security controls, such as badges and passwords, in view?

The data points listed above are all examples of OSINT. Using the goals of the DEF CON Social Engineering Capture the Flag (SECTF) competition as a reference, other considerations include:

  • Trash company and dumpster locations;
  • Janitorial services;
  • Food services;
  • IT customers and vendors;
  • Technologies used, such as virtual private network (VPN), wireless and service set identifier (SSID), operating system (OS), browser and antivirus;
  • Work schedule;
  • Training patterns; and
  • Exterminators.

Knowing some of these “flags” could enable attackers to find exploits relevant to the technologies used in the target’s workplace. Threat actors could also develop a story around these details to build a rapport with the victim and either extract more information or influence the target to do their malicious bidding. The career page of a company’s website is an excellent place to start: an attacker could discover what the organization is hiring for and sometimes even deduce specific software versions from the skills listed.

Baiting, Vishing and Phishing

Social engineering attacks can involve many types of threats, but for the sake of time and space, let’s focus on baiting, vishing and phishing.

Baiting is the simplest form: An attacker places the payload, which is typically malware or a reverse shell, on the target’s system via a USB drive or QR code specifically labeled to entice targets to download the malicious data. Common labels include:

  • Property of the CEO;
  • Bonuses;
  • Terminations;
  • Mergers and Acquisitions; and
  • W-2s.

Vishing takes a little more work. It is probably the most intense form of social engineering since the attacker must interact with the target in real time over the phone and improvise to keep the ruse going. A threat actor might pretend to conduct a survey as an excuse to ask intrusive questions. For these reasons, voice-based phishing generally requires more OSINT research than other schemes.

Finally, email phishing is the most common form of social engineering. An attacker simply sends an email in an attempt to influence the recipient to click a malicious link, download malware or enter personal information. I like to send emails from domains that are similar to standard email providers with trusted mail exchange (MX) records to direct my targets to another domain in a cloud instance. This technique is called domain squatting. I usually ask the target for his or her email address and password, and then prompt him or her for password reset questions.
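From the defender's side, the lookalike-domain approach described above depends on a sender domain that differs from a trusted one by a homoglyph, a typo-level edit or an extra label in front of the real name. The Python script below is an added example, not code from the article or its author: it classifies sender domains pulled from a constructed mail-gateway log against a constructed trusted-domain list and flags the ones that resemble a trusted domain. `TRUSTED_DOMAINS`, `HOMOGLYPHS`, `SAMPLE_LOG` and the `from=<...>` log format are all assumptions made for the example.

```python
import re

# Constructed list of domains the organisation treats as legitimate senders.
# In practice this would be the corporate domain plus known providers/partners.
TRUSTED_DOMAINS = ["example.com", "gmail.com", "outlook.com"]

# Constructed homoglyph map: characters swapped for visually similar ones in
# lookalike domains. Multi-character keys come first so "rn" folds to "m"
# before the single-character substitutions run.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed mail-gateway log excerpt in a hypothetical format.
SAMPLE_LOG = """\
2018-04-02T09:14:03Z from=<it-support@examp1e.com> to=<alice@example.com> subject="Password reset required"
2018-04-02T09:15:10Z from=<bob@example.com> to=<alice@example.com> subject="Lunch?"
2018-04-02T09:16:42Z from=<security@gmail.com.login-verify.net> to=<alice@example.com> subject="Verify your account"
2018-04-02T09:17:55Z from=<news@vendor.net> to=<alice@example.com> subject="April newsletter"
2018-04-02T09:18:30Z from=<helpdesk@outlok.com> to=<alice@example.com> subject="Mailbox full"
2018-04-02T09:19:12Z from=<hr@mail.example.com> to=<alice@example.com> subject="Benefits enrollment"
"""


def normalise(domain):
    """Lower-case a domain and fold common homoglyphs to their plain form."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    # Exact match or a genuine subdomain of a trusted domain (mail.example.com).
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalise(domain)
    for t in trusted:
        # Homoglyph swap or a couple of typo-level edits (examp1e.com, outlok.com).
        if norm == normalise(t) or levenshtein(norm, normalise(t)) <= max_distance:
            return "lookalike:" + t
        # Trusted name used as the leading labels of an unrelated domain
        # (gmail.com.login-verify.net).
        if domain.startswith(t + "."):
            return "lookalike:" + t
    return "unknown"


def sender_domain(address):
    """Extract the domain part of an address such as 'alice@example.com'."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    return m.group(1).lower() if m else None


def lookalikes(log_text, trusted=TRUSTED_DOMAINS):
    """Scan gateway log lines; return (sender domain, impersonated domain) pairs."""
    findings = []
    for line in log_text.splitlines():
        m = re.search(r"from=<([^>]+)>", line)
        if not m:
            continue
        domain = sender_domain(m.group(1))
        if domain is None:
            continue
        verdict = classify_domain(domain, trusted)
        if verdict.startswith("lookalike:"):
            findings.append((domain, verdict.split(":", 1)[1]))
    return findings


if __name__ == "__main__":
    for domain, impersonated in lookalikes(SAMPLE_LOG):
        print(f"ALERT sender domain {domain!r} resembles trusted domain {impersonated!r}")
```

The heuristic is deliberately narrow: a registered lookalike domain can carry perfectly valid MX, SPF and DKIM records of its own, so sender authentication alone will not catch it, while edit distance will produce false positives on short domains that are legitimately similar. Tune `max_distance` per trusted domain and route the findings into the reporting channel described under training rather than blocking automatically.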

Training and Phishing Awareness

To defend your organization against various types of phishing attacks, you should employ the same baseline training for all employees periodically — I recommend monthly or quarterly. This will keep security and social engineering at the forefront of their minds. Beyond general education, you should conduct role-based training for specific groups, including:

  • Senior management;
  • Sales;
  • Human resources;
  • Accounting;
  • Purchasing;
  • Customer support/help desk; and
  • IT.

It’s crucial to train employees from the top down. In my experience, C-level executives typically trust emails and phone calls they receive because they have presumably passed through numerous layers of security.

As part of awareness training, you should proactively run phishing simulations to test your employees. This will keep them on their toes and condition them to respond and report when they suspect a phishing attempt. You should also consider social engineering when formulating your incident response plan.

When reporting a phishing incident, employees should consider the following factors:

  • Who should they contact? This should be a specific person or group — not just the IT or security department.
  • How should they contact the relevant parties? When reporting email incidents, employees should not use email, for example.
  • What information should they provide?
  • What actions should they take regarding the affected computer or device (e.g., unplug the computer from the network, power down or restart the device, log off, hibernate, do nothing, etc.)?

Finally, you should employ a nonpunitive policy for phishing. We’ve all clicked a malicious link at some point in our careers, and the last thing you want is for people to avoid reporting suspicious activity for fear of being punished or terminated.

Social engineering dates back to ancient times and isn’t likely to slow down anytime soon. The best way to defend against phishing and other forms of social engineering is to spread awareness throughout the organization and train all users, from rank-and-file employees to the C-suite, to be wary of the wooden horses that roll through their networks.

Listen to the podcast to learn more: Social Engineering 101 — How to Hack a Human
