As social engineering attacks continue to grow in frequency and sophistication, driven by the increased use of technology across all of the communication channels we use today, organisations must look at employee training and education as the first line of defence in order to mitigate such attacks.
This article serves to explain some of the different types of social engineering and phishing scams, and to make users more aware of the risks and of the precautions required to reduce the chances of falling victim to them.
We within the IPA work with organisations in order to raise awareness of these and other forms of attack and to mitigate the risk of their success.
What is Social Engineering
Social engineering is often referred to as the act of human hacking: it is the manipulation of people by psychological means into providing information or performing actions. Social-engineer.org refers to social engineering as “a blend of science, psychology and art” (Social-engineer.org 2017).
Where do attackers gain access to the data they use against their victims?
The more information attackers have about their victims, the more likely the attacks are to succeed. Attackers will sometimes call, email and even meet with victims or their colleagues in order to build a profile and gain valuable information, which may then be used in subsequent communications to make them more believable.
Attackers also often gather the details they need to personalise their attacks from social media sites such as Facebook, Twitter and LinkedIn; they may use job postings in local newspapers or online, and even data from company registration offices, allowing them to profile a target’s company information, job details, and the names of co-workers or business partners.
Social engineering can take many forms, from telephone calls (pretexting) to emails (phishing). In the next section we outline some examples of social engineering attacks.
Social Engineering Types
Social engineering can come in a variety of forms; this article, however, focuses on five of the most common forms which we should all be on the lookout for: phishing, pretexting, baiting, quid pro quo and tailgating.
Phishing scams tend to be the most common type of scam today. They can arrive through a number of channels, including email, chat, web advertisements or websites, and are designed to impersonate a real system or organisation. When a victim falls prey to such an attack they end up divulging personal or confidential information, such as usernames, passwords and credit card details, to the attacker.
Phishing can be broken down into three broad types: phishing, spear phishing and whaling.
Phishing itself is where little or no targeting of victims is performed: a generic email is crafted and sent to hundreds of recipients. Because it is not targeted, it is impersonal, addressed to ‘Dear Sir / Madam’, and it is quite common for people to receive phishing emails purporting to come from the revenue service of a country in which they are not resident. Below is an example email purporting to come from the UK Revenue which was received by people from all over the world.
Spear phishing is where the attacker puts more work into selecting a target audience for the scam. The spear phisher will commonly have your email address, your name and, depending on the amount of research done beforehand, possibly other personal details about you, in order to make the phishing more personal. This personalisation, although requiring more work from the phisher, produces a better return on investment!
A recent report from GreatHorn.com states that “Highly targeted, low-volume spear phishing attacks are responsible for 90% of security breaches” (GreatHorn 2017); it further warns us that “despite the high success rate, cloud email providers and secure email gateways don’t protect against these types of payload-free attacks.”
In a study reported by CloudMark in 2016 of 300 companies (200 in the US and 100 in the UK), twenty percent named spear phishing as their company’s top security concern (42% placed it within the top three!). Of these organisations, 84% said that a spear phishing attack had penetrated their security defences within the last 12 months. CloudMark further tells us that “These attacks are costly. Respondents reported that the average cost of an attack across all companies from a spear phishing attack was $1.6 million. One in six companies reported a decrease in stock price as the result of a spear phishing attack.” (CloudMark.com 2016)
According to TechTarget.com, “Whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities.”(http://searchsecurity.techtarget.com 2014)
Whaling can be classed as a type of CEO fraud because of its targets; the term ‘whaling’ is coined from ‘big fish’, reflecting how attractive these targets are because of the power they hold within organisations.
Because these targets are so attractive, even more energy is spent targeting and customising the scam, which makes it even more difficult to detect.
The goal of a whaling attack is to trick an executive into revealing personal or corporate data and even to authorize a transfer of funds or change bank accounts for suppliers, often through email and website spoofing.
Not only can they be more successful, there can definitely be more of a return for the attacker too. An article in SCMagazine outlines a case from 2016 where a CEO and CFO were later sacked after an Australian airline parts manufacturer lost €40.9 million (after recovering approximately €10 million) in such an attack! (Reeve 2016). The article also states that “It’s especially critical that finance, payroll, and human resources departments be alert for these scams as nearly 50 percent target the CFO and 25 percent target HR inboxes. Impostor messages often ask employees to keep things confidential and bypass normal approval channels. Employees should be suspicious if they receive a request for unusual information or a wire transfer via email. Check the reply-to email address and always call to confirm the request.”
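The two header checks the quote recommends (a Reply-To that does not match the sender, and pressure wording around payments) can be automated for a mailbox or gateway. The script below is an added example written for this article, not tooling from the article or the cited sources; the message, the organisation domain `example-corp.com` and the phrase list are all constructed.

```python
import email
from email.utils import parseaddr

# Constructed sample: a "CEO" payment request whose Reply-To points to a foreign domain
SAMPLE_IMPOSTOR = """\
From: "Jane Doe, CEO" <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: finance@example-corp.com
Subject: Urgent wire transfer - keep confidential

Please process this payment today and do not discuss it with anyone.
"""

# Constructed sample: an ordinary internal message that should raise nothing
SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Team lunch

Friday at noon in the canteen.
"""

ORG_DOMAIN = "example-corp.com"          # assumed organisation domain
PRESSURE_PHRASES = ("wire transfer", "keep confidential", "urgent", "today")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw):
    """Return a list of reasons this message deserves a phone call before acting on it."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Replies would silently go somewhere other than the apparent sender
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("reply-to domain differs from sender domain")
    # The apparent sender is not an internal address at all
    if domain_of(from_addr) != ORG_DOMAIN:
        findings.append("sender is outside the organisation")
    # Wording that combines payment requests with secrecy or urgency
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure/finance wording: " + ", ".join(hits))
    return findings
```

A gateway rule built on these findings should route the message to a manual "call to confirm" queue rather than block it, since legitimate finance requests will occasionally match the wording list.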
Pretexting can be thought of as the human equivalent of phishing: it is when an attacker creates a false sense of trust or fear between themselves and the end user by impersonating a co-worker or a figure of authority in order to gain access to information.
This information may be login credentials, personal information or it may be other seemingly harmless information which may be used as part of a subsequent attack.
An example of this type of scam could be a telephone call to an employee asking for their password for an audit or to reset their account; it could also be a call, email or even a text message from a ‘bank’ regarding malicious activity that has supposedly been spotted, etc.
A recent example of this was where calls came into organisations impersonating the Irish Revenue Commissioners and demanding an immediate payment. In some cases the callers even offered to collect cash from the unsuspecting victim!
A warning post from Revenue.ie is shown in the image below.
Baiting, another attack similar to phishing, involves offering something enticing to an end user.
The “bait” may come in many forms, digital or physical: it could be an offer of a movie or music download, or a free USB key. It commonly comes in the form of a USB stick or other media device that the unsuspecting user ‘finds’, labelled ‘Private’, ‘Confidential’ etc. in order to lure the victim into accessing the media.
In some cases the bait is used simply to gain information (this could be as simple as filling in a form); in other cases it is used to infect the victim with malware, which may create a reverse connection back to the attacker, allowing them to gain access to data or to launch another attack.
Quid Pro Quo
Similar to baiting, quid pro quo involves an attacker requesting data or login credentials in exchange for a service. A common example is a call or email from a ‘researcher’ looking for information or access to your infrastructure for research purposes! Another example could be an attacker calling an end user, posing as an IT expert, and offering free IT assistance or technology improvements in exchange for login credentials.
Tailgating, also called piggybacking, is when an unauthorised person physically follows an authorised person into a restricted corporate area or system. The attacker may be carrying several boxes so that the victim ‘holds the door open’ for them; another method is for the attacker to call out to an employee to hold a door open for them because they have ‘forgotten’ their RFID card.
Is there a silver bullet?
There is unfortunately no silver bullet and, as companies can now see, technology alone will not solve the problem. In order to mitigate the risk, companies have to increase awareness amongst their staff. I have been involved in running cyber awareness briefings and training sessions for all levels of staff over the last several years, and it is great to see the surprised faces when people become aware of how easy it is to fall prey to such attacks. So education is key. I have also been involved in phishing employees on behalf of organisations and in setting up phishing simulation systems within organisations so that they can raise awareness and also gauge the level of the problem through behavioural analytics.
Author: Tom Brett
Tom Brett is a business training expert with 20+ years’ experience in the field of IT and cyber security. Working for the IPA in Ireland, he has delivered training briefings across all levels of an organisation, from Directors to Senior Managers and Staff. Tom also delivers several courses and workshops in Ethical Hacking and Pentesting as well as CISO-level training. For further details see: IPA-Sec.org
CloudMark.com, 2016. Survey Reveals Spear Phishing as a Top Security Concern to Enterprises | Cloudmark Security Blog. Available at: https://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/ [Accessed March 15, 2017].
GreatHorn, 2017. GreatHorn SPEAR PHISHING REPORT GreatHorn KEY TAKEAWAYS FROM THIS REPORT, Available at: http://info.greathorn.com/hubfs/GreatHorn Spear Phishing Report – 2017.pdf?t=1489439553139 [Accessed March 14, 2017].
http://searchsecurity.techtarget.com, 2014. What is whaling? – Definition from WhatIs.com. Available at: http://searchsecurity.techtarget.com/definition/whaling [Accessed March 15, 2017].
Reeve, T., 2016. CEO sacked after aircraft company grounded by whaling attack. SCMagazine.com. Available at: https://www.scmagazineuk.com/ceo-sacked-after-aircraft-company-grounded-by-whaling-attack/article/530984/ [Accessed March 15, 2017].
Social-engineer.org, 2017. What is Social Engineering? Social-Engineer.org. Available at: http://www.social-engineer.org/ [Accessed December 28, 2015].
Main image retrieved from https://clipartfest.com/download/b1501673b83f237844b269bc49702fe232127463.html
HM Customs image retrieved from http://jersey.police.uk/be-safe/scams/hm-revenue-customs-scam/
Irish Revenue image retrieved from http://www.revenue.ie/en/spotlights/bogus-calls.html