Social engineering is a time-tested hacking technique for gaining access to networks, systems, and physical locations. Unlike other popular tactics, social engineering is not a purely technical process; instead, it relies on impersonation and misdirection to bypass security protections and trick company staff into handing over valuable data.
Perhaps you’ve heard of Kevin Mitnick, often referred to as “the world’s most famous hacker”? After using social engineering to hack the Los Angeles bus system and the Pacific Bell voicemail system, and to steal the source code for Motorola’s most advanced cell phone, and then being apprehended by the FBI, he wrote a definitive book on the subject called The Art of Deception.
Though those attacks happened many years ago, social engineering attacks continue to be a major threat to businesses and organizations. In fact, Mitnick, who now works as a leading cybersecurity analyst, claims he still has a 100% success rate when employing social engineering techniques during a penetration test.
Their continued relevance means that businesses should be aware of the latest social engineering threats and the steps they can take to counteract them.
The most basic form of social engineering that hackers employ is phishing. Despite rapid improvements in anti-phishing technology, including secure email gateways and artificial-intelligence-based solutions, Microsoft announced that the number of phishing attacks rose by as much as 250% in 2018.
Phishing attacks usually fall into two categories:
Phishing is when a fraudulent communication (often an email) is sent to targets en masse. The goal of a phishing attack is to trick users into handing over personal or sensitive information by disguising those communications as legitimate. According to Verizon, 90% of data breaches in 2018 started with a phishing attack.
A targeted, refined version of a phishing attack, spear phishing starts with deep research into a person’s social media feeds and online biographical data. Often designed to target a decision maker, spear phishing emails look more authentic and customized than a normal phishing email.
The sophistication of these attacks is increasing as well. Not only can criminals “spoof” email addresses and URLs more convincingly than before (a clumsily spoofed address was once a primary way of identifying a phishing campaign), they can also produce more realistic facsimiles of emails and websites from large companies such as Microsoft and Google.
In one recent phishing campaign, hackers used a seemingly authentic Google Translate URL to trick users into clicking through to a malicious link. Only by paying close attention to the details of the site would an observant person have noticed it was fraudulent, meaning the campaign would likely have a high rate of success among untrained workers.
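The point above is that a link can look like it belongs to a trusted brand while actually leading elsewhere, either because a legitimate service wraps the real destination in a query parameter (the Google Translate form uses the parameter `u`) or because the brand name is merely embedded in a lookalike hostname. The check below is an added example, not code from the article; the trusted-domain list, the sample URLs and the simplified "last two labels" domain logic are constructed assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed: registered domains this organisation treats as trusted link targets.
TRUSTED_DOMAINS = {"google.com", "microsoft.com"}

# Hosts that wrap the real destination in a query parameter.
# Google Translate's parameter is "u"; the host list is an assumption for this example.
WRAPPER_HOSTS = {
    "translate.google.com": "u",
    "translate.googleusercontent.com": "u",
}


def registered_domain(host):
    # Simplification: treat the last two labels as the registered domain.
    # A production check would consult the Public Suffix List instead.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def unwrap(url, max_depth=3):
    """Follow wrapper/proxy links until the final destination is reached."""
    for _ in range(max_depth):
        parsed = urlparse(url)
        param = WRAPPER_HOSTS.get((parsed.hostname or "").lower())
        if not param:
            return url
        inner = parse_qs(parsed.query).get(param)
        if not inner:
            return url          # wrapper host but no wrapped target: stop here
        url = unquote(inner[0])
    return url


def classify(url):
    """Return (verdict, final_url): 'trusted', 'lookalike' or 'unknown'."""
    final = unwrap(url)
    host = (urlparse(final).hostname or "").lower()
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted", final
    # A trusted brand's name appearing inside an untrusted host is a classic lookalike.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in host:
            return "lookalike", final
    return "unknown", final


if __name__ == "__main__":
    # Constructed sample: a Translate wrapper hiding a lookalike sign-in page.
    sample = ("https://translate.google.com/translate?sl=auto&tl=en"
              "&u=https%3A%2F%2Flogin-google.example%2Fsignin")
    print(classify(sample))  # ('lookalike', 'https://login-google.example/signin')
```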
While phishing is far and away the most prevalent social engineering threat, several other social engineering attacks have continued to rise in popularity over the last few years.
Did you know that app stores, like the Google Chrome store, have malicious applications in them that are designed to steal your data? While Google is constantly updating its software to thwart these attempts, like its major update at the end of 2018, there are many examples of extensions that bypass those protections and attempt to steal user data.
In recent years, hackers have even started infiltrating the accounts of legitimate developers to hijack their extensions and install malicious payloads, leading some security experts to question whether these extensions are worth the security risk at all.
A watering hole attack begins with a hacker profiling your organization to learn which websites your staff frequent. Next, the hacker probes those websites for exploitable weaknesses and implants malicious code designed to infect your systems the next time someone from your organization visits that site.
Unlike phishing attacks, watering hole attacks can be very difficult to spot, and they have been used to successfully infiltrate US federal agencies, major telecommunications companies, and many others.
One of the hallmarks of social engineering attacks is that they’re often not highly technical. Although malicious code may help to facilitate the attack, the primary way in which they steal data is by fooling a user into violating security best practices.
Pretexting is a targeted social engineering attack in which a hacker uses an elaborate scenario or assumed relationship to gain a victim’s trust. Pretexting attacks can occur via email, phone call, or physical media, and usually involve a hacker posing as a representative of a trusted organization, such as a supplier, vendor, or potential employer. Over a series of conversations, the hacker gradually gains trust before extracting the information they want. While still relatively rare, the number of pretexting attacks has tripled in the last few years, according to the Verizon Data Breach Investigations Report.
Some other physical social engineering threats, less common than pretexting, that you should be aware of:
Watch for unfamiliar USB drives or other physical media in your office. In a baiting attack, hackers place these devices near your office, or in other high traffic areas, hoping that someone plugs them in out of curiosity, allowing the delivery of a malicious payload.
In a tailgating attack, a hacker physically follows an employee or other authorized person into a location by pretending to be a delivery person, caretaker, or trusted associate. While larger businesses have physical security protections in place, small and midsized organizations are often vulnerable to this approach.
In order to protect your staff against social engineering tactics, here are some best practices you can share with them.
Hackers will use information they’ve gathered about your organization to make their communications seem legitimate. Any phone call or email that uses incomplete private information to provoke you into providing more information, perhaps under the guise of updating a file or record, should be approached with great skepticism.
All social engineering attacks, both online and offline, rely on personal data to appear authentic. When was the last time you and your employees scoured your social media feeds to take stock of which information is publicly available? Knowing what information others can learn about you, as well as removing sensitive information from social media, can make it harder for hackers to launch effective social engineering attacks.
Take stock of the software installed on each of your network endpoints. Do they have programs like Adobe Flash, Adobe Reader, or Internet Explorer? Each of those may present a security vulnerability and should be updated or removed to minimize your attack surface. You may also want to consider implementing a VPN to hide your staff’s online activity from prying eyes.