Visible to the public SoS Musings #26 - Social Engineering AttacksConflict Detection Enabled

SoS Musings #26
Social Engineering Attacks

Organizations often fall victim to cyberattacks in which their data and/or systems are compromised as a result of social engineering attacks, further indicating that humans remain one of the weakest links in cybersecurity. Social engineering refers to the use of methods to exploit human weaknesses in order to gain access to sensitive information and systems. Using social engineering tactics, people are often deceived into exposing sensitive information that could be used by attackers to gain access to protected systems. Social engineering attacks continue to succeed as it is often easy to exploit humans' psychological attributes such as being trusting and having the desire to help others. According to Proofpoint's Quarterly Threat Report for Q2 2018, there was a 500% increase in social engineering attacks with cybercriminals continuing to explore new ways to abuse humans' psychological weaknesses to launch attacks. Proofpoint's 2018 report, titled The Human Factor: People-Centered Threats Define the Landscape, also highlights the increased use of social engineering by attackers over automated exploits. This report states that in 2018, 95% of observed web-based attacks were executed using social engineering tactics, 55% of social media attacks in which customer-support accounts were impersonated targeted financial service companies' customers, and 35% of social media scams used links and clickbait to trick users into visiting streaming and movie download websites. It is important that organizations continue to explore the ways in which social engineering attacks and the impacts of such attacks could be prevented and mitigated.

There are many ways in which social engineering attacks can be performed. Infosec has cited the most common social engineering attacks as of 2019, which include phishing attacks, watering hole attacks, whaling attacks, pretexting, baiting, and tailgating. Among these attacks, phishing is the most common as it allows attackers to trick unsuspecting users into divulging sensitive information via emails, social media, instant messaging, SMS, and clicking links to malicious websites containing malware that would enable users' systems to be infiltrated. Attackers can execute watering hole attacks by gathering information about a targeted group in relation to what websites they frequently visit and probing those websites installing malware on those sites to infect that group's systems. A whaling attack is a specific type of phishing attack that targets high-profile individuals such as public spokespersons, CEOs, CFOs, and more, to impersonate such entities and gain access to sensitive data or other assets. Pretexting refers to the practice of masquerading as another person in order to gain access to private information, which is usually performed by attackers through the careful creation of fake identities. When attackers abuse the humans' curious nature by making promises of relinquishing a good used to trick victims, they are performing an attack known as baiting. The placement of an infected USB drive or optical disk in a public area in hopes of someone taking it and using it on a device is an example of baiting. Another common social engineering attack is called tailgating, also known as piggybacking, which refers to the unauthorized entry into a facility by way of authorized individuals who have been tricked into giving access to this entrance. An example of tailgating is when an unauthorized person claims to have forgotten their RFID and requests that an authorized person hold a door open for them, giving them unauthorized access to the facility or other protected area. Other social engineering attacks that end users should be aware of include phone-based phishing known as vishing, low tech ransomware, phishing via Dropbox, Box, or OneDrive, and more. The different ways social engineering can be carried out must continue to be explored and highlighted by security professionals and researchers.

Recent incidents in which social engineering tactics were used by attackers to obtain access to systems and sensitive data bring further attention to the continued success of these attacks. Verizon's 2019 Data Breach Investigations Report (DBIR) reveals that C-level executives are increasingly being hit with social engineering attacks as they have access to sensitive information, posing a significant threat to supply chains. Hackers have gained the trust of C-level executives through fraudulent business emails, tricking them into clicking on malicious links and revealing passwords. A British teenager, named Kane Gamble, successfully infiltrated email accounts belonging to CIA and DNI chiefs, and accessed sensitive databases through the use of social engineering. He managed to deceive call centers and help desks into helping him gain access to these email accounts and databases. Attackers have even used the distress and bewilderment caused by tragic events such as the Christchurch massacre in New Zealand to perform social engineering attacks. Following this tragic event, CERT NZ received reports on the distribution of phishing emails asking for donations in support of relief efforts. This would instead redirect users to malicious banking pages that appeared to be legitimate donation pages. According to Barracuda's latest 2019 Spear Phishing Report, cybercriminals have been improving upon the social engineering tactic, brand impersonation, in the performance of spear phishing attacks as indicated by recent findings. Brand impersonation is involved in 83% of all phishing attacks in which Office 365, financial institutions, and Apple have been impersonated. Following the study of hacker-for-hire services conducted by Google and academics at the University of California, it was discovered that all attacks launched by these services involve social engineering with hackers performing spear-phishing against victims. These incidents bring attention to the advancement and potential impact of social engineering attacks, which must be prevented and mitigated.

As a huge component of social engineering is human behavior, preventing such attacks remain a significant challenge. Security professionals often overlook the psychological aspects of social engineering and instead focus on ways to prevent these attacks through technological implementations. According to Dr. Jessica Barker, an independent consultant and sociologist whose research delved into the psychology surrounding why humans often fall victim to social engineering attacks, the human instincts of curiosity, naivety, narcissism, overconfidence, and the desire to reciprocate are the main reasons as to why social engineering attacks are so successful. It is important that the underlying psychological elements of social engineering are also explored by security researchers to help combat such attacks. When asked the question of how to prevent social engineering attacks, one of the key answers given by security professionals is that security awareness education and training should be provided to end users, IT staff, managers, and more in support of bringing further attention to social engineering attacks and strategies to avoid such attacks. Users often fall victim to social engineering attacks because they are unaware of the different ways in which these attacks are performed, thus calling for more education and training that will explore social engineering in addition to other attack techniques. In the process of being trained, users should be made aware of the possible spoofing of trusted sources in order to avoid clicking on links or attachments sent from suspicious sources. As social engineers often exploit the impulsive behavior of users that leads them to click emails without considering the source, users should be encouraged to slow down and conduct a careful review to verify the identity of the suspicious source. Other current best practices for protection include deleting requests to reply with personal information as any message that asks for such information is most likely a scam. They should not give out sensitive information or credentials. Antivirus software should be installed and kept up-to-date, and email spam filters should be set to significantly decrease the amount of junk mail. In regard to physical social engineering attacks, individuals should always be asked to show appropriate credentials and proof of authorization before entering premises at which systems and sensitive information is handled and stored. More technological efforts must be made to deal with social engineering attacks such as that of the Defense Advanced Research Projects Agency (DARPA), which has established the Active Social Engineering Defense (ASED) program, the purpose of which is to develop technology that uses bots to detect, disrupt, and examine such attacks. Researchers from Northumbria University proposed the use of nudges, particularly social saliency nudges, to help users better evaluate emails and detect phishing, thus providing further protection from social engineering attacks. The use of external devices to nudge users towards good cybersecurity behaviors could also help users avoid falling victim to these attacks. The Adafruit Circuit Playground is a circuit board that can detect a person's movement and trigger nudges via lights, sounds, and vibration, to users to lock their computer screens as they leave their desk. Security professionals and researchers are urged to continue exploring the different aspects of social engineering, other ways to prevent social engineering attacks, and bring further awareness to such attacks.