Print Issue: September 2018
Chief financial officer Malcolm Fisher never thought he would be victimized by cybercrime—until a social engineer successfully impersonated him and bilked his company out of more than $125,000.
It was relatively easy for the criminal to identify Fisher as a high-value target given his key position within the company—his bio was readily available on the company website. And Fisher's social media profiles on Facebook, Twitter, and LinkedIn revealed several bits of information that marked him as a dream target for a diligent social engineer.
Fisher frequently participated in poker tournaments and was not modest in describing his success at the table. He posted about attending an upcoming tournament in Las Vegas and catalogued his travel plans across social media platforms. Shortly after his arrival to Las Vegas, Fisher received a text message from what appeared to be the tournament organizer providing a link to the updated schedule. When he clicked on the link, nothing seemed to happen—but he had just unwittingly provided the social engineer with entry into his company-issued mobile device.
Knowing that the tournament started at 11 the next morning, the fraudster hijacked Fisher's email account and sent an urgent message at 11:15 a.m. to a colleague. The email—supposedly written by Fisher—instructed the employee to immediately wire $125,000 to a vendor, noting that he would be out of touch for several hours because he was attending the tournament.
The employee, never questioning his boss's instructions, immediately processed the wire transfer. While Fisher left Las Vegas very pleased with his tournament winnings, he soon learned that he was the one who got played.
This scenario is not unusual. With more focus than ever on enterprise cybersecurity and preventing data breaches, many executives believe that technology alone provides sufficient protection against such threats.
But sophisticated threat actors—whether they be nation states, criminals, activists, or disloyal competitors—will frequently target the most significant vulnerability found in most organizations: the human factor. The interaction between human beings and the technology meant to protect the organization is frequently referred to as the weakest link in security.
The most common method used by these threat actors to exploit the human factor vulnerability is social engineering. In fact, according to the 2018 Verizon Data Breach Investigations Report, more than 90 percent of successful security breaches start with some aspect of social engineering.
Social engineering is the skillful manipulation of organizational insiders to undertake certain actions of interest to the social engineer. Insiders are not only employees of the organization—they include anyone who may have unescorted access into a target organization, including service providers such as the guard force, cleaning crews, catering companies, vending machine stockers, maintenance contractors, and more.
Greater awareness and insight into this process provides a better opportunity to mitigate the risk of social engineering attacks.
Collecting the Data
Prior to launching any type of attack against the target, a professional social engineer will spend time collecting available open source information. While such collection may be from a variety of resources, the most frequent medium is simple online research.
Almost every organization has a website with information about the company, its products and services, executive profiles, press releases, contact information, and career opportunities.
While all such sections may provide useful information to a social engineer, executive profiles—which often contain full names, titles, pictures, and a brief biographic sketch—provide considerable insight into key insiders and where they fit into the organizational structure.
Career opportunities, along with company contact information, provide exploitable details and a portal through which a social engineer may seek direct or indirect contact with the organization.
Job postings and reviews. Whether posted on the organization's website or advertised on online job boards, job postings can provide a wealth of information. At a bare minimum, such postings will usually reveal the basic preferred IT qualifications sought from an applicant, providing valuable insight into the operating systems and software programs the organization uses. The job description might also provide insight concerning potential expansion of the organization, whether it be geographically or through a new product or service.
With a job posting, an organization is inviting contact with someone from the outside. It provides social engineers an opportunity to electronically submit a cover letter or resume—either directly through human resources or to someone else within the organization chosen by the social engineer to forward the resume onward. The email, along with attachments, can be a medium to introduce malware into the target's system.
While less frequently exploited, such job postings can also create opportunities for social engineers to interview with the employer and elicit sensitive information.
Employer review sites such as Glassdoor can provide useful workplace insights posted by employees. These reviews inform the social engineer about the pulse regarding the morale within the organization. Generally, it is much easier to manipulate a disgruntled employee than someone who is happy and loyal to his or her employer.
Social media and search engines. While an organization may aggressively use social media to help promote their products and services, an unintended consequence can be the leakage of exploitable information.
Employees often upload photographs of themselves and coworkers in the workplace, revealing information about physical workspaces to include actual floor plans, office configurations, security system hardware, IT systems, employee badges, or employee dress. Much of this information can be extremely useful if planning an actual physical intrusion into the company.
Creative Google searches will take the social engineer well beyond the most popular entries surfaced regarding the organization's name.
For example, a simple yet creative search of the company's name and the words "pdf" or "confidential" may surface documents such as employee manuals, employee benefit packages, IT user guides, or contracts. These searches can identify companies subcontracted by the target company for services such as janitorial, trash disposal, security, catering, or temporary staff.
A search for public court records will provide access to nationwide criminal and civil court documents. These documents will frequently contain operational details regarding the target company or officials that the company would have preferred to maintain confidential.
A common misconception regarding the Internet is that once a company has deleted or modified information previously contained on its corporate website, the original information is no longer available. This is false.
The Wayback Machine is a digital archive of the World Wide Web and enables users to see archived versions of web pages as far back as 1996. Even if an organization's new security director decided to remove potentially sensitive information from the entity's website, the social engineer can attempt to use the Wayback Machine to retrieve it.
Sites such as Google Maps help the social engineer virtually conduct reconnaissance—if the social engineer considered launching an intrusion into target offices, he or she would want to learn as much as possible about access points, access control including badge readers or other access systems, surveillance cameras, and guards.
The social engineer could also use the maps to identify businesses near the target location that employees may frequent and orchestrate a run-in, resulting in a onetime casual conversation with an employee to carefully gather information not available via open source. It could also be an opportunity to develop an employee for use as a future insider source.
A second potential objective for the reconnaissance is the identification of locations in the vicinity that make deliveries to the target's office, such as flower shops or restaurants. With this information in hand, the social engineer may decide to impersonate someone making a delivery to obtain unescorted access onto the premises.
Insiders. Beyond collecting information on the organization, social engineers also target insiders in these entities. There could literally be several thousand employees in a medium to large organization, but the social engineer only needs to collect useful data on one or more well-placed individuals.
He or she will want to know as much as possible about targeted insiders' personal and professional backgrounds, as well as an indication of what their motivations may be. With this information in hand, the social engineer can better manipulate them.
The most common starting point for data collection on insiders is through social media sites. While there are hundreds of such sites bringing together more than 3.3. billion users, social engineers will typically use sites providing the most prolific information.
Facebook can be used to find pictures of a targeted insider and their network of contacts. Here one can learn where the targets live, their age and birthdate, where they went to school, their hobbies and interests, and past and future travel plans. When faced with a target who may enact privacy settings, the resourceful social engineer will turn to the accounts of the target's spouse or children that may lack such privacy settings.
Twitter can provide play-by-play action of where the target is and what they are doing at that moment. And on LinkedIn, a social engineer will learn about the target's professional, academic, and work profile; professional interests; and network of contacts.
Social engineers use four types of attack vectors to scam companies out of money, intellectual property, or data.
Phishing. Phishing currently represents more than 90 percent of all social engineering attacks. This includes typical spam emails requesting that the recipient click a link or open an attachment embedded in the email, which could lead to the downloading of malicious tools that could potentially compromise the recipient's computer, if not the entire IT network.
While such emails do not target specific people and are literally sent out by the thousands, even a small percentage of recipient victims who click on the link may provide the sender with a viable return on investment.
Professional social engineers will use spear phishing, which effectively tailors the email to a specific target leveraging information previously gleaned from data collection. This will greatly enhance the likelihood that the chosen target will click on the link or open the attachment.
Another variation would involve the social engineer creating a fictitious LinkedIn account and engaging the target on a specific issue. If the target has a tendency of not accepting invitations from unknown individuals, the social engineer will first invite the target's peers to connect. Then, when the target sees that several of his industry peers are already connected to this fictitious profile, he will also likely accept.
Once successfully linked, the social engineer will exchange a few emails with the target, leading to one hosting the link or attachment containing the malware. As their previous exchanges have likely resulted in the building of rapport and trust, the target will likely fall vulnerable to the attack.
Smishing. This technique is similar to phishing, but instead of using email as a medium to deliver the attack, the social engineer will send a link or attachment via text message. The result is the same. While smishing is not yet as common as its phishing cousin, it is expected to begin mirroring trends in mass marketing, which is moving more and more to SMS due to the high open rates.
Vishing. For professional social engineers, vishing can be fun and exhilarating. While requiring a little more skill, vishing is typically much more effective than the previously mentioned techniques. Here the social engineer will telephone the target using any one of several ploys or pretexts. To increase credibility, the social engineer will spoof the call and manipulate the caller ID seen on recipient's end.
Say a social engineer wants to collect protected information regarding the status of a new product at a target company headquartered in Chicago. Posing as a new assistant to the company's vice president of operations, the social engineer will call the operations manager for one of the target firm's laboratories in Los Angeles.
To add credibility, the social engineer will spoof the call, making it appear as though the telephone number is from the vice president's Chicago office. She will state that the vice president is making final preparations for a meeting about to take place and urgently needs updates on the product's rollout date and expenditures compared to budgeted figures. As the request appears to be genuinely coming from someone in a position of authority, combined with urgency, the social engineer will likely be successful.
Direct intrusion. While considered the most difficult of the four techniques to execute, this is usually the most successful. It involves face-to-face interaction with the target.
The social engineer can choose from a variety of pretexts for attempting this contact, including posing as someone with an appointment inside of the building, IT support, a fire inspector conducting a survey, or a member of contracted service providers.
The social engineer could easily pose as someone making a delivery of a package requiring the recipient's signature, even going so far as to procure a FedEx or UPS uniform online. After reviewing the identified locations near the target facility, the social engineer could also pose as someone making a delivery of flowers, office supplies, or fast food.
Once inside the facility with unescorted access, the social engineer may emplace listening devices in conference rooms or keyboard loggers to capture specific information, such as network usernames and passwords.
How difficult would it be for a social engineer to leave several thumb drives around the premises marked "Confidential Payroll?" Betting on the nature of human curiosity, the social engineer would expect that at least one of the employees would find and insert one of the drives into the computer, hoping to see what compensation others are receiving in the company. When they do, the social engineer is successful in uploading malicious files, potentially compromising the network.
Another successful ploy involves the social engineer posing as an executive recruiter. Without a need to divulge the name of a specific client, the "recruiter" can directly contact the target insider, saying that they were impressed by the insider's professional background as seen on LinkedIn and believe that the target may be a great candidate for an attractive position they are trying to fill.
Feeling nothing to lose, the target will frequently allow the social engineer, either over the telephone or during a personal meeting, to elicit considerable information regarding the target's own background, as well as confidential information regarding current and past employers.
Perhaps the main character trait that makes humans so vulnerable to a social engineering ploy is the tendency to blindly trust everyone, even people they do not know. This blind trust can be fatal to an organization's security posture. It is this trust that makes it easy for social engineers to convince their victims that they are whoever they pretend to be.
In addition to leveraging trust, professional social engineers will also exploit any number of influence techniques. As victims are more likely to assist someone they find to be pleasant, the social engineer will attempt to develop strong personal rapport prior to making the request. Similarly, if the social engineer conducts a significant courtesy or kind deed for the victim, the target will often feel a strong sense of obligation to reciprocate by performing a deed for the social engineer.
Victims are more likely to comply if they believe that the request is coming from someone in authority, or if the social engineer pressures the target by implying that refusing to assist will be seen by others as socially unacceptable. Another tactic involves the social engineer asking for something that the victim initially finds implausible to comply with. The victim will subsequently agree to comply with a request from the social engineer which appears to be meeting halfway.
The social engineer may also take advantage of the perception of scarcity, putting pressure on the victim to make a quick decision as the perceived window of opportunity for the victim is about to close.
There are basic measures that can significantly lower the risk that an organization will be victimized.
First, the amount of unnecessary, yet exploitable, data about organizations that can be found online needs to be minimized. In addition to establishing clear policies regarding what employees can post online regarding the organization, there must be someone responsible to periodically scan key sites to ensure compliance. The more data available to social engineers, the more likely the organization will be on a list of targets.
While unenforceable, this same practice should be encouraged among the organization's employees regarding the personal information they post on social media.
A second measure is establishing social engineering awareness training within the organization. Such training will sensitize employees to recognize potential social engineering attacks and what specific actions they should take.
Warning signs of a potential social engineer at work may involve a caller refusing to give a callback number, making an unusual request, or showing discomfort when questioned. Employees should also take note if a caller makes claims of authority, stresses urgency, or threatens negative consequences if the employee doesn't act. And if a caller engages in name dropping, flirting, or complimenting, that could be a red flag as well.
Once alerted, employees need to know what actions to take—simply not complying with the social engineer's request is not enough. Organizations need to have a system in place where the employee can promptly bring such attacks to the attention of security, via incident reports.
Employees need to receive this type of training on a periodic basis, ideally annually. To be truly effective, the training should be accompanied by social engineering penetration testing, which mimics potential ploys used by threat actors to breach the organization's security.
By conducting a social engineering awareness campaign, employees will remain alert to such threats and undertake appropriate actions, thereby decreasing existing vulnerabilities.
In all interactions—whether via email, text, over the phone, or in person—employees must first verify that the person is who they say they are and that they have a legitimate request. Remember this slogan: verify before trusting.
Peter Warmka, CPP, is director of business intelligence for Strategic Risk Management and an adjunct professor for Webster University's cybersecurity masters program. He is a frequent speaker on social engineering threats at conferences for trade associations and wealth management advisory firms. Warmka is a member of ASIS International.