6 of the most effective social engineering techniques

Mar 20, 2017 | 7 min read
Security | Social Engineering


Social engineering is the strongest method of attack against the enterprise's weakest vulnerability, its people. Criminal hackers recognize this fact. In 2015, social engineering became the No. 1 method of attack, according to Proofpoint's 2016 Human Factor Report.

These successful social engineering methods often use phishing and malware. But social engineering attackers have more tools and approaches to draw on than these.

That's why CSO covers six of the most effective social engineering techniques that attackers use both on and off the internet, explaining how each one works and what it accomplishes, and describing the technologies, methods, and policies for detecting and responding to social saboteurs and keeping them at bay.

Technique one: Enabling macros. Cybercrooks are using social engineering to trick organizational users into enabling macros so that macro malware will work. In attacks on Ukrainian critical infrastructure, bogus dialogue boxes appearing in Microsoft Office documents told users to enable macros to properly display content created in a more recent version of the Microsoft product.

The crooks wrote the dialogue text in Russian and made the dialogue image appear to come from Microsoft. When users complied and turned macros on, the document's malware infected user machines. "This phishing tactic used an interesting social engineering twist to account for the fact that most users have macros turned off," says Phil Neray, vice president of Industrial Cybersecurity at CyberX.

Technique two: Sextortion. In attacks called catphishing, cyber criminals pose as potential lovers to lure victims to share compromising videos and photos and then blackmail them. "These traps have evolved to target the enterprise," says James Maude, senior security engineer at Avecto.

By targeting senior people across the enterprise using social media, the sextortionists ultimately blackmail them into revealing sensitive credentials, says Maude. These attacks occur in person in bars and hotels at security conferences, as well, says Maude.

Technique three: Expanded affinity social engineering. Affinity social engineering counts on attackers forming a bond with a target based on a common interest or some way that they identify with each other. Crooks now establish these connections online based on shared political views, social media groups, hobbies, sports, movie or video game interests, activism, and crowdsourcing situations, explains Roger G. Johnston, Ph.D., Head of Right Brain Sekurity.

"The bad guy's method is to become friends, get the victim to do them a favor, slowly ask for information (initially innocuous), then ask for more sensitive information. Once the victim is in a little ways, the attacker can then blackmail them," says Johnston.

Technique four: Phony recruiters. With so many headhunters seeking out job candidates, it is not suspicious when a faker comes along to pump up an employee's ego and offer enticing yet fabricated positions to get information.

"This may not directly yield computer passwords, but an attacker can get enough data to figure out whom to password phish inside your company. The attacker can also threaten to tell the employee's boss that they are planning to leave the company and have already shared confidential information to gain leverage over the victim," explains Johnston.

Technique five: Old interns. While interns once were only young people, many are now older. An attacker posing as an older intern has the knowledge and experience necessary to commit industrial espionage, knowing what questions to ask and where and how to find confidential information, explains Johnston.

Technique six: Social engineering bots. "Malicious bots are often responsible for highly sophisticated, damaging social engineering attacks," says Inbar Raz, principal researcher at PerimeterX. Bots infect web browsers with malicious extensions that hijack web surfing sessions and use social network credentials saved in the browser to send infected messages to friends, explains Raz.

Attackers use these bot approaches to trick the victim's friends into following links in the message or downloading and installing malware, which enables the cyber hoodlums to build large botnets that include their computers, Raz explains.

Technologies, methods, and policies to prevent, detect, and respond to social engineering

In the Ukrainian attack example, hardened machines that did not permit users to enable macros would have stopped the attack cold. Enterprises can also use deep packet inspection, behavioral analytics, and threat intelligence to monitor the network layer for anomalous behavior such as that exhibited in the Ukrainian attack through Microsoft Office documents, says Neray. "The enterprise can use next-gen endpoint security to perform a similar function on endpoint devices," says Neray. These technologies will help mitigate many social engineering attacks.
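As an added example (not from the CSO article or any of its sources), the following PowerShell script audits and enforces the Office macro settings that a "hardened machine" in the sense above relies on, so that a lure dialog has nothing to ask the user to click. It assumes Office 2016/365 (registry version key 16.0) and writes the per-user Policies hive; in production the same values would be delivered by Group Policy.

```powershell
# Added example: audit and harden Office macro settings so a user cannot be
# talked into enabling macros. Assumes Office 2016/365 (version key "16.0").
$OfficeVersion = '16.0'
# Apps that store macro security in the VBAWarnings value (Outlook differs).
$Apps = 'Word', 'Excel', 'PowerPoint'
# VBAWarnings: 1 = enable all, 2 = disable with notification (the default the
# lure relies on), 3 = signed macros only, 4 = disable all without prompting.
$Desired = 4

function Get-MacroPolicyState {
    param([string]$App)
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $user   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    $state = [ordered]@{ App = $App; PolicyVBAWarnings = $null
                         UserVBAWarnings = $null; BlockInternet = $null }
    if (Test-Path $policy) {
        $p = Get-ItemProperty -Path $policy
        $state.PolicyVBAWarnings = $p.VBAWarnings
        $state.BlockInternet     = $p.blockcontentexecutionfrominternet
    }
    if (Test-Path $user) {
        # Trust Center UI writes here; a policy value overrides it.
        $state.UserVBAWarnings = (Get-ItemProperty -Path $user).VBAWarnings
    }
    [pscustomobject]$state
}

function Set-MacroPolicy {
    param([string]$App)
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    # Policy hive wins over the user hive, so the Trust Center cannot undo it.
    New-ItemProperty -Path $policy -Name VBAWarnings -PropertyType DWord `
        -Value $Desired -Force | Out-Null
    # Also block macros in files carrying Mark-of-the-Web (downloaded/mailed).
    New-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

foreach ($app in $Apps) {
    $before = Get-MacroPolicyState $app
    if ($before.PolicyVBAWarnings -ne $Desired -or $before.BlockInternet -ne 1) {
        Write-Warning ("{0}: VBAWarnings={1} blockInternet={2}; hardening" -f `
            $app, $before.PolicyVBAWarnings, $before.BlockInternet)
        Set-MacroPolicy $app
    }
    Get-MacroPolicyState $app   # print the post-change state for the audit log
}
```

Run it as the user whose profile is being audited; a value of 2 or $null in PolicyVBAWarnings means the lure would still have produced a clickable "Enable Content" bar.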

For these and many other attack methods, policies should require network segmentation, multifactor authentication, and post-attack forensics on the network and endpoints, in order to prevent lateral movement, limit the damage from stolen credentials, and establish the scope of the breach so that all associated malware is removed, according to Neray.

The enterprise should address sextortion using a combination of least-privilege zero trust, behavioral detection, and monitoring to expose attacks and limit the abuse of credentials that this social engineering technique produces.

Sextortion requires sensitive handling if such an attack has compromised an employee. "Legal, HR, and law enforcement may need to play a part in any actions, and everyone needs to be ready for the worst. In the cases I know, employee awareness and early intervention have limited the damage," says Maude.

Giving employees panic words they can use when they are in trouble can alert employers to attacks in progress that rely on blackmail or coercion, says Johnston. To detect a corporate espionage agent working in the guise of an older intern, consider employees who never take vacations or sick leave, perhaps for fear that their activities will be detected while they are away, says Johnston.

Tools such as anomalous behavior monitoring products and some anti-virus and anti-malware software can detect bot behavior and changes to the browser. The enterprise can detect some weaker bots using threat intelligence and IP address reputation information, according to Johnston.

Employee training

The enterprise should continually update employee training with all the details of how criminals are using social engineering. "You should conduct social engineering awareness training separately and specifically, sketching out how these attacks work, making them sound very plausible," says Johnston. Put on plays (live or video) with all the characters, both victims and perpetrators to demonstrate the points vividly and personally, says Johnston.

Demonstrate how social engineering targets everyone, show how anyone can be vulnerable, and give people the tools to protect themselves and assurances that they are accepted even when they fall victim.

With an optimal combination of training, policies, and security technologies, enterprises can resist social engineering ploys old and new. The enterprise and its people must put forth a team security effort to do it.