Social Engineering: The Invisible Threat
In our digitized world, the threat landscape has vastly expanded. One term has steadily risen to prominence among the spectrum of online perils: Social Engineering. Unlike the conventional image of a hacker aggressively typing away on a keyboard to crack sophisticated codes, social engineering paints a subtler and arguably more sinister picture. This threat is not purely about computers or technology - it's about manipulating human psychology.
Social engineering is a form of deception where tricksters manipulate individuals into revealing sensitive information, such as passwords, bank details, or even company secrets. It is an art of exploiting human weaknesses, whether that's trust, curiosity, fear, or simple ignorance. We live in an era where our data is a coveted treasure, and protecting it has become paramount.
Guarding Our Digital Selves
Why should we care? Simply put, no one is immune. Cybercriminals armed with social engineering tactics can strike anyone, from individual internet users to small businesses and multinational corporations. These digital rogues don't discriminate. The damage they cause can range from mild inconvenience to catastrophic financial and reputational losses.
Moreover, the digital and real worlds are no longer separate entities - they are intrinsically intertwined. Our digital persona often holds just as much, if not more, significance as our physical one. Our social profiles, online banking, digital communications, and even our smart appliances at home - all weave into the fabric of our digital identity. Hence, it's not just about protecting our devices but also our digital lives.
In the face of this ever-evolving threat, knowledge is our best defence. Understanding the tactics of social engineers and adopting appropriate protective measures can greatly reduce our susceptibility to these attacks. The first step? Equipping yourself with the necessary armour to guard against the wiles of social engineering. Read on to navigate your way through this digital battlefield.
Understanding Social Engineering
The Deceptive Art
Imagine this: a stranger converses with you, perhaps at a coffee shop. They charm you, win your trust, and subtly, almost imperceptibly, you find yourself revealing personal information. This is an instance of social engineering in the real world. Translate this scenario into the digital landscape, and you have a typical social engineering attack blueprint.
In essence, social engineering is a form of manipulation that exploits human psychology to extract confidential information. Social engineers, the architects of these attacks, do not need advanced technical skills. Instead, they leverage an intricate understanding of human behaviour to trick individuals into revealing their passwords, credit card numbers, or other sensitive information. It's less about cracking codes and more about cracking minds.
Tools of the Trade
While the art of social engineering may be complex, social engineers' tactics can be broken down into recognizable patterns. Here are a few common techniques:
Social Engineering In Action
To understand the true power of social engineering, let's examine a couple of real-world incidents:
As we delve deeper into how to protect ourselves from social engineering, remember that awareness is half the battle. By understanding these tactics, we can be better prepared to spot and avoid social engineering attempts.
The Human Element of Social Engineering
Tugging the Psychological Strings
Social engineering, at its core, is a psychological play. It preys on the elements that make us human: our emotions, social patterns, and inherent trust in certain institutions. It's an uncomfortable truth, but the soft spot in most security systems is not a glitch in the software but the people using it. Social engineers understand this and leverage human behaviour to circumvent digital walls. But how exactly do they do this?
Trust is a fundamental aspect of human relationships and interactions. We trust our friends and our family, and we extend this trust to institutions like our banks or service providers. Social engineers exploit this innate trust. For example, in a phishing attempt, they might pose as your bank, sending you an email that looks authentic, and because you trust your bank, you're more likely to engage with the email without questioning its validity.
Humans are hardwired to respect authority, which can be exploited in social engineering attacks. An attacker might impersonate a figure of authority, such as a CEO, a police officer, or a government official, to create a sense of urgency or fear, compelling the victim to divulge information without proper verification. This tactic is commonly seen in CEO fraud attacks or tech support scams.
Playing on Fear and Urgency
Fear is a powerful motivator, and in a state of panic, people often act without thinking clearly. Social engineers use this to their advantage, instilling fear or creating a sense of urgency to push individuals into hasty actions. For example, they might send an email warning that your bank account is under threat and you need to immediately log in to secure it, thereby luring you to a fake login page.
Appealing to Curiosity or Greed
Social engineers also tap into human emotions like curiosity or greed. They may use clickbait titles, promising sensational news or offering too-good-to-be-true rewards, leading the user down a dangerous path.
Understanding these psychological tactics is crucial. As we become more aware of how social engineers manipulate our emotions and responses, we're better equipped to guard ourselves against these deceptive strategies. The key lies in balancing healthy skepticism and beneficial online interactions. Remember, in the realm of social engineering, if something feels off, it probably is.
Recognizing Social Engineering Attacks
Unmasking the Digital Deception
While social engineers employ a vast array of tactics to deceive their victims, the good news is that many of these attacks can be identified with a vigilant eye and a skeptical mindset. Let's break down how to spot the common forms of social engineering attacks:
Phishing Emails and Malicious Links
Phishing emails and malicious links form the backbone of many social engineering attacks. Here are some red flags to look out for:
Recognizing Requests for Sensitive Information
Any unsolicited request for sensitive information, such as your password, social security number, or bank details, should raise an immediate red flag. Legitimate organizations typically do not ask for this information via email or phone.
Spotting Impersonation Attacks
Impersonation attacks can happen in both the digital and physical worlds. Digitally, attackers might mimic the email style of a colleague or the format of an email from a trusted organization. In the physical world, they might pose as a maintenance worker or a fellow employee. To counteract this:
In the face of social engineering, maintaining a sense of healthy skepticism is your best defence. The adage "think before you click" is especially relevant here. If something feels off, take a moment to question it before proceeding.
Protecting Yourself Online
Building a Robust Digital Fortress
Being aware of the threats posed by social engineering is half the battle; the other half is building your defences. Online security may seem daunting, but you can significantly bolster it by adopting some straightforward practices. Here are some key steps to enhance your online protection:
The Power of Passwords
Your passwords are the keys to your digital kingdom, and it's essential they're both strong and unique. Aim for a mix of letters, numbers, and symbols, and avoid obvious choices like 'password123' or 'admin'. Additionally, ensure that each of your online accounts has a unique password; this way, if one account is compromised, the others remain safe. Password managers can be handy tools to help manage this complexity.
Two-Factor Authentication: Your Digital Bodyguard
Two-factor authentication (2FA) is like a second layer of security for your accounts. It requires you to provide two forms of identification before you can access your account. This is typically something you know (like your password) and something you have (like a code sent to your phone). With 2FA, even if a hacker manages to get your password, they still will need a second form of identification to access your account.
Safe Browsing: Navigating the Digital Seas Safely
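Always check the URL of a website before entering any personal information. A secure site's URL should start with 'https://'; the 's' stands for 'secure'. Keep in mind that 'https://' only tells you the connection is encrypted, not that the site is genuine, so check the domain name as well. Be cautious when downloading files or clicking links, especially from unknown sources.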
VPNs and Secure Networks: The Invisible Cloak
Virtual Private Networks (VPNs) can provide an extra layer of security by masking your IP address and encrypting your online traffic. This is especially useful when using public Wi-Fi networks, which are often not secure enough. Always try to use trusted and secure networks for sensitive online activities.
Regular Software Updates: The Evolving Shield
Software updates often include security enhancements and patches for known vulnerabilities. Regularly updating your operating system, apps, and security software is crucial to protecting your devices against the latest threats.
In the fight against social engineering, the key to your online security is in your hands. It's not about being completely impervious to attacks. Rather, it's about making it so difficult for social engineers to breach your defences that they choose to move on to an easier target.
Responding to Social Engineering Attacks
Action Plan for the Unthinkable
Despite our best efforts, there may come a time when you find yourself a target or even a victim of a social engineering attack. The initial shock can be disorienting, but responding quickly and methodically is crucial. Here's what you should do:
Steps to Take if You've Been Targeted or Victimized
The Importance of Reporting Attacks
Even if you manage to fend off an attack, it's important to report it. If applicable, social engineering attacks should be reported to your organization's IT or security department and local law enforcement agencies.
By reporting the attack, you're not only possibly helping to catch the perpetrators but also helping to improve awareness and prevention measures for these types of crimes. In the world of cybersecurity, shared knowledge is our best defence.
Remember, it's not a failure if you fall prey to a social engineering attack. These attackers are skilled manipulators who exploit trust and sociability, inherently human traits. However, taking swift and decisive action can limit the damage and help prevent future attacks.
The Role of Continuous Learning
Staying One Step Ahead in the Cybersecurity Race
In the ever-changing cybersecurity landscape, standing still is the same as falling behind. Social engineering is a dynamic threat, with attackers constantly refining their methods and devising new ways to trick unsuspecting individuals. Staying ahead of these threats requires constant learning and adaptation.
The Ever-Evolving Nature of Social Engineering
Social engineering isn't a static field; the tactics that were popular five years ago may differ from those most commonly used today. As our digital behaviours evolve and new technologies emerge, so too do the methods employed by social engineers.
For example, as more people become aware of email phishing, social engineers have moved towards more sophisticated techniques like spear-phishing (targeted attacks) or whaling (attacks targeting high-level executives). As the world continues to digitalize, the attack surface expands, creating newer, more creative attacks.
The Importance of Staying Informed
Given this rapid pace of change, it's crucial to stay informed about the latest developments in social engineering attacks and the protective measures to counter them. Subscribe to cybersecurity blogs or newsletters, attend relevant webinars, and participate in online cybersecurity communities. Many of these resources are freely available and can provide valuable insights.
Make it a point to regularly update your knowledge about the latest scams, tricks, and attack vectors used by social engineers. It is equally important to keep abreast of advancements in protective measures, be it the latest in two-factor authentication, VPN technologies, or privacy-enhancing software.
Regular cybersecurity training is a valuable investment for organizations. It can update employees on the latest threats and reinforce the importance of adhering to security protocols. Remember, the human element is often the weakest link in a security chain, and continuous learning can turn that weakness into a strength.
In conclusion, dealing with social engineering is not a one-time task but an ongoing commitment. The digital landscape changes rapidly, and so do the threats we face. However, by committing to continuous learning, we can ensure we're always one step ahead of the attackers, ready to counter whatever new trick they throw our way.
Twitter Attributes Latest Hack to Its Systems to Social Engineering
Last July 15th, verified Twitter accounts, including those of Amazon CEO Jeff Bezos and former U.S. President Barack Obama, tweeted similar content, saying that they had decided to give back to their community by sending back twice the amount (limited to US $50 million) of any Bitcoin sent to a particular Bitcoin address.
The tweets were later removed – a confirmation that the tweets were part of a scam and that the involved verified Twitter accounts were, in fact, hacked. A total of 393 transactions sent varying amounts of Bitcoin to the indicated Bitcoin address. Whoever orchestrated the campaign earned 12.8 Bitcoins, valued at US $117,473 as of July 18, 2020.
How Was Twitter Hacked?
In a blog post dated July 18, 2020, Twitter attributed the hacking of the 130 verified Twitter accounts to social engineering. "At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme," Twitter said.
The company, however, didn't elaborate on how the attackers carried out the social engineering. Twitter defined social engineering as the "intentional manipulation of people into performing certain actions and divulging confidential information."
According to Twitter, the intentional manipulation of a small number of Twitter employees enabled the attackers to access the company's internal systems using the credentials of the targeted Twitter employees, and "getting through" the company's two-factor authentication (2FA) protection.
Twitter said the attackers were able to view personal information including phone numbers and email addresses, information that was accessible to some of the targeted employees. Twitter added that for 45 of the 130 hacked verified accounts, the attackers were able to log in to the account, send tweets and initiate a password reset.
In accounts taken over by the attackers, the company said that the attackers may have been able to view additional information. The company also added that the attackers attempted to sell some of the hacked accounts.
The July 15th cyber incident at Twitter isn't the first hacking incident that the company experienced. Nearly a year ago, the Twitter account of its CEO Jack Dorsey was hacked.
After taking over Dorsey's Twitter account @jack, attackers fired off nearly two dozen tweets and retweets. "The phone number associated with the account was compromised due to a security oversight by the mobile provider," Twitter said in a statement. "This allowed an unauthorized person to compose and send tweets via text message from the phone number."
The above-mentioned statement from Twitter on how its CEO's account was hacked describes a typical SIM swap attack – a type of cyberattack in which a mobile phone company employee switches a victim’s phone number to a new phone number that's under the attacker’s control.
This type of attack is carried out in two ways. One method is calling the customer help line of the mobile phone company and pretending to be the intended victim. The other method is paying off phone company employees to do the phone number switches. There have been reports that attackers paid off phone company employees to do the phone number switching for as little as US $100.
SIM swapping plays a big role in attacks that try to bypass text message-based 2-factor authentication. With this authentication method, on top of the usual username and password requirement, a user can only log in to an account by providing a one-time code that is sent to the phone number the user provided. In a SIM swap attack, the target's phone number is changed to a phone number controlled by the attacker, so the one-time code is sent to the attacker instead.
In September 2019, the U.S. Federal Bureau of Investigation (FBI) warned its partner organizations about SIM swapping. According to the FBI, between 2018 and 2019, the most common tactic used by attackers to circumvent 2-factor authentication was SIM swapping.
In 2019, a report came out that Twitter left its internal systems exposed to outsiders by failing to apply the latest security update of a particular software. This time, however, bug bounty hunters found the vulnerability and responsibly disclosed it to Twitter.
In a blog post dated September 2, 2019, security researchers at DEVCORE reported that they were able to perform remote code execution (the ability to access someone else's computing device and make changes to it regardless of where this computing device is geographically located) on Twitter's internal systems. The researchers said they initially gained access to Twitter's internal system by exploiting an unpatched Pulse Secure VPN used by the company.
The security researchers at DEVCORE are the same researchers that discovered the remote code execution vulnerability in Pulse Secure VPN products and reported this vulnerability to the software vendor Pulse Secure. The same researchers also discovered and reported the security vulnerabilities in the VPN products of OpenVPN and Fortinet.
"During our research, we found a new attack vector to take over all the clients [computers or software that accesses a service made available by a server]," security researchers at DEVCORE said. "It’s the 'logon script' feature. It appears in almost EVERY SSL VPNs, such as OpenVPN, Fortinet, Pulse Secure… and more. It can execute corresponding scripts to mount the network filesystem or change the routing table once the VPN connection established. Due to this 'hacker-friendly' feature, once we got the admin privilege, we can leverage this feature to infect all the VPN clients!"
The researchers also reported that they bypassed the 2-factor authentication as Twitter enabled the Pulse Secure VPN's roaming session feature, which allows a session from multiple IP locations. "Due to this 'convenient' [roaming session] feature, we can just download the session database and forge our cookies to log into their system!"
Prior to going public, the security researchers at DEVCORE reported their findings to Twitter via the company's bug bounty program.
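The roaming-session behaviour described above means a copied session cookie keeps working from a new address with no second-factor prompt, which is something defenders can look for in gateway logs. The following Python detector is an added example, not code from DEVCORE, Twitter or Pulse Secure; the log format, field names and sample lines are constructed for illustration.

```python
from datetime import datetime

# Constructed sample log (hypothetical format): time, session id, user, source IP, event.
SAMPLE_LOG = """\
2019-08-01T09:00:02Z sid=a1f3 user=alice src=198.51.100.7 event=login mfa=pass
2019-08-01T09:05:10Z sid=a1f3 user=alice src=198.51.100.7 event=request
2019-08-01T09:06:44Z sid=b7c9 user=bob src=203.0.113.20 event=login mfa=pass
2019-08-01T09:30:00Z sid=a1f3 user=alice src=192.0.2.55 event=request
2019-08-01T09:31:12Z sid=b7c9 user=bob src=203.0.113.20 event=request
2019-08-01T09:40:00Z sid=e4d0 user=carol src=192.0.2.55 event=request
"""

REQUIRED = {"sid", "user", "src", "event"}

def parse_line(line):
    """Return a dict for one log line, or None if it is blank or malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not REQUIRED <= fields.keys():
        return None
    fields["ts"] = ts
    return fields

def find_suspicious_sessions(log_text):
    """Return (sid, reason, src) findings in log order, one per session/IP pair."""
    login_ip = {}      # sid -> address that completed password + second factor
    reported = set()   # (sid, src) pairs already reported
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid, src = rec["sid"], rec["src"]
        if rec["event"] == "login" and rec.get("mfa") == "pass":
            login_ip[sid] = src
            continue
        if sid not in login_ip:
            reason = "no-login-seen"   # session used without an observed MFA login
        elif src != login_ip[sid]:
            reason = "ip-changed"      # session roamed away from the login address
        else:
            continue
        if (sid, src) not in reported:
            reported.add((sid, src))
            findings.append((sid, reason, src))
    return findings

if __name__ == "__main__":
    for sid, reason, src in find_suspicious_sessions(SAMPLE_LOG):
        print(f"ALERT sid={sid} reason={reason} src={src}")
```

A "no-login-seen" finding can also be a session that started before the log window, so the log should cover at least the maximum session lifetime.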
Social engineering is a significant risk for most organizations and individuals alike. This is why we’ve created a blog post with 52 cybersecurity tips for businesses and individuals to help mitigate key risks.
Steve E. Driz, I.S.P., ITCP