A staggering 98% of cyberattacks include an element of social engineering aimed at tricking end users. The victims are frequently company employees, who are often manipulated into revealing their credentials for company log-ins and SaaS applications.
Social engineering has evolved from an opportunistic crime, taking advantage of sensitive information, such as executive travel plans, into something approaching a science. There are now five distinct phases designed to compromise even the most cautious members of staff.
In stage one of a socially-engineered attack, the threat actor identifies the precise target, usually a relatively senior member of staff holding “the keys to the kingdom” in the form of log-in credentials, passwords, and permissions.
Stage two consists of information gathering. Traditionally, this has often involved a physical approach such as a stranger at a bar striking up a seemingly innocent conversation about work. Today, most social engineering takes place online, frequently employing software specifically designed to crawl the internet for personal details relating to the target, using open-source intelligence (OSINT). Attackers can find valuable information in social networks and in forums where the target may have registered. Leaked personal details from customer accounts revealed when companies like Amazon are hacked are also available for purchase on the dark web.
Once the threat actors have compiled enough information to build a full picture of the target employee’s character and habits, they move onto the attack’s third stage: pretexting. With pretexting, the attackers manipulate the target and build trust with the selected employee, sending sophisticated messages, impersonating co-workers online, and many other strategies.
In the fourth stage, attackers exploit the target’s trust to elicit all kinds of sensitive information, such as credentials, permission, and banking details. The threat actor tricks the target into visiting known URLs, downloading unknown source applications, opening emails with a malicious Microsoft Office document attached, and other ruses. While staff may know about basic cybersecurity while sitting at their workstations, mobile and video communications offer threat actors additional strategies. For example, a “smishing” attack contains an urgent-looking text message that has a fraudulent link, weaponized with malware such as ransomware or spyware. The term “vishing” refers to a similar strategy using phone calls or voice mails to solicit sensitive information from the target.
This gives the threat actor initial entry into the company’s internal IT system enabling the fifth and final stage: the execution of the attack itself. This often involves stealing sensitive data or banking information, harvesting credentials, and deploying ransomware. Once one organization has been breached, professional threat actors will frequently then attempt to breach the company’s affiliates, partner organizations, clients, and customers.
When a significant proportion of the working population shifted to working from home in 2020, there was a rapid rise in phishing attacks, particularly those aimed at employees. According to the FBI, business email compromises (BECs) accounted for almost $2.4 billion in losses in 2021. Such phishing attacks surreptitiously deliver payloads, such as malicious attachments, executable files masquerading as pictures, and PDF files with hidden embedded JavaScript. The also may include malicious Office documents containing weaponized micros, malicious zip files, HTML files with redirections that download additional malicious payloads, malicious payloads, and malicious spoofed URLs.
People are always the weakest entry point in even the most secure organizations. To safeguard companies from the human element requires a truly holistic approach involving all aspects of the organization’s cyber strategy.
It’s essential to educate the staff, together with providing regular updates of the latest pretexting and exploitation tactics used by cyber criminals to manipulate gullible staff. Teach employees to stay wary of mixing their professional and personal lives too much on social media. Details of new responsibilities at work or revealing holiday plans are often used in combination with other available information to construct a socially engineered cyber-attack.
Once companies have established an acceptable level of staff cybersecurity training, they should also strengthen their security strategy to further protect themselves against surreptitious and tough-to-detect socially engineered cyberattacks. For example, check for breaches that may occur in real-time and also anticipate new threat vectors to shore up the corporate defenses in advance. As a result, organizations are now increasingly hiring managed and detection response (MDR) teams to deliver alert monitoring, attack investigation, assistance with incident response in addition to investing in proactive threat hunting, and penetration testing.
All cybersecurity strategies must constantly adapt to take account of new threat vectors and constantly evolving TTPs. And it’s especially true in the realm of social engineering, where cybercriminals are constantly developing new ways to exploit every kind of human weakness.
Adam Bar Zeev, security analyst, Cynet Security
