Recently, I finished a great audiobook by the famed hacker Kevin Mitnick, called “Ghost in the Wires”, where he details his exploits in using social engineering techniques to hack phone systems. For the most part, he used old school methods that involved research, cold calling and convincing people he should have access to their systems. Success was predicated on his skill in manipulation – and the fact that most people inherently want to trust others.
Fast forward to 2020 and social engineering is essentially the same, relying on the techniques pioneered by Mitnick and his peers. The major differences now are that technology and scale play a greater part in the success of today’s attacks.
In a few of my recent articles, I warned about the growth potential for attacks in the coming year and explored some of the methods being adopted by attackers that use technology to ensure greater success.
Many of us are familiar with the two most common types of socially engineered attacks – phishing and spear-phishing – but there are many more to be aware of, including:
• Baiting. The age-old story of a hacker leaving a USB device in a car park, hoping that someone will pick it up and connect it to their computer, may sound like the stuff of Hollywood, but it is a surprisingly common attack that has even been used successfully with USB devices given away at computing conferences. Once connected, the USB device will appear to be safe, perhaps containing music or videos. In reality, it is attempting to inject malicious software into the host machine.
So, how can a baiting attack be avoided? By never blindly connecting an unknown USB device to your computer. If you do decide to trust the device, make sure you have the latest anti-virus software installed and set to “scan connected devices automatically” to prevent known malware infections.
• Pretexting covers several different attacks carried out over email, text message or phone call. The attacker poses as an authority and leverages that assumed authority to gain access to high-value private, corporate or personal information. For example, the target could first receive an email from someone posing as a family member who says they need money, followed by an urgent text. This is a dangerous attack because it heavily exploits, and ultimately damages, trust.
Verification is the best way to avoid a pretexting attack. As much as we want to trust managers, friends and family members, if you get an unexpected and urgent call pressuring you to provide information or money, take extra steps to verify the request. Hang up and call back on a known number or have the caller provide some information which they would only know if they were genuine.
• Tailgating allows an attacker to gain access to a building or a restricted area and is easy to execute. For instance, a stranger follows you into the office carrying a heavy box and asks if you can “badge” them in. Or an unknown person scrambles in behind you, saying “brrr, it’s cold outside! I’m glad to get out of the rain.” Either could be a tailgater and present a risk. They are relying on the fact that people want to be helpful, and that by appearing familiar they are less likely to be questioned.
Want to avoid a tailgating scenario? If someone asks you to let them in, escort them to reception – or have them use their own badge to activate the door. Do not rely solely on trust.
• Scareware is another tactic that has proved successful in recent years, using desktop popups and messages to deliver a fake virus infection warning. Sometimes these messages even appear to come legitimately from security companies. Less common, but similar, is receiving the infection message in an email purporting to come from your internet or security software provider. In both cases, clicking on the message redirects to a software portal offering, for a fee, the “right” software to remove the malware. Paying at this stage results in two things: fake antivirus software – or possibly even malware – being installed, and your financial information being stolen.
Practice caution to avoid scareware. A popup or email stating that you’ve been infected by malware and offering a “click here” fix is likely fake and is attempting to scare victims into engaging. Make sure you have the latest anti-malware software installed, along with the most recent operating system security updates. Never click on unknown popups or emails.
Socially engineered attacks are especially nasty and effective because they rely upon natural human responses to be successful; anyone can be a victim at any time. As both cybercriminals and technology get smarter, the public must also adapt. Educate consumers and employees on the risks and warning signs of these attacks. The idea is to not simply “trust no one;” rather, be cautiously suspicious and train yourself to sniff out the (ph)ishy.