Viewpoints

Do you know the last time you were socially engineered?

Byron Acohido, 19 June 2019

The intensity of phishing campaigns endures, as threat actors manipulate human foibles to gain unauthorized access to homes and companies

This spring marked the 20th anniversary of the Melissa email virus, which spread around the globe, setting the stage for social engineering to become what it is today.

The Melissa malware arrived embedded in a Word doc attached to an email message that enticingly asserted, “Here’s the document you requested . . . don’t show anyone else;-).” Clicking on the Word doc activated a macro that silently executed instructions to send a copy of the email, including another infected attachment, to the first 50 people listed as Outlook contacts.

What’s happened since Melissa? Unfortunately, despite steady advances in malware detection and intrusion prevention systems – and much effort put into training employees – social engineering, most often in the form of phishing or spear phishing, remains the highly effective go-to trigger for many types of hacks.

Irrefutable evidence comes from Microsoft. Over the past 20 years, Microsoft’s flagship products, the Windows operating system and Office productivity suite, have been the prime target of cybercriminals. To its credit, the software giant has poured vast resources into beefing up security. And it has been a model corporate citizen when it comes to gathering and sharing invaluable intelligence about what the bad guys are up to.

Threat actors fully grasp that humans will forever remain the weak link in any digital network. Social engineering gives them a foot in the door, whether it’s to your smart home or the business network of the company that employs you.

Attack themes

A broad, general attack will look much like Melissa. The attacker will blast out waves of email with plausible subject lines, and also craft messages that make them look very much like they’re coming from someone you might have done business with, such as a shipping company, online retailer or even your bank.

Some common ones in regular rotation include: a court notice to appear; an IRS refund notice; a job offer from CareerBuilder; tracking notices from FedEx and UPS; a DropBox link notice; an Apple Store security alert; or a Facebook messaging notice.

Celebrity deaths, big sporting events and major holidays are a recurring theme. When Robin Williams died, a threat actor quickly blasted out a Facebook messaging notice enticing folks to click to a video of the actor’s supposed last phone call. Instead, victims were steered to a webpage designed to earn cash for the perpetrator via advertising clicks.

The larger point is that similar ruses designed to manipulate the human urge to click can deliver much more insidious payloads, such as activating premium rate phone services, installing spyware or even distributing ransomware.

Online grifting

And then there is spear phishing. This involves focusing on a targeted company and gathering intelligence about a well-placed employee in order to craft a specialized phishing message. So-called business email compromise (BEC) attacks may be the highest form of spear phishing.

In a BEC caper, an imposter poses as a senior executive, and directs a subordinate to wire-transfer company funds into an account controlled by the perpetrators. This ought to astound you: losses due to BEC scams reached a whopping $1.3 billion in 2018, doubling the losses reported to the FBI in 2017, according to the agency’s annual internet crime report. That figure is probably understated, since it only tallies crimes reported to the FBI by U.S.-based companies.

Often a BEC attack pivots off the use of a compromised, legit company email account. The attacker uses this foothold to monitor the flow of company operations, gather intelligence about invoice forms and business contracts, and prepare spoofed collateral. Patience is part of the game. At the right moment, such as when a targeted senior executive is traveling, a well-planned online grift gets executed.
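As an added illustration of how a mail gateway or SOC rule can flag both lure types described above (the brand-impersonation lures under "Attack themes" and the executive-impersonation BEC message here), the following Python is example code written for this column, not anything from the article itself; the company domain, executive roster, brand list and the three sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed reference data (constructed): the company's domain and executives, plus legitimate domains for the brands the article names as lures.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = ["jane doe"]
BRAND_DOMAINS = {"fedex": "fedex.com", "ups": "ups.com", "dropbox": "dropbox.com",
                 "apple": "apple.com", "facebook": "facebook.com"}
PAYMENT_RE = re.compile(r"\b(wire|transfer|invoice|payment|bank account)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|today|immediately|asap|keep this|don't tell)\b", re.I)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def _mentions(name, term):
    return re.search(r"\b" + re.escape(term) + r"\b", name) is not None

def check_message(raw):
    """Return heuristic findings for one plain-text RFC 822 message (empty list if clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain, lname, findings = _domain(addr), name.lower(), []
    # BEC: an executive's display name arriving from outside the company domain.
    if any(_mentions(lname, e) for e in EXECUTIVES) and not _under(domain, COMPANY_DOMAIN):
        findings.append("exec-impersonation")
    # Brand lure: the display name invokes a brand the sender domain does not belong to.
    if any(_mentions(lname, b) and not _under(domain, d) for b, d in BRAND_DOMAINS.items()):
        findings.append("brand-impersonation")
    # Reply-To steering answers to a domain other than the visible sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != domain:
        findings.append("reply-to-mismatch")
    # Money movement combined with urgency or secrecy in the body.
    body = "" if msg.is_multipart() else msg.get_payload()
    if PAYMENT_RE.search(body) and URGENCY_RE.search(body):
        findings.append("urgent-payment-request")
    return findings

# Constructed sample messages (not real mail).
BEC_SAMPLE = ("From: Jane Doe <jane.doe@mail-example.net>\nReply-To: j.doe@reply-example.org\n"
              "Subject: Quick favor\n\nBob, I'm traveling and can't talk. Please wire the vendor "
              "payment today and keep this between us.\n")
LURE_SAMPLE = ("From: FedEx Delivery <notice@fedex-tracking-alerts.com>\nSubject: Package on hold\n\n"
               "Your package could not be delivered. Open the attached label to reschedule.\n")
LEGIT_SAMPLE = ("From: Jane Doe <jane.doe@example-corp.com>\nSubject: Board pack\n\n"
                "Attached are the figures for Monday's board meeting.\n")
```

Running `check_message` over the three samples flags the BEC message on three counts and the FedEx lure on one, while the genuine internal note produces no findings; the checks are coarse heuristics meant to route mail for review, not a verdict on their own.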

Personal responsibility

Why has social engineering not only endured, but become a bigger part of daily living? Our growing reliance on cloud-based services and third-party collaborations has only made it easier for threat actors to manipulate human tendencies. And there are so many more ways to subvert authentication. Years of stealing user names and passwords and poor password practices add to this mix.

For the foreseeable future, the burden remains with companies and individuals to resist social engineering. Companies need to conduct effective training and testing of employees to keep them alert for targeted social engineering attacks – on an ongoing basis. Another part of human behavior is our propensity to slip back into comfortable habits that make us susceptible to being fooled time and again.

And each one of us, as individual digital citizens, needs to be protective of the digital footprints we leave behind us when we go online. These habits need to become second nature:

  • Open email judiciously
  • Never open an attachment or click a link that doesn’t seem quite right
  • Apply all security updates for your browsers and the main software you use
  • Use a reputable antivirus on all of your computing devices

From a threat standpoint, things have not changed much since Melissa. Staying safe has become an even greater personal responsibility. Talk more soon.