Endpoint
4/11/2013
05:35 PM

How Hackers Fool Your Employees

Attackers are taking aim at the weakest point in your network: human beings. Do you know how to protect your data?

Pop quiz time: Which endpoint vulnerability is a hacker most likely to exploit to gain access to your enterprise network resources? It's not some unpatched Windows flaw or browser vulnerability. It actually isn't any technology at all. Your most vulnerable endpoint is the technology user a few cubes over.

People are nothing more than another operating system, says Lance Spitzner, training director for the Securing The Human Program at SANS Institute. "Computers store, process and transfer information, and people store, process and transfer information," he says. "They're another endpoint. But instead of buffer overflows, people suffer from insecure behaviors."

Hackers send phony messages crafted to look legitimate, and your employees click on the malicious attachments and links. The bad guys leave infected USB sticks in company parking lots that employees find and plug in just to see. Employees log on to compromised wireless networks to access corporate assets. There's a huge number of insecure behaviors along with a great many ways hackers exploit them.

Of course, your organization has anti-phishing technology to stop malicious messages from getting to users' inboxes, as well as vulnerability management suites that secure all those flaws that hackers exploit. And you have plenty of anti-malware software. But these products aren't perfect, nor are the deployments and practices around them.

Well-designed phishing messages stream past filters. The bad guys look for previously undetected technological vulnerabilities they can exploit with the help of unsuspecting users. They regularly develop new malware variants that anti-malware engines fail to detect. And they come up with sneakier ways to hide malicious software in messages and on the Web. In all these cases, the last line of defense is the employee who gets the malicious email or lands on the infected website. If companies don't address the vulnerable humans they employ, they're setting themselves up for failure.

Letting people fall into the mindset that the IT guys have this covered is what leads to a false sense of security, says Rohyt Belani, CEO of security training firm PhishMe. Most big companies that get breached inevitably are using anti-malware or anti-phishing software, he says, "so either the technology providers are lying to their clients or they're not 100% effective."

Penetration testers will tell you that most security failures come in the form of email, and their most powerful hacking tool isn't some low-level network exploit tool. "The most powerful pen test tool is Outlook," SANS's Spitzner says.

Ninety-one percent of targeted attacks between February and September last year involved spearphishing tactics, according to Trend Micro, an Internet content security vendor. Those attacks have evolved way beyond the bank phishing attacks of yesteryear. Attackers now take time to make detailed plans, research targets and develop or buy malicious exploits that raise as little suspicion as possible. If they can slip their attack mechanism past the victim's technical defenses, it can remain on the user's machine long enough for the attacker to make forays into the network it's connected to.

Conversational phishing is the latest attack trend. The victim gets multiple emails "that make it look like there's a human on the other end and that it's part of an email thread," PhishMe's Belani says. The attacker knows enough about the victim and his interests to convince him that, say, they had met at a busy convention such as RSA. From there, the attacker tells the victim about a blog post that he'd surely be interested in and attaches an infected version. The attacker even sends a follow-up message asking the user if he had a chance to look at the blog.

"Now you're subconsciously convinced that it's a real human being so you open that document," Belani says. "The bad guys have been doing that for at least the last six months."

And these attacks are becoming more sophisticated, says Mike Murray, managing partner for MAD Security, which does incident response and awareness training. In one instance about a year ago, a nation-state-level attacker went after an executive at one of MAD Security's clients, as well as four other executives at other organizations. The attacker did extensive research, likely on LinkedIn, and knew that the five executives regularly worked together on projects, Murray says. Using that knowledge, the hacker crafted five different emails, each of which looked like an email from one of the five colleagues to the rest of the group referencing a fictional meeting the recipient had missed. That message included a malicious attachment that was the supposed agenda for the fake meeting. Each email had a made-up thread to make it appear there had been a flurry of responses back and forth among the rest of the group.

"Tell me that you wouldn't have opened that? If it was five people you work with normally?" Murray says. "Every single person I know would have opened that, me included."

Social Engineers: Human Flaw Finders

Conversational phishing is just one of several social engineering tricks attackers use. On physical sites, they've dressed up as deliverymen to bluff their way into corporate buildings in order to plant key loggers, steal data-storing equipment and gather valuable intelligence. On the phone, they've posed as tech support people to fool users into spilling their corporate credentials. And online, attackers send spearphishing messages and flood search engines and social media with links to infected fake news articles.

Using these tactics, they manipulate users into stumbling into attacks and take advantage of users' bad habits, such as reusing passwords. If an attacker can get his hands on a user's banking password through a phishing campaign or by compromising a bank's user-name and password database, and then find out where that user works, he may have what he needs to log into the corporate network.


Social engineers take full advantage of our proclivity to be complacent, SANS's Spitzner says. People aren't aware that they're targets, and they unwittingly help attackers by putting very public clues about themselves online, he says.

"It's people putting bits and pieces here and there, not realizing that when the bad guys harvest all that information, they now have a complete picture," Spitzner says. That picture lets attackers write emails full of cues that create a false sense of legitimacy.

People with a dominant public profile on social media stand a 50% greater chance of being spearphished than the average corporate user, Trend Micro says. Attackers aren't just conducting research on Facebook, LinkedIn and Twitter. They're combing through target organizations' websites seeking information they can use against employees, including partner announcements and logo lists boasting the company's high-profile clients.

"They have the time to do the research," says Tim Rohrbaugh, chief information security officer at Intersections, an identity risk management services provider. "They can figure out relationships between departments and managers through social media. They're reading filings, they're sorting out those partner lists and they're crafting messages that are very, very close to what a legitimate message would look like."

Even more troubling, features such as the Facebook Graph social search engine give hackers even more information to exploit, MAD Security's Murray says. He predicts that in just a few years, attackers will develop automated workflows to mine social graphs that craft phishing messages with very little human intervention. On LinkedIn, it's already possible to write a quick script that scrapes the service, grabs all the people a target knows and crafts phishing emails from them to you or you to them, he says.

Chart: Most valuable security practices

Chart: What type of security breaches occurred in your company in the past year?

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
