Little did you know, but your great-great-great-grandparents owned a lucrative mining operation in Nigeria and a law firm in Lagos has been trying to track you down for the past five years to appropriate your inheritance.
You probably haven’t seen an email like this for the past few years, but a quick look in your spam folder will still reveal endless 419 scams. Spam filtering technology has made huge improvements, but just because your inbox isn’t flooded with promises of lost lottery gains doesn’t mean you’re no longer at risk from a social engineering attack. If anything, these threats are evolving with twists and turns designed to take advantage of the main cause of data breaches — you. As IT systems gain more sophisticated defenses, it’s difficult to defend against layer-eight threats.
Dutch industrialist J.C. Van Marken first coined the term “sociale ingenieurs” in the 19th century. He thought society needed engineers that could deal with human factors, not just machines or circuits. But it wasn’t until the authoritarian propaganda regimes of the early 20th century that we saw practical demonstration of suggestive techniques intentionally designed against the masses.
By the late 20th century, most people had their first experience with social engineering through their email account. Originally, this was often a POP3 affair, with email accounts provided by whichever dial-up ISP they were using and messages downloaded to a local client. Threats were easy for the tech-savvy consumer to identify.
Then consumers started to trust and use the Internet for e-commerce. People were more likely to enter their address and credit card information online. And now, mobile devices have opened new doors for scammers to again prey on the inability of a user to tell the genuine article from a fake.
This year we’ve seen traditional phishing become more sophisticated by taking aim at enterprises via Business Email Compromise, or BEC, attacks. And now attackers are going one step further by using information you’ve posted on social media to make their communications look as if they authentically come from a friend.
A modern social engineering attack needs three things:
- A trigger for the attack. This can come in the form of an email, SMS, iMessage, etc., but the user has to trust or at least not suspect the message is for malicious purposes.
- Target synergy. The attacker must be phishing for resources to which the victim readily has access. It’s no good asking for Bank of America credentials if the victim only banks at Wells Fargo.
- Cloak and Dagger. The attack spoof must be good enough to fool the victim into giving up the required credentials or information. Ask for too much information and the victim might become suspicious or simply not have that information to hand; ask for too little, and it will be of little use to the attacker.
Slow Down and Think
Even the most cyber-savvy individuals can get tripped up by an attack. But users can trip up a threat at any one of these stages simply by being vigilant.
Above all, when people use the Internet, they need to slow down and think. Are you on a trusted network in a secure location? Today, even hardware-based attacks that log keystrokes of people nearby are possible. While rushing between tasks, people often click a link or download an attachment without a second thought, which can quickly lead to inadvertently installing spyware or a virus.
These messages often link to a webpage designed to look like your bank’s or credit card company’s site. If an email from, say, a financial institution insists you follow a link to change your password because of a recent breach, instead type the institution’s URL directly into your browser and see if it asks for the same changes. Also, many financial institutions now require multifactor authentication, sending you a text with a verification code after you input a password. If this isn’t the case, it could be a sign of a spoofed website.
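As an added illustration that is not part of the original article, the Python script below applies the advice above to an HTML email body: it flags any link whose destination is not the institution’s genuine domain, and any link whose visible text shows one address while the href actually points somewhere else. The trusted domain `examplebank.com`, the sample message and the hostnames in it are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the institution's genuine registrable domain (hypothetical name).
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample phishing email: two spoofed links and one genuine link.
SAMPLE_EMAIL = """<p>We detected a breach. Please <a href="http://examplebank.com.security-reset.example">
reset your password</a> now.</p>
<p>Or visit <a href="https://examplebank-login.example/x">https://www.examplebank.com/login</a></p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname; a simplification that ignores the public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return [(href, reason)] for links that should not be followed from the email."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) not in TRUSTED_DOMAINS:
            reasons.append("host %s is not a trusted institution domain" % host)
        shown = re.search(r"https?://([^/\s]+)", text)  # an address displayed as link text
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append("visible text shows %s but link goes to %s" % (shown.group(1), host))
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings
```

Run `suspicious_links(SAMPLE_EMAIL)` to see the two spoofed links reported; the genuine help-page link passes both checks.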
With password hacks, there is often more than meets the eye, since the modern Web surfer typically uses the same login authentication everywhere. It’s easy to see why: The average Internet user these days has 27 different accounts, and 37% forget a password at least once a week. In the past year alone, Yahoo, Dropbox, and LinkedIn, to name a few, all were hit by attacks, requiring their users to create new passwords. This leaves you vulnerable to an across-the-board information breach, where your information from an unrelated account could be used to access your credit card accounts.
No PC Necessary
Modern attacks don’t only come from your desktop. An increasing number of attacks are focusing on mobile phones and tablets. Threats to iOS devices increased 82% in 2013 and Android devices are targeted nearly 6,000 times a day. If your phone is losing battery extremely quickly or you are suddenly burning through your data, it may be a sign of an infection, which could have come from an SMS link or through a downloaded app.
Some threats are less technical and come under the pretense of phone calls from imposter IT help desks, termed quid pro quo attacks. This unsolicited help is playing a numbers game: Call enough employees saying you will help with the issue they reported and one is bound to have actually done so recently. Be it a phone call asking you for a password or an email asking you to click on a link to update your software, employees must take care to verify the source asking for this information and question why they might be asking for credentials. Companies can train employees and their IT departments on how to use features like encrypted emails to relay sensitive information.
Malicious attacks that target users through gaining their trust have a long history and are not going away. If Mark Zuckerberg’s data can be breached, we can all fall victim. Vigilance is key to creating a culture of data security intelligence where individuals feel empowered to identify a threat.