
Endpoint

11/8/2016 02:00 PM
Dan Cuddeford
Commentary

Stay Vigilant To The Evolving Threat Of Social Engineering

Even the most cyber-savvy individuals can easily get tripped up by a social engineering attack. But users can trip up a threat simply by paying attention.

Little did you know, but your great-great-great-grandparents owned a lucrative mining operation in Nigeria and a law firm in Lagos has been trying to track you down for the past five years to appropriate your inheritance.

You probably haven’t seen an email like this for the past few years, but a quick look in your spam folder will still reveal endless 419 scams. Spam filtering technology has made huge improvements, but just because your inbox isn’t flooded with promises of lost lottery gains doesn’t mean you’re no longer at risk from a social engineering attack. If anything, these threats are evolving with twists and turns designed to take advantage of the main cause of data breaches — you. As IT systems gain more sophisticated defenses, it’s difficult to defend against layer-eight threats.

Dutch industrialist J.C. Van Marken first coined the term “sociale ingenieurs” in the 19th century. He thought society needed engineers who could deal with human factors, not just machines or circuits. But it wasn’t until the authoritarian propaganda regimes of the early 20th century that we saw a practical demonstration of suggestive techniques intentionally designed to manipulate the masses.

By the late 20th century, most people had their first experience with social engineering through their email account. Originally, this was often a POP3 affair, with email accounts provided by whichever dial-up ISP they were using and mail downloaded to a local client. Threats were easy for the tech-savvy consumer to identify.

Then consumers started to trust and use the Internet for e-commerce. People were more likely to enter their address and credit card information online. And now, mobile devices have opened new doors for scammers to again prey on the inability of a user to tell the genuine article from a fake.

This year we’ve seen traditional phishing become more sophisticated by taking aim at enterprises via Business Email Compromise, or BEC, attacks. And now attackers are going one step further by using information you’ve posted on social media to make their communications appear to come from a friend.

A modern social engineering attack needs three things:

  1. A trigger for the attack. This can come in the form of an email, SMS, iMessage, etc., but the user has to trust the message, or at least not suspect that it has a malicious purpose.
  2. Target synergy. The attacker must be phishing for resources to which the victim readily has access. It’s no good asking for Bank of America credentials if the victim only banks at Wells Fargo.
  3. Cloak and dagger. The spoof must be good enough to fool the victim into giving up the required credentials or information. Ask for too much information and the victim might become suspicious or simply not have that information to hand; ask for too little, and it will be of little use to the attacker.

Slow Down and Think
Even the most cyber-savvy individuals can get tripped up by an attack. But users can trip up a threat at any one of these stages simply by being vigilant.

Above all, when people use the Internet, they need to slow down and think. Are you on a trusted network in a secure location? Today, even hardware-based attacks that log keystrokes of people nearby are possible. While rushing between tasks, people often click a link or download an attachment without a second thought, which can quickly lead to inadvertently installing spyware or a virus.

These messages often link to a webpage designed to look like your bank’s or credit card company’s site. If an email from, say, a financial institution insists you follow a link to change your password because of a recent breach, instead type the institution’s URL yourself and see whether it asks for the same change. Also, many financial institutions now require multifactor authentication, sending you a text with a verification code after you input a password. If this doesn’t happen, it could be a sign of a spoofed website.

With password hacks, there is often more than meets the eye, since the modern Web surfer typically uses the same login credentials everywhere. It’s easy to see why: The average Internet user these days has 27 different accounts, and 37% forget a password at least once a week. In the past year alone, Yahoo, Dropbox, and LinkedIn, to name a few, all were hit by attacks, requiring their users to create new passwords. Reuse leaves you vulnerable to an across-the-board information breach, where credentials stolen from an unrelated account could be used to access your credit card accounts.

No PC Necessary
Modern attacks don’t only come from your desktop. An increasing number of attacks are focusing on mobile phones and tablets. Threats to iOS devices increased 82% in 2013 and Android devices are targeted nearly 6,000 times a day. If your phone is losing battery extremely quickly or you are suddenly burning through your data, it may be a sign of an infection, which could have come from an SMS link or through a downloaded app.

Some threats are less technical and come under the pretense of phone calls from imposter IT help desks, termed quid pro quo attacks. This unsolicited help is playing a numbers game: Call enough employees saying you will help with the issue they reported and one is bound to have actually done so recently. Be it a phone call asking you for a password or an email asking you to click on a link to update your software, employees must take care to verify the source asking for this information and question why they might be asking for credentials. Companies can train employees and their IT departments on how to use features like encrypted emails to relay sensitive information.

Malicious attacks that target users through gaining their trust have a long history and are not going away. If Mark Zuckerberg’s data can be breached, we can all fall victim. Vigilance is key to creating a culture of data security intelligence where individuals feel empowered to identify a threat.

Dan is director of sales engineering at Wandera, the leading global provider of security and management for mobile data. An experienced engineer in network and cloud security, Dan has worked with start-ups through to global enterprises. Organizations use Wandera to protect ...