Here's a new phish: An attacker recently crafted a message that looked like a phishing report and, posing as a bank customer, forwarded it to the bank's security officer. When the security manager clicked the link to inspect the alleged phishing site, the message silently launched malware that hijacked his workstation for a month.
That's just one of many creative methods of social engineering attackers are using these days to commandeer user accounts or steal sensitive corporate data. As enterprise defenses improve, these "social engineering" exploits are becoming more sophisticated, tricky, and selective than ever. Security experts are seeing more targeted approaches, where a would-be attacker sets his sights on a key person within an organization, or on regional organizations, whose networks are typically not as secure as those of their larger counterparts.
"If [attackers] can get 10,000 Social Security numbers and credit card numbers, it's enough to justify the attack" on a regional financial institution, says Michael Maloof, CTO for TriGeo, a security software maker.
Social engineering schemes are typically a precursor to an electronic attack, such as spamming or phishing, or even the physical theft of a laptop or USB storage device. And all of those mobile laptops, Wi-Fi networks, PDAs, and USB devices floating around out there are making it even more tempting and simple for an unsavory attacker to pick his mark.
It's all about manipulating the trust of a user: the security manager who believes the attacker is a real customer, or the receptionist who lets a "consultant" into the conference room, where he then jumps onto an open network port.
The targeted attack on the security manager is more typical of today's exploits than the traditional mass-user attack, in which an attacker sends out an email blast to harvest personal information. "This was not about a browser exploit to compromise your machine," says Todd Hooper, vice president of business development for Granite Edge Networks, who describes the attack. "The goal was to get the security officer. [The attackers] got a toehold on one of the most critical machines. That's pretty scary."
Scary indeed. There's a big black market out there for the customer records, names, and addresses an attacker can pilfer. So these attackers aren't your script kiddies. Social engineers are typically profit-driven, white-collar criminals, some with ties to organized crime, who launch their schemes electronically, Hooper says.
Electronic attacks can be effective, but it's often easier to walk into a business, sweet-talk the receptionist, and hop onto a network port in the conference room, experts say. Penetration testers and white-hat hackers (who attack only to test their clients' defenses) still say they rarely have trouble getting in the front door when they attempt a physical entry.
"We have yet to fail at a social engineering attack" for our clients, says Sean Kelly, business technology consultant for Consilium1.
Same with Secure Network Technologies, which also launches mock social engineering exploits against its clients to help them assess their security. Social engineers will usually take the path of least resistance, says Steve Stasiukonis, vice president and founder of Secure Network Technologies. (See Social Engineering, the USB Way.) "Social engineering is more efficient," he says. "Why spend hours [in front of your computer] at Starbucks if you have enough nerve to come in and jack in? You don't have to pass through [the company's] IDS or IPS. If you plug into a localized jack, you just hop on their network."
Stasiukonis says he and his team once waited in the parking lot at a bank client's site, then walked in with some smokers who believed a story about how the white-hats had lost their badges. "Then we commandeered their conference room, scanned the net and became domain administrators," Stasiukonis says. "And we walked out totally undetected."
Other electronic social engineering schemes are just as effective. Consilium1's Kelly says that while working for one client, his firm sent out a spoofed email posing as the company's network administrator and asking for user passwords. Many users took the bait.
Social engineers also target helpdesks. "They get yelled at all day long, and if you're nice to them, they can be really helpful," says Doug Shields, president of Secure Network Technologies. Shields says his team has found that helpdesks don't always check who's calling them, and can be duped into giving out a "forgotten" password or other information. "These are the weak links in the armor," he says. "These folks need to be trained [on social engineering]."
Social engineering may be the most visible, or invisible, part of an attack, but it's usually less than 20 percent of the overall attack, Shields says. How can companies close this relatively small door?
There's no security tool to combat social engineering, but you can lock down user access and even run some behavioral monitoring tools, experts say. The most important defense is ongoing education and training of your employees, says Mike Carpenter, vice president of IT and security officer for National Research Corp.
"You've got to educate your entire staff, from the receptionist on up," says Carpenter, whose company measures patient healthcare experiences and trends for hospitals, healthcare systems, and insurers. "Someone shooting the breeze with you on a smoke break might have intentions other than just being friendly."
Pilfered passwords are a big problem in most organizations, especially when they can be found taped under a keyboard, as Secure Network Technologies often does when it infiltrates a client's site. A newly published survey of 200 IT professionals by security vendor Cyber-Ark Software found that 38 percent write their own administrative passwords down on paper.
NRC's Carpenter says users should lock their workstations when they leave their desks and companies should institute multi-factor authentication and strong passwords, as NRC is doing. "Over time, biometrics is going to be a must," Carpenter says. NRC is working on protecting its passwords with encryption, and is considering biometrics, he says.
"A biometrics device can be attached or integrated with hardware to eliminate the need for remembering a password," Carpenter says.
But there's also an insider threat with social engineering: the employee running a spam email service from his desk (true story), or a disgruntled employee plotting revenge. The best way to prevent an inside job is to limit your users' access to only the information or tools they need to do their jobs, Consilium1's Kelly says. "I've seen fraudulent behavior, and this is a huge concern," he says. Be sure an employee transferred to another department doesn't keep his old access privileges, he advises.
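The transfer problem Kelly raises is easy to catch with a periodic reconciliation of directory group memberships against HR's record of each person's current department. The following is an added example, not code from the article or from any of the firms it quotes; the departments, group names and memberships are constructed sample data, and the rule that a group is "owned" by the departments it serves is an assumption of this example.

```python
"""Flag access that should have been revoked when an employee changed roles or left."""

# Constructed sample data: HR's record of each employee's current department.
# Employees absent from this map have left the company.
HR_RECORDS = {
    "alice": "finance",
    "bob": "engineering",   # transferred out of finance last quarter (constructed)
    "carol": "helpdesk",
}

# Constructed sample data: the departments each access group legitimately serves.
# A group unknown to this map is treated as owned by nobody, so it is always flagged.
GROUP_OWNERS = {
    "fin-ledger-rw": {"finance"},
    "eng-repo-rw": {"engineering"},
    "hd-password-reset": {"helpdesk"},
    "vpn-users": {"finance", "engineering", "helpdesk"},
}

# Constructed sample data: group memberships as exported from the directory.
MEMBERSHIPS = {
    "alice": {"fin-ledger-rw", "vpn-users"},
    "bob": {"fin-ledger-rw", "eng-repo-rw", "vpn-users"},      # stale finance access
    "carol": {"hd-password-reset", "vpn-users", "eng-repo-rw"}, # not explained by role
    "dave": {"vpn-users"},                                      # no HR record: departed
}


def stale_access(hr, owners, memberships):
    """Return {user: sorted list of groups} where the user's current department
    is not among the departments that own the group.

    A departed user (no HR record) has department None, so every group they
    still hold is reported; an unknown group has no owners, so it is reported too.
    """
    findings = {}
    for user, groups in memberships.items():
        dept = hr.get(user)
        unexplained = sorted(g for g in groups if dept not in owners.get(g, set()))
        if unexplained:
            findings[user] = unexplained
    return findings


if __name__ == "__main__":
    for user, groups in stale_access(HR_RECORDS, GROUP_OWNERS, MEMBERSHIPS).items():
        print(f"{user}: review/revoke {', '.join(groups)}")
```

Run against a real directory export, the same function lists exactly the memberships an access review should ask a manager to justify or revoke.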
But in the end, social engineering comes down to human nature: the attacker's greed, and the victim's naiveté or apathy. "End users are still the weakest links if they are leaving their screen unlocked when they walk away from their desks. There's no point to having a login ID or password if you leave the apps open and anyone can log on and get them, or use your email," says Consilium1's Kelly.
Security technology is useless without training, experts say. "You spent all this money on security, but you didn't tell Mary to disable the network in the conference room, and to not let people walk around the building," says Secure Network Technologies' Shields. "[Social engineering] is a big wakeup call."
Even the most security-savvy person can get duped. "It's always been easy to get inside, because a business needs a certain level of openness, and it can't be put in a prison," says Rich Mogull, research vice president of security for Gartner. Mogull admits he was once duped by a non-technical social engineering scam as a tourist in Europe. "We try to put in the best security controls to reduce risk overall."
Kelly Jackson Higgins, Senior Editor, Dark Reading