It's not every day you hear or see social engineers in action – well, knowingly, anyway – but that's exactly what the crowd did at Black Hat and DEF CON 2018 held last week in Las Vegas.
Traditional methods of social engineering and phishing attacks are mostly well-understood and remain successful, explained Matt Wixey, technical research leader for PwC's UK cybersecurity practice. Still, attackers are finding new and more advanced ways to manipulate their victims.
Wixey detailed their efforts in a Black Hat presentation on Remote Online Social Engineering (ROSE), his name for long-term campaigns in which actors leverage false personae and highly detailed reconnaissance to compromise target networks. By building a relationship with their targets, attackers can persuade employees to send data and assist in corporate hacking.
Why go to the trouble of social engineering when simple phishing attacks are just as effective?
"A big reason would be to bypass technical controls, and bypass the effects of user education and awareness," Wixey explained. Social engineers want to do more than slip past firewalls. They must also deceive a human's threshold for which behavior is suspicious and which isn't.
"Because [an attack] is designed to target a specific individual, it can be designed specifically to bypass that person's filters," he continued. We all have different standards for what constitutes phishy behavior, all of which vary depending on personality, upbringing, and other factors.
Getting to Know the Victim
A ROSE attack starts with an in-depth analysis of the target: their online activity, how they communicate, how they respond to good and bad news, their linguistic style, and what motivates them to take particular actions. The attacker learns where the target went to school, where they previously worked and which roles they held, their interests and hobbies, and the names of family members and friends.
The attacker uses this information to craft a persona before reaching out to the target. The fake profile may include similar interests, a shared educational background, or some other trait that gives the attacker an opening for conversation. Rather than a stolen photo, the profile picture may be altered, or taken from a private source behind a paywall, to conceal the attacker's identity, he said.
They may keep up this charade for a while to build credibility and, over time, they may automatically post content and/or alter their fake profile to reflect changes in employment, interests, styles, and politics. When working toward direct contact, the attacker may "like" content from their target's friends or related to their interests to make themselves known.
Finally, they go in for the hook. An attacker can ping their victim with a request for help or proposal for a business relationship. All the while, they'll use their earlier research to inform their conversation and pursue more frequent contact to build rapport and trust.
Social engineers rely on several techniques to make their interactions more believable, said Wixey. Lies often include more negative emotions and fewer sensory details. Liars often use cognitive details and keep things simple so there are fewer details to recall in the future.
"Liars may ask more questions, perhaps in an attempt to shift the focus from them onto the person they're trying to deceive," Wixey added.
Dial-in Deception: Capture the Flag 2018
In his presentation, Wixey referenced a study stating that people lie in 14% of emails, 27% of face-to-face interactions, and 37% of calls. We saw the final stat live during DEF CON's Social Engineering Capture the Flag competition, in which competitors call corporate targets and use social engineering tactics to get their employees to provide different pieces of data ("flags").
Participants are assigned target organizations a few weeks before DEF CON and prepare by collecting open-source intelligence on the company, its employees, and other characteristics. They prepare a game plan: who their fake persona is, why they're calling, and how they might leverage social engineering techniques to persuade the target to hand over information.
This year's winner, Whitney Maxwell, directly called employees at service centers of the company she was assigned to target. She was doing an audit, she explained, and she just needed the answers to a couple of questions. By using techniques to establish legitimacy with the employee – saying, for example, that she shared the employee's name – she got some key data.
One conversation yielded information including the company's version of Windows (XP), whether they used wireless Internet, building security, type of computer and desk phone, and whether they used Outlook and Adobe. She confirmed the center's location and, in one instance, was able to convince an employee to enter a bit.ly URL into the browser.
"If you can do that over the phone, you can compromise a whole network," said Chris Hadnagy, president and CEO of Social-Engineer, Inc. and organizer of the DEF CON event.
Challenges in Defense
Much of the time it's difficult to tell when the person on the other end of a phone call, email, or social media message is malicious. Wixey pointed to a few techniques businesses can use to stay safe as cybercriminals get stealthier.
To limit the amount of information about you available online, he advises setting a Google alert for your full name so you know when it appears in a new search result. Conduct reverse image searches on new contact requests and research the people who want to join your network. If you're unsure about someone, check their account for early auto-posting and for inconsistencies in their history.
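The "early auto-posting" and "inconsistencies" checks above can be turned into simple screening heuristics. The Python below is an added example written for this article; it is not code from Wixey, PwC, or the conference, and the post timestamps, employer names, and thresholds (a 30-day window, at least five posts, a coefficient of variation of 0.15) are constructed assumptions, not figures from the talk. It flags a new contact whose earliest posts arrive at machine-like regular intervals, and lists claimed employment entries that contradict each other, both of which are prompts for a closer look rather than proof of a fake persona.

```python
from datetime import date, datetime, timedelta
from statistics import mean, pstdev


def cadence_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive posts.
    A value near 0 means the gaps are almost identical (scheduled posting);
    human activity is bursty and gives a much larger value."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def flag_early_autoposting(timestamps, window_days=30, min_posts=5, max_cv=0.15):
    """True if the account's first `window_days` of activity look scheduled:
    at least `min_posts` posts whose inter-post gaps vary by no more than `max_cv`.
    Thresholds are assumed defaults for this example, not published values."""
    if not timestamps:
        return False
    first = min(timestamps)
    early = [t for t in timestamps if t - first <= timedelta(days=window_days)]
    if len(early) < min_posts:
        return False
    cv = cadence_cv(early)
    return cv is not None and cv <= max_cv


def timeline_inconsistencies(positions):
    """Return human-readable findings for a claimed employment history.
    positions: list of dicts with 'employer', 'start' (date), 'end' (date or None)."""
    findings = []
    ordered = sorted(positions, key=lambda p: p["start"])
    for p in ordered:
        if p["end"] is not None and p["end"] < p["start"]:
            findings.append(f"{p['employer']}: role ends before it starts")
    for a, b in zip(ordered, ordered[1:]):
        a_end = a["end"] or date.max  # an open-ended role is still current
        if b["start"] < a_end and a["employer"] != b["employer"]:
            findings.append(
                f"{a['employer']} and {b['employer']}: overlapping roles at different employers"
            )
    return findings


# Constructed sample data for the example (not taken from the article).
_base = datetime(2018, 7, 1, 9, 0)
# A scheduled account: ten posts exactly six hours apart.
BOT_POSTS = [_base + timedelta(hours=6 * i) for i in range(10)]
# A human-looking account: irregular bursts over about eight days.
HUMAN_POSTS = [_base + timedelta(hours=h) for h in (0, 5, 30, 31, 50, 120, 125, 200)]
# A claimed work history with a second employer starting before the first role ended.
CLAIMED_POSITIONS = [
    {"employer": "Example Corp A", "start": date(2014, 1, 6), "end": date(2017, 6, 30)},
    {"employer": "Example Corp B", "start": date(2016, 3, 1), "end": None},
]

if __name__ == "__main__":
    print("scheduled-looking account flagged:", flag_early_autoposting(BOT_POSTS))
    print("human-looking account flagged:", flag_early_autoposting(HUMAN_POSTS))
    for finding in timeline_inconsistencies(CLAIMED_POSITIONS):
        print("inconsistency:", finding)
```

A real screening pass would feed these functions the timestamps and profile fields pulled from the contact's public page; overlapping roles are not unusual for genuine people, so the findings are a reason to ask the questions in the next paragraph, not a verdict.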
If a stranger pings you with a question or collaboration opportunity, second-guess their motives. Why might they ask you to do this, and how might they benefit? If they contact your corporate email address, how did they find it? Do they avoid face-to-face or video interaction?
"We lie all the time," said Wixey. "Everyone lies to each other, all day, every day." The challenge for businesses is determining where the malicious intent is.