Heading Off Advanced Social Engineering Attacks
An inside look at how social engineering attacks are developed -- and how you can protect your organization
March 18, 2013
[The following is excerpted from "Heading Off Advanced Social Engineering Attacks," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]
During the last few years, security researchers have uncovered malware that could have been developed only by incredibly well-resourced and skilled programmers. But creating an advanced program such as Stuxnet is only one phase of an attack.
To be of any use, the program or payload has to be installed on the victim's network or device. Those behind Stuxnet initially relied on USB drives to infect their intended targets.
However, more and more attacks are duping targeted individuals into inadvertently installing malware or providing confidential information by using sophisticated social engineering techniques -- often getting the victim to break security procedures or to ignore common sense.
Unlike vulnerabilities that target services running on a machine, browser-based vulnerabilities require some form of user interaction to activate the malicious content. An attacker must therefore trick the victim into making a fatal mistake; it doesn't matter how clever the malware is, even if it contains a zero-day exploit and passes unrecognized by antimalware programs.
Social engineering -- or the art of psychological manipulation -- is commonly used to get somebody to follow a link to an infected website or open a booby-trapped email attachment. It usually exploits users' innate curiosity or natural desire to help. It can also try to appeal to vanity or authority and other psychological triggers such as greed, fear, anger or moral duty.
Recognizable attempts at phishing for personal and financial details appeared at the turn of the century, and by 2004 phishing had already become a global, fully industrialized criminal activity with new variants appearing all the time.
Spear phishing is commonly used in targeted attacks and is directed at a specific individual or organization. Spear phishing aimed at senior executives within an organization is termed a whaling attack.
Every aspect of a phishing campaign -- from email lists to sophisticated malware -- can be bought, with criminals specializing in different areas. Some products are free, such as Super Phisher, which provides a simple-to-use interface that allows a phisher to convincingly reproduce an existing website and capture login details entered at the fake site. The use of the same zero-day exploits by different groups within a short period of time also indicates that exploits are shared or sold by developers.
While drive-by exploits indiscriminately compromise as many users as they can, they're not truly targeted. Those preparing a spear-phishing campaign will research their victims in great detail to deliver a more focused attack. Attackers are using social networking sites and other sources of information to gather background information.
For details on the latest phishing and social engineering exploits -- and some recommendations on how you can mitigate them -- download the free report.