We are in the dog days of summer right now. Perfect time of the year, right? Relax, kick back, take one day at a time, enjoy the fruits of our labors. Well, maybe not so much.
For starters, there was a full, blood-red moon the other night, AND the moon is in retrograde for the next three weeks (portention of bad luck?), our world leaders and Silicon Valley are squabbling over who is spying on whom, and the plight of social engineering seems to be on the rise for both consumers and businesses.
Wait, social engineering? What’s that got to do with anything? Social engineering… isn’t that like, community planning… or is it more like behavior modification? Nope, on both counts.
Remember that classic movie “The Sting”, (again, with my favorite actors Redford and Newman referenced a few blogs ago talking about cyber-bank robberies)? In the movie, this time our heroes are actually “confidence men,” also known as grifters, working the “long con” in order to scam a known mobster out of a cool half-million cash (hey, in 1936, $500K was like having $9 million today). They go through an elaborate setup, using basic information they already know about the mobster or “mark” (played perfectly by actor Robert Shaw), while setting up multiple instances of “chance” meetings and shenanigans to further gain more trust and information to which they can gain the mark’s confidence in them. The con is played out until it is time to bait, set and close the trap that secures them the grand payoff (FYI, that link is a spoiler… and if you haven’t seen this flick from 1973, get on it).
That’s pretty much what social engineering is, a human confidence game. Those that social engineer are hackers, conducting phishing-like scams with the objective of gaining enough personal information through confidence-instilling questions and exchanges. This polite banter and “social” interaction via phone, email, and online communities like Facebook, give up and exploit what seem to be innocent bits of information but in reality hand over the keys to the kingdom. In most cases, successful social engineering scams unlock the doors to money, privacy and secrets; some would say the trifecta of vices that begets the scam sloth at the bottom of our online society.
Costs of Social Engineering Scams
Of course, these social engineers have been hard at work over the years, perfecting their craft in exploiting even the most recent of online vulnerabilities and crypto policies. In the US alone, the FBI states to the American Banking Journal that the accumulated costs of social engineering hacks since 2013 have cost businesses $1.6B. And, according to the Ponemon Institute and Accenture report, “2017 Cost of Cyber Crime Study,” that’s an average cost increase of 62 percent. Some other facts from the report:
- organizations pay an average annualized cost of $11.7 million to deal with cybercrime (up 23% from the prior year);
- organizations are dealing with an average of 130 successful security breaches each year (an uptick of 27% year over year).
In his 2017 Peerlyst blog post “The Money in Social Engineering - A Trillion Dollar Industry”, Tony Reijm states that the cost of cyber-incidents is projected to be $2 Trillion in 2019, and a major cyber-incident is estimated to be equivalent to a natural disaster ($53 Billion).
He then asks the all-important question: “what do all these statistics on cyber incidents have to do with social engineering? Of these huge losses, upwards of 90 percent are due to the human element.”
Different Types of Social Engineering and What to Look For
According to Interpol, social engineering scams can be broken down into two main categories:
- Mass Frauds — which use basic techniques aimed at a large number of people; and
- Targeted Frauds — which have a higher degree of sophistication and are aimed at very specific individuals or companies.
Interpol also tells us that most social engineering hacks follow the same four steps:
- Gathering information.
- Developing a relationship.
- Exploiting any identified vulnerabilities.
- Execution.
Nate Lord, the former editor of Data Insider lists out in his article “What is Social Engineering: DEFINING AND AVOIDING COMMON SOCIAL ENGINEERING THREATS”, the basics for recognizing and educating others on the simplest forms of social engineering attacks:
- Baiting – attackers leave a malware-infected device, such as a USB flash drive or CD, in a place where someone likely will find it. Never load a found device no matter how tempting.
- Phishing – phishing lures you in when an attacker makes fraudulent communications that are disguised as legitimate, often claiming or seeming to be from a trusted source. In a phishing attack, the recipient is tricked into installing malware on their device or sharing personal, financial, or business information. Email is the most popular mode of communication for phishing attacks, but phishing may also utilize chat applications, social media, phone calls, or spoofed websites designed to look legitimate. Some of the worst phishing attacks make charity pleas after natural disasters or tragedies strike, exploiting people’s goodwill and urging them to donate to a cause by inputting personal or payment information. See GlobalSign’s recent blog regarding phishing techniques.
- Pretexting – pretexting and phishing via phone or email are quite similar and occurs when an attacker fabricates false circumstances to compel a victim into providing access to sensitive data or protected systems. Examples of pretexting attacks include a scammer pretending to need financial data in order to confirm the identity of the recipient or masquerading as a trusted entity such as a member of the company’s IT department in order to trick the victim into divulging login credentials or granting computer access. Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
- Quid pro quo – a quid pro quo attack occurs when attackers request private information from someone in exchange for something desirable or some type of compensation. For instance, an attacker requests login credentials in exchange for a free gift. Remember, if it sounds too good to be true, it probably is.
- Spear phishing – spear phishing is a highly targeted type of phishing attack that focuses on a specific individual or organization. Spear phishing attacks use personal information that is specific to the recipient in order gain trust and appear more legitimate. Often times this information is taken from victims’ social media accounts or other online activity. By personalizing their phishing tactics, spear phishers have higher success rates for tricking victims into granting access or divulging sensitive information, such as financial data or trade secrets.
- Tailgating – tailgating is a physical social engineering technique that occurs when unauthorized individuals follow authorized individuals into an otherwise secure location. The goal of tailgating is to obtain valuable property or confidential information. Tailgating could occur when someone asks you to hold the door open because they forgot their access card or asks to borrow your phone or laptop to complete a simple task and instead installs malware or steals data.
As Lord concludes, “social engineering is a serious and ongoing threat for many organizations and individual consumers who fall victim to these cons. Education is the first step in preventing your organization from falling victim to savvy attackers employing increasingly sophisticated social engineering methods to gain access to sensitive data.”
A recent post from FoolsRushIn.info walks us through a typical social engineering hack whereby the scammers were able to access an employee’s IT system through the pretexting and spear phishing techniques – definitely worth the read, as it concludes with a statement from the folks at IBM:
“What is fascinating—and disheartening—is that over 95 percent of all incidents investigated recognize “human error” as a contributing factor. The most commonly recorded form of human errors include system misconfiguration, poor patch management, use of default user names and passwords or easy-to-guess passwords, lost laptops or mobile devices, and disclosure of regulated information via use of an incorrect email address. The most prevalent contributing human error? ‘Double clicking’ on an infected attachment or unsafe URL.”
Consumers are also Victims of Social Engineering
The Norton Cyber Security Insights Report, an online survey of 21,549 individuals ages 18+ across 20 markets, stated the impact and vulnerability of social engineering to general consumers:
“When it comes to cybersecurity, consumers are overconfident in their security prowess, leaving them vulnerable and enabling cybercriminals to up the ante this year, which has resulted in record attacks.”
Some statistics from the report:
- 978 million people in 20 countries were affected by cybercrime in 2017.
- 44 percent of consumers were impacted by cybercrime in the last 12 months.
- The most common cybercrimes experienced by consumers or someone they know include:
- having a device infected by a virus or other security threat (53 percent) o Experiencing debit or credit card fraud (38 percent);
- having an account password compromised (34 percent);
- encountering unauthorized access to or hacking of an email or social media account (34 percent);
- making a purchase online that turned out to be a scam (33 percent); and
- clicking on a fraudulent email or providing sensitive (personal/financial) information in response to a fraudulent email (32 percent).
The report summarizes, “as a result, consumers who were victims of cybercrime globally lost $172 billion – an average of $142 per victim – and nearly 24 hours globally (or almost three full work days) dealing with the aftermath.” You will notice those last three highlighted factoids are forms of social engineering.
The United States Computer Emergency Readiness Team (yes, there is one!), has recently revised and highlighted what they consider safe practices for consumers and business alike.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Don't send sensitive information over the Internet before checking a website's security. See: Protecting Your Privacy for more information.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g. .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.
CERT Warning: what do you do if you think you are a victim?
- If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
- Watch for other signs of identity theft.
- Consider reporting the attack to the police, and file a report with the Federal Trade Commission.
In the end, we are all human. We are fallible. We are inherently trusting and benevolent (most of us, anyway). And, basically, in the end, we are all potential marks for a scam. But, we should all at least be prepared to know what’s coming. For some deeper reading and study, see these other recently-ripped-from-the-headlines links for more information on the types of attacks to look out for and how businesses and consumers can stay safe out there and avoid the “Long Con” of being socially engineered.