In the last edition of Cyber Summer, we reviewed safe internet browsing and what you can do to preserve your privacy while searching the web. This week's topic is social engineering. We're sure something below will sound familiar…
Q: What is social engineering?
A: Social engineering is a very broad topic. In essence, it is an act of deception tailored to individuals in order to make them divulge information they normally would not give. It can take many forms: impersonation over the phone, a physical disguise in the workplace, an email that appears to come from a staff member, or an ordinary-looking stranger handing out free removable media. What appears to be a friendly person asking to be let into a building might actually be someone with an ulterior motive. You shouldn't stop helping people out of fear that they have bad intentions, but be cautious of their actions and keep an eye on them. One of the most popular disguises individuals adopt in person is that of a higher-up or executive. People in positions of power are less likely to be questioned, so impersonating someone who plays an important role in the company increases the attacker's chances of getting away with what they set out to accomplish. In a previous edition of our Cyber Summer Series, we discussed phishing, which falls under the umbrella of social engineering, but social engineering can be executed in many more ways.
Q: What does the future of social engineering look like?
A: Social engineering has become more and more cunning. Through deepfaked images and voices, AI software can pretend to be anyone using preexisting photos and audio clips. Imagine a scenario where your boss calls you on your office phone and asks for your login to the software you use every day because they need to change some settings. Later in the afternoon, you run into your boss in the breakroom and discover that they never called you at all. It sounded like them, but the voice was synthesized by AI from clips of their speech, stitched into sentences they never said. Attackers are taking advantage of the shift in workplace communication to strictly digital platforms. All in all, never divulge information that your superiors would not need, or that they would already have access to through your IT department.
Q: Are all social engineering attacks executed online?
A: No. Attacks can be in person, in a public area, or conducted entirely through IMs and emails. They can come from a friendly face on the street handing out "free CDs", or from someone who claims to be auditing the system infrastructure and needs access to a computer. Knowing that these attacks can come from someone seemingly friendly gives you an advantage in spotting them. Through IP spoofing or email spoofing, an attacker can pretend to be from within the company. They can use a signature identical to the company's standard signature and even include a picture of a real employee. A giveaway, in that case, can be an odd email address such as john.jones1@companyname.com instead of the normal john.jones@companyname.com. Other giveaways are spelling errors (more than normal) and/or the sender asking for a lot of confidential information. You can always double-check that a request is legitimate by sending the person a message on another platform or physically walking over to their desk to confirm it was truly them.
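The "odd email address" giveaway above can be checked mechanically rather than by eye. The following is an added example, not code from the Cyber Summer series or from HVTDC: it parses a From: header and compares it against a small, constructed staff directory for a hypothetical companyname.com, flagging the three patterns the answer describes (a known name paired with a different address, a known local part with something appended such as john.jones1, and a lookalike domain). The directory, the domain, the similarity threshold of 0.8 and the function name check_sender are all assumptions made for this illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample directory for a hypothetical company: display name -> address.
COMPANY_DOMAIN = "companyname.com"
DIRECTORY = {
    "John Jones": "john.jones@companyname.com",
    "Mary Smith": "mary.smith@companyname.com",
}
# Reverse index: lowercase address -> display name.
KNOWN_ADDRESSES = {addr.lower(): name for name, addr in DIRECTORY.items()}

# Assumed threshold: domains this similar to ours but not equal are treated as lookalikes.
LOOKALIKE_THRESHOLD = 0.8


def check_sender(from_header):
    """Return a list of reasons the From: header looks like impersonation.

    An empty list means nothing odd was found. Each reason is a short
    human-readable string suitable for a mail-filter log or a user warning.
    """
    display_name, address = parseaddr(from_header)
    address = address.lower()
    display_name = display_name.strip()
    if not address or "@" not in address:
        return ["unparseable sender address"]

    local, _, domain = address.partition("@")
    reasons = []

    # Exact directory match: the only thing left to check is whether the
    # display name claims to be a different person than the mailbox owner.
    if address in KNOWN_ADDRESSES:
        owner = KNOWN_ADDRESSES[address]
        if display_name and display_name != owner:
            reasons.append(
                f"display name '{display_name}' does not match directory owner '{owner}' of {address}"
            )
        return reasons

    # 1. Display name belongs to a known employee, but the address is not theirs.
    if display_name in DIRECTORY:
        reasons.append(
            f"display name '{display_name}' belongs to {DIRECTORY[display_name]}, not {address}"
        )

    # 2. Lookalike domain: not our domain, but textually close to it
    #    (e.g. companyname.co, companyname-mail.com, c0mpanyname.com).
    if domain != COMPANY_DOMAIN:
        ratio = SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            reasons.append(
                f"lookalike domain '{domain}' (similarity {ratio:.2f} to {COMPANY_DOMAIN})"
            )

    # 3. Local part is a known employee's local part with digits or separators
    #    appended, the john.jones1 pattern from the text.
    stripped = re.sub(r"[\d._-]+$", "", local)
    for known in KNOWN_ADDRESSES:
        known_local = known.partition("@")[0]
        if stripped == known_local and local != known_local:
            reasons.append(
                f"local part '{local}' is '{known_local}' with '{local[len(known_local):]}' appended"
            )
            break

    return reasons


if __name__ == "__main__":
    # Constructed sample headers, including the exact case from the text.
    samples = [
        "John Jones <john.jones@companyname.com>",
        "John Jones <john.jones1@companyname.com>",
        "Mary Smith <mary.smith@companyname.co>",
        "Newsletter <news@vendor.org>",
    ]
    for header in samples:
        findings = check_sender(header)
        print(header, "->", findings or "ok")
```

In practice the directory would come from the identity provider or address book, and a hit would be surfaced as a banner on the message or an alert to the mail administrator; the heuristic is deliberately simple so that a false positive costs only a second look, which is exactly the "double-check on another channel" habit the answer recommends.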
Q: What can my company do to protect itself from a social engineering attack?
A: User training is the most effective way to protect yourself against a social engineering attack. Humans are the weakest point in any business, so properly training your staff can potentially mitigate an attack. Proper training will allow your employees to become experts at picking up on suspicious activity. If left untrained, a single employee could unintentionally take down an entire business simply by plugging in a flash drive they found on the floor of the workplace to investigate it. Like many other workplace training sessions, a small investment of time can really save you in the long term.
Q: What are some experiences you’ve had with social engineering?
A: A specific example I encountered recently involved removable media. More so in New York City than the Hudson Valley, strangers will hand out copies of their "music" on CDs or flash drives. After the medium has been inserted into the device, it releases malware that reveals data on your computer, and if this information alone isn't enough, it will be used to manipulate more information out of the target. The objective is to trick someone into thinking they have malware and causing them to call into a "support line" that is actually a scammer. Requesting to "remote in" and "fix it", they are actually acquiring access to a system that was infected with a fake virus. Impersonating a support line caused the customer to trust them enough to run a few odd command lines, planting a long-term rootkit that continues to steal user data. Once the attacker was finished and claimed the fake virus was removed, the victim thought everything was fixed.
At my previous place of employment, someone impersonated a staff member within the company and sent out an email to US-NY, which went to every single staff member in the New York office. It said, "My Agile program isn't working properly, are you seeing the same issues?" Following that statement there was a link that, once clicked, would prompt you to log in to our secure Agile program system. The login credentials would not make it to the real website and were being sent directly to an attacker. Luckily, the on-call IT personnel sent out another mass email shortly after spotting it. Only a few individuals fell for this scam, and the entire company was forced to change passwords due to the breach. By acting quickly, there was no damage done, and a lesson was definitely learned for the future.
This is the 3rd part of an 8-part series. To learn more about cybersecurity and safe practices, check out the links below:
Phishing
Safe Internet Browsing
Social Engineering
Safe Passwords and Security
IoT + BYOD
Rogue Access Points
Penetration Testing
What to Do After a Data Breach
Next week, we’ll be discussing the topic of Safe Passwords & Security. Submit your questions to info@hvtdc.org and tune into our social channels every Friday for the next update to our Cyber Summer Series!