[BreachExchange] The scourge of social engineering

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 6 19:33:06 EDT 2016


http://www.scmagazineuk.com/the-scourge-of-social-engineering/article/504950/

Today, social media platforms are no longer just a forum for online chat
but an important everyday work and communication tool. Facebook alone has
more than a billion users, while the social media business platform LinkedIn
has more than 400 million users.

Going after the big guns

A well-publicised incident was a three-year social engineering campaign
carried out by Iranians. It targeted US military officials, diplomatic and
congressional staff, and defence contractors both in the US and abroad.

The Iranian spies used Facebook, LinkedIn, Twitter and Google+ to carry out
a sophisticated attack. They developed fake social media personas and posed
as recruiters from major international companies including Northrop Grumman
and General Motors. The targets were largely in telecom, government and
defence industries.

Once a connection was established, emails were sent to victims with malware
hidden in links and attachments. The aim was to get the target to download
malware onto their computers, which would give the hackers access to highly
sensitive information. The striking thing about this social
engineering-based attack was its scope and sophistication. It's certainly
not an isolated event; for some cyber-criminals it's a career path.

You don't need state resources or an encyclopaedic knowledge of psychology
and social media surfing habits. You don't even need to be well-versed in
the dark arts of black hat coding. All you need is a bit of patience to
trawl the web and the knowledge that too many people put far more
information online than is necessary.

It doesn't take much to create a complete profile including place of work,
employment history, address, age, family members and their locations, likes,
dislikes, bank, shopping habits, recent purchases and so on.

All the information needed to build a complete profile can be gleaned within
a few hours. There are even open source tools designed to trawl social media
platforms and scoop up as much information about any one individual as
possible.

This information can be used for targeted phishing attacks at a place of
work or for brute force password attacks on a company's network. Personal
information is gathered on the ‘target’ from social media and a phishing
email is sent to their place of work.

Malware-laden messages

A phishing email is usually mocked up to look as though it's from an
organisation the target has recently dealt with. For instance, the victim
may have posted something about his or her brand new iPhone, so the hacker
creates an email that purportedly comes from Apple with a message about the
phone. The ‘target’ clicks a link in the email and malware is downloaded
onto the system of the retailer they work for. This provides the means for
a hacker to steal the contents of a customer database.

This data is put up for sale on a deep web site that trades in credit
card and identity information. The hacker stands to make hundreds of
thousands of pounds for a task that in all likelihood took a few days to
carry out.

A need to click

Organisations today are, by and large, aware of cyber-threats that come
from malware such as trojans, viruses and, to some extent, ransomware.
However, many haven't yet fully grasped the implications of social
engineering, with people freely giving away information and casually
downloading files from the Internet. Education and awareness programmes
for employees can therefore make a significant difference.

At the very least, education programmes will hammer home the point that
there are cyber-criminals circling corporate firewalls who are only too
keen to get into the network.

Education will make employees aware of sophisticated phishing techniques
and how sharing too much of their personal information on a social media
platform could well provide the starting point for a crippling network
attack.

It can also tighten employees' personal practice so that they don't post
workplace information or inadvertently reveal pathways to the corporate
crown jewels.