Social Engineering Attacks in 2020 From a SOC Perspective
Over the last decade, the social engineering channel has become one of the most useful and intimidating threats of the business world. The threat relies on the organization’s human capital, unlike common threats, which depend on breaking or circumventing security devices.
Social engineering involves manipulating people into breaking routine security procedures to gain access to systems, networks, or financial gain.
The typical attack consists of six phases:
- Target – the attacker decides on a target's profile. It can be an individual, or even several entities that share a common factor.
- Obtaining – in this phase, the attacker achieves the first point of entry and acquires the target's contact details. Unless the details are publicly shared through an accessible channel, the attacker may use data breaches or purchase the relevant information on the darknet.
- Research – the attacker gathers information about the target. In this phase, the attacker collects useful information and designs the attack accordingly. Research is done through several channels, like social media, physical encounters, the target's website, etc.
- Contact – the first milestone, in which the victim first encounters the attacker's scheme. This critical phase can determine the fate of the entire attack, depending on the victim's behavior. The attacker usually impersonates a legitimate entity to deceive and persuade the victim into cooperating unwittingly.
- Exploitation – if the victim cooperates with the attacker, for example by clicking on a suspicious hyperlink or even by responding to an e-mail containing many warning signs, the victim allows the attacker to develop a relationship with them, which can lead to the attacker accomplishing their goals.
- Consequence – the final step, in which the user becomes the crucial factor, depending on their discretion. If the user is persuaded by the attacker's tricks and decides to hand over the requested confidential data, the attacker achieves the goal and gains access to the organizational network. Alternatively, the victim can choose not to cooperate and halt the attack outright.
Social engineering attacks rely on human error to open a doorway into an organization's systems and cause all kinds of damage. Any wrong move by an employee can jeopardize an entire business. Even the most advanced security devices and software will not be able to prevent the damage within the organization, as they cannot constantly monitor employees' activity and discretion. Human error can occur in several areas, like opening a suspicious e-mail, plugging in an unknown flash drive, or even accessing a seemingly legitimate website.
Over time, attacks have been adjusted to better suit the victim's profile: the attacker's research is usually enough to outline the victim's profile in a way that can be analyzed to understand their areas of interest. Social media can provide plenty of information about the victim. The more we share data and information about our professional, social, and personal life, the more information is fed to an attacker, helping them design a perfect trap.
Throughout 2020, most of the social engineering attacks were phishing-based. This fraudulent activity is usually carried out via e-mail. The attacker poses as a trustworthy entity to obtain sensitive data, including usernames, passwords, credit card details, and more. The ease with which victims fall for these attacks speaks to the difficulty of recognizing them, and the risk is compounded by the fact that the victim can be attacked through multiple channels.
We also identified an increase in the number of whaling attacks in recent months. This type of phishing is specialized to its target – high-profile employees, including CEOs or other C-level executives, targeted because of their senior positions and higher likelihood of having access to sensitive data.
Although e-mail is usually used to execute an attack, recent months (and especially the COVID-19 crisis) saw attacks become more brazen, carried out via SMS (smishing) and phone calls (vishing) as well. We see smishing attacks targeting financial figures: the victim is informed that their account has been disabled due to suspicious activity, with malicious hyperlinks attached to the message. Vishing attacks are designed according to the employee's position – thorough background research might yield enough details about the victim's professional life for the attacker to hold a conversation long enough to trick the victim into cooperating.
Social engineering attacks have greatly increased during the COVID-19 crisis, as many employees switched to remote work. Workers are more exposed and vulnerable to specialized attacks because of the changes in the work environment and the rapid adaptation to new workflows – what might seem suspicious in an office setting might be the new routine. Furthermore, social distancing and quarantine push people to socialize online and share more information publicly, which is also available to an attacker to use against a victim.
From my experience, social engineering attacks will never stop and will constantly be improved, especially during a global crisis when businesses are dramatically vulnerable.
The risk from the attacker's perspective is very low, but the result can be very profitable.
Attackers are becoming more aggressive and ready to use any means, but the risk can be minimized using a combination of employee awareness and the proper use of cybersecurity products. These should work together like a perfect symphony that is played by multiple instruments.
Until threat detection systems become sophisticated enough, and incorporate advanced technologies (like artificial intelligence and machine learning) that could help identify, analyze and respond without any human intervention, we should invest all our means in educating employees to be more aware of the scope and the influence of cyber-attacks.
If you ever find yourself under any kind of attack, on any channel, follow these guidelines:
- If you receive an e-mail regarding suspicious activity in your account, do not click on any links (rather, log in to check your account by navigating to the official website) and do not download any attached files.
- Analyze the subject of the e-mail – if it tries to scare or pressure you, this should increase your suspicions.
- Try to remember if you expected the mail/phone call or an unscheduled meeting.
- Pay attention to the content and the wording, and make sure that the phrases make sense.
- Carefully examine the sender's name and the URL's domain and compare them to the real ones.
- Credentials must not be shared or exposed.
- Avoid leaving confidential information at your workstation (usernames, passwords, financial data).
- Avoid plugging unfamiliar removable devices into both home and organizational computers.
- Report any suspicious activity you encounter to the information security team in your organization.
- Increase awareness among employees by following these guidelines:
  - Perform recurring internal phishing campaigns through multiple channels (mail, SMS, phone calls).
  - Conduct regular checks of workstations to look for sensitive data lying around (usernames, passwords, financial data).
  - Test your employees by leaving physical removable devices at their workstations to see how they react to them.
  - Constantly share information with your employees about new cyber-attacks that occur around the world.
- Where applicable, use two-factor authentication, as it adds an additional step for accessing accounts.
- Keep track of IOCs (Indicators of Compromise), the forensic data associated with identified malicious activity, and use them to prevent that activity from recurring in your organization.
- Limit employee access to unnecessary data to mitigate potential hazards.
- Always keep your information systems updated.
- Perform routine security re-assessments and integrate components that can help detect and monitor these kinds of attacks.
- Consider using Security Operations Center (SOC) services to maintain a high level of incident response and to detect, inspect, and handle any kind of malicious activity.
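The checks in the guidelines above (pressure wording in the subject, a sender name that does not match the real domain, link text that names one domain while the hyperlink points to another, unexpected attachments) are the same ones a SOC analyst applies when triaging a reported message. The script below is an added example, not code from the article or from any product it mentions: it parses one raw e-mail with Python's standard `email` library and returns a list of coded findings. Both sample messages, the `LEGITIMATE` brand-to-domain mapping, the `URGENCY_WORDS` list and the "last two labels" domain reduction are constructed assumptions for the demonstration; a production tool would use a public suffix list and the organization's own allow-list.

```python
"""Heuristic phishing triage for one raw e-mail (added example; not the article's code)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject-line wording that pressures the reader (assumed list; tune to your environment).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "disabled", "verify", "action required", "24 hours")

# Brand names as they appear in display names, mapped to the brand's real domain (constructed sample).
LEGITIMATE = {"example bank": "example-bank.com"}

ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Reduce a host name to its last two labels (assumption: no public suffix list is used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(address: str) -> str:
    """Return the domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_email(raw: str, legitimate: dict) -> list:
    """Return (code, detail) findings for one raw message; an empty list means no heuristic fired."""
    msg = Parser(policy=policy.default).parsestr(raw)
    trusted = set(legitimate.values())
    findings = []

    # Check 1: the display name claims a known brand, but the address domain is not that brand's.
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable_domain(domain_of(from_addr))
    for brand, real_domain in legitimate.items():
        if brand in display_name.lower() and from_domain != real_domain:
            findings.append(("SENDER_DOMAIN", f"display name claims '{brand}' but sender domain is {from_domain}"))

    # Check 2: replies would go to a different domain than the one the mail claims to come from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = registrable_domain(domain_of(reply_addr))
    if reply_domain and reply_domain != from_domain:
        findings.append(("REPLY_TO", f"Reply-To domain {reply_domain} differs from sender domain {from_domain}"))

    # Check 3: the subject line uses pressure or urgency wording.
    subject = str(msg.get("Subject", "")).lower()
    hits = [word for word in URGENCY_WORDS if word in subject]
    if hits:
        findings.append(("URGENCY", f"subject contains pressure wording: {', '.join(hits)}"))

    # Check 4: hyperlinks whose visible text names one domain while the href points elsewhere,
    # plus any link that leaves the set of trusted domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    for href, anchor_text in ANCHOR_RE.findall(content):
        href_domain = registrable_domain(urlparse(href).hostname or "")
        shown = HOST_RE.search(anchor_text)
        if shown and registrable_domain(shown.group(1)) != href_domain:
            findings.append(("LINK_MISMATCH", f"link text shows {shown.group(1)} but points to {href_domain}"))
        if href_domain not in trusted:
            findings.append(("UNTRUSTED_LINK", f"link to untrusted domain {href_domain}"))

    # Check 5: attachments are flagged for sandbox analysis rather than opened.
    for part in msg.iter_attachments():
        findings.append(("ATTACHMENT", f"attachment present: {part.get_filename()}"))

    return findings


# Constructed sample messages (not real traffic). The first mimics the smishing/phishing
# pattern described in the article: a fake "account suspended" alert with a look-alike domain.
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.com>
Reply-To: support@mailer-free.example
To: jane.doe@corp.example
Subject: URGENT: your account has been suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected. Verify within 24 hours or your account will be disabled.</p>
<p><a href="http://examp1e-bank-secure.com/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

CLEAN = """\
From: "Example Bank Security" <alerts@example-bank.com>
To: jane.doe@corp.example
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready: <a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        findings = triage_email(raw, LEGITIMATE)
        print(f"{label}: {len(findings)} finding(s)")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

Run on the two samples, the constructed phishing message produces five findings (sender domain, Reply-To mismatch, urgency wording, link text/href mismatch, untrusted link) while the legitimate notification produces none. The finding codes are deliberately coarse so they can be mapped onto whatever ticketing or SIEM fields the SOC already uses; the value of a script like this is consistent triage of user reports, not replacing the judgement the guidelines ask of the employee.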