What is social engineering?
Social engineering: The practice of psychological manipulation by malicious actors (hackers) that allows them to infiltrate your network.
Phishing and its many sub-varieties, including spear phishing and BEC/CEO fraud, are the most common vectors used in a successful social engineering attack.
What motivates a social engineer?
Whether the malicious actor is trying to steal the money directly from your bank account or your data to sell on the dark web, there is always a reward to make it worthwhile for them.
Also, the psychological gratification of knowing they have fooled a real human being can be reward enough for some social engineers.
That’s right, like a digital blood sport, some just do it for fun.
Why is it so effective?
Social engineering is one of the most effective methods of network penetration because it directly targets and tests the human user.
In most cases, the attack will bypass network security hardware and software and land straight in the user’s inbox.
At this stage the attack's success or failure depends entirely on that user's ability to spot it.
How can it be stopped?
Social engineers revel in getting emails past advanced digital security by using well-crafted, correctly worded messages that carefully mimic a real email the victim is likely to receive.
Because of this, security awareness training and regular simulated phishing attacks keep security front-of-mind for your users, enabling them to protect your organisation and themselves from these nefarious characters.
4 phases of a social engineering attack
Social engineering can be broken down into 4 predominant phases. Understanding how the phases work may just help you or one of your users spot one in the real world.
Social engineering attacks, to be effective, must be built upon a solid foundation of research and understanding. During this initial phase the hacker devotes extensive time and energy into learning everything about their target organisation, specifically that which they can exploit during later phases of the attack.
Utilising free open source intelligence (OSINT), such as information found through search engines, social media and news articles, the social engineer builds their intimate knowledge of the victim. They may also utilise sensitive data they have acquired through less reputable means, such as the dark web or even during a previous attack.
It’s not just about what information the victim has plastered over their profile page on social media; a skilled social engineer will research third party organisations and contacts as well to gain further insight. They might look into which shipping company the victim uses, which accountant, how often they buy artisan coffee from the local vegan café, whether they drive to work each day, how often they speak with their boss…
The list may seem endless, but to a social engineer, knowledge is power.
Often intertwined with the research phase, planning is where the social engineer creates a strategy to lead them to their desired goal.
During this phase the social engineer will also select the ideal target(s) for their attack. This must be carefully considered as choosing the wrong employee could lead to instant failure.
The planning will vary enormously depending on the social engineer’s endgame. They may be aiming to steal bank account numbers, vital documents, or to silently install malware for use in the second phase of a larger scale attack.
The attack must be well planned or, barring very poor security, it is very likely to fail.
Now is when the social engineer’s practical skill really comes into play. They must now make contact with their chosen victim and begin to gain their trust.
Depending on the plan, they will vary their approach. They may be looking to come across as firm and dismissive, an approach often used in CEO fraud attacks, so that the victim is intimidated into complying without asking any questions.
They may instead opt for a very friendly route, offering helpful hints or favours to win over the victim’s trust and confidence. This contact method can be particularly dangerous as the victim becomes a friend of the social engineer and will be easier to turn against their fellow employees.
At this stage, the victim has become an insider threat and has turned from a helpful employee into an agent of the social engineer acting from inside your organisation.
Using their friend on the inside, they can act out the final stages of their plan. The hacker is now inside your organisation’s network and is able to enact almost unlimited damage from within.
This may be as simple as requesting bank account numbers, employee credentials or credit card details. Or perhaps they may be looking to pilfer company secrets to sell directly to your competitors.
Whatever their end goal is, they are now completely past your defence network and have all the clearance they need, courtesy of one of your employees.
If the relationship between the insider and the social engineer is strong enough, the insider may have no idea they were party to a potentially devastating data breach.
Often in these cases, the social engineer will enact an additional contact phase after the attack in order to not rouse any suspicion between themselves and the insider. This massively increases the risk of them coming back in the future and doing it all again.
The most common forms of social engineering
The most effective weapon against social engineers is user knowledge; this is the very basis of security awareness training. Below we’ll explore some of the most common methods of attack used by social engineers in 2020.
Phishing scams are by far the most commonly used attack vector by modern social engineers.
Most often sent by email, these attacks will usually contain links or attachments designed to steal sensitive information from the victim such as user credentials, credit card numbers or bank account details.
They often impersonate well-known, authoritative organisations and trick victims into thinking they need to make a change to their account or update their card details online.
Phishing emails continually evolve with the times in order to appear more legitimate, and phishing remains one of the lowest-effort forms of social engineering today.
There are many variations of phishing attack. The traditional method of sending hundreds of thousands of random emails to an equally large number of recipients (known as the “spray and pray” phishing attack) has recently given way in popularity to more targeted spear phishing attacks.
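The traits described above (a message impersonating a well-known organisation, links or attachments that steal data, and pressure to act now) can be turned into a simple triage check that a mail team or awareness trainer can run over suspicious messages. The following is an added example, not code from the original article: it parses one email with Python's standard library and reports the indicators it finds. The sample message, the brand-to-domain table and the `.invalid` domains are all constructed for illustration.

```python
"""Heuristic phishing-indicator scan for a single RFC 5322 email message.

Added example, not part of the original article. It flags the traits the
article describes: a display name that claims a brand the sender domain
does not own, a Reply-To that diverts replies elsewhere, urgency wording
in the subject, decoy links whose visible URL differs from the real target,
and executable attachments hiding behind a document name.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure; every domain here is a reserved .invalid name.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-verify.invalid>
Reply-To: support@mail-relay.invalid
To: jane.doe@company.invalid
Subject: URGENT: your account will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, please confirm your details at
<a href="http://examplebank.login-confirm.invalid/reset">
https://www.examplebank.invalid/security</a> within 24 hours.</p></body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Assumption for the example: brands your users deal with, mapped to the
# domains that legitimately send mail on their behalf.
KNOWN_BRANDS = {"examplebank": {"examplebank.invalid"}}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude two-label approximation of the registrable domain (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def scan_message(raw):
    """Return a list of human-readable indicator strings for one raw message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in KNOWN_BRANDS.items():
        # Impersonation: the name says "ExampleBank", the domain is not theirs.
        if brand in display.lower() and registrable_domain(sender_domain) not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"Reply-To domain {reply.rsplit('@', 1)[-1]} differs from From domain")

    subject = msg.get("Subject", "")
    if re.search(r"\b(urgent|immediately|suspended|within 24 hours)\b", subject, re.I):
        findings.append(f"urgency cue in subject: {subject!r}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"executable attachment: {filename}")
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                href_host = urlparse(href).hostname or ""
                text_host = (urlparse(text).hostname or "") if "://" in text else ""
                # Decoy link: visible URL text points at a different site than href.
                if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                    findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample it reports all five indicators; a plain internal message with matching From and Reply-To, a neutral subject and no HTML links or risky attachments produces an empty list. The checks are deliberately coarse (no public suffix list, no header authentication results), so they belong in a triage or training workflow rather than as a blocking filter.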
Spear phishing attacks are the more refined, smaller and significantly more targeted alternative to regular “spray and pray” attacks described earlier. Where a regular phishing campaign may send hundreds of thousands of random emails out to an equally large number of inboxes, spear phishing attacks could be as targeted as one carefully written email to a single, well selected employee.
The social engineer spends considerable time researching the target organisation and the victim or victims within. They utilise both publicly available and stolen sensitive information to build their attack plan, learning the most effective way to convince the victim of their legitimacy.
Baiting, as the name suggests, is when a social engineer uses a carefully chosen piece of bait to lure the victim into doing something they shouldn’t.
Not solely executed via digital means, baiting often involves social engineers leaving items such as malware-loaded USB sticks labelled “Confidential”, “bonus schedule Q4” or something equally enticing in places where a curious employee might find them: the office cafeteria, or the bench outside the office where the boss has their coffee each morning.
The unsuspecting employee plugs in the device, hoping for some juicy gossip or insider information, and instead lets the social engineer right into their network.
Scareware is a form of malicious software that scares the victim into performing an action that benefits the social engineer.
This could include fake malware scanning software which informs the victim their device has been infected and they must purchase a license in order to remove it.
This type of attack is most effective against users without regular cyber awareness training: they are aware of the dangers of malware but are not regularly tested on spotting fake software.