Human carelessness or error is the main factor that makes it possible for attackers to penetrate the information networks of organizations. According to IBM research, up to 95% of all system breaches occur precisely because of the human factor. The share of incidents caused by the exploitation of software vulnerabilities is many times lower.
Many people are convinced that hacking a computer system or network is, first of all, a matter of finding technical or software vulnerabilities. In reality, most attacks start with social engineering, which is sometimes difficult to distinguish from ordinary communication.
Social engineering is, in a certain sense, the “hacking” of a person: the target reacts to manipulation, and the result is, for example, a data leak or the infection of a device with malicious code.
To better understand how social engineering works, it’s worth understanding the basic elements of organizing this type of attack. Not all of them are mandatory. If attackers don’t create a personalized script for a specific victim, some of these steps may be skipped.
Paradoxically, a mass attack doesn’t always require extensive preparation. For example, sending emails whose subject line mentions the State Revenue Agency requires neither detailed preparation nor a study of the specifics of the victims’ business. More personalized attacks begin by finding a specific target’s weaknesses.
Reconnaissance and data collection, combined with identifying weak spots
To understand what a potential victim will react to, you need to find that person’s weak spots. This requires a thorough study of both the immediate victim and his or her surroundings: an analysis of the business structure, the habits of the company’s employees, and a search for information available in open sources, including social media. For example, an employee who complains on social media about being underpaid can easily be used to organize such an attack. Such a person may be offered a job interview at a new company; all he or she has to do is click on the link with the job description. The person “takes the bait” and the job is done. The result: huge financial and reputational losses.
This is how the theft of cryptocurrency from the online game Axie Infinity happened in March 2022. Hackers sent emails to employees of the game developer company, offering jobs with extremely high salaries. The employees, apparently, were interested in the offer, visited a fake website and thereby installed spyware on their computers. Financial losses at the time of the attack totaled $625 million.
Creating a fake identity and building a relationship with the victim
This approach is typical for personalized attacks based on social engineering. A fake profile, long-term communication, forming personal connections: all of this can be part of the preliminary stage of reconnaissance and data collection.
Obviously, it’s much easier to accept a message from an old acquaintance than one from a new contact.
A recent example of such an attack affected Verizon Wireless, the largest wireless carrier in the United States. The attacker managed to convince a company employee that he worked in internal support. The victim believed it and gave the hacker access to an internal system that processed employee data, and the hacker was able to download a database containing the full names, email addresses, and corporate IDs of hundreds of people.
Another very famous example of a successful social engineering attack was the hacking of more than 100 verified Twitter accounts in the summer of 2020. The attackers compromised the account of one of Twitter’s employees and got into the company’s internal Slack chats, where they found passwords to the platform’s internal administration system. As a result, cybercriminals were able to take over a large number of verified accounts of famous people. The company confirmed that the hackers used social engineering, but it didn’t say exactly how Twitter employees “took the bait”.
Professional carelessness as the main factor in the success of the attack
Criminals often try to convince their victims that they are their business partners, clients, or employees of banks or state/municipal authorities. In this case, they don’t need to infect computers with malware or steal data.
Such attacks are built so that the victims themselves transfer money to the criminals. Almost always in such cases, attackers create artificial urgency so that the victim does not have time to properly analyze the attacker’s request.
This is how one of the most damaging attacks, carried out by the Lithuanian Evaldas Rimasauskas, was organized. He created a fake computer company that supposedly worked with Google and Facebook. Employees of the tech giants then received emails with invoices for supposedly delivered goods. In 2013-2015, Rimasauskas and his partners defrauded big tech companies of more than $120 million.
Another illustrative example was an attack against a well-known American investor, one of the “business sharks” of the American TV show Shark Tank, Barbara Corcoran. The attacker pretended to be the businesswoman’s assistant and, on her behalf, sent her bookkeeper an invoice for a renovation payment from an email address that closely resembled the real assistant’s. The fraud was exposed only after the accountant sent a follow-up email confirming the invoice to the assistant’s correct address. By that time, $388,700 had already been wired to the criminal.
Protection against social engineering attacks
Protecting an organization from social engineering attacks is one of the most difficult tasks. It’s impossible to protect against them completely. However, it’s possible to significantly reduce the probability that a company will fall victim, and this requires the active involvement of all employees without exception and constant cyber hygiene training.
What are the first steps every organization should take?
1. Systematic training of employees in the basics of cyber hygiene, with simulation of various types of attacks. Simple stories about not responding to unknown emails no longer work. But if simulated phishing emails are sent without warning, and the case is then analyzed with employees to show which attributes of an email they should pay attention to, this approach can be much more effective. You can find more about cyber hygiene training from ISSP via the link.
2. Establishing correct business processes within the organization, including for financial matters. Any formalized business process is a kind of maze for hackers, and they have to spend more resources working out how to get through it. The main goal is to prevent situations where, for example, the mistake of one accountant reacting to a social engineering attack can lead to huge financial losses for the company. A seemingly obvious rule, that large payments must be confirmed by at least one more person, is not applied in all organizations.
It would also be appropriate to implement the role of Chief Information Security Officer (CISO). In many companies, primarily in critical infrastructure, such a position already exists.
What should organizations without appropriate specialists do? Procure the CISO function as a service from experienced providers. This is a worldwide practice, which is especially relevant under conditions of constantly growing cyber threats. At ISSP, we offer CISO-as-a-Service as part of a suite of cybersecurity services for SMEs. More information is here.
3. Constant monitoring of the network environment and regular assessments of the state of the company’s cyber security with the help of its own SOC (Security Operations Center) or with the involvement of an external contractor.
What does a SOC do? It helps companies and organizations improve their IT infrastructure monitoring capabilities: detecting hidden behavioral anomalies, identifying threats early, and responding to incidents. You can learn more about the functionality of our Center via the link.
4. Developing corporate policies, and controlling their enforcement, regarding employees’ use of personal mobile devices and social media at the workplace. An unprotected smartphone used to read corporate email can be hacked and then used in attacks on other employees. The same applies to browsing personal social media on work computers.
5. Using a powerful anti-spam system and security gateways for email and network traffic, if employees work mainly from the office. These block suspicious emails and suspicious traffic, and the fewer of them reach the eyes of potential victims, the less likely cyberattacks are to succeed.
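One check an email gateway or finance-inbox rule can apply against the Corcoran-style invoice fraud described above is to compare the sender against the bookkeeper’s list of trusted payment contacts and flag addresses that merely resemble a real one. This is an added example, not code from the article or from ISSP; the contact names, addresses and the `.example` domains are constructed.

```python
"""Flag From: addresses that resemble, but do not match, a trusted payment contact.

Added example; the address book below is constructed for illustration.
"""
import re

# Constructed address book: people whose payment requests the bookkeeper normally acts on.
TRUSTED_CONTACTS = {
    "Jane Assistant": "jane@corcoran-office.example",
    "Vendor Accounting": "invoices@vendor.example",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero distance between addresses is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header_value: str) -> tuple:
    """Split a 'Display Name <addr>' header value into (display name, address), lowercased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header_value)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header_value.strip().lower()


def assess_sender(header_value: str, contacts=TRUSTED_CONTACTS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an RFC 5322 From header value."""
    display, addr = parse_from(header_value)
    known = {a.lower(): n.lower() for n, a in contacts.items()}
    if addr in known:
        return "trusted"
    for real_addr, real_name in known.items():
        # The Corcoran pattern: an address one or two characters away from the real one.
        if edit_distance(addr, real_addr) <= 2:
            return "lookalike"
        # A trusted person's name in the display field, but a foreign mailbox behind it.
        if display and display == real_name:
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is what should trigger the out-of-band confirmation the article recommends, before any payment is released.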