We all know about the type of attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. This breed of malicious actor makes news all the time, prompting us to counter their exploits by investing in new technologies that will bolster our network defenses.
However, there is another type of attacker who uses different tactics to skirt our tools and solutions. They are called “social engineers” because they exploit the one weakness that is found in every organization: human psychology. Using phone calls and other media, these attackers trick people into handing over access to the organization’s sensitive information.
Social engineering is a term that encompasses a broad spectrum of malicious activity. For the purposes of this article, let’s focus on the five most common attack types that social engineers use to target their victims. These are phishing, pretexting, baiting, quid pro quo and tailgating.
Phishing is the most common type of social engineering attack that occurs today. But what is it exactly? At a high level, most phishing scams endeavor to accomplish three things:
- Obtain personal information such as names, addresses and Social Security Numbers.
- Use shortened or misleading links that redirect users to suspicious websites that host phishing landing pages.
- Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into responding quickly.
No two phishing emails are the same. There are actually at least six different sub-categories of phishing attacks. Additionally, we all know some are poorly crafted to the extent that their messages suffer from spelling and grammar errors. Even so, these emails usually have the same goal of using fake websites or forms to steal user login credentials and other personal data.
A recent phishing campaign used a compromised email account to send out attack emails. These messages asked recipients to review a proposed document by clicking on an embedded URL. Wrapped with Symantec’s Click-time URL Protection, this malicious URL redirected recipients to a compromised SharePoint account that delivered a second malicious URL embedded in a OneNote document. That URL, in turn, redirected users to a phishing page impersonating a Microsoft Office 365 login portal.
Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victims’ personal information. In these types of attacks, the scammer usually says they need certain bits of information from their target to confirm their identity. In actuality, they steal that data and use it to commit identity theft or stage secondary attacks.
More advanced attacks sometimes try to trick their targets into doing something that abuses an organization’s digital and/or physical weaknesses. For example, an attacker might impersonate an external IT services auditor so that they can talk a target company’s physical security team into letting them into the building.
Whereas phishing attacks mainly use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.
Pretexting can and does take on various forms. Even so, many threat actors who embrace this attack type decide to masquerade as HR personnel or employees in the finance development. These disguises allow them to target C-level executives, as Verizon found in its 2019 Data Breach Investigations Report (DBIR).
Baiting is in many ways similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an item or good that malicious actors use to entice victims. Baiters may leverage the offer of free music or movie downloads, for example, to trick users into handing their login credentials.
Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.
Back in July 2018, for instance, KrebsOnSecurity reported on an attack campaign targeting state and local government agencies in the United States. The operation sent out Chinese postmarked envelopes that included a confusing letter along with a compact disc (CD). The point was to pique recipients’ curiosity so that they would load the CD and thereby inadvertently infect their computers with malware.
4. Quid Pro Quo
Similar to baiting, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting usually takes the form of a good.
One of the most common types of quid pro quo attacks that’s come out in recent years is when fraudsters impersonate the U.S. Social Security Administration (SSA). These fake SSA personnel contact random individuals, inform them that there’s been a computer problem on their end and ask that those individuals confirm their Social Security Number, all for the purpose of committing identity theft. In other cases detected by the Federal Trade Commission (FTC), malicious actors set up fake SSA websites that say they can help users apply for new Social Security cards but instead simply steal their personal information.
It is important to note, however, that attackers can use quid pro quo offers that are far less sophisticated than SSA-themed ruses. As earlier attacks have shown, office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.
Our final social engineering attack type of the day is known as tailgating or “piggybacking.” In these types of attacks, someone without the proper authentication follows an authenticated employee into a restricted area. The attacker might impersonate a delivery driver and wait outside a building to get things started. When an employee gains security’s approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access to the building.
Tailgating does not work in all corporate settings such as large companies whose entrances require the use of a keycard. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk.
In fact, Colin Greenless, a security consultant at Siemens Enterprise Communications, used these tactics to gain access to multiple floors and the data room at an FTSE-listed financial firm. He was even able to set up shop in a third floor meeting room and work there for several days.
Social Engineering Recommendations
Malicious actors who engage in social engineering attacks prey off of human psychology and curiosity in order to compromise their targets’ information. With this human-centric focus in mind, it is up to organizations to help their employees counter these types of attacks.
Here are a few tips that organizations can incorporate into their security awareness training programs that will help users to avoid social engineering schemes:
- Do not open any emails from untrusted sources. Contact a friend or family member in person or by phone if you receive a suspicious email message from them.
- Do not give offers from strangers the benefit of the doubt. If they seem too good to be true, they probably are.
- Lock your laptop whenever you are away from your workstation.
- Purchase anti-virus software. No AV solution can defend against every threat that seeks to jeopardize users’ information, but they can help protect against some.