Learn the best practices for developing a security awareness training program that is engaging. Engaging awareness programs have been shown to change more users’ behavior and are seen as an asset for your organization instead of annoyance. 

———————————————————————————————–

Introduction

Social engineering, in the context of information security, refers to the use of psychological manipulation to trick people into divulging sensitive information (information gathering) or performing actions (fraud/unauthorized system access). It is a non-technical confidence scam that resembles a very elaborate plan that consists of several stages (See the Typical Phases part). The three social engineering scams examined briefly here are 1) Identity Theft, 2) Vishing and 3) Baiting. They are ordered in line with their character from more people-oriented to those used primarily against corporations. In the second part, there is a short outline of why education and security awareness training can be helpful in preventing such social engineering scams.

I. Three Common Social Engineering Scams

Typical Phases

Social Engineering is often preceded by reconnaissance activities performed by the criminals. There is a little doubt that the opportunity given to an outsider to target employees, leveraging personal information on them that can be found on LinkedIn, Twitter, Facebook and so on, is an unfortunate by-product of the rise of social media in the past decade. Therefore, companies can only protect themselves from highly personalized social engineering attacks — for example, spear phishing — if they back up their policies on social media usage with effective workplace enterprise security awareness programs.

Pretexting is a form of social engineering where criminals devised a believable pretext, i.e., a fabricated scenario, in pursuit of victims’ personal information. Pretexting relies on instilling a false sense of trust in the victim. For that to happen, the story should be credible enough to leave little room for doubt.

To maximize the effect, pretexting can be combined with other cyber scams, for instance, identity theft. By way of example, in the autumn of 2014, several con artists presented themselves as representatives from modelling agencies and escort services. They concocted phony background stories and interview queries to sway women, including teenage girls, to send them nude images of themselves.

Social Engineering Attack

(“Identity Theft” Photo Credit: Got Credit)

2. Identity Theft

Social engineering can result directly in identity theft or the identity theft can just be a means to an end. Identity theft occurs when someone appropriates your personally-identifiable information (such as name, address, Social Security Number, IDs, date or/and place of birth, credit card/bank account numbers, medical insurance account numbers, etc.), without your permission or knowledge. This is most likely driven by financial motives.

In cases of identity theft, as in any other crime committed via the Internet, it is imperative to act as soon as possible. There are certain steps, a first response guide approved by the Federal Trade Commission for situations of identity theft. First, an initial fraud alert should be placed. Second, a person should issue an order for credit reports. Third, an identity theft report should be lodged (See Immediate Steps to Repair Identity Theft).

After bouncing back from the critical first phase of identity theft, a continued remediation plan is needed in order to prevent secondary tremors or a recurrence. In order to recover quickly, victims will need to file many forms to alert institutions and organizations that a fraud has been committed. All personal files should be cross-checked to ensure that the thief has not meddled with the victim’s data and accounts. Last but not least, victims should fully cooperate with the government in its duty to apprehend the criminals and make them answer for this nefarious deed (See Taking Charge After Identity Theft).

3. Vishing

A contraction between “voice” and “phishing”, the term vishing is the phone’s variation of email phishing. Scammers may use call center labor hired from foreign black market forums to run call scripts, or count on call robots and low cost voice systems. This scam seeks to deceive an person into divulging confidential info via a phone call. Vishing actors often use VoIP technology and mask their origin so that it will appear to come from either a known number or other trusted number. Criminals using this technique might come under the guise of some official authority or a person you have “met” somewhere.

Similarly to the blitzkrieg military tactic, vishing counts on not giving the victim time to realize that they are being attacked. As with phishing, its voice counterpart bears this trait of urgency that customers can sense, since they are told that failing to verify immediately or update their personal information can result in suspension of their account or even more grievous problem. To make things even worse for the recipient of the call, it targets personnel such as help desk, PR, HR, Sales – all employees whose job duties require communicating frequently with strangers.

Victims can be asked as well to transfer funds or allow the caller remote access to their computers. When they are unsure or have a reason to be suspicious, customers are advised to not follow automated instructions coming from a recording, but instead, call directly on their own initiative their financial institution. Be watchful also of the “No-Hang Up” scam. Another common phone scam is called “Microsoft Technical Support”. Of course it can be any other tech company inter alia that people tend to find trustworthy. The receiver of the call is asked to download software from a specific website in order to “fix” a technical issue.

Source: The New Face of Social Engineering and Fraud by D. Hobbs

Instead, giving a download command would start up the installation of malware onto the victim’s computer, which would allow the cyber crook full access to all information on that computer. The range of the attack can always be expanded by using methods such as escalating privileges.

Source: The New Face of Social Engineering and Fraud by D. Hobbs

Within the package of services that comes along with social engineering training is one solution called Vishing as a Service, or VaaS. It presents to its subscribers the opportunity to participate in simulated live call scenarios conducted in a controlled environment. VaaS is by all means an effective way to make an accurate vulnerability assessment with respect to potential vishing threats. Not only the extensive follow-up reports will provide actionable data concerning employees’ responses made during the various vishing attack scenarios, but it will identify the departments which are more likely to be exposed to this cyber scam.

4. Baiting

As the name suggests, an item or service is used to allure victims. This will eventually compromise their cyber-security. Unlike traditional phishing attacks, baiting delivers its payload through physical media, relying also to a greater extent on the curiosity (sometimes outright greed) of the victim. Promises for free music and movie downloads, for instance, can be offered to users in exchange for their login credentials.

Let’s examine first a simulated baiting attack organised by Trustwave SpiderLabs. In its first phase, the security firm gathered the names, work addresses and positions of most prominent figures working for the targeted organization. This could be done by leveraging any information available online on these persons, including such existent in social media (Check again the Typical Phases section). Then, the gathered data is analyzed and decision is made on exactly which employees will be attacked. One of the methods used by Trustwave SpiderLabs was sending a CD or USB with a fake antivirus update, accompanied with a letter detailing how to install the software on these physical media devices. The final result was 1 compromised target out of 15 packages delivered.

In a variation of this scam – perhaps a more successful one – the Trustwave planted 5 USB drives in the vicinity of a targeted organization. For the ruse to be more effective, the USB sticks were decorated with the company’s logos.

2 of the all “lost & found” drives were later on opened by local employees – an executive and a person from the physical security stuff.

Although the second person had no serious privileges in terms of information security, the researchers at Trustwave SpiderLabs managed to catch a glimpse of the software employed to organize all physical security control (e.g., cameras, main entrances, badges, etc.). In addition, Trustwave SpiderLabs escalated the privileges they gathered to the level of local administrator by utilizing a method dubbed “Named Pipe Impersonation”. After that move, they were able to retrieve a WPA pre-shared key residing in the Windows registry and then join the local wireless network, which gave them access to many systems.

One baiting attack in real life was documented by Steve Stasiukonis, a VP and founder of Secure Network Technologies, Inc., back in 2006. To assess the security of a financial client, Steve and his team infected dozens of USB flash drives with a Trojan and dispersed them around the organization’s parking lot. Being curious, many of the client’s employees picked up the USB sticks and plugged them into their computers, which activated a keylogger and gave Steve access to a number of employees’ login credentials. Workers at the DSM offices, a Dutch chemical company, reported as well discovering USB flash drives in the parking lot nearby. The memory sticks were loaded with viruses programmed to autorun onto company’s computers in an effort to reap an abundant harvest of employee login credentials.

We all have heard about the Stuxnet computer worm. Despite allegedly being designed to target the German-made software in the nuclear power plant at Natanz Iran, it has propagated to other systems made by the same company whose purpose is to manage water, gas and oil pipelines. Symantec warns that the USB memory sticks are carriers of Stuxnet, since the virus uses them to hop from one server to another in search of the right software to infect: “After Stuxnet finds its way onto an ordinary computer via the Internet, it hides there, waiting for a USB memory stick to be connected to the computer, when it transfers itself to the memory stick. When the USB device is then connected to a computer linked to an isolated server, it can enter the system and take control of it.” 63 personal computers infected with Stuxnet were found in 2010. The point here is that a USB can be dangerous even not in the traditional biting scenario, so they must be always dealt with caution.

Security specialists recommend using tools such as VirtualBox (if the temptation to plug in a recently found USB device is too irresistible). Virtualization builds environment in which one OS — the “guest” — is being run on another OS, the “Host”. The “guest” OS can be configured so as to not allow anything leave the virtual sandbox, thus harming your system.

II. The Need of Security Awareness and Education

While reading about these social engineering tricks, you might think: Why would a cyber criminal waste time attempting to come up with a sophisticated high-tech scam when he knows that the same result (and even such that surpasses his boldest expectations) can be achieved with a much simpler offline swindle?

Presumably, the weakest links in the chain of cyber security is not technological – it is human. And human beings are susceptible to psychological manipulation. Social engineering is not a new occurrence. It has been around under one form or another since the beginning of time (Top 14 Financial Frauds of All Time).

Common scams necessitate the existence of common mistakes. More attention is paid on security infrastructure instead of people, and that is the biggest mistake. As the managing principal research consultant of Accuvant LABS R&D team, Shawn Moyer, attests: “A lot of defenders still think in terms of an attacker on the Internet externally trying to find a way in. …The reality is, if I’m the outside threat, I find an insider and that insider becomes your threat.” The logic suggest that introducing security awareness training for employees is virtually mandatory.

Nowadays, demonstration of a careless attitude by employees (“What do I care, it’s not my data”) is simply unacceptable, according to Chris Hadnagy, an operations manager for Offensive security. “Now, security awareness has become personal for them. It’s not just about protecting their employer’s data but their life,” adds Hadnagy. On the other hand, overdoing security measures is the opposite extreme that might be as damaging as becoming a victim of a cyber breach, because it may impair the good communication between clients and organizations. For instance, while checking links with VirusTotal, which is a free service that inspects links and files for malware, is a proper thing to do when you have a reason to be suspicious, doing so for every link and file can seriously slow down the normal work process. A fine balance must be struck between security and productivity at work.

With regard to employees undergoing security awareness training, Lance Spitzner, director of SANS Securing the Human Program, says: “We’ve done tremendous work to secure computers but nothing to secure the human operating system. That’s why these social engineering techniques are so prevalent. To change human behaviour, you need to educate and train employees, not just once a year but continuously. Like you continually patch computers and applications, you’re continually training and patching human operating systems.” In the same spirit, Spitzner made the observation that employees who undergo periodic security training exhibit better orientation in the event of cyber-threats and are as a whole less likely to become a victim of spear phishing and similar social engineering campaigns.

There are usually always some signs that expose a scam disguised as an innocuous deed. That could be the tone used, the noises in the background, the origin of a link when you hover the mouse cursor over it, etc. Hence, users should pay attention to the details. People who are trained to be security aware have a better chance of sensing that they are victimized by a social engineering deception and contact the security team promptly. Reacting quickly is critical here. To sum up, there is no easy fix for social engineering scams, but proper education could likely give to you and your team what it needs to see it coming.

Reference List

Bisson, D. (2015). 5 Social Engineering Attacks to Watch Out For. Available at http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/ (01/08/2015)

Corporate Information Technologies. Social Engineering Detection and Training. Available at http://www.corp-infotech.com/services-solutions/social-engineering-detection-training/ (01/08/2015)

Doctorow, C. (2012). Dropped infected USB in the company parking lot as a way of getting malware onto the company network. Available at http://boingboing.net/2012/07/10/dropped-infected-usb-in-the-co.html (01/08/2015)

Galloway, D. (2011). Open Found USB Drives/CD-ROMs with a Virtual Machine to Avoid Malware Attacks. Available at http://lifehacker.com/5817765/open-found-usb-drivescd-roms-with-a-virtual-machine-to-avoid-malware-attacks (01/08/2015)

Grauer, Y. (2015). For Social Engineering Scams, The Best Security Patch Is Education. Available at http://www.forbes.com/sites/ygrauer/2015/07/09/social-engineering/ (01/08/2015)

Henrique, W. (2013). Baiting Attack Exercise – The Old School Way Still Works. Available at https://www.trustwave.com/Resources/SpiderLabs-Blog/Baiting-Attack-Exercise-%E2%80%93-The-Old-School-Way-Still-Works/ (01/08/2015)

Hobbs, D. (2014). The New Face of Social Engineering and Fraud. Available at http://blog.radware.com/security/2014/05/new-face-of-social-engineering-fraud/ (01/08/2015)

KnowBe4, LLC. What is Vishing? Available at http://www.knowbe4.com/vishing (01/08/2015)

KU Leuven (2013). Identity theft – social engineering. Available at https://admin.kuleuven.be/icts/english/information-security/identity-theft-2013-social-engineering (01/08/2015)

Mosk, G. (2013). Protect yourself Online from Social Engineering and Identity Theft. Available at http://www.domainraccoon.com/blog/social-engineering-and-identity-theft (01/08/2015)

Pontiroli, S. (2013). Social Engineering, Hacking The Human OS. Available at https://blog.kaspersky.com/social-engineering-hacking-the-human-os/ (01/08/2015)

Savage, M. Gaining awareness to prevent social engineering techniques, attacks. Available at http://searchsecurity.techtarget.com/magazineContent/Gaining-awareness-to-prevent-social-engineering-techniques-attacks (01/08/2015)

Secure Thinking Ltd. How to Identify Phone Scams. Available at http://securethinking.co.uk/how-to-identify-phone-scams/ (01/08/2015)

Shimbun, Y. (2010). October 5, 2010: Cybervirus Found in Japan / Stuxnet Designed to Attack Off-Line Servers via USB Memory Sticks. Available at https://311truth.wordpress.com/2014/01/21/october-5-2010-cybervirus-found-in-japan-stuxnet-designed-to-attack-off-line-servers-via-usb-memory-sticks/ (01/08/2015)

Social Engineer, Inc. Vishing as a Service (VaaS). Available at https://www.social-engineer.com/vishing-service/ (01/08/2015)

Social Engineer, Inc. Identity Thieves. Available at http://www.social-engineer.org/framework/general-discussion/categories-social-engineers/identity-theives/ (01/08/2015)

Stanford University (2014). Phishing & Social Engineering. Available at https://web.stanford.edu/group/security/securecomputing/phishing.html (01/08/2015)

Wall Street National (2015). For Social Engineering Scams, The Best Security Patch Is Education. Available at http://www.wallstreetnational.com/for-social-engineering-scams-the-best-security-patch-is-education/ (01/08/2015)