Humans are hard-wired to connect and to trust. As infants, our survival is based on making social connections so we can obtain our basic needs and this propensity continues into adult life. This natural trait is the most effective weapon for cyber threat actors using social engineering as a vector for attacks, and it is one that continues to prove especially difficult to combat.
Attackers use social engineering through human interaction to exploit trust and manipulate people into ignoring or deliberately circumventing normal endpoint security procedures. The targeted nature of attacks also helps threat actors to cover their tracks for as long as possible so they can accomplish their aims—often the target doesn’t realise they have been a victim until the wider effects become noticeable.
Josh Lefkowitz, CEO, Flashpoint.
These effects can be anything from crippling malware infections to major financial fraud affecting businesses and individuals. And, just like other kinds of cyber threats, adversaries’ tactics are evolving all the time.
Recently we’ve seen a rise in attackers playing the long game, devising bespoke social engineering campaigns targeting corporate users over an extended period in a bid to ultimately dupe them into providing access to their company network so a malicious payload can be delivered. Matt Wixey of PwC, who has conducted research into this phenomenon, has dubbed it “Remote Online Social Engineering” or ROSE.
Unlike a classic phishing attack, which relies on targets failing to spot a spoofed email address in the heat of the moment, ROSE is focused on building credibility with the target—in a similar way to tactics employed in catfishing, but without the romantic overtones. The campaign is built around in-depth research into the target’s personality, interests, and activities and is designed to bypass the filters that might otherwise put the victim on their guard.
Credibility is built through the creation of false personas with presence across multiple social media platforms that the target trusts, such as LinkedIn. The persona engages with the target over time, often using trust-building tactics like appearing to be part of similar social groups such as a company or university alumnus. Once trust is established, the threat actor finds a way to introduce an infected file through the target’s business email, causing them to unwittingly deliver malware onto the corporate network. While malware infection seems to be the most common motivation at the moment, such tactics could equally be used for extortion or to recruit victims into undertaking activities such as money laundering.
ROSE represents a significant and difficult-to-detect risk. For most organisations, the first indication that an employee has been the target of extended social engineering will be when network monitoring controls spot malware execution—at which point the “attack” has likely been under way for a considerable amount of time.
A key challenge for corporate defenders stems from the proliferation of false profiles on social media platforms, including those frequented by employees and often used for legitimate business purposes. False profiles can be very convincing, particularly if they demonstrate a long account history and conversations with other profiles. Employees need to be educated to look deeper for evidence of a connection’s claims. For example, do they show independent knowledge of apparently shared events, locations, or institutions? They should also be required to “sandbox” communications with social media acquaintances by not interacting using corporate email. Any deviation from such policies should raise a red flag immediately.
Phishing attacks persist
“Classic” phishing attacks remain a major problem for enterprises as their sheer volume raises the chances that some will eventually succeed. The problem becomes particularly prevalent around the holiday season. The spike in consumer shopping spurs threat actors to create convincing fake shopping sites and advertise discounts sent via phishing emails designed to reel in the unwitting, often time-pressured consumer.
Linked to the high volumes of holiday sales is an increase in refund fraud, which continues to be a major source of revenue loss for retailers. Here, threat actors purchase goods and then falsely claim that they have not been delivered or are faulty, relying on their social engineering skills to convince the retailer’s customer service team that they are due a refund. Fraudsters may also use fake receipts to claim refunds, despite never having purchased a product in the first place.
Build a hybrid defence against social engineering
Mitigating social engineering fraud risk requires a combination of automated signature- and indicator-based tools and employee education, implemented alongside an understanding of the context in which threats are developed and deployed. This context varies all the time; for example, maybe your company is involved in merger and acquisition activity and threat actors want to glean insider information. This could put employees at greater risk of phishing or ROSE attempts. Business intelligence can provide risk in context and help pivot an organization’s protection programme accordingly.
Neither automation nor education can succeed in reducing risk alone, and both require security teams to stay up to date with the latest social engineering and phishing tactics to provide essential context around the attack environment. For example, in the case of refund fraud, it’s important to be aware of threat intelligence around evolving tactics, such as serial number generators on fraudulent receipts, and help customer service teams stay alert to indicators that a refund request is not genuine.
From a technical perspective, automated tools that capture phishing attempts, such as blocking known spoofed email addresses and recognising indicators of compromise, reduce the quantity of phishing mails that reach employee inboxes. However, some will always make it through, and automated tools cannot detect the attackers who are “invited in” by victims of remote online social engineering scams. Ongoing employee education, cybersecurity training, and open discussions around the risks and tactics used in social engineering campaigns bridges the gap between what automated tools can block and what they can’t, thereby reducing the overall risk that attacks will succeed.
Ultimately, social engineering attacks are based on exploiting human nature, and there’s no technical or automated solution that’s 100% effective against an attack that preys on individuals’ vulnerabilities. At Flashpoint, we analyse business risk intelligence around the latest social engineering tactics to better understand the context in which threats are developed and deployed. This allows us to tailor our technical and employee education programmes for organisations, accordingly. With robust and timely programmes, organisations have an opportunity to trigger warnings that will make employees and consumers think twice before they – and the corporate network – fall victim.
- Protect against malware with the best antivirus software.