Not Just Phishing With a ‘P’ Anymore - Examining the A to Z of Social Engineering Attacks
In mid-July, the eyes of the Internet collectively swiveled towards the marbled, blue-checked halls of Twitter where something strange was happening. A host of prominent Twitter accounts - presidential candidates, tech moguls, musical messiahs - suddenly started asking people to send them Bitcoin and they’d double the money before sending it back. Identical tweets delivered with the clockwork discipline of an Olympic swimming team caused chaos online, with Twitter limiting account features for a couple of hours to stop the attack from spreading further.
One of the most brazen online attacks of our time? Yes, but also sadly just another variant of social engineering attacks that are growing in variety and sophistication every day. In this article, we’ll look at common social engineering attack types, outline tactics used by cybercriminals, and provide guidance that organizations can take to protect themselves against these attacks.
Common social engineering attacks
Over the years, as organizations and security vendors have greatly improved detection and remediation of mass phishing emails, adversaries have pivoted to more targeted attacks that use a bevy of techniques to evade traditional security controls. These attacks are usually clubbed under the ‘Business Email Compromise (BEC)’ category, with the FBI reporting $26 billion in reported losses due to BEC over the past 3 years.
Video: An overview of business email compromise attacks
Let’s go over common social engineering attacks:
1. Impersonation
The most common social engineering attack - and the most common technique used in such attacks - is impersonation. Adversaries pretend to be someone they’re not - a member of the C-suite, a trusted colleague, a known vendor - and send emails designed to steal money and data. These emails are targeted, based on authority and trust, and sent with the express purpose of passing superficial eye tests.
2. Email account compromise
Sometimes also known as account takeover (ATO), this is mostly what happened with the Twitter hack. Cybercriminals gain control of an employee’s email account (through credential phishing or finding leaked details on the dark web) and launch follow-on attacks from the compromised account. Email forwarding rules are set up so that attackers can monitor the compromised account without needing to log in (until they’re ready to strike, that is).
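The forwarding-rule tactic described above leaves an artifact that defenders can hunt for in mailbox configuration. The following is an added example, not code from the original post or from Armorblox: it scores a constructed export of inbox rules (the field names mirror what Exchange Online’s `Get-InboxRule | ConvertTo-Json` produces, an assumption, as is the `example.com` internal domain) and flags rules that forward or redirect mail outside the organization, weighting higher when the rule also deletes or hides the message so the owner never sees it.

```python
import json
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample export; field names mirror Exchange Online Get-InboxRule objects (assumption).
SAMPLE_RULES_JSON = r"""[
 {"MailboxOwnerId": "cfo@example.com", "Name": "Finance", "Enabled": true,
  "ForwardTo": ["finance-team@example.com"], "DeleteMessage": false},
 {"MailboxOwnerId": "cfo@example.com", "Name": ".", "Enabled": true,
  "ForwardTo": ["\"backup\" [SMTP:mail.7781@webmail.example.net]"], "DeleteMessage": true},
 {"MailboxOwnerId": "alice@example.com", "Name": "Tidy", "Enabled": true,
  "RedirectTo": ["alice.personal@webmail.example.net"], "MoveToFolder": "Inbox\\RSS Feeds"}
]"""

def external_recipients(rule):
    """Addresses in any forward/redirect action outside our domains; entries may be bare or '"Name" [SMTP:addr]'."""
    found = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(field) or []:
            m = EMAIL_RE.search(entry)
            if m and m.group(0).rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                found.append(m.group(0).lower())
    return found

def score_rule(rule):
    """Score one inbox rule; higher looks more like attacker persistence. Returns (score, reasons)."""
    score, reasons = 0, []
    ext = external_recipients(rule)
    if ext:
        score += 5
        reasons.append("forwards/redirects externally to " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        score += 2
        reasons.append("deletes the message after acting on it")
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].lower()
    if folder in HIDING_FOLDERS:
        score += 2
        reasons.append(f"hides mail in '{folder}'")
    return score, reasons

def suspicious_rules(rules_json, threshold=5):
    """Parse an export and return (mailbox, rule name, score, reasons) at or above the threshold."""
    findings = []
    for rule in json.loads(rules_json):
        score, reasons = score_rule(rule)
        if score >= threshold:
            findings.append((rule["MailboxOwnerId"], rule.get("Name", ""), score, reasons))
    return sorted(findings, key=lambda f: -f[2])
```

Internal forwarding (the CFO’s rule to a finance team) scores zero, while the near-nameless rule that forwards externally and deletes, and the redirect that buries mail in the RSS Feeds folder, both surface for review.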
3. Vendor email compromise
These are ‘long con’ email attacks where adversaries gain control of an employee’s account (like in email account compromise) and launch follow-on attacks on the company’s vendors, customers, and other third-party affiliates. One recent example of this attack was a PerSwaysion variant, where attackers sent an email from a compromised vendor account to steal Office 365 credentials from victims. These attacks also host files with phishing links on public Box or OneDrive folders, thus getting past security controls that block known bad links.
4. Brand impersonation
With everyone using a cavalcade of SaaS apps and online services, cybercriminals often send emails impersonating brands to steal account details (and more) from targets. This June saw one such email campaign impersonating Bank of America - this phishing flow stole login details and the answers to ‘security challenge’ questions from victims. And attackers don’t restrict themselves to impersonating business brands, either. Another recent attack saw a Supreme Court impersonation, a fake subpoena, and a fully-functioning CAPTCHA redirect.
Fig: Phishing flow for the Bank of America credential phishing attack caught by the Armorblox threat research team
5. Voice phishing (vishing)
Sometimes the most minimalist attacks are also the most sophisticated. In vishing attacks, adversaries pretend to be someone you know or trust, but over the phone instead of (or in addition to) over email. Straight from the confidence trickster’s handbook, vishing attacks aim to steal personal information with a much more personal touch. A recent vishing attack saw adversaries impersonate the Amazon fraud protection team, trying to steal personal information with a full vishing flow.
This is not an exhaustive list of social engineering attacks. The bottom line is - attackers have no shortage of techniques, vectors, and information while devising social engineering attacks, making this a question of ‘when’ and not ‘if’ the average person will be attacked.
Protecting against social engineering attacks
Given the spread and frequency of social engineering attacks, completely eliminating them is unlikely. Nonetheless, organizations can institute processes and invest in technologies that are purpose-built to stop such attacks.
1. Take your time and think rationally
This is the toughest piece of advice to execute on. Most social engineering emails, even when they’re sophisticated, usually have “a tell” - something suspicious that jumps out at you when you re-read the email closely. The problem is, attackers bank on you reading these emails with the relatively irrational, faster thinking part of your brain. No matter how urgent and authoritative the emails seem, it’s always worth taking an extra minute or two to ensure there’s nothing untoward going on.
2. Augment your native email security controls
Most cloud email providers have strengthened their native email security capabilities to stop spam, known malware, and mass-produced phishing attacks. Organizations should complement these native features with third-party controls that take a different approach to email security. Advancements in techniques like Natural Language Understanding (NLU) and machine learning now make it possible to effectively detect “needle in the haystack” BEC attacks.
3. Guard against alert fatigue
More email security controls should not equal more security alerts, especially if the relevance of those alerts doesn’t improve. Email security should aim to automatically remediate the vast majority of detected threats so that the security team can spend their valuable time looking at incidents that actually matter.
4. Protect against lateral movement
Organizations should introduce sufficient controls that minimize the impact any one employee can have on their sensitive systems and data. In the Twitter hack, once employees’ accounts were compromised, attackers were able to weaponize those accounts to gain admin-level access. Appropriate controls around employee access to data and systems can minimize the fallout from compromised email accounts.
Social engineering attacks are growing by the day and now encompass vast swathes of sub-attacks, each with different vectors and techniques used. Organizations should stay digitally safe by broadening their security controls, instituting processes that prevent any one employee from harming sensitive systems, and always treating emails with circumspection, even if they seem to come from trusted sources.
If you’d like more insight on email security trends and targeted email attacks we’ve seen in the wild, subscribe to email updates from Armorblox by visiting the link below.