Hello! Welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are going to start discussing Social Engineering: what it means, the various methods used, and what threat actors can do if their social engineering attempts are successful. One definition of social engineering, from the Cambridge dictionary, is “attempts to trick people into giving secret or personal information, especially on the internet, and using it for harmful purposes”.
Hmmm…attempts to trick people. Wow, if one has paid attention to the news at all over the past year to several years, you would recognize that there have been numerous attempts to trick people. Think of recent events. Has anyone here seen a fake email touting information on the latest COVID vaccine? How about ads that pop up claiming you have just won a prize? Or, even better, information that Bill Gates is sharing his fortune, but you have to click a link to receive your share?
Those are a few examples of social engineering, but each one of those examples is tech-based, an electronic example. How about face-to-face social engineering attempts? Ever heard of someone claiming to be someone they are not in an effort to gain access to a particular location or business?
Many of us have seen the multitude of movies where someone is tricked into believing a particular character is who they claim to be when they really aren’t. These are examples of social engineering as well. The attempt is to convince (or trick) the target into providing useful information. Maybe that useful information is access to another area that has …you guessed it…even more useful information.
Well, some may say “who cares?”. “Why do I need to worry about someone stealing my information? I don’t have anything useful out there to steal”. Well, that seems like a valid point, but look into it a bit deeper. Let’s say I am a threat actor trying to figure out how to purchase more equipment for my harmful intentions. I don’t want to use my own name since I don’t really want to have an early run-in with law enforcement.
So, I start trying to harvest other peoples’ information. Now, a target may believe they have nothing important for me sitting out there on the web. If I can grab their name, maybe their birthday, some more info about them, I could possibly impersonate them in an effort to obtain what I need for my own intentions. That way it wasn’t “me” that opened that line of credit, or that applied for that loan, it was my target. All I did was act like them and provide an updated address/account for the funds I need.
That is just one small example of what threat actors can do and have done. It is also one simple reason why folks should protect their information, regardless of whether they deem it important or not.
There are several different terms used (that you may have heard of) that fall under the broader category or term of social engineering. Phishing, baiting, pretexting, etc. These and other social engineering terms will be discussed in future TomCasts.
It is important to know the social engineering “life cycle”; there is a definite process in use when it comes to the stages of a social engineering attempt. Identification, Hook, Play, and Exit are the four main steps in the life cycle.
First, reconnaissance is performed on the target or targets; this is where the threat actor attempts to identify their “in” or their first point of access.
Once identification has occurred, the method of the hook is determined, a.k.a. how are they going to successfully lure and catch their target? This could be logical OR physical. A phishing email would be a logical attempt at the hook, while impersonating a vendor or another employee would be a physical attempt.
Once the target is caught (has clicked on the link or has allowed physical entry or access as an example), the play is employed. What information can now be extracted from the target? This is also typically the period where malware is injected (if the target is a logical one) to spread it throughout the network.
Then comes the self-defined step of Exit, where the threat actor has achieved their goal and exits the network, facility, etc.
The important takeaway from this is that there is no definitive list of social engineering tactics; as technology advances and evolves, so do social engineering methods. If one was around back in the 60s or 70s, well before the public internet, social engineering tactics were quite a bit different from what they are now.
Technology has increased the attack surface for social engineering attempts exponentially, so each and every person needs to be on their guard at all times. Sounds like a tall order, but once one starts employing regular security practices they become like any other repeated behavior in their life or in the life of the organization that employs them. It becomes habit.
Well, I do not wish to make this first social engineering TomCast super long, so I will stop here. I will dive into social engineering types over the next couple of TomCasts to give you all a better idea of what the terms mean and how they are used. We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!
Pt. II
Today we are going to continue discussing Social Engineering by taking the plunge into the definitions/use cases around the “ishings”. The “ishings”? What the heck are the “ishings”? The “ishings” are phishing, vishing, smishing, and a couple of phishing variants like spear phishing, whaling, clone phishing, angler phishing, and snowshoeing. Yes, yes, I know those don’t all end in “ishing”; perhaps it sounded better in my head when I was writing this.
Some of those terms may be familiar to you, some are a bit more recent than the others. So, let us get right to the thick of it:
Phishing: “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” In other words, a method of social engineering that utilizes email to trick the target into providing information that the threat actor is looking for. This basic type of social engineering is usually somewhat random in nature, like a shotgun blast effect of malicious emails to a broad spectrum of targets.
Vishing: “the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.” This is one of the earliest types of social engineering that is/was performed by threat actors to convince a target they are someone they are not, gain trust, and then gather or harvest as much information from the target as they can.
Remember crank phone calls? Pranking people over the phone? (I may be showing my age here). Usually those were for laughs, harmless (or thought to be harmless) jokes played on people back before the technologies we use now were available. The idea, however, may have been one of the many birthplaces of tactics like vishing. Ok, moving on.
Smishing: “the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers”. Are we seeing a theme here? Each one of these types uses technologies we have grown accustomed to against us. Phishing typically hooks through email, vishing hooks through voice telephony, and smishing hooks through text communications.
Time to dig a bit deeper into phishing types; let’s start with clone phishing: “Clone phishing requires the attacker to create a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out with a malicious one.” Talk about some trickery. Oops, sorry about that, oh target-of-mine, I missed some details in that first email. Let me resend that to you. This is using trust that has been established against the target.
How about spear phishing? Spear phishing, like phishing, is attempting to gather information. This type, however, reduces the random factor, or the shotgun blast approach we mentioned earlier. The targets are specifically selected by the threat actor and the attempts to convince the targets are harder to spot. The threat actor here is looking for specific information to harvest and is making the emails look more and more legitimate. Spear phishing attempts typically lack some of the basic phishing errors that are easier to spot (misspellings, weird email addresses, obvious signs of trickery).
And that leads us into whaling. Where spear phishing turned up the complexity of the hook, whaling ratchets it up even further. Whaling targets executives, and the threat actors are typically looking for the payday with whaling attempts. The targets are high-value and the information they have is much more valuable than the information a lower-level employee may have. The threat actors spend a significant amount of time and effort on the whaling emails; they prey on matters that get executive-level attention (legal matters, customer service issues, business-related concerns), and they do their homework to make the attempts as convincing as possible.
So, what the heck is angler phishing? Angler phishing uses social media to gather the information the threat actor is searching for. Fake messages purporting to come from the various platforms out there get disseminated to their user base in an effort to trick the targets into clicking/tapping/etc. in order to achieve the threat actors’ goal. Doesn’t seem like that would be a real hard lift with all the information people post of their own volition.
And, finally, here is snowshoeing (and this has nothing to do with the wintertime hobby/pastime/sport, or whatever you may call it). Snowshoeing, also known as “hit-and-run” spam, is a technique in which attackers send messages via multiple domains and IP addresses. Each IP address sends out a low volume of messages, so reputation- or volume-based filtering technologies cannot recognize and block the malicious messages right away.
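To show why per-source volume thresholds miss snowshoeing and what a defender can group on instead, here is an added illustration (not GuardSight’s tooling or anything from the original TomCast). The log format, the constructed sample lines, and the thresholds PER_IP_LIMIT and MIN_SOURCES are all assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample mail-gateway lines (not real logs): time, source IP,
# envelope sender domain, hostname of the link in the message body.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 deals-a.example promo-link.example
10:00:07 203.0.113.9 deals-b.example promo-link.example
10:00:12 198.51.100.2 deals-c.example promo-link.example
10:00:15 198.51.100.8 deals-d.example promo-link.example
10:00:20 192.0.2.44 deals-e.example promo-link.example
10:00:25 192.0.2.45 deals-f.example promo-link.example
10:00:31 203.0.113.77 newsletter.example newsletter.example
10:00:40 203.0.113.77 newsletter.example newsletter.example
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
PER_IP_LIMIT = 5   # assumed threshold of a naive per-source volume filter
MIN_SOURCES = 4    # assumed: one link host reached from this many IPs is suspect


def parse(log):
    """Turn log text into (time, ip, sender_domain, link_host) tuples."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def over_per_ip_limit(rows):
    """What a volume filter sees: IPs that sent more than PER_IP_LIMIT messages."""
    counts = defaultdict(int)
    for _, ip, _, _ in rows:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > PER_IP_LIMIT}


def snowshoe_campaigns(rows):
    """Group by the shared link host rather than by sender; a host that many
    distinct low-volume IPs point to is a candidate snowshoe campaign."""
    by_link = defaultdict(lambda: {"ips": set(), "domains": set(), "messages": 0})
    for _, ip, domain, link in rows:
        c = by_link[link]
        c["ips"].add(ip)
        c["domains"].add(domain)
        c["messages"] += 1
    return {link: c for link, c in by_link.items() if len(c["ips"]) >= MIN_SOURCES}


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("per-IP filter flags:", over_per_ip_limit(rows) or "nothing")
    for link, c in snowshoe_campaigns(rows).items():
        print(f"{link}: {c['messages']} msgs, {len(c['ips'])} IPs, {len(c['domains'])} domains")
```

On the sample data the per-IP check flags nothing, while grouping on the link host surfaces the one campaign spread across six IPs and six sender domains.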
Keep in mind that the content that is actually sent through the different “ishings” varies widely. Some links may be focused on harvesting information, while other links may result in malware/ransomware infection. The links and content depend solely on the threat actor and what they are trying to accomplish.
Ok, so that wraps up a very brief introduction to the “ishings” in an effort to better educate you, the listener, on what to be aware of and look out for. We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!
Pt. III
Today we are going to discuss Social Engineering for the third time. This time we are going to jump into other lesser-known social engineering methods like baiting, pretexting, tailgating, and quid pro quo.
Remember the Cambridge definition of social engineering? “attempts to trick people into giving secret or personal information, especially on the internet, and using it for harmful purposes”. Ok, keep that general definition in the back of your mind while we go through these types.
Let’s start with pretexting; pretexting is a kind of attack where the threat actor comes up with a story — or pretext — in order to trick the victim. The pretext generally casts the attacker in the role of someone in authority who has the right to access the information being sought, or who can use the information to help the victim. Pretexters can use any form of communication, including emails, texts, and voice phone calls, so this type is not limited to any specific technology used.
Next type to define would be Baiting. This type of social engineering preys on curiosity, amongst other things. Baiting is just as it sounds; the threat actor places the bait and waits for the victim to grab it. There are physical baits and logical baits; an example of physical baiting would be leaving a USB drive containing malware on a bench or chair and simply waiting for a victim to pick it up and eventually insert it into their machine. A logical example would be an enticing ad that the victim would click that would result in the installation of a trojan horse or other malware.
Tailgating (otherwise known as piggybacking) is a physical form of social engineering that can be intentional or accidental. It is a physical security breach where someone follows an individual closely through a security mechanism (RFID scanner, retinal scanner, mantrap, etc.) so that they never have to authenticate to it themselves. As an example, an employee comes into work, and another person is walking close behind them. The employee scans their badge at the entrance to unlock the door. The person following might appear to be carrying something bulky or heavy and ask for the door to be held open. The employee holds the door, and the person gains access. This may be another employee who was truly requesting assistance, or it could have been a threat actor gaining access to the facility while posing as someone else. Either situation is a breach of security.
Quid pro quo, which is Latin for “this for that”, is a type of social engineering attack where the threat actor provides a service or product in exchange for information or access. Typically, the threat actor impersonates someone of importance in the organization in order to successfully pull off a quid pro quo attack.
So, to wrap up, each one of those methods of social engineering was an attempt to trick people into giving secret or personal information. The methods vary widely and can be used together. Take pretexting, for example. A threat actor comes up with a convincing story, posing as a vendor for an organization that requires access but “wasn’t provided the right badge or code”, so they convince the target to allow them to tailgate past security mechanisms and gain access to the facility. Obviously, that is a very simplified combination of pretexting and tailgating, but hopefully it sparks some thought as to how threat actors take various methods and use them together in order to achieve their goals.
We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!