A recent Verizon study found that 33% of data breaches are caused by phishing or social engineering attacks. Why is social engineering so successful? It doesn’t matter how good your hardware is, or even your IT staff; if the rest of your team is not trained to identify cybersecurity threats, your thousands of dollars’ worth of security infrastructure is rendered useless.
We sat down with SOCBOX Lead Analyst Joseph Kozachenko, who conducts social engineering tests for companies, to see how this process works, why it’s a bigger threat than most people realize, and what tactics you should watch for.
Q: What’s the biggest danger you see with social engineering?
JK: Overconfidence, and lack of training. People think of phishing attempts as being obvious; the Nigerian prince, the “I need a trustworthy partner to help cash this $3 million-dollar check” email, etc. But modern phishing emails are much more sophisticated, more so than most people expect.
In conducting social engineering tests for organizations, I’ve successfully tricked all sorts of people: interns, C-level execs, new and tenured employees, and even security experts. Most companies don’t have a frequent, regular schedule of cyber awareness training—if they have one at all. And it only takes one deceived person to compromise your entire network.
Q: Why would a company request a social engineering test?
JK: For a variety of reasons. Maybe they’ve suffered a data breach in the past and want to check their vulnerability to another attack. Or they may want to test the effectiveness of their internal cyber awareness training program. Compliance might also come into play.
Q: What’s the first step for you?
JK: First, we’ll meet with the organization to address why and how they want the testing to be done. Some want us to target specific individuals and will give us their contact information. This would be similar to whitebox testing in a penetration test; we’re given all the information we need to try to penetrate the system. Whitebox testing imitates an internal actor—someone with insider knowledge of the business. Other organizations give us nothing; they basically say, “Just go be the bad guy and see what you can get.” This would be the blackbox test style, where we imitate a completely external malicious actor.
Q: Let’s say you’ve been tasked with the latter—trying to breach the organization without inside knowledge. Where do you start?
JK: With research. I’ll look at how many offices and staff members they have. I’ll pick a few targets, maybe based on their tenure at the office (new hires are less likely to know many of their coworkers well), the amount of information about them I can find on the Internet, or their position at the company.
Once I have my targets, I usually will try to impersonate someone in upper management or even a C-level exec. If they’re large enough to have multiple offices and a good-sized team, I’ve got a pretty good chance that my target may never have spoken to the person I’m impersonating.
Q: How do you impersonate them?
JK: I might call over the phone and introduce myself as that person. Or I may send an email to that higher-up, pretending to be a vendor or a prospective client. When they respond, I now have their email signature, and even an idea of how they write or format their emails. From there it’s time to buy a domain very similar to the business’, maybe one letter off, and set up an email address that looks almost identical to the address of the person I’ll be masquerading as. Now it’s time to reach out to my target and tell them to expect contact from a new staff member or security partner. Since the request apparently comes from their boss, or their boss’ boss, often this is enough to defeat the trust barrier.
Q: What do you mean by the ‘trust barrier’?
JK: Most people in business now have at least a rudimentary understanding of the need to be cautious and watch for scams, whether over email or phone. There’s a degree of mistrust of someone new or an unexpected request. But when it comes from someone they know, or at least know of, that suspicion often goes away, and they let their guard down. Now when I reach out to my target, pretending to be the new intern or partner, they’re expecting that contact and aren’t suspicious; that trust barrier is gone. Once I’ve gained their trust, 90% of my job is done.
Q: So now you’ve made contact with your target; what’s next?
JK: Next I try to get them to give me access to their device. There are multiple reasons a malicious actor would want to access an endpoint—someone’s computer, phone, tablet, etc. They may plant malware so they can maintain control of the endpoint while they dig deeper into the network, they may steal information to sell, or they can shut down the entire network. Obviously, that’s not my goal when conducting a social engineering test; my job is to see if I can trick the target into granting me access to the network.
Q: How do you do that?
JK: There are different methods I can use here; maybe sending an attachment that looks like a legitimate document or file, or asking them to screenshare with me so I can (for example) check that their security software is up to date for compliance. To keep that trust barrier down, I might tell them that while screensharing, they can watch everything I do. But since most screensharing software allows for transferring of files, I can be siphoning information off their device or downloading software onto it completely undetected. Of course, I don’t plant anything malicious, but depending on our agreement with the business, I may take a screenshot of the user’s computer screen or plant a benign file to prove I was able to get in.
Q: What if they get suspicious during the screenshare?
JK: At that point, it’s too late. A malicious actor will lay their trap within the first few seconds, so even if they completely shut down their computer, the damage is already done. Once I have access to their device, it’s game over.
Q: Wow… So what can users do to protect themselves?
JK: Education and vigilance. Phishing tactics usually center on three main factors: fear, urgency, and power. Fear is a powerful motivator and encourages the user to act; as a social engineer, you’ve got a 50-50 chance of the target taking the action you want them to. Urgency prompts immediate action, which gives the user less time to think critically or to fact-check the information or source. And the power factor comes from impersonating someone high in the corporate ranks; there’s an attached authority that discourages the user from asking for additional verification.
If you’ve received an unexpected request (even if it appears to be from someone you know), it’s always best to verify through another channel—especially if it incorporates one or all of these phishing elements. If it was an email, call the person to confirm. Be vigilant: double-check email addresses carefully. (Interviewer note: for an example of why this is a vital step, see this story.)
Employers need to set up regular awareness training for all employees—cybersecurity isn’t just the IT team’s job. This is the last step of a social engineering engagement; we deliver the report to the organization and discuss lessons learned. We’re then able to use that information to provide tailored training for the organization’s staff.
Q: What’s your ultimate take-away for organizations?
JK: Your first line of defense is your employees, so invest in them by providing training. And even if you think you’re secure, get a social engineering test done; the results may surprise you.
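Two points from the interview, the lookalike domain "one letter off" from the real one and the advice to double-check email addresses, can be turned into a mechanical check that runs over incoming From: headers before anyone acts on a request. The following is an added example, not code from SOCBOX or the interviewee; the organisation's domain examplecorp.com and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample From: headers for an organisation whose real domain is
# examplecorp.com (hypothetical; none of these addresses come from the interview).
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@examplecorp.com>",                     # genuine sender
    "Jane Doe <jane.doe@exampIecorp.com>",                     # capital I in place of l
    "Jane Doe <jane.doe@examplecorp.co>",                      # last letter dropped
    "IT Helpdesk <helpdesk@examplecorp-support.com>",          # company name embedded
    '"jane.doe@examplecorp.com" <jdoe@mail-examplecorp.net>',  # real address as display name
    "Vendor Billing <billing@supplier-example.net>",           # ordinary external sender
]
TRUSTED_DOMAINS = {"examplecorp.com"}


def levenshtein(a, b):
    """Edit distance between two strings: a domain one letter off scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'external', or a 'suspicious: ...' verdict for one From: header."""
    display_name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in trusted:
        return "trusted"
    for td in trusted:
        # A genuine-looking address in the display name hides the real sending domain.
        if td in display_name.lower():
            return "suspicious: trusted address in display name"
        # Typosquat or single-character swap: within a couple of edits of the real domain.
        if 0 < levenshtein(domain, td) <= max_distance:
            return "suspicious: lookalike domain"
        # The company's name reused inside an unrelated, newly registered domain.
        if td.split(".")[0] in domain:
            return "suspicious: trusted name embedded in domain"
    return "external"


def scan_headers(headers, trusted=TRUSTED_DOMAINS):
    """Verdict per header; anything 'suspicious' should be verified over another channel."""
    return [(parseaddr(h)[1], classify_sender(h, trusted)) for h in headers]


if __name__ == "__main__":
    for addr, verdict in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:48} {addr}")
```

Unicode homoglyphs (Cyrillic letters that render like Latin ones) are not caught by plain edit distance and need a confusables table on top of this check.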
The examples listed above are real methods that have been used to successfully breach businesses of all sizes—and this just barely scratches the surface. If you would like to schedule a social engineering test for your organization, or need guidance on setting up regular cyber awareness training for your employees, email us or call us at 877-284-7789 today.