Social Engineering Attacks: Common Techniques & How to Prevent an Attack

Posted by Provido (Participating Member), 21 Oct 2015
34 infosec experts discuss how to prevent the most common social engineering attacks.


Social engineering attacks are not only becoming more common against enterprises and SMBs, but they're also increasingly sophisticated. With hackers devising ever more clever methods for fooling employees and individuals into handing over valuable company data, enterprises must exercise due diligence to stay ahead of cyber criminals.


Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.


We wanted to educate companies, employees, and end users on how to better recognize social engineering efforts and prevent these attacks from succeeding. To uncover some of the most common social engineering attacks being used against modern enterprises and get tips on how to avoid them, we asked a panel of data security experts and business leaders to answer the following question:


"What are the common social engineering attacks made on companies, and how can they be prevented?"


See what our experts had to say below:


STU SJOUWERMAN




Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. KnowBe4 services over 1,200 organizations in a variety of industries, including highly-regulated fields such as healthcare, finance, energy, government and insurance and is experiencing explosive yearly growth of 300%. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”


Kevin Mitnick





Kevin Mitnick, ‘the World’s Most Famous Hacker’, is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecom devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and keynote speaker and has authored four books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC as its Chief Hacking Officer.


Social engineering techniques


What does social engineering look like in action? It could look like an email that has been designed to seem like it is from a credible organization, like your message service or FedEx or even your bank. But if you open it and click on that attachment, you could be installing malware or ransomware. Or, it could be disguised to look like it comes from someone inside your organization (like an unusual title such as IT@yourorganization – someone whom you trust). But if you respond to that email with your user name and password, your computer is easily compromised. The rule is Think Before You Click.


Social engineering attacks


The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after you instead. “You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.” Only about 3% of the malware they run into tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme, so in the end, it does not matter if your workstation is a PC or a Mac.


Phishing


The most common social engineering attacks come from phishing or spear phishing and can vary with current events, disasters, or tax season. Since about 91% of data breaches come from phishing, this has become one of the most exploited forms of social engineering.


Here are some of the worst:


A. Court Notice to Appear - Scammers are sending phishing emails claiming to come from a real law firm called 'Baker & McKenzie' stating you are scheduled to appear in court and should click a link to view a copy of the court notice. If you click on the link, you download and install malware.


B. IRS refund ransomware - Many of us waited till the last moment before the April 15th tax deadline and are now holding our collective breath in expectation of that possibly rewarding refund. The problem is that cybercriminals are very aware of this anticipation and use social engineering tactics to trick taxpayers. Knowing that many in America are waiting for word from the Internal Revenue Service concerning pending refunds, the cyber mafia is working hard to get in first with a massive phishing attack that has a ransomware attachment. The attachment is an infected Word file, which holds a ransomware payload and encrypts the files of the unlucky end-user who opens the attachment, and all connected network drives if there are any.


C. Researchers at Proofpoint recently discovered a phishing campaign that originated from select job postings on CareerBuilder. Taking advantage of the notification system the job portal uses, the attacker uploaded malicious attachments instead of résumés, which in turn forced CareerBuilder to act as a delivery vehicle for phishing emails.


The scam is both simple and complex. It's simple because the attacker used a known job site to target a pool of willing email recipients, and complex because the malware that was delivered was deployed in stages.


The attack starts by submitting a malicious Word document (named resume.doc or cv.doc) to a job posting. On CareerBuilder, when someone submits a document to a job listing, a notification email is generated for the person(s) who posted the job and the attachment is included.


D. Last June, the Durham, New Hampshire police department fell prey to ransomware when an employee clicked on a legitimate-looking email. Numerous other police departments have been hit including Swansea and Tewksbury, MA, Dickson County (Tennessee) Sheriff, and others. As of this time, the primary means of infection appears to be through phishing emails containing malicious attachments, phony FedEx and UPS tracking notices, and even through pop-up ads.


Here are a few social engineering scams executed via phishing:


Banking Link Scam: Hackers send you an email with a phony link to your bank, tricking you into entering your bank ID and password.


A billion dollar heist covering 30 countries and nearly a billion dollars in lost funds, nicknamed Carbanak by security firm Kaspersky, was reported on extensively in Feb 2015.


In the Carbanak scam, spear phishing emails were sent to employees that infected work stations, and from there the hackers tunneled deeper into the banks’ systems until they controlled employee stations that would allow them to make cash transfers, operate ATMs remotely, change account information, and make administrative changes.


It was a pretty standard scheme: an email with a link that looked like it was coming from a colleague contained the malicious code, which spread from there like a digital rhinovirus. The hackers recorded everything that happened on the affected computers to learn how the organization did things. When they had mastered the system, they commandeered it for a series of transactions that included the ATM hits, but also a practice of artificially inflating bank balances and then siphoning off that amount, so a customer’s account balance might go from $1,000 to $10,000 and then $9,000 would go to the hacker.


Fax Notice Scam: It's a phony link to a phony fax. But it will do real damage to your PC. This is quite common, especially for firms that still use faxes heavily such as document management, title companies, insurance and other financial services companies.


Dropbox Link Scam: Have we got a surprise waiting for you in Dropbox.


A couple of variations of this were running in 2014. One was a fake Dropbox password reset phishing email that, when clicked, led users to a page saying their browser is out of date and they need to update it (with a “button” to the update). This would launch a Trojan in the Zeus family of malware.


Another was an email with Dropbox links that hosted malicious software like “CryptoWall” ransomware.


Court Secretary Complaint Link Scam: Here's a phony link confirming your complaint. Something tells us you'll be complaining about something else very soon.


A version of this has been in use for a while. See A. above.


Facebook Message Link Scam: Vin Diesel has just died. Find out that your PC will be pushing up the daisies with this link.


This one is commonly used when a celebrity dies. This was exploited with Robin Williams when he passed away with the Robin Williams goodbye video. A bogus Facebook phishing message appeared that invited users to click a link and see an exclusive video of Robin Williams saying goodbye through his cell phone. Of course there was no video, and the link led to a bogus BBC news page which tried to trick clickers into clicking on other links that led to scam online surveys.


Since we train others and actively create test phishing campaigns for our customers to use, my staff tried to social engineer me the other day, trying to catch me as a prank.


It was a 2-stage attack, trying to get me to reveal my credentials. They spoofed our Director of HR, and sent me the email below. This is an example of very high operational sophistication, typical of top-tier whaling attacks, those cases when an individual is subjected to spear phishing attempts because they hold valuable information or wield influence within an organization. They had done their homework and knew I was active on the SpiceWorks forum for IT admins.


[email protected]

10:45 AM (1 hour ago)

to: stus

Stu,


I noticed that a user named securitybull72 (claiming to be an employee) in a security forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances on his disagreements, and doing so, may have unwittingly divulged confidential company information regarding pending transactions.


The post generated quite a few replies, most of them agreeing with negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through appropriate channels before making this post. The link to the post is located here (it is the second one in the thread):


www.spiceworks.com/forums/security/234664/2345466.


Could you please talk to him?


Thanks.


Nine out of ten would fall for something like this. The only thing that saved me was the fact that when I hovered over the link I saw that the domain was one I had created myself for simulated phishing attacks. But it was a close call! One more second and I would have been pwned.


The best prevention actions are:


1. Train users with an effective training program that routinely uses an integrated anti-phishing tool that keeps security top of mind for users and helps them recognize what a phishing email might look like.


2. Back up just in case and regularly test those backups to make sure they work.


PAUL KUBLER





Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He’s a former employee at Boeing, in the Global Network Architecture division, the nation’s largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.


With several years of experience in cybersecurity and digital forensics, he has conducted a wide range of investigations, including data breaches through computer intrusions, theft of intellectual property, and computer hacking. He has worked on hardening the systems and deploying protection over an international organization. He has also created business networks with a defense in depth strategy and implemented firewalls on these networks.


Some of the more common forms of social engineering (and how to prevent them) include...


PHISHING


Phishing has become a big player in malware attacks in the last few years and this type of social engineering has proven hard to overcome. Attackers usually send well-crafted emails with seemingly legitimate attachments that carry a malicious payload. These aren’t the typical “Nigerian Prince” scammers, but rather sophisticated hacking groups with sufficient time and funding who launch these exploits. They usually hide behind a Tor network or the like and become hard to find, especially when they are backed by organized crime who use this as a source of income.


RANSOMWARE


In recent years, we’ve seen a dramatic increase in the use of ransomware being delivered alongside phishing emails. They usually send an attachment such as “URGENT ACCOUNT INFO” with a file extension of “.PDF.zip” or “.PDF.rar,” which slips by the unsuspecting victim and delivers the payload. This attack often encrypts the entire hard disk, or the documents, and requires a bitcoin payment to unlock. Luckily, these groups actually do unlock the data - this way future victims are more likely to pay.


What can you do, as an individual, to minimize the chances of falling victim to these dirty schemes? Here are a few steps you can take:


  • DO NOT open emails in the spam folder or emails whose recipients you do not know.
  • DO NOT open attachments in emails of unknown origin.
  • Use reputable antivirus software - I recommend Kaspersky or Symantec.
  • Perform a regular backup to an external medium (external hard drive or the cloud).
  • After backing up, disconnect your drive. Current ransomware is known to encrypt your backup drive as well.
  • DO NOT pay the ransom. The reason why the criminals keep utilizing this form of blackmailing attacks is that people keep paying. To try to get your data back, consult a professional in your area.


What can your company do to prevent being victimized by these types of attacks?


  • Humans need to be trained – they are the weakest link. Companies should employ, at minimum, a bi-annual training geared towards each user group (end-users, IT staff, managers, etc.) so that everyone is aware of the latest attacks.
  • Employees should be tested by having an outside party conduct a social engineering test. These kinds of tests help keep the employee on their toes and more likely to avoid the attacks.
  • Since these attacks are on the rise, a number of new defenses have been developed. AppRiver is a great Spam and Virus email filter that can block a large number of phishing exploits before they even reach the internal servers.
  • If they happen to get through, an endpoint protection system that can block the latest malware is probably your best bet at stopping the attack.
  • As a last line of defense, Cyphort has a good IDS/IPS solution that can help detect known attacks and how far they managed to get into the network by signature, behavior, and by community knowledge.
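The double-extension trick Kubler describes (“URGENT ACCOUNT INFO.PDF.zip”) is easy to check for mechanically at a mail gateway or on a forensic workstation, and it is worth seeing how such a check reasons about a file name. The script below is an added example, not code from the article or from any product it names: it walks the attachments of a parsed message, flags names that stack a decoy document extension on top of an executable or archive, and lists what is inside a zip without extracting anything. The message, the attachment names, the archive contents and the three extension policy lists are constructed for this example.

```python
"""Attachment triage for phishing mail: flag double extensions and look
inside archives before anyone double-clicks.

Added example, not code from the article or from any product named in it.
The message, attachment names, archive contents and the extension policy
lists are constructed for this example.
"""
import io
import zipfile
from email.message import EmailMessage

# Policy lists (assumed; adapt to your own environment).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "wsf",
                   "hta", "bat", "cmd", "ps1", "lnk"}
MACRO_DOC_EXTS = {"doc", "xls", "docm", "xlsm", "pptm"}
# Document-looking extensions attackers stack in front of the real one.
DECOY_EXTS = {"pdf", "doc", "docx", "txt", "jpg", "png", "xls"}


def split_exts(filename):
    """All extension parts, lowercased: 'a.PDF.zip' -> ['pdf', 'zip']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(filename):
    """Reasons a file name looks like a lure; an empty list means nothing found."""
    exts = split_exts(filename)
    if not exts:
        return []
    reasons, final = [], exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
    if final in MACRO_DOC_EXTS:
        reasons.append(f"macro-capable document .{final}")
    # 'URGENT ACCOUNT INFO.PDF.zip' or 'invoice.pdf.exe': a decoy document
    # type followed by something that is not a document at all.
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and final not in DECOY_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{final}")
    return reasons


def triage_attachment(filename, payload):
    """Classify one attachment; for zips, list the members without extracting."""
    findings = [(filename, r) for r in classify_name(filename)]
    if split_exts(filename)[-1:] == ["zip"]:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    for r in classify_name(info.filename):
                        findings.append((f"{filename}:{info.filename}", r))
        except zipfile.BadZipFile:
            findings.append((filename, "named .zip but not a valid zip"))
    return findings


def triage_message(msg):
    """Walk every attachment of a parsed message and collect findings."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings.extend(triage_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample():
    """Constructed lure: a zipped 'PDF' that is really a screensaver executable."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("ACCOUNT INFO.pdf.scr", b"MZ...")  # stand-in bytes, not a real PE
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["Subject"] = "URGENT ACCOUNT INFO"
    msg.set_content("Please review the attached account statement.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="URGENT ACCOUNT INFO.PDF.zip")
    msg.add_attachment(b"%PDF-1.4 harmless placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg


if __name__ == "__main__":
    for name, reason in triage_message(build_sample()):
        print(f"BLOCK {name}: {reason}")
```

Run it as a script and it prints one BLOCK line for the outer “.PDF.zip” name and two for the “.pdf.scr” member inside the archive, while the genuine statement.pdf passes. The point of listing archive members rather than extracting them is that the decision is made on names and structure alone; the payload is never written to disk.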


DOUG FODEMAN





Doug Fodeman is the content director and co-owner of The Daily Scam, a web site devoted to helping individuals, companies, and organizations increase their understanding and awareness of internet-based threats, scams, and fraudulent practices in order to significantly decrease their risks and associated lost productivity.


When it comes to social engineering attacks, companies should understand...


Social engineering attacks that target companies or individuals are most easily and successfully launched through email. Everyone depends on email for communication, even more than social media which might be monitored by just one or a few company staff. Email is also a tool used daily by older members of the workforce. Also, email can direct a threat to everyone in an organization, including the CEO and CFO. But malicious emails require two triggers to be effective. The first is a cleverly worded subject line that will engage the recipient's curiosity and engineer them to open the email.


Some of the most effective subject lines are often innocent and simple like these recent ones I saw targeting an organization in just the last two weeks:


• A Special Invitation
• Advisory: Your online file was accessed
• Celebrate Mom this Sunday with an exquisite $29.96 bouquet
• Get noticed and watch your career take off
• Learn about harp
• Mother's Day bouquets with DESIGNER VASES
• Service cancellation May 10
• SHIPPING DOCUMENT / BL CONFIRMATION
• Welcome to the Who’s Who Connection
• Confirm for your delivery
• Confirm your 3K transfer by Monday
• FBI letter of notification [code 210]
• Incoming fax
• I think you'll like this
• New health care reform laws are in
• No interest for the first year
• Notice of payment
• Treat as urgent and get back to me
• Your installation
• Your phone number



Once the recipient opens an email, the message has to be compelling enough to engineer a click of a link or attached file in order to initiate or deliver the attack. Many engineering strategies have been very successful including:


  • Emails with a very professional look and presentation. These emails may include spoofed email addresses of legitimate companies or seemingly innocent pitches such as the sale of Mother's Day flowers.
  • Emails that are very short and to the point, often citing a bogus invoice, blocked payment, delivery, or fax.
  • Emails that are meant to engineer click-behavior by intimidation, such as an email made to look like it is from the FBI, a bank authority, or the IRS.


Unfortunately, most companies seem to put all of their defense efforts into software and hardware solutions to keep these threats from ever reaching employees. Using this approach is flawed because employees connect to the Internet through email, Facebook, LinkedIn, Twitter, and web pages from home, mobile devices, and work. Few companies also include employee education. I have found that educating employees about the threats that target them is MORE important than hardware and software defenses. And it isn't difficult to teach employees the simple methods to recognize threats such as mouse-over skills and understanding the anatomy of an email address or domain name.
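Sjouwerman's near miss (hovering over the link exposed a domain that was not spiceworks.com) and Fodeman's “mouse-over skills and understanding the anatomy of an email address or domain name” come down to the same two comparisons: where a link says it goes versus where it actually goes, and the sender's display name versus the address and domain behind it. The script below is an added example, not code from the article, that automates those comparisons over a raw message. The trusted-domain list, the sample message and every host in it (reserved .test and .example names) are assumptions constructed for the example, and the last-two-labels domain reduction is a simplification a real tool would replace with the Public Suffix List.

```python
"""Hover-check and sender-anatomy check for a suspicious email.

Added example, not code from the article or from any product named in it.
The message, domains and link targets below are constructed for the example
(reserved .test/.example names), so the script runs offline.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation treats as its own (assumed for the example).
TRUSTED_DOMAINS = {"example.com", "bank.example"}


def registrable_domain(host):
    """Reduce a host to its last two labels: 'login.x.evil.test' -> 'evil.test'.
    A real tool should use the Public Suffix List; this is enough to show the idea."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_trusted(text):
    """True when a trusted name is merely embedded in a longer host or string,
    e.g. 'example.com.verify-account.test' or 'secure-example.com.test'."""
    return any(t in text.lower() for t in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs, i.e. what a hover would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html):
    """Flag anchors whose visible text names one site while the href leads to
    another, and hrefs that only contain a trusted name as a decoy label."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group()) != registrable_domain(target):
            findings.append(f"link text shows {shown.group()} but goes to {target}")
        elif registrable_domain(target) not in TRUSTED_DOMAINS and looks_like_trusted(target):
            findings.append(f"lookalike host {target}")
    return findings


def check_sender(msg):
    """Flag a display name posing as a trusted address, a lookalike sender
    domain, and a Reply-To that diverts answers to a different domain."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if from_dom not in TRUSTED_DOMAINS:
        if "@" in name or looks_like_trusted(name):
            findings.append(f"display name '{name}' poses as a trusted address but the sender is {addr}")
        if looks_like_trusted(from_dom):
            findings.append(f"lookalike sender domain {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        findings.append(f"Reply-To {reply} differs from the From domain {from_dom}")
    return findings


def triage(raw):
    """Parse a raw RFC 5322 message and return every finding as a string."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    return check_sender(msg) + check_links(body.get_content() if body else "")


# Constructed sample modelled on the HR-spoof lure quoted above; not a real message.
SAMPLE = b"""From: "hr@example.com" <notify@mail-example.test>
Reply-To: hr.desk@example-com.test
To: stu@example.com
Subject: Employee post on the security forum
Content-Type: text/html; charset="utf-8"

<p>The link to the post is located here (second one in the thread):</p>
<p><a href="http://spiceworks.com.example.com-forum.test/234664">www.spiceworks.com/forums/security/234664</a></p>
<p><a href="https://login.example.com.verify-account.test/">Click here to confirm</a></p>
<p><a href="https://example.com/policy">example.com policy</a></p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("WARN:", finding)
```

On the sample the script raises four warnings: a display name that is itself an email address at the trusted domain while the real sender is elsewhere, a Reply-To on a third domain, a link whose text reads www.spiceworks.com but whose host ends in com-forum.test, and a host that only carries example.com as a leading decoy label. The policy link to example.com itself produces nothing, which is the behaviour a user doing the same check by eye should be taught to expect.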




 