August 27, 2021

Social Engineering: when people are the problem, they’re also the solution

“Hi, I’m Sam, and I’m a social engineer”.

What’s the first thought that goes through your mind when someone says “social engineer” or “social engineering”?

I remember what I thought when I first encountered these terms; just another empty concept being pumped out by some trendy tech start-up to attract talent and fill office space.

It turns out that social engineering is much more than that.

So, what is it?

Social engineering is the art of employing deception to manipulate others into making decisions that provide an advantage to the social engineer at the expense of the victim.

When we hear about companies such as JBS Meats, Colonial Pipelines or Toll Group suffering from ransomware attacks, we often think about the impact on the business, the implications for supply chains, and sometimes even the consequences for society. However, in the midst of all the lamenting and impotent rage we often fail to think about how and why the attacks happened in the first place.

All too often, we take it at face value that ransomware somehow ended up installed and executed on a victim’s machine. It might be a side-effect of the mystification of cybersecurity and IT more broadly, but a great many of us have acquired a default assumption that the success of a cyber attack comes down to the actions and decisions taken by the attacker. Consideration of the behaviour of the ‘victim’ usually fits into the narrative after systems have already been compromised.

Although advantageous for the victim’s treatment by the media, the exclusion of what the victim was doing before and during the attack obscures critical details that reinforce a false discourse; the fate of a cyber attack victim is predetermined. In reality, whether or not a cyber attack is successful is actually determined by the victim.

Take ransomware as an example. It’s not like a cyber attacker need only point their ransomware gun at their target and pull the trigger to achieve the desired effect. Ransomware, like all malware, is not a one-sided process. It’s a result of the interactions between the attacker and the victim. It’s up to the attacker to manipulate the behaviour of its target so the victim-to be voluntarily pulls the trigger of the attacker’s malware gun. The ‘victim’ must, of their own volition, download, click, execute, deactivate, or otherwise do something that facilitates a cyber attack.

Around 90% of the time, the outcome of a cyber attack is determined by whether or not a potential victim does something to permit an attack to take place.

Social Engineering: when people are the problem, they’re also the solution

This is exactly what social engineering is about – tricking the victim into doing something that will negatively affect them while benefitting the attacker.

Social engineering ‘greatest hits’ include:

  1. Persuading a victim to transfer money under false pretences or through impersonation.
  2. Enticing a victim to plug a USB infected with malware into their machine by labelling it “top secret” or “confession”.
  3. Persuading a victim to enter their account credentials on a spoofed webpage.
  4. Convincing a target to open a PDF file email attachment disguised as something innocuous.
  5. Impersonating an authority figure to compel a target to provide sensitive information.

The common theme, here? Nearly all these ransomware attacks are caused by a social engineering attack – particularly a phishing email. Nearly all involve the attacker sending the victim an email with a malicious attachment, successfully manipulating the victim into opening it and convincing them to execute the payload.

You might be thinking, “I know how to spot these things, I’m not a numpty!”

The problem is we get so much of these poorly-made phishing emails, we eventually start to assume all phishing emails look something like this:

When phishing emails can also look like this:

We deal with so many of those poorly-made phishing emails, we tend to let our guard down when a properly-crafted phishing email lands in our inbox and take it at face value.

This is a huge problem. Especially since we all have a trail of little crumbs of information about ourselves on social media, blog posts, industry websites, community websites, etc. All of which can be weaponised and leveraged into a properly-crafted phishing email.

That’s why social engineering is so effective. An attacker can easily collect information on just about anyone or any organisation, combine it with emotional manipulation and leverage that into a social engineering attack, often with devastating results.

For example, on a recent project we performed for a client, we used open-source intelligence to determine what systems are used within their organisation and crafted a phishing email, informing the client’s users there was an issue with their previous timesheet, and asked them to log into a spoofed webpage to confirm that the timesheet was correct. This evoked a sense of urgency in the users, as a timesheet error can result in a reduced pay.

The result? Of 7300 users, over 1800 were successfully manipulated into thinking the spoofed website was legitimate and they handed over their login credentials. If we had been a threat actor, we would have had access to one quarter of the organisation’s user accounts.

We also used open-source intelligence to gather information on 28 individual users, then weaponised this information to craft phishing emails intended to evoke various responses: urgency, compassion, outrage and curiosity. Some of these emails even mimicked communications from industry conferences, contractors and suppliers and community organisations. Of these 28 emails, 4 resulted in the users opening malicious attachments.

While 4 in 28 might be nothing to sneeze at, remember it only takes a single malicious attachment to compromise an entire organisation. If this was performed by a cybercriminal, or worse, a nation-state actor, it’s game over.

The key takeaway? Despite increased publicity and ‘awareness’ of cybersecurity, and ransomware and endless technology-centric cybersecurity products being on the market, people are still vulnerable to every social engineering trick in the book.

You may be rolling your eyes at this point, thinking, “Yeah but I have multiple controls, so my risk is mitigated.” Well, not quite. While solutions such as email filtering, firewalls and endpoint protection can reduce the risk of social engineering attacks, they can’t completely mitigate it.

Say you have a spear-phishing email slip through the cracks and land in a user’s inbox.
“Big deal. Endpoint protection will stop the payload from executing,” you say.

But what if that user is a developer and has that protection disabled because it prevented them from compiling code for testing?

And what if the attachment is a malicious macro-enabled document and the recipient is an accountant who requires the use of macros for their job role?

The point is the threat starts with people.

So, why aren’t we strengthening the people? The answer is also quite simple – the cybersecurity market has been saturated with technology-centric solutions. So much so, the human factors have been completely neglected.

Relying on technology-centric solutions isn’t enough. All the firewalls, endpoint protection and email filtering in the world won’t mean anything if your organization’s internal culture lacks cyber awareness and your people are susceptible to social engineering attacks.

To mitigate risks, businesses must adopt a more holistic approach to cybersecurity; one that leverages technical solutions but also improves internal cultures and empowers people.

Get started by contacting us at 460degrees.

Other articles you may find interesting...