That noise, and the quick conversation following, cost a major security organization millions. Don’t believe me? Last month, a hacker called the help desk of the FBI and had the following exchange:
So, I called [the helpdesk] up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one. I clicked on it and I had full access to the computer.”
Soon after that, 20,000 FBI and 9,000 Department of Homeland Security records were released to the public. The hacker accessed employees’ names and even credit card information. Using the IBM 2015 cost per record breach standard ($170 per record based on malicious activity), that’s nearly $5 million dollars lost during a 2-minute phone conversation. It was probably higher, given the amount of credit card data and the as-yet-unknown implications of the national security data that was accessed.
That’s a government institution though, and this is not surprising according to some of my technical colleagues. But what about an IT-based organization? Surely, they’ll fare better; for some places, $5 million is a drop in the bucket. Well, in June of 2015, Ubiquiti Networks Inc. fell victim to a CEO scam or “whale attack” where they ended up transferring $46.7 million dollars through a wire transfer to China (they’ve recovered a $13.1 million so far).
What’s the root cause of these hacks? People. Hackers use social engineering attacks take advantage of the “faults” in humanity, our human emotions and feelings, to get access to money or a technical resource (physical or virtual). They’ll even resort to bribery and basic solicitation, though that’s something for an entirely different article.
Aren’t There More Efficient Ways than Social Engineering?
Hackers prefer social engineering because it’s much easier to hack a human than a business. Social engineering attacks allow the hacker to combine multiple efforts and even cover their tracks, because they can use the human to take money or install malware under their persona.
According to Nick Espinosa, CIO at BSSi2 where they do white hat hacking for their clients, “a [social engineering target] can either get [the hacker] access to the network by the [target] validating their malicious software or by actually having the person do the work for them.”
This problem is growing and our goal is to arm you against these attacks. With this list of social engineering attacks, you can educate your users and help them avoid falling for the insanely easy social engineering attacks that result in major security breaches. We’ve also included some ethical hacking ideas so you can test your users.
You might think this hack is obvious and even your best users can shut this one down, but here’s how the best social engineers use this tactic:
The social engineer will create an email address that looks like a C-level executive in your business. Maybe they nab a fake domain that looks like yours, too. For instance, firstname.lastname@example.org (a fake domain that looks like ours) would get my attention, especially if they put John Hurley (our CEO) as the “from” name.
How would the social engineer know the name of my CEO? According to Nick Espinosa, they’ll do what’s called a “Harvest Scan,” where they do everything from port scanning to IP address lookup to Google stalking to email address verification.
The hacker targets the people with direct or indirect ties to their victim. They then monitor to see when the target will be out of the office in order to best execute their attack.
If the hacker wants to install malware, they’ll execute a social engineering attack like the example above in order to get access to a computer. However, if the hacker wants money, they’ll write a message like:
Tommy, we just landed a large deal with a company in Beijing and they’re going to be supplying us with X so we can be more cost effective at building widgets. Please send $10 million to the following bank account on my authority. I’ll be back on Monday as planned to fill you in.”
These examples play on many human faults — known most commonly as “emotions” — to get me or “Tommy” to take action. That’s why I picked this tactic first, because many of these hacks use emotions and relationships to get us to hastily take action. In the data example, it uses a mobile phone signature which caused me to look past his missing email signature. All the attacker needed to know was the relationship, which a quick LinkedIn search can show. From there, he launches the attack. In the money-based attack, the hacker’s message would come from an email as well.
STOP THE HACKER: Identifying Fake Personas
According to Bruce Campbell, V.P., Clare Computer Solutions, “If someone spoofs an email that seems to be coming from someone you know, you can get a feel for an email that doesn’t feel right. Occasionally, I’ll get an email from a good friend that just says, ‘Check this out – this is hilarious and has a link.’ I never click the link. I call the friend and say, did you send me an email?”
Nick Espinosa had another idea as well — and it’s easy and nearly impossible to break. Have C-level executives and their staff handle any money or data exchange with a verbal password between themselves to verify who they are. If the CEO heads out for a conference, he can instruct the controller that anything financial will need the verbal password they established.
If the CEO emails the controller wanting to transfer $10 million, he can text them afterward with the password. This is a simple two-factor authentication method. You should rotate the password in case the C-level executive’s phone gets compromised in a social engineering attack.
The hacker commits (or pretends to commit) a low-level attack against an individual. Maybe the hacker gets the user to download an attachment, as in our first social engineering tactic. Maybe the hacker lied. Regardless, the hacker informs the user that that they will lose their job and face legal ramifications if they don’t follow their instructions.
These attacks can be targeted or sent en masse. Per Robert Siciliano, Identity Theft Expert at BestIDTheftCompanys, if the hacker doesn’t have true access, he will send out an email to thousands of people, hoping to land just one or two. In that email, the hacker communicates that the user has been hacked and needs to follow their instructions to prevent any consequences. Alternatively, they’ll send the malicious software (often ransomware in this case) and follow up later.
You’ll be familiar with this one. The hacker fakes an IT help desk account, mimics your brand look, and even purchases a domain like your own. They offer a password reset form, complete with an old password field — which is what the hacker needs to gain entry into the account. They will use this to access the network or the person’s machine in order to go deeper into the network.
Network access isn’t the only target of phishing attacks though. Occasionally, they target organizations that use credit cards. According to Drew Parrish, Help Desk Specialist at Wabash College, social engineers have used “spear-phishing” to target faculty with purchasing power. These phishing attacks would often be bank-based, even going as far as to use the bank’s official logo, web layout and name in the domain.
STOP THE HACKER: Dealing with Phishing
Phishing is the social engineer’s oldest and most reliable tool, because it works. Here’s how your users can avoid it, courtesy of Joe Palko, VP at American Eagle:
- Check the Domain on Your Phone and Desktop
- Many phishing attacks originate with hackers trying to pretend that their phishing website is an original corporate website. For example, if you are on the Chase website, the URL is going to be www.chase.com. A phishing website will do something like www.chase.bankonlinenow.com.
- Look for the SSL on Desktop and Mobile
- Always look to make sure the site is transmitting in SSL. There will be a green lock in the URL where you can click or tap the lock and see the security certificate for the website, and make sure it matches the name of the company you are visiting.
- When Using Social Media, Limit Surveys and Games
- Unless you are sure the source is reliable, do not take a survey or play any games on social. Many phishing attempts are disguised as games or surveys that require you to log in with Facebook.
In addition, penetration testing goes a long way. Drew Parrish mentioned that Wabash College sent out blatantly obvious phishing emails with “ridiculous email addresses and links to click.” After a year of testing, click-through rates dropped nearly 100% on the harmful links. They’ve informed users through email and a lunch-and-learn and that they should forward all questionable emails to the help desk.
4. The Friendly Hacker
For this hack, the social engineer compromises someone’s email or social media account. Their goal is to extend their reach, so they will look at recent messages that the user has sent. Often, the initial target isn’t the final target, especially if the final target has a strong security background.
If any links or documents have been sent, the hacker might follow up saying they’ve updated it or found something similar. For instance, if targets exchanged PDFs, the hacker could send a newly updated version with malicious code.
If the hacker can’t find any way to attack their final target with the initial account, they might look for mutual friends and try to repeat the process again.
STOP THE HACKER: Simple Goes a Long Way
According to Bruce Harmon, Dean of the College of Engineering at Colorado Technical University, keeping it simple goes a long way when defending against social engineering attacks:
“The best defense against these kinds of attacks is to educate the users to avoid giving information to persons not verified as acting as legitimate agents of the company and to avoid opening attachments or clicking on links that are suspicious or have been provided by persons unknown to the user. Err on the side of safety. Even someone known to you may unwittingly provide a harmful link.”
5. Vendor Scams for API Keys
Here the hacker is trying to get your API key for a particular product. Again, they will perform a harvest scan to find some tracking codes on your website and then message you from one of those organizations. From here, they’ll inform you via a seemingly standard automated email that your API key needs to be reset and to follow their link to reset it.
At this point, they create a phishing site, but instead of asking for a username or password, they request your API key. They will then either give you a new API key (that won’t work) or tell you to try again later, while reminding them that your current API key will work in the time being. Why target the API key? According to Travis Cunningham, a Software Engineer for SmartFile, “An API key is like a username/password. If someone has your API key, they can do anything on behalf of you, just as if they had your username/password.”
The level of control they gain depends on the tool they are mimicking. If they store any kind of data, even a few minutes of access could lead to a major breach. If you are ever worried about the integrity of your API key, Cunningham says to revoke the key as soon as possible to prevent unauthorized use.
Get the Social Engineering Tactics Infographic
Give management and your uses a quick and easy graphic about these social engineering attacks. Fill out the form and we’ll send you our infographic plus some other tips for stopping hackers!
Typosquatting is very similar to a phishing attack, but the hacker doesn’t reach out to the victim directly. Instead they sit on a similar domain and wait. Usually the domain is only a character or two off of the main brand’s domain. The hacker buys domain names and squats on them, matching a brand’s look and feel. When a user fills out a form, they will use the login credentials to cause harm.
If the site typically has a download, they can include malware with the executable file. This can include “scareware,” which uses popups and notifications on the target’s computer to require payment for access to the program. Once the user fills out the form, they have the user’s credit card information. So now, the hacker has access to the computer through the malware program, access to their account with their username and password, and access to their credit card information.
7. Device Leave Behind
This is often combined with the common piggyback or cable guy technique. The hacker leaves a USB drive, CD-RW, phone or other storage device around an office and writes a tempting label on it, like salary information or a famous musician (if it’s a CD). Often times, if someone finds a USB drive, they’ll just start to use it on their own.
To make sure the user thinks the storage device is legit, the hacker might place music files on there, along with other files on the storage device that sound enticing to click (for instance “XYZ Company Salary Records.xlsx”). Once accessed, the malicious code is launched.
If the hacker is using a USB-based device, he can take over your entire machine, even if you disable auto-run. Essentially, your computer sees the USB device as a keyboard. Sound crazy? Watch the hack as it happens:
8. Malware Piggyback
The hacker takes advantage of a big security breach or piece of malware floating around. Then they either execute a social media newsjacking attack, like we’ll discuss in #9, or an email file attachment like in #1.
The goal is to provide a link to a harmful file that claims to be a report of their findings on your site or a general report they send to you as a courtesy. Once the file is downloaded and accessed, they hacker’s malicious code is executed.
STOP THE HACKER: 4 Steps to Transform Human Behavior
Jack P. Healy (CPA/CFF, CFE), a Managing Director at Bear Hill Advisory Group, LLC, shares 4 ways you can transform human behavior when it comes to social engineering attacks:
- Provide feedback to associates on known tendencies
- Provide more education
“Many companies stop at #1. But there are organizations that can test your associates’ Social Engineering (Fraud IQ) by sending test emails. The testers will then send emails to your staff and provide you with reports on which staff opened the SE email. This is to point to additional training.”
9. Social Media Based Phishing
I wanted to separate this out because it can cover several different types of attacks.
In our first example, the hacker either builds a news brand that looks legit or mimics the target company’s site and brand. From here, they perform “newsjacking,” where they retweet or use a hashtag to join a conversation. The hacker then piggybacks on high profile stories surrounding their targets and push out a link to a phishing site where they can get users to take actions that might compromise their login or other information.
In our second example, the hacker gains access into your account and sends out shared links to surveys and games to your friends. In addition, they may take a more relationship-based approach and follow up on existing messages with your friends, who are their ultimate targets, offering them a link to a phishing site.
Finally, on professional social media sites like Linkedin, a hacker will pretend to be a recruiter for a company. They’ll send you a private message and inform you about a position at a well respected company that sounds incredible. They’ll send you to a phishing employment site, where they gather a bunch of information, and require your social security number for background check purposes. At this point, they can do just about anything with your information.
Social media is an easy way for hackers to go phishing for unsuspecting users, and it’s becoming more prevalent because there are so many attack methods. It deserves its own section so you can make sure your scam shields are up, even when you’re communicating with friends and quality brands online.
10. Neuro-Linguistic Programming (NLP)
This is a social engineering tactic you’ll sometimes see salespeople perform to get clients to like them. Social engineers use it in the same way. Once the hacker gets physically close to the target, the hacker will match the voice, tone and body language of their victim.
Per Daniel Smith of Radware, social engineers that “[mirror their target’s] body language, breathing rate, voice and vocabulary will begin to build a connection on a subconscious level with the target. The hacker can change the mood of the conversation subconsciously by changing your body language, breathing rate, voice and vocabulary to reflect thoughts and images that strike the desired emotion. By anchoring and reframing, the hacker is able to passively control the conversation and emotions of your target, allowing them to further direct the conversation to what they’re after: information.”
NLP helps social engineers build a rapport with the target and subtly steer the conversation. To top it off, the hacker will use industry or company jargon to help close the deal and get the info they need. This helps make them seem like an authority.
At this point, the social engineer can simply try to bribe, threaten or even straight up solicit information from their target.
STOP THE HACKER: Defending NLP-based Social Engineering Attacks
NLP based social engineering tactics are notoriously hard to stop — because they feel natural. Here are a few ways to spot NLP-based tactics (you might get some false positives though, so be patient):
- Know Your Body Language Quirks
- Do you do something a bit out of the ordinary? Maybe you cross your arms a certain way or speak fast. If you notice someone in a conversation matching these tendencies, be wary of their motives. Sometimes this happens naturally, other times it’s for their gain in some way.
- Can’t Touch This
- If people touch you, especially in the United States where touch is uncommon, with the exception of friends and close family, be on alert for suspicious activity.
- Listen for Passive Commands
- Did someone tell you to take off your coat? Did they welcome you to relax? These can all be indicators of an NLP hack.
- Trust Your Gut
- If a situation doesn’t feel right, leave the conversation. If you want to maintain the relationship, politely say you forgot about a meeting you must attend.
11. Classic Piggyback
This is an in-person social engineering attack that typically happens at large organizations. The hacker will scout the smoking or other outdoor social locations and then join the group, maybe even asking people what department they work in and striking up a casual conversation.
At this point, when the group goes in, the hacker follows the employees. As the hacker explores the buildings, if anyone asks who they are, they can always use one of the employee’s name, hoping that they don’t know the user. They’ll likely tour the office, looking for an open workstation, and pounce. If anyone asks, they’re IT and they’re updating Java or some other extremely common program.
12. The Cable Guy
The hacker will dress up as a phone or cable technician and report to the front desk. They’ll ask to be escorted to IT in order to work on the wiring or some other connection issue on the company’s end. In this scenario, the hacker might not even have to chat with someone in IT, as they may be shown to where they’re needed.
To carry out the ruse, the imposter might apologize for being late or take a fake phone or radio call from their boss, located in the home office or the van, with very specific directions on what he needs to look at. Once the hacker is alone, he can carry out his planned mischief.
13. Reverse Social Engineering
This is a pretty big ploy. Here, the hacker attacks a network and causes some damage, just enough to leave a trail. Then, feigning as a contractor/consultant, the hacker will claim that they found evidence of the breach in their target’s website or application and offer to work on it for a small fee or pro-bono in exchange for a testimonial or something.
With the deal being too good to pass up, the hacker’s fake company is hired. At this point, the hackers have considerably more access to the network and can do more harm. In the meantime, they can pass the buck and claim the “hackers” did it.
14. Rogue Employee
Obviously, for some of these situations, you need to be in the office. That leads to this hack, where the social engineer gets a low-level job at a company with just enough access to their marks. Another alternative involves bribery and solicitation to perform these actions.
Once they have a position in the office, either on their own or through a surrogate user, they can access open workstations or perform any number of activities as described in this article.
STOP THE HACKER: Check Your Logins
Tell your users that if someone uses their computer for any reason — authorized or unauthorized — to force logouts on other devices and consider changing your password.
According to Robert Siciliano, CSP at IDTheftSecurity.com, you should “keep an eye on your accounts and their activity. Account providers such as Gmail have dashboards that show where you’re logged in and what tools or apps are connected. This includes financial and social media accounts.”
15. Open Access
Here, the social engineer works for the company and pretends to have computer or database problems. Maybe Excel is going slow, or they can’t get the SQL server to open. Regardless, they know their mark has some level of access they need. So they make friends with them, and after some time working together, they ask if they can try something on their machine to see if it’s any better.
To make this truly effective, they can bring a storage device and execute the device leave-behind as well to ensure they have continuous access.
Another alternative is due to employee laziness. When employees leave their computers unlocked, they give malicious employees in the office open access to their account. While an open computer often leads to an office prank, like switching mouse settings, this also lets the hacker access specific files, install malware or use their persona to get access to other individuals.
16. Six Degrees of Separation
Here the hacker identifies a “whale,” or a C-level executive or a director-level employee. Using social media and watching their in-person patterns, the hacker reaches out to the target’s friends or family with the full intention of earning the trust of the target eventually.
The victim will use their mutual contact to request an introduction to their target. At this point, the target is in a group setting, warmed up and comfortable, and the hacker can go after viable information.
While a group might seem like a bad idea because the hacker could get caught, it could also lower someone’s guard, especially if the hacker doesn’t directly ask for sensitive information. The hacker can focus on the initial victim — the mutual friend that their prime target has so much history with — and beat around the bush until they ask the question the hacker’s been wanting to ask themselves.
17. Bar Hopping
The hacker finds the target (using a method like the six degrees of separation) and introduces himself at the bar. Then the hacker gets the victim drunk while staying sober. At this point, they use NLP, mutual “friends” and history to strike up a conversation to get the information they desire.
Here’s how this conversation might go down:
- The hacker might say, “IT got all over my case today, they said my password wasn’t strong enough. I feel like I need to write it in a foreign language!”
- Then the victim, inebriated and trusting, will respond in-kind “Man, my password’s ‘ABC123,’ if I wasn’t the CEO they’d get all over my case!”
From there, the target has the insight they need, but they’ll likely keep the conversation going in case they end up needing more information and to ensure that the password portion of the conversation isn’t memorable for the victim.
Oh, and why isn’t the hacker drunk? Because they may have paid the bartender in advance with a handsome tip to leave alcohol out of all of his beverages.
18. Cause a Panic and Take Advantage
In this situation, the hacker reaches out to a user in some way, saying they’ve been compromised, and the hacker claims to represent a technical support individual or a help desk employee. How do they get ahold of the user? Through data available on the Dark Net. For instance, there are numerous cases of Dell records, including service number and service call dates and information, that hackers can use to not only reach out to a user but truly convince them they are technical support. [include a link here to back it up]
Now they talk to the user, saying the user needs to reset their password to meet complexity requirements, enable remote desktop access or even install a file through the command prompt. The social engineer walks them through this process.
After the task is complete, the hacker asks if they can help them with anything else and informs the user that there maybe a survey following this call (which one of their friends might actually perform for them). They do this to make it seem authentic and because people tend to remember the beginning and end of conversations, but not the middle. By exiting the conversation gracefully or even adding another voice through a survey, they make it seem more authentic.
STOP THE HACKER: Dealing With Phone Based Social Engineering Attacks
Here are 5 tips users can try when dealing with potential phone scams according to Rod Simmons at eSecurityPlanet:
- Get the caller’s name, phone number and extension. End the call and call them back using a number on the official company’s website.
- If you get the caller’s full name, look them up on LinkedIn. See if they have a profile and history with the company.
- Zero Trust. Treat every call as if it is a scam and ask tough, detailed questions. Provide false information to throw them off.
- Tell them you’re busy and to call you back later. Search online to see if there is any information on a scam like the one you feel could be happening. Search the name of the company and scam.
- Trust your gut. Hang up if you need to and call your company or IT department’s extension.
Here the hacker needs to be inside the building at a large, multi-site company. The hacker will wait for a director or C-level employee to leave the country and they’ll need access to their desk phone. Once this happens, the hacker will reach out to off-site IT, faking frustration that they cannot access specific files and they’ll demand access immediately since they’re about to leave the country.
If IT resists, they’ll insist to speak to the person’s manager, growing angrier as time passes. Their ultimate goal is to get their target to quickly give into their demands because they’re so angry.
There is another alternative as well. The hacker will call the IT representative, saying they were frustrated after having a face-to-face with another individual in IT. They’ll tell the victim that they are owed a favor by the CFO, or whoever the hacker was impersonating.
20. Whale Hunting
Here the hacker goes after a whale, also known as your executive team. The hacker calls, pretending to be from a good cause or a professional or alumni association and promises to provide a business partnership/networking environment that can help them move their business. The hackers make it very affordable and brand the web page well. Naturally, the C-level executive fills out his form with his corporate credit card information.
At this point, the hacker has what they need to make corporate expenditures on the account. Other prime what targets would include the C-level support team, both in regards to money transfers and data security, especially when the C-level executive is away.
21. Election Season
This social engineering practice is very similar to whale hunting, but it can happen to anyone. A person lies about being from the campaign and they call the victim for a corporate donation. This is typically following a local election. If they pick the wrong candidate, they’ll try again in a few days with their opponent’s name.
The person will either build a website or ask for the credit card information over the phone. To finish the hack, they’ll often make the user fill out a form that looks like an official tax document, where they can gather more information about the person they hacked to reach out directly to them in the future or use their information for further gain.
The typical target for this kind of social engineering tactic is a whale. The hacker will call with a pre-recorded message, pretending to be the victim’s company or the company’s bank. The hacker will ask the user to call a phone number, and in doing so, they will ask for their credit card info, phone number, pin, last four digits of their social security number and other sensitive details.
At this point, they’ll report some transactions that will obviously be fake, and they’ll cancel the transaction and promise the cardholder that they will send out a new card soon. However, the hacker hasn’t done any of these things and they’ll spend more money on the card.
23. Vendor Scams for Wire Transfers
The social engineering tactic here focuses on getting money. The hacker needs to have some knowledge of the organization to pull this off on a specific target, but it can also be sent in volume acting as a big name vendor.
The social engineer will claim to be a vendor the company uses. Again, they’ll perform a harvest scan and look at some tracking codes the company uses. This could be as simple as identifying an email marketing vendor, and web analytics tracking software or even a content management system.
They will then execute a classic phishing scam, but they’ll inform the victim that they’re from “collections” or “accounts receivable.” This typically happens through a phone call, but it can also come from an email as well. They’ll provide an invoice for services and request payment or wire transfer to an offshore (and therefore protected) bank account.
If they really want to go after someone who initially ignores the request, they’ll follow up and use a voice recording from a phone call where they get the victim to answer “yes.” They then use that to try to leverage payment for a product by saying that they have you answering “yes” to being overdue for an invoice. From there, they may threaten legal action. How do they get you to say yes? They ask you to confirm your identify on the first call, which targets often respond with by saying “Yes, this is [FIRST NAME].”
STOP THE HACKER: Identifying Wire Transfer Social Engineering Attacks
We spoke with Damian Caracciolo, VP and Practice Leader at CBIZ Management & Professional Risk, about how he’d stop wire transfer based social engineering attacks. He gave us 3 warning signs to watch out for:
1. A request for money or payment from an apparent vendor. Never send money to an unknown subject. Always ask for multiple forms of identity from the individual that you are working with before transferring money.
2. Normal wire request process being circumvented or altered. If a normal wire request has been circumvented, something isn’t right. It’s better to be safe than sorry. Ask the necessary questions to find out why the client is altering the wire request before approving.
3. Being pressed to make a decision or send money fast. Never feel rushed to make a wire transfer. Many scam artists will rush the process so that they can get paid quickly without any background check.
Concluding Thoughts on Social Engineering Attacks
Hopefully, this gets you thinking about ways you can be hacked, while also giving you white hat hacking methods to test your own users with. Make sure that you keep track of confirmed victims and try to lower that rate each year.
As you can see, there are also various types of goals to these social engineering based attacks. Many of these social engineering tactics want access to data, and these attacks would be difficult to detect. That’s why it’s so important to protect the foundation of your data, the files your organization stores and transfers. Advanced visual file analytics and in-depth audit reporting can help identify breaches early. To improve file governance, management and access control, use SmartFile and connect it directly to your network. Request a demo to see how it works!