The human attack vector: Social engineering

Cyber    Tom Barton, July 22 2021

90% of attacks target the human element. Learn what to look for and how to protect your organization.


What are the most common cyber attacks?


Definition of a cyber attack

A cyber attack is an attempt to breach an organization’s or individual’s information systems, either for the attackers’ financial gain or to cause ongoing disruption to the victim. The attackers can be individuals or, in some cases, organized groups. Attacks can disable computers, steal sensitive data or turn compromised systems into a launchpad for further attacks. Common attacks include:

  • Malware
  • Phishing
  • Man-in-the-middle
  • Distributed denial-of-service (DDoS) attack
  • SQL injection attacks
  • Zero-day exploits


What is malware?

Malware is an umbrella term for malicious software of all kinds; it can take the form of spyware, ransomware, viruses and worms, to name a few. This software is designed specifically to cause harm to, or exploit, a targeted device, service or network. More often than not, malware will extract data to gain leverage or a financial hold over the victim. Different types of malware have different capabilities. Malware can:

  • Install other malware to perform further attacks
  • Covertly copy data from a hard drive and send it to the attacker
  • Disrupt a system and make it inoperable
  • Block access to a whole or part of a network.

There are so many different types of malware in the wild that blocking every one is impossible. However, basic hygiene and user education go a long way as a front-line defense:

  • Keep operating systems and applications up to date
  • Avoid clicking on unknown links in emails, social networks or text messages
  • Have some form of antivirus software installed on your device
  • Stay vigilant!

What is phishing?

Phishing is a social engineering attack in which the attacker masquerades as a trusted entity (a colleague, a supplier or a well-known service) to trick people into clicking a link that delivers malware, or into giving up sensitive information such as login credentials.

Phishing is the most frequently reported cybercrime in the world. According to the FBI’s annual internet crime report, phishing incidents nearly doubled in frequency, from 114,702 reported incidents in 2019 to 241,324 in 2020. With 96% of phishing attacks delivered via email, staff training and education are more important than ever.

This prevalence makes the cost of a breach a scary statistic. IBM’s 2019 Cost of a Data Breach Report puts the average cost per compromised record at $150. For context, around 5.2 million guest records were exposed in Marriott’s 2020 breach; multiplied out, that would come to roughly $780 million, though a per-record average is a crude yardstick for a breach of that size. The average breach in the same report cost organizations $3.92 million.

Man-in-the-middle attack

Also known as an eavesdropping attack, a man-in-the-middle attack has the attacker intercept traffic by inserting themselves between two communicating parties. The man-in-the-middle can then read, alter and steal the information passing between the two, who believe they are communicating directly with each other.

Distributed denial-of-service (DDoS) attack

A DDoS attack floods an organization’s servers with a huge volume of simultaneous requests from many sources, so that they can no longer complete legitimate ones. Attackers sometimes use the resulting outage as leverage, demanding a ransom to stop the attack.

SQL injection attacks

SQL (Structured Query Language) is the language applications use to talk to their databases. In a SQL injection attack, the attacker supplies input (in a form field, URL parameter or header) that the application pastes directly into a database query, so the input becomes part of the query itself rather than a plain value. Depending on what the application’s database account is allowed to do, this can make the server reveal data the application has access to, let the attacker modify or delete that data, or change how the application behaves, for example by bypassing a login check.
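To make the mechanism concrete, here is an added example (written for this page, not code from the original article): a login query built by string formatting, beside the parameterised version of the same query, both run against a constructed in-memory SQLite database. The table, the user records and the payloads are assumptions for illustration; the point is that the vulnerable version lets a single quote and a `--` comment rewrite the query, while the safe version treats the same input as a literal value.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the query text, so a quote
    in the input ends the string literal and the rest becomes SQL syntax."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Hardened: a parameterised query. The SQL text and the values travel to the
    database separately, so the input can only ever be compared as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # "alice'--" closes the string literal and comments out the password check.
    print("vulnerable:", login_vulnerable(db, "alice'--", "wrong password"))
    # "' OR 1=1--" makes the WHERE clause true for every row, dumping the table.
    print("vulnerable:", login_vulnerable(db, "' OR 1=1--", "anything"))
    # The same payloads against the parameterised query match nothing.
    print("safe:      ", login_safe(db, "alice'--", "wrong password"))
    print("safe:      ", login_safe(db, "alice", "correct horse"))
```

Parameterised queries (or an ORM that produces them) are the fix; escaping quotes by hand is error-prone and does not cover numeric fields or identifiers. Running the application’s database account with the minimum privileges it needs limits what a successful injection can read or change.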

Zero-day exploit

A zero-day is a vulnerability that is exploited before the vendor has released a patch, often before the vendor or the victim even knows it exists. Until a fix is available there is nothing to apply, so attacks exploiting a zero-day can be particularly devastating and difficult to stop; even once a patch is published, attackers still have a window of opportunity while organizations roll it out.


What is social engineering?

Social engineering refers to all the techniques used to coerce or talk a victim into revealing information, or taking an action, that the attacker can then use to perform malicious activities and leave an organization or individual open to further attacks.

How do social engineering attacks work?

Social engineering attacks take place over a series of stages:

  • Investigation - researching the target victim or organization, understanding how communication flows and who sits in the senior roles.
  • Hook - engaging the target, often via email, and spinning a story designed to trigger the reveal of sensitive information.
  • Play - once the reveal has taken place, expanding the attack, disrupting more elements and drawing in other key stakeholders.
  • Exit - with the attack complete, covering their tracks and removing any trace of their work. By this time it’s too late and the damage is done.


Social engineering attack techniques

There are many different techniques used within the arena of social engineering. We’ve listed a few of the critical ones to look out for:

  • Baiting - A form of physical social engineering whereby an attacker leaves a malware-infected USB device lying around; this is then picked up by a victim and inserted into a device out of innocent curiosity, unintentionally installing the malicious software.

  • Pretexting - An early stage of a far more complex social engineering attack, pretexting involves gaining the victim's trust by pretending to be a trusted source and exploiting this trust to gain information about them or the organization.

  • Tailgating - Another physical social engineering technique that involves the attacker following people into restricted areas and potentially gaining access to network devices. The old “I’ve forgotten my pass” trick is one of the most common themes.

  • Quid pro quo - An attacker impersonates tech support and hunts for someone with a genuine technical problem. They then set up a trade: they will fix the problem (Y) if the victim first does something for them (X), such as sharing a password or switching off a security control.

  • Scareware - Normally delivered as pop-ups warning the victim that their device or application is out of date or at risk. Clicking the pop-up installs the malicious software.

  • Phishing - The most popular of all the social engineering techniques, owing to many organizations’ reliance on email as a form of communication. A malicious actor sends an email to an individual pretending to be a trusted source, with the objective of either gaining access to sensitive data or deploying malware via a link click.

  • Spear phishing - A type of phishing that targets a particular individual in an organization; it usually follows extensive investigation and pretexting.

  • Whaling - Another form of phishing whose sole purpose is to target those at the top of the organization.

  • Vishing - Voice phishing: the same as email phishing, but carried out over a phone call.

  • Smishing - Phishing via SMS. Text messages from apparently legitimate sources carry malicious links, or ask the victim to reply with a one-time code, which lets the attacker bypass SMS-based two-factor authentication.
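Several of the techniques above (phishing, smishing, scareware) hinge on a link whose real destination differs from what the victim sees. As an added illustration written for this page, not code from the original article, the following Python scans an HTML message body for the link-level tells a mail filter or an analyst would look for: visible text that names one host while the href goes to another, a `user@` prefix that hides the real host, raw IP addresses, and punycode (`xn--`) hosts that may be homoglyphs of a real domain. The sample message body is constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not a real message): one hidden-host link, one punycode link,
# one benign link.
SAMPLE_BODY = """
<p>Your account has been locked. Please confirm your details.</p>
<a href="https://bank.example@198.51.100.7/login">https://www.bank.example/login</a><br>
<a href="https://xn--bnk-example-zzz.example/verify">Verify now</a><br>
<a href="https://www.bank.example/help">Help centre</a>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_indicators(html_body):
    """Return (href, reason) pairs for links that show common phishing tells."""
    parser = _Anchors()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        try:
            parsed = urlparse(href)
            host = (parsed.hostname or "").lower()
        except ValueError:
            findings.append((href, "unparseable URL"))
            continue
        # https://bank.example@203.0.113.5/ : everything before '@' is userinfo, not the host.
        if parsed.username is not None:
            findings.append((href, "user@ before the host hides the real destination"))
        if _is_ip(host):
            findings.append((href, "link points at a raw IP address"))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "punycode host, possible homoglyph of a real domain"))
        # Visible text that looks like a URL or hostname but does not match the href's host.
        shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1).removeprefix("www.") != host.removeprefix("www."):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in link_indicators(SAMPLE_BODY):
        print(f"{reason}: {href}")
```

None of these checks is proof of phishing on its own; legitimate mail sometimes uses tracking redirectors, and internationalised domains are valid. They are useful as scoring inputs, and as the concrete things to teach staff to look for when they hover over a link.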

What is business email compromise (BEC)?

Business Email Compromise (BEC), also called CEO fraud and usually carried out through email spoofing or lookalike sender domains, relies on the fact that most businesses operate almost exclusively over email. According to the FBI, BEC is one of the most financially damaging forms of cybercrime currently in use.

The attacker will spoof the sender address, or register a domain that differs from the real one by a few characters, hoping to trick the receiver into thinking the email comes from a senior member of the organization, most likely the CEO or CFO. The fraudulent email will attempt to harvest sensitive data or, in most cases, get funds transferred out of the organization, typically by requesting an urgent payment.
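The "few characters changed" trick is detectable. As an added example written for this page (not code from the original article), the following Python checks a message’s sender headers for the three most common BEC signals: a sender domain that is a lookalike of the organization’s own domain (folding visual substitutions such as `rn` for `m` and `1` for `l`, plus a small edit distance), a display name that matches an executive while the address does not, and a Reply-To that diverts replies to a different domain. The organization domain, the executive directory and both sample messages are constructed assumptions.

```python
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain and a constructed executive
# directory mapping display names to their real addresses.
OUR_DOMAIN = "examplecorp.com"
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}

# Constructed sample headers: a BEC-style message and a genuine one.
SAMPLE_BEC = {
    "From": "Jane Doe <jane.doe@exarnplecorp.com>",
    "Reply-To": "jane.doe.ceo@webmail.example",
    "Subject": "Urgent wire transfer before close of business",
}
SAMPLE_LEGIT = {"From": "Jane Doe <jane.doe@examplecorp.com>", "Subject": "Board pack"}


def _fold_lookalikes(domain):
    """Collapse common visual substitutions (rn->m, vv->w, 0->o, 1->l, 3->e, 5->s) so a
    lookalike domain compares equal to the domain it imitates."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def _levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def sender_indicators(headers):
    """Return the reasons a message's sender headers look like BEC (empty list if none)."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = _domain(addr)
    reasons = []
    if domain and domain != OUR_DOMAIN:
        if (_fold_lookalikes(domain) == _fold_lookalikes(OUR_DOMAIN)
                or _levenshtein(domain, OUR_DOMAIN) <= 2):
            reasons.append(f"sender domain {domain} is a lookalike of {OUR_DOMAIN}")
    # Display-name impersonation: the name is an executive's, the mailbox is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' is an executive but the address is {addr}")
    # Reply-To diversion: replies (and the payment details) go somewhere else entirely.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and _domain(reply) != domain:
        reasons.append(f"Reply-To {reply} is on a different domain from the From address")
    return reasons


if __name__ == "__main__":
    for label, msg in (("BEC sample", SAMPLE_BEC), ("genuine sample", SAMPLE_LEGIT)):
        print(label, "->", sender_indicators(msg) or "no indicators")
```

A check like this belongs at the mail gateway, tagging or quarantining matches, but the human control still matters: any request to move money or change payment details should be verified over a second channel (a phone call to a number already on file, not one taken from the email) regardless of what the headers say.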

The FBI lists BEC as the cybercrime with the highest reported losses, accounting for $1.77 billion during 2019 alone. Reported ransomware losses over the same period were a small fraction of that, at around $9 million.

What is the best defense against social engineering?

A few strategies are available to help in the defense against social engineering attacks:

  • Keep antimalware and antivirus software up to date
  • Stay up to date with operating system and firmware updates on endpoints
  • Know which staff handle sensitive data and payments, and make sure they know they are targets
  • Ensure two-factor authentication is enabled everywhere it can be
  • Use strong passwords and don’t reuse the same password across multiple accounts and applications
  • Verify any request to transfer funds or change payment details over a second channel, such as a phone call to a number already on file, never by replying to the email
  • Regular penetration testing can help identify vulnerabilities
  • Keep staff trained and updated on how to detect and deal with attempted social engineering attacks