Our expertise means a lot to us, but we know it is only possible because of our seasoned, battle-hardened professionals and the perspectives they bring to the table.
This is precisely why we sat down with Dr. Steve Jeffery, Lead Solutions Engineer of Fortra’s Clearswift, to ask what he thought of the kinds of social engineering attacks businesses are seeing today – and what can be done about them.
And what he had to say was downright scary.
Unsolicited “Updates”
When asked which attacks are beguiling us today, Dr. Jeffery said, “Before we talk about the new stuff, let’s just go over those tried-and-true attacker profiles that are still duping people.
Let’s talk about how they call you up–first, unsolicited–and start asking you for all this information. They claim to be from your insurance provider and say, ‘Hey, can I get your address? Can I grab your VIN?’ But how do YOU know that? How do they authenticate themselves to you? So I typically respond, ‘No.’ or ‘Why?’, which really gets on their nerves.
It’s as simple as this. If I call you, I’ll answer any security questions you want. But if you call me, I have no idea who you are. You could be anybody, or worse an imposter, and I’m not answering.”
The bottom line? Don’t give personal, sensitive information to unsolicited callers. If you're concerned or feel you need to update your insurance information, hang up and call the provider’s published number directly, or verify that the number on your caller ID really is the one it purports to be. But be careful: even caller ID can be spoofed, so to be sure, it’s best to do your own digging and dialing.
Sly Social Engineering Asks
Building on this basic scheme, attackers are branching out to include more of a technical or financial element to get to the paydirt faster. Why patiently glean drops of information for a heist down the road when you can get people to send over their credit card details now?
Jeffery describes this phenomenon: “People are using that [original] social engineering [template] to try and get people to download or install something as well as the sort of straight fraud. ‘Please wire me some money,’ they’ll say, or 'Install this software because you've been asked to do it by your IT department.’ They'll try and leverage even a little piece of knowledge about you to gain your trust.”
He explains that because most people are naturally accommodating, their first instinct is to answer the questions with no sense of distrust. This is especially the case when attackers leverage a bit of personal information they already know about you, such as the fact that you golf (from scraping your hobbies on LinkedIn!).
SMS-Based Exploits
What comes next might be in the form of a text. Jeffery notes, “I've been seeing quite a bit more SMS-type attacks now. My friend was well down the road of sending a solicitor money when she thought, ‘Why does my son need a new iPhone? He’s an Android user!’ When she finally decided to text her son, she discovered that the other text thread was a complete scam. She almost lost several hundred dollars.”
He also shares, “Another friend of mine received a malicious scam text notifying her of a parking notice. This was an easy technique to catch because she doesn’t drive or even own a car!”
And that's the point. Attackers are brazen and will act like someone you know. Unfortunately, we need to be wary of not only strangers but “friends” or acquaintances, who may not be who we think they are. The same rules apply: If there are any doubts, go to your contact list and message them directly.
It’s a Numbers Game
Jeffery also emphasized that when spoofing human beings, many intangibles come into play. Social engineering tactics and learning to spot their signs could be considered the art of an otherwise very technical field. You’ve got to use your instincts, your reasoning, and your common sense. After all, this is what attackers do (or prey on).
“[An attacker] only needs the rate to be really low, so lots of these social engineering attacks work on the premise of, ‘I could send that to 1,000 people, and 999 people are going to look at it and think, ‘Well, that's a scam.’ One person who's just distracted, not thinking properly, they're in the moment. They click the link or do whatever you've asked them to do because they were in a rush, and they didn't think it through properly.’”
And as he puts it succinctly, “That's all you need.”
Timing is Everything
In another case, a mom was sending a gift to her son, who lived out of the country, for his birthday. She was on the phone with the delivery company because the package got stuck. Half an hour after she hung up, the “same delivery company” texted and said they were ready to get things resolved. Trusting them, she texted back – and gave them information she couldn’t get back.
It was all in the timing. If that message had come at any other time–before or after the incident–chances are she would have seen it for what it was. But since the timing was aligned perfectly, she fell for the trap.
QR Code Phishing
Another trend we’re seeing quite a lot now is the ubiquitous QR code – or “quishing” – ploy. The trouble with this flavor of phishing, per Jeffery, is: “If you put a URL into a message body, all the email security platforms are reading those URLs and checking them against the naughty list.”
Jeffery continued, “But if it’s in a QR code, there’s a chance it can slip through if the organization hasn’t invested in QR code protection. So attackers roll the dice, which is why we’re seeing that as an attack vector more often now.”
Traditional email security services aren’t able to catch the nefarious links hidden in QR codes, so it’s up to employees – the first line of defense – to be aware and steer clear. Then enterprises should also invest in a QR code threat detection solution.
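The scanning gap Jeffery describes, shown as an added example that is not code from the original post or from Clearswift: a filter that only extracts URLs from the text parts of a message passes a lure whose only link lives inside an image attachment, while a filter that treats image parts it cannot read as unverified holds the message for a QR-decoding stage. The blocklist hostnames, the sample messages, the attachment bytes and `constructed_decoder` are all constructed placeholders; in a real deployment the decoder would be a QR library such as pyzbar rather than the constructed lookup used here to exercise the block path.

```python
import re
from email.message import EmailMessage

# Constructed blocklist of known-bad hostnames (placeholders, not real indicators).
URL_BLOCKLIST = {"bad.example", "login-reset.example"}

# Captures the hostname of an http(s) URL; good enough for the demonstration.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def urls_in_text_parts(msg):
    """Hostnames of every URL visible in text/* parts (what a legacy URL scanner sees)."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hosts.update(h.lower() for h in URL_RE.findall(part.get_content()))
    return hosts


def image_parts(msg):
    """All image/* parts; a QR code would be embedded in one of these."""
    return [p for p in msg.walk() if p.get_content_maintype() == "image"]


def scan_text_only(msg):
    """Legacy behaviour: only URLs written in the body are checked against the list."""
    return "block" if urls_in_text_parts(msg) & URL_BLOCKLIST else "allow"


def scan_with_image_policy(msg, qr_decoder=None):
    """Hardened behaviour: text URLs are checked as before, and every image part is
    either decoded by qr_decoder (returns a list of URLs found) or, when no decoder
    is configured, the message fails closed and is held for inspection."""
    if urls_in_text_parts(msg) & URL_BLOCKLIST:
        return "block"
    images = image_parts(msg)
    if not images:
        return "allow"
    if qr_decoder is None:
        return "hold"  # content the scanner cannot read is not treated as clean
    for part in images:
        for url in qr_decoder(part.get_payload(decode=True)):
            m = URL_RE.match(url)
            if m and m.group(1).lower() in URL_BLOCKLIST:
                return "block"
    return "allow"


def build_sample(link_in_text):
    """Constructed lure: the same call to action, once as a plain URL and once
    pointing the reader at an attached image instead of a link."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Action required: re-enrol your MFA device"
    if link_in_text:
        msg.set_content("Please re-enrol at https://bad.example/mfa today.")
    else:
        msg.set_content("Scan the attached code with your phone to re-enrol today.")
        # Constructed stand-in for an image body; real QR pixels are not needed here.
        msg.add_attachment(b"\x89PNG\r\n\x1a\n<constructed image bytes>",
                           maintype="image", subtype="png", filename="enrol.png")
    return msg


def constructed_decoder(image_bytes):
    """Constructed stand-in for a QR library: returns the URL the sample image
    'contains' so the block path can be demonstrated offline."""
    return ["https://bad.example/mfa"] if image_bytes.startswith(b"\x89PNG") else []


if __name__ == "__main__":
    qr_lure = build_sample(link_in_text=False)
    print("text-only scanner:", scan_text_only(qr_lure))                     # allow
    print("fail-closed scanner:", scan_with_image_policy(qr_lure))          # hold
    print("with QR decoding:", scan_with_image_policy(qr_lure, constructed_decoder))  # block
```

The design point is the `hold` verdict: a filter that cannot look inside an attachment should not report the message as clean, because the absence of a detectable URL is exactly the condition the attacker engineered.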
Stegomalware
Last, and certainly not least, is steganographic malware, or “stegomalware” for short. Nowadays, attackers are slipping extortion attempts within the blank spaces of images. Here’s how it works:
An attacker alters an image at the binary level, replacing the four least significant bits (LSBs) of its pixel values. This barely changes the colors, so it goes unnoticed even by a savvy human eye. And because the malicious code in those images requires a separate component – a loader – to run, it goes unnoticed by email security systems unless you have an anti-steganography feature (which, luckily, Fortra’s Clearswift does).
While stegomalware and image-based attacks are often heard in the same sentence by security experts, another form of steganographic malware doesn’t come in an image at all, but instead users get pegged by a blended attack that combines “stegged” images and macros. For example, an attacker sends malicious macros in a Word document, knowing that while a malware binary will get caught off the bat, macros will not (because they’re not explicitly bad). For a full rundown on stegomalware, check out this blog.
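One way an anti-steganography check can spot the four-bit LSB replacement described above, shown as an added example rather than Clearswift's detection logic: replacing the low four bits of every pixel makes the sixteen values 16k..16k+15 equally likely within each bucket, so a histogram that is smooth but sloped in a clean image becomes flat inside every bucket. A chi-square statistic over those buckets separates the two cases. The cover image (pixels drawn from a bell-shaped distribution) and the "stegged" fixture (low nibbles overwritten with random bits, which is what an encrypted payload looks like) are both constructed here; the 1.5 threshold is an assumption chosen for this fixture, not a vendor value.

```python
import random

BUCKET = 16        # 4 LSBs replaced -> values 16k..16k+15 become interchangeable
MIN_EXPECTED = 5   # skip sparsely populated buckets, as usual for chi-square tests


def make_cover(width=256, height=256, seed=1):
    """Constructed 8-bit grayscale cover: pixel values drawn from a bell-shaped
    distribution, so the histogram is smooth but sloped inside each 16-value bucket."""
    rng = random.Random(seed)
    return bytes(min(255, max(0, int(rng.gauss(128, 24)))) for _ in range(width * height))


def randomize_low_nibbles(pixels, seed=2):
    """Test fixture only: overwrite the 4 LSBs of every pixel with random bits,
    reproducing the statistical footprint of 4-bit LSB replacement."""
    rng = random.Random(seed)
    return bytes((v & 0xF0) | rng.randrange(BUCKET) for v in pixels)


def low_bits_chi_square(pixels):
    """Compare the observed counts inside each 16-value bucket with a flat
    distribution. Returns (chi2 / degrees_of_freedom, number_of_buckets_used).
    A ratio near 1 means the low nibbles are uniform, as after LSB replacement."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2, dof, used = 0.0, 0, 0
    for start in range(0, 256, BUCKET):
        counts = hist[start:start + BUCKET]
        expected = sum(counts) / BUCKET
        if expected < MIN_EXPECTED:
            continue  # too few pixels here for the statistic to mean anything
        chi2 += sum((c - expected) ** 2 / expected for c in counts)
        dof += BUCKET - 1
        used += 1
    return (chi2 / dof if dof else float("inf")), used


def classify(pixels, flat_threshold=1.5):
    """'suspect' when the low nibbles look uniformly random, 'clean' otherwise."""
    ratio, _ = low_bits_chi_square(pixels)
    return "suspect" if ratio <= flat_threshold else "clean"


if __name__ == "__main__":
    cover = make_cover()
    stegged = randomize_low_nibbles(cover)
    for label, img in (("cover", cover), ("stegged", stegged)):
        ratio, used = low_bits_chi_square(img)
        print(f"{label}: chi2/dof={ratio:.2f} over {used} buckets -> {classify(img)}")
```

Two caveats a practitioner should keep in mind: a very noisy photograph can have naturally random low bits and trip this test without any payload, and an attacker who embeds in only a fraction of the pixels lands between the two extremes, so in practice this statistic is one signal among several rather than a verdict on its own. Note also that the check says nothing about what the hidden bits are; as the text explains, the embedded code still needs a separate loader to run, so catching the loader is an independent line of defense.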
Even Five-Year-Old Security Can’t Keep Up!
When it comes to defending against today’s social engineering threats, Jeffery says that the sad truth is that unless you’ve put some thought into revamping your security – especially email security – within the last five years, chances are it won’t keep up with the proliferation of ever more sophisticated threats being whipped up constantly.
“Social engineering and macro threats might not be in your toolbox if you’ve been doing your email security the same way for the last five to ten years. These are vectors that a lot of organizations haven’t thought through yet, but it’s about time. Ultimately, for the bare-minimum email security defense today, you need something that's intuitive enough to deal with macros and scripts, steganography, and images.”
Conclusion
To reiterate, teams today need something that:
- Trains users to spot textbook tactics (e.g., unsolicited text messages, unexpected requests for money, incongruous text messages, “update” alerts, etc.);
- Can read image-based text and QR codes (because cybercriminals know basic solutions will only scan for Unicode);
- Has an anti-steganography feature;
- Puts up controls around the sanitization of scripts and macros (this has been around for longer, but a lot of organizations still haven’t implemented it).
Social engineering attacks today are made up of the same fundamental bones but contain a lot of additional techniques and technologies that previous versions simply didn’t have. Because email servers end up with most of these in their net, today’s organizations must ensure their email security solutions are up to snuff. If they don’t have ways to catch steganography, stop QR-based exploits, or sanitize macros, Fortra’s Clearswift can help.