Whitepaper: Social Engineering – Phishing Campaigns

What is Social Engineering

Social Engineering is the art of manipulating people into performing actions or divulgating confidential information.

Social Engineering is a form of hacking that relies on influencing, deceiving, or psychologically manipulating unwitting people to accomplish their goal rather than by breaking it or using technical cracking / hacking techniques.

While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, computer system access and physical security; in most cases the attacker never come face-to-face with the victim.

Social engineering has also been employed over the years not only for criminal purposes but by debt collectors, skip tracers, private investigators, bounty hunters and tabloid journalists as well penetration testers (who would operate under “Rules of Engagement”).

How it Works

There are a number of forms of Social Engineering, however, in today`s White Paper, we will be discussing Phishing attacks; a technique of fraudulently obtaining private information. The most common form of phishing attack is where the phisher (perpetrator) sends an email that appears to come from a legitimate business requesting “verification” of information and warning of some dire consequence if it is not provided to the target (victim).

The email usually contains a link to a fraudulent web page that seems legitimate with company logos and content and predictably has a form requesting PII (Personally Identifiable Information). This could be anything from your home address to National Insurance number or Social Security Number to your banking debit cards PIN code or a credit card number.

________________________________________________________________________________________

For example, in recent times, there was a phishing scam in which users received emails supposedly from eBay claiming that the user’s account was about to be suspended unless a link provided was clicked to update the credit card information (information that is not held by eBay but PayPal, who is owned by eBay).

It is relatively simple to make a website resemble a legitimate organization’s site (YouTube has videos on website design) by mimicking the source code and logos, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay’s site to update their account information.

By spamming this email out to a large groups of people, the “phisher” counted on the email being read by a small percentage of people who were not aware that eBay does not hold your financial information on their systems.

In the current climate, phishers are not only targeting PII, but they are targeting organisations through the weakest link in the chain, the human factor, to gain access to ‘crown jewels’.

They send phishing campaigns in order to have great potential for hitting their target. They are knocking on several doors at once and they only need one person to react to their email and the front door is unlocked.

Social Engineering - Phishing Campaigns_Page_06_Image_0001

Risk – To Individuals and Organisations

An attacker who has gained access through the use of social engineering techniques is extremely difficult to trace. An organization may not be able to detect a well-crafted cyber-attack for months and sometimes relying on other security focused organisations to inform them they have been exploited.

The longer the attacker remains unnoticed, the bigger the impact (this could be financial losses and reputational damage) to the company brand, if they are a financial institution holding a lot of sensitive and personal information on individuals.

Social Engineering - Phishing Campaigns_Page_07_Image_0001

Common Characteristics

Phishing Emails

  • Sense of urgency – phishing emails play to our innate psychology. By impersonating a person or organization with a high level of authority and urging immediate action, these emails are dangerously persuasive.
  • Poor spelling and/or grammar – it is highly unlikely that a corporate communications department would send messages to its customer base without going through at least a few rounds of spelling and grammar checks, editing and proofreading.
  • It sometimes contains messages that sound attractive rather than threatening. For example; promising the recipients a prize or a reward.
  • The phishing email will use a forged sender’s address or spoofed identity of the organization, making the email appear legitimate as if it originated from the organization.
  • The phishing email will contain contents such as texts, logos, images and styles used on legitimate website to make it look genuine. It uses similar wording or tone, that is identical to that originating from a legitimate website or source. Some emails may even have links to the actual web pages of the legitimate website to gain the recipient’s confidence.
  • Hyperlinks – the phishing email will contain hyperlinks that will take the recipient to a fraudulent website / web page instead of the genuine website / web page.
  • It may contain a form for the recipient to complete, providing personal and/or financial information, then allowing the recipient to submit it. This normally involves the execution of scripts to send the information to databases or temporary storage areas where the fraudsters store and at a later time go back to collect their rewards.

 

Phishing Websites

  • It uses genuine looking content; such as images, texts, logos or even mirrors the legitimate website to entice visitors to enter their accounts or financial information.
  • It may contain actual links to web contents of the legitimate website such as contact us, privacy policy or disclaimer to trick the visitors.
  • It may use a similar domain name or sub-domain name as that of the legitimate website. For example; www[.]paypol[.]com or www[.]ebay[.]net
  • It may use forms to collect visitors’ information, these forms are similar to that seen on the legitimate website.
  • It may appear in the form of a pop-up window that is opened in the foreground with the genuine web page in the background to mislead and confuse the visitor into thinking that he/she is still visiting the legitimate website.
  • It may display the IP address or the fake address on the visitors’ address bar assuming that visitors may not aware of that. Some fraudsters may perform URL spoofing by using scripts or commands to construct a fake address in place of the original address.

Prevention / Remediation

The best preventative practice is providing a through and well delivered training program regarding social engineering tools and techniques used, to ALL employees but with a great emphasis on the new hires as they tend to be the people that the phishers target the most.

Other things that organisations can do to prevent these phishing campaigns being successful is by disabling the attachment preview feature in Outlook (this will minimize the risk) of an unauthorised program running or downloading an unauthorised piece of software. Additionally, establishing better filtering rules on the email server with reputation lists can significantly help combat campaigns succeeding.

For an organisation to rely on their security measures does not guarantee that an attack will never come, but it will certainly minimize the possibility that it will succeed, although there is always room for human susceptibility. By having the appropriate training is key to reducing the susceptibility. For example; a lot of security campaigns by government organisations and financial institutions inform and advise users to watch for the ‘lock’ symbol and ‘https’ prefix on web addresses, but in fact, this is a secure communications protocol that lets you know you are communicating with a website privately and in no way does it tell inform the user about the trustworthiness of the website. HTTPS & SSL does not mean “trust this”, it means “this is private”, so it is fundamental that the training provided to end users is objective and accurate.

The only way to protect your company against targeted attacks is the combination of smart software and top human talent. Powerful detection and response solutions are a great way to make sure your organization is well equipped to face an attack. Having a SOC (either in-house or provided to your organisation as a Managed Service) that can review all those security and audit logs for you, exponentially increases the chances of detecting malicious activity early and preventing any threat to your organisation. invinsec have the capability to integrate Office 365 along with other technologies into our SIEM BroadBot, which will has the ability to detect and alert on any suspicious activity that might be taking place or residing on your infrastructure in a dormant to semi-dormant state.

Best Practise Recommendations

Get creative about training! Best practice is to have regular training sessions for existing employees (e.g., quarterly) and as an intricate part of the on-boarding process for every new hire. Successful training incorporates a variety of activities that teach end users, how to identify social engineering attempts, phishing emails and other forms of data extraction.

Create a corporate policy that employees can understand. Use real-life examples and references that the end users can apply in practice. Avoid lengthy, technical documents that are difficult to read and apply to everyday work routines.

Give employees direct instructions that apply to your specific workplace. For example, tell employees to send suspicious and potential phishing emails to suspiciousemails@yourcompany[.]com, or alert a manager if they feel they’re encountering or have encountered a social engineering situation.

Organisational culture change can have dramatic effect. Moving away from shaming individuals who fall foul of phishing to a model that encourages disclosure has been shown to strengthen the entire team and organisation.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s