The Human Vulnerability Scan
Is a hacker more likely to perform elaborate attacks that require slow stealth scans, custom scripts, and metered brute-forcing attempts? Or is it more likely that they search for the easiest and quickest way to get the data they are after without being noticed? Elaborate attacks are absolutely carried out daily, but the more likely option is that a hacker will find the easiest way to get the data they desire, and that is often through social engineering.
“What are the first steps that a hacker may do to try to gain access to someone’s data?”
One of the many services that we provide for our clients (and one of my personal favorites) is performing social engineering engagements. Social engineering is defined as the use of deception to manipulate a person into divulging confidential or personal information, or into giving someone access to it. These simulated attacks give businesses an idea of where their weaknesses lie in this aspect of security. Since users are often the first line of attack, and of defense, against phishing emails, vishing calls, and in-person social engineering attacks, security awareness training and these engagements prove necessary: they prepare users, remind us that attacks are happening all the time, and keep security at the forefront of users' minds.
Social engineering attacks can be very sophisticated and can look very similar to legitimate email communication, so it takes a keen eye to spot the differences! Subtle changes are what to look for: graphics that are slightly off, an email header that is different, an attachment with a strange name, misspellings, or a body that doesn't sound like the person the email claims to come from are all possible clues of a phishing email. For example, a legitimate email address could be email@example.com, but someone wanting to impersonate Mr. Johnny could spoof an email from firstname.lastname@example.org. Can you see the difference?
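Two of the clues above, a sender address that is a near copy of a real one and an attachment with a strange name, can be checked automatically at the mail gateway or in a user-reporting workflow. The following is an added example written for this post, not Alias Forensics' tooling; the `KNOWN_SENDERS` directory, the lookalike domain `examp1e.com` and the sample message are all constructed for illustration.

```python
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed directory of senders the organisation knows (hypothetical values).
KNOWN_SENDERS = {"johnny@example.com": "Mr. Johnny"}
SUSPICIOUS_EXT = (".exe", ".scr", ".js", ".vbs", ".hta")


def lookalike(domain, known_domain, threshold=0.8):
    """True when a domain is close to, but not equal to, a known one (e.g. one swapped letter)."""
    if domain == known_domain:
        return False
    return SequenceMatcher(None, domain, known_domain).ratio() >= threshold


def phishing_clues(msg):
    """Return the clues found in a message; an empty list means nothing stood out."""
    clues = []
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rpartition("@")[2]
    known_domains = {a.rpartition("@")[2] for a in KNOWN_SENDERS}
    if address not in KNOWN_SENDERS:
        # Clue 1: the sender domain is a subtle variation of a domain we trust.
        for kd in known_domains:
            if lookalike(domain, kd):
                clues.append(f"sender domain '{domain}' looks like known domain '{kd}'")
        # Clue 2: the display name is a known person's, but the address behind it is not theirs.
        for known_addr, known_name in KNOWN_SENDERS.items():
            if display_name.lower() == known_name.lower() and address != known_addr:
                clues.append(f"display name '{display_name}' belongs to {known_addr}, not {address}")
    # Clue 3: attachment names that hide an executable or carry a double extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SUSPICIOUS_EXT) or name.count(".") > 1:
            clues.append(f"attachment with strange name: {name}")
    return clues


def build_message(sender, attachment_name=None):
    """Build a constructed sample message (not a real email) for testing the checks."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    if attachment_name:
        msg.add_attachment(b"not a real file", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    for clue in phishing_clues(build_message("Mr. Johnny <johnny@examp1e.com>", "invoice.pdf.exe")):
        print(clue)
```

The similarity threshold is deliberately loose; in practice it should be tuned against the organisation's own domain list to keep false positives down.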
Another form of social engineering is voice phishing, or vishing: social engineering attempts directed over the phone. These attacks are very similar to phishing attacks except that they are conducted over the phone. As we are in the midst of tax season, a common vishing attempt around this time of year is attackers posing as the IRS and threatening jail or huge fines to trick an individual into making a payment. Likewise, many people receive calls from scammers saying “this is your second and final notice to lower your credit card rates, press 1 now to speak with a representative”. If the caller is posing as someone, you can contact the actual company or person to confirm whether they were really trying to get in contact with you. Often you may be able to tell that something is strange about a phone call or email you receive, but all it takes is one time where your guard is down to become a victim.
In-person social engineering, as the name says, is done in person in an attempt to gain access to secure areas or confidential data within a facility. Once access to a facility is gained, attackers use it to gather insider information by eavesdropping on conversations, stealing documents, stealing equipment, or stealing data from computer systems. The data theft can be done either by copying data while in the area or by installing a remote access tool (RAT) for access later. Often, in order to gain access to an area, the attacker impersonates some sort of trusted source or someone you would obey. Some examples could be a meter reader, third-party IT, an auditor, or even a fellow employee. How do we detect someone like this? Look for things that are unusual: outside individuals arriving without an appointment or prior authorization, or people with odd questions or requests.
HUMAN NATURE! EMOTION!
The one commonality in all forms of social engineering is that the attacker plays on our human emotions. The exact characteristics that make us human also make us vulnerable, and exploiting them is the attacker's best chance of getting someone to divulge the information they want.
Fear. Urgency. Helpfulness. Excitement. Obedience. Curiosity.
Social engineering is a psychological game.
The best tip I can provide to someone who asks, “What can I do to prevent myself from being socially engineered?” is: Trust no one, question everything. You can still be polite and helpful while asking questions of authority figures or strangers.
If you would like help in testing your organization to see how you fare against social engineering attacks, please reach out to Alias Forensics by phone or email for a consultation!
Alias Forensics’ Security Engineer