People are weak points: Are employees an Achilles heel? - Social engineering

People are weak points: Are employees an Achilles heel?

No firewall or antivirus program will help against these attacks. What we’re talking about here is social engineering. The scam is as old as the hills, but it still works a treat.

Employees download malicious files, click phishing links, chat with hackers, and reveal their colleagues’ contact details – social engineering is a true classic among the most powerful tools in the cyber attacker’s toolkit. What’s more, this technique was around long before the birth of the internet – probably in fact since people learned how to communicate. The method is based on gaining our trust and getting us to do things we ought not to do, such as revealing a password, social security number, financial details, or other secret information.

Pulling on your emotions

How does it manage to do that? Psychologists have discovered that people tend to ignore logic and facts when making emotional decisions. And this is precisely what criminals have learned to specialize in: Triggering an emotional response and exploiting it. Instead of finding a vulnerability in a program, for example, it is much easier to call an employee, pretend to be an IT support colleague, and then try to con the employee into revealing his/her password. Nobody would simply just go giving away their Facebook credentials to a complete stranger. But when a well-crafted phishing email rolls in that tells a convincing story of a hacked account or the need to verify login credentials, it seems that for many users common sense goes flying out the window. Such techniques also work well outside the digital world, with countless people having fallen for the con at their own front door of people wearing a fake police uniform or dressed as a tradesperson.

Spear phishing: Targeted attacks on specific individuals

Typically, cybercriminals deliberately seek out their victims. Compared to other attacks, with these spear phishing techniques the criminal even establishes direct contact with the victim such as via email, where the fraudster poses as the system administrator, or by using a fake Facebook profile, where the con artist poses as a colleague. Sometimes, the crooks even go so far as to phone the victim. The latest report by Positive Technologies reveals just how well social engineering attacks work in general. As part of their research, they sent 3,300 emails to employees in various companies – here are their key findings:

  • 17% of all social engineering attacks were successful and could have led, in a real attack, to the compromising of employees’ computers and, consequently, the entire enterprise infrastructure.
  • 27% of employees clicked an emailed phishing link, which makes such attacks the most successful social engineering technique. It seems that many users are unable to spot fake websites.

According to the research, in some cases users tried to enter their password up to 40 times on a fake site. And when they were unable to open an attachment right away, they often forwarded it straight to their IT department. Doing so exacerbates the risk as the IT employee probably sees their colleague as a trusted source and is likely to just open the “broken” file, according to the report.

Preventing social engineering attacks

In contrast to viruses and other typical attacks, while cyber security software such as Avira Internet Security Suite is unable to help in every instance, in the majority of cases such programs are still able to detect infected attachments and often even fake websites. The best strategy against social engineering is providing targeted information, a healthy dose of distrust, and curbing curiosity. If the employees of the following companies had also heeded this advice, these social engineering scandals would never have happened.

The three most successful social engineering attacks

Ubiquiti Networks

Things got really expensive for Ubiquiti, a US manufacturer specializing in Wi-Fi hardware and software, when the accounts department fell for a scam. They received emails with payment requests that seemed to come from the company’s subsidiary in Hong Kong. The amounts were wired directly to the hackers’ accounts without being verified, resulting in damage amounting to a hefty US$47 million.

 

Sony Pictures

This attack even caused tensions between two nuclear powers. North Korean hackers managed to disable Sony Pictures’ servers for several days as a result of a successful phishing attack. It was all triggered by the movie “The Interview” in which two US journalists, played by Seth Rogen and James Franco, are recruited to interview and assassinate the North Korean dictator, Kim Jong Un.

 

Yahoo

It’s one of the biggest data scandals ever: A Yahoo engineer made the mistake of falling for a spear phishing message which landed in his mailbox. This gave the attackers access to every single customer account of the US company – affecting more than 3 billion users. Their data ended up on the darknet and was used to launch subsequent attacks on other targets.

This post is also available in: GermanFrenchItalian