As end users we receive spam calls on a regular basis where the person on the other end poses as a bank executive and tries to trick you into handing over your card details, OTP or PIN. A customer who is not well informed may end up giving the attackers exactly the information they are asking for. Other examples are being asked to donate to a charitable fundraiser or some other cause, or simply being told that you have won a lottery. We bet that if you open your email today, you will find such messages in your inbox or your spam folder.
On 15th July 2020, the social media giant Twitter was outsmarted by a group of hackers. Twitter believed it “to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
The attackers did not stop there; they took the additional step of downloading the compromised accounts’ information through Twitter’s “Your Twitter Data” tool. This is a tool meant to provide an account owner with a summary of their Twitter account details and activity.
Because of this incident Twitter’s stock slid the day after the hack, wiping $1.3 billion off its market value and, more importantly, the trust and confidence of millions of its users.
The above incident took place on a large scale: a large number of accounts and followers, and a big company, were targeted for the attackers’ personal benefit. But social engineering attacks can happen to individual accounts as well.
Now that more people are aware, thanks to government and corporate policies, TV ads and social media campaigns, such direct attempts to ask for passwords or sensitive information have diminished. Instead, attackers target users through phishing. A phishing message can be an innocent-looking SMS, a direct message in your social media account or an email, designed to closely resemble a legitimate communication. Upon clicking the link, the user is redirected to log in to a fake site using their real username and password. This information is then captured by the attacker and used to log into the actual site.
Phishing attacks often target financial services websites such as banking websites or online wallets, because stolen credentials can be used to quickly transfer cash. Phishing messages can also be used to install malware on the target system. A common phishing email from our own Yahoo spam folder is shown here. These days email systems are smart enough to give you a first line of defense by detecting spam emails and silently moving them into your spam folder. In the example below the email was sent from a mass email distributor and was filtered by Yahoo. As a precaution all images and links were disabled by default. Here the sender wanted you to click on the ‘Details here’ button to check your driving license details. The sender probably wanted:
- To capture the user’s personal information, such as driving license details.
- To check whether the user’s email address is active so that they can spam it further.
- Or to inject some kind of malware into your system.
There are also many common variants of phishing, including the following:
Spear phishing attacks are specifically targeted at an individual based upon research conducted by the attacker. They may include personal information designed to make the message appear more authentic.
Whaling attacks are a subset of spear phishing attacks sent to high value targets, such as senior executives.
Vishing attacks use phishing techniques over voice communications, such as the telephone.
Sometimes attackers obtain credentials or other sensitive information by literally searching through the trash of the target individual or company, a practice termed dumpster diving. Dumpster diving is another variant of social engineering.
Countermeasures:
The most important countermeasure in dealing with social engineering attacks is education.
As an individual:
- Don’t rush; take your time whenever you receive such messages or calls. If in doubt, end the communication and do your own research into the facts stated.
- Do not click on links or enter your information on suspicious websites designed to provoke curiosity in visitors. A simple example is a huge discount sale flashing as an ad banner that offers an Apple iPhone at $150 instead of its regular $1000 price tag.
- Do not reply to emails that are obvious scams. Attackers often send such emails in bulk to check whether users’ email addresses are active. Once you reply, they will start spamming your inbox.
- Never provide your username, passwords, OTP, PIN, banking details etc. to third parties over email or over the telephone.
- Never write down your passwords or PIN anywhere, digitally or physically. Similarly, don’t save passwords in your computer or mobile browser.
- Once you have logged in to a site, log out properly when done rather than just ending the session by closing or exiting the application.
A full list of dos and don’ts for password safety and online safeguards can be found here.
As an enterprise:
- Users should receive training when they first join an organization, and they should receive periodic refresher training, even if it is just an email from the administrator reminding them of the threats. This exercise is even more critical for people who belong to the organization’s security team.
- Users in an enterprise should not share passwords among team members.
- Provide users with the knowledge they need to create secure passwords. Tell them about the techniques attackers use when guessing passwords, and give them advice on how to create a strong password. Follow the practice of using ‘passphrases’. Passphrases are combinations of a password and a phrase; they are long and alphanumeric in nature. For example, “1aMGo!ngF0raW@lk” includes uppercase, lowercase, special characters and numbers and encodes the phrase ‘I am going for a walk’; using the initials of the same phrase, ‘1Agf@w’, can also be a strong password that is easy to remember.
- A strong data loss prevention (DLP) solution can be implemented to avoid leakage of internal and sensitive data.
- External emails or communications can be blocked by implementing strong firewall rules.
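The passphrase advice above can be turned into a check that an administrator can run against candidate passphrases. The following is an added example, not code from the original post: it applies the four character-class rules the post names, adds a length floor (the 12-character minimum is an assumption, not a figure from the post) and estimates brute-force entropy from the size of the character pool, evaluated on the post’s own two examples.

```python
import math
import string

# Character classes named in the post's passphrase advice.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def class_coverage(passphrase):
    """Return the names of the character classes present in the passphrase."""
    chars = set(passphrase)
    return {name for name, members in CLASSES.items() if chars & members}


def estimate_entropy_bits(passphrase):
    """Rough brute-force entropy: length * log2(pool size), where the pool is the
    union of the character classes actually used. This is an upper bound; a
    passphrase built from dictionary words is guessable with far less work."""
    pool = sum(len(CLASSES[name]) for name in class_coverage(passphrase))
    if pool == 0:
        return 0.0
    return len(passphrase) * math.log2(pool)


def check_passphrase(passphrase, min_length=12):
    """Apply the post's composition rule (all four classes present) plus a
    length floor. The default of 12 is an assumed policy value."""
    coverage = class_coverage(passphrase)
    missing = set(CLASSES) - coverage
    return {
        "length_ok": len(passphrase) >= min_length,
        "all_classes": not missing,
        "missing_classes": sorted(missing),
        "entropy_bits": round(estimate_entropy_bits(passphrase), 1),
    }


if __name__ == "__main__":
    # The two passphrases from the post plus a weak control value.
    for candidate in ("1aMGo!ngF0raW@lk", "1Agf@w", "password"):
        print(candidate, check_passphrase(candidate))
```

The long passphrase satisfies both rules with roughly 105 bits of pool entropy; the six-character initials form covers all four classes but falls under the assumed length floor, which is the trade-off to weigh when choosing the shorter form.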
In conclusion, awareness and education are the most important steps toward protecting yourself not only from social engineering attacks but from all kinds of attacks. Users should use strong passwords/passphrases and encryption, should not rush into providing information and should not click on suspicious email links. Enterprise users should be properly trained before being given production tasks, and these training modules should be refreshed periodically to keep users up to date with the latest attack techniques. Companies can regularly schedule audits to find loopholes and strengthen their security policies.