Social engineering’s newest threat puts emphasis on the social

People often prove to be the weakest link in the security chain. We investigate the newest social engineering techniques being employed by cyber criminals to break into corporate networks in search of data and the link with the rise of social media.

By Tony Hallett

Thu 29 Jun 2017 @ 21:45

Social engineering has been around for a very long time, if we take it to mean gaining someone’s confidence to trick them (‘cons’ performed by ‘confidence tricksters’).

In terms of technology, telecoms hacking (‘phreaking’) predates anything done with computers or the internet. But the latest trends give new meaning to the word ‘social’ in social engineering. And we all need to take note.

‘Whaling’, ‘imposter fraud’ and ‘business email compromise (BEC)’ accounted for at least $1bn in annual losses according to Interpol, and that was for calendar year 2015.

Even the fact there are so many names for this latest trend shows it has yet to settle down. But they almost all rely on taking advantage of very natural employee instincts such as pleasing the boss and being responsive in the name of doing a good job.

Just as back in the early days of social engineering to hack into corporate telephone systems – the phone phreaking of Kevin Mitnick and others – whaling works by an imposter posing as a senior executive or supplier, usually then asking for information or a money transfer over the phone or email (which is where we get the terms ‘business email compromise’ and ‘CEO/manager fraud’).

So how is this new if Mitnick and co were doing it in the 1980s? The latest twist is fraudsters tapping social media.

Ever receive Facebook or LinkedIn connection requests from people you don’t know? Sometimes these are harmless friends of friends trying to boost their follower counts. But, even for the most locked-down social accounts, these can be criminals who have already infiltrated your contacts’ networks and are seeking out new sources of information.

Publish photos when you’re still on holiday? Mention a new supplier in a LinkedIn post? Publish a photo of the front of your newly painted house on Instagram? This is all valuable to a hacker.

Nothing might happen immediately. The bad guys can play the long game. They will amass information over months or years and even sell on the info or the accounts they’re using to other criminals. (At a glance, social accounts with higher follower numbers look less suspicious to those who check.) One analyst has identified over 40,000 such accounts.

One new tactic is for hackers to follow popular accounts of retailers and utilities for complaints by customers. You might be seeking social customer service or even just to blow off some steam. But it’s another way to glean information for future BEC or whaling attacks.

Imagine a whole team at a company that has been profiled this way. Social media tells the bad guys when the boss is on holiday. They probably know who is then in charge, the name of the boss’ boss and which supplier to mention in an email – maybe one that’s been having problems. This is how attacks look so convincing.

What can be done? Organisations must also play the long game. Employee education about this type of attack is always a good idea. And encourage everyone to lock down their social media accounts, explaining why it matters.

Lastly, have a plan for when there is a problem. And if you’ve never heard of such a breach, don’t assume it’s never happened. Speak to everyone, not just those responsible for online security, seek out their experiences and be open. It could be the bad guys are already watching – you just don’t know it.