The ongoing battle against social engineering

Cybercrime involving social engineering continues to be a growing threat to individuals and organisations — and newer approaches are becoming more widespread...

By Tim Ferguson

Wed 3 Jan 2018 @ 16:11

Social engineering is an increasingly common and favoured attack method used by cyber criminals to compromise corporate networks and commit fraud by deception.

'Whaling', 'imposter fraud' and 'business email compromise' (BEC) are becoming increasingly common as cyber criminals develop new methods to dupe individuals.

According to a recent report by specialist insurer Beazley, social engineering attacks increased nine-fold in 2017 and accounted for nine per cent of all data breaches in the first three quarters of the year. This compares to one per cent for the same period in 2016. In addition, half of social engineering breaches reported in the third quarter of 2017 involved fraudulent instruction, up from 17 per cent in the first quarter 2017.

Managed email provider Mimecast recently reported the success rate of impersonation attacks (whaling or BEC) increased by nearly 50 per cent quarter on quarter.

While social engineering is a mature attack method, the techniques used by cyber criminals are constantly evolving.

One approach that has gained traction is ‘Friday afternoon fraud’, in which cyber criminals target communications between solicitors and clients finalising the conveyancing process. Criminals intercept conversations and convince clients to pay property deposits they have spent years saving for into the wrong accounts.

As the fraud often takes place at the end of the week (hence the ‘Friday afternoon’ reference) the fraudulent transactions can remain undetected over the weekend, only becoming apparent the following week. This improves the chances of criminals getting away with it.

This kind of attack can result in hundreds of thousands of pounds falling into the wrong hands, often with little chance of it being recovered. In March 2016, the Financial Times reported that more than £85m had been stolen from UK law firms in 18 months as a result of Friday afternoon fraud, making it the number one cybercrime in the legal sector. And it has become increasingly common.

As mentioned in a previous article, fraudsters are increasingly tapping into social media to carry out social engineering attacks. Criminals make what seem like harmless friend or contact requests, which people accept, opening up their locked-down network to people with designs on their money or data.

Advanced persistent threat groups then use the information they gather to develop social engineering attacks that use social network platforms as the attack channel.

For example, following a spate of largely unsuccessful phishing attacks by an Iranian group in the Middle East, the social media accounts and online domains belonging to Mia Ash, purportedly a London-based photographer in her mid-20s, were identified as being used by the same group to spread malware.

With a large number of convincing connections on LinkedIn and Facebook, active postings, and information and photos belonging to a real photographer, Mia Ash looked like a legitimate individual looking to secure photography business.

When an employee at a company previously targeted by the phishing attacks became a connection with Mia Ash, they were duped into opening an Excel file, which they believed to be a survey about photography, but which actually contained the same remote access Trojan program previously used by the group.

Mia Ash shows how social media attacks have evolved with cyber criminals broadening their footprint from a single social media account to several different platforms associated with the same persona, making interactions more convincing to victims.

There are also signs that established cybercrime groups are adopting social engineering. Security and AV company Bitdefender has found evidence suggesting that the DarkHotel group is now using whaling techniques to spread its malware variant via political targets.

The damage wrought by social engineering can be particularly severe if cyber insurance fails to cover it. Because social engineering convinces people to willingly make transactions, organisations should check their cyber insurance policies with a fine-tooth comb.

Employee education and awareness training continues to be an effective way of protecting organisations against these kinds of attack, with staff encouraged to lock down social media accounts and interrogate new connection requests carefully.

But organisations also need to increase their focus on network monitoring to flag irregular activity and to have the appropriate tools to respond quickly if an individual falls victim to social engineering.

Of course, the nature of the modern threat landscape means new and more sophisticated techniques will emerge and be successful in defrauding individuals and organisations or achieving other objectives.

But organisations need to make sure their employees and clients are regularly updated on developments and have the systems in place to ensure that if anything untoward does happen, a rapid response is possible.