Social Engineering – CompTIA A+ 220-1202 – 2.5

Social Engineering can take many different forms. In this video, you’ll learn about phishing, shoulder surfing, tailgating, impersonation, and more.


Social engineering attacks are a challenge to identify and to prevent. These attackers are using methods that are constantly changing. So we have to be aware of the latest threats, and we have to make sure that our user community is trained on those latest threats. Many of these social engineering attacks will involve multiple people across multiple organizations, which makes it even more difficult to identify and prevent.

These attacks can be electronic, which makes them somewhat easier to identify, but very often they are carried out by one person talking directly to another. That makes them very difficult to prevent with traditional electronic controls. Sometimes the attacker will act as a disgruntled customer and try to bully someone into giving up additional information. Other attackers will use something that has been in the news, or something personal to a particular group, as the hook to gain access to additional information.

For example, we’ve documented cases where attackers have identified someone in the organization who has recently passed away, and they will send funeral information to the entire group within the company. But that funeral information is actually a malicious link.

I get phishing attempts into my email inbox constantly. These are attacks that combine a bit of social engineering with a bit of spoofing. Put those together, and you have a way to fool people into giving up private and personal information. One of the ways you can identify phishing is in the URL itself: look at where the link actually goes, not just the text that is displayed. If you don’t recognize the destination, you certainly should not be visiting that link. And it’s always a good best practice to never click on links inside of an email message.

If you were to examine the website that these links would take you to, you’ll notice that there is something not quite right about the information you’re seeing on the screen. There may be issues with spelling. There may be unusual fonts that are in the message or the website itself. And often, you’ll find that graphics on the site simply won’t load properly.

To give you an idea of what might happen if you click one of those links in an email message, I grabbed an email message that was sent directly to me about my Rackspace service. You’ll notice first that this message itself was sent from someone with an iCloud account. This did not come directly from Rackspace.com. This says, “Dear User, we notice your email has not been confirmed for the new upgraded service,” no punctuation. “You will be blocked from sending and receiving emails if not confirmed within 48hrs hours of receiving this automated mail.”

Notice that the single line in the email message has different sized fonts and different colors of fonts. Then it says you are required to confirm your email through the link below, and there’s a big button to Confirm Email Now. If you receive this in your email inbox, you should ignore it, send it to the spam folder, and you should certainly not click the link. On my system, I clicked the link so that we could see what the results might be. And it brought me to my webmail login page for my Rackspace inbox. Well, certainly, this is a legitimate link, so I can put in my email address and my password and click the Login button.

But if you were to look at a Rackspace login versus the login page that I was taken to, you would see they were very different. At the top is the email page that I was sent to when I clicked that link in my email, and in the bottom is the actual webmail login for my Rackspace email. You can see that although they are very similar in their structure, there are things that are very different between both of these. And although it may not be easy to immediately identify this top one as malicious, we can certainly compare it to the actual login page and see that there are major differences between them.

I did not put my email address and password into that phishing link, but if I had, I would expect that after the login prompt, it would have told me that the information was incorrect, and it might have even sent me back over to the actual Rackspace login page, where I would put in my email address and password, and it would work properly. Behind the scenes, of course, my original email address and password have now been sent to the attackers, and they’re going to try using my Rackspace email now that they have those login credentials.
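The indicators called out above (a sender address that is not the provider’s domain, a confirmation link that leads somewhere other than the provider, and a deadline designed to rush you) can be checked mechanically. The following is an added example, not code from the video or from Rackspace: it parses a constructed message modelled on the one described, and reports each indicator it finds. The link host uses the reserved .example top-level domain, and the sender mailbox, urgency phrases and thresholds are assumptions chosen for the demonstration, not observed values from the real message.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# The domain the message claims to come from (the text names Rackspace.com).
EXPECTED_DOMAIN = "rackspace.com"
BRAND = "rackspace"

# Constructed sample modelled on the message described above: a display name
# that claims the provider, a consumer mailbox as the real sender, an urgency
# deadline, and a button that leads to a lookalike host on a reserved TLD.
SAMPLE_EMAIL = """\
From: Rackspace Mail Team <mailteam.notice@icloud.com>
To: user@rackspace.com
Subject: Email confirmation required
Content-Type: text/html

<p><font size="4" color="red">Dear User,</font> we notice your email has not
been confirmed for the new upgraded service. You will be blocked from sending
and receiving emails if not confirmed within 48hrs of receiving this mail.</p>
<p>You are required to confirm your email through the link below.</p>
<a href="https://webmail-rackspace-confirm.example/login">Confirm Email Now</a>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# Assumed list of pressure phrases; a real filter would use a tuned lexicon.
URGENCY_RE = re.compile(
    r"\b(within \d+\s*(?:hrs|hours)|blocked|suspended|immediately)\b",
    re.IGNORECASE,
)


def sender_domain(msg):
    """Domain of the real sender address, ignoring the display name."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def is_expected_host(host):
    """True only for EXPECTED_DOMAIN itself or a subdomain of it.

    'rackspace.com.example' is rejected: a suffix match must start at a dot.
    """
    return host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN)


def link_hosts(msg):
    """Hostnames of every href in the text/html parts of the message."""
    hosts = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for url in HREF_RE.findall(part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if host:
                    hosts.append(host)
    return hosts


def analyze(raw):
    """Return a list of human-readable phishing indicators found in raw RFC 822 text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = sender_domain(msg)
    if not is_expected_host(sender):
        findings.append(f"sender domain {sender} is not {EXPECTED_DOMAIN}")

    for host in link_hosts(msg):
        if is_expected_host(host):
            continue
        if BRAND in host:
            findings.append(f"link host {host} imitates {BRAND} but is not {EXPECTED_DOMAIN}")
        elif host.startswith("xn--") or ".xn--" in host:
            findings.append(f"link host {host} uses punycode (possible homograph)")
        else:
            findings.append(f"link host {host} is outside {EXPECTED_DOMAIN}")

    text = " ".join(
        p.get_content() for p in msg.walk() if p.get_content_type().startswith("text/")
    )
    for phrase in URGENCY_RE.findall(text):
        findings.append(f"urgency language: '{phrase}'")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

The check that matters most is the one on the link host: the display text "Confirm Email Now" tells you nothing, and a host that merely contains the brand name is treated as more suspicious than one that does not, because that is exactly how a lookalike login page is advertised. A message from the legitimate domain with no off-domain links and no pressure language produces an empty list.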

These phishing attacks are not just in our email inbox, of course. You may have many different phishing attacks during the day that are sent directly to your mobile phone. If this is something done over voice, we refer to this as voice phishing or vishing. You may have received a voicemail that is describing an important piece of information that you need to resolve, and you need to call them back and give them a lot of money to resolve this. Or they might be asking for security information. They might be posing as your bank. Or they may say that they’re with the local law enforcement organization.

The best practice for any of these situations is to hang up the phone. Your bank is not going to call and ask you for your security information, and your local law enforcement is not going to ask you for money over the phone. We also receive phishing attempts over text messages. This is SMS phishing, which we also refer to as smishing. We might receive a text message that says there are tolls that we need to pay on our car. Or we might just receive a message that says, hi, how are you? from a phone number that we don’t recognize. As soon as you interact with that text message, they try to get either money or information directly from you over the text conversation.

Phishing has also made public QR codes untrustworthy, because it is so easy to paste a malicious QR code over a legitimate one. Generally speaking, you should not trust a public QR code unless you can see the decoded link before opening it and you really do trust that particular link.

Attackers who are focusing on a single organization have a decision to make– do they focus on getting information from someone who works in the shipping and receiving department, or do they try to get information from the chief financial officer? Obviously, the CFO is someone who is going to have much more valuable information than perhaps anyone else in the organization. For that reason, they might want to focus their efforts on anyone within the executive team. We refer to this type of focus as spear phishing. They are targeting exactly the group that they would like to get information from, and generally this information is very lucrative.

Sometimes you’ll hear about spear phishing going after a CEO. Because that person has so much control within the organization, you might hear that referred to as whaling. Attackers will go to LinkedIn or other databases to find out who the executive management of a company is. They’ll gather information on all of those individuals and then start attacking each one of them individually to gather more. The CFO is a valuable target because the CFO often has direct access to the finances of the organization. They can log in to the bank accounts, and they hold controls and passwords that the attacker would like to gain access to.

Spear phishing is a bit more difficult to identify and stop, but with the right training with your executive team, you can keep this type of threat to a minimum.

I was on a train recently, and this very short trip allowed me to view confidential financial information from a third-party company, and I was able to see prerelease details that were in a presentation, all of this by simply sitting behind someone who was viewing this on their screen. This was shoulder surfing, where I was able to identify sensitive information that normally I would not have access to by simply looking over someone’s shoulder.

So if you’re in an airport, on a train, at a coffee shop, or anywhere else where third parties may be able to view your screen, you may be susceptible to a shoulder surfing attack. If you’re in a city, some attackers will take this idea of shoulder surfing to the next level. Buildings are so close to each other in the city that an attacker can easily read someone’s screen with a telescope or a pair of binoculars from the next building over. And some attackers have found a way to do this from afar, by installing webcam or screen monitoring software on someone’s computer and simply watching their screen from a remote location.

Fortunately, shoulder surfing is a relatively easy attack to stop. First, you need to be aware of your surroundings, and you need to understand that other people near you might be able to see your screen. You might also want to use a privacy filter. If you’re sitting next to somebody on an airplane or a train who is using one of these privacy filters, the screen looks completely black to you, but the person sitting directly in front of the screen can see everything very clearly. If you’re in a building or a room where people can see your screen as they’re walking by, you may want to turn your desk or turn the monitor so that you’re the only one who has a view of that screen.

Throughout my career, I’ve been to many airports and traveled in many different ways, and it is very easy to view information on someone’s screen when clearly that information is meant to be confidential and private.

A very common attack is one where the attacker simply walks into the building right through security. One way they’re able to do this is tailgating. This is when an attacker follows someone who is authorized to go through a door and uses that person’s access to get inside the building.

With tailgating, the attacker does not have consent to come into the building. In many cases, no one even realizes that the attacker made it into the building. Perhaps an employee of the building is coming back from lunch. They badge in, they open the door and walk through it, and they don’t realize that right behind them, somebody else is also walking through that open door. That’s the attacker taking advantage of a tailgating opportunity.

Piggybacking is a similar attack. But in this case, the person holding the door recognizes that they are letting this person into the building. This might be an attacker who has a box full of food or a box full of donuts and doesn’t have any hands free and says, oh, please hold the door and let me in, and I’ll deliver this to the third floor. This is why many organizations will prevent piggybacking by putting a sign right next to the door that says no piggybacking. Everyone must badge in and the door must be closed between each badging session.

Obviously, the problem in many organizations is once you make it through that initial security door, you’re able to have a lot of access to the inside of that building. So to prevent someone from gaining even more access to your internal systems, you need to be sure that you prevent both tailgating and piggybacking.

Some social engineering takes place as impersonation. This is when the attacker is pretending to be someone else. They might have gone to LinkedIn and found information about your company. They could have found posts on the internet where previous employees may have provided internal details. Or they could have previously been in your dumpster, going through your garbage, and finding information about important details that only people inside of the building would normally have.

For example, they could call the help desk, say that they are a vice president, and then provide detailed information about that vice president that they found when they were going through the trash. This is information that helps put the victim at ease. How else would they know that detail unless they were part of this organization? Or perhaps the attacker tries to confuse the victim with detailed information and technical jargon. This can be confusing, especially if they’re providing a lot of information in rapid-fire fashion, in the hope that they can get the victim to provide additional details or grant access to their systems.

Or sometimes, the attacker just tries to be a friend or a buddy and charm the information out of the victim. Many organizations will try to prevent this type of impersonation by having a certain set of policies and rules about what information must be provided during a phone call to provide the appropriate level of authentication.

I previously described the process where an attacker will go through your garbage to find information about a company. This is a relatively simple process, and it is remarkable how much information you can find just by going through someone’s trash. In the US, we refer to this as dumpster diving because there is a brand of industrial garbage collection devices known as dumpsters. If you’re in the UK or Europe, you may refer to these as a rubbish skip.

We’re generally not finding pages of usernames and passwords being thrown out with the garbage, but something as simple as a phone list or a set of emails of employees can provide a wealth of information to someone who’s trying to gain access to people inside of the company. From there, they can impersonate the name of the district manager located in Cleveland, Ohio, or they can pretend to be part of the technical team that’s developing an application in Beaverton, Oregon. And it’s not unusual for attackers to even understand when the next pickup will be for garbage, so that they can arrive and go through your garbage before it is taken away.