Hypothesis – Social engineering attacks will evolve to take the form of more blackmail/spear phishing attacks, given how much data users upload to various data stores, often with little regard for who can see that data and what implications it may have.
Social engineering can take many different forms, but the basic methods at the root of most attacks are listed below:
- Quid pro quo
Each of these methods aims to take advantage of human emotions, positively or negatively, to achieve the attacker's goal. The majority of people, whether they realise it or not, have a desire to be helpful and accepted. A social engineer can exploit this behaviour using the methods shown above, reading the target as the conversation progresses to ascertain whether the plan is working. While the technologies available to attackers may change, the basic premise of these attacks stays the same and has done throughout history.
Perhaps the earliest recorded account of social engineering is in the book of Genesis, where the Devil, in the form of a snake, played to Eve's greed by convincing her that God was keeping specific powers to himself by forbidding her and Adam from eating fruit from the Tree of Life. One tactic a social engineer often uses is gaining the trust of the target by positioning themselves as an ally. This can be done using 'distrust' tactics – a method in which the attacker casts negative aspersions on another character and then steps in as the hero.
In Greek mythology, Ulysses, leader of the Greek army, changed his tactics after fighting a ten-year battle to take Troy. Using baiting techniques, he tricked the Trojan army into thinking he and his army had given up their siege, leaving a large gift outside the city gates in the form of a huge wooden horse, better known as the Trojan Horse. The Trojans were taken in by this bait and brought the horse into their city, with dire consequences. Fast forward to the present day and the term 'Trojan' is still widely used for this type of attack. Whether it is malware delivered as an email attachment, a compromised website or even a USB stick left in the target organisation's car park, this effective method can, and will, be used for many years to come.
In the 1960s, Frank Abagnale was able to convince Pan Am staff, along with many others, that he was a commercial pilot. Using a pretext in which he assumed the identity of a school newspaper journalist, he was able to gather information about policy, procedure and invaluable industry terminology. Armed with this knowledge and a Pan Am pilot's uniform, he was able to fly free of charge, as well as using his knowledge of the Pan Am banking process to cash fraudulent cheques. If a social engineer looks, acts and sounds the part, there is a very high likelihood that people will take the attacker at face value and not question the pretext any further.
Quid Pro Quo:
Kevin Mitnick – arguably one of the most famous social engineers of the 20th century – utilised this method many times throughout his social engineering career. Often calling users of organisations he had been researching and offering to help with real or fake IT problems they were having, he managed to gain access to many different systems by asking seemingly benign questions while working on a 'problem' for the target.
Quid pro quo, while similar to baiting, differs in that it offers something for something: usually a service in exchange for information, whereas baiting offers an item of goods.
Attacks for a modern age
Phone calls – Vishing:
Voice phishing or 'vishing' attacks use telephone calls to target an organisation or individual and coerce them into providing sensitive information. A common attack has the attacker call up pretending to be from an IT support service, playing on the target's emotions with a pretext designed to induce time-limited fear, uncertainty and doubt. The attacker will often either get the target to disclose information that can be used in further attacks, or state that in order to fix the issue the target is having, they need to disable their antivirus software, browse to a specific website and download some software – usually in the guise of a security patch. This software is actually malicious and allows the attacker to gain remote access to the target's machine with a view to compromising key targets on the organisation's domain.

Vishing attacks performed by a skilled attacker are often successful because they take advantage of human nature and behaviour. Under urgency and panic, the target often forgets any security awareness training they may have undertaken, and unlike email or fax, which can be deferred to a later time, an attacker with a well-planned pretext who is on the phone right now is a lot harder to deal with, especially for targets who may lack confidence. Calls can be spoofed to look like they come from legitimate sources, and it is possible for the attacker to stay on the line even if the target thinks they have hung up.
Although an ageing concept now, there was a time when the trusty facsimile device was used for social engineering. Faxes from supposed legal authorities and regulatory bodies were given some level of authenticity simply because facsimile devices were not commonplace in households.
In 1971 the first email was sent, cementing a new attack vector for social engineers to use in the years to come, once businesses and home users gained access to this communication method and began using it frequently.
The availability of email as a social engineering platform further removes the social engineer from harm's way, reducing risk through the relative anonymity of the communication with the target: there is no requirement to keep a poker face or even to speak to a person.
In 2016, it was reported that 1 in every 131 emails was unsolicited and contained a malware attachment. Based upon figures from the same year, an estimated 269 billion emails were sent globally in a single day. An estimate of phishing/malware emails distributed each day based upon these numbers is a staggering 2,044,400,000 (two billion forty-four million four hundred thousand). This is not to say that each of those emails achieved its objective, but in the numbers game it is guaranteed that at least one of them will have been delivered and coerced the target into either disclosing information or installing malicious software. This will no doubt increase year on year as technological advancements allow for more storage and bandwidth.
Disguising malicious attachments as fake invoices remains a popular tactic for tricking users into opening phishing emails and taking the bait. According to Symantec's 2017 ISTR, one in every four major malware spam campaigns took this approach.
85% of organisations have reported suffering from phishing attacks, which isn't unexpected given the sheer volume of phishing emails sent out. This is a 65% increase on the year before. 30% of phishing emails are opened by the recipient. Phishing is a broad term, and emails are often sent indiscriminately to targets en masse after performing basic reconnaissance on the target group or organisation to enumerate legitimate targets and identify high-value users. These attacks require very little skill on the part of the social engineer, as freely available tools with pre-defined phishing scenarios and payloads can perform each step of the attack.
More organisations are investing in security awareness training for staff, repeating controlled exercises periodically to ensure staff follow pre-defined procedures to identify and deal with potentially suspicious emails. In theory, the number of successful 'generic' phishing attacks should reduce over time as staff become more aware of the tactics employed by social engineers. There will always be targets who, despite training, will fall foul of phishing attacks for any number of reasons.
Technological security controls are also constantly evolving to identify malicious emails based upon criteria, some of which are updated in almost real time. While the number of phishing emails distributed is huge, many will be quarantined by email filters and the intended recipients will never see them.
So, what is the answer? In the last 10 years there have been some devastating data breaches of websites containing sensitive data. Below is a list of some of the more notable breaches; it is certainly not a comprehensive list, and these are only the reported breaches.
- 2008 - American Business Hack: Hackers were scraping data from 2005 to 2012. They got at least 160 million credit and debit card numbers. Estimates suggest this breach cost companies and individuals at least $300 million.
- 2009 – T-Mobile: Employees stole proprietary information about customer contracts and sold that data to T-Mobile competitors. They sold data for over 500,000 customers, including contract renewal dates, names, addresses, and phone numbers.
- 2010 – Netflix: Netflix gave contest participants access to anonymised data that tied back to 480,000 subscribers. Researchers, however, successfully tied the information back to specific subscribers.
- 2011 – Sony PSN: 1.6 million records were breached, including credit card numbers, addresses, birthdays, passwords, and answers to security questions.
- 2012 – LinkedIn: 167 million records were breached—most of these records were email addresses and passwords.
- 2013 – Yahoo: 3 billion records were breached. This breach wasn’t discovered until the tail end of 2016, but it actually happened three years earlier—hackers got email addresses, birthdays, and answers to security questions.
- 2014 – Sony Pictures Entertainment: A smaller breach than others (only about 47,000 records), but it had a big impact on Sony’s finances and reputation. Hackers got embarrassing internal emails, unreleased films, and celebrities’ contact information.
- 2015 – Ashley Madison: Hackers stole account details for customers looking online for extramarital affairs. The 37 million records breached included credit card numbers, addresses, and phone numbers.
- 2016 – Democratic National Committee: Hackers stole information about Democratic party candidates, including Hillary Clinton—but they also stole opposition research on Trump.
- 2017 – Equifax: This data breach affected at least 143 million Americans. Hackers stole SSNs, credit card info, names, addresses, and more.
There is a wealth of information contained within these breaches which can be used for identity theft, account compromise and as the basis for many different spear phishing pretexts. With more users uploading potentially sensitive data to online repositories, it is becoming increasingly easy to get access to, and make use of, data which shouldn't be in the public domain. Despite frequent news articles stressing the importance of managing your data, using strong passwords and not reusing the same password across accounts, people have not taken heed of the advice and will continue not to. Even users who do secure their data with complex passwords are still at the mercy of the data repositories' security controls.

With the availability of historic data breaches, as well as breaches that will undoubtedly occur in the future, I believe that attackers will shy away from generic phishing campaigns in favour of spear phishing campaigns combined with blackmail tactics drawing on breach data. For example, a standard phishing campaign against the Financial Director of a company would probably be ignored and yield no results. A targeted spear phishing attack against the Financial Director, using data from the Ashley Madison breach (or similar) and designed to invoke panic based upon real-life data which could cause significant damage both in and out of the workplace, would be far more likely to get the target's attention and would stand a much higher chance of getting results from an attacker's point of view.
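The defensive counterpart of that observation, as an added example that is not part of the original essay: cross-reference a staff directory against known breach records to find which accounts are exposed and which exposed fields would feed a pretext, so that those staff get a password reset and a targeted awareness refresher first. The breach records, staff list and field weights below are constructed for illustration.

```python
"""Breach-exposure triage for a staff directory. Added example, not from the
original essay; the records, staff list and weights below are constructed."""
from collections import defaultdict

# Weight per exposed field (assumed for illustration): fields that feed a
# convincing pretext or enable account takeover score higher.
FIELD_WEIGHT = {"email": 1, "name": 1, "address": 2, "phone": 2, "birthday": 2,
                "password": 4, "security_answers": 4, "card_number": 4, "ssn": 5}

# Constructed breach records: source dump, victim email, fields exposed.
BREACH_RECORDS = [
    {"source": "site-a-2012", "email": "fd@example.com",
     "fields": ["email", "password"]},
    {"source": "site-b-2015", "email": "FD@example.com",
     "fields": ["email", "address", "phone", "card_number"]},
    {"source": "site-c-2017", "email": "it.admin@example.com",
     "fields": ["email", "name", "ssn"]},
    {"source": "site-a-2012", "email": "someone@other.example",
     "fields": ["email", "password"]},
]

# Constructed staff directory: email -> role.
STAFF = {"fd@example.com": "Finance Director",
         "it.admin@example.com": "IT Administrator",
         "clerk@example.com": "Accounts Clerk"}

def exposure_report(records, staff):
    """Map each exposed staff email to its role, the breach sources it appears
    in, the distinct fields exposed and a weighted exposure score."""
    hits = defaultdict(lambda: {"sources": set(), "fields": set()})
    for rec in records:
        email = rec["email"].strip().lower()   # case-insensitive match
        if email in staff:
            hits[email]["sources"].add(rec["source"])
            hits[email]["fields"].update(rec["fields"])   # de-duplicated
    return {
        email: {"role": staff[email],
                "sources": sorted(hit["sources"]),
                "fields": sorted(hit["fields"]),
                "score": sum(FIELD_WEIGHT.get(f, 1) for f in hit["fields"])}
        for email, hit in hits.items()
    }

def prioritised(records, staff):
    """Exposed staff ordered by score, highest first: the first candidates for
    a password reset and a targeted awareness refresher."""
    report = exposure_report(records, staff)
    return sorted(report, key=lambda e: report[e]["score"], reverse=True)
```

In practice the records would come from a breach-notification feed rather than an inline list; the matching and scoring logic is unchanged.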