Posted May 27, 2020
In March 2020, a threat actor advertised the sale of social engineering templates in a prominent cyber crime forum. According to the actor, he had previously used these transcripts successfully, and they could be adapted to fit any number of potential target organizations. The actor currently enjoys a favorable reputation among members of the forum and has substantial experience in social engineering, offering mentorship and tutorials to interested forum members. LookingGlass has written a STRATISS report entitled “Recipe for Success: Social Engineering Scripts for Sale in the Underground” about this offering. You can request your copy of this report below.
Although providing social engineering templates is not a prominent offering in the cyber criminal underground, social engineering’s importance in the cyber criminal ecosystem is undisputed. Social engineering is an essential component of a variety of criminal activities including, but not limited to, phishing/spear phishing, pharming, fraudulent telephone calls, SMShing, ransomware attacks, and help desk impersonation. Social engineering-based attacks rely on human interaction to succeed; the more polished and professional the content, the better chance attackers have to deceive victims.
The term was first used by a Dutch industrialist in 1894; its meaning has since evolved into the current cybersecurity understanding. According to a prominent author on the subject, social engineering is an “act of manipulating a person to take an action that may or may not be in the target’s best interest. This may include obtaining information, gaining access, or getting the target to take certain action.” The following four stages comprise the social engineering lifecycle:
- Information Gathering. Two critical aspects of a social engineering-enabled attack are researching the target and crafting the content. Therefore, it is no surprise that information gathering is an important part of the social engineering process. Information can be collected from some of the following sources and aggregated to support attack planning:
- Official Company Websites
- Official Company/Industry Press Releases
- Official Social Media Channels
- Personal Social Media Channels
- Official Company Biographies
- Industry Conferences
- News and Media Sources
- Establishing Rapport with Target. Socially-engineered content is important because it establishes the seeming legitimacy of the attacker, helping threat actors gain the confidence of their victims and manipulate their actions. According to statistics published in 2019, nearly 98 percent of observed cyber attacks relied on social engineering; newer employees were the most susceptible to such attacks.
- Exploitation. At this point in the lifecycle, if the attacker has done a thorough job in gathering information and gaining rapport, the chances for success are greatly enhanced. The actual exploitation method depends largely on the attack itself, but given the popularity of email-based attacks, weaponized attachments or links that facilitate the download of malware are common.
- Execution. The final stage of the process occurs when the attacker advances his goals, whether it entails theft of sensitive/personal data, monetary theft, establishing permanent access, or another end goal.
What Can Organizations Do?
Precautions and best practices that organizations can adopt include, but are not limited to, the following areas:
- Ongoing Social Engineering Situational Awareness Training. Enterprises need to implement social engineering awareness training for all levels of their organizations throughout the calendar year. TTPs are consistently changing; employees and executives that are aware of the threats will have a better chance of staying ahead of them and will be more likely to identify questionable correspondence and report it to appropriate security personnel.
- Social Media Diligence/Policy Development. Information that helps attackers craft social engineering content is often collected via social media and public-facing outlets. Organizations may want to develop and implement social media policies to help guide what information should be made readily accessible to anyone with an Internet connection.
- Cybersecurity Posture Assessment. Organizations may want to conduct periodic cybersecurity assessments to identify strengths and weaknesses in the company’s overall posture. Testing employees and senior staff via phishing, SMShing, and other attack vectors that rely on social engineering can help an organization allocate resources to improve cybersecurity shortcomings.
- Mobile Device Security. Smartphones are increasingly assimilated into work environments, which makes SMShing a potentially advantageous attack vector for hostile actors. Having BYOD policies and proper security mechanisms (device management, patching, and restrictions on sideloaded apps) in place can help mitigate the threat.
- Incident Response Plan Development. Developing, exercising, and implementing an incident response plan for social engineering attacks helps ensure that organizations can recover from them quickly. This includes creating a contact list so that the appropriate personnel are notified to help with remediation efforts.
- Verify Contacts. Whether via phone, email, or text message, it is important to verify the identity of the individual requesting information or action steps before complying. Verification should be done through an independent channel (for example, a phone number from the company directory), not through any contact details supplied by the requester.
- Update Software/Hardware. Ensure that all software/hardware/operating systems are updated with the latest security patches. Patching does not stop the deception itself, but it leaves a weaponized attachment or link delivered through social engineering fewer vulnerabilities to exploit.
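As an added example (not LookingGlass's code), the script below checks a raw email for several of the tells described in the Exploitation stage and under Verify Contacts: a Reply-To domain that differs from the From domain, a display name or sender domain that imitates the organization's own domain, HTML links whose visible text names one domain while the href points to another, and attachments with executable or double extensions. The trusted domain `example.com` and the sample messages are constructed for the example; the registrable-domain comparison is a deliberately simple last-two-labels heuristic, not a public-suffix-list lookup.

```python
"""Flag common social-engineering tells in a raw email (added example)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumption: the organization's own mail domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".bat", ".cmd", ".ps1"}


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def registrable(host: str) -> str:
    """Crude registrable-domain heuristic: 'a.b.example.com' -> 'example.com'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no tells found."""
    msg = message_from_string(raw)
    findings = []
    from_hdr = msg.get("From", "")
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # Lookalike check: the trusted label appears in the display name or sender
    # domain, but the sender domain is not actually the trusted domain.
    label = TRUSTED_DOMAIN.split(".")[0]
    display = from_hdr.split("<")[0].strip().lower()
    if from_dom != TRUSTED_DOMAIN and (label in display or label in from_dom):
        findings.append(f"sender {from_dom} imitates {TRUSTED_DOMAIN}")

    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            lower = fname.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment {fname} has executable extension {ext}")
            elif lower.count(".") >= 2:
                findings.append(f"attachment {fname} has a double extension")
        elif part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            collector = _LinkCollector()
            collector.feed(body)
            for href, text in collector.links:
                href_host = urlparse(href).hostname or ""
                shown = re.search(r"([\w-]+\.)+[a-z]{2,}", text.lower())
                if shown and registrable(shown.group(0)) != registrable(href_host):
                    findings.append(f"link text shows {shown.group(0)} but points to {href_host}")
    return findings


# Constructed sample: a payroll lure with a lookalike sender, foreign Reply-To,
# mismatched link, and a double-extension executable attachment.
SAMPLE = """\
From: Example Corp Payroll <payroll@example-corp-hr.com>
Reply-To: payroll.update@mail.ru
To: jane@example.com
Subject: Action required: confirm your direct deposit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<p>Hi Jane, please <a href="http://update-portal.example-corp-hr.com/login">log in at portal.example.com</a> today.</p>
--B
Content-Type: application/octet-stream; name="Payroll_Form.pdf.exe"
Content-Disposition: attachment; filename="Payroll_Form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQ
--B--
"""

# Constructed benign internal message for comparison.
CLEAN = """\
From: Jane Doe <jane@example.com>
To: bob@example.com
Subject: lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
    print("clean message findings:", analyze(CLEAN))
```

Run it as-is and the lure produces four findings while the benign message produces none. In practice these checks belong in a mail gateway or a triage playbook for reported emails, and the registrable-domain heuristic should be replaced with a public-suffix-list lookup before relying on it.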
LookingGlass has provided tips entitled “Protect Your Organization from Targeted Scams” that organizations are encouraged to review.
For more information, request to see the recent LookingGlass STRATISS Report titled “Recipe for Success: Social Engineering Scripts for Sale in the Underground” that was published May 15, 2020.