The more things change, the more they stay the same. This age-old adage can certainly be applied to the realm of IT security where hackers continuously evolve their techniques to compromise their targets. Regardless of how mature an organization’s security posture might be, one thing remains the same: end-users – be they your employees or your customers – remain the weakest link. Hackers have relied heavily on a variety of ‘social engineering’ tactics for the past decade as a means of attaining secured credentials to perpetrate fraud.
These tactics include broad ‘phishing’ campaigns, in which a fraudulent message carrying some type of malware payload is broadcast to a large group, and, more recently, spear phishing, in which hackers who already hold partial knowledge of a victim target that individual with the goal of building a more complete profile that can be used to steal their identity or gain access to a secured corporate network. Hackers are continuously refining their techniques and introducing new schemes to collect and abuse private information. For example, a large number of Facebook users have reported that they have recently been inundated with ‘friend’ requests from strangers. Many security experts believe this is yet another social engineering attempt to obtain and exploit personal information.
Social engineering will continue to be an effective tactic because it leverages our intrinsically trusting nature, as well as our desire to cooperate in seemingly predictable situations (i.e., providing financial or personal details to an assumed bank representative or coworker). Consequently, hackers have become particularly adept at exploiting a range of emotions to gain the confidence of their marks, with the goal of triggering an action that puts both the victim’s own security and the security of a business at risk.
Social Engineering on the Rise
Recently, the Fraud Intelligence team at Easy Solutions uncovered a new fraud scheme, in which a fake job advertisement on behalf of a familiar government agency was posted via a social network profile. Using this, criminals were able to collect sensitive user data that they later used to launch fraud attacks (they even requested fees to secure possible interviews and access to work opportunities).
At the same time, Easy Solutions’ email authentication solution, DMARC Compass, detected a wave of fraudulent emails that revealed abused government domains being used to lure users with tempting subjects such as “Attention, check returned”, “Information for contest winner” and “Suspended tax ID”, to name but a few.
Social engineering tactics typically succeed by convincing users to click on malicious links or unwittingly download malware through a disguised executable file.
For this reason, it is vital for institutions to improve their visibility into new threats in order to better protect their brand. It is equally crucial for them to implement response mechanisms for when an attack occurs (which will happen sooner or later), and to develop educational programs aimed at increasing threat awareness among users, including employees.