The Future of Social Engineering 3: Creativity and Spear Phishing

Read previous: The Future of Social Engineering 2: Nigerian and Friend scams

In this part of the talk, Sharon Conheady focuses on spear phishing, outlines how social networks are exploited, and describes how social engineering attacks keep moving into a creative area.

Spear phishing – very targeted, very effective

Next on social engineering, the attacks are getting a lot more sophisticated and a lot more targeted. So take phishing for example. Now, we still get those blanket phishing attacks that are sent out to everybody, but we are seeing more and more spear phishing attacks that are very, very targeted.

Subpoena scam email

This was an example of an email that executives in big companies in the U.S. received recently (see screenshot). So it was a subpoena telling them they needed to appear in court the following week, or the following month. Now, first of all you get this email, you’re gonna be kind of worried. Do you need to appear in court? It looks pretty professional. It’s a long way from the early phishing attacks. It looks really, really good. It’s issued to an individual. It isn’t sent to groups and groups of people. It’s issued to particular individuals. So I think this is a very effective attack.

Targeted attack via email to a pre-identified vendor

Another example we have was quite effective because the fraudsters identified the names of vendors that dealt with particular companies, and then they emailed them (see image). They didn’t have malicious URLs in the email. They didn’t have suspicious attachments. They actually asked them directly to open up particular ports on the firewall or to accept particular IPs into their company. So that’s a really good attack. And the reason it’s good is because the sender knows a lot of information. So they knew the vendor name, they knew the name of the IT administrator, and in certain cases they knew the name of the project that the IT team was working on. So you can see that was a whole combination of social engineering attacks that must have taken place before they sent this email – very effective.

Parking tickets with malware URLs – scammers go beyond the IT in their social engineering attacks

InformationWeek report on phishing through fliers

But of course the bait is not always going to be online. It could be in the real world, maybe nothing to do with IT at all. There was a really good example of attackers leaving parking tickets on some cars in the U.S. And when the people came back they saw they had parking tickets, and they were instructed to visit a certain URL to identify the photo of their car, click on it and pay their fine. And of course when they click on it – they download all kinds of lovely malware to their machines. It has absolutely nothing to do with IT; I think it was really effective.

So people are beginning to suspect some of the phishing emails they receive. They are beginning to expect some of the crazy pop-ups that appear on their screens. So if it’s on the computer screen in front of you – you are suspicious. If it’s in a car park and there is a piece of paper left there for you – you are not suspicious.

So I think that’s where social engineering is going. It’s open to such creativity now: the more creative your attack – the more likely it is to succeed.

Why social networks drastically changed social engineering techniques

And of course you can get so creative now; you can find so much information because of social networks. I mean social networking has really changed the face of social engineering over the past 3 – 4 years. Social engineers like to use social networks because it’s such a huge attack surface. We’ve all seen the statistics on the number of users. Of course it’s quick and it’s easy, sometimes you can even automate it to look up phone numbers that you can use in your vishing attacks for example.

It’s got a low barrier to entry; you don’t have to be technically skilled to do social engineering attacks via social networks. You just have to be a bit imaginative, or you just have to copy somebody else’s attack. You hardly need any technical skills at all to work this way on social networks.

It relies on publicly available information; people publish so much about themselves and they don’t realize it can be used in a social networking attack. And what I like about it is I don’t have to do so much dumpster diving any more because the information is available online, and I hate dumpster diving, it’s so dirty.

So you know, there are loads of examples of people publishing their information. This person lost his phone and he asked all his friends to send their telephone numbers through. So they all did, and they all shared their friends’ telephone numbers as well. There are tons of examples like this.

Social engineering via social networks works because social networks are based on trust, and that’s exactly what social engineers like to exploit. It’s really easy to impersonate somebody on social networks.

Real-world impersonation as an effective social engineering trick

News report on impersonation in action

This example of impersonation in the real world took place in London (see screenshot). Some guys dressed up as policemen, went into a data center in the middle of London and said: “We’ve had reports of people on your roof, we need to go in and investigate.” So they went into the data center. Because they were dressed as policemen, they had handcuffs. They handcuffed the security guards to their chairs and they walked out carrying the servers.

But to execute an attack like this takes money. Well, first of all you are probably from a gang, you work in groups, you don’t go in on your own. You need to procure the policeman costumes somehow. So either you need to purchase them or you need to get them illegally. There is the potential for physically harming people, I mean they had to handcuff the staff to the chairs. As far as I know, nobody was hurt, but one person had to be treated for shock. This takes a lot of planning. And of course when you are doing a physical attack like this, it’s much easier to get caught. You compare this to setting up a fake profile online, it’s so much easier.

Read next: The Future of Social Engineering 4: Tactical Research Using Social Networks
