In this part of the talk, Sharon Conheady focuses on spear phishing, outlines how social networks are exploited for social engineering, and describes how social engineering attacks keep moving into more creative territory.
Next on social engineering, the attacks are getting a lot more sophisticated and a lot more targeted. So take phishing, for example. Now, we still get those blanket phishing attacks that are sent out to everybody, but we are seeing more and more spear phishing attacks that are very, very targeted. This was an example of an email that executives in big companies in the U.S. received recently (see screenshot). So it was a subpoena telling them they needed to appear in court the following week, or the following month. Now, first of all, when you get this email you’re going to be kind of worried. Do you need to appear in court? It looks pretty professional. It’s a long way from the early phishing attacks. It looks really, really good. It’s issued to an individual. It isn’t sent to groups and groups of people. It’s issued to particular individuals. So I think this is a very effective attack.

Another example we have was quite effective because the fraudsters identified the names of vendors that dealt with particular companies, and then they emailed them (see image). They didn’t have malicious URLs in the email. They didn’t have suspicious attachments. They actually asked them directly to open up particular ports on the firewall or to accept particular IPs into their company. So that’s a really good attack. And the reason it’s good is because the sender knows a lot of information. So they knew the vendor name, they knew the name of the IT administrator, and in certain cases they knew the name of the project that the IT team was working on. So you can see that a whole combination of social engineering attacks must have taken place before they sent this email – very effective.
So people are beginning to suspect some of the phishing emails they receive. They are beginning to expect some of the crazy pop-ups that appear on their screens. So if it’s on the computer screen in front of you – you are suspicious. If it’s in a car park and there is a piece of paper left there for you – you are not suspicious.
So I think that’s where social engineering is going. It’s open to such creativity now: the more creative your attack – the more likely it is to succeed.
And of course you can get so creative now; you can find so much information because of social networks. I mean, social networking has really changed the face of social engineering over the past three or four years. Social engineers like to use social networks because it’s such a huge attack surface. We’ve all seen the statistics on the number of users. Of course it’s quick and it’s easy; sometimes you can even automate it, to look up phone numbers that you can use in your vishing attacks, for example.
It’s got a low barrier to entry; you don’t have to be technically skilled to do social engineering attacks via social networks. You just have to be a bit imaginative, or you just have to copy somebody else’s attack. You hardly need any technical skills at all to work this way on social networks.
It relies on publicly available information; people publish so much about themselves and they don’t realize it can be used in a social networking attack. And what I like about it is I don’t have to do so much dumpster diving any more, because the information is available online, and I hate dumpster diving, it’s so dirty.
So, you know, there are loads of examples of people publishing their information. This person lost his phone and he asked all his friends to send their telephone numbers through. So they all did, and they all shared their friends’ telephone numbers as well. There are tons of examples like this.
Social engineering via social networks works because social networks are based on trust, and that’s exactly what social engineers like to exploit. It’s really easy to impersonate somebody on social networks.
But to execute an attack like this takes money. Well, first of all you are probably from a gang; you work in groups, you don’t go in on your own. You need to procure the policeman costumes somehow. So either you need to purchase them or you need to get them illegally. There is the potential for physically harming people; I mean, they had to handcuff the staff to the chairs. As far as I know, nobody was hurt, but one person had to be treated for shock. This takes a lot of planning. And of course, when you are doing a physical attack like this, it’s much easier to get caught. Compare this to setting up a fake profile online: it’s so much easier.