As we enter a new year, IT security teams and cyber-criminals are both already searching for the development that will tip the scales in the on-going cyber arms race. A common assumption is that a new malware strain or vulnerability will be the defining factor of 2018, similar to the WannaCry and NotPetya outbreaks of last year.
The fact that the EternalBlue exploit used by both attacks was taken from a cache of vulnerabilities originally discovered by the NSA has many teams anticipating more attacks with currently unknown exploits this year. While this is indeed likely, I believe a much bigger threat comes in the form of the increasingly advanced deceptive techniques used by criminals to reach their targets. That is because the human factor will remain a criminal opportunity, whether organizations patch their software and deploy advanced anti-virus methods.
The effective use of social engineering is already one of the most dangerous weapons in the cyber criminal’s arsenal, with uses ranging from nation-state attacks — whether financially motivated or politically driven — to attacks on organizations and consumers. In particular, Business Email Compromise (BEC) attacks, which impersonate a trusted identity to trick the target into making payments or sharing sensitive information, are routinely bypassing traditional security measures and costing businesses thousands and even millions of pounds. Email Account Compromise (EAC), where attackers compromise a legitimate email account and use it to evade security and deceive others, is even more difficult to stop.
The cost of these attacks is already staggering. The FBI recorded 40,203 cases of BEC and EAC around the world between October 2013 and December 2016, resulting in total exposed losses of $5,302,890,448 to businesses. This only includes reported attacks — and it is believed that many companies rather not make their losses known, or in many cases, are unaware of them for years.
This figure is also set to rise over the coming years as attackers refine their techniques, and a greater number of would-be criminals are drawn to the opportunities that social engineering entail.
Taking advantage of multifactor authentication
At the center of any social engineering attack is the (ab)use of trust. The most successful attackers will impersonate an identity that is both well known to the target, and ideally holds some form of authority or respect for them. In BEC attacks we most commonly see the CEO or another senior figure at the company being impersonated.
This tactic has continued to evolve by blending fraudulent emails with legitimate system messages. One approach sees attackers exploiting the traditional password reset features used by most services. The criminal can attempt to login and request a password reset code to be sent to the target’s email, and then simultaneously send a deceptive email to the victim, requesting the code.
After receiving a legitimate password reset email, many targets may enter the code into the second email without realizing that this will give full access to their account. This type of interactive phishing approach enables criminals to harvest accounts on a significantly larger scale, granting direct access to user accounts without the more obvious ploy of asking for the password directly — and while also circumventing security measures tied to the entry of a valid password from a new IP address or computer
Another tactic is to impersonate the email provider itself to send a message warning the victim they need to retrain their spam folder, as important messages may have been sent to spam by mistake. The victim will then naturally check their spam folder and move the apparent emails back into their main inbox before reading them and potentially falling for the deceptive attack.
The death of less-secure 2FA
Alongside email-based multifactor authentication, criminals are also increasingly exploring other areas, such as the commonly used SMS-based two-factor authentication (2FA) used by many services.
New social engineering attacks can take advantage of the fact 2FA has rarely been implemented with social engineering in mind, and individuals tend to be less guarded about requests for 2FA codes than passwords.
In an experiment I carried out with collaborators at New York University, we were able to craft SMS social engineering pitches with a success rate of 50 per cent – dramatically higher than the success rate of the typical phishing attack.
The major failing of 2FA is that if an attacker gets hold of the “secret code” sent by a service provider, they have full access to the associated account. Coupled with this, most services do not deploy the usual intrusion detection measures if the account is accessed with 2FA, as security is already assumed.
More data, smarter attacks
Alongside usurping a trusted identity, social engineering also requires the attacker to be armed with information about their intended victim. The last few years have seen a number of extremely large data breaches, leaking the details of hundreds of millions of people. This information can be used to facilitate even more convincing social engineering attacks, but is currently fairly scattered and disorganized. I believe the next stage will be for the criminal community to consolidate the data from different breaches into a form that can facilitate higher-yield automated attacks.
With so much data already available, attackers won’t even need to launch more deceptive attacks seeking information – they can skip straight to the payday. Attackers could, for example, cross reference two separate breaches, one concerning names and social security numbers, and one with names, email addresses and passwords. By matching the two data sets, the criminal could find users on both lists – giving them all the information they need for an attack with much higher expected yield than what either breach data set would afford them.
Shining a light on the deception
With existing social engineering attacks already enjoying a high success rate, and more advanced techniques steadily creeping into mainstream use, organizations must begin using defensive measures designed to identify deception.
To beat these new threats, it is necessary to look beyond the content of the messages and focus on the identity of the sender. Details such as mismatched reply-to names and addresses, or the use of new email addresses with familiar display names, while difficult to spot to the typical end user, can be easily spotted with the right systems in place.
Once one of these unusual signs has been identified, the message can be isolated and examined to determine if it is fraudulent – before it ever reaches its planned victim.
Far too many companies still rely on traditional filter and signature-based email security, or worse still, expect their employees to be able to spot attackers themselves. The best social engineering attacks are specifically designed to play on the victim’s psyche and get them to relax their guard and comply – while simultaneously evading security systems planned around keywords and malicious attachments.
Organizations that still base their security around these measures in 2018 are leaving themselves – and their employees and customers – open to a major attack.