The recent security events at RSA and Epsilon have once again raised the issue of social media engineering attacks against enterprises. RSA employees were targeted by an email titled “2011 Recruitment Plan.” Its subject seemed relevant and interesting enough for the targeted employees to open it. The email included an attachment that exploited a Flash vulnerability in order to install malware on the employees’ computers. This is the essence of social engineering. So how do cyber criminals trick users into voluntarily doing something they shouldn’t?
The recent massive data leak from email service provider Epsilon will result in more employees being exposed to such attacks. At IBM, we have been monitoring social engineering attacks for some time and consider this method to be one of the most effective tools available to cyber criminals. Today, we’d like to share with you the results of a new research project we conducted on social engineering attacks and whether user education would defend against them.
Common Types of Attacks
While many experts believe that social engineering attacks can be defeated with proper user education, our research has shown otherwise. We have found that a carefully crafted attack will fool even the most educated users.
As a security best practice, users are told that if something calls for immediate action or looks uncommon, too good to be true or unlikely, it is most likely an attack. For example, phishing emails that encourage users to click on a link in order to unlock their bank account meet most of these criteria. It is unlikely for a bank to contact customers this way, and it calls for immediate action. Similarly, an email from tax authorities about a pending refund is probably too good to be true and such information would likely not be conveyed via email.
These types of attacks can be explained to users and most likely avoided. Of course, in large populations, some users will still fall for these attacks regardless of how much effort is put into education. The tools that organizations have to train their customers are often not effective enough to reach all customers and simply convey the message.
Researching Social Engineering Attacks
But what if the attack email is commonplace, doesn’t call for immediate action and isn’t too good to be true?
Most users today get updates from social networking websites such as Facebook, Twitter and LinkedIn. These updates arrive on an almost daily basis and are reviewed by many users. All these social networking sites include multiple links in their emails, and it’s very common for users to click on these links. We all know that fraudsters actively use fake messages from social networking websites in order to install malware on victims’ computers. But how easy is it to create an effective attack? How likely is it that educated users will actually fall for this attack?
These are the questions our research was designed to answer. We decided to focus on LinkedIn, even though we could have chosen Facebook or any other social networking website. We picked a population of 100 users comprising friends, family and other people we knew who seemed to be fairly educated about security. We asked their permission to take part in a security experiment that would not in any way put them at risk. However, we did not tell them what we were testing or how.
First, we created a new identity on LinkedIn for the purposes of the study. Next, through very simple data-mining techniques, we were able to gather information about our targets — specifically their list of connections and their connections’ LinkedIn profiles.
Since LinkedIn sends an alert when one of your connections has a new job, we decided to use this update method to create a fraudulent email. For each one of our targets, we crafted a fictitious new job alert. We chose one of their LinkedIn connections and announced that this person was now working for a company that directly competes with the victim’s company. We included a big button that said, “View [friend’s name] new Title,” just like LinkedIn does in its alerts; we also included the friend’s photo, just like LinkedIn does.
Clicking on the button redirected the victim to a different website, not LinkedIn. The website we used was innocuous, but it was a placeholder for a potentially malicious website that would place malware on the victim’s computer.
We released this email to all 100 subjects on the same day and monitored who clicked the link and reached our landing page. Forty-one subjects reached our landing page within 24 hours, 52 subjects reached our landing page within 48 hours and 68 subjects reached our landing page within seven days. The total time we invested in this project while building the attack was 17 hours.
We approached the 32 subjects who didn’t reach our landing page and asked them why they didn’t click on the link. Sixteen said they never saw the email (it probably went to their spam folder); seven said they don’t usually read LinkedIn updates; nine said that the update was not interesting enough for them to click the link.
This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computers. Education is always recommended and can certainly help, but in this case, education did not prevent this attack. As we learned, cyber criminals have access to the information needed to create fraudulent emails that can fly under the radar of even the most security-savvy users.
The solution to this problem must be based on technology and must use more than one prevention method. Based on these findings, we strongly recommend that organizations reevaluate their approach to targeted attacks since they represent the most dangerous type of threat to their business.
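The fake job alert described above looked like a LinkedIn message, but its button led to a different website. The following mail-filter check flags that mismatch; it is an added example, not part of the original research, and the sample message, the function names and the list of legitimate link domains are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: domains a genuine alert from the brand links to.
BRAND_DOMAINS = {"linkedin": ("linkedin.com", "licdn.com")}

# Constructed sample resembling the fake "new job" alert; not a real message.
SAMPLE = """\
From: LinkedIn Updates <updates@linkedin.com>
Subject: Alex Doe has a new job
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alex Doe is now Director at Example Corp.</p>
<a href="http://landing.example.net/view?id=17">View Alex's new Title</a>
<a href="https://www.linkedin.com/settings">Unsubscribe</a>
</body></html>
"""

class _Links(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_matches(host, suffixes):
    """True only for the domain itself or a real subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def off_brand_links(raw):
    """Return links that leave the domains of the brand the sender claims."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").lower()
    brand = next((b for b in BRAND_DOMAINS if b in sender), None)
    if brand is None:
        return []  # message does not claim to be from a tracked brand
    parser = _Links()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            data = part.get_payload(decode=True) or b""
            parser.feed(data.decode(part.get_content_charset() or "utf-8", "replace"))
    hosts = [(u, urlsplit(u).hostname) for u in parser.hrefs]
    return [u for u, h in hosts if h and not host_matches(h, BRAND_DOMAINS[brand])]
```

The check keys on the brand the message claims in its From header, which an attacker controls, so it is one layer to combine with sender authentication results (SPF, DKIM, DMARC) rather than a replacement for them.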