Joe is speaking at the RSA Conference, April 16-20, 2018 in San Francisco. 

Social engineering is a growing epidemic that can be either an endgame in itself or a stepping stone toward bigger threats such as ransomware. This age-old tactic can be traced back to the Trojan Horse story featured in Virgil’s “Aeneid” and Homer’s “The Odyssey,” from which the Trojan class of malware gets its name.

As the legend goes, the Greeks built the horse as bait for the Trojans to claim as a trophy of victory. They left a single man behind to tell the Trojans that the horse was an offering to the goddess Athena to atone for the Greeks’ atrocities. The Greeks even pretended to sail away to make the pretext more credible. After the Trojans brought the massive wooden horse inside their walls, 30 of the best Greek warriors climbed out of its belly in the night and sacked the city.

Modern Social Engineering Tactics

Today, social engineering exists in a variety of forms, including phishing, spear phishing, vishing (voice phishing), pretexting (impersonation), whaling (phishing targeting the C-Suite), smishing (SMS phishing) and more. Of these threats, phishing and spear phishing seem to be the most common.

Think of the typical ebb and flow of emails: You might receive legitimate messages, sales pitches, spam and bald-faced phishing attempts throughout the course of a normal day. Run-of-the-mill phishing emails will likely wind up in your spam folder, but with a little open source intelligence (OSINT), an attacker can develop a pretext to appear at least quasi-legitimate.

Collecting OSINT

When I evaluate targets, I look at them holistically, both inside and outside of work. How can I build a rapport with them? What are they telling me via social media, and what can I find outside of that context? Does a target post selfies and pictures of his or her workplace? Does he or she have to wear personal protective equipment (PPE)? Are there any pictures of the target with security-relevant details in view, such as an access badge or a password written on a sticky note?

The data points listed above are all examples of OSINT. Using the goals of the DEF CON Social Engineering Capture the Flag (SECTF) competition as a reference, other considerations include:

  • Trash company and dumpster locations;
  • Janitorial services;
  • Food services;
  • IT customers and vendors;
  • Technologies used, such as virtual private network (VPN), wireless and service set identifier (SSID), operating system (OS), browser and antivirus;
  • Work schedule;
  • Training patterns; and
  • Exterminators.

Knowing some of these “flags” could enable attackers to pick exploits that fit the technologies used in the target’s workplace. Threat actors could also build a story around these details to establish rapport with the victim and either extract more information or influence the target to do their malicious bidding. The careers page of a company’s website is an excellent place to start: an attacker can discover what the organization is hiring for and sometimes even deduce specific software versions from the skills a job listing asks for.

Baiting, Vishing and Phishing

Social engineering attacks can involve many types of threats, but for the sake of time and space, let’s focus on baiting, vishing and phishing.

Baiting is the simplest form: An attacker leaves a USB drive, or posts a QR code, labeled to entice the target to plug it in or scan it, and the payload, typically malware or a reverse shell, runs on the target’s system when he or she does. Common labels include:

  • Property of the CEO;
  • Bonuses;
  • Terminations;
  • Mergers and Acquisitions; and
  • W-2s.

Vishing takes a little more work. It is probably the most intense form of social engineering since the attacker must interact with the target in real time over the phone and improvise to keep the ruse going. A threat actor might pretend to conduct a survey as an excuse to ask intrusive questions. For these reasons, voice-based phishing generally requires more OSINT research than other schemes.

Finally, email phishing is the most common form of social engineering. An attacker simply sends an email in an attempt to influence the recipient to click a malicious link, download malware or enter personal information. I like to send emails from look-alike domains that resemble standard email providers and have valid mail exchange (MX) records, so the sending domain resolves and passes basic sender checks, and use them to direct my targets to another domain in a cloud instance. Registering such look-alike domains is a form of domain squatting, usually called typosquatting. I usually ask the target for his or her email address and password, and then prompt him or her for password reset questions.
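A defender can run the same look-alike logic in reverse on inbound mail. The following is an added example, not code from the original article: it folds a sender domain (punycode, accents, digit and Cyrillic look-alikes) into a plain form and compares it with a list of trusted domains by exact match, subdomain, edit distance and embedded brand name. The trusted list, the homoglyph table, the distance threshold and the sample senders are constructed for illustration; normalize, levenshtein, classify and report are this example's own names.

```python
"""Flag sender domains that only look like a trusted one.

Added example, not code from the original article. The trusted-domain list, the
homoglyph table and the sample sender domains are constructed for illustration.
"""
import unicodedata

# Substitutions attackers use because they look alike in many fonts.
# Assumption: a small illustrative table, not a full Unicode confusables list.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",                          # multi-character look-alikes
    "0": "o", "1": "l", "3": "e", "5": "s",        # digits for letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р с х
}


def normalize(domain):
    """Lower-case, decode punycode (IDN) labels, strip accents, fold look-alikes."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")   # xn--pple-43d.com -> аpple.com
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    for lookalike, plain in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(lookalike, plain)            # longest keys first (rn before n)
    return d


def levenshtein(a, b):
    """Edit distance; one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, trusted_domains, max_distance=2):
    """Return (verdict, trusted domain it resembles). Both sides are folded the same
    way, so a genuine domain always compares equal to itself."""
    norm = normalize(sender_domain)
    raw = sender_domain.strip().lower().rstrip(".")
    for trusted in trusted_domains:
        tnorm = normalize(trusted)
        if norm == tnorm:
            return ("trusted" if raw == trusted.lower() else "homoglyph", trusted)
        if norm.endswith("." + tnorm):
            return ("trusted-subdomain", trusted)
        if levenshtein(norm, tnorm) <= max_distance:
            return ("typosquat", trusted)
        brand = tnorm.split(".")[0]                # "paypal" from "paypal.com"
        if brand in norm:                          # paypal-secure-login.net
            return ("brand-embedded", trusted)     # note: short brand labels over-match
    return ("unrelated", None)


TRUSTED = ["apple.com", "paypal.com", "google.com"]

# Constructed sample senders; the IDN one is built at runtime so the punycode is right.
SAMPLE_SENDERS = [
    "paypal.com",
    "mail.google.com",
    "paypa1.com",
    "\u0430pple.com".encode("idna").decode("ascii"),  # leading Cyrillic а
    "googie.com",
    "paypal-secure-login.net",
    "example.org",
]


def report(senders=SAMPLE_SENDERS, trusted=TRUSTED):
    return {s: classify(s, trusted) for s in senders}


if __name__ == "__main__":
    for sender, (verdict, resembles) in report().items():
        print(f"{sender:28} {verdict:18} {resembles or ''}")
```

Two design choices matter here. Folding is applied to the trusted domain as well as the sender, so an aggressive homoglyph table cannot turn a legitimate domain into a false positive against itself. And the verdict order goes from cheapest and most certain (exact match) to fuzziest (brand name embedded somewhere in the string), so a mail gateway can stop at the first hit.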

Training and Phishing Awareness

To defend your organization against various types of phishing attacks, you should employ the same baseline training for all employees periodically — I recommend monthly or quarterly. This will keep security and social engineering at the forefront of their minds. Beyond general education, you should conduct role-based training for specific groups, including:

  • Senior management;
  • Sales;
  • Human resources;
  • Accounting;
  • Purchasing;
  • Customer support/help desk; and
  • IT.

It’s crucial to train employees from the top down. In my experience, C-level executives typically trust emails and phone calls they receive because they have presumably passed through numerous layers of security.

As part of awareness training, you should proactively run phishing simulations to test your employees. This will keep them on their toes and condition them to respond and report when they suspect a phishing attempt. You should also consider social engineering when formulating your incident response plan.

When reporting a phishing incident, employees should consider the following factors:

  • Who should they contact? This should be a specific person or group — not just the IT or security department.
  • How should they contact the relevant parties? When reporting email incidents, employees should not use email, for example.
  • What information should they provide?
  • What actions should they take regarding the affected computer or device (e.g., unplug the computer from the network, power down or restart the device, log off, hibernate, do nothing, etc.)?
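Much of what a reported message should carry can be pulled out mechanically before a human looks at it. The following is an added example, not code from the original article: it parses a raw message with Python's standard email module, records the fields a responder will ask for (sender, Reply-To, Return-Path, Message-ID, Received hops, links) and flags three inconsistencies that phishing lures commonly share. The sample message, its domains, the 203.0.113.7 address and the function names (triage, extract_links, host_of) are constructed for this example.

```python
"""Triage a reported phishing e-mail: extract what a responder needs from the raw
message and flag common header/body inconsistencies.

Added example, not code from the original article. The message below is constructed;
its domains and addresses are placeholders.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a credential-reset lure with a spoofed display name,
# a diverted Reply-To and a link whose text does not match its target.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-example.net>
Received: from mailer-example.net (unknown [203.0.113.7]) by mx.example.com with ESMTP id 4f2a1; Mon, 16 Apr 2018 09:12:03 +0000
From: "IT Service Desk <helpdesk@example.com>" <reset-notice@mailer-example.net>
Reply-To: recover@example-accounts.net
To: jane.doe@example.com
Subject: Action required: your password expires today
Date: Mon, 16 Apr 2018 09:12:00 +0000
Message-ID: <20180416091200.4f2a1@mailer-example.net>
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Renew it here:
<a href="https://example-accounts.net/reset?u=jane">https://sso.example.com/reset</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\b[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#\s]|$)", re.I)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def host_of(url):
    """Host part of a URL; bare hosts get a scheme so urlparse sees them as URLs."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def extract_links(html):
    """(href, visible text) for every anchor, with inner tags stripped."""
    return [(href, TAG_RE.sub("", text).strip()) for href, text in ANCHOR_RE.findall(html)]


def message_body(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message):
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Display-name spoofing: the name shows one address, the header carries another.
    for shown in ADDR_RE.findall(from_name):
        if domain_of(shown) != from_dom:
            findings.append(f"display name shows {shown}, actual sender domain is {from_dom}")

    # 2. Replies or bounces diverted to a third domain.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To {reply_to} is not in the From domain {from_dom}")
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path {return_path} is not in the From domain {from_dom}")

    # 3. Link text that names one host while the href points at another.
    links = extract_links(message_body(msg))
    for href, text in links:
        shown = HOST_IN_TEXT_RE.search(text)
        if shown and shown.group(1).lower() != host_of(href):
            findings.append(f"link text shows {shown.group(1)} but points to {host_of(href)}")

    return {
        "subject": msg.get("Subject", ""),
        "message_id": msg.get("Message-ID", ""),
        "from": from_addr,
        "from_display_name": from_name,
        "reply_to": reply_to,
        "return_path": return_path,
        "received_hops": len(msg.get_all("Received", [])),
        "links": links,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key:18} {value}")
```

The point of the structured result is the reporting checklist above: a user who forwards the original message as an attachment (not inline, which strips the headers) gives the responder everything this function needs, and the responder gets the same facts in the same shape every time.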

Finally, you should employ a nonpunitive policy for phishing. We’ve all clicked a malicious link at some point in our careers, and the last thing you want is for people to avoid reporting suspicious activity for fear of being punished or terminated.

Social engineering dates back to ancient times and isn’t likely to slow down anytime soon. The best way to defend against phishing and other forms of social engineering is to spread awareness throughout the organization and train all users, from rank-and-file employees to the C-suite, to be wary of the wooden horses that roll through their networks.

Listen to the podcast to learn more: Social Engineering 101 — How to Hack a Human
