Instead of relying on advanced tools or complex scripts, experienced attackers penetrate systems and steal data using the most effective weapon of all: social engineering. Social engineering lies at the intersection of cybersecurity and psychology, exploiting human behavior to achieve malicious goals.
From the legendary scams of Kevin Mitnick to today’s AI-driven threats, cybercriminals have come a long way, constantly developing new tactics. In recent years, social engineering attacks have become more strategic and precise.
Attackers no longer focus solely on stealing small amounts of money from as many people as possible. Instead, they primarily target individuals within a company who have extensive privileges. These can include elevated network permissions, access to remote tools and sensitive data, or the ability to carry out large financial transactions.
AI-Criminal intelligence
The triumph of artificial intelligence does not stop at social engineering. One technique that has developed particularly in this area is pretexting. This involves the victim feeling compelled to follow the attacker’s instructions based on false assumptions. Cybercriminals pose as partners, customers, or high-ranking executives and trick their victims into transferring money, for example.
A large asset management company was recently hit by such a social engineering attack. It became apparent that the attackers had conducted extensive research in advance and focused specifically on a high-ranking group leader in the finance department.
The attack began with a fake non-disclosure agreement (NDA) that looked like it came from DocuSign. The perpetrators pretended to be from a partner with whom the company already worked. A manager then signed the document. He was then asked to call the phone number provided in the email. However, no one answered the call.
The next day, he received a call back from the supposed partner and its CEO. During the conference call, the CEO confirmed the authenticity of the NDA and explained that a deposit was required to begin work. As a result, the group leader transferred a deposit of one million euros to the fraudster.
Upon investigation, it turned out that the real CEO had never participated in the call. The attacker had cloned the company boss’s voice using AI to manipulate the group leader.
It’s raining (phishing) emails
Unlike other attacks in the cybersecurity landscape, social engineering does not focus on exploiting vulnerabilities in code or network architecture. Instead, it exploits human behavior, which is often the weakest link in the security chain. And stress on an already busy day is an extremely effective trigger.
The following examples show how strategic social engineering attacks have become:
Step 1: Create a problem
Attackers can create technical problems to make their stories more convincing. A common method is email bombardment or graymail flooding. The attacker registers the victim’s email address with numerous services, resulting in an enormous number of legitimate emails. For example, one victim received 3,000 emails in less than two hours.
Step 2: Present yourself as the savior
In the cases investigated, the victim was always called by someone posing as a help desk manager. The caller promised to solve the problem so that the workday could continue as planned. The attacker attempted to get the victim to reveal their login details or grant access to their desktop via phone call, which was often successful in the supposed emergency.
False team play
In connection with social engineering, a sharp increase in complex vishing (voice phishing) attacks has also been observed. For example, the hacker group Black Basta uses legitimate Microsoft Teams logins to gain the victim’s trust via a Teams call from a user named “Helpdesk,” “Support Team,” or “Helpdesk Manager.”
The attackers pose as internal IT staff and trick victims into using the Windows app “Quick Assist.” The use of this tool lends more credibility to the fraudsters’ actions, as it is a legitimate Windows tool that does not trigger any security warnings. Victims are then tricked into using the key combination “Ctrl + Windows key + Q,” which opens a window and generates a code.
This allows the attackers to access the victim’s computer. The cybercriminals then attempt to extend their privileges and move laterally within the systems. In one of the cases investigated, several terabytes of data were stolen from the entire environment within a few days.
What security managers can do
Protecting employees from sophisticated social engineering traps is difficult and complex. However, several technical and human strategies can help reduce the likelihood of successful attacks:
Both Teams and Zoom offer options to restrict communication to trusted domains and organizations only. Although implementing and listing all trusted partners takes some time, this can be a very effective step.
Some attackers exploit the built-in remote capabilities of video chat applications. Both Zoom and Teams allow you to set whether external participants can remotely access the screens of other participants during a call. Although there are slight differences between the platforms, it is advisable to review the features of each platform and configure them according to your organization’s requirements.
Implementing conditional access is a key factor in strengthening access control within the company. Conditional access policies are, in the simplest case, if-then statements: if a user wants to access a resource, they must perform an action. Or, if a user wants to access an application or service such as Microsoft 365, they must perform multi-factor authentication to gain access. Security managers can implement conditional access policies to restrict access based on geographic locations, user types, applications, and even a token protection policy.
Basically, all security efforts are about limiting the blast radius, i.e., the potential damage that a compromised account can cause. This reduces cyber risks in the long term, regardless of how attackers want to achieve their goal. And in the vast majority of cases, that goal is a company’s sensitive data. That’s why employee protection and awareness must start at this very point.
This article is published as part of the Foundry Expert Contributor Network.
Want to join?
No Responses