In our previous post, Some insights about the twitter social engineering incident. Who’s Behind Epic Twitter Hack?, we analyzed the recent cybersecurity incident at the popular social network.
The attacker, only 17 years old, used one of the techniques currently on the rise: social engineering and, specifically, vishing. Through a phone call and a conversation full of psychology-based persuasion techniques, he was able to obtain the credentials necessary to impersonate famous people and thus carry out an attack with global repercussions. All he needed was to pose as a member of the IT team to get his victim to enter their VPN details on a fraudulent website.
A generalized problem
This is just one of the many cases of social engineering that have taken place recently. Although the previous attack occurred in the United States, it is a problem that happens in all geographies. For example, this same year in Spain the National Police arrested seventeen people for defrauding more than 1.3 million euros from various companies through the so-called CEO fraud.
This attack targets employees or managers of an organization: the attacker impersonates a senior officer (even a C-level executive) of that company to achieve their purpose. In this case, the attackers first obtained sensitive information about the companies in question using different techniques, and then referred to that data when deceiving their victims, which increased their credibility.
Another attack flagged by the Spanish National Cybersecurity Institute (INCIBE) is the Human Resources fraud. It consists of sending an email to the heads of that department while posing as an employee of the company. The message asks HR to replace that employee's bank account details with the attacker's, so that the salary payment is received by the cybercriminal.
The reason behind success
It is clear that the key to all these incidents lies in the human factor. The question to be asked in these cases is: how do attackers trick company employees into acting exactly as they need to? The precise answer is: by exploiting their vulnerabilities.
These vulnerabilities have their origin in the way people are. Although each of us is affected more or less by certain aspects depending on our character, all of them can become a gateway for attackers if the right message is used.
In the case of the multiple companies that fell victim to CEO fraud, choosing the figure of a senior position is not a random move: the objective is to appeal to their authority so that the requested procedure (which, remember, falls outside established protocols) is not questioned, and to promote obedience.
This is not the only way to perform a successful social engineering attack. There are several factors that come into play, so knowing those messages to which we are most vulnerable is essential to be able to strengthen ourselves in terms of cybersecurity.
In this way, incidents such as the one avoided at Tesla can be prevented, where one of the employees alerted the company after having rejected a million-dollar offer to install ransomware on one of the corporate computers. This shows that the awareness of workers is not only possible, but also essential to preserve the security of the information, and this is achieved through a personalized strengthening process according to the needs of each one.
Kymatio includes functionalities that measure how vulnerable a person is to the messages that can be used in a social engineering attack. Based on this, awareness recommendations and real examples are delivered that allow employees to stay alert to the different social engineering attack vectors that can be used to cause an incident.