CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
According to Verizon Data Breach Incident Report 2020, 22% of data breaches involved social engineering, and 96% of these were executed through emails. Social engineering preys on specific emotions within the human psyche to achieve its objectives; hence, understanding social engineering and how it works is key to allowing us to better guard against such threats. This edition of CyberSense takes a closer look at common types of social engineering through several recent, real-world examples.
WHAT IS SOCIAL ENGINEERING?
Social engineering refers to the “psychological manipulation of people into performing actions or divulging confidential information”. Common social engineering techniques include:
- Phishing/Spear Phishing. These are usually carried out by sending emails with links to malicious sites or with malicious attachments. The key to these common social engineering attempts is gaining the victims’ trust, and phishing emails sent by attackers typically bear the distinctive trademarks of an organisation (such as its logo or other characteristics) to make them look legitimate. Phishing messages may also leverage other emotions - such as fear and anxiety - to amplify their impact and obtain a quick response. The difference between phishing and spear-phishing lies primarily in targeting and sophistication: phishing emails are typically sent to a large number of recipients at random, while spear-phishing involves specific targets or groups and usually carries specific messages applicable only to them.
- Pretexting. Closely related to spear-phishing and again preying on victims’ trust, attackers here focus on creating a good pretext (a fabricated scenario) to steal victims’ information. In these attempts, the attackers will usually come up with a story and claim that they need some information from the victim in order to confirm the latter’s identity or complete a transaction. They might impersonate government agencies, banks and even the IT helpdesk of the victims’ organisation, requesting personal details for verification, or login credentials so that they can apply security patches to the victims’ devices.
- Baiting and Quid Pro Quo. As its name implies, ‘Baiting’ preys on curiosity and greed, or the ‘Fear of Missing Out (FOMO)’. Baiting typically exploits victims’ curiosity, for example by offering access to exclusive or confidential information about major events; alternatively, it can involve freebies and gifts to entice victims to provide certain information or perform certain actions. ‘Quid Pro Quo’ is similar to baiting, but the promised benefit is a service in exchange for information, as opposed to the goods or items offered in baiting.
REAL WORLD SOCIAL ENGINEERING EXAMPLES
Case Study 1: Twitter Account Hack
In July 2020, hackers took over several high-profile Twitter accounts - including those of Elon Musk, Joe Biden and Bill Gates - through the unauthorised use of internal administrative tools available only to the company’s employees. It is widely believed that one of the scammers convinced a Twitter IT staff member that he was a co-worker in order to gain access to the admin tools, and subsequently posted tweets from as many as 45 Twitter accounts. Followers of these accounts saw tweets about "giving back to the community", in which bitcoin donations would supposedly be returned doubled. The scammers managed to trick more than 300 users into sending them bitcoins.
Case Study 2: Local Subscriber Identity Module (SIM) swap Incident
In July 2020, it was reported that a subscriber’s mobile service was allegedly terminated by a scammer in a SIM swap hack. In such incidents, the hacker would typically start by gathering personal details about the victim. The hacker would then contact the victim’s telecommunications provider and, impersonating the victim with the relevant personal details on hand, attempt to convince the provider to port the mobile number to the hacker’s SIM (or telephone number)*. If the swap is successful, all calls and messages to the mobile number will be directed to the hacker's device, which can then potentially be used to compromise the victim’s accounts on platforms and services that use the mobile device as a second factor for authentication.
* This feature is normally used when a customer has lost their mobile phone or is switching service to a new phone.
Case Study 3: Magellan Health Breach
In the Magellan Health breach (April 2020), the attacker gained access to Magellan’s systems through a phishing email that impersonated a client. Thereafter, the attacker exfiltrated data, including sensitive personal information, and deployed ransomware on the company’s systems. This incident clearly illustrates that social engineering can also serve as the entry point for secondary, and more devastating, cyber-attacks.
Case Study 4: Founder of Real Estate Brokerage Almost Scammed
In Feb 2020, Barbara Corcoran, founder of real estate brokerage firm Corcoran Group, nearly lost $400,000 to an email phishing scam. The scammer posed as her assistant and requested payment from Corcoran’s bookkeeper for a recent renovation. There was no suspicion of a scam initially, as Corcoran invested in real estate and the phishing email came from an email address that was very similar to the assistant's email address (differing by one misspelled letter).
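The lookalike address in Case Study 4 differed from the real one by a single letter, which is exactly what an edit-distance check catches. The following is an added example (not part of the CyberSense bulletin or any referenced organisation's code) that flags inbound sender addresses which are near-misses of a trusted contact list or of a trusted domain; the contact list and the example.test domain are constructed, and the distance threshold of 2 is an assumption.

```python
# Added example: flag sender addresses that are near-misses of trusted
# contacts or trusted domains (the lookalike pattern in Case Study 4).
# TRUSTED_* values are constructed; example.test is a placeholder domain.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


TRUSTED_ADDRESSES = {"assistant@example.test", "bookkeeper@example.test"}
TRUSTED_DOMAINS = {"example.test"}


def classify_sender(sender: str, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike of ...', or 'unknown' for one sender."""
    addr = sender.strip().lower()
    if addr in TRUSTED_ADDRESSES:
        return "trusted"
    # Whole-address near miss, e.g. one letter dropped or swapped.
    nearest = min(TRUSTED_ADDRESSES, key=lambda t: edit_distance(addr, t))
    if edit_distance(addr, nearest) <= max_dist:
        return f"lookalike of {nearest}"
    # Domain near miss: an unknown local part on a domain resembling ours.
    domain = addr.rsplit("@", 1)[-1]
    for td in TRUSTED_DOMAINS:
        if domain != td and edit_distance(domain, td) <= max_dist:
            return f"lookalike of domain {td}"
    return "unknown"


if __name__ == "__main__":
    for s in ("assistant@example.test", "asistant@example.test",
              "boss@exarnple.test", "random@other.test"):
        print(f"{s:28} -> {classify_sender(s)}")
```

A "lookalike" verdict is a reason to verify a payment request out of band with the purported sender, not proof of fraud on its own.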
As illustrated in the case studies, social engineering attacks exploit human behaviour and are not always technological in nature. Attackers may leverage information about their targets (e.g. personal details or information about their organisation) to bring the victims’ guard down. They might pretend to be a client and take over a service from a victim, or impersonate a co-worker or someone familiar to request information or help. As such, our mindset needs to evolve from one of trust to one of caution, and individuals and employees need to be mindful of such threats in order to recognise social engineering attempts. For more cybersecurity tips, please visit the Gosafeonline and SingCERT websites.
Sources: AsiaOne, Bleeping Computer, CNN, CSO, ISACA, Terranova Security, Tripwire, Verizon Data Breach Incident Report 2020