In an October 2004 report, Gartner indicated that the greatest security risk facing large companies and individual Internet users over the next ten years would be the increasingly sophisticated use of social engineering to bypass IT security defenses (Gartner 152). Fast forward ten years, and social engineering attacks not only remain a costly threat, but they are evolving in ways that make even the most security-conscious people susceptible. In recent times, social engineering attacks have become even more dangerous due to their complexity. We are seeing a rise in multifaceted social engineering attacks: attacks that combine a number of different social engineering mechanisms for a much greater chance of success.
How exactly is a multifaceted social engineering attack executed?
One method we have seen is an attacker sending a rogue invoice or some other form of attachment loaded with malware. This malware allows the attacker to steal access credentials, to gather enough sensitive information to conduct a perimeter break-in, or to transfer funds out of the organization by abusing the accounting system. To ensure the attachment is downloaded or the invoice is opened, the attacker follows up with a phone call, usually within a minute of the email being sent. The caller impersonates an authority figure and requests immediate action. This creates a high-pressure situation in which staff feel obligated to comply with what appears to be an important request.
In May 2013, Symantec publicly unveiled an example of this type of multifaceted social engineering attack, dubbed Operation Francophoned. In this dual-pronged attack, multiple organizations received both direct phone calls and spear-phishing emails from what they believed to be a well-known French telecommunications provider. The attackers responsible had conducted thorough due diligence, gathering published phone numbers and company email addresses so they could establish contact within the organization and make multiple requests.
This highly targeted, persistent, and successful attack resurged even more strongly in February 2014. Attackers distributed a new payload from a number of freshly compromised domains, resulting in a sudden increase in infected organizations. While Operation Francophoned presently only targets French-speaking organizations, we have observed a growing number of multifaceted social engineering attacks targeting organizations from a wide range of sectors including manufacturing, energy, government, research, education, financial, automotive, and healthcare.
Social engineering attacks of any kind tend to be highly successful, but against an organization with uneducated and untrained employees, these attacks are lethal. By combining phishing and vishing attacks, social engineers take advantage of existing weaknesses, such as the dispersed structure of a global company with multiple departments in different geographic locations. They bounce from department to department, targeting different employees until they have gathered enough pieces of information to complete the organization’s puzzle.
The only way to combat these types of attacks is to develop awareness and training programs and to proactively test susceptibility to attacks. Employees who are aware of non-technical attack vectors and understand the value of the information they hold can serve as an organization’s first line of defense against social engineering attacks.
Are you interested in testing your organization’s susceptibility to social engineering attacks or implementing training and awareness exercises? For more information on our real-world social engineering services check out our services page. ‘Til next time….