A month in the life of a social engineer – part one
With hackers finding more ingenious ways to exploit human flaws, we get inside the planning stages of a social engineering attack


With social engineering set to plague 2022, understanding cyber criminals’ tactics, and the mistakes they make, might help us defend against their efforts. The final entry in our four-part series reveals how to avoid devastating consequences when a social engineer pulls the trigger.
Once an attacker has tricked an employee into compromising a corporate network, you might be forgiven for thinking the social engineering exercise is over. This process can, however, carry on for years without the target organisation, or even those within its global supply chain, ever knowing.
SolarWinds was a cleverly identified target. Once attackers had established a backdoor into SolarWinds' code, they moved automatically into the networks of clients, including Microsoft, when they updated their software. The malware roamed through US computer networks for at least nine months undetected.
It's difficult to predict how regularly this happens in other supply chains. Once a social engineer has installed a backdoor, they can then come and go; studying transactions, monitoring communications, gathering information about customers and clients, and even collecting audio samples to use in a deepfake attack. All this activity allows the cycle of infiltration and manipulation to continue undetected.
Look and learn
Even in relatively simple attacks, the social engineer will bide their time between the initial compromise and making off with data or money. Kevin Curran, senior IEEE member and professor of cyber security at Ulster University, points to a cash theft from a law firm. First, an employee was tricked into downloading malware to the company's Microsoft Exchange network. The attacker then spent weeks patiently studying the servers, before finally using what they learned to craft a second fake message, this time to steal a mortgage deposit.
Once hackers established a backdoor into SolarWinds, they remained undetected for months
"They were hiding in plain sight," says Curran. "From reading emails, they knew when a deposit transfer would be legitimate and what it would look like. The client knew they'd have to send £40,000, so they were expecting it. And, of course, they sent the money off to the wrong account. A few days later, they rang up the law firm and said: 'Did you get the deposit?' They hadn't; the money was completely gone."
Sophisticated malware is able to delete itself and its audit trails once the attack is done, but most malware stays on the system and is never found, says Curran. "Your average IT administrator would find it really hard to detect a backdoor. We have intrusion detection and prevention systems, we have SIEMs (real-time monitoring) software that looks for outliers and nefarious activity as such, but it's generally impossible. There's literally millions of packets of data flowing through a corporate network every second. How do you control and monitor every single subsystem?"
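Curran's point is that a SIEM looks for outliers in a flood of traffic. The script below, an added example that is not part of the article or any product it mentions, shows the shape of two such outlier rules run over a handful of constructed proxy log lines: a host that contacts one destination at a near-constant interval (beaconing), and a destination that only a single host on the network ever talks to. Host names, the destination address 203.0.113.42 and the log format are all assumptions made for the example.

```python
"""Toy SIEM-style outlier rules over constructed proxy log lines.

Added example, not code from the article. The two signals it scores are ones
a quiet backdoor tends to leave behind: regular check-ins to its controller,
and a destination nobody else on the network uses.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination> <bytes>".
# Every line here is made up for the example; 203.0.113.0/24 is a
# documentation range, not a real controller.
SAMPLE_LOG = """\
2022-01-10T09:00:00 ws-07 updates.example.com 5120
2022-01-10T09:00:00 ws-12 updates.example.com 4700
2022-01-10T09:01:00 ws-07 cdn.example.org 2200
2022-01-10T09:05:00 ws-03 updates.example.com 5100
2022-01-10T09:10:00 ws-07 203.0.113.42 310
2022-01-10T09:15:00 ws-12 mail.example.com 9000
2022-01-10T09:20:00 ws-07 203.0.113.42 312
2022-01-10T09:25:00 ws-03 cdn.example.org 2100
2022-01-10T09:30:00 ws-07 203.0.113.42 305
2022-01-10T09:31:00 ws-12 cdn.example.org 2300
2022-01-10T09:40:00 ws-07 203.0.113.42 318
2022-01-10T09:50:00 ws-07 203.0.113.42 300
2022-01-10T09:52:00 ws-03 mail.example.com 8800
"""


def parse(log_text):
    """Turn the assumed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return (src, dst, interval_seconds) for pairs whose contact gaps are
    nearly constant: at least min_hits contacts and a coefficient of
    variation of the gaps no larger than max_jitter."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        stamps_by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return beacons


def rare_destinations(events, max_sources=1):
    """Destinations contacted by no more than max_sources distinct hosts."""
    sources = defaultdict(set)
    for _, src, dst, _ in events:
        sources[dst].add(src)
    return sorted(dst for dst, hosts in sources.items() if len(hosts) <= max_sources)


def triage(log_text):
    """Combine the two rules: a beacon to a destination nobody else uses is
    the finding worth an analyst's time first."""
    events = parse(log_text)
    rare = set(rare_destinations(events))
    return [b for b in find_beacons(events) if b[1] in rare]


if __name__ == "__main__":
    for src, dst, interval in triage(SAMPLE_LOG):
        print(f"{src} checks in with {dst} every {interval}s and is the only host that does")
```

On the sample data the only finding is ws-07 contacting 203.0.113.42 every 600 seconds. The thresholds are deliberately simple; in practice a rule like this needs a baseline of what "normal" destinations look like for each host, and beacons that add random jitter to their interval will slip under a tight coefficient-of-variation cut, which is why real detections usually layer several weak signals rather than trust one.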
Carry on conning
Most social engineering attacks end with the theft of data. The attacker also has to monetise the stolen data, for instance by using it to scam the company's customers, or in the next stage of a supply-chain attack. Often, though, they'll sell it to third parties and then fence their ill-gotten goods. This helps to lower the risk while maximising profit in the shortest possible time.
Ransomware is a particularly efficient way to monetise a social engineering attack. With 84% of US organisations reporting phishing or ransomware incidents in July last year, according to Trend Micro, it seems attackers frequently use both tactics. Indeed, ransomware management requires good human manipulation skills. A carefully crafted ransomware demand can tie the victim into a long-term hostage arrangement that keeps on paying.
"A lot of companies pay the ransom secretly, because they don't want to damage their brands," former fraudster and We Fight Fraud founder Tony Sales tells IT Pro. "That's dangerous, because now you're in an agreement with a criminal who owns you forever. It's like criminals getting an officer under their wing in prison."
Tony Sales is a former fraudster and founder of We Fight Fraud
What's the answer? Security software can't stop human manipulation, but it can block the technical exploit, so antivirus remains vital. Email security solutions can keep malicious messages at bay, but they need to be configured carefully. Two-factor authentication (2FA), disabling remote access to unnecessary servers, and bringing in audio passwords to defeat deepfakes will all help.
Tech solutions are only effective if staff are able to use them, however, cautions Sales, whose organisation trains companies and employees to spot attackers' tricks. "The tech guys understand all that stuff, but not poor old Bob or Sheila who gets caught out on the company email they've been using forever," he says. "Security is convoluted and complex, and that's part of the problem."
Perhaps the answer is to fight social engineering with social engineering. Don't blame employees for falling for phishing tricks, or exclude them from security decisions. Instead, get them involved. One "highly effective" option is to encourage staff to report suspected phishing attempts, finds a 2021 F-Secure report. A full one-third (33%) of emails reported by staff as suspicious were, indeed, malicious.
Harnessing your employees’ eagerness to excel at their jobs, and their desire to be involved in decisions, before a criminal has the chance to exploit those very qualities, is among the most viable routes to overcoming a social engineer in action.
Jane Hoskyn has been a journalist for over 25 years, with bylines in Men's Health, the Mail on Sunday, BBC Radio and more. In between freelancing, her roles have included features editor for Computeractive and technology editor for Broadcast, and she was named IPC Media Commissioning Editor of the Year for her work at Web User. Today, she specialises in writing features about user experience (UX), security and accessibility in B2B and consumer tech. You can follow Jane's personal Twitter account at @janeskyn.