Social engineering the new norm for hackers, nation-states

News by John Walker

McAfee's new 'Hacking the Human Operating System' whitepaper focuses on the use of social engineering to attack home and business users, and finds once again that people are the weakest link.

The report outlines many of the well-known scams which deliver millions of hooks into homes and businesses on a daily basis, with the intention of enticing the unaware end-user to respond to a targeted harvesting communication, or to click on a malicious link carrying whatever payload the attacker has crafted.

Some of the report's key findings include that two-thirds of the world's email is now spam, and that there has been a sharp increase in phishing emails, with McAfee now tracking more than 30 million suspect URLs. Meanwhile, 80 percent of workers are unable to detect common and frequently-used phishing scams.

Researchers note there are four stages to a social engineering campaign: research, hook, play and exit. The report also reveals that everyone from script kiddies and insiders to hackers, nation-state actors, terrorists and private investigators now uses social engineering as an attack tactic.

One example that has been in high circulation concerns a call to a user who is informed that their PC has been detected on the caller's servers as having a critical fault. The helpful caller then requests that the user press the Windows Key + R, which invokes the Run box, into which the unsuspecting user is encouraged to enter a command, enticing them to become complicit in their own compromise.

Another example of the successful use of social engineering relates to an email targeting business users. This particular scam communication was a 'once in a lifetime offer': the first fifty recipients would receive free tickets to a brand new show running in Covent Garden, and two additional lucky winners would secure a dinner engagement with no less than David and Victoria Beckham. The show and the celebrity dinner did not exist, but the link did serve an adverse baited payload directly into the protected corporate environment.

Sarb Sembhi, director of consultancy Storm Guidance, told “Social engineering is a real risk whether it is email, telephone call or just turning up at the door. In the private home environment every day we hear stories of people who were taken in by some scheme or another. In the work environment, where users are conditioned to do more in less time and are not always trained to pick up on social engineering, it is no surprise that users don't always identify these threats easily when they arrive at the corporate desktop. However, the real question is, is SE over-hyped? Not in my opinion, but at the same time there are no robust and meaningful statistics showing how many organisations have actually suffered an SE attack, and as to what role the presence of SE had in a subsequent compromise. Until then, in many respects we may only guess at what has happened until such time as the culprits are discovered.”

Peter Wood, CEO of First Base Technologies LLP, added: “Too many organisations are looking for the magic ‘silver bullet’ application to rid all vulnerabilities, exposures and evils of insecurity from their enterprise - but such a solution does not exist today. Only by considering the end-to-end security lifecycle encompassing policies, processes, technology, and people can any form of robust security posture be achieved. The end user and their exposure to the prospect of social engineering should not be underestimated, as it presents that chink in the armour through which unauthorised incursions will seek to exploit any security shortfalls – make no mistake. Social engineering is a very credible risk.”

The McAfee report points out that many organisations develop and deliver user awareness programmes into their business areas, but the effectiveness of such programmes varies. In some identified cases, even after the security training has been delivered, it has done very little to give end users any meaningful security awareness with which to mitigate the threat of a social engineering attack.

It may be a valid assumption that, notwithstanding any technological defences, if organisations fail to educate their end users, and do not start to invest in what may be considered a human firewall, they will continue to suffer the consequences of end-user driven compromise of business environments and the associated assets. However, when we consider the home user, without any orchestrated media campaigns to alert this massive group to the risks they are running when using the internet, they will remain exposed to the global tentacles of the accomplished social engineer.
