Do you know that the device in the picture below is actually a piece of stealthy equipment, camouflaged as a working USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all the keystrokes from any Microsoft wireless keyboard in the vicinity? It’s called KeySweeper, anyone can build one for just 10 to 80 EUR, and it’s not the only device with such damaging capabilities. Let us introduce you to the world of Social Engineering.

[Image: KeySweeper, a keystroke sniffer disguised as a USB wall charger]

Social engineering is the art of manipulating people so that they share confidential information with someone who poses as a legitimate entity. The criminals are after all kinds of information: from simply tricking you into sharing your password or your bank details, to secretly installing malicious software on your computer in order to gain control over your assets and your personal network, up to using your computer as a proxy for highly sophisticated cyber crimes or even exfiltrating confidential information from the company you work for.

Criminals tend to use social engineering tactics because it is usually easier to exploit human trust than to discover ways to hack the software you use daily. For instance, it’s easier to fool someone into giving away their personal details and resetting their email account through the security questions than to hack the email system.

Popular Social Engineering Tactics:

There are two main types of Social Engineering attacks, based on their target. The first are targeted attacks (spear phishing), where significant resources are invested in order to get to the victim. The second category consists of mass social engineering campaigns (simply called phishing), which are usually used to infect thousands of people, to spread malicious applications (such as ransomware), to turn their computers into zombies of botnet networks, or to steal personal, banking or contact information. This category usually tends to have less personalised messages, but they’re good enough to infect people.

Popular types of social engineering attacks include:

  • Baiting: An attacker leaves a malware-infected physical device, such as a USB flash drive, in a place where he is sure that it will be found. The finder usually picks up the device and plugs it into his or her computer, unintentionally installing the malware.
  • Phishing: Phishing is when a malicious party sends a fraudulent email disguised as a legitimate one, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware. Typical lures:
    • An urgent request for your help: your ’friend’ is stuck in country X, has been robbed, beaten, and is in the hospital. They need you to send money so they can get home, and they tell you how to send the money to the criminal.
    • A request to donate to their charitable fundraiser, or some other cause, with instructions on how to send the money to the criminal.
    • A claim that there is a problem, for instance that someone has reset your password, and that if you believe this is a mistake you should click on a button to change it back.
    • You’re a winner. The email usually claims to be from a lottery, or a dead relative, or says you are the millionth person to click on their site, etc. But they ask you for all sorts of personal details in order to “confirm” your identity, such as bank account details, a proof of payment, your address, your social security number etc. Just don’t!
  • Spear phishing: Spear phishing is like phishing, but tailored for a specific individual or organization. Examples:
    • Check your password security. You receive an email from your IT/Security department asking you to check your password and see if it meets the minimum requirements of the company’s new password policy.
    • Salary bonus. You receive an email from HR about an unexpected salary bonus, which may contain an attachment that “must be signed”.
    • Email from a colleague/friend. If a hacker gains control of one of your colleagues’ accounts, he could send you a personal message in your colleague’s typing style, based on your previous communication with him or her. The attacker will ask you to take certain actions, such as downloading or opening a file or viewing a website. Will you “answer” to that?
    • All the above and more. Almost all of the mass phishing campaigns above can become targeted actions. Also do not forget that when you or your organisation is targeted, the attacker will usually have significantly more time and resources to reach his goals.
  • Pretexting: Pretexting is when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to work for the IT department and asks for the RDP username and password in order to “check” some minor technical difficulties.
  • Scareware: Scareware involves tricking the victim into thinking his computer got infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker’s malware.
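As an added example (not part of the original article), the following Python script scores an email against the indicators the phishing and spear-phishing lures above rely on: a display name that drops a trusted domain the sender address does not belong to, a Reply-To that routes answers elsewhere, urgency and lure wording, risky attachment types, and a visible link whose text shows a different host than its href. The keyword lists, the `trusted_domains` default and the three sample messages are constructed assumptions; the score is simply a count of independent indicators, not a calibrated probability.

```python
"""Heuristic phishing-indicator scoring for one email message.
Added example, not from the original article. The indicator lists,
the trusted_domains default and the sample messages are constructed."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Wording the lures above rely on (assumed list, not authoritative).
URGENCY_WORDS = ("urgent", "immediately", "asap", "within 24 hours", "stuck",
                 "hospital", "send money", "winner", "lottery", "confirm your",
                 "reset your password", "password policy")
# Attachment types that commonly carry executable content (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm")
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw, trusted_domains=("example.com",)):
    """Return (score, reasons): one reason per independent indicator found."""
    msg = Parser(policy=policy.default).parsestr(raw)
    reasons = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    # Display name drops a trusted domain, but the address belongs elsewhere.
    for trusted in trusted_domains:
        if trusted in name.lower() and from_dom != trusted:
            reasons.append(f"display name mentions {trusted} but sender is {from_dom}")
    # Replies are routed to a domain other than the sender's.
    reply_dom = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from {from_dom}")

    text, html = "", ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text += part.get_content()
        elif ctype == "text/html":
            html += part.get_content()
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment {fname}")

    body = (text + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in body or w in subject]
    if hits:
        reasons.append("urgency/lure wording: " + ", ".join(hits))

    # Visible link text names one host while the href points to another.
    for href, label in HREF_RE.findall(html):
        shown = HOST_RE.search(label.lower())
        target = re.search(r"https?://([a-z0-9.-]+)", href.lower())
        if shown and target and shown.group(0) not in target.group(1):
            reasons.append(f"link text {shown.group(0)} -> {target.group(1)}")

    return len(reasons), reasons


# Constructed sample 1: the "check your password" lure with a spoofed sender.
SAMPLE_PASSWORD_LURE = """\
From: "IT Support example.com" <support@ex4mple-helpdesk.net>
Reply-To: tickets@another-domain.org
To: you@example.com
Subject: Urgent: verify your password meets the new password policy
MIME-Version: 1.0
Content-Type: text/html

<p>Your account will be locked within 24 hours.</p>
<p><a href="http://ex4mple-helpdesk.net/login">https://example.com/login</a></p>
"""

# Constructed sample 2: the "salary bonus" lure with a macro-enabled attachment.
SAMPLE_BONUS_LURE = """\
From: "HR Department" <hr@example.com>
To: you@example.com
Subject: Salary bonus - sign the attached form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please sign the attached form immediately.
--b1
Content-Type: application/octet-stream; name="Bonus_Form.docm"
Content-Disposition: attachment; filename="Bonus_Form.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed sample 3: an ordinary internal message with no indicators.
SAMPLE_BENIGN = """\
From: "Alex" <alex@example.com>
To: you@example.com
Subject: Lunch?
MIME-Version: 1.0
Content-Type: text/plain

Noon at the usual place?
"""
```

Each reason is kept as a human-readable string so the script can feed a ticket or a user-facing warning rather than just a number; in a mail gateway the same function would run on the raw message bytes decoded from the queue.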

 

What devices should raise a red flag in your company’s office?

  • USB wall chargers. Forgotten wall chargers should be double checked. They can hack into your wireless networks, create rogue access points that lure your employees into using them, and intercept or modify their traffic. Sometimes they have sound recording capabilities or even act as a hacking toolkit for the attacker. Almost anything can fit into one of these. An example is KeySweeper.
  • USB sticks. USB sticks should ALWAYS be handed to a technical person who will open the device and inspect its contents in an isolated, sandboxed environment with at least an up-to-date antivirus solution. Look up the Rubber Ducky or the Lan Turtle to see what a USB stick can hide.
  • Wifi routers. Yes, someone could install a malicious router in your office which has tremendous offensive capabilities. A popular solution used by security specialists is called Wifi Pineapple. If you find one, please remove it from your network asap.
  • Ethernet switches. If you discover undocumented ethernet switches, consider removing them asap because they might have traffic recording capabilities.
  • Any suspicious gadget connected to your or your colleagues’ PCs. If you find something new in one of your computer’s USB ports, or it seems that your HDMI connection doesn’t go straight to your monitor, or basically a cable or adapter has a different colour or size or is simply new, you should become suspicious because something fishy is going on.
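The USB-stick and "suspicious gadget" warnings above can be turned into a routine endpoint check. The following Python script is an added example, not from the original article: it parses `lsusb`-style output, reports any device that is not in an approved baseline, and separately flags a composite device that presents a keyboard interface next to mass storage, which is the shape of a stick that types keystrokes on its own. The baseline, the sample `lsusb` lines (only the root hub and the Logitech IDs are real vendor/product IDs) and the per-device interface-class records are constructed for illustration.

```python
"""Audit the USB devices attached to a workstation against an approved
baseline and flag composites that present a keyboard next to storage.
Added example, not from the original article: the baseline, the `lsusb`-style
lines and the interface-class records are constructed for illustration."""
import re

# Real `lsusb` line layout: "Bus 001 Device 002: ID 046d:c31c Logitech, Inc. ..."
LSUSB_RE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")

# USB-IF class codes and the HID boot-interface protocol value for keyboards.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_PROTOCOL_KEYBOARD = 0x01

# Constructed sample output; the root hub and Logitech IDs are real,
# the other two are placeholders.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 1234:0001 Example Corp. Personal flash drive
Bus 001 Device 004: ID abcd:1234 Unbranded composite device
"""

# Constructed per-device interface descriptors as (bInterfaceClass,
# bInterfaceSubClass, bInterfaceProtocol), the fields `lsusb -v` prints.
SAMPLE_INTERFACES = {
    "1d6b:0002": [(0x09, 0x00, 0x00)],                       # hub
    "046d:c31c": [(0x03, 0x01, 0x01)],                       # HID keyboard
    "1234:0001": [(0x08, 0x06, 0x50)],                       # mass storage
    "abcd:1234": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)],   # storage + keyboard
}

# Constructed approved baseline for this workstation.
BASELINE = {"1d6b:0002", "046d:c31c"}


def parse_lsusb(text):
    """Parse `lsusb` output into dicts with bus, dev, id and description."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            bus, dev, vid, pid, desc = m.groups()
            devices.append({"bus": bus, "dev": dev, "id": f"{vid}:{pid}", "desc": desc})
    return devices


def audit_usb(lsusb_text, interfaces, baseline):
    """Return (device id, finding) pairs for anything that needs a second look."""
    findings = []
    for dev in parse_lsusb(lsusb_text):
        ifaces = interfaces.get(dev["id"], [])
        has_keyboard = any(cls == USB_CLASS_HID and proto == HID_PROTOCOL_KEYBOARD
                           for cls, _, proto in ifaces)
        has_storage = any(cls == USB_CLASS_MASS_STORAGE for cls, _, _ in ifaces)
        if dev["id"] not in baseline:
            findings.append((dev["id"], "not in approved baseline"))
        # A device that can type keystrokes while looking like a plain stick
        # is exactly the pattern the USB-stick warning above is about.
        if has_keyboard and has_storage:
            findings.append((dev["id"], "keyboard interface alongside mass storage"))
    return findings


if __name__ == "__main__":
    for dev_id, finding in audit_usb(SAMPLE_LSUSB, SAMPLE_INTERFACES, BASELINE):
        print(f"{dev_id}: {finding}")
```

On a real Linux host the same function can be fed the output of `subprocess.run(["lsusb"], capture_output=True, text=True).stdout`, and the interface classes would be read from `lsusb -v` or from the `bInterfaceClass` and `bInterfaceProtocol` files under `/sys/bus/usb/devices/` instead of the constructed dictionary. The baseline-only check catches a personal stick; the composite check still fires on a device that an administrator has approved by ID but that quietly gained a keyboard interface.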

 

What can be done to minimize the impact of Social Engineering Attacks?

  • Slow down. Spammers and hackers want you to act first and think later. Be skeptical and never let their urgency influence your careful review.
  • Research the facts. Be suspicious of any unsolicited messages.
  • Reject requests for help or offers of help. Nobody is eager to help you for nothing. If it’s too good to be true, then most of the time there is a catch. Don’t be that catch.
  • Beware of any download or any link. If you treat the links and attachments you receive carefully, the hacker won’t stand a chance. It doesn’t matter how good they are; most of the time they need your mistake to gain control.
  • Secure your computing devices. Install antivirus solutions, a firewall, email filters etc.
  • Secure your company. Perform regular penetration testing which also involves social engineering testing against your employees. Install security solutions that detect & prevent data exfiltration and information leakage.

About the author

Cyrill
