Welcome back to our series on Application Security! If you haven’t read our two previous posts on security for your application and database, we’ll forgive you. Today we’ll be focusing on non-technical topics, but we’ll reference some ideas from those posts, so if you start to feel lost, a quick read-through will help. In this post we’re going to talk about Social Engineering: the manipulative tactics attackers use to get access to things they shouldn’t. Previously we focused on technical security concepts, but if we’re being honest, a large share of real incidents start with a person being talked into handing over sensitive information or access, whether they realize it or not. That is a social engineering attack, and for complete application security (and workplace security in general) you need to know how these attacks take place and what to do when one happens to you. We’ll cover some of the most common ones, including phishing, impersonation, and tailgating. But first, let’s start from the top.
Social Engineering is the practice of exploiting the psychological tendencies of people who have legitimate access to a place or a source of information, using manipulation to obtain that access for yourself. It isn’t a recent invention; people have manipulated each other this way throughout history. A classic example is walking up to a locked building, encouraging someone with access to go first (so they open the door), and shuffling in right behind them while mentioning that you work there too (a form of tailgating, discussed below). What has made social engineering such a big topic lately is that internet communication (email, social media, forums, instant messaging, and more) lets an attacker run the same tactics against a mass audience with very little effort. The consequences scale accordingly: identity theft, drained bank accounts, ransomware attacks, and other life- or business-altering situations. It’s not a light matter, and in this post we’ll review how some of these attacks work and how you can protect yourself.
Email Phishing refers specifically to fraudulent emails sent from accounts disguised as a reputable entity (a business you trust, or even a friend or family member) that request sensitive information or payment, or persuade you to click a link or open an attachment. It is one of the most common social engineering attacks, and you’re bound to have heard your workplace warn you to “be careful opening attachments.” Most phishing emails, however, don’t depend on an attachment at all; common lures include account deactivation threats, links to look-alike websites, the traditional advance-fee scam, threats of imprisonment, fake tech support, SEO “help,” and many more, all aimed at getting you to hand over something valuable such as login credentials or credit card details.
Phishing is not limited to your inbox. A deceptive message over any channel (a phone call, a text message, a social media message, physical mail, and more) that tries to steal information, money, goods, or access is phishing. Today most phishing attempts start with an email, but it is common for the attacker to follow up over social media, by phone, or by text to calm any well-founded suspicion the email raised.
Phishing is a broad category with many variants, including the following (and more):
Pretexting - The attacker builds a fabricated narrative (the “pretext”) to gain your trust so that you hand over information or carry out a request. When sent in bulk with no details specific to the recipient, this is often called “deceptive phishing” and is the most common form of phishing.
Baiting - This form of phishing revolves around the promise of a good or item in exchange for information. The traditional advance-fee scam is a form of baiting.
Quid Pro Quo - Similar to baiting, but you’re promised a service rather than an item: for example, “tech support” offering to fix a problem in exchange for your login.
Spear Phishing - Any form of phishing aimed at a specific person or group, with a personal touch added to make it convincing. If you’ve ever received a suspicious email that used your name and occupation and appeared to come from your boss, you were the target of a spear phishing attack.
Whaling - aka “CEO Fraud.” This takes spear phishing to the extreme by targeting only high-value individuals such as executives, who can authorize payments and often aren’t given the same security training as other employees, which makes this group especially vulnerable.
Vishing - A phishing attack via voice call.
Smishing - A phishing attack via text message (SMS).
Realistically, you don’t need to memorize all of these subcategories. The main point to remember is that phishing is any attempt to gather information, goods, services, etc. from you in a deceptive manner, and the best way to protect yourself is to be aware of the threats.
Recommendation: Spam filters catch many phishing emails, but plenty still reach your inbox. Before clicking anything in an email, ask yourself:
Is there a rational reason that I received this email?
Do I know who sent it?
Does the offer seem realistic? (e.g. if you’re offered money or free items, it probably isn’t)
Do the attachments look like normal files?
If I hover over (rather than click) the links, do the URLs look like I would expect? If the email claims to be from Chase Bank, a link should go to chase.com and not something like kwan.pw. Watch for look-alikes such as chase.com.kwan.pw, where the real domain is the last part of the hostname.
If you answered “No” to any of these questions, you may have received a phishing email. When in doubt, get a second opinion: at work, forward it to your IT or security team (or ask a superior); for a personal account, flag it as spam and move on.
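The URL question above is the one people get wrong most often, because attackers build links that contain the real brand name while landing somewhere else. As an added example (not code from the original post), here is a small Python check that applies that question to a link before anyone clicks it. It assumes the only thing you know is the domain the sender claims to be (the expected domain), and it approximates the “registrable domain” as the last two labels of the hostname, which is a simplification; production code should consult the Public Suffix List. The sample links are constructed for illustration.

```python
"""Decide whether a link in an email really points at the domain the sender claims.

Added example; the expected domain and the sample links below are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def registrable_domain(hostname: str) -> str:
    """Approximate the registrable domain (eTLD+1) as the last two labels.

    Simplification: 'bank.co.uk' would come out as 'co.uk'. Real code should
    consult the Public Suffix List (e.g. the tldextract package).
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if the link lands on expected_domain
    and none of the usual look-alike tricks are present."""
    parts = urlsplit(url.strip())

    # 1. Only web links are expected; 'javascript:', 'data:' and bare text are rejected.
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"

    # 2. .hostname is lowercased and has userinfo and port stripped, so
    #    'https://chase.com@kwan.pw/' resolves to host 'kwan.pw'.
    host = parts.hostname
    if not host:
        return False, "no hostname in URL"
    if parts.username is not None:
        return False, f"'{parts.username}@' hides the real host {host!r}"

    # 3. Internationalised names can hide homoglyphs (Cyrillic 'с' for Latin 'c');
    #    anything that becomes Punycode ('xn--') is treated as suspicious.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, f"hostname {host!r} is not a valid IDN"
    if "xn--" in ascii_host:
        return False, f"internationalised hostname {host!r} ({ascii_host}); possible homoglyph"

    # 4. A bank does not send you links to a raw IP address.
    if ascii_host.replace(".", "").isdigit() or ":" in ascii_host:
        return False, f"link points at a bare IP address {host!r}"

    # 5. Compare registrable domains, so 'chase.com.kwan.pw' is NOT chase.com
    #    but 'secure.chase.com' is.
    actual = registrable_domain(ascii_host)
    expected = registrable_domain(expected_domain)
    if actual != expected:
        return False, f"link goes to {actual!r}, not {expected!r}"
    return True, f"link goes to {actual!r} as claimed"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a "Chase Bank" email.
    for link in (
        "https://secure.chase.com/login",
        "https://chase.com.kwan.pw/login",
        "https://chase.com@kwan.pw/login",
        "http://198.51.100.7/chase/login",
        "https://сhase.com/login",  # first letter is Cyrillic 'с'
        "javascript:alert(1)",
    ):
        ok, why = check_link(link, "chase.com")
        print(("OK  " if ok else "BAD ") + link + "  -> " + why)
```

The important design choice is to compare registrable domains rather than to look for the brand name anywhere in the URL: “chase.com” appearing in a subdomain, in the userinfo before an @, or in the path proves nothing, and that is exactly what phishing kits rely on.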
For other situations, including phone calls, social media interactions, text messages, etc., our best recommendation is to ask yourself if any of these messages seem a bit fishy (pun intended) by asking similar questions to the ones above. If so, then feel free to ignore the message and move on. If you’re worried about missing out on that free Disney Cruise, don’t worry, because it probably never actually existed in the first place.
Next up, we have impersonation. In an impersonation attack, the attacker assumes another person’s identity and uses it to obtain access or information that only that person should have. Impersonation is a very targeted form of pretexting that isn’t necessarily email-driven or mass-distributed.
Through impersonation, an attacker can use any number of channels to collect personally identifiable information (e.g. a Facebook quiz that asks for eye color, height, weight, hometown, birth date, etc.) and then use it to pass identity checks as someone else. Impersonation is a very personal form of social engineering, which is what makes it so dangerous. With some relatively easy-to-acquire information, an attacker could:
Contact your bank to get access to your credit card accounts, transfer funds, or write fraudulent checks.
Contact your phone carrier to carry out a SIM swap attack, moving your number to their device so that they receive your calls and SMS verification codes.
Apply for a loan in your name.
Get you fired from your job via fraudulent communication.
We tend to think the best of people, so let’s roleplay: you’re a bank customer service representative, and you get a call from someone in tears saying they’re locked out of their online bank account, can’t get into their usual email address to reset the password, and their rent is due within the hour. They give you the customer’s SSN (which has frequently been exposed in data breaches) and some weak knowledge-based details (“I was born on this date, I live at this address, and I bought a Starbucks latte yesterday for this much”), so you decide it must be the right person and send a password reset to a new email address they supply. Unfortunately, this was an impersonation attack, and the attacker now has full access to the real customer’s account. Every fact the caller offered was either purchasable or visible in a breached transaction history; none of it proved who was on the phone.
Recommendation: Impersonation attacks are hard to defend against, because a determined attacker has many workarounds. The best ways to protect yourself are to:
Monitor your information (bank accounts, bills, credit report, etc.) regularly.
Don’t reuse passwords, and turn on multi-factor authentication wherever it is offered (preferably an authenticator app or security key rather than SMS, given the SIM swap attack above).
If you build or operate customer support flows, don’t let knowledge-based answers alone authorize high-risk changes such as replacing a recovery email; require a stronger factor or a waiting period.
Tailgating, the last major category of social engineering attacks we’ll cover, is an unauthorized person following an authorized one into a restricted area. It is also commonly called “piggybacking,” though there is a subtle difference: in tailgating the authorized person doesn’t consent to (or notice) the follower, while in piggybacking they do. Consenting may sound crazy, but look back at the example in the introduction: the person who held the door consented to the other person’s presence simply because they assumed they were also authorized. For the rest of this post, “tailgating” covers both.
You’ll find many examples online of physical tailgating, such as intruders getting into a secure office, but the same failure happens all the time with virtual access. The digital equivalent is walking away from an unlocked computer (for a bathroom break, a meeting, lunch, or at the end of the day). Anyone walking by can use it, and your work computer most likely holds sensitive information that shouldn’t be shared. Every moment a computer is unattended but still logged in, it is exposed. This is why many websites and applications enforce session timeouts (see our first post in this series): an abandoned session expires on its own instead of staying open for whoever finds it.
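As an added example of what a session timeout looks like on the server side (this is not code from the original post or from our earlier post in the series), here is a minimal in-memory session store in Python that enforces both an idle timeout and an absolute lifetime. Client-side JavaScript that hides the page after a while does nothing against someone sitting at the unlocked machine; the expiry has to be enforced where the session is looked up. The timeout values and the injectable clock are assumptions for illustration.

```python
"""Server-side session expiry: idle timeout plus absolute lifetime.

Added example; the timeout values are illustrative, not a recommendation for any
particular application.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60           # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap even for a continuously active session


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory store; a real deployment would back this with Redis or a
    database, but the expiry rules are the same."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Issue a fresh, unguessable session id for an authenticated user."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never sequential
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user owning a live session and refresh its idle timer.

        An expired or unknown session yields None and is discarded, so a
        workstation left logged in is only usable until IDLE_TIMEOUT passes
        with no activity, and never beyond ABSOLUTE_LIFETIME.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_for = now - session.last_seen
        age = now - session.created_at
        if idle_for > IDLE_TIMEOUT or age > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session.user

    def logout(self, sid: str) -> None:
        """Explicit logout (the 'log out of sensitive websites' recommendation)."""
        self._sessions.pop(sid, None)

    def live_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    # Constructed walk-through with a fake clock instead of real waiting.
    fake_now = [1_000.0]
    store = SessionStore(clock=lambda: fake_now[0])
    sid = store.create("alice")
    print("right away:", store.resolve(sid))          # alice
    fake_now[0] += IDLE_TIMEOUT + 1                   # 15 minutes and a second of silence
    print("after idling:", store.resolve(sid))        # None: the session is gone
```

The absolute lifetime matters as well as the idle timeout: without it, a session that is kept alive by a background tab (or by an attacker who found the unlocked machine and keeps clicking) would never expire, which is why both checks are evaluated on every lookup.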
Recommendation: Protecting against tailgating can be difficult, because it usually means setting aside our politeness and our default trust in other people. Ideally, you would:
Don’t hold the door for someone who hasn’t badged in themselves.
Alert others of someone’s presence if you don’t know them.
Don’t allow people within the area unless authorization has taken place (this includes delivery drivers, visitors, and even corporate executives).
Lock your computer any moment you’re away from it.
Log out of sensitive websites after you are done (and never log in to these sites from a public computer).
Don’t leave any sensitive information unattended, such as a phone or even a work notebook.
If your business is willing to invest in a large physical infrastructure, then there are a plethora of blog posts online about implementing turnstiles, cameras, badge access, hiring security guards, limiting elevator access, etc. to help prevent tailgating. On a more personal level, however, we can all abide by the bullet points above to help play our part in keeping our workplace secure.
With all this information, the power is up to you to prevent social engineering! Or, at least you can prevent the negative consequences of it. In the end, there will always be nefarious people out there trying to steal information and authorization, and the best way to protect yourself is to know what to look for.
We hope you’ve enjoyed our 3 part series on Application Security, and we appreciate you sticking with us so far. If we’ve helped open your eyes to new ways of considering security for your technical applications, and maybe even for your workplace in general, then we’ve done our job. At Clevyr, we’re a security-first organization, and we take every concept listed here in this series very seriously. If you would like to chat with us about a new project or taking over an existing project, then give us a call!
Clevyr builds cutting edge, scalable technology software solutions including artificial intelligence for IT operations, digital twinning, predictive analytics, and cognitive computing - plus much more! Check us out at clevyr.com or drop us a line at [email protected].