May 11, 2021

Social Engineering Attacks: It’s Kind of a Thing

shutterstock_1573945981 (1)

Thanks to social media, we love to share. A lot. We share photos of ourselves. We share specific and intimate details of our lives. We even tag our geographical location. We mindlessly hit ‘accept’ on terms and agreements with 97% of people ages 18-34 agreeing to terms and conditions without reading them. We accept these terms because we trust organizations to keep our data secure and private while holding the belief that our data will only be used to provide the personalized experiences we crave. Our comfort in oversharing coupled with a false sense of security has made us vulnerable to cyberattacks using a tactic called social engineering. A tactic that accounted for 33% of data breaches in 2018.

More often than not, we are completely unaware that we’ve shared sensitive information or understand how it can be used against us. According to the FBI’s report on Internet Crime for 2020, the top three crimes reported in 2020 were phishing scams, non-payment/non-delivery scams, and extortion which rely on information about you to be effective.

Business Email Compromise (BEC)/Email Account Compromise (EAC) alone accounted for $1.8 Billion in losses in 2020. So, what does social engineering have to do with BEC/EAC scams? Below are some common situations that show how social engineering plays into these attacks.

  1. Email to Slack:  You receive an email purportedly from a trusted source containing URLs to business-critical information (invoices, payroll, contracts etc.). These URLs hosted on Slack or BaseCamp cloud storage look legit, especially if you work in a large corporation. In this specific case, the link showed a digitally signed executable document with an Adobe PDF icon. Clicking this will download the BazarLoader (BL) malware: a staging malware for many ransomwares, including the infamous Ryuk. More on how to protect your business from ransomware here.
  2. W2 Tax Email Scam: Similar to the one above, you receive an email, specifically to your Gmail account, which has links that look to lead you to a PDF of your 2020 W2 and tax returns. Instead, the links take you to a page on Typeform, a free online form creation software, that asks for your email account credentials before granting access to the file. After you have entered your email credentials multiple times, you get the familiar ‘file not found’ reply. Your email credentials have successfully been compromised. The attackers use newly created Gmail, Yahoo, and Hotmail IDs to circumvent any filters and blocklists that block known low-reputation domains. Similar phishing attacks have been observed exploiting Box, Google forms, and others.
  3. ToxicEye campaign on Telegram: This too begins its life in an email with a malicious attachment. When you open this attachment, it connects to Telegram and makes that machine vulnerable to a remote attack later by Telegram bot, which uses the messaging service to mount an attack by the command-and-control (C2) server. After mounting the attack, the attackers gain full control over your machine and can further engage in a range of nefarious activities. For example, ToxicEye was used to steal passwords, browser history, and cookies from people’s devices. They could delete and transfer files, kill PC processes, as well as take over a PC’s task manager. It was observed to deploy keylogger or record audio/video of the victim’s surroundings as well as steal clipboard contents. (To identify and fix the Telegram compromise, search for a file called “rat.exe” located within the directory C:\Users\ToxicEye\rat[.]exe and delete it. As a network administrator, you should monitor network traffic from PCs to Telegram accounts (call homes), especially when the Telegram app is not installed on those PCs.)
  4. Call to unsubscribe: This compromise also starts with a scary-looking email that provides a phone number to call if the user wants to unsubscribe from an expensive service. When the user calls that number, a friendly person directs the hapless victim to go to a website to unsubscribe. Then the attack begins.

In all the above cases, infections and compromises started with a user taking an action – clicking a link, downloading an upgrade, etc. They relied on our trust, foxed our vigilance, and made us commit the first error. It also shows that those trying to dupe us are smart, fly under our alert radar, and disguise themselves very well.

What can you do to stay safe?

The FBI advises everyone to use ‘extreme caution in online communication’. “Unfortunately, criminals are very opportunistic. They see a vulnerable population out there that they can prey upon.” says FBI Section Chief Steven Merrill, Financial Crimes Section.

If you know what to look for and err on the side of caution when dealing with any unexpected emails, or emails containing links or attachments from unverified sources – you can begin to identify the patterns in these types of malicious emails. Some helpful tips include:

  • Check the sender’s address. Take a hard look and identify the validity of the sender before you open any email. Is this a person or company that you would be expecting an email from?
  • Watch for typos. Typos are common in phishing email i.e. Goggle.com or ariFrance.com
  • Beware of alphabet substitutions. Sometimes criminals might substitute certain alphabets with their look-alike (homographs) from another character set. For example, when the letter ‘a’ (ASCII 65) looks very similar to a letter from Cyrillic alphabet (Unicode 430). Identification is not easy, especially if the font sizes are small; when in doubt, enlarge the text to check. Another easy trick to employ is the copy and paste the entire text into a new Word document and run spell check. Word will flag these homographs as spelling errors. Finally, if this was in a business email, you can consult your IT department before you take action.
  • Check URLs before clicking. The email text appears to be pointing to a legitimate website, but the embedded hyperlink may not be. If you hover or ‘mouse over’ the URL it will generally show the embedded hyperlink address. Be wary of shortened links (eg. goo.gl, bit.ly, bl.ink etc.). Again, when in doubt, ask for help.
  • Keep your browser up to date. This is very important if you are using browser-based email, such as Gmail or web-based O365.
  • Train, train, train. Keep yourself and your employees on their toes by constantly training and staying informed on the latest techniques that cybercriminals are using.

Even if employees have mastered the identification of a social engineering attack, it is always a good idea to continuously evaluate and upgrade your network and end-point security to protect your business from these and other cyberattacks.