You know what was one of my favourite hobbies pre-2020 (and I mean besides threat hunting, of course)? People watching. You grab a coffee, sit down, and watch as (mostly) rational creatures go about their day. But that hobby has a way of turning into a way of thinking and analyzing the world around you. For instance, I remember several years ago at a past job, I would sit at my desk as people came in and out of a secure room. What I noticed was that many people would allow others to tailgate behind them, even if they didn’t know them. These otherwise “security-minded” people often allowed politeness to overwhelm their analytical mind. This is definitely not to blame them, as we are all guilty of these behaviours. In fact, the practice of social engineering relies on many of those default behaviours.
When people think of social engineering, they often have mixed thoughts. Some think of it only for physical security, like I described above. Others may apply it to things like phishing, especially if they work in a SOC. The reality is that it is both, and many other things as well. Also, working in security doesn’t make you immune. In fact, it can make you a target.
One of the best examples of this in modern memory occurred very recently. The event happened in January 2021 (continuing the mayhem of 2020!) and saw researchers at Google find evidence of an unusual social engineering campaign. The campaign was very well designed and targeted…
First, a fake persona pretending to be a “security researcher” would connect. They often did this using Twitter. But these weren’t typical “egg” profiles. They had a history: many had bios, interactions with people, and content posted online. Many even had blogs. These profiles were established. These personas would then reach out to real researchers with a big claim. They would say that they had “found a bug in the latest Chrome renderer.” They would then request to work with the researcher on “vulnerability research.” The actors would then send a Visual Studio project with a weaponized DLL file. This file was executed through Visual Studio Build Events, beginning the infection. It was later discovered that the actors conducting this were none other than North Korea.
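Because Build Events are ordinary MSBuild commands stored in the project file, a reviewer can inspect them before opening a project someone has sent. This added example (not code from the original post or from Google’s report) parses a .vcxproj and flags Pre-Build, Pre-Link, Post-Build and Exec commands that load a DLL or call a script host; the sample project, the loader/script-host keyword list and the DLL name are constructed assumptions.

```python
"""Flag suspicious MSBuild build events in a Visual Studio project file."""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")
# Assumed heuristics: DLL loaders and script hosts a normal C++ build does not need.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|mshta|wscript|cscript|certutil)\b"
    r"|\.dll\b",
    re.IGNORECASE,
)

def build_commands(vcxproj_xml: str):
    """Yield (event_tag, command) for every build-event <Command> and <Exec> task."""
    root = ET.fromstring(vcxproj_xml)
    for tag in EVENT_TAGS:
        for event in root.iter(MSBUILD_NS + tag):
            cmd = event.find(MSBUILD_NS + "Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                yield tag, cmd.text.strip()
    for exec_task in root.iter(MSBUILD_NS + "Exec"):  # <Exec> tasks inside <Target>
        cmd = exec_task.get("Command")
        if cmd:
            yield "Exec", cmd.strip()

def suspicious_build_events(vcxproj_xml: str):
    """Return the build commands that match the loader/script-host heuristics."""
    return [(tag, cmd) for tag, cmd in build_commands(vcxproj_xml)
            if SUSPICIOUS.search(cmd)]

# Constructed sample project (not the real campaign's file): one benign post-build
# copy step and one pre-build event that loads a DLL shipped inside the project.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)sample.dll,EntryPoint</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy $(TargetPath) $(SolutionDir)out\\</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for tag, cmd in suspicious_build_events(SAMPLE_VCXPROJ):
        print(f"[!] {tag}: {cmd}")
```

The keyword list is a starting point only; the safer habit is to read every build event in an unsolicited project and to open such projects in an isolated virtual machine.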
This whole ordeal underscored that even security professionals can be willing targets. It also highlighted that everyone should consider themselves a potential target. Also, people need to start changing the way they think about and analyze the world around them. The first step in that process is to understand the social engineer’s tactics, techniques, and procedures.
In sales and marketing, the concept of a “call-to-action” (or CTA) is not new. This is when, after nurturing a lead with information, you direct them to take some action: “Click here!” or “Sign up!”
The reality is that social engineering uses the very same tactic. They will “nurture” you with the promise of free money, a delivery, or an expensive product. Once they do this, their next step is to direct you to act on something without thinking too much. These can take all shapes and sizes, but the common theme is urgency. The more urgent, the better.
If you find yourself rushing to click that link or respond to that email, stop. Take a breather, and consider who sent it, and if what they are asking seems reasonable. How likely is it that you won a contest you don’t remember entering?
Or that some unknown person is depositing $100 in your bank account?
Another thing to keep in mind is the modern social engineering expert no longer relies on email. Indeed, many organizations have complex security controls protecting their email from phishing attacks. As a result, practitioners of social engineering have had to change tack and target. Now, more than ever, social engineering takes advantage of social media. Platforms like Twitter, LinkedIn, and Facebook are all rich targets with millions of users.
The adversaries will often first try to connect with you. Sometimes they will scrape together some public info on their target to make it seem like there is a mutual friend. Other times they may take a colder approach, asking to connect with no other details. Once they have connected, their target’s profile and information are available to them. This information allows them to craft posts or direct messages that the user is more likely to open. This could include topics like:
While we all enjoy making new friends on social media, if you get an unsolicited friend request, think twice. If they claim to be a friend-of-a-friend, contact your mutual acquaintance. Connecting on social media platforms often has wider implications than is obvious.
The first, last, and best piece of advice about social engineering is to stay vigilant.
As I mentioned at the beginning, I used to see a lot of security professionals make mistakes. This is because they would let their guard down. The trick is to watch yourself as you would watch others. Question why you are doing things the way you are.
When you get emails that seem too good to be true, consider: am I expecting a package from DHL/FedEx/UPS?
Also, don’t be afraid to do your own research!