Proofpoint: Social engineering attacks slipping past users

Executives, administrators and network defenders overlook the severity of many of the most effective social engineering tools, Proofpoint cautions.

Some of the most effective tricks used for social engineering attacks are being overlooked or underestimated.

That’s according to security vendor Proofpoint, whose 2022 Social Engineering report concluded that many companies mistakenly assume that cybercriminals are unwilling or unable to use tactics such as extended conversations, legitimate services and hijacked email threads in order to dupe their targets into opening malware and following phishing links.

Proofpoint, which specializes in tools and services to counter social engineering, argued that these assumptions are putting companies at heightened risk for network intrusions and malware infections.

“Despite defenders’ best efforts, cybercriminals continue to defraud, extort and ransom companies for billions of dollars annually,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, based in Sunnyvale, Calif. “The struggle with threat actors evolves constantly, as they change tactics to earn clicks from end users.”

In general, the report found, companies underestimate the resources attackers are willing to put into social engineering attacks. For example, many believe that hacking crews will not exchange multiple messages with their targets.

In reality, the study found that many hacking operations were not only willing to exchange multiple messages with their targets in hopes of gaining their trust, but were also looking to get the target to engage over multiple forms of communication, such as personal email messages and phone calls…

Though the FBI vishing warning references attacks that began in December 2019, the alert is reminiscent of the Twitter social engineering attacks that took place last July.

Several months after the highly publicized Twitter attacks of last summer, social engineering and vishing are back in the spotlight.

A Jan. 14 Private Industry Notification (PIN) by the FBI’s Cyber Division warned of cybercriminals targeting employees at large U.S. and international companies using social engineering and vishing tactics. In these attacks, which the FBI said began in December 2019, threat actors would target employees using VoIP platforms and convince victims to expose their corporate credentials through phishing sites.

“During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password,” the notification reads. “After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage.”

The PIN offered an example of an incident in which “cyber criminals found an employee via the company’s chatroom, and convinced the individual to log into the fake VPN page operated by the cyber criminals.” Once the threat actors had the employee’s credentials, they logged into the company’s VPN and began the process of locating a higher-privilege individual.

Recommended mitigations by the FBI include using multifactor authentication, keeping new employees on a lower privilege level and actively scanning for unauthorized access. The bureau also recommended network segmentation and for administrators to be “issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.”

SearchSecurity asked the FBI about targeted industries and the number of attacks observed, but the bureau has not responded at press time.

Last July, Twitter was attacked in one of the most significant vishing attacks in recent memory. The attackers posed as Twitter tech support staff and used social engineering tactics to gain access to internal Twitter systems as well as numerous high-profile accounts like former president Barack Obama and SpaceX founder and CEO Elon Musk. The attackers then tweeted Bitcoin scams from these compromised accounts and made off with over $100,000 in cryptocurrency.

And last August, the FBI and CISA issued an advisory referencing a vishing campaign that took place the previous month, though it did not directly reference Twitter. The advisory, like last week’s FBI PIN, warned that threat actors were taking advantage of the COVID-19 pandemic and increased VPN usage to vish employees and convince them to give up their login credentials.

July 11, 2018

The U.S. Department of Homeland Security has partnered with security firm SecureLogix to develop technology to defend against telephony denial-of-service attacks, which remain a significant threat to emergency call centers, banks, schools and hospitals.


The DHS Science and Technology (S&T) Directorate said this week the office and SecureLogix were making “rapid progress” in developing defenses against call spoofing and robocalls — two techniques used by criminals in launching telephony denial-of-service (TDoS) attacks to extort money. Ultimately, the S&T’s goal is to “shift the advantage from TDoS attackers to network administrators.”…

February 28, 2017

Unified communications security is venturing into unknown territory with the growing trend of embedding communications into business applications. New security challenges could emerge for IT as organizations fuse their communications to business apps by using APIs and communications platform as a service (CPaaS)…

February 22, 2017

UC security is not a priority, according to a survey of IT professionals. But security should not be overlooked, as cloud UC creates new risks.

Unified communications security seems like a no-brainer, but a report has found that it’s not on the radar for…