Exploiting Human Vulnerabilities
Social engineering is a technique that exploits human vulnerabilities within a security architecture. As Rachael Tubbs, IoT Village Organizer at Independent Security Evaluators, states in her RSAC 2024 presentation, “hackers heavily rely on these methods, with social engineering accounting for a staggering 98% of attacks.” Unlike traditional hacking methods that focus on technical vulnerabilities, social engineering aims to manipulate individuals into divulging sensitive information or performing actions that compromise security. This is achieved by exploiting human psychology and leveraging trust to gain access to systems and data.
The core principle is not sophisticated tools but rather gaining the victim's trust. This can be achieved through various influence methods, such as those outlined in Tubbs's hexagon of human hacking (Figure 1), which exploit multiple human vulnerabilities simultaneously. Social Influence, a key component, leverages principles like reciprocity, authority, and scarcity to manipulate individuals.
Furthermore, the Theory of Planned Behavior and Cognitive Dissonance explain how cybercriminals can predict and understand human behavior, exploiting cognitive biases and inconsistencies to gain trust and extract information. Understanding these psychological principles is crucial for individuals and organizations to enhance their cyber resilience and protect themselves from social engineering attacks. To learn about a proactive behavioral approach to avoid becoming a victim of a social engineering attack, register for our upcoming webcast, A Proactive Behavioral Approach to Cyber Readiness: Insights from a Clinical Psychologist and a Social Scientist.
Figure 1. (Source: RSAC 2024 Presentation)
Phishing Attacks: Tactics and Countermeasures
Tubbs explains that phishing, dumpster diving, and scareware are a few tactics used in social engineering. Phishing is one of the top social engineering tactics used by cybercriminals. According to Trend Micro, phishing attacks grew by 58% last year and 18% of phishing attacks have been successful as of July 2024. Globally, phishing attacks have cost an estimated $3.5 billion in 2024 alone.
A 2024 Email Security Risk Report also found that 94% of organizations had experienced email security incidents. Cybercriminals tend to attack higher-value targets, such as larger organizations. One industry in particular, the healthcare sector, is highly targeted. By bypassing an organization's network, systems, and applications via one successful phishing email, cybercriminals can gain access to the information of thousands of users.
In his RSAC 2024 presentation, Steve Lukose, VP of Security at Clari, explains that cybercriminals in today's world have had to become craftier in their phishing email scams to lure even suspicious users into clicking on them. Lukose explains that now, scammers will use an HTML editor to embed malicious code into the email and its attached links. Then, they steal your company's logo and do some research on what your SaaS applications look like. Once the email is crafted, the scammer will send it out to 1000 users hoping that at least one person will click on it. If successful, the cybercriminal can then collect information or use the stolen credentials to steal more information from other applications you may have on your device. For a full overview of what a typical phishing process looks like, see Figure 2.
Figure 2. (Source: RSAC 2024 Presentation)
Users should be cautious of emails, even those that appear authentic. To identify potential phishing attempts, check for red flags like incorrect grammar, requests for personal information, and mismatched sender addresses (even from known contacts). If unsure, further investigation is recommended.
Chris Taylor, Principal Consultant at Taksati Consulting, goes into a deep analysis of a phishing email he received in his RSAC 2024 webcast and provides users with the following identification tips.
- Examine Email Headers: To determine if an email is a phishing attempt, examine the raw source of the headers, reading from bottom to top. This reveals the email's body and text.
- Analyze Received Line: Identify the "Received" line to determine the sender server, its IP address, and domain.
- Investigate Other Header Lines: Analyze other header lines (as shown in Figure 3) to identify information about the client who sent the email.
- Use IP Address Verification Tools: Utilize applications that can analyze the sender's IP address to verify its authenticity and detect potential spam.
- Handle Attachments Safely: If the email contains Word documents, do not open them directly. Instead, compress them into a zip file. Inspect the zip file for embedded code, which could indicate malware. Report any suspicious files to your IT department.
These are just a few ways a user or organization can prevent becoming a victim of a phishing attack.
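The header checks above, worked through in Python as an added example (this is not code from Taylor's webcast or from the original page): it reads the Received chain from the bottom up to find the originating server and its IP address, and flags sender-address mismatches between From, Return-Path and Reply-To. The sample message, hostnames and IP addresses are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message for illustration (not a real phish); addresses use documentation ranges.
RAW_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
    by inbox.example-corp.test with ESMTP; Tue, 2 Jul 2024 09:15:02 +0000
Received: from mail-relay.example.net (relay.example.net [198.51.100.7])
    by mx.example-corp.test with ESMTP; Tue, 2 Jul 2024 09:15:01 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by mail-relay.example.net with SMTP; Tue, 2 Jul 2024 09:14:58 +0000
Return-Path: <billing@attacker-lookalike.test>
From: "IT Helpdesk" <helpdesk@example-corp.test>
Reply-To: <helpdesk@attacker-lookalike.test>

Please confirm your password at the link below.
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(msg):
    # Each relay prepends its own Received header, so reading bottom-to-top gives
    # the path in chronological order: hops[0] is the originating server.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(value)
        host = m.group(1) if m else "?"
        ip = IPV4.search(m.group(2) or "") if m else None
        hops.append((host, ip.group(1) if ip else None))
    return hops

def domain_of(header_value):
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()

def header_red_flags(msg):
    # Mismatched sender addresses: envelope sender or Reply-To on a different domain than From.
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            flags.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    hops = received_hops(msg)
    if hops and hops[0][0].startswith("["):  # first hop identified only by a bare IP
        flags.append(f"originating hop has no hostname, only IP {hops[0][1]}")
    return flags

def analyze(raw):
    msg = email.message_from_string(raw)
    return received_hops(msg), header_red_flags(msg)
```

The originating IP returned in `hops[0]` is the one to run through a reputation or IP verification tool, as the fourth tip suggests.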
Figure 3. (Source: RSAC 2024 Webcast)
Taking Control of Your Digital Security
Social media makes it easy for cybercriminals to gather information about potential targets. In their RSAC 2021 Podcast, Rachel Tobac, CEO of SocialProof Security, and Camille Stewart Gloster, Former Deputy National Cyber Director, Technology & Ecosystem Security at The White House, explain how hackers hack humans and how to mitigate digital risks. Hackers like Tobac use the following methods to get information to gain trust and steal credentials through direct and indirect hacking.
- Direct Hacking: Hackers pretend to be someone the victim knows, like a friend or family member, through phishing emails, calls, texts, or social media messages. Social media profiles provide valuable details for impersonation, Tobac explained.
- Indirect Hacking: Hackers target a victim's service providers (e.g., utility companies) to exploit their authentication methods and gain access to accounts.
Gloster states that there are simple steps to mitigate social engineering attacks:
- Enable two-factor authentication (MFA).
- Avoid reusing passwords.
- Don't share personal information on social media, including answers to security questions.
By limiting the information you share online and practicing good cybersecurity hygiene, you can significantly reduce the risk of falling victim to social engineering. As Gloster emphasized, “treat your digital security like you would your physical security.”