Social Engineering is one of the most prolific entry points for modern cyberattacks. That makes sense: instead of trying to take advantage of a specific set of conditions that permit escalated permissions to resources, a threat actor need only take advantage of human behavioral quirks, many of which exist.
Let’s cover what social engineering is, why they’re so successful, some of the kinds of social engineering attacks, why Managed Service Providers (MSPs) have a unique risk profile for social engineering attacks, and what can be done to mitigate them.
Social engineering is a group of confidence schemes designed to manipulate individuals into divulging confidential information or performing actions that may compromise personal or organizational security. Those schemes rely on psychological tactics like trust, authority, fear, or urgency to exploit human emotions and behaviors to derive the desired outcome.
Those schemes are so popular and culturally relevant that there’s even an English term for the perpetrators of such schemes: con artists.
Those psychological tricks typically prey on the human “fight or flight” mechanism. Humans innately react to external negative stimuli in one of two ways:
Confront the negative stimuli to get rid of it, or
Escape or passively address the negative stimuli to be done with it.
The more stressful the stimuli, the more influential the reaction one way or another. Confrontation, in the corporate context, would be a “deny by default” mentality or rejecting bending the rules on a password disclosure request, clicking a phishing link, or letting someone else into your building improperly. Escape or passive resolution, on the other hand, would be an allow-by-default mentality.
Other types of social engineering take advantage of greed, kindness, laziness, or ignorance. I’ll highlight those, but they make up a small proportion of kinds of social engineering attacks and aren’t widely used because of the manual nature of those attacks.
Social engineering can be carried out through various modes of communication, including phone calls, emails, texts, in-person interactions, and even online advertisements. The purpose of social engineering is often to steal sensitive information, spread malware, or gain unauthorized access to systems. The goal is to achieve control over large swathes of organizational data, which can then be used, ransomed, or sold.
Think of it this way: social engineering is a hack that takes advantage of a critical human psychological vulnerability to access large tracks of very sensitive data. We’ll also address how to patch that vulnerability—it’s obviously more difficult than just applying an update.
Social Engineering Attacks take many different forms. Here are some of the more prominent modern and historical examples.
Phishing is a form of online attack where a threat actor uses an email to trick a user into downloading a file, clicking a link to a website, or redirecting information.
For file-based phishing attacks, typically, the file is a common file type like a spreadsheet or pdf that has a macro that automatically downloads malware to the victim’s computer. That malware then provides the threat actor access to that computer and the corporate network.
Link-based attacks redirect an individual to a seemingly legitimate website that requests their credentials. The victim enters their credentials, and the threat actor is then able to gain access to the corporate network with them.
Finally, redirecting information is an increasingly popular form of a phishing attack. It’s been in the news over the past year in increasing frequency because of the rise in popularity of Business Email Compromise, or BEC. BEC occurs when an individual spoof or successfully gains access to an MSP’s email address and redirects invoices, data, and payments from the MSP to the threat actor.
Phishing is far and away the most successful entry for threat actors into the corporate environment and has been for the past two to three years.
Vishing is a form of phishing relying on Voice communications. The threat actor uses a call or voicemail to impersonate an employee or otherwise steal credentials or sensitive information to gain further access.
In the MSP and organizational space, similar to BEC, vishing can be used to impersonate a legitimate business to cajole customers into redirecting payments to the threat actor. Unlike BEC, where organizations have a chance of taking down nefarious domains, there is little recourse for MSPs or organizations to have phone numbers removed. Even if there were, it’s trivial to set up and use or spoof a new phone number.
A watering hole attack is a form of social engineering where a website commonly used by targets is compromised with malware or is infiltrated to gather information. This attack can be carried out against organizations or customers of an organization.
Baiting attacks involve leaving a physical item, like a USB flash drive, in a public place to be picked up by an individual and used. There are a couple of different flavors of this:
Targeting anyone: the low-cost and level of effort of this kind of attack means that a threat actor can leave a device in any public place for anyone to pick up. Curiosity, the desire to keep and repurpose the device, or the desire to return the device to its rightful owner compels someone to plug it in. That deploys malware and gives a threat actor access to an individual computer.
Targeting an organization: it’s the same idea as targeting anyone, except the device is left in a place that’s highly trafficked by organizational personnel, like a sidewalk outside a corporate office or the lobby.
This kind of attack is more commonly mitigated today than five years ago. Its prevalence encouraged many Endpoint Detection and Response (EDR) solutions to implement USB storage blocking as an included feature. Baiting attacks also tend to require geographic proximity to the target to implement a successful attack.
That’s not always the case, though. The Stuxnet virus, which was designed by the US and Israeli governments to cripple Iran’s nuclear program, is an excellent example of what could be considered a remote baiting attack. The virus was designed to interact with particular systems under particular conditions and spread via USB storage to overcome air-gapping controls.
Dumpster Diving is another geographically restricted attack requiring a threat actor to be in the same location as their target—or, more accurately, their target’s garbage. In the organizational space, this relies on employees not shredding critical information or correctly disposing of critical hardware. A threat actor can then gain access to that information by rifling through trash.
This is a very prominent investigative tool for police forces worldwide. In the US, for example, people have a (sometimes tenuous) constitutional right to privacy within their homes with more limited privacy on their property in public view. They, however, have no right to privacy when their trash is on the curb for pickup and disposal.
Quid Pro Quo is included in this list because of its success at compromising individuals and employees. There are a couple of different ways this is leveraged in an organizational environment:
Ransomware: the quid pro quo here is a data encryption and/or theft on the one hand and payment to decrypt on the other. This is especially concerning for MSPs which can have data for many different customers and therefore are prime targets for ransom.
Blackmail: the quid pro quo here is damming information on the one hand and payment or action to not have that information disclosed. Where that damming information is about someone with privileged credentials or an elevated position in an organization, the action can be very impactful to the organization.
Payment schemes: the quid pro quo is typically procurement and disclosure of gift cards on the one hand and doing a favor for an executive on the other. Typically this comes in the form of procuring hundreds of dollars of gift cards and sending the codes to a corporate executive. This can also be a scheme to seek payment of a small amount now to secure a more significant amount of money in exchange later. That obviously plays on innate human greed and is wildly successful as a result.
Quid pro quo attacks can happen on their own but may be combined with other attack methods on this list. For example, phishing and ransomware are very commonly paired effectively to extract large sums of money from an organization.
MSPs are increasingly being targeted by social engineering and other attacks because of economies of scale. A threat actor can attack ten or twenty different targets, or they can attack an MSP that either gives access to those targets’ data or environments.
Additionally, as has been demonstrated over the past couple of years, threat actors can attack MSPs to manipulate code bases for products used by thousands or millions of customers. Those modifications provide substantially greater returns on work investment than attacking customers individually.
Mitigating those attacks is also difficult. You can’t patch people. You can, however, provide them the tools, resources, and support needed to address social engineering attacks head-on and intelligently reject them.
This is primarily done through training. Phishing training, security training, threat training, incident and disaster recovery tabletop exercises, and other training are proven to be incredibly effective in mitigating social engineering threats. By letting staff know what they should be looking out for, they will be more vigilant in spotting and addressing those threats.
Empowering staff to “deny by default” is also critical. The power of saying no in situations where there could be a threat may mean the difference between millions of dollars of damage and losses that could result from a compromise. The flip side of that is addressing a false positive. If someone rejects a legitimate customer request, that could frustrate customers and turn them away from the services being offered.
There’s a precise balance: how much is too much in being too permissive or too restrictive? The answer to that depends on the environment and situation an organization finds itself in. Many organizations fail to adequately quantify risks and make assumptions around the incidence of risk. Where there are notable social engineering attacks in the news daily, it seems like a lot of organizations are missing the mark.
Staff also need a clear path of escalation for threats. The trickier and opaquer the ability to report threats, the fewer threats will be reported. Conversely, the more accessible and specific the ability to report threats, the more threats will be reported.
Administratively, staff shouldn’t be reprimanded for reporting threats in the normal course of business. Doing so will have a chilling effect on threat reporting. Again, where the consequences of that can be millions of dollars in damage and losses, there’s a risk balance to be struck, which is very organizationally dependent.
Social engineering attacks are incredibly powerful attacks that target the most significant vulnerability of any organization: people. They’re designed to quickly gain access to an organization’s environment in order to capture more substantial amounts of data or money.
Social engineering attacks are so effective because they take advantage of someone’s instinctual response to negative external stimuli. Additionally, many manifestations of social engineering attacks make them unpredictable and difficult to spot.
MSPs are increasingly being targeted by social engineering and other attacks because of their access to other organizations’ data and environments. Training that is well supported by positive reinforcement and the organizational process is the most effective tool to mitigate these attacks.