Social Engineering involves acting and using psychology to get information from a target. As a follow-up to our discussions regarding social engineering, research an article about an incident where social engineering was essential for the incident / breach to have occurred.
In your post, include the URL so that others can read the article being referenced.
Nicholas Fabrizio says
Title: Hackers Target Military and Aerospace Staff by Posing as HRs Offering Jobs
URL: https://thehackernews.com/2020/06/military-aerospace-hacking.html
In 2019, between the months of September and December, a cyber-espionage campaign called “Operation In(ter)ception” was directed towards aerospace and military organizations located in Europe and the Middle East. The targets of this attack were specific employees at these organizations, so the attackers used social engineering tactics. The attackers created fake LinkedIn accounts representing themselves as HR Managers from well-respected organizations in similar industries and initiated conversations with the targets about employment. The attackers would send fake job offers via LinkedIn’s messaging feature or email; the offers were malware disguised as a PDF, RAR file, or OneDrive link. Once the malware was installed on the target’s computer, the attackers attempted to limit detection by renaming the malware as something else and creating scheduled tasks to automatically run the malware. This was a sophisticated spear phishing attack that not only attempted to steal information, but also unsuccessfully tried to trick employees into paying an outstanding invoice balance to an account the attackers controlled.
Kelly Sharadin says
LinkedIn is such a necessary evil for business, but it is a goldmine for hackers. Your article captures the power of these types of attacks. People are hurting for job opportunities and, as your article points out, this creates an excellent trap for the unsuspecting. I am sure most of us in this program get flooded on a daily basis by recruiters in our LinkedIn mail; how easy would it be to impersonate a recruiter?
Candace T Nelson says
Having worked in the Finance/Accounting department at an aerospace company, I know how critically sensitive and highly classified their information is. The measures taken by these infiltrators are incredible, and it is scary to think about how incredibly damaging information obtained in such a manner could be on a global level. Makes you think that – for every one of these incidents that has come to light – how many more there may be that have not yet been discovered.
Nicholas Fabrizio says
Hi Candace,
I agree with you, and given that such companies have sensitive/classified information, I find it surprising the organization would not be blocking access to social media sites on their network. Blocking access to LinkedIn would have helped reduce the chances of employees falling victim to these types of attacks, at least while they were on a company computer.
Candace T Nelson says
Very good point Nicholas!
Zhuofu Wang says
Phishing and Harpooning/Whaling have always been efficient ways of social engineering. Attackers use the characteristics of HRs to package malicious software in a targeted manner. Once people relax their guard or become negligent, they will step into the trap and cause malware to be installed on their production tools.
Kelly Sharadin says
This past summer, one of the craziest breaches ever to impact a social network was perpetrated by two teenagers using a phone-based spear-phishing attack. The teenagers used the vishing attack as an entry point, which allowed them to pivot further into the internal network. They continued to obtain more and more employee credentials, granting them access to sensitive account information and management tools, which resulted in the compromise of 36 high-profile accounts such as Joe Biden and Kanye West, to name a few. Twitter’s official response to the breach reiterated what most security professionals know all too well: humans will always be the weakest link. Epic is right.
https://arstechnica.com/information-technology/2020/07/twitter-hackers-used-phone-spear-phishing-in-mass-account-takeover/
Candace T Nelson says
This is a fascinating article, Kelly – it inspired me to read more about the event. A subsequent article reported that the teen “mastermind” behind the plot was investigated back in April, at which point the Secret Service took 700K bitcoin from him. This Forbes article also reported that – as has been the case with so many of the posts this semester – the increase in remote workers coupled with understaffing “has created a perfect storm for such attacks.”
There has also been a rise in mobile phishing attacks since this is a relatively new way for employees to communicate. Risks associated with increased mobile phone reliance and opportunities for exploitation are not widely known or understood, and anti-virus protections available on laptops/desktops are not as prevalent on mobile phones, resulting in greater vulnerabilities.
https://www.forbes.com/sites/petersuciu/2020/08/01/twitter-spear-phishing-attack-highlights-security-weaknesses-of-social-media/#155f8c197a29
Kelly Sharadin says
Wow, did not know the culprit was already investigated and caught for a prior incident! My background is in criminal behavior and analysis, so you’ve piqued my interest to also dive into the individual’s history a little more. For most street crime, often it’s only a small percentage of the population that’s responsible for the majority of all crimes that take place. With the internet being essentially boundary-less, these statistics obviously change. However, I wonder what percentage of criminal hackers are multiple repeat-offenders vs single-time offenders. Thanks for sharing this info.
Candace T Nelson says
Hi Kelly,
What you do sounds fascinating to me. I have always been curious about the psychology behind criminals and the crimes they commit.
Thinking about cyber fraud, I would imagine that the rate of recidivism could be high since computers are so readily available and not easily avoidable. I guess the consequences of the crimes committed would have to outweigh the potential benefits of committing them for that to change.
By the way, I peeked at your LinkedIn profile – best of luck to you at SAP!!
Nicholas Fabrizio says
Hopefully, Twitter was able to put more secure policies in place to prevent this from happening again, because a lot of high-profile people use this platform. Sending out fraudulent tweets from some of these verified high-profile accounts could have a serious ripple effect on stock markets, companies, and much more.
Kelly Sharadin says
They claim that they’ve put measures in place to further reduce their human attack surface by limiting access controls for employees. However, these attackers specifically targeted low-level employees and pivoted up from there. So, other than increasing IR efforts – I believe this could easily happen again.
Amelia Safirstein says
This just goes to show how important training of employees is in cyber security. I feel like it’s often overlooked or halfway done.
Bryan Garrahan says
I think we just live in a time where the majority of organizational employees simply don’t understand the risk around Cyber security. Just the other day I walked by my roommate and he said something along the lines of, “I don’t have much work today other than completing this bs cyber security training”. I can’t say I was surprised because I’ve heard things like this from other people before too. People are going to have to learn somehow, which unfortunately for a lot of people will be the hard way.
Humbert Amiani says
The Twitter attack was definitely one of the highlights of the year. The fact that teenagers pulled it off is even more alarming, since a good percentage of grade schools have gone fully online and more teens are now sitting in front of a computer for most of their day. I am sure we are just seeing the beginning of what’s to come. It is only a matter of time before we see another incident of similar magnitude.
Anthony Wong says
This was a well-timed event because of COVID-19, and the attackers capitalized on it because the tweets sent offered COVID-19 relief aid by doubling the amount that was sent to the Bitcoin wallet. Also, it’s crazy how young these people were! One was still 17 at the time.
Bryan Garrahan says
https://www.securitynewspaper.com/2020/02/28/shark-tank-star-barbara-corcoran-was-hacked-attackers-stole-380k-with-a-phishing-email/
The article above is related to Barbara Corcoran, a highly regarded businesswoman and judge on the show Shark Tank, who fell victim to a phishing attack back in February. The attackers were able to obtain Barbara’s personal assistant’s email address (i.e., via reconnaissance). The attackers were able to create a new email account that was almost exactly the same (altered by just one letter) as Barbara’s assistant’s, and from there the article states the attackers emailed Barbara’s accountant to make an electronic transfer of $388,700 USD to a firm called FFH Concept GmbH.
“Although the Corcoran accountant asked some questions related to the bank transfer, the hackers seemed to be aware of the victim’s business, as they managed to deceive those involved”. Barbara’s accountant didn’t just blindly submit the transaction – rather, the accountant actually did perform some due diligence to ensure the authenticity of the request. It was clear that the attackers deployed a competitive advantage mentality in order to execute the hack. They took into account some questions may be asked and were prepared for it.
Candace T Nelson says
Wow – I am surprised by Barbara Corcoran’s response: “Lesson learned: Be careful when you wire money!” Seems that losing nearly $400K is not as detrimental to her as it would be to the average American!
It is worth noting that this fraud could have been prevented if a simple “call back” process existed. Had “Christine” (the Accountant) called “Emily” (Ms. Corcoran’s personal assistant) to confirm the request, the attack would not have occurred. Citing Kelly’s article in this week’s assignment, a naïve employee is the weakest link!
Nicholas Fabrizio says
Hi Candace,
I agree with you; if they had only set up some sort of callback process, they could have easily determined this was a fraudulent request. I imagine Barbara is involved in so many investments from being on Shark Tank and other business dealings that it became normal to just communicate over email to set up financial wire transfers, and the attackers used this to their advantage.
Bryan Garrahan says
Thanks Candace and Nick – I think it’s interesting to note that the hackers essentially attacked a small shop instead of a large organization. Why go after an organization with layered controls when you can take advantage of a small shop that has ineffective controls or potential gaps within them?
Zhuofu Wang says
People should be more sensitive to wire transfers. Perhaps the amount of money is not a big deal to Barbara, which led her to relax her vigilance about this operation. It led her to contact the assistant only after the transaction was approved. This attack also shows that the attacker had a deep understanding of Barbara’s business. This type of attack based on real information is very clever and difficult to prevent.
Amelia Safirstein says
Wire-transfers are often used in real-estate cybercrimes as well. Hackers gain access to a realtor’s email account, find out when a closing is going to occur, then email the buyer last minute to request a wire transfer or a change of the current wire transfer’s destination.
Candace T Nelson says
That is very helpful information, Amelia, since I work for a real estate company. I am going to look at our fraud schemes to see if this one has been identified, but I don’t believe it has. I will also point it out to our Treasury department and inquire whether this is something that could occur, after considering our internal control structure. Thank you!
Anthony Wong says
The attacker must have found extremely valuable information during their reconnaissance in order to pull this off. The fact that they were prepared for the questions is insane. Also, it is good to see the accountant tried to perform some due diligence before authorizing the transaction. To me it seems a lot of social engineering attacks are successful without any resistance.
Candace T Nelson says
https://www.classaction.org/news/magellan-health-hit-with-class-action-over-april-2020-ransomware-attack
A ransomware attack at Fortune 500 (for-profit) insurance company Magellan Health, Inc. that was discovered on April 11, 2020 has resulted in a class action lawsuit filed by three former employees. An investigation revealed that a company employee responded to a spear phishing email sent on April 6th that allowed hackers to gain access to employee email accounts.
The lawsuit claims the breach resulted from Magellan’s maintenance of protected and sensitive information “in a reckless manner” by storing it on a computer network that was vulnerable to cyberattacks since a data breach resulting from a phishing attack had also occurred less than a year prior. Information compromised in the 2020 breach included names, contact information, employee ID numbers, W-2 or 1099 information (such as Social Security numbers or taxpayer ID numbers), treatment information, health insurance account information, member IDs, email addresses, phone numbers, physical addresses, and other health-related details.
The lawsuit further stresses that Magellan failed to take adequate steps to secure data after the first breach, and that they failed to provide timely notice to nearly 160,000 affected individuals.
I found it interesting that the prior year’s breach occurred as a result of a phishing email, and the subsequent breach resulted from a spear phishing email. This tells me that the latter email was targeted to an executive, and implies that the company did not properly train its employees – including its executive employees – about the risks associated with clicking on suspicious email links after the first breach occurred.
Kelly Sharadin says
Phishing, the old tried and true method. My organization just concluded a security awareness phishing campaign. Many employees did pretty well, which was scored by their ability to report the email to our triage platform (Cofense). We actually had one employee email the cybersecurity mailbox annoyed; he thought we were wasting his time by sending a ‘fake’ email, but tough for him lol.
Humbert Amiani says
Seems like the hackers used information gathered in the first incident to try their chances at spear phishing, and it worked. Magellan failed in putting security measures in place, including training of employees, to protect their data and systems. Hopefully this serves as an expensive lesson to them, to avoid a third incident.
Bryan Garrahan says
Thanks for sharing! The article notes, “An employee had “inappropriately” responded to a spear phishing email sent on April 6, allowing unauthorized actors to gain access to employee email accounts”. I know we never really learn what exactly was exploited in these data breach news articles, but I’m curious as to who within the organization was targeted and how this attack was then executed based on that.
I agree with your point regarding a lack of preparation or training for the organization’s employees. However, this could also be due to employee fault too, as many organizations do in fact deploy cyber security awareness training that is just not taken seriously or simply ignored by employees.
Candace T Nelson says
Good point, Bryan –
I noticed your comment in our other assignment string that your roommate was not taking cybersecurity training seriously and that others (like him) may have to learn the hard way. It is unfortunate that the ultimate victims of these attacks – individuals who trusted a third party to securely maintain their personal and/or sensitive information – did nothing wrong. I find it especially disturbing when companies that are targets for data breaches (e.g. healthcare, credit reporting agencies, tourism) are lax when it comes to information security – especially when they are breached multiple times. Don’t even get me started on Equifax… 🙁
Humbert Amiani says
pretexting / vishing / SMS Social Engineering Attack (All in one)
A Reddit user detailed how he fell victim to a sophisticated combination of different forms of social engineering. He received a call with a spoofed caller ID of Wells Fargo, which he answered. The caller identified as a Wells Fargo employee with sensitive information about fraudulent charges on the victim’s bank cards, but he would need to verify his identity before the information could be discussed further. The caller asked him to read off the six-digit confirmation code sent to him on the phone number they were using, which he read. He was informed that the code had expired and asked to read off a second code that was sent to the same phone.
The caller then read out charges on the victim’s card, of which the victim verified he had made four, and did not recognize one. He was then assured that the unrecognized charge would be refunded to his account, but he needed to read off another confirmation code sent to his phone to confirm that he had disputed the charge and was due to be refunded the amount. After reading the last confirmation code, the caller thanked him, assured him he would be refunded, then hung up.
The victim then checked his phone, which had been vibrating while he was on the call. To his dismay, he had 4 emails: one read “your username has been reset”, the second read “Your password has been reset”, the third read “Welcome to Zelle”, and the fourth read “You’ve just forwarded $1000!”. In one phone call, his account had been compromised and he was out $1000 already. This story highlights the importance of being vigilant and questioning when in doubt.
https://blog.knowbe4.com/now-here-is-a-devious-combo-pretexting-/-vishing-/-sms-attack
Humbert Amiani says
A link to a page explaining Pretexting techniques in detail with examples.
https://www.csoonline.com/article/3546299/what-is-pretexting-definition-examples-and-prevention.html
Nicholas Fabrizio says
It is amazing how sophisticated attackers are getting at scams such as these. I’ve previously read online of similar scams where the attacker will send what looks like an automated text message from Google saying there is suspicious activity on the account and they need to verify your identity with the code they sent. I think the best option is to always be suspicious of any text or phone call from a bank that you did not initiate, and to call the bank back from the number on the card. According to the article it took the victim almost two hours to finally get a hold of a bank employee, and for a major company that is way too long.
Zhuofu Wang says
I agree. If we encounter a similar incident, we should call the official contact number to confirm whether it is true.
It seems that the attacker was very familiar with the business process of Wells Fargo, while the victim was obviously not familiar with it, so that when the attacker asked him to provide the confirmation code, he was not alert.
Humbert Amiani says
Nearly every form of security is being exposed in unprecedented ways. It is getting more complicated to keep your guard up since you never know when and how you are going to get hit.
Amelia Safirstein says
These kinds of attacks have left me paranoid any time I’m asked for personal information online or over the phone! It’s so important to maintain composure and think through the situation to avoid falling victim.
Anthony Wong says
This is the main reason why I never pick up calls from any unknown numbers. If it’s important enough, the caller can leave me a voice mail. More recently, I have been getting about 10 calls a day which is extremely frustrating.
Candace T Nelson says
I am glad to hear that I am not the only one who rarely answers my phone anymore. Fortunately, caller ID on both my cell and home phone identify potential spam, but if I don’t recognize the number (or if it is not associated with a contact in my cell phone) and the caller doesn’t leave a message, I guess the call wasn’t that important after all. It is an unfortunate state of affairs that I hope improves after the presidential election!
Humbert Amiani says
Amy, phone spoofing can really leave one paranoid, especially when you get multiple calls a day as Anthony says. I always wait for voicemails as well; in most cases they end up being about my car warranty having expired. Back in 2016, from June through November, I used to get at least 3 voicemails a week from the “IRS” giving me free money for being a good citizen, or a student loan overpayment refund even though I had zero loans, and they needed my preferred bank that they could route it to.
Anthony Wong says
In this scenario, I thought the victim could have simply logged into their bank account to confirm that the transactions showed on their account. But 100% agree with you, waiting two hours to get ahold of a representative is way too long.
Humbert Amiani says
They really got him good with the spoofed caller ID and the fact that he got an actual confirmation/verification code from Wells Fargo. Also, he recognized the transactions mentioned to him apart from one, which according to his narration was just about to happen: the $1000 transfer.
Zhuofu Wang says
Phishing in the Amazon: Internet shoppers urged to look out for Prime Day scams
URL: https://portswigger.net/daily-swig/phishing-in-the-amazon-internet-shoppers-urged-to-look-out-for-prime-day-scams
The data shows that the number of phishing websites targeting Amazon is increasing significantly. The attackers created a series of phishing website pages and copied the header, footer and other graphics of the Amazon website. These prompt the victim to fill in a form confirming their payment details, or the victim’s social security number, date of birth, etc.
A common trick used by attackers is to ask victims to fill out questionnaires/play mini-games and offer rewards. The victims were required to enter credit card information and pay $1 to receive the reward. After the victims provided the information and waited for a few days, what they received was not a reward, but charges on the credit card number which they had provided.
As the author said, there is no free lunch. We need to be vigilant against all actions that ask for sensitive information from us.
Anthony Wong says
The victims should have thought this one through a little more carefully… offering an iPhone 11 Pro for $1 is an offer that is too good to be true. Furthermore, the phishing website requires a social security number. If the victims shop online, they should be aware that an SSN is never required for a checkout process.
Amelia Safirstein says
Social engineering is largely responsible for making SIM swapping possible. Bad actors collect information on a target, then call the target’s phone company and convince the support associate to transfer the target’s phone number to a different SIM. Once the support associate transfers the target’s phone number, the bad actor can trick others into believing that they are the target or use the new SIM to circumvent two-factor authentication on the target’s accounts.
https://www.infosecurity-magazine.com/opinions/sim-swap-hacker/
Humbert Amiani says
SIM swapping is the greatest nemesis of two-factor authentication. Combine this with the fact that it takes upwards of hours to get a hold of customer care at any phone service provider, and by the time you get help, the bad actors have done enough damage already.
Anthony Wong says
Service NSW is a New South Wales Government executive agency that provides access to government services such as managing drivers’ licenses and car and firearm registration, payment of fines, etc. In April, 47 employees’ email accounts were compromised due to a phishing email. Initially, Service NSW believed that the attackers had limited access to the contents of the email accounts. However, over the course of the investigation, the agency reviewed 3.8 million documents contained in the 47 email accounts and identified that approximately 500,000 of them contained personal information. Ultimately, 186,000 customers were affected. Those customers would be notified via registered mail about what data may have been stolen and provided with advice on next steps.
URL: https://www.theguardian.com/australia-news/2020/sep/10/service-nsw-hack-could-have-been-prevented-with-simple-security-measures
Humbert Amiani says
Hi Anthony,
As much as investigations have to be done, I believe organizations should first notify their clients or those affected of a possible data breach where their PII might have been exposed. If they wait until the investigation is over, it could be too late for some of those affected.
Bryan Garrahan says
Unfortunately, organizations typically don’t care about their clients’ well-being or data. All they really care about is releasing just enough information about the breach so that they can say they addressed it and keep it moving. Rarely will we see organizations go above and beyond for the client, sadly.
Jerry Butler says
https://threatpost.com/godaddy-employees-tricked-compromise-cryptocurrency/161520/
This article explains how employees were tricked into giving over credentials. The threat actor was able to change DNS pointer records and bring down/access critical infrastructure of GoDaddy.com.