Verify End-Users to Prevent Social Engineering Cyber Attack
Social engineering is "the art of manipulating people in ways that result in them giving up confidential information." There are many types of social engineering scams and schemes, but one area that is often overlooked is the helpdesk, or any first-contact assistance role (for example, a lawyer or accountant taking an initial query).
The first step in such an attack is usually for the attacker to gather information about the organization they are targeting. Much of this information is freely available on the Internet, and the attacker repeats it back to the operator to appear legitimate and draw out more. By dropping key words and cues gathered online, the attacker builds trust with the operator and gets them to reveal who in the organization controls or handles that type of query. The attacker then continues the manipulation to work out who within the organization is most likely to have elevated permissions or access to sensitive information. These cues can often be gathered through a simple Google search or by querying business-oriented social networks such as LinkedIn or business Facebook accounts.
Once an attacker identifies a user whose credentials they want to steal, they can often find that user's email address on the business website, and the email address is the most common username format. In the helpdesk scenario the attacker engages the operator by claiming to be that person and saying they cannot connect to the organization's Active Directory environment. Often an operator (especially when the helpdesk is a third-party contractor) will tell the caller that the username is incorrect and supply the correct one. This provides the attacker with a win for 50% of the battle.
When that username is entered, the attacker says it is still not working, and a password reset may be initiated. A sophisticated attacker may already have obtained credentials from a leaked database and have access to the mailbox where the reset email will be sent. Otherwise, they may simply say they never received the email and ask the operator to send it to a phone number of their choosing.
In several organizations security questions are used to combat the above scenario. However, security questions have been reported to be largely ineffective. An experienced attacker can easily acquire the answers from any number of sources: the Dark Web, for instance, contains entire databases of answers to common security questions, and end-users often divulge far too much personal information on social media, providing the exact answers to the security questions they use.
Some organizations have historically used caller ID information as a tool for verifying a user's identity. However, this method has also proven unreliable because cloud-based PBX systems make it simple for an attacker to spoof caller ID information.
Social engineering attacks are not theoretical attack vectors; they happen in the real world regularly. Earlier this year, Electronic Arts was infiltrated by hackers who stole a large amount of data (including source code for the company's FIFA 21 soccer game) by tricking the company's IT support staff into giving them access to the company's network.
The key to preventing social engineering attacks against frontline and helpdesk staff is to ensure that no information obtainable from these staffed areas can knowingly or unknowingly aid such an attack.
Consider the earlier example in which an attacker contacts an organization's helpdesk pretending to be an employee who needs their password reset. Several things could conceivably happen during that conversation. Some possible outcomes include:
- The attacker answers the security question using stolen information sourced from social media or from the Dark Web.
- The attacker tries to gain the staff member's trust through friendly conversation, hoping they will overlook the rules and go ahead and reset the password even in the absence of the required security information. In some situations, the attacker might also try to make the staff member feel sorry for them.
- The attacker might try to intimidate the staff member by posing as a person in authority who is extremely upset that they cannot log in. When the staff member asks a security question, the attacker might scream that they do not have time to answer a bunch of stupid questions and demand that the password be reset right now (this technique has succeeded many times).
Ultimately, the staff member's discretion is the only thing standing between the attacker and exploitation; it alone determines whether the requested information is released or the password reset goes ahead.
The best way to prevent such an attack is to:
- Limit what is shared on social media to information that is never used in a security question.
- Use security questions that are not based on personal information such as pets, birthplace and so on.
- For network issues handled by the helpdesk, make a call back to the staff member's internal contact number mandatory before any password reset.
- Have operators confirm other current information as an additional security check.
- Do not accept anything that was sent via email for confirmation or verification.
- Don't put all your eggs in one basket: don't use devices or authenticators from the same organization that controls your Active Directory, because a compromise of that organization exposes the authenticator, which can then be spoofed or cloned. For example, if you have Google accounts, use SMS rather than Google Authenticator.
- Make two-factor authentication through non-email options mandatory.
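As an added example (not from the original article), the following shows how a helpdesk could turn the checklist above into an enforced reset workflow rather than a judgement call left to the operator. The directory, ticket fields and function names are hypothetical and the staff record is constructed for the example; the point it demonstrates is that the callback number and the second-factor channel are taken from the record the organization already holds, never from the caller, that email-delivered material is never accepted as proof, and that the operator's reply is the same whether the username was wrong or a check failed, so nothing is leaked back to the caller.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed directory of record (hypothetical): what the organization
# already knows about each staff member before the call. Nothing the caller
# says on the phone can change these values.
DIRECTORY: Dict[str, dict] = {
    "jsmith": {
        "phone_of_record": "+1-555-0100",               # internal contact number
        "mfa_channels": ["authenticator_app", "sms"],   # enrolled non-email factors
    },
}

# One message for every failure, so the operator never confirms whether a
# username exists or which check failed.
GENERIC_RESPONSE = "We are unable to complete this request over this call."


@dataclass
class ResetRequest:
    """What the operator records during the call (hypothetical ticket fields)."""
    claimed_username: str
    caller_supplied_phone: Optional[str] = None   # "just send it to this number" (logged, never dialed)
    email_proof_offered: bool = False             # caller cites something they received by email
    callback_number_used: Optional[str] = None    # number the operator actually dialed
    callback_confirmed: bool = False              # the person of record answered and confirmed
    mfa_channel_used: Optional[str] = None        # channel the second factor was sent through
    mfa_confirmed: bool = False                   # second factor was completed


def evaluate_reset(req: ResetRequest,
                   directory: Dict[str, dict] = DIRECTORY) -> Tuple[bool, List[str]]:
    """Apply the checklist as hard rules. Returns (approved, failed_rules);
    the reset is approved only when no rule fails."""
    failed: List[str] = []
    record = directory.get(req.claimed_username)
    if record is None:
        return False, ["unknown identity"]

    # Callback must go to the internal contact of record, never to a number
    # offered on the call, and the person reached must have confirmed.
    if req.callback_number_used != record["phone_of_record"]:
        failed.append("callback did not use the phone of record")
    if not req.callback_confirmed:
        failed.append("callback not confirmed")

    # Nothing delivered via email counts as verification.
    if req.email_proof_offered:
        failed.append("email-delivered material is not accepted as proof")

    # Second factor must be a non-email channel the user is actually enrolled in.
    if req.mfa_channel_used == "email" or req.mfa_channel_used not in record["mfa_channels"]:
        failed.append("second factor must be a non-email enrolled channel")
    if not req.mfa_confirmed:
        failed.append("second factor not confirmed")

    return (not failed), failed


def operator_response(req: ResetRequest) -> str:
    """What the operator is allowed to say back to the caller. The failed
    rules stay in the ticket for review; the caller only sees the outcome."""
    approved, _ = evaluate_reset(req)
    return "Reset issued via your enrolled channel." if approved else GENERIC_RESPONSE


if __name__ == "__main__":
    # Constructed call: attacker asks for the reset to go to their own number,
    # cites an email, and wants the second factor by email too.
    suspicious = ResetRequest("jsmith", caller_supplied_phone="+1-555-0199",
                              callback_number_used="+1-555-0199", callback_confirmed=True,
                              email_proof_offered=True, mfa_channel_used="email",
                              mfa_confirmed=True)
    print(evaluate_reset(suspicious))
    print(operator_response(suspicious))
```

The failed-rule list is for the ticket and for whoever reviews reset activity; it is deliberately kept out of `operator_response` so that a caller probing the process learns nothing about which check tripped.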
These are just a few tips for adding security at the front lines.