Attackers use social engineering to convince users to turn over their internal access credentials, allow someone into a secured area (such as a corporate office), or access some resource. For instance:
• Tailgating: following an employee through a badge-controlled door into a corporate office
• Claiming the user’s computer has a problem and that the caller will fix it for them
• Claiming that someone the user cares about has been kidnapped, is in financial trouble, etc.
Social engineers often rely on overloading a victim with information or urgency, or on convincing the victim that they can be trusted, and they use many channels to reach the victim.
The Ingenuity of Social Engineering Attacks
Social engineering attacks can be unexpectedly creative. For instance, I have seen an attacker claim to be newly married to the victim, with the sound of a crying baby playing in the background, to convince a support representative to add her to the victim’s account. This attack is especially insidious because, with some providers, the only way to remove an added user is to close the account.
In other cases, attackers have posed as fire or building inspectors to gain access to restricted areas. Attackers sometimes work in pairs: one acts like a frustrated employee pressuring a security guard to let them into the building quickly, while the other acts like a flower delivery person who also needs immediate access.
Email and messenger-based (text messages, private messaging, and voice) social engineering attacks are the most common, including spam and phishing. While the terms spam and phishing are often used interchangeably, they are distinctly different.
Spam is unsolicited email: advertisements, mailing lists, and the like. Spam is usually sent to large numbers of people and is not customized for any specific person. A spam message might be an advertisement from a company you never contacted, carry an infected attachment, or ask you to click on a link.
Phishing is like spam, but it is customized to the receiver.
Attackers may spend a few minutes to hours researching an individual victim and customizing an email the victim is more likely to act on. The attacker might try to emulate an email from an organization the victim already trusts, such as Google, Microsoft, an email provider, or a bank.
Note
Chapter 20 discusses strategies for countering spam, phishing, and other social engineering attacks.
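The customization described above leaves traces that a filter can look for: a display name that claims a trusted brand while the sending domain is a lookalike, a Reply-To header that routes answers somewhere else, link text that shows one host while the href goes to another, and urgency in the subject line. The following Python script is an added example, not code from the book. The two messages it inspects are constructed samples under the reserved .example domain, and the brand list and urgency phrases are illustrative assumptions rather than authoritative lists.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail); the domains are lookalikes.
SAMPLE_PHISH = """\
From: "Microsoft Account Team" <security@micros0ft-support.example>
Reply-To: helpdesk@mail-recovery.example
To: victim@corp.example
Subject: Unusual sign-in activity - verify now
Content-Type: text/html

<html><body>
<p>We detected a sign-in from a new device. Verify within 24 hours.</p>
<p><a href="http://login.micros0ft-support.example/verify">https://login.microsoft.com/verify</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: victim@corp.example
Subject: Scheduled maintenance this weekend
Content-Type: text/html

<html><body><p>Details: <a href="https://intranet.corp.example/notice">https://intranet.corp.example/notice</a></p></body></html>
"""

# Brands attackers commonly imitate, mapped to the domain they really send
# from. Illustrative subset (an assumption), not an authoritative list.
IMPERSONATED_BRANDS = {"microsoft": "microsoft.com", "google": "google.com"}
URGENCY_PHRASES = ("verify now", "urgent", "within 24 hours", "account suspended")


def host_of(value: str) -> str:
    """Lowercased host of an email address, URL, or bare hostname."""
    value = value.strip()
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_host = host_of(from_addr)

    # 1. Display name claims a trusted brand, but the sender domain is not that brand's.
    for brand, brand_domain in IMPERSONATED_BRANDS.items():
        same_org = from_host == brand_domain or from_host.endswith("." + brand_domain)
        if brand in display_name.lower() and not same_org:
            findings.append(f"display name mentions {brand!r} but sender domain is {from_host}")

    # 2. Replies are routed to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_host = host_of(parseaddr(reply_to)[1])
        if reply_host != from_host:
            findings.append(f"Reply-To domain {reply_host} differs from From domain {from_host}")

    # 3. Link text shows one host while the href goes somewhere else.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            if "." in text and host_of(text) != host_of(href):
                findings.append(f"link text shows {host_of(text)} but href goes to {host_of(href)}")

    # 4. Pressure to act immediately, a staple of social engineering.
    if any(phrase in msg.get("Subject", "").lower() for phrase in URGENCY_PHRASES):
        findings.append("urgency language in subject")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

These are heuristics, not proof: a legitimate newsletter can trip the Reply-To check, and a careful attacker can avoid all four. In a real mail pipeline they would sit alongside the SPF, DKIM, and DMARC results rather than replace them.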
Attackers quickly take advantage of new technologies, such as deepfakes and large language model artificial intelligence (LLM/AI) systems.
Threat actors use deepfakes to mimic the voice, physical characteristics, or writing style of someone the victim trusts.
The deepfake is used to convince the victim to take some action.
If the voice on the other end of the phone sounds like your manager, you are likely to give them your password; if it does not sound like your manager, you are likely to be more suspicious. As deepfakes become more realistic, they become more dangerous.
Deepfakes and Social Engineering Attacks
When this book was written, security professionals reported a case in which a woman received a phone call from what sounded like her daughter.
The caller stated she had been kidnapped and that her mother needed to send a large sum of money to a bank account within the hour, or she would be harmed. The woman found a way to contact her daughter and discovered she was safe. The attacker had used a deepfake of the daughter’s voice.
LLMs are used to research a victim and write a convincing email quickly. LLMs can assemble an authentic-looking email from a large, trusted organization with little effort from the attacker.
While viruses, worms, spyware, and keyloggers are technically different kinds of program, they all belong to a broader class of software called malware.
Malware is software designed to disrupt, damage, or gain unauthorized access to a computer system. Some malware (viruses and worms) self-replicates; other kinds (trojans, spyware, keyloggers) depend on a user or another program to install them. Malware generally tries to do one of three things:
• Prevent the user from accessing data, either by encrypting it (ransomware) or deleting it (wiper)
• Log interactions between users and the system to steal passwords, discover private information, etc.
• Leak private information to the attacker
These actions will be considered in more detail later in this chapter.
Self-replicating malware spreads by
• Scanning for other vulnerable computers through the host’s network connection.
• Installing itself on vulnerable websites, so that visitors’ computers are infected when they load the page (a drive-by download).
• Infecting portable media such as USB thumb drives.
Attackers can also spread malware inside legitimate software during a supply chain attack.
Supply Chain Attack
Supply chain attacks gain access to a target’s network through a trusted third party in its supply chain, such as a contractor, a software vendor, or a software dependency. Here are some well-known supply chain attacks:
• In late 2013, attackers used network credentials stolen from Target’s heating, ventilation, and air conditioning (HVAC) contractor to get into Target’s network, ultimately installing malware on its point-of-sale (PoS) systems. The malware scraped the payment card data of roughly 40 million customers. The contractor had legitimate, but overly broad, access to Target’s systems.
• In 2020, the IT management software vendor SolarWinds was breached, and a backdoor was inserted into the build of its Orion product. Thousands of SolarWinds customers installed the trojanized update, which carried the vendor’s own code signature, and the attackers used the backdoor to move into the networks of a select set of those customers, including US government agencies.
• In 2021, attackers exploited a chain of previously unknown vulnerabilities in on-premises Microsoft Exchange Server to install web shells, a form of back door, on thousands of servers. Strictly speaking, Microsoft’s code was not tampered with; the victims were compromised through a widely deployed vendor product, which is why the incident is often grouped with supply chain attacks.
Supply chain attacks are among the most difficult to detect and counter. For commercial (closed-source) products, users cannot inspect the code and must place their trust in the vendor’s security, including the integrity of its build and update pipeline. For open-source packages, users must either trust the community or have engineers on staff who can review the package’s code for security problems. In both cases, verifying that what you installed is what the publisher actually released (signed packages, pinned hashes) narrows the problem to the publisher itself, but it does not help when the publisher’s own build is what was compromised, as in the SolarWinds case.
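One check a practitioner can apply, whichever way they resolve the trust question above, is to refuse to install any third-party artifact whose hash is not pinned in a lock file that was reviewed and committed with the code. The Python below is an added example, not code from the book or from any package manager. The lock-file format imitates hash-pinned requirements files; the release bytes, the “trojanized” copy, and the lock file contents are all constructed for the example, and the good release’s hash is computed in place only so that the example runs stand-alone (in practice it would be recorded at review time, not at install time).

```python
import hashlib
import hmac
import re

# Constructed artifacts standing in for a vendor's downloadable release.
# Not real packages; the bytes are arbitrary.
RELEASE_2_4_1 = b"agent 2.4.1 release payload, build 7712\n" + bytes(range(64))
# The same release with a small change, standing in for an inserted backdoor.
TROJANIZED_2_4_1 = RELEASE_2_4_1.replace(b"build 7712", b"build 7713")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lock file in the style of a hash-pinned requirements file: one
# artifact per line, one or more --hash entries. The first hash is computed
# here from the constructed good release only so the example is runnable.
LOCK_FILE = f"""\
# pinned third-party artifacts (constructed example)
agent==2.4.1 --hash=sha256:{sha256_hex(RELEASE_2_4_1)}
helper==1.0.0 --hash=sha256:{'0' * 64} --hash=sha256:{'f' * 64}
"""

LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)$"
)


def parse_lock(text: str) -> dict:
    """Map (name, version) -> list of acceptable sha256 hex digests.

    Any non-comment line that does not match the expected shape is rejected
    outright: a lock file that is silently half-parsed is worse than none.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LOCK_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed lock line: {line!r}")
        digests = re.findall(r"sha256:([0-9a-f]{64})", match.group("hashes"))
        pins[(match.group("name"), match.group("version"))] = digests
    return pins


def verify_artifact(pins: dict, name: str, version: str, data: bytes):
    """Return (ok, reason) for a downloaded artifact.

    Refuses anything the lock file does not list, and compares digests with
    a constant-time comparison so the check does not leak partial matches.
    """
    allowed = pins.get((name, version))
    if not allowed:
        return False, f"{name}=={version} is not pinned; refusing to install"
    digest = sha256_hex(data)
    if any(hmac.compare_digest(digest, pinned) for pinned in allowed):
        return True, "sha256 matches pinned value"
    return False, f"sha256 mismatch for {name}=={version}: got {digest[:12]}..."


if __name__ == "__main__":
    pins = parse_lock(LOCK_FILE)
    print(verify_artifact(pins, "agent", "2.4.1", RELEASE_2_4_1))      # accepted
    print(verify_artifact(pins, "agent", "2.4.1", TROJANIZED_2_4_1))   # rejected
    print(verify_artifact(pins, "agent", "2.4.2", RELEASE_2_4_1))      # not pinned
```

Pinning catches substitution between the publisher and you: a compromised mirror, a tampered download, or an attacker who swaps the file after the fact. It does not catch a compromise inside the publisher’s own build pipeline, because in that case the pinned hash is the hash of the already-backdoored build, which is exactly what happened with the signed SolarWinds update. That is why hash pinning belongs with, not instead of, code review and monitoring of what the installed software actually does.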