Low Tech ‘Social Engineering’ is Often Key to Successful Cyberattacks

You hear about it in the news all the time now. A company has been “hacked,” leading to the exposure of thousands or even millions of consumer or employee records. Inevitably, there is then the follow on credit monitoring, regulatory action, and some forensic look at how the bad guys “got in” and what variant of the latest virus was used to infiltrate the victim company’s systems.

In depth social engineering supported an attack that cost Leoni AG, one of the world’s largest manufacturers of wires and electrical cables, more than $44 million.

These stories are real and important, for sure, but one thing that has been increasingly overlooked in the headlines is the fact that many of these so-called “hacks” don’t begin in a technical manner at all. Many so-called cyberattacks start with nothing more than good old fashioned “casing” or scouting of the victim company and their employees, often through seemingly innocent phones calls placed to company employees or through the review of easily and publicly accessible online social media accounts (think LinkedIn profiles that tell the world who does accounts payable for company ABC).

This low tech approach, known as “social engineering,” when done well empowers would-be cyber thieves to learn user names, passwords, job titles, functions, responsibilities and other information that is in turn used to perpetrate the follow-on attack.

This attack method was on full display during a “social engineering contest” at last month’s Def Con hacking conference in Las Vegas. Chris Silvers, who won first prize in that contest, called a company employee and pretended he was “filling in gaps in an internal survey the company had sent out to employees — a real survey he’d found on the company’s website during his pre-contest research.” (Source: USA Today, “A hacker’s best friend is a nice employee,” by Elizabeth Weise, Aug. 15, 2016).

“The staffer who answered her desk phone fell for his ploy hook, line and sinker, no doubt soothed by his southern accent and calm conviction he had every right in the world to be asking his questions. He convinced her to go to a non-existent website to sign up for a $10 Amazon gift card for her trouble. When that — of course — didn’t work, he offered to help her troubleshoot the problem.” (Source: Id.).

Ultimately, during a single phone call that lasted less than 25 minutes, Silvers was able to learn a “treasure trove of information about her company’s computer network, antivirus software and web filtering protocols  — more than enough information for a hacker to easily infiltrate the network.” (Source: Id.).

Chris Silvers, who runs CG Silvers, an independent security consulting firm in Atlanta, won first prize in the social engineering contest held at the DefCon hacker conference in Las Vegas. “You can get everything you need — information about their security, their operating system, what kind of computers they use. Just with a call,” he said.

This same type of social engineering was a key element in a real life multimillion dollar attack just last month on Leoni AG, one of the world’s largest manufacturers of wires and electrical cables. According to media reports, thieves “spoofed emails to look like official payment requests.” The CFO of the targeted Leoni factory then sent more than $44 million (USD) in funds to the thieves after receiving those emails, which were “cloned to look like they came from [the Company’s] German executives.” (Source: Gizmodo, “An Email Scam Cost One of Europe’s Biggest Companies $40 Million,” by Hudson Hongo, Sept. 1, 2016).

Apparently, the Leoni attack was successful largely because of the extent to which the thieves socially engineered their efforts, cloaking their fraud in the appearance of legitimacy.

“Investigators say the email was crafted in such a way to take into account Leoni’s internal procedures for approving and transferring funds. ..The [ ] factory was [also] not chosen at random…Leoni has four factories in Romania, and the [targeted] branch is the only one authorized to make money transfers.” (Source: Softpedia, “One of Europe’s Biggest Companies Loses €40 Million in Online Scam,” by Catalin Cimpanu, Aug. 31, 2016).

The lessons here are clear. Training employees is incredibly important in the defense of cybercrime. And, given the evidence of the latest attacks, that training must be broad enough to ensure that companies and their employees are on the lookout for and prepared to rebuff the social engineering tactics employed by cyber thieves. We’ve moved well past the “Nigerian prince” emails, and now live in an increasingly dangerous environment in which the bad guys are smart, cunning and seriously deliberate about who they target and what they’re after. Companies should be equally as committed, deliberate and thorough when it comes to their defenses – those that do will dramatically increase their chances of staying safe and staying out of the cyberattack headlines.