Phished, w/o Clicking

Conventional cyber wisdom says that social engineering and phishing involve nothing more than a user clicking on bad links. A large percentage of social engineering attacks do invite users to click on bad links, and that action can definitely have consequences, yet many of the highest-profile social engineering attacks have absolutely nothing to do with links and nothing to do with "clicking."

Some of the most damaging social engineering attacks consist of a hacker's patient collection of information, which is then leveraged in many ways to inflict financial harm or damage a brand's reputation. The most effective use of this collection is a stealth-based approach, where conversation and information gathering occur very subtly, often outside the scope of advanced detection tools and beneath the radar of even the best-constructed defenses.[1]

Small businesses often have to balance effectively promoting their products, brands, and people against successfully defending against how that very same information can be used against them. It is important to note that the basic "social engineering" craft does not involve clicking attachments, the actual phish attack, or even spear-phishing; it is the basic exchange of information between individuals and an unauthorized source, backed by malicious intent on the part of one or more of the individuals involved. Direct phone calls and email are low-tech yet stark examples of this social engineering technique.

In a past Wapack Labs Targeteer report[2], we identified a Nigerian threat actor by the name of Austine. Austine used the fake name Sonu Kumar to carry out his online criminal activity. He used a combination of telephone conversations and emails to successfully social engineer victims at several companies. One such company was the Italian company Fandis, which sells blinds. Once trust was built, a phish email would be sent in which Austine employed the Predator Pain keylogger to obtain direct financial information.

His whole fraud scheme would begin with social engineering, often through Facebook. We were able to capture a screenshot of a female victim whose case developed into yet another one of his fraud schemes.

Mitigation

Successful risk mitigation requires the application of a risk-based approach at the human level. This is actually old advice, and it involves more than just not clicking on suspicious attachments. Though you want to be friendly and promote your business, caution should always be employed when dealing with strangers. The threat landscape, as it relates to social engineering, is constantly advancing and adapting in order to achieve more with less effort. The foundation of successful attacks is often building trust, preying on human curiosity, and upgrading from traditional attacks to scams that are harder to detect. Attackers are getting very good at understanding these concepts. This is the very principle behind most "Capture the Flag" contests sponsored and run throughout the year within the IT community, and these contests overwhelmingly demonstrate the success of social engineering techniques. Reducing social engineering risk requires awareness and, possibly, technologies designed to detect the phishing attacks that eventually follow. Wapack Labs and Trusted Internet LLC can help with mitigation products and strategies: https://trustedinternet.io/services/

For questions or comments regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com

[1] https://blog.barracuda.com/

[2] Wapack Labs: IR-091-2017
