On February 5, 2023, a highly targeted–sophisticated, if you will–attack was launched on Reddit, which resulted in the credential compromise of only one employee, but a catastrophe for hundreds of former and current Reddit staff. They sent convincing prompts out, attempting to guide employees to a website with a cloned Reddit intranet gateway. The attacker aimed to steal credentials and second-factor tokens. Even though the attacker managed to steal only one employee’s credentials, that was all they needed. The attacker gained access to internal code, documents, business systems, and dashboards.
Unfortunately, Reddit hasn’t released any other details. However, based on the information we have, we can make some assumptions as to what exactly happened:
1. The fact that the attacker could spoof Reddit’s intranet gateway means they must’ve had some knowledge of internal operations.
2. By using the term “code”, we can assume that the attack was limited to users with desired access; here, probably developers or someone on the product side.
3. Reddit mentioned that production systems were accessed, and the attacker may have been an Initial Access Broker, meaning they may have worked intending to sell stolen credentials to other cybercriminals. So, they may have focused the attack on gaining a foothold rather than penetrating more sensitive data or systems.
Phishing is a type of cybercrime where the attacker tries to trick individuals into giving away sensitive information through fake emails, messages, or websites that appear to be from trustworthy sources. The attacker creates a sense of urgency or uses a believable scenario to convince the victim to take the desired action–in this case, clicking on a link or providing personal information.
Phishing attacks are increasing, and anyone is a potential victim. According to a report by security provider SlashNext, there was a steep 61% increase in the rate of phishing attacks over a six-month period that ended in October 2022 compared to 2021. With so many tech advances and ever-evolving security requirements, one can’t help but wonder how this is possible when we live in such security-conscious times. The reality is–the more we try to prevent phishing, the more brilliant phishers get. Their techniques are becoming more sophisticated, and their success rate is on the rise.
These sophisticated phishing techniques are known as social engineering, and it’s designed to play on people’s emotions. The trophy? A reaction in addition to sensitive information.
Falling victim to a phishing attack doesn’t mean that people are naïve. Instead, it’s because we naturally feel inclined to act when driven by a sense of urgency. This basic human need makes a sophisticated phishing attack successful. When we respond emotionally to something, we tend to overlook details that we may have noticed otherwise. Time-sensitive offers trigger the emotional response (i.e. you have two hours to enter your credit card details before the offer to win a trip expires).
Besides driving a sense of urgency, attackers also use techniques to earn our trust. As difficult as it is for some of us to trust just anyone or any simple email we receive, we pride ourselves on taking the time to investigate the legitimacy of something by, for example, reading reviews before deciding to act. Attackers know this, so they create fake forums and equally fake user testimonials.
Of course, these emails aren’t limited to tricking users into thinking that they’ve won something– attackers can infiltrate any environment, be it corporate, retail, education, or government. Naturally, the emails that victims receive are personalized. These attacks take time, and the perpetrator usually has a lot of patience to make it happen. They scavenge through their potential victims’ social media accounts to gather all the information they need to guarantee a successful outcome.
Success doesn’t come without a strategy. These attacks are planned, and they take specific steps to guarantee a successful outcome even though a social engineering attack requires no sophisticated knowledge of cybersecurity.
Knowing how to prevent these attacks requires knowledge of how attackers go to work so that you can cover all potential weak points and remain one step ahead.
This means that victims need to be identified. The attacker performs a recon and chooses a target based on their position in an organization or ease of access. However, they may simply decide on a range of targets, hoping that something sticks. After they’ve selected a target, they gather background information–for this; they use public information such as company websites, social media, and any other sources they can get their hands on. How do they do this?
A scenario would look like this: you and a couple of co-workers attend a party. You take pictures and post them on social media. The attacker zooms in on details of these pictures–for example, they notice a couple of people in the background. They start looking at the company you work for, identify faces they noticed in the background, and connect the dots. They then proceed to create a fake email address that seems authentic, to impersonate someone else that attended the party. They use details from the party to make it seem like they were there to gain your trust, which leads them to the next step in the process.
The perpetrator starts to engage their target; methods range from email to phone calls. For an attack to be successful, the attacker needs to get to know the target and earn their trust. They then start spinning a web of lies and stories, ultimately taking control of the conversation.
During this phase, the attacker gets cocky. They expand their foothold and execute the attack by providing the victim with stimuli for subsequent actions that break security practices. The disruption of business or data siphoning happens so discreetly that the target still doesn’t know what’s going on.
The first compromise usually comes in the form of a link or attachment; such as Office docs with macros. Luckily, Microsoft has reinforced protection against Office docs. This resulted in attackers expanding their expertise–they have now used OneNote-embedded files or scripts.
Without arousing suspicion, the attacker goes into a trace-removal mode where they remove all traces of malware, covering their tracks, and bringing the fiasco to an end.
However, this would be the case if an employee took action and reported their suspicion of the incident. If not, phishing could simply be the door that’s opened for other types of attacks. The attacker can end up spending a significant amount of time in the compromised network. This provides them with the opportunity to steal, encrypt, or wipe data.
Even though social engineering can lead to breaches, giving the attacker access to critical resources, it’s human error that causes these breaches as opposed to vulnerabilities in operating systems or software. The attacker needs a legitimate user to gain entry since it’s less predictable and harder to identify than a malware-based intrusion. Almost every type of cybersecurity attack contains some form of social engineering.
Once again, they will always try to find new and unique ways to carry out a successful attack. Now, they’ve started to master the impersonation of legitimate people in an organization, as well as websites. They use AI tools to imitate the language and behavior of certain people when setting up phishing text messages, audio, and video deep fakes.
Social engineering attacks are possible wherever human interaction is involved. They come in different forms, but some of the most common assaults include the following techniques.
Phishing happens when the attacker poses as a legitimate person or organization to trick a user into sharing personal or sensitive information. They usually do this via email or instant message. With phishing, the attacker’s goal is to get the victim to click on a malicious link to enter personal details or install a virus on the victim’s device.
This malware tactic involves scaring the user into thinking their device is at risk of infection. This tactic gets the user to install or buy software disguised as a cybersecurity solution. If the tactic works, the attacker may steal personal data or information.
Watering hole attacks take place on a seemingly legitimate website intending to launch or download malicious code onto the victim’s device. Here, the attacker has done their research well enough to target users commonly using a specific site. The compromised site can, for example, install a backdoor Trojan to the victim’s device, which allows the attacker to control said device.
As the name suggests, the attacker promises a user something interesting enough to spark curiosity or greed. This is usually done by enticing users with ads that lead to malicious websites or by leaving malware-infected flash drives in conspicuous places where someone is sure to find them.
In a pre-texting attack, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pretend to be an external IT service provider, and request users’ account details and passwords to assist them with a problem. Or they might pretend to be the victim’s financial institution, asking them for confirmation of their bank account number or bank website credentials.
Whaling is another phishing attack that mostly targets wealthy people, senior executives, or network administrators. This is because the attacker seeking highly valuable information–as a result, these attacks are more sophisticated. The attacker does their homework well before posing as a colleague, employee, or manager, crafting a specific email containing a request, or requiring urgent intervention from the victim.
Investing in your security and security awareness will guarantee a lesser chance of breaches. Let’s look at some prevention tips to stay ahead of phishing attacks.
While some staff members are aware of the consequences of social engineering, others may not be. The scope of attacks, as well as security requirements, are always changing. Therefore, continuous security education is essential. All employees should know about policies and precautions before giving out any information.
After training staff members on security awareness, have everyone take part in an exercise. For example: Send a fake phishing email to all users and record who is reporting it to the security team, who simply deletes it, and who takes action. This is a great way to identify where your team stands and what measures need to be taken to improve awareness. Security awareness is the key to keeping your organization safe from social engineering attacks.
Installing basic measures requires the installation of antivirus and any other endpoint protection on user devices. Modern protection tools are so clever, they can:
It’s important to note that antivirus alone isn’t enough. This should be implemented with other security measures as well since some forms of attacks can still go undetected.
Penetration testing, also known as pen-testing, involves using an ethical hacker to test the security of an organization. This is beneficial since it identifies security weaknesses, ultimately helping you to discover systems or employees you need to focus on protecting, or methods of social engineering you may be especially susceptible to.
Security Information and Event Management (SIEM) and a Security Operations Center (SOC) are exceptional security services. They work with each other. SIEM aids organizations in detecting, analyzing, and responding to security threats before they harm businesses. SOC teams are tasked with continuous monitoring, detection, prevention, and response to cyber threats.
The SIEM solution gives your organization visibility into all activities taking place within your network. This gives you the ability to respond quickly to cyber threats, and it ensures that your organization adheres to compliance requirements.
SOC teams protect your organization’s brand integrity, business systems, intellectual property, and staff data. However, SOC teams also take the heavy security burden off your shoulders, since they plan and implement your organization’s overall security strategy for you.
DLP is a combination of best practices and technology that prevents the exposure, damage, or loss of sensitive information. This would come in after a successful phishing attack as a late detection method. Modern software uses AI based on machine learning to learn and improve the approach to detection and blocking.
The goal of DLP is to prevent unauthorized access to sensitive information. It does this by applying automated protection policies and classifying different content types in a data object. Ensuring sensitive information stays behind a firewall can be achieved by implementing a multilayered DLP strategy. This will also enable your organization to review and update its retention and data storage policies to maintain regulatory compliance.
Besides investing in measures to up your organization’s security game, there are a couple of smaller, easier steps to take to avoid falling victim to social engineering attacks. These include:
More importantly, encourage employees to confirm the legitimacy of any piece of communication that may seem suspicious.
The Reddit attack goes to show how important it is to continuously educate staff on security. If the employee who fell victim to the attack didn’t come forward, it could’ve turned out much worse. Reddit is still actively investigating the attack. Social engineering is becoming an increasingly effective method for cybercriminals to breach organizations’ security measures. Identification and prevention of these attacks are essential.
07/31/2023In addition to using encryption, ransomware criminals use data exfiltration technology to get their hands on copious amounts of sensitive information. They threaten to publicly leak this information or sell it on the dark web. The costs and reputational damage this can inflict puts targeted organizations under pressure to pay the ransom to deal with the issue.
10/20/2023An insider is not just an employee; it includes a wide range of individuals who once had or still have access to an organization’s resources. This includes members, contractors, vendors, and anyone entrusted with sensitive information and access.