Examining a real Social Engineering Attack
Marcus Crockett, CCM? (Zero Trust/Stealth Networks/TISAX)
If you are employed by a company that has cash in its bank account and you have any decision-making or operational responsibilities related to transfers or wires, you are a target for hackers! This applies particularly to startups and small businesses that don't have the resources for dedicated cybersecurity staff. Let me assure you, titles and responsibilities are posted online for everyone to see, so it's pretty easy to figure out who is doing what.
I worked for a company that was targeted by a social engineering attack and wanted to share the details with you so that you don't fall prey to the same attack. Thankfully, having read the late Kevin Mitnick's book on social engineering, The Art of Deception, a few years earlier, I was familiar with the tactic and recognized the attack.
This was a social media spear phishing attack in which the attacker researched the organizational structure and sent an email to his target, the CFO, using a specific technique called Business Email Compromise (BEC). The email was sent with the CEO's name as the sender, and the target took action based upon trust, familiarity and the urgency of the request. He directed the Controller to execute the wire, which fell to me.
Contents of the Request
Hey _____,
I need you to wire me $20,000 to this account, as an advance.
Thanks.
___________
Number of people involved: 3 employees plus the attacker
Reasons why social engineering attacks are effective include:
· Authority: Threat actors impersonate individuals with power. This is because people, in general, have been conditioned to respect and follow authority figures.
· Intimidation: Threat actors use bullying tactics. This includes persuading and intimidating victims into doing what they're told.
· Consensus/Social proof: Because people sometimes do things that they believe many others are doing, threat actors use others' trust to pretend they are legitimate. For example, a threat actor might try to gain access to private data by telling an employee that other people at the company have given them access to that data in the past.
· Scarcity: A tactic used to imply that goods or services are in limited supply.
· Familiarity: Threat actors establish a fake emotional connection with users that can be exploited.
· Trust: Threat actors establish an emotional relationship with users that can be exploited over time. They use this relationship to develop trust and gain personal information.
· Urgency: A threat actor persuades others to respond quickly and without questioning.
Circumstances that contributed to the attack: This request was not uncommon because the CEO had made this request before. The CFO was targeted and became the reason why the attack almost succeeded, because of his seniority and relationship with the CEO. As he gave instructions to his subordinates, they were less likely to stop the attack for fear of insubordination. If the employee targeted is more than one step below the CEO, it’s pretty easy for them to question the attack. Because it comes from someone that is close to the CEO, people in the execution chain are less likely to question the directions. Had the hacker been successful, it would have been a tremendous loss for the business, but can you really blame one person for falling for the ruse?
Single event that thwarted the attack: The request seemed odd, so I asked to view the email request. I clicked on the 'From' address and noticed that it was strange and looked to be a spoof, because the domain was misspelled. I called off the wire and asked the CFO to call the CEO to see if the request was legitimate. The answer was 'No'!
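The From-address check that caught this attack can be automated at the mail gateway or in a ticketing workflow. The following is an added example, not code from the article: it parses a From: header, flags a sender domain that is a one- or two-character misspelling of the company's own domain, flags unexpected top-level domains such as .cz, and flags an executive's display name paired with an external address. The company domain, the TLD list and the executive name are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed placeholder values (not from the article): the company's real
# domain, TLDs from which wire requests are never expected, and the display
# names of executives whose name on an external address deserves scrutiny.
TRUSTED_DOMAINS = {"example-corp.com"}
BLOCKED_TLDS = {"cz", "ru", "top"}   # illustrative; tune to your own mail flow
EXECUTIVE_NAMES = {"jane doe"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean a look-alike misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header: str) -> list:
    """Return the reasons a From: header looks spoofed (empty list = no flags)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    tld = domain.rsplit(".", 1)[-1]
    reasons = []
    if domain in TRUSTED_DOMAINS:
        return reasons                      # genuine internal sender
    if tld in BLOCKED_TLDS:
        reasons.append(f"sender TLD .{tld} is not expected")
    # A misspelled look-alike of the company's own domain is the classic BEC tell
    for trusted in TRUSTED_DOMAINS:
        d = levenshtein(domain, trusted)
        if 0 < d <= 2:
            reasons.append(f"domain {domain} is {d} edit(s) from {trusted}")
    if display.strip().lower() in EXECUTIVE_NAMES:
        reasons.append(f"display name '{display}' matches an executive but address is external")
    return reasons


if __name__ == "__main__":
    # Constructed sample header modelled on the misspelled sender described above
    print(check_from_header("Jane Doe <jane@examp1e-corp.com>"))
```

Any non-empty result is a reason to stop the wire and verify the request by phone, exactly as happened here.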
Lessons learned:
This attack probably took a few minutes to research and execute. It could have easily cost this company $20,000 and would have been an easy score for the attacker. Small companies often believe that they are too small to be a target, but this could not be further from the truth. If the attacker knows that you have cash in your account, as most companies do, you are a target.
Do:
Set up an email firewall and proxy server to block mail from unexpected sender domains, such as foreign top-level domains like .cz, thus filtering spam and email from unknown parties and foreign countries.
Set up email link filtering that blocks or rewrites links to known malicious sites, so that employees cannot reach them by clicking a link in an email.
Regularly educate employees by training them on the types of attacks they may face while employed. Practice by doing regular pen tests against your organization and network, using common attacks.
Have policies and procedures in place for cash distributions that require adherence to documented processes and dual approval for special requests.
Don’t:
Deviate from the policies related to the distribution of cash, even in emergencies.
Be afraid to question things that seem strange; adhere to policy, particularly with wires and large sums!
Reach out to me if you need software, policies or processes to protect your environment.
Great share, Marcus!
PCI DSS Compliance Specialist, 10 months ago: So easy to accomplish in numbers #simplycybercommunitychallenge
QC Inspector, 11 months ago: Thanks for the info.
Bridging the Cybersecurity Skills Gap | CEO/CIO at VIP Cyber Group LLC, Championing Education & Training, 1 year ago: This was an excellent article! Very informative and insightful!
Application Security | Safeguarding Apps | Secure Code Development | Public Speaker | Tech | Java | Python | Bash | Git | ServiceNow | AWS | Azure | Penetration Tester | Mobile Testing | US Navy Veteran | Let's Connect, 1 year ago: Excellent share, Marcus Crockett, CCM? (SASE, Zero Trust, Cyber Assessments)! We often learn from some of the most difficult obstacles in our careers, but we often don't get a chance to share those obstacles when incidents are still under review or investigation. Some of the takeaways from your article that I will use on my everyday path are to trust your judgment and to feel empowered to push back on these types of urgent scammy tactics when a request feels off. All the best on your journey in cyber resiliency.