Spear-phishing / social-engineering

There’s no patch for human stupidity

Spear-phishing and social engineering are the most commonly used attack vector in data breaches. Nation-state actors and financially motivated cybercriminals regularly exploit the fact that human beings are the weakest link in most security systems. Typically, social engineering attacks will involve sending spear-phishing emails containing a malicious attachment (often a document with a macro) or a link to a malicious website that will harvest the victim’s username and password.

In many cases, spear-phishing campaigns are supported by phone social engineering attacks, where the attacker impersonates an individual of authority and coerces the victim on the phone into clicking on the email or opening the attachment. Our own research shows that a phone pretext drastically increases the chance of getting a target to fall prey to the payload delivered in an email.



Awareness training — insufficient and ineffective

Most companies deal with the threat from social engineering by attempting to educate their staff on the dangers of opening an email or revealing information to a stranger on the phone.

Unfortunately, this awareness approach has been shown to yield very low success rates. Even staff who received training a week prior to a social engineering simulation fall victim to the attacks at alarmingly high rates. In short — you can’t rely on the human to do the right thing.

Even worse, a social engineering campaign only requires one victim for the attacker to establish a foothold on the network. Even if training reduced the number of victims to just one in a hundred, the attacker has still succeeded.



What about spam filtering?

Spam filtering and email blacklists are of limited value in preventing these attacks, as they attempt to ‘enumerate badness’ (much like antivirus signatures). Even when heuristics are applied, they can only catch attacks that resemble ones seen before.

In a targeted campaign, the attacker will carefully craft the email to bypass spam and anti-phishing controls. They will also not reuse the emailing infrastructure that they have used in other campaigns as it may now be ‘burned’ and part of various blacklists.

Note also that the attacker can keep re-trying the attack with different scenarios, and can vary the target spread from hundreds to a single specifically chosen victim. As a result, the attack vector is extremely difficult to protect against.

How does deception technology detect social-engineering attacks?

The first step in launching a social engineering campaign is target selection. During this phase, the attacker will seek out high-value target personnel in the victim organisation. For example, they might target senior management, or administrators with access to critical systems.

IllusionBLACK’s deception technology creates fictitious personas — seemingly real people that match the target profile that an attacker is looking for. These personas can be distributed on social media, company websites, WHOIS records, or any other place where an attacker would look for them.

The persona’s contact information, including its email address and phone number, is monitored by IllusionBLACK for social engineering attempts. If an attacker attempts to contact the persona, appropriate responses can be triggered and the campaign can be identified. Additionally, integrations can be used to find other targets in the organisation, including those who have already fallen victim to the attack.
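The detection logic described above can be illustrated with a small monitor over mail-gateway logs. This is an added example, not IllusionBLACK’s own code: the persona names and addresses, the log format, and the sample log lines are all constructed for the illustration. Because no legitimate business process knows a decoy persona exists, any mail addressed to it is a high-confidence signal; the example then pivots on that sender and sending IP to list real staff who received the same lure, which is the “find other targets” step.

```python
"""Decoy-persona mailbox monitoring (added example, not IllusionBLACK code).

Any message addressed to a decoy persona is, by construction, unsolicited:
no legitimate business process knows the persona exists. A single hit is a
high-confidence signal, and the sender / sending infrastructure of that hit
can be pivoted on to find real staff who received the same lure.
"""
import re
from collections import defaultdict

# Constructed decoy identities (hypothetical names and addresses).
DECOY_PERSONAS = {
    "j.whitfield@example.com": "Jane Whitfield, Head of Finance (decoy)",
    "m.osei@example.com": "Michael Osei, Sysadmin (decoy)",
}

# Constructed mail-gateway log lines in a simplified, hypothetical format.
# Note the look-alike sender domain "examp1e.com" in the lure.
SAMPLE_MAIL_LOG = """\
2024-03-04T09:12:01Z from=<newsletter@vendor.example> to=<a.lopez@example.com> ip=198.51.100.7 subj="March update"
2024-03-04T09:40:22Z from=<it-helpdesk@examp1e.com> to=<j.whitfield@example.com> ip=203.0.113.45 subj="Password expiry notice"
2024-03-04T09:40:23Z from=<it-helpdesk@examp1e.com> to=<a.lopez@example.com> ip=203.0.113.45 subj="Password expiry notice"
2024-03-04T09:40:25Z from=<it-helpdesk@examp1e.com> to=<r.khan@example.com> ip=203.0.113.45 subj="Password expiry notice"
2024-03-04T10:02:10Z from=<ceo@example.com> to=<r.khan@example.com> ip=192.0.2.10 subj="Q1 numbers"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> '
    r'ip=(?P<ip>\S+) subj="(?P<subj>[^"]*)"$'
)


def parse_mail_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_decoy_contacts(events, decoys=DECOY_PERSONAS):
    """Return one alert per message addressed to a decoy persona."""
    alerts = []
    for e in events:
        rcpt = e["rcpt"].lower()
        if rcpt in decoys:
            alerts.append({
                "ts": e["ts"],
                "persona": decoys[rcpt],
                "sender": e["sender"],
                "ip": e["ip"],
                "subject": e["subj"],
            })
    return alerts


def related_recipients(events, alerts, decoys=DECOY_PERSONAS):
    """Pivot from each alert to real staff who got mail from the same sender or IP.

    These are the people who may already have opened the lure and should be
    checked first during response. Returns {sender: [recipients...]}.
    """
    senders = {a["sender"] for a in alerts}
    ips = {a["ip"] for a in alerts}
    hits = defaultdict(set)
    for e in events:
        if e["rcpt"].lower() in decoys:
            continue  # the decoy itself is not a real victim
        if e["sender"] in senders or e["ip"] in ips:
            hits[e["sender"]].add(e["rcpt"])
    return {sender: sorted(rcpts) for sender, rcpts in hits.items()}


if __name__ == "__main__":
    evs = parse_mail_log(SAMPLE_MAIL_LOG)
    alerts = detect_decoy_contacts(evs)
    for a in alerts:
        print(f"ALERT {a['ts']} decoy '{a['persona']}' contacted by "
              f"{a['sender']} ({a['ip']}): {a['subject']}")
    for sender, rcpts in related_recipients(evs, alerts).items():
        print(f"  same sender also reached real staff: {', '.join(rcpts)}")
```

In the constructed log the lure hits the Finance decoy first, and the pivot immediately surfaces the two real recipients of the same message, before either of them reports anything. A real deployment would key the pivot on more than sender and IP (message-id patterns, attachment hashes, link domains), but the principle is the same: the decoy turns a silent campaign into a labelled event that the rest of the mail data can be searched against.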
