In today’s post, we discuss some social engineering tricks commonly employed by cybercriminals to attack companies. Coming up: several variants of a scam involving calls and emails from fake tech support; business email compromise attacks; requests for data from bogus law enforcement agencies…
Hello, I’m from tech support
A classic social engineering scheme is a call to a company employee from “technical support”. For example, hackers might call on a weekend and say something like: “Hello, this is your company’s technical support service. We’ve detected strange activity on your work computer. You need to come to the office right away so we can figure out what it is.” Of course, not many folks want to go to the office on a weekend, so the tech support guy “reluctantly” agrees, “as a one-off”, to break company protocol and sort out the issue remotely. But to do this they’ll need the employee’s login credentials. You can guess the rest.
There’s a variation on this scheme that became widespread during the mass migration over to remote working during the pandemic. The fake tech support “notices” suspicious activity on the victim’s laptop used for working from home, and suggests solving the problem using a remote connection, via a RAT. Again, the outcome is fairly predictable.
Confirm, confirm, confirm…
Let’s continue the topic of fake tech support. An interesting technique was spotted during the attack on Uber in the fall of 2022, when an 18-year-old hacker managed to compromise a number of the company’s systems. The attack began with the criminal obtaining an Uber contractor’s personal login details from the dark web. However, to gain access to the company’s internal systems, there was still the small matter of getting past multifactor authentication…
And this is where the social engineering came in. Through numerous login attempts, the hacker spammed the unfortunate contractor with authentication requests, then messaged the contractor on WhatsApp under the guise of technical support with a proposed solution to the problem: to stop the flow of spam, just confirm one. Thus, the final obstacle into Uber’s network was removed.
It’s the CEO here. I need a money transfer this minute!
Let’s return to a classic again: next in line is a type of attack called an business email compromise (BEC) attack. The idea behind it is to somehow initiate correspondence with company employees, typically posing as a manager or an important business partner. Typically, the purpose of the correspondence is to get the victim to transfer money to an account specified by the scammers. Meanwhile, the attack scenarios can vary: if the criminals are more interested in infiltrating the company’s internal network, they might send the victim a malicious attachment which absolutely needs to be opened.
One way or another, all BEC attacks revolve around email compromise; but that’s the technical aspect. A far greater role is played by the element of social engineering. Whereas most scam emails targeting regular users provoke nothing but mirth, BEC operations involve people with experience of large companies who are able to write plausible business emails and persuade the recipients to do what the criminals want.
Where did we leave off?
It’s worth noting separately a specific BEC attack technique that has become very popular among cybercriminals in recent years. Known as conversation hijacking, the scheme allows attackers to insert themselves into existing business correspondence by impersonating one of the participants. Generally, neither account hacking nor technical tricks are used to disguise the sender — all the attackers need is to get hold of a real email and create a lookalike domain. This way they automatically gain the trust of all other participants, allowing them to gently steer the conversation in the direction they want. To perform this type of attack, cybercriminals often buy databases of stolen or leaked email correspondence on the dark web.
The attack scenarios can vary. Use of phishing or malware isn’t ruled out. But as per the classic scheme, hackers usually try to hijack conversations that relate directly to money, preferably large amounts, dropping their bank details in at the opportune moment, and then taking off with the loot to a tropical island.
A prime example of conversation hijacking is what happened during the transfer of soccer player Leandro Paredes. Cybercriminals slipped into the email exchange under the guise of a representative of Paredes’ debut club, Boca Juniors, which was entitled to a small percentage of the transfer fee — amounting to €520 000, which the scammers pocketed for themselves.
Hand over your data, this is the police
A recent trend, which seems to have appeared in 2022, is for hackers to make “official” requests for data when harvesting information in preparation for attacks on users of online services. Such requests have been received by US-based ISPs, social networks and tech companies from hacked email accounts belonging to law enforcement agencies.
A bit of context would be useful here. Under normal circumstances, to obtain data from service providers in the United States requires a writ signed by a judge. However, in situations where human life or health is endangered, an Emergency Data Request (EDR) can be issued.
But whereas in the case of normal data requests there are simple and understandable verification procedures in place, for EDRs there’s currently nothing of the sort. Therefore, it’s highly likely that such a request would be granted if it looks plausible and seemingly came from a law enforcement agency. In this way, hackers can get information about victims from a reliable source and use it for further attacks.
How to guard against social engineering attacks
The target in all the above attack methods is not a soulless lump of hardware, but a human being. So, to tighten corporate defenses against social engineering attacks, the focus must be on people. This means teaching employees the basics of cybersecurity to increase their security awareness, and explaining how to counteract various types of attacks. A great way to do this is through our interactive training solution Kaspersky Automated Security Awareness Platform.