To get an idea of just how good hackers got at social engineering in 2019, consider a cyber-attack our threat researchers encountered earlier in the year. Attackers breached a G Suite email account and were seeking out additional victims. They didn’t need to look far.
Like most of us, the compromised user had unfinished emails sitting in the draft folder. The attackers found a draft that looked nearly complete, attached malware to it, and hit “send.”
The attack was clever application of email account compromise, and an alarmingly potent form of social engineering. It was also a vivid reminder that of all the tools in a hacker’s arsenal, none is more essential—or powerful—than human nature itself.
Looking back on 2019, I’m struck by just how far attacks have shifted away from infrastructure (which is getting less and less vulnerable) toward people (who will always have human fallibilities).
To be sure, social engineering has been with us since civilization began, and it’s always been an issue in cybersecurity, but this year it evolved in both sophistication and scale.
First, more attackers began using advanced social engineering techniques that could fool even cynical-minded security experts. In the draft-email attack, the hijacked message was timely and relevant. It came from a legitimate email address—someone the recipient knew, actively engaged with and was probably expecting to hear from, and it was written in the unwitting sender’s own voice and tone, not the awkward, out-of-context prose that might give a less advanced attack away.
Second, attackers are using these advanced social engineering techniques at scale. In September, attackers used a retooled version of the Emotet banking Trojan in a large campaign to commandeer victims’ email inboxes. The malware would find unread messages and use the compromised email account to respond, sending malware along with the reply.
The better attackers understand their target, the more effective social engineering becomes. If you can read someone’s email, look at their calendar, and scroll through their contacts, it’s that much easier to fool them.
These attacks represent the apex of social engineering, but you can count on more like them in 2020. Attackers are going beyond identity deception techniques such as spoofing or lookalike domains to impersonate someone. From a practical standpoint, they are becoming the person.
So as social engineering evolves, the question for us becomes clear: are we are prepared to evolve as quickly? At the moment, security professionals and ordinary users are operating with a wildly differing set of expectations.
Those of us in cybersecurity expect to get socially engineered all the time. We’re justifiably paranoid. We’re just wired to be skeptical of everything in a way that other people are not.
Yet people outside of security circles tend to be more trusting. Wanting to be helpful, kind, and a productive member of society is just human nature. Social engineering is effective because it taps into those instincts.
Those mismatched expectations are why it can be hard for security teams to understand how users would fall for social engineering tactics that seem obvious to us. Ascertaining whether a given form of social engineering will work on a particular user is in some ways, reading into people’s mindsets. Right now, we do that in very primitive ways.
To keep up with new social engineering tools and techniques in 2020, we need to dig more deeply into the issues around human susceptibility to manipulation.
We also need to think about cybersecurity from a people-centric perspective. In some cases, that means putting ourselves in the shoes of our users. In other cases, it means thinking more like the attackers.
If you’re in the mindset of a cyber-criminal, you’re thinking about attacks in terms of figuring out where the money flows, where the data lives, and who you can manipulate to divert it. When you understand the problem from that people-centric perspective, you can start to think about what it takes to make that attacker’s job harder.
A people-centric view means not relying on technology alone; there may not be a technical solution to every attack. Organizations need to consider not just technical controls but business controls—and look at them as part of a holistic, integrated security strategy. Knowing attackers’ paths to success gives you roadmap of what to look for and where to invest your security efforts.
Because if 2019 has taught us anything, it’s that the next big attack won’t target your infrastructure. It will target your people. In fact, it may even be lurking in your own drafts folder.
