According to the FBI, “business email compromise” is rapidly on the rise.

Hardly surprising, given the low-risk, high-reward nature of this kind of crime.
But coupled with the number of personal data records that have been purloined by criminals from healthcare providers, retail outlets and government departments over the past few years, the big question CEOs should be asking is: what can security professionals do about this and how can businesses protect themselves?
Business email compromise - or social engineering - has netted cyber fraudsters over US$2.3 billion (A$3 billion) between October 2013 and February of this year. Over 17,000 businesses have been affected so far and attacks have been reported in at least 79 countries.
However, these are only cases the FBI is aware of.
The hard fact is that many cybercrimes go unreported, both in large and small businesses. You might expect that small businesses won’t report it, especially where the loss is insignificant, such as a $200 fee to get data back from a successful ransomware attack.
However, big businesses are not reporting either, maybe for fear of public embarrassment or in an attempt to avoid regulatory scrutiny.
Why email compromise?
Over the past five years or so, we’ve seen many successful hacks remove millions upon millions of records from large companies, such as Target, Sony, the US Office of Personnel Management, Anthem, Talk Talk in the UK, and Kmart and David Jones in Australia.
But these mega hacks are just those that make news. There have literally been tens of thousands of attacks that didn’t make the headlines since they weren’t as juicy.
Nevertheless, in almost every case the thieves were targeting customer data. These massive treasure troves of data are worth a lot of money on the black market. Consider the Anthem attack, where thieves took off with over 80 million healthcare records. Each one of these is worth around $10 on the black market.
Even at a significant bulk buy discount, they could have sold that database for big money, potentially to an organised crime syndicate. This leads us to consider not the breach itself, but the use of the data once sold.
Typically, the hacker wants to quickly pass the data onto a buyer. The market is filled with unscrupulous organised crime mobs, terrorists and nation states who would have the funds to buy the data and the intent to use it.
There are so many reasons Anthem’s data may have been bought. ID theft is the criminal modus operandi that most people think about, where social security numbers, addresses, names, dates of birth, etc. are used to convince credit companies that the criminal is actually a legitimate citizen and then authorise credit agreements for mobile phones, automobiles, new bank accounts etc.
However, business email compromise is another mode of operation that the organised crime mobs may be using these data breaches for. They’ve got a lot of useful data in those heists to masquerade as a legitimate partner.
"They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy," the FBI said.
Just imagine how convincing they can be with a few stolen healthcare records, open source research on LinkedIn and a few carefully planned social engineering attacks on the target company.
It’s no wonder these highly targeted, blended attacks are on the rise, given the amount of data that is now circulating on the black market, along with what’s circulating freely on social media.
What can we do?
Unfortunately, there isn’t much you can do about the origins of the attack. That’s for law enforcement to coordinate globally, and the threat is real and is getting progressively worse every year. Also, the wealth of information already leaked, along with that available on social media, means targeted social engineering is still by far the best way to attack an organisation.
The only way to protect yourself is to educate staff, especially those in roles that will be targeted, about the nature of this threat. Security awareness training is by far the best control you can put into an organisation to create a culture that is naturally suspicious and willing to challenge.
The second thing to consider is the process you use for release of capital funds. If an email is enough justification to have your payroll send funds to a creditor, charity or partner, then it’s time to upgrade the workflow to include additional checks and balances.
Building a couple of phone calls into your process, in which you check a transaction number or secure passcode, would be good. You might also introduce cryptographic technologies to prove that the originator of the message is who they say they are, based on signing the message with a key that you have provided them.
There are many ways to increase the security of these kinds of workflows; it’s a matter of seeing their inherent weakness today and engaging with an expert who can design the security architecture of the process for you.
Banks do this already. When you request a payment be made from your account to a third party, you use your RSA token plus PIN to authorise, authenticating that the transaction is indeed being set up by the account holder.
A reasonable paper that introduces secure electronic payments systems was published by ISACA back in 2014 and can be found here [pdf]. NIST publishes the best overall guide on creating a security awareness program, which can be found here [pdf].
The reality is that there is certainly enough information, technology and evidence of criminal intent around today that if you are hacked using a simple business email compromise attack, it’s really your own fault.
If you are handling the amounts of money we are talking about and believe yourself not to be targeted by criminals, then your head needs to come out of the sand before it’s too late.