Social engineering attacks, also known as ‘human hacking’, are becoming increasingly sophisticated, with cybercriminals finding new in-roads to harvest sensitive data.

Techniques such as phishing and spear phishing are responsible for the majority of social engineering cyber-attacks. They are designed to manipulate employees into sharing personal data or credentials, which can then be used to target the organisation directly. These attacks are commonly considered to be the most disruptive type that organisations face.

Organisations are responding, but so are cybercriminals

Businesses have begun to strategise against social engineering attacks and systematically prevent the leak of sensitive data or the installation of malicious applications. Controls such as Multi-Factor Authentication (MFA) and Endpoint Detection & Response (EDR) solutions have proven to reduce the risks of a phishing campaign being successful.

However, as organisations become more cyber aware, cybercriminals raise their game. A 2023 report by IBM stated that only one-third of breaches were identified by the organisations’ own internal security teams and tools, while recent surveys by the UK government’s National Cyber Security Centre and the IT security company Mimecast provide further insight into the current threat landscape:

  • 95% of data breaches are thought to be caused by human error.
  • 75% of companies have experienced an increase in email-based threats.
  • 32% of UK businesses detected a breach or attack in the preceding 12-month period.

Types of advanced social engineering attacks

These are the main types of advanced attacks we are seeing as cybercriminals try to stay one step ahead of common security controls.

Pass-the-cookie attacks

In a pass-the-cookie attack, the attacker can access web applications without knowing a user ID or password, and also without the one-time passcode from a Multi-Factor Authentication (MFA) system.

If malware is installed on the device, it waits until the user has authenticated to a website with their credentials and MFA code, then captures the resulting ‘session cookie’, which stores user settings and authentication state for that session.

The attacker can copy the session cookie and attempt to log in to the website using the active session. As long as the session stays open, it gives the attacker trusted access if they provide the session cookie — negating the need for any user authentication. Essentially, stealing a session cookie is like stealing a master key, allowing the attacker access to sensitive data and the opportunity to plant further malware and exploit vulnerabilities.

SMS forwarding and SIM swapping

SMS forwarding means redirecting text messages from one phone number to another. SIM swapping is having a mobile provider move the victim’s phone number onto a different SIM card, giving the attacker unauthorised access to that number and the accounts associated with it.

For such attacks to succeed, attackers must first gather personal information about the victim in order to impersonate them. The aim is to fool the mobile provider into moving the mobile number to a new SIM card. If successful, the attacker receives all of the victim’s text messages, and if they have already captured the victim’s credentials, they can read the SMS MFA code and complete the login.

QR Code Injection (Quishing)

QR code injection is a relatively new social engineering technique whereby malicious actors manipulate QR codes to redirect users to malicious websites or trigger unauthorised actions on their devices. If the attack is successful, the victim attempts to log in to a fake portal and their credentials are harvested.

The recent increase in QR code attacks causes concern for security administrators because these attacks typically bypass anti-phishing filters, which primarily detect malicious links or attachments. The simplicity of a QR code in an image format means they can easily go undetected.

How can organisations respond to the threat?

  • Employee training: An organisation’s people have the potential to be its best line of defence or its biggest weakness. If your employees know how to detect the red flags and — just as importantly — how to report their suspicions quickly and easily, the risks posed can be drastically reduced. Simulated drills can test employees’ resilience, honing their real-world defence capabilities.
  • Next-generation anti-phishing solutions: Advanced anti-phishing techniques can be employed, such as Optical Character Recognition (OCR) or image capture technology to scan a QR code within the email and validate the link before the user receives it.
  • Strengthening MFA controls: SMS has been identified as the weakest method of Multi-Factor Authentication. Encouraging users to use an MFA application such as Microsoft Authenticator, Duo or Google, or the use of a hardware token instead of relying on SMS can help provide greater protection.
  • Geolocation and browser fingerprinting controls: These controls can be enabled to protect against stolen session cookies. They help ensure that only legitimate users, connecting from approved locations on authorised devices, can log in.
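As an added example (not from the article or from Gallagher), the session-binding control from the last bullet in Python: the server ties a session cookie issued after password and MFA checks to a keyed hash of the client’s User-Agent and resolved country, and revokes it when a replayed cookie arrives from a different context. The fingerprint attributes, the country allow-list and the in-memory session store are constructed for illustration; the IP-to-country lookup is assumed to happen upstream.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key and store; a real deployment loads the key from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session_id -> {"user", "binding", "expires", "revoked"}
ALLOWED_COUNTRIES = {"GB"}  # constructed geolocation allow-list

def client_binding(user_agent: str, country: str) -> str:
    """Hypothetical coarse 'browser fingerprint': keyed hash of User-Agent and country.
    Coarse attributes avoid breaking sessions on ordinary IP address changes."""
    material = f"{user_agent}|{country}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()

def create_session(user: str, user_agent: str, country: str, ttl: int = 3600) -> str:
    """Called only after password and MFA succeed; binds the cookie to the client context."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": user,
        "binding": client_binding(user_agent, country),
        "expires": time.time() + ttl,
        "revoked": False,
    }
    return session_id

def validate_session(session_id: str, user_agent: str, country: str) -> tuple:
    """Returns (user or None, reason). A geolocation or binding mismatch revokes the session,
    so a cookie replayed from another device or location forces re-authentication."""
    s = SESSIONS.get(session_id)
    if s is None or s["revoked"]:
        return None, "unknown_or_revoked"
    if time.time() > s["expires"]:
        s["revoked"] = True
        return None, "expired"
    if country not in ALLOWED_COUNTRIES:
        s["revoked"] = True
        return None, "geolocation_denied"
    if not hmac.compare_digest(s["binding"], client_binding(user_agent, country)):
        s["revoked"] = True  # likely pass-the-cookie replay: invalidate and alert
        return None, "binding_mismatch"
    return s["user"], "ok"

if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"  # constructed client
    cookie = create_session("alice", ua, "GB")
    print(validate_session(cookie, ua, "GB"))          # ('alice', 'ok')
    print(validate_session(cookie, "curl/8.0", "GB"))  # (None, 'binding_mismatch')
```

The revocation on mismatch is deliberate: a legitimate user who changes browser simply logs in again with MFA, whereas a replayed cookie loses all value at the first misuse.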

How Gallagher can help

Raising cyber awareness and vigilance is a low-cost but high-reward solution to social engineering threat vectors. Take the first step in bolstering your cyber security defence by visiting the Gallagher website or emailing Jon_McArdle@ajg.com.

Article provided by Medilink Midlands Patron Gallagher.
