Social Engineering is making a come back

November 21, 2023

History always seems to repeat itself.

History of social engineering

Ransomware has been around since the late 1980s. Social engineering has technically been around since the advent of human communication. In the context of technology security it’s been around since phreaking techniques were used in the 1960s and 1970s as a way to take advantage of phone systems. Today it’s phishing, vishing, smishing, and much more. It’s been around but not the main technique used to get into an organization, well until now.

It seems as vulnerability management and incident response improves attackers are switching to social engineering via phone. I recently heard from a friend about another friend who got all their work logins compromised via an attacker calling into the help desk and resetting his password and MFA. This comes on the heels of the MGM and Okta breaches.

MGM

Like the movie Ocean’s 11 attackers used social engineering techniques to obtain access into MGM system by impersonating an employee and calling into the help desk to have their credentials reset. This resulted in ransomware being deployed in their environment and costing the casino hundreds of millions of dollars.

Okta

The compromise of access tokens via the Okta’s customer support unit is probably even scarier because Okta holds the keys to a lot of other organizations. This breach gives attackers information to pivot into other organizations.

What’s next for social engineering

When attacks like the two examples above are successful and result in lots of money and infamy others start copying the techniques used. I would expect us to continue to see attacks like these going forward which means more focus will be needed on security awareness. Groups like Scattered Spider are already starting to pop up and their focus is on social engineering their way into organizations. Then with that access ransomware gangs begin deploying ransomware. This highlights a need for good detection procedures and technologies. We’ll probably also see more difficult controls put in place to protect accounts. This will degrade our account access user experience as a side effect.

Resources for Social Engineering

Social-Engineer: This is a company started by Chris Hadnagy focused on social engineering. They provide resources and also assessments for an organization that focus on social engineering. He’s written several books as well on the topic that I highly recommend.

One of those books:

"Social Engineering: The Art of Human Hacking" by Christopher Hadnagy: This book delves into the psychology and techniques of social engineering.

Krebs on Security is a great blog to follow in general. He covers a variety of topics mostly around breaches.

This blog post first appear on Exploring Information Security

InfoSec Links July 28, 2014

July 28, 2014

Here's How Easy It Could Be for Hackers to Control Your Hotel Room - Kim Zetter - Wired

The attack surface for hotels will increase as more electronic amenities are added to rooms. Security should be kept in mind from both the hotel side and the guest side.

How Thieves Can Hack and Disable Your Home Alarm System - Kim Zetter - Wired

It looks like some home security companies have some work to do in the security arena. Codes are being transmitted in a way that allows someone with the right equipment to capture your home alarm system code and they don’t necessarily need to be standing in front of your house. I like the idea of rotating numbers similar to what you get with two-factor authentication.

The App I Used to Break Into My Neighbor's Home - Andy Greenberg - Wired

This is scary. And even more scary is the fact that the company who designed an app to make keys with a picture seems to downplay some of the concerns surrounding that technique.

This post first appeared on Exploring Information Security.

Hacking links June 5, 2014

June 5, 2014

'Half of American adults hacked' in the past year - really? - John Zorabedian - Naked Security

Recently, CNN reported on a study that claimed that 47% of US adults have been hacked. The thing is those percentages and the numbers might not actually be representative of the population. Also at question, the term hacked. Should employee negligence or insider theft be considered negligence? Probably not.

Thieves Planted Malware to Hack ATMs - Brian Krebs - Krebs on Security

This occurred in the Chinese territory of Macau. The process for the hack is quite interesting. The criminals slide a long skimming board down the ATMs card slot to install the malware. The malware would log anyone that used that information and a few days later they'd follow the same process to get the logged information and to remove the malware. Pictures of the device and the rest of the kit are featured in the article.

Hacking the Registry to keep Windows XP Updating - A Bad, Bad Idea - Rafal Los - Following the Wh1t3 Rabbit

Apparently, someone has figured that you can change the registry of a Windows XP machine to make it look like a Point-of-Sales (POS) terminal, which are still getting Windows XP updates. This might not be the best idea in the world as POS terminals are much different than a computer installed with Windows XP and patches could negatively affect system stability. If you're that desperate to get Windows Updates, just go ahead and upgrade your system. It will save you a love headache in the long run.

This post first appeared on Exploring Information Security.