Social engineering has been a popular tactic used among cybercriminals to gain access to networks for a long time, especially as many organizations have transitioned to zero-trust models in their environments. This shift in security controls is driving attackers to use “tried and true” social engineering tactics such as business email compromise/spoofing, phishing, smishing, and vishing campaigns in continually inventive ways.
The hacker collective known as Scattered Spider, BlackCat, or ALPHV is one of many attacker groups known to use social engineering tactics. The recent attacks against MGM Casino and Caesars Entertainment were attributed to the group. During these attacks, sensitive data was stolen as a result of successful social engineering techniques.
According to the FBI and the CISA advisory, Scattered Spider targets employees by pretending to be an IT staff member or help desk employee in order to trick the victim employee into giving up their credentials or direct network access.
Here we’re taking a look at some of the prevalent tactics, techniques, and procedures (TTPs) employed by threat actors in cyberattacks.
Social Engineering (SE) Tactics in Cyber Attacks
Employees can be manipulated into divulging sensitive information, such as login credentials, or even into granting administrative privileges, through social engineering tactics. Attackers rely on the fact that people generally want to trust others, which often makes them the most vulnerable link in any security chain, and they use this to their advantage when targeting companies.
To gain access to a company’s network, threat actors employ a wide variety of tactics, techniques, and procedures (TTPs). In this article, we will examine a few social engineering techniques that everyone should be familiar with.
According to the CISA advisory, the Scattered Spider group uses some of these tactics, techniques, and procedures in its attacks.
Phishing is widely regarded as the technique attackers most frequently use to gain access to a business’s network. Typically, the attacker sets up a phishing campaign that sends employees emails appearing to come from a legitimate source, for example a supplier, an internal department such as human resources or legal, a bank, a government agency, or a credit card provider.
The email contains malicious links or attachments that redirect the employee to a fake website, where they are prompted to enter personal information that the attacker then steals to carry out further attacks.
The purpose of a pretexting attack is to trick the target into divulging confidential information or performing actions that are advantageous to the attacker by fabricating a scenario. The usual goal of this scenario is to increase the target’s susceptibility to manipulation by gaining their trust.
- An attacker can start an attack by fabricating a story to lure their target into a conversation in the hopes of coercing them into divulging sensitive information or performing some action.
- The attacker can build rapport and trust with the victim by using strategies like flattery and seeming concerned.
- When the victim thinks the attacker is sincere and reliable, they usually comply with their requests without realizing the consequences.
There are a few common scenarios that attackers use. For example, tech support impersonation, charity or donation requests, and urgent or emergency situations are commonly used.
In a SIM swap attack, an employee of the victim’s mobile phone carrier is deceived into transferring the victim’s phone number to a SIM card under the attacker’s control.
Leading up to the SIM swap, the attacker acquires the personal data of the victim, including their name, address, phone number, and SSN. Frequently, this is done through social engineering tactics, dark web purchases, or data breaches.
Armed with this information, the attacker contacts the wireless carrier while impersonating the victim. Once the carrier transfers the number, the attacker can intercept and reroute every call and text the victim receives on it, including MFA codes and one-time passwords. Those codes grant access to the victim’s online accounts and can lead to significant financial losses or other harm.
The intruder can now access the victim’s file share, bank accounts, credit card information, email, and/or social media accounts because they have the victim’s phone number and the ability to intercept security codes.
At this point, the attacker is ready to carry out all kinds of malicious activities, including stealing more personal information, fraudulent transactions, impersonating the victim to scam others, and draining the financial accounts of the victim.
Push-bombing attacks target multifactor authentication (MFA) systems that verify a user’s identity through push notifications. The attacker uses bots or scripts to attempt repeated logins to the victim’s account, and under the barrage of notifications that follows, the victim may end up approving an MFA request by accident.
- An attacker acquires stolen or leaked credentials.
- The attacker initiates multiple login attempts.
- Target receives an overwhelming number of notifications.
- Target inadvertently approves the MFA request.
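As an added example (not code from the original article), the push-bombing pattern described above can be spotted in authentication logs by counting push prompts per user inside a short window and flagging a burst that ends in an approval; the log format, field names, and thresholds below are assumptions.

```python
# Added example (not from the article): detector for MFA push-bombing run over
# constructed sample auth log lines (timestamp user event outcome). Log format,
# field names and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-15T08:01:05Z alice push_prompt denied
2024-01-15T08:01:41Z alice push_prompt denied
2024-01-15T08:02:10Z alice push_prompt timeout
2024-01-15T08:02:30Z alice push_prompt denied
2024-01-15T08:02:51Z alice push_prompt timeout
2024-01-15T08:03:12Z alice push_prompt approved
2024-01-15T09:15:00Z bob push_prompt approved
2024-01-15T13:40:00Z carol push_prompt denied
2024-01-15T17:55:00Z carol push_prompt approved
"""
WINDOW = timedelta(minutes=5)  # assumed: a burst is measured over 5 minutes
THRESHOLD = 4                  # assumed: 4+ prompts in one window is abnormal

def parse_log(text):
    """Parse 'timestamp user push_prompt outcome' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, outcome = line.split()
        if event == "push_prompt":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)

def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"prompts": n, "approved_in_burst": bool}} for users who
    got at least `threshold` prompts inside any `window`; an approval inside
    the burst is the fatigue outcome worth escalating on."""
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        by_user[user].append((ts, outcome))
    alerts = {}
    for user, rows in by_user.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # shrink window
                start += 1
            count = end - start + 1
            if count >= threshold:
                a = alerts.setdefault(user, {"prompts": 0, "approved_in_burst": False})
                a["prompts"] = max(a["prompts"], count)
                a["approved_in_burst"] |= any(o == "approved" for _, o in rows[start:end + 1])
    return alerts
```

Running `detect_push_bombing(parse_log(SAMPLE_LOG))` flags only alice, whose six prompts in about two minutes end in an approval, while carol’s two prompts hours apart stay below the window.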
Vishing, short for voice phishing, is a type of social engineering attack in which attackers use phone calls or voice messages to trick victims into divulging sensitive information such as credit card numbers, passwords, and other personal details.
Vishing is a practice that frequently makes use of human psychology and voice communication to generate a sense of urgency, legitimacy, and trust.
Typically, a vishing attack has these characteristics:
- Phone calls or voicemail
- Impersonation of authority figures or entities that lend credibility
- Creating urgency or conveying threats
- Voicemails requesting callbacks to numbers controlled by the attacker
- Targets are often within a specific organization
- Attackers may use fake scenarios in an elaborate pretext
Typically, attackers will spoof the caller ID, create a sense of urgency or fear, and heavily rely on social engineering to personalize the conversation using details about the victim to make the call more credible.
“Smishing,” a blend of “phishing” and “Short Message Service” (SMS), is a type of phishing attack carried out through text messages. Cybercriminals send false SMS messages to trick people into clicking malicious links or disclosing personal information. These messages often contain urgent or enticing content to prompt immediate action.
Here’s how smishing attacks typically work:
- Deceptive messages: Attackers send text messages that appear to be from legitimate sources, such as banks, government agencies, or service providers, claiming some urgent matter that needs to be resolved.
- Links or phone numbers: Smishing messages contain links or phone numbers that, when clicked or called, lead to malicious websites or phone lines.
- Social engineering: Like other phishing attacks, smishing relies on social engineering to manipulate individuals into taking specific actions.
Prevention and Mitigation
and improve a business’s security posture.
Some of the safeguards that should be implemented include:
- Implement multi-factor authentication (MFA): Enforce MFA for all user accounts, especially those with access to sensitive data or systems. MFA adds an extra layer of security beyond passwords, making it more difficult for attackers to gain unauthorized access. Educate users about push-bombing and have them carefully review every approval request.
- Deploy anti-phishing and anti-malware solutions: Use email filtering tools, DNS/web proxies, and endpoint security software to block phishing emails, malicious attachments, and suspicious websites. Keep these solutions current to stay ahead of ever-evolving threats.
- Segment networks and restrict access: Implement network segmentation to isolate critical systems from potential breaches and limit the spread of malware in case of an attack. Enforce least privilege access controls to restrict user access to only the resources they need for their roles.
By staying vigilant, adopting security best practices, and educating users about the risks, individuals and organizations can reduce the likelihood of falling victim to social engineering attack techniques and tactics.