Piggybacking: Social Engineering for Physical Access

Tailgating or piggybacking is an old but effective social engineering technique to gain physical access to restricted areas, according to Rahul Awati at TechTarget. Tailgating is when a bad actor simply follows an employee through a door that requires authentication.

“Tailgating is one of the simplest forms of a social engineering attack,” Awati writes. “It is an easy way for an unauthorized party to get around security mechanisms that are assumed to be secure. The security comes into question due to a combination of human carelessness (the followed party) and ingenuity (the following party). For example, a retina scanner is meant to limit entry to a physical area by scanning the retinas of authorized personnel. While retina scanning authentication works, unauthorized parties can gain access to a secured area if an employee holds the door for an unknown person behind them out of a misguided sense of courtesy or habit. Such a polite gesture may be exploited by individuals to gain access to a location they might not have been able to access otherwise.”

Tailgating most often occurs when an employee holds the door for another person out of politeness.

“Threat actors take advantage of cognitive biases that affect human decision-making,” Awati says. “One such ‘human bug’ is the tendency to be courteous. Another is the tendency to trust other people. A person holding the door open doesn’t typically assume that a tailgating person is not supposed to be there, or worse, intends to harm the organization. Tailgating is a common problem in multi-tenanted buildings where many people access the building, making it difficult to track unauthorized personnel and keep them out. Tailgating also happens more often in companies where employees don’t follow cybersecurity best practices. This may be due to carelessness or inadequate training.”

Not that you want everyone to be rude, but all fair-minded people understand that you can’t sacrifice security for politesse. New-school security awareness training can give your employees a healthy sense of suspicion so they can thwart social engineering attacks.


Children of Conti go Phishing

Researchers at AdvIntel warn that three more ransomware groups have begun using the BazarCall spear phishing technique invented by the Ryuk gang (a threat group that subsequently rebranded as Conti). BazarCall callback phishing allows threat actors to craft much more targeted social engineering attacks designed for specific victims. The researchers outline the four stages of this technique:

“Stage One. The threat actor sends out a legitimate-looking email, notifying the target that they have subscribed to a service for which payment is automatic. The email gives a phone number that targets are able to call to cancel their subscription.
“Stage Two. The victim is lured into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics to convince victims to give remote desktop control, ostensibly to help them cancel their subscription service.
“Stage Three. Upon accessing the victim’s desktop, a skilled network intruder silently entrenches into the user’s network, weaponizing legitimate tools that were previously typical of Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist them with the remote desktop access by continuing to utilize social engineering tactics.
“Stage Four. In the final stage of BazarCall, the initiated malware session yields the adversary access as an initial point of entry into the victim’s network. This initial access is then used and exploited in order to target an organization’s data.”
The researchers conclude that more ransomware actors will likely incorporate this technique into their own attacks.
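
The detail in stage one worth engineering around is that the lure's call to action is a phone number, not a link, so URL rewriting and link sandboxing have little to inspect. The following Python is an added example, not AdvIntel's code or anything from the original post: a small heuristic that scores a message for the BazarCall shape (billing pretext, pressure to cancel or dispute, a phone number as the only call to action, no links). The sample messages are constructed, and the keyword lists, weights and threshold are assumptions to tune against your own mail.

```python
import re

# Constructed sample messages for illustration; none of these is a real campaign artefact.
SAMPLES = {
    "callback_lure": (
        "Your premium subscription has been renewed",
        "Thank you for your order. Your annual plan ($299.99) has been auto-renewed and "
        "will be charged to your card on file within 24 hours.\n"
        "If you did not authorize this payment, call our billing desk at (833) 555-0142 "
        "to cancel or request a refund.",
    ),
    "normal_newsletter": (
        "This week in the community",
        "Read the latest release notes at https://example.org/blog/release-notes "
        "and join the discussion on the forum.",
    ),
    "vendor_invoice_with_portal": (
        "Invoice 4471 is available",
        "Your invoice for March is ready. View it at https://billing.example.com/inv/4471 "
        "or call (206) 555-0199 with any questions.",
    ),
}

# North American phone numbers in the usual written forms; extend for other regions.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)

# Assumed keyword lists; tune against real mail before relying on them.
BILLING_TERMS = ("subscription", "renew", "charged", "invoice", "payment", "order", "trial")
PRESSURE_TERMS = ("cancel", "refund", "not authorize", "unauthorized", "dispute")
CALL_TERMS = ("call ", "phone", "dial ", "hotline", "billing desk")

WEIGHTS = {
    "billing_lure": 1,                 # a subscription/renewal/invoice pretext
    "pressure_to_act": 1,              # cancel/refund/dispute language
    "phone_is_the_call_to_action": 2,  # the reader is told to ring a number
    "no_links": 2,                     # nothing for URL rewriting or sandboxing to inspect
}


def callback_phish_score(subject, body):
    """Score one message for BazarCall-style traits. Returns (score, reasons)."""
    text = f"{subject}\n{body}".lower()
    phones = PHONE_RE.findall(body)
    urls = URL_RE.findall(body)
    reasons = []
    if any(t in text for t in BILLING_TERMS):
        reasons.append("billing_lure")
    if any(t in text for t in PRESSURE_TERMS):
        reasons.append("pressure_to_act")
    if phones and any(t in text for t in CALL_TERMS):
        reasons.append("phone_is_the_call_to_action")
    if phones and not urls:
        reasons.append("no_links")
    return sum(WEIGHTS[r] for r in reasons), reasons


def classify(subject, body, threshold=4):
    """'suspect-callback-phish' once a phone number is the only call to action behind a
    billing pretext; a vendor mail that also links to a portal stays under the threshold."""
    score, _ = callback_phish_score(subject, body)
    return "suspect-callback-phish" if score >= threshold else "ok"


if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        print(name, classify(subject, body), callback_phish_score(subject, body))
```

The point of the weighting is that a phone number alone is normal in business mail (the vendor invoice sample scores 3 and passes); it is the combination of a payment pretext, pressure to act, and a phone number with no link that should route the message to a human or a quarantine.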

“Since its resurgence in March earlier this year, call back phishing has entirely revolutionized the current threat landscape and forced its threat actors to reevaluate and update their methodologies of attack in order to stay on top of the new ransomware food chain,” AdvIntel says.

“Other threat groups, seeing the success, efficiency, and targeting capabilities of the tactic have begun using reversed phishing campaigns as a base and developing the attack vector into their own. This trend is likely to continue: As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on.”

Conti as such may no longer be an active brand, but its operators haven’t retired. New-school security awareness training can teach your employees to thwart evolving social engineering tactics.


Initial Access Broker Phishing

Cisco has disclosed a security incident that occurred as a result of sophisticated voice phishing attacks that targeted employees, according to researchers at Cisco Talos. The researchers believe the attack was carried out by an initial access broker with the intent of selling access to the compromised accounts to other threat actors.

“On May 24, 2022, Cisco identified a security incident targeting Cisco corporate IT infrastructure, and we took immediate action to contain and eradicate the bad actors,” Cisco said in a statement. “In addition, we have taken steps to remediate the impact of the incident and further harden our IT environment. No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco’s network since discovering the incident.

“Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web.”

Cisco Talos explains that the attackers first compromised an employee’s personal Google account. The employee had saved Cisco credentials in Google Chrome with password syncing enabled, so those credentials were synchronized to the personal account, where the attackers could read them. The attackers then used various social engineering tactics to turn the stolen password into working access. The practical caveat is that credentials saved in a browser are only as safe as the account the browser syncs them to; Chrome’s enterprise policies (for example SyncDisabled, or limiting BrowserSignin to managed accounts) can keep corporate passwords from leaving a managed profile.

“After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving,” Cisco Talos says.

“Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user.”
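
The MFA fatigue pattern the quote describes is straightforward to detect if you look at push results per user over a short window rather than at individual events. The following Python is an added example, not Cisco Talos’s code or anything from the original post: it runs over constructed push-notification log lines in an assumed format (timestamp, user, result, source IP) and flags a burst of unapproved pushes, escalating if the user then approves one while the burst is still in the window. The result names, the four-push threshold and the ten-minute window are assumptions; map your provider’s export into this shape first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: "<ISO timestamp> <user> <result> <source ip>").
LOG_LINES = """
2022-05-24T02:11:04Z alice push_timeout 203.0.113.7
2022-05-24T02:11:39Z alice push_timeout 203.0.113.7
2022-05-24T02:12:15Z alice push_denied 203.0.113.7
2022-05-24T02:12:50Z alice push_timeout 203.0.113.7
2022-05-24T02:13:31Z alice push_timeout 203.0.113.7
2022-05-24T02:14:02Z alice push_approved 203.0.113.7
2022-05-24T09:00:12Z bob push_approved 198.51.100.4
2022-05-24T17:30:45Z bob push_approved 198.51.100.4
""".strip().splitlines()

UNAPPROVED = {"push_denied", "push_timeout"}  # assumed result names


def parse_line(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_mfa_fatigue(lines, threshold=4, window=timedelta(minutes=10)):
    """Flag users who receive `threshold` or more unapproved pushes inside `window`.

    Severity is 'high' for the burst itself and becomes 'critical' if the user approves
    a push while the burst is still inside the window: that is the moment the fatigue
    attack succeeds and the session to terminate first.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes still in the window
    alerts = {}
    for ts, user, result, ip in sorted(parse_line(l) for l in lines):
        q = recent[user]
        while q and ts - q[0] > window:  # expire pushes that fell out of the window
            q.popleft()
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"severity": "high", "first_push": q[0], "source_ip": ip}
                )
                alert["unapproved_pushes"] = len(q)
        elif result == "push_approved" and user in alerts and q:
            alert = alerts[user]
            alert["severity"] = "critical"
            alert["approved_at"] = ts
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(LOG_LINES).items():
        print(user, alert)
```

Timeouts count the same as explicit denials, because a user who ignores five prompts and then taps approve on the sixth is exactly the case the quote describes; bob’s two approvals hours apart never enter the window and produce no alert.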

New-school security awareness training can teach your employees to follow security best practices so they can thwart social engineering attacks.


U.S. Government Warns of Increased Texting Scams as Mobile Attacks are Up 100%

Cyberattacks via SMS are on the rise, and are having enough of an impact that the Federal Communications Commission has released an advisory on robotext phishing attacks (smishing).

According to Verizon’s 2022 Mobile Threat Index, 45% of organizations suffered a mobile compromise in 2022, double the share reported in 2021. If you’re wondering whether that’s purely a shift in tactics on the cybercriminals’ part, think again. According to Verizon:

  • 58% of organizations have more users on mobile devices than 12 months earlier
  • Mobile users in 59% of organizations are doing more with their devices than 12 months earlier
  • Mobile users in 53% of organizations have access to more sensitive data than a year earlier

And keep in mind that while there are plenty of security solutions designed to protect mobile endpoints, we’re largely talking about personal devices that mix corporate and personal use and often sit outside those controls. That makes them a soft target for cybercriminals.

So it shouldn’t come as any surprise that the FCC put out its advisory on robotext-based phishing scams targeting mobile users, commonly called ‘smishing’.

Some of the warning signs it lists include:

  • Unknown numbers
  • Misleading information
  • Misspellings to avoid blocking/filtering tools
  • 10-digit or longer phone numbers
  • Mysterious links
  • Sales pitches
  • Incomplete information

We’ve seen smishing scams impersonating T-Mobile, major airlines, and even the U.K. Government. So consumers and corporate users alike need to be aware of the dangers of text-based phishing attacks, something reinforced through continual Security Awareness Training.


Massive Network of Over 10,000 Fake Investment Sites Targets Europe

Using a mix of compromised social media accounts, social engineering, call center agents, and some convincing websites, this latest scam seeks to get victims to repeatedly “invest”.

I’ve seen plenty of well-known websites and brands impersonated, and phishing kits that come complete with a full set of web pages, but nothing on this scale. First reported by the security response team at Group-IB, this scam targets would-be investors in the UK, Belgium, Germany, the Netherlands, Portugal, Poland, Norway, Sweden, and the Czech Republic.

The lure is a fake article claiming a celebrity turned 250 euros into 700 in just three days, amplified through compromised Facebook and YouTube accounts to add credibility. From there, victims are taken to fake investment sites and bombarded with success stories, all aimed at getting them to pay the 250 euro “fee” not just once but repeatedly.

Once victims register, they are contacted by a call center that walks them through paying their initial “investment”. Once they have paid, the victims are given access to a fake investment dashboard showing the returns their “investment” is supposedly making, to encourage further deposits.


Source: Group-IB

This is about as sophisticated as a phishing scam gets; the time and energy invested in over 10,000 fake sites seems unfathomable, and yet it’s the reality today. This is why every single person, whether at home or at work, needs to keep their defenses up and approach anything they encounter on social media, the web, and in email with a sense of suspicion. This comes naturally to users in an organization that goes through continual Security Awareness Training; they learn that anything that seems too good to be true isn’t true, and that anything received unexpectedly should be treated as a scam first.


New Phishing Campaign is Now Targeting Coinbase Users

If you’re a Coinbase user, you may well be the next target of a new phishing campaign. Cybercriminals have found ways past two-factor authentication and are deploying other social engineering strategies against users of the cryptocurrency exchange.

Researchers at PIXM have found that the attacks spoof Coinbase to trick users into logging in on a fake page. Once a user does, the threat actors capture the login credentials and use them to drain the victim’s crypto balances.

In a blog post, the research team stated: “They will typically distribute these funds through a network of ‘burner’ accounts in an automated fashion via hundreds or thousands of transactions, in an effort to obfuscate the original wallet from their destination wallet.”

It is very important for your users to be able to spot the warning signs of a suspicious email. New-school security awareness training can teach your users how to spot red flags and report malicious activity in their day-to-day operations.
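
The laundering pattern in that quote is a graph problem, and the defender’s side of it is tracing. The following Python is an added example, not PIXM’s code or anything from the original post: it follows funds forward from a compromised wallet across a constructed ledger (placeholder wallet names, invented amounts) and reports the fan-out, the number of pass-through wallets, and where the money finally consolidates. It models only plain wallet-to-wallet transfers; once funds pass through an exchange or mixing service the on-chain link breaks and this kind of trace stops, which is the part of the obfuscation that volume alone does not buy.

```python
from collections import defaultdict, deque

# Constructed ledger for illustration only: (tx_id, sender, receiver, amount).
# Wallet names are placeholders, not real addresses. The shape mirrors the quote:
# one source, a fan-out through short-lived intermediaries, then consolidation.
LEDGER = [
    ("t01", "victim", "burner1", 0.5), ("t02", "victim", "burner2", 0.5),
    ("t03", "victim", "burner3", 0.5), ("t04", "victim", "burner4", 0.5),
    ("t05", "burner1", "hop1", 0.5), ("t06", "burner2", "hop1", 0.5),
    ("t07", "burner3", "hop2", 0.5), ("t08", "burner4", "hop2", 0.5),
    ("t09", "hop1", "cashout", 1.0), ("t10", "hop2", "cashout", 1.0),
    ("t11", "shopper", "merchant", 2.0),  # unrelated activity that must not be pulled in
]


def build_graph(ledger):
    """Adjacency list keyed by sender: sender -> [(receiver, amount, tx_id)]."""
    out = defaultdict(list)
    for tx_id, sender, receiver, amount in ledger:
        out[sender].append((receiver, amount, tx_id))
    return out


def trace_forward(ledger, start):
    """Follow funds downstream from `start` (breadth-first) and report where they end up.

    Returns:
      hops            wallet -> number of transfers from `start`
      sinks           reached wallets that never send onward, with the total amount
                      that flowed into them from traced wallets
      fan_out         number of distinct direct recipients of `start`
      intermediaries  pass-through wallets between `start` and the sinks
    """
    out = build_graph(ledger)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        wallet = queue.popleft()
        for receiver, _, _ in out.get(wallet, []):
            if receiver not in hops:
                hops[receiver] = hops[wallet] + 1
                queue.append(receiver)
    sinks = {w for w in hops if w != start and w not in out}
    inflow = defaultdict(float)
    for _, sender, receiver, amount in ledger:
        if sender in hops and receiver in sinks:
            inflow[receiver] += amount
    return {
        "hops": hops,
        "sinks": {w: round(inflow[w], 8) for w in sinks},
        "fan_out": len({r for r, _, _ in out.get(start, [])}),
        "intermediaries": len(hops) - 1 - len(sinks),
    }


if __name__ == "__main__":
    print(trace_forward(LEDGER, "victim"))
```

On a real chain the same walk runs over millions of edges, so you bound it by hop count or by a minimum amount per edge; the constructed ledger shows the principle that fan-out followed by consolidation is itself a visible signature.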


New Research Shows Social Engineering and Phishing are the Top Threats

According to the CS Hub Mid-Year Market Report 2022, 75% of survey respondents believe that social engineering and phishing attacks are the top threat vector to cybersecurity within their organization.

Here is a chart from the report with additional findings:
Source: CS Hub

Phishing and social engineering (75%) far exceed the next-ranked threats: supply-chain/third-party compliance risks (36%) and lack of cybersecurity expertise (30%).

The most useful takeaway for your organization is that phishing and social engineering attacks rely on human error. While outright software vulnerabilities can be out of your control, ensuring your employees are well trained through new-school security awareness training is not.

Twilio hacked by phishing campaign targeting internet companies

Communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials.

The San Francisco-based company, which allows users to build voice and SMS capabilities — such as two-factor authentication — into applications, said in a blog post published Monday that it became aware that someone gained “unauthorized access” to information related to some Twilio customer accounts on August 4.

Twilio said since the attack, it has revoked access to the compromised employee accounts and has increased its security training to ensure employees are on “high alert” for social engineering attacks. The company said it has begun contacting affected customers on an individual basis. Full story at TechCrunch.


LinkedIn Continues its Reign as the Most-Impersonated Brand in Phishing Attacks

As cybercriminals look for novel and effective ways to gain entrance to a victim network, LinkedIn is proving to be fruitful enough to keep the attention of phishing scammers.

I hope you can appreciate the sophistication of a phishing attack that targets not just a specific company, or even an individual, but a role within the organization – complete with a tailored socially engineered campaign of emails, landing pages, impersonated brands, phone call scripts, and a defined process for the prospective victim to follow… until they perform the malicious action desired by the threat actor at the helm.

This is exactly the kind of attack we’re seeing with LinkedIn, the top impersonated brand for the second quarter in a row according to Check Point’s Q2 Brand Phishing Report. With data on over 500 million LinkedIn users available for cybercriminals to use, we’ve seen attacks impersonating LinkedIn jump by well over 200% in a single month.

The FBI even recently put out a warning about widespread fraudulent activity using LinkedIn’s branding and platform as the foundation for the attack.

According to Check Point, LinkedIn is impersonated in phishing attacks at more than three times the rate of Microsoft (a brand we’ve seen used far too often, thanks to its reach across users of Windows and Microsoft 365).

Because even your organization has users who are looking for their next job, it’s imperative that they understand the risk of responding to any communication, in email or on the web, that is unexpected or seems too good to be true. This level of vigilance comes from putting users through continual Security Awareness Training that teaches them how brand impersonation (LinkedIn or otherwise) is used to raise the odds of a successful phishing attack.


Labor Market Social Engineering: Supply-Side and Demand-Side

We’re accustomed to social engineering being used for credential theft and business email compromise. We’re also accustomed to hearing about the increase in remote work during the pandemic, and how that has expanded organizations’ attack surface.

But another round of deception, of social engineering, is now afflicting the hiring process itself. North Korean threat actors are copying details from LinkedIn and Indeed profiles to build personas that secure remote jobs at cryptocurrency companies.

North Korea has long used cybercrime as a tool of state policy, seeking to redress, through theft, the effects of worldwide sanctions on its economy. Remote work for cryptocurrency companies is attractive for a variety of reasons. Citing research by Mandiant that follows up and confirms a warning the US Government issued in May, Bloomberg reports:

“According to the Mandiant researchers, by collecting information from crypto companies, North Koreans can gather intelligence about upcoming cryptocurrency trends. Such data – about topics like Ethereum virtual currency, nonfungible tokens and potential security lapses – could give the North Korean government an edge in how to launder cryptocurrency in a way that helps Pyongyang avoid sanctions, said Joe Dobson, a principal analyst at Mandiant.

“‘It comes down to insider threats,’ he said. ‘If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.’”

Some of the attempts have been successful.

“Mandiant researchers said they had identified multiple suspected North Korean personas on employment sites that have successfully been hired as freelance employees. They declined to name the employers.

“‘These are North Koreans trying to get hired and get to a place where they can funnel money back to the regime,’ said Michael Barnhart, a principal analyst at Mandiant.”

This is worker-side deception, in which North Korean operators pose as coders looking for remote work they can use for either direct theft or espionage. There’s a corresponding North Korean employer-side deception in which the Lazarus Group and related DPRK threat groups put up websites that impersonate well-known companies, and on which they post bogus job offers. Bloomberg cites research by Google that identified a North Korean-produced site that impersonated the employment service Indeed.com.

“Other fake domains, created by suspected North Korean operators, impersonated ZipRecruiter, a Disney careers page and a site called Variety Jobs, according to Google.” The goal of these attempts is to induce marks to submit personal and professional information that can be used to either socially engineer the victims, or else to enable DPRK intelligence services to impersonate those victims in other campaigns.

So don’t neglect HR and recruiting in your security training, and keep an eye out for attempts to impersonate your public-facing websites. New-school security awareness training can teach your people how to recognize social engineering tactics, whether they’re worker-side or employer-side.
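
Both the brand-impersonation figures in the LinkedIn section above and the fake Indeed, ZipRecruiter and Disney careers domains described here come down to the same defensive chore: watching for domains that look like yours or like the brands your staff trust. The following Python is an added example, not code from Check Point, Google, Mandiant or the original post. It checks candidate domains against a list of protected brand names for homoglyph swaps, brand names padded with extra tokens or pushed into a subdomain, and near-misses by edit distance. The candidate list is constructed, “examplecorp” stands in for your own organization, and the homoglyph table and distance threshold are assumptions; a production version needs the public suffix list and a Unicode confusables table.

```python
import re

# Brands to protect: the job sites the text names, the two most-impersonated brands from the
# Check Point figures, and "examplecorp" as a stand-in for your own organization.
PROTECTED = ["linkedin", "microsoft", "indeed", "ziprecruiter", "examplecorp"]

# Constructed candidates, as they might arrive from a newly-registered-domain feed.
# None of these is a real finding from the reports discussed above.
CANDIDATES = [
    "linkedin.com", "1inkedin-jobs.com", "linkedln-careers.net", "indeed-apply.co",
    "ziprecruiter.com", "zlprecrulter.com", "examp1ecorp-hr.com", "linkedin.apply-now.net",
    "weather-report.org", "rnicrosoft-login.com",
]

# Character swaps that look alike in common fonts; multi-character entries apply first.
# Deliberately small (assumed list); extend with Unicode confusables for real use.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"}


def normalize(token):
    token = token.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        token = token.replace(src, dst)
    return token


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain, protected=PROTECTED, max_dist=2):
    """Return (domain, brand, reason) if `domain` looks like an impersonation, else None.

    The TLD is dropped naively (labels[:-1]); use the public suffix list in production so
    that multi-part suffixes such as .co.uk are handled correctly.
    """
    labels = domain.lower().strip(".").split(".")[:-1]
    if not labels:
        return None
    if labels[-1] in protected:
        return None  # the brand's own registrable domain; keep a real allowlist in production
    for brand in protected:
        for idx, label in enumerate(labels):
            for tok in filter(None, re.split(r"[-_]", label)):
                norm = normalize(tok)
                if norm == brand:
                    if tok != brand:
                        return (domain, brand, "homoglyph")
                    if idx < len(labels) - 1:
                        return (domain, brand, "brand_in_subdomain")
                    return (domain, brand, "brand_with_extra_tokens")
                if len(norm) >= 5:  # short tokens are within two edits of almost anything
                    d = levenshtein(norm, brand)
                    if 0 < d <= max_dist:
                        return (domain, brand, f"edit_distance_{d}")
    return None


def scan(candidates, protected=PROTECTED):
    return [hit for hit in (check_domain(c, protected) for c in candidates) if hit]


if __name__ == "__main__":
    for hit in scan(CANDIDATES):
        print(*hit)
```

Run this over certificate-transparency logs or a new-domain feed and the hits are the domains to register defensively, to block at the proxy, or to report for takedown before a job-offer lure built on them reaches your users.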