What is Social Engineering?
Social engineering – the art of hacking human beings – is an age-old threat. But the meteoric rise of online social media usage has led to a new security challenge: social media engineering. In this attack space, there are no Matrix-style hacker skills required. It’s not human vs. computer – it’s human vs. human, where a 19th-century snake oil salesman would do just fine.
Social media is not just one-to-one communication, but one-to-many, which greatly expands the “attack surface.” Criminals can spread malicious links across an entire organization, intelligence operatives can collect data from an entire population, politicians can steal an election, and more.
All humans are vulnerable to social engineering. Some are harder to trick than others. However, in any large group of people, a few are guaranteed to fail the test. And it may not matter that victims can eventually discover the ruse, once the money is gone or the election is over, the hackers have moved on to other targets.
With social media engineering, there is no reason for a hacker to think small. Of course, a lonely citizen is fair game – they are too small to fight back. However, even a powerful nation-state agency is a good target – the bigger they are, the harder they fall – and social media provides a way to connect to each and every one of its human employees.
How do Hackers Use Social Engineering?
Over the past several years, ZeroFOX has identified and remediated tens of thousands of social engineering profiles and fake accounts impersonating our customers. These accounts spoof a company’s brand or executive persona, hijack their logo, and try to mimic the authentic account in order to attack employees and defraud customers.
Fraudulent accounts, also called impersonations, are outrageously easy to create. The easy signup process lowers the barrier to entry to new users, but also makes it easier for attackers to quickly start a campaign. For cybercriminals, conducting their day job has never been more trivial, and just like they did on email, attackers spoof a brand or its executives to deliver their payload to customers. Today, the social engineer has far more tools at their disposal to create a convincing fraudulent persona and distribute their attack. The tactics used by these fraudulent accounts are devious and diverse, ranging from traditional social engineering ploys to actually paying money to advertise the scam to reap higher rewards.
The networks’ attempts to provide “verification” to real corporate accounts has led to a new breed of impersonations and “verification scams.” The broader impersonator landscape reveals many tactics meant to lure the user into buying competitor or counterfeit merchandise, providing personal information to unknowing fake recruiters, entering fabricated contests to steal personal information or money, engaging in fraudulent financial scams, and much more. This broader threat landscape extends beyond targeted threats and represents a more systemic issue of risks impacting enterprise security, privacy, and reputation. If allowed to go unresolved, these threats impact the organization’s bottom line and damage fundamental customer trust in the organization.
The social networks have taken the first step in combating the impersonator problem by verifying accounts, indicating to a user that the profile they’re interacting with is legitimate and not an imposter. This is similar to websites that are verified using website digital certificates, and browsers that highlight the URL in green. But what this approach doesn’t provide is any indication of a nefarious account.
Social networks rely on abuse reports from their users or manual triage in order to identify and respond to these accounts. This approach cannot keep up with the constant flux of impersonating accounts used for social engineering as they are created and deleted each day. The problem of fraudulent accounts is systemic across the social networks and the tactics are broad and diverse. Proactively hunting for these accounts requires sophisticated, layered methods using account verification, threat detection, and machine learning. This approach can be subsequently integrated to allow large-scale, cross-network analysis and improved detection accuracy. Machine learning classifiers that can report on these threats targeting an individual or enterprise at incredible scale. Armed with this intelligence, an organization can take a more proactive and timely approach to thwarting threats, requesting account takedowns, and mitigating risk. Impersonators are an excellent case study for the back-and-forth battle between cyber criminals, social networks and the users caught in the middle. In our new digital lives, where people are free to assume others’ identities and perpetrate malicious activity in their name, brands are increasingly at risk of financial and reputational losses.
Protect Today. Predict Tomorrow. Get started with ZeroFOX and secure your digital-first world with protection, intelligence and disruption.