This past week, FireEye released its “Hacking the Street” report, indicating a group of highly sophisticated attackers exploited Wall Street using social engineering instead of malware or other technical attack vectors. The group, known as FIN4, initiated their attack through information-gathering. They reportedly contacted an array of publicly traded pharmaceutical, health care, and biotechnology organizations to pick up Wall Street terminology. The group then used the merger and acquisition lingo in extremely convincing phishing emails to con professionals working in financial services into believing in the legitimacy of the email. The emails carried Visual Basic for Applications (VBA) macros implemented to obtain user names and passwords for key individuals. This incident sheds light on the growing number of attacks orchestrated without advanced technical means but, more importantly, demonstrates a profound aspect of social engineering: the ability to use the right terminology.
What does it mean to use the “right” terminology? Social engineers use social proof as one way to build credibility. They need to convince their targets that they’re insiders, a member of the tribe. Regardless of the organization, division, or industry, rest assured that every single one has a unique language. By using certain terms, phrases, euphemisms, and acronyms, social engineers can build credibility with employees of target companies. If an attacker sends an email requesting information for a technical upgrade and correctly references the internal name of the corporate intranet, it is highly likely the employees will believe the email is authentic. If it is a vishing attack, the correct terminology accompanied by rapport-building will likely lead the target to accidentally divulge information.
Social engineers must be chameleons. They must adapt to the culture they are trying to penetrate; they have to think, act, walk and talk like a normal employee. The best social engineers gather, share and store information over time, talking to different people and filling in pieces of the puzzle. It is not imperative for the target to disclose corporate trade secrets during the information-gathering phase. Attackers can call into five different departments, have five different conversations, and come away with five different pieces of information that help validate them later, when they do want to obtain an employee ID or network credentials. One great example I think about is from the film Catch Me If You Can. There is a scene in which Leonardo DiCaprio’s character, Frank Abagnale, decides to become a lawyer. He watches a television show about a trial and hears words such as “client,” “objection,” “jury,” and “charge.” In his first confrontation with a judge, he recites the same lines he heard on the show, but he uses them at the wrong point in the hearing, addressing the jury when no jury was present.
Suppose your organization refers to employee ID numbers as “V” numbers, short for Verified Employee Identification. If I were to call your organization or send an email from “corporate” HR asking to verify your employee ID, chances are a red flag will go off because you don’t ever hear that term. But suppose I call, verify some additional publicly available information and then ask for your “V” number? The chances of you providing me with this information are far greater because I have provided affirmation of my legitimacy. Words are powerful, and using them the “right” way can have serious rewards (if you’re a social engineer) or repercussions if your organization is the target of a social engineering-based attack.
Looking at FIN4, it’s not surprising that they’ve been operating effectively for over a year. They are likely working as a team, slowly and steadily contacting different individuals to gather bits of information, and taking the time to formulate an iron-clad pretext for when they want the valuable information.
Unfortunately, these attacks are highly successful and they are on the rise. It’s time to ask yourself the tough questions: Are your employees adequately equipped to handle outsiders pretending to be insiders? Do employees know proper protocols for reporting suspicious activity? Does your organization have a process for verifying outside callers before providing any information? Do you have security awareness programs in place? If the answer to any of these questions is “no,” we can help. Social-Engineer can evaluate your organization’s overall susceptibility to social engineering and phishing attacks by conducting simulated insider attacks via phone, email, and in person. We can also conduct comprehensive virtual perimeter assessments or identify areas of vulnerability based on publicly available information, such as social media, to baseline and then improve your organization’s security posture with ongoing corporate training and awareness initiatives. Sophisticated attackers are leveraging social engineering to attack all industries, not just banking and finance. It’s time to make yourself and your employees part of the defense mechanism to protect the integrity of information assets.