When ISACA recently released part 2 of its State of Cybersecurity 2020 report, it was noted that the largest reported attack type was social engineering. While social engineering is not new to the threat landscape, it is an attack type that has had staying power, and attackers are becoming increasingly sophisticated in their approach. Let's explore several different types of social engineering, so that you don't take the bait -- hook, line and sinker.
Different types of phishing
Phishing, a high-profile form of social engineering, is a high-tech scam that uses email or websites to deceive targets into disclosing personal information useful in identity theft, passwords or other sensitive information. Phishing can also be an attempt to gain access to your corporate computer or network by requesting that you click a link to download a document or visit a website. Phishing jeopardizes the security of your company's information and information systems.
There are two main methods of phishing: email and tabnabbing. I will explore both types of ways to gain unauthorized access. However, first let me note the different types of email phishing. Phishing is usually an email sent to a large group of people that attempts to scam the recipients. Those recipients do not generally have anything in common. This tends to be a little easier to spot and stop with the appropriate spam filters.
Spear phishing, however, is a message sent to a smaller, more select group of targeted people or to a single individual. Spear phishing often targets a specific individual or group of individuals, such as middle management or leadership of an organization. Another difference is that a spear phishing email may appear to come from someone inside your organization, most likely from someone in a position of higher authority. Spear phishing is usually performed by very sophisticated hackers who most likely have done reconnaissance about you and your corporation on social media sites such as LinkedIn.
If the hackers succeed in gaining information from you, they can use that information to break into your corporate information systems. If those hackers gain access to these systems, they could hold your organization's data hostage until they receive a ransom. They might even be able to bring down the network or obtain sensitive or corporate confidential information.
Some attackers are even more ambitious and take their schemes right to the top. Whaling, or whale phishing, is a highly personalized message sent to senior executives or other high-level officials. These types of messages may be the most difficult for the corporate spam filters to spot and block.
One common thread among phishing emails is an attempt to trick or scare the target into an instant reaction. The email or pop-up message usually claims to be from a legitimate source, such as your own organization. The message, or lure, usually says that you need to update or confirm your account information. It might threaten some dire consequence if you do not respond.
Now, let's look closely at another method called tabnabbing. Tabnabbing occurs when an attacker takes control of your web browser. For example, one afternoon, you are working at your computer researching the CDC website about reopening your office during COVID-19, when you realize that you need to check each state for the different rules about opening up the office. After opening up multiple tabs in your browser to check the different states, you move to return to the CDC website and your original research when the tab for your corporate email catches your eye. You check to see if you've received any new messages. It appears that you've been logged out of your session, though you can't really remember having your corporate email open earlier in the day.
You have a choice to make. You can either type your username and password and select the login button, or close the tab. Here's how it works. You are using the internet and have multiple tabs open at one time. The attacker notices you haven't interacted with a tab for a while and replaces the content on that page with a familiar-looking page -- your email, for example. The attacker even adds the appropriate icon to the tab. The next time you look at your open tabs, you may notice the email tab and decide to check your email. If you type in your username and password, the attacker copies that information to his or her server, then redirects you to the correct email server, and you've been a victim of phishing without even realizing it.
Phishing as a malware vector
Phishing plays a large role in distributing malware directly onto user systems by deploying ransomware, cryptojackers and keyloggers. ISACA's State of Cybersecurity 2020 study noted that ransomware is the most-reported mechanism of post-exploitation monetization. However, subtler, more advanced adversaries can use this common technique to do much more. After stealing your credentials or injecting code into another process or computer, it may act as a "back door." Hackers can then establish a persistent presence on the corporate network and conduct network reconnaissance at their leisure. The hackers may even bypass compromising any additional endpoints and access sensitive documents stored in cloud-based services.
With a big enough targeted phish, attackers will have access to what you have access to on your corporate system -- a chilling scenario that end users and their organizations must vigilantly work to avoid.
About the author
Pamela Nigro, CISA, CRISC, CGEIT, CRMA, is an ISACA board director and vice president of information technology and security officer at Home Access Health Corporation. Nigro is experienced in governance, risk, compliance and cybersecurity focusing on the healthcare and insurance industries. She is a recognized subject matter expert in HIPAA, HITRUST, SOC 1, SOC 2, Sarbanes-Oxley (NAIC-MAR) and IT/cybersecurity controls and risk assessments. Nigro is also an adjunct professor at Lewis University, where she teaches graduate-level courses on information security, ethics, risk, IT governance and compliance and management of information systems in the MSIS and MBA programs.