Over the years, cybersecurity practices have also become more advanced in order to keep up with and defend against the latest threats. These days most services, systems, and applications uphold a high level of security, making it difficult for attackers to breach the perimeter network. However, how well those defenses work depends on the quality of an organization’s IT security policies and on the rigor with which they are implemented. Cyber threats have also continued to evolve, from ransomware such as CryptoLocker and WannaCry to sophisticated social engineering attacks.
Social Engineering attacks are the most common type of cyber threat because they rely on human error rather than on vulnerabilities in software and operating systems. Legitimate users make mistakes, and those mistakes are far harder to predict than traditional malware-based attacks. These techniques rely on flaws in human decision-making known as cognitive biases. The attacker exploits these biases, the “bugs in the human brain”, using various combinations of techniques in order to steal employees’ confidential information. Two of the most popular social engineering techniques are Phishing and Spear Phishing.
Phishing is a technique used to fraudulently obtain private information. Typically, a mass email is sent out from a sender who appears to be legitimate. For example, a common phishing email is an Office 365 password reset email prompting the user to reset their password. The user clicks on the password reset link and is taken to a site which looks very much like Office 365. The user unknowingly enters their old password and then their “new password”. The attackers now have the user’s original password, while the user thinks they have reset their password. The attackers then gain access to the user’s email mailbox and can steal personal information, intellectual property, or simply download all of the user’s emails and contacts to be used against them in a second attack. In some cases, an attacker may even set up forwarding of all future sent and received emails to another email address, and so continue to monitor the victim’s communications even after the password is subsequently changed.
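Because a forwarding rule survives a password reset, auditing for it belongs in every Office 365 account-compromise response. The script below is an added example written for this article, not part of the original post or any OSIbeyond tooling; it assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session with Exchange administrator rights, and the function names and the $InternalDomains list are this example’s own.

```powershell
# Audit Exchange Online for mailbox forwarding and inbox rules that send
# mail to domains outside the organization (the persistence trick above).
# Assumes: Connect-ExchangeOnline already run; ExchangeOnlineManagement installed.
param(
    # Placeholder list of the tenant's own accepted domains; replace with yours.
    [string[]]$InternalDomains = @('example.com')
)

function Get-ExternalDomain {
    param([string]$Address)
    # Targets show up as "smtp:user@domain", "[SMTP:user@domain]" or
    # 'Display Name [SMTP:user@domain]'; pull the domain out of any of them.
    $m = [regex]::Match($Address, '@([A-Za-z0-9.-]+)')
    if (-not $m.Success) { return $null }
    $domain = $m.Groups[1].Value.ToLower()
    if ($InternalDomains -contains $domain) { return $null }
    return $domain                       # non-null means external target
}

function Find-ExternalForwarding {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # 1. Mailbox-level forwarding (settable by admins or via Outlook settings)
        $fwd = "$($mbx.ForwardingSmtpAddress)"
        if ($fwd -and (Get-ExternalDomain $fwd)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
                               Rule = ''; Target = $fwd; KeepCopy = $mbx.DeliverToMailboxAndForward }
        }
        # 2. Inbox rules: unlike a stolen session, these are untouched by a password change
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in ($targets | Where-Object { $_ })) {
                if (Get-ExternalDomain "$t") {
                    [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                                       Rule = $rule.Name; Target = "$t"; KeepCopy = $rule.Enabled }
                }
            }
        }
    }
}

Find-ExternalForwarding | Format-Table -AutoSize
```

Enumerating inbox rules for every mailbox is slow on large tenants, so run it on the compromised accounts first and schedule the full sweep; for real-time detection, alert on New-InboxRule and Set-Mailbox forwarding events in the unified audit log.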
Spear Phishing is a different technique because it is much more highly targeted and customized than phishing emails. Spear Phishing consists of attackers doing research on targets in order to trick them into taking a requested action. A common spear phishing attack is an impersonation email, apparently sent from the “CEO” to an employee, instructing them to take a specific action such as wiring money to a specific vendor or providing some sort of personal information. Spear Phishing attacks have a significantly higher success rate than phishing attacks due to the volume of Open Source Intelligence the attacker can obtain from public sources of information, including social media and company websites.
Written by: Payam Pourkhomami, President & CEO, OSIbeyond