Social Engineering

A social engineering cyberattack relies on manipulating individuals to obtain confidential information or gain unauthorized access to systems.

When we think of cyberattacks, we usually think about the technical aspects that go into them. And while coding is an integral component, 98% of cyberattacks rely on psychology; more specifically, on a social engineering attack. Social engineering is simply the art of exploiting human psychology, and bad actors use such techniques to “get inside” their target. After all, a cybercriminal can’t show off their malicious coding skills if they are kept on the outside.

Since social engineering exploits human nature, employees pose the greatest cybersecurity risk (Human Factors in Cybersecurity). Organizations are aware of this and often require their staff to undergo cybersecurity training. However, such efforts mainly focus on well-known social engineering techniques, such as phishing. And although phishing is a significant threat, we want to highlight other social engineering techniques that are commonly used yet less recognized: those relating to hardware-based attacks.

Social Engineering of Cyberattacks

If It Walks Like a Duck… It Might Not Be a Duck!

The first form of social engineering is simply the appearance of Rogue Devices (hardware attack tools). To encourage their use and not raise any suspicion, Rogue Devices look legitimate, either in design (e.g. the USB Ninja Cable used in juice jacking) or by being embedded within benign devices (e.g. a Raspberry Pi hidden inside a keyboard). So, while you may think you are using an ordinary Logitech keyboard, you might actually be facilitating an attack. Our human nature to trust gets exploited in the wildest of ways…

Welcoming the Enemy

Hardware-based attacks require physical access, and social engineering techniques are relied on extensively to achieve this. Employees get manipulated – wittingly or not – into providing attackers with access to the target’s premises or to a physical component of its infrastructure. Some social engineering techniques are overt, such as bribery, which relies on human greed to execute the attack. However, most are covert and exploit other aspects of human nature.

An Open-Door Policy You Didn’t Know You Had

Malicious actors who choose to bring the Rogue Device into the target’s premises themselves will manipulate employees into providing them with a way inside. Doing so requires deceptive social engineering techniques that involve disguises. One of these is the “evil maid attack”: by dressing up as outsourced cleaning personnel, the attacker can get inside the target without raising suspicion. Similarly, pretending to be a colleague who “forgot their access card” is another easy way in for malicious actors. Large enterprises can employ thousands of people in just one office, so it is not unusual for employees to see an unfamiliar face and not question it.

Alternatively, a bad actor can dress in a particular way to give off a specific impression, be it that of a C-suite executive or a company rep, which will provide them with access. In a pen-test, a social engineering expert gained access to a retail company by wearing a $4 Cisco shirt and pretending to be a rep for the company. Yes, it really can be that easy.

From the inside out

On the other hand, attackers don’t even need to go as far as entering a target’s premises. Perpetrators can gain access to the organization through remote entry points. The rise in BYOD and WFH trends has expanded the attack surface significantly and made it more accessible. Today, attackers can manipulate employees into using Rogue Devices without going anywhere near the office. Home-office devices like keyboards and mice sold on sites such as Amazon and AliExpress are a hit with remote workers due to the range of options and low prices. However, such products might be Rogue Devices in disguise that, once used, provide access to the target. But work-related products are not the only threat; bad actors have found value in manipulating public charging kiosks. Our devices have access to and store so much data that we are constantly valuable targets.

Social engineering techniques can exploit human greed in the form of free giveaways. Greed often trumps our cautionary instincts, and when we are presented with a free “iPhone charger” as part of a giveaway, it can be all too hard to turn down (we really are a simple species). Greed is sometimes all it takes to cause a cyber incident; instead of questioning the charger’s legitimacy, we simply accept the gift for what it appears to be. However, the gift must be worth it. In an attempt to exploit human greed, an attacker offered a hospitality company a $50 Best Buy gift card that could be accessed through a USB thumb drive. The recipient grew suspicious and did not fall for the attack, demonstrating either good instincts or good cybersecurity training – or both.

You Have the Power…

Rogue Devices bypass existing security solutions, such as NAC, EPS, IDS, or IoT Network Security, due to a lack of Layer 1 visibility, meaning they go undetected. Hence, to avoid hardware-based attacks, it is essential to avoid using Rogue Devices, which, in other words, means the responsibility lies with employees. Employees’ role in preventing such attacks highlights the importance of recognizing the above-mentioned social engineering techniques. Such awareness is even more crucial as hardware-based attacks occur more frequently, with 37% of threats designed for USB exploitation in 2020, nearly double the 2019 figure. Further, as USB usage rose by 30% in 2020, attackers are more likely to be successful.
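One host-side check a defender can add alongside awareness training is to watch what a newly plugged-in USB device actually enumerates as: a “charger” or “cable” that registers a HID keyboard interface is exactly the disguised Rogue Device described above. The following is an added example, not Sepio’s product or code; it parses constructed Linux kernel (dmesg-style) log lines and the allow-list of approved keyboard VID:PID pairs is a hypothetical site policy.

```python
# Flag USB devices that expose a keyboard (HID) interface but are not on
# the site's allow-list, using kernel log lines as input. The log lines
# below are CONSTRUCTED for this example in dmesg format, and the
# allow-list is a hypothetical site policy, not any vendor's data.
import re

# Hypothetical allow-list of corporate-issued keyboards: (idVendor, idProduct).
ALLOWED_KEYBOARDS = {("046d", "c31c")}

SAMPLE_DMESG = """\
usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-1.2: Product: USB Keyboard
hid-generic 0003:046D:C31C.0003: input,hidraw2: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.2/input0
usb 1-1.4: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice=1.00
usb 1-1.4: Product: USB Charger
hid-generic 0003:1A2B:3C4D.0004: input,hidraw3: USB HID v1.11 Keyboard [USB Charger] on usb-0000:00:14.0-1.4/input0
usb 2-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice=1.00
usb 2-1: Product: Ultra Fit
"""

FOUND_RE = re.compile(r"usb (\S+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
PRODUCT_RE = re.compile(r"usb (\S+): Product: (.*)")
# hid-generic names the device as bus:VID:PID.instance; "Keyboard" is the HID type.
HID_KBD_RE = re.compile(r"hid-generic 0003:(\w{4}):(\w{4})\.\w+: .* Keyboard \[")

def parse_dmesg(text):
    """Return {port: {"vid", "pid", "product", "keyboard"}} for each enumerated device."""
    devices = {}
    for line in text.splitlines():
        if m := FOUND_RE.match(line):
            port, vid, pid = m.groups()
            devices[port] = {"vid": vid.lower(), "pid": pid.lower(), "product": "", "keyboard": False}
        elif (m := PRODUCT_RE.match(line)) and m.group(1) in devices:
            devices[m.group(1)]["product"] = m.group(2)
        elif m := HID_KBD_RE.match(line):
            vid, pid = (g.lower() for g in m.groups())
            for dev in devices.values():  # correlate the HID line back by VID:PID
                if (dev["vid"], dev["pid"]) == (vid, pid):
                    dev["keyboard"] = True
    return devices

def find_rogue_keyboards(devices, allowed=ALLOWED_KEYBOARDS):
    """Ports whose device can inject keystrokes but is not an approved keyboard."""
    return sorted(p for p, d in devices.items() if d["keyboard"] and (d["vid"], d["pid"]) not in allowed)

if __name__ == "__main__":
    devs = parse_dmesg(SAMPLE_DMESG)
    for port in find_rogue_keyboards(devs):
        print(f"ALERT: unapproved keyboard-capable device {devs[port]} on port {port}")
```

On the constructed input only the “USB Charger” on port 1-1.4 is flagged: it enumerates a keyboard interface without being an approved keyboard, while the flash drive on 2-1 presents no HID keyboard and is ignored.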

…But We Are Here to Help

The problem, however, is that, even with training, employee negligence is the cause of 62% of cyber incidents. So, while training is important, it is not a silver bullet, especially since hardware-based social engineering techniques can be extremely deceptive and hard to recognize. So, for an extra layer of protection, Sepio’s platform (ARM) provides the visibility required to detect, identify, and block Rogue Devices, should one appear within an organization’s infrastructure.

October 12th, 2021