Social Engineering in the Age of COVID-19

In today’s blog, we will be discussing social engineering attacks in the age of COVID-19. Social engineering is a popular vector for attackers, and with the rise of remote work due to the pandemic, companies’ IT security departments need to be increasingly vigilant.

As many of our readers are no doubt aware, social engineering attacks are becoming more and more prevalent in today’s world. One of the main reasons is the improvement in technical defenses on network perimeters. For example, many companies are using modern behavioral anti-virus, a combination of tools such as IDS, IPS and/or SIEM, and enforcing multi-factor authentication. Therefore, it is often easier and more time-effective for an attacker to focus on the weakest link: the end user. It is far easier for an attacker to attempt to coerce a user into inadvertently handing over their login credentials than it is for an attacker to write a zero-day exploit to bypass a company’s technical controls. This is especially true in the year 2020, where companies are having to adjust to the ongoing pandemic. More and more people are working remotely, and IT departments are having to rapidly change their processes to aid employees. Amidst the confusion, attackers are waiting to pounce. In fact, social engineering attacks have noticeably increased during the pandemic.

Social Engineering Assessments

Here at Triaxiom, we regularly conduct social engineering assessments for our clients, and have already discussed their importance. In an effort to make our social engineering engagements as realistic as possible, we attempt to emulate what we see attackers doing in the wild. As such, recent assessments we’ve conducted have attempted to take advantage of the COVID-19 pandemic to coerce users into performing actions they shouldn’t. For example, in a recent campaign, we posed as our client’s IT department and sent the following email to a number of their employees:

Figure 1 – Enticing users to visit Triaxiom’s fake ‘Work from Home’ portal.

As we mentioned, many companies are adapting their processes to make life easier for employees during the age of quarantines and remote working. As seen in Figure 1, we posed as our client’s IT helpdesk and advised employees they needed to log in to a new ‘Work from Home’ portal. This portal would assist users with remote working, and users were advised they had to log in to test compatibility with the new system.

For the login portal, we mimicked the client’s VPN login, thus giving users a sense of familiarity. We purchased a similar domain to the client’s. We configured the portal to use HTTPS and set up certificates to ensure there were no certificate errors in the browser.

Figure 2 – A spoofed login page emulating the client VPN interface

Many users will see the padlock symbol in the URL and assume the site is secure. They are correct, of course, in the sense that the traffic between the login portal and the server is encrypted. However, the bad news for them is that the server is controlled by the attacker, or in this case, Triaxiom. Therefore, when users went to log in, we were able to capture their credentials.

Figure 3 – Capturing a user’s credentials.

The user would then be redirected to a generic success page advising them that their machine is indeed compatible with the new ‘Work from Home’ system. Meanwhile, Triaxiom went on to use those credentials in other areas of the network and were ultimately able to take full control of the entire domain.

The above was just one example of the many social engineering campaigns Triaxiom has launched during the pandemic. We have carried out many different types of vishing campaigns and various phishing campaigns, all of which have yielded great results from a tester’s point of view. This indicates to us that many companies are simply not prepared to deal with the threat of social engineering attacks.

Remediation

We firmly believe in a defense-in-depth approach. Below are a few things we recommend when it comes to mitigating the risk of social engineering attacks:

  • Conduct security awareness training for users in order to convey how/when the IT department, or third parties on their behalf, will ask them for information, how to validate the identity of a caller before performing any IT-related actions, what common social engineering attacks look like, and what the dangers of these attacks are.
  • Implement multi-factor authentication on all employee-utilized login interfaces on the external perimeter. This would then render any gathered credentials useless to an attacker because they would still not have the second factor to authenticate.
  • Ensure an incident response plan is in place and regularly tested to quickly detect and respond to social engineering attacks.
  • Consider placing an ‘external email’ banner on all emails originating from outside the organization. This will aid users in spotting phishing attempts.
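
One way to pair the ‘external email’ banner with a check for the similar-domain tactic described earlier, as an added example (not Triaxiom’s tooling). The organization domain `example.com`, the homoglyph map, the distance threshold and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real mail domain
# Small illustrative map of digit-for-letter swaps; hyphens are dropped.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, org_domain=ORG_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    # From: can be forged; a gateway should also require SPF/DKIM/DMARC to pass.
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if domain == org_domain:
        return "internal"
    normalized = domain.translate(HOMOGLYPHS)
    org_label = org_domain.split(".")[0]
    if (normalized == org_domain.translate(HOMOGLYPHS)   # examp1e.com
            or edit_distance(domain, org_domain) <= 2     # exampel.com
            or org_label in normalized):                  # example-helpdesk.net
        return "lookalike"
    return "external"

def add_banner(raw_message):
    """Prefix the Subject of non-internal mail; returns (verdict, message)."""
    msg = message_from_string(raw_message)
    verdict = classify_sender(msg.get("From", ""))
    if verdict != "internal":
        tag = "[EXTERNAL]" if verdict == "external" else "[EXTERNAL - LOOK-ALIKE DOMAIN]"
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}"
    return verdict, msg

SAMPLES = [  # constructed sample messages, not taken from the assessment
    "From: IT Helpdesk <helpdesk@example.com>\nSubject: Maintenance window\n\nbody\n",
    "From: IT Helpdesk <helpdesk@examp1e.com>\nSubject: New Work from Home portal\n\nbody\n",
    "From: Vendor <billing@supplier.test>\nSubject: Invoice\n\nbody\n",
]

if __name__ == "__main__":
    print([(v, m["Subject"]) for v, m in map(add_banner, SAMPLES)])
```

The substring and edit-distance heuristics will produce false positives for short or common organization names, so look-alike hits are better routed to review than silently dropped.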

If you are interested in learning more about social engineering assessments, please feel free to contact us here.