It only takes one email, a 30-second call, or one social media DM for ethical hacker Rachel Tobac to hack VIPs and gain access to your money, data, and systems.
My name is Rachel Tobac and I execute social engineering attacks for a living and use my real-life ethical hacking stories to keep everyone - including VIPs, executives, and their teams - up-to-date on the methods cybercriminals are using to trick people. I am a hacker and the CEO of SocialProof Security where I help people and companies keep their data safe by training and pentesting them on social engineering risks. In a recent webcast, I broke down recent cyber attacks in the news, discussed how remote work has changed the hacker playbook, and identified some key ways you can defend against the latest executive-based manipulation methods. Below I have provided an overview of what types of information cyber criminals look for, the primary principles they use when selecting a target, and how you can keep your team secure.
Oftentimes, cyber criminals are looking for your password online, trying to convince you to hand over your credentials, or hoping to get you to click on a malicious link or download a malicious file. They will sometimes try to get you to send them money, data, or anything sensitive, which could be as simple as a sensitive detail or confirmation about an acquisition or merger.
Before hackers hack, they do their research. Building up a hacking pretext is like fancy Googling, and it usually involves simpler actions than you might expect. Often, it means that hackers are Googling the organization and trying to figure out where, and who, to target to gain access. We also want to know details we can use to bolster our attack and make it more believable. This starts with really simple things like LinkedIn, which gives us org charts, coworkers, the software your team uses, and executives we can impersonate in something like a gift card scam or a new hire scam.
Gift card scams are increasingly common in this remote work world. The attacker pretends to be an executive at your company and messages someone on your team, saying, “Hey, can you buy me some gift cards for a client?” Many people have a phone number in their contact info on LinkedIn and don’t realize it’s still there. Cyber criminals then use that phone number to text you, and they impersonate the executive by spoofing their phone number, which means they make the caller ID look like the message is coming from someone you know.
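As an added illustration (this is not code from my talk or from Bitwarden), here is the kind of triage rule a security team can run on inbound messages to catch the gift card pretext before a teammate acts on it. It assumes the request arrives as email, a constructed company domain (example.com), and a small executive directory; the sample messages are made up for the example.

```python
"""Triage rules for executive-impersonation email (added example).

Assumptions, all constructed for this example and not taken from the post:
  - messages arrive as email and are handed to us as dicts of header/body,
  - the company's real domain is example.com,
  - EXECUTIVES is the source of truth for the mailbox each executive uses.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"

# Constructed executive directory: display name -> the only legitimate sender.
EXECUTIVES = {
    "dana reyes": "dana.reyes@example.com",
    "sam okafor": "sam.okafor@example.com",
}

# Phrases typical of the "I'm in a meeting, just buy the cards" pretext.
PRESSURE_PHRASES = re.compile(
    r"\b(gift ?cards?|asap|right now|urgent(?:ly)?|can'?t talk|in a meeting|keep this between us)\b",
    re.IGNORECASE,
)


def normalize_name(display_name: str) -> str:
    """Collapse case and whitespace so 'Dana  REYES' matches 'dana reyes'."""
    return " ".join(display_name.lower().split())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(message: dict) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty = clean)."""
    findings = []
    display, sender = parseaddr(message.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    # Right name, wrong mailbox: the display name is the only thing most mail
    # clients show, so this is the core of the gift card scam.
    expected = EXECUTIVES.get(normalize_name(display))
    if expected and sender != expected:
        findings.append(f"display name '{display}' is an executive but sender is {sender}")

    # Domains one or two characters away from ours (examp1e.com) are look-alikes.
    if sender_domain and sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"sender domain {sender_domain} looks like {COMPANY_DOMAIN}")

    # A Reply-To that differs from the sender redirects the conversation.
    _, reply_to = parseaddr(message.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender:
        findings.append(f"replies are redirected to {reply_to.lower()}")

    # Scarcity / urgency language from the persuasion playbook.
    text = f"{message.get('Subject', '')} {message.get('Body', '')}"
    hits = sorted({m.lower() for m in PRESSURE_PHRASES.findall(text)})
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {   # the classic gift card pretext: right name, free-mail sender
        "From": "Dana Reyes <dana.reyes.ceo@gmail.example>",
        "Subject": "Quick favour",
        "Body": "Hey, can you buy me some gift cards for a client? I'm in a meeting, can't talk.",
    },
    {   # look-alike domain plus a Reply-To hijack
        "From": "Sam Okafor <sam.okafor@examp1e.com>",
        "Reply-To": "billing@mail-relay.example",
        "Subject": "Wire details for the acquisition",
        "Body": "Need this done right now.",
    },
    {   # a legitimate message from the real mailbox
        "From": "Dana Reyes <dana.reyes@example.com>",
        "Subject": "Board deck",
        "Body": "Draft attached, no rush.",
    },
]


def triage_all(messages=SAMPLE_MESSAGES) -> list[list[str]]:
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for m, f in zip(SAMPLE_MESSAGES, triage_all()):
        print(m["From"], "->", f or ["clean"])
```

None of these rules is a verdict on its own; the point is that a message which trips the display-name rule and the pressure-language rule at the same time is exactly the one your team should slow down on and verify through a known-good phone number.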
If a cyber criminal can't find your phone number, they can simply look it up on a data brokerage site. Often, if you Google somebody's name and the words “phone number,” you'll find their phone number very quickly. If you're not sure whether this works for you, I do recommend going to Google right now, typing in your name followed by the words “phone number,” “email address,” or “address” to see what information is available about you, and then taking steps to remove that information. There are a few options, like Google’s takedown tool (free) or Abine’s DeleteMe (paid), that you can use to remove that personally identifiable information (PII) about yourself online.
To build out a complete pretext, a hacker can also use artifacts like computer photos, pictures with work friends, badge pictures, and egress points; we need to know what your environment looks like and the people you spend time with so that we can pretend to be you in a credible way. Instagram is really useful for that because people tend to be a lot more loose on Instagram and unintentionally provide more information. Often, it's a simple selfie with coworkers, but in the background there is an open laptop, so I can see which software you use, or your email, or your client list. It's important to notice what information is public on social media about you and your workplace, and not let other people convince you that they're legitimate based on that knowledge.
On forums like Reddit, Indeed, and Glassdoor, people talk about their likes or dislikes at work, operations, and how their work runs. This is really useful for hackers because people think they're talking anonymously, so they assume they can talk about more details. But in reality, it doesn't matter whether this information is anonymous or not – it’s still valuable to an attacker. If a hacker knows that information, they can credibly create a pretext that commiserates with you about those details. For example, if the lunch options aren’t great in the work cafe, and everyone's talking about it, then the attacker can email you saying, “We heard your feedback and we've improved our pizza, here's a coupon.”
Company social media policy
It’s not practical to tell your team not to use social media at all, but you can follow some best practices to use social media safely. Simply limit the work details that are shared and make that a company policy. For example, you and your team don't need to share each new software you're working with right now, which manager you just changed to for a specific project, or specific challenges with work that attackers can use to trick you. That type of detail is useful for cyber criminals looking for vulnerabilities to exploit at your organization.
Cybercriminals use several principles of persuasion to convince you to do things that you would not normally do. It all comes down to the right timing, the right pretext, and the availability of information about someone online, such as your passwords that were involved in a breach. These principles of persuasion are from Robert Cialdini’s book Influence.
There are 6 established principles:
Reciprocity: Cyber criminals use Reciprocity to manipulate their targets into revealing sensitive information by first sharing what appears to be personal information about themselves. This information is actually false and part of the pretext the attacker built up before making contact.
Commitment & Consistency: Attackers will also ease their target into revealing information by building up a false sense of trust through Commitment and Consistency, that is, getting you into a pattern of sharing information with them so it feels most natural for you to continue down that path, even if you begin to feel uncomfortable with the level of detail they are asking you to provide.
Social Proof: This is all about name-dropping – a social engineer will take advantage of the trust you have in your peers, boss, community, etc. by name-dropping someone in your circle in order to get you to comply with a request you would not normally say yes to.
Likability: Attackers will often mirror the speech and behavioral patterns of a target to take advantage of the mirror neurons in our brains and encourage us to trust those who behave in a similar manner to us.
Authority: We often comply with those in our community who have the authority to ask us to take action, which means a hacker will oftentimes pretend to be your boss’ boss. However, a social engineer does sometimes flip that script and pretend to be someone new in your company, giving you the power to tell them what to do (and divulge sensitive info or access in the process).
Scarcity: We are more likely to act under a sense of urgency, so a social engineer might time-box a request to convince you to take an action quickly.
A hacker will combine all of these principles of persuasion with pretexts – who we are pretending to be when we’re hacking. A pretext is more than just a lie, it’s an entire character and persona! How can we resist falling for these principles of persuasion, pretexts, and human-based attacks? Take a moment to check in with yourself and ask, “is this person trying to get me to speed up and do something within 30 seconds?” or “how might I verify this person is who they say they are?”
If you slow down and verify identity before taking action on a request, you’re much more likely to catch me in the act while I’m hacking!
What are the most important actions to take?
Update your human-based protocols to verify identity and be politely paranoid before taking action on a request
Upgrade your technology to protect people when they make a mistake – start with a password manager to avoid password reuse and help alert your team to look-alike sites, upgrade your MFA, and you’re well on your way to stopping an attacker in their tracks.
Hello security enthusiasts! Bitwarden is here to thank Rachel for her valuable talk and her help in making the internet a safer place for everyone. Bitwarden envisions a world where nobody gets hacked, and for that reason we have developed an open source, free-for-everybody password manager, which is one of the first steps to protect yourself and your company. Very often, a hacker can get into an organization by finding leaked passwords online and trying them on employees’ work accounts, at either an employee or executive level. It is essential that you have strong and unique passwords for every account because if one password gets leaked, the rest of your accounts remain unaffected. Even in the case of phishing or a social engineering attack, a password manager can help you stay safe by only filling in passwords on recognized websites.
It’s critical for every member of your team to be empowered to generate strong and unique passwords for every account that you use, store them securely, and identify when a website is legitimate and when it’s not, and your password manager can do that for you.
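To make the “only fills passwords on recognized websites” behaviour concrete, here is an added example of the origin check a password manager performs before filling a saved login. This is illustrative code written for this page, not Bitwarden's implementation; it assumes each saved login carries the URL it was created on, uses a three-entry stand-in for the Public Suffix List, and the vault entries are constructed.

```python
"""The origin check behind "fill only on the right site" (added example).

Assumptions, not taken from the post or from Bitwarden:
  - every saved login stores the URL it was created on,
  - MULTI_LABEL_SUFFIXES stands in for the real Public Suffix List,
  - VAULT below is a constructed sample.
"""
from urllib.parse import urlparse

# Stand-in for the Public Suffix List: suffixes under which the "site" is
# three labels long (login.example.co.uk and example.co.uk are the same site).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname a person actually registers (eTLD+1)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def autofill_decision(saved_url: str, current_url: str) -> tuple[bool, str]:
    """Decide whether a login saved for saved_url may be filled on current_url."""
    saved, current = urlparse(saved_url), urlparse(current_url)

    # A phishing page served without TLS never gets a credential.
    if current.scheme != "https":
        return False, f"refusing to fill: {current_url} is not served over https"
    if not saved.hostname or not current.hostname:
        return False, "refusing to fill: URL has no hostname"

    # Homoglyph look-alikes: a non-ASCII host never matches a saved ASCII one.
    # Showing the punycode form makes the difference visible to the user.
    if not current.hostname.isascii() and saved.hostname.isascii():
        punycode = current.hostname.encode("idna").decode("ascii")
        return False, f"refusing to fill: {current.hostname!r} is really {punycode}, not {saved.hostname}"

    # example.com.evil-login.test and examp1e.com both fail here: the match is
    # on the registered site, never on a prefix or a visual resemblance.
    saved_site = registrable_domain(saved.hostname)
    current_site = registrable_domain(current.hostname)
    if saved_site != current_site:
        return False, f"refusing to fill: {current.hostname} belongs to {current_site}, login is for {saved_site}"
    return True, f"filling: {current.hostname} is part of {saved_site}"


# Constructed vault entries.
VAULT = [
    {"name": "Example corp SSO", "url": "https://example.com/login", "username": "rtobac"},
    {"name": "Payroll", "url": "https://payroll.example.co.uk/", "username": "rtobac"},
]


def offer_logins(current_url: str, vault=VAULT) -> list[str]:
    """Names of vault entries the manager would offer to fill on current_url."""
    return [entry["name"] for entry in vault if autofill_decision(entry["url"], current_url)[0]]


if __name__ == "__main__":
    for url in (
        "https://accounts.example.com/signin",      # real site, different subdomain
        "https://example.com.evil-login.test/",      # real name as a prefix of a fake site
        "https://examp1e.com/login",                 # digit 1 for letter l
        "http://example.com/login",                  # right host, no TLS
        "https://login.example.co.uk/",              # multi-label suffix handled
    ):
        print(url, "->", offer_logins(url) or "nothing offered")
```

The useful property for the reader is the one Rachel's advice relies on: the human looks at a familiar name and fills in the password; the manager looks at the registered site and refuses, so a mistake made under time pressure does not become a leaked credential.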