Social Engineering is Getting More Extreme, but the Fixes Can Be Simple

Tim Peel and Laremy Legel

Social engineering is a hacking technique older than the internet itself, and it's tempting to think you've already seen it all. But recently, we've noted a trend among threat actors pursuing more sophisticated and aggressive techniques to trick, or even threaten, users into performing their desired actions. Their campaigns are convincing, brazen, and at times alarming. In this blog post, we want to talk about some of the techniques we've seen (or been made aware of) and provide some practical advice that you can use to defend your employees and organizations.

First off, you should note that the days of bad movie villain accents and emails filled with blatant typos from far-flung international princes are coming to an end. Those attempting to breach systems are now proficient in corporate lingo, and they put in the time and research to sound as authentic as the person at the desk next to you. You can expect them to know your internal tools and terminology, and to name-drop your fellow employees with ease. This is the “confidence” portion of any confidence scam: the person on the other end of the line needs to make you feel like they have all the answers, and they need your help, immediately. And it’s this sense of “immediacy” that most social engineering attempts are going to rely on, preying on your desire to be helpful.

Imagine yourself on the end of this call:

“Quick do this for us, install this, we don’t have time to ask questions, hurry!”

Minutes later, you’ve given up a password, login, or access to your system because you were pressured to do so. As you hang up the phone, you get a weird feeling, that little tingle in the back of your brain that tells you something was “off” about the entire interaction ...

Before we get to our advice on this front, let’s review another real-life scenario we’ve seen play out. This is the tale of the business networking site, and we’ll place you in the mind of the intended target.

Just imagine, it’s a rainy day, and you’re on LinkedIn looking into what your current and past colleagues are doing for work these days. You’re browsing the site when you receive a message from someone you used to work with.

“Hey,” they lead off their message with, “I’ve heard through the rumor mill that you’re being investigated. I personally told them there’s no way, you’re too honest, but I just wanted to warn you that you might hear from the security team!”

You push the chair back from your desk, massively confused. Investigated? For what? You left that company months ago. You search your memory, trying to recall your relationship to the person who just messaged you, as well as what on Earth they might be talking about. Then an email arrives in your personal inbox, this time from someone identifying themselves as security at the company where you used to work, and it includes a link to a document for you to sign: an NDA.

“Can you please give me a call? We have some questions we’d like to ask you.”

Frightened and concerned, you pick up your mobile device and dial. Now you're way more than halfway down the rabbit hole of granting someone access to your information. You’re clicking links, interacting with the adversary, and moving right down the path of a poor outcome.

The above hypothetical is in fact a real situation, and one that’s gaining popularity with bad actors. The social engineer has established a convincing pretext, and naturally you don't want to seem dishonest or evasive.

Consider the tools they're using, too: you know DocuSign, where the NDA .pdf came through, and you’re on LinkedIn all the time. We've also seen threat actors leveraging GitHub. What you’re not taking into account is that the adversary in question has credentialed themselves through your prior co-worker's account, with a username and password they could easily have obtained through a data leak. Then they’ve set themselves up for step two, the contact phase, prepping your mind to accept their version of events and motivating you to clear your good name.

The adversary hasn't given you a moment to stop and think about where this is coming from, and why a former colleague would reach out to you via a third party. By not giving you the time to pause and ask questions, they’ve also created a false sense of urgency. Of course you want to be helpful, so you don’t mind talking to security, because what do you have to hide? You’re innocent! But this desire to demonstrate your innocence, combined with a series of carefully fabricated events designed to place you on the defensive, can only lead to a poor outcome for you - and your employer.

Now let’s turn our attention to an even crueler method of exploitation: threatening your loved ones. You receive a call at your desk at noon on a Thursday, and the voice on the other end of the line says they have your cousin Ali, and if you don’t do exactly as they say there’s going to be trouble. You’re shaken, and you ask what they could possibly want.

“Just install the software I’m emailing you and everything will be fine.”

You double click a few times and they hang up. Wait, what just happened? Is your cousin safe?

Of course, the idea of social engineering itself isn’t new or novel. We’ve written about these types of activities before, and we’ve seen widespread messaging of employees (and even family members of employees) in the past.

However, the current landscape indicates that threat actors are rapidly escalating both the level of their threats and the intimacy of their claims. Take a moment and consider the amount of information about you that is already out in the world. Are you on social media? The aforementioned business networking sites? Message boards? Ever applied for a business license or had personal information involved in a data breach? There is an incredible variety of ways to interact with the internet, and we do them all, and because of that it can be easy for someone to form a composite of what’s important to us, as well as our specific connections to friends and family. That is exactly the type of information that sophisticated adversaries will use to apply pressure and instill urgency. It’s this sense of urgency and intimacy that you should be aware of going forward.

Thus concludes the “you wouldn’t believe the things we’ve seen” portion of this article. Now let’s talk about the steps you and your company can take to avoid these types of interactions, with the positive news being that the fixes are readily available and easy to implement. The fixes here aren’t hard, won’t require millions of dollars, and can lead to easy wins. The methods we’ve described are attempts at getting past your intrusion detection. Culturally, there are steps that you can take to build an environment that’s less likely to be a victim of social engineering.

1. Anticipate the adversary

You should expect and anticipate that adversaries will attempt to imitate the service or IT support desk. As such, what can enterprises do to differentiate the help desk from any random caller? Can your employees research who they are talking to on a company intranet? Can they ask to call the person back at the number that’s provided on your internal support pages? Every company is different - the information available to your employees will be different and therefore the processes you recommend will be too, but companies should have a defined verification process that their user base can leverage when IT support or security staff reach out to them. We don’t need people to become paranoid, but a ‘trust, but verify’ mindset, backed by best practices for verifying callers (calling back on a known helpdesk number, visually matching against the org directory, etc.), can improve your security posture.

2. Have well-known procedures

In turn, it's important that the security and IT teams collaborate on an agreed process for safely providing remote support to users, and an unwavering commitment to following that process. Your security awareness program needs to communicate and set expectations to users on how they can validate the identity of helpdesk or security staff. It’s also worth considering a security program in which you’re not asking people to download software at all.

3. Security culture matters

Speaking of security awareness: never “punish” a user for asking questions of security or support teams. Instead, build a culture of security awareness and curiosity to encourage a healthy skepticism in your users. At this point, we know that adversaries have playbooks, including full scripts, on how to manipulate unsuspecting users into giving them information they can use. The culprits in this situation want the entire scheme to proceed quickly, without anyone having time to ask questions. Tell your users it’s okay to slow things down if they don’t understand what’s happening. Remember there is a power dynamic at play here, an emotional one, but when someone is asking you to do something, you hold the power in that situation, not them. Furthermore, you should encourage your security people to have conversations with everyday users, and to have a photo and a phone number associated with their internal work profile.

4. All hands on deck!

Encourage and reward your employees for reporting social engineering attempts. They can be your eyes and ears, and an early warning system. Many organizations today have defined processes for reporting phishing emails, but do your people know that they should - and more importantly, know how to - report the types of approaches that we’ve talked about here today? Such attempts should be reported as soon as possible. And upon receiving such reports, your security team should work with other relevant parts of your business to ensure that your processes and advice to employees are sufficient for whatever the next creative permutation of these types of aggressive social engineering approaches looks like.

5. Downvote downloads

Your security awareness program should make users skeptical of downloading software to their endpoint. Getting concepts like this out to your employee base could make all the difference. And if you can, consider locking down your environment overall by blocking all remote management and monitoring (RMM) tools, apart from a limited set endorsed for use by support/IT teams.
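One way to operationalise the two controls above (an endorsed-RMM allowlist and skepticism about user-downloaded software) is a simple review of endpoint process-creation events. The script below is an added example, not code from the original post or from Okta; the log format, the tool names and the policy sets are constructed for illustration, and a real deployment would take them from your own software inventory and support policy.

```python
import csv
import io
from pathlib import PureWindowsPath
from typing import Optional

# Constructed process-creation events: host, user, image path, parent image.
SAMPLE_LOG = """\
host,user,image,parent
ws-014,jdoe,C:\\Program Files\\EndorsedRMM\\agent.exe,C:\\Windows\\System32\\services.exe
ws-014,jdoe,C:\\Users\\jdoe\\Downloads\\QuickSupportTool.exe,C:\\Windows\\explorer.exe
ws-022,asmith,C:\\Users\\asmith\\AppData\\Local\\Temp\\invoice_viewer.exe,C:\\Program Files\\Mozilla Firefox\\firefox.exe
ws-031,itadmin,C:\\Program Files\\EndorsedRMM\\agent.exe,C:\\Windows\\System32\\services.exe
ws-031,itadmin,C:\\Windows\\System32\\notepad.exe,C:\\Windows\\explorer.exe
ws-045,bkhan,C:\\Users\\bkhan\\Downloads\\agent.exe,C:\\Windows\\explorer.exe
"""

# Hypothetical policy. The endorsed RMM agent is identified by its full install
# path, so a same-named binary dropped into a Downloads folder does not pass.
ENDORSED_RMM_PATHS = {r"c:\program files\endorsedrmm\agent.exe"}
# Hypothetical file names of RMM-style tools the organisation has chosen to block.
BLOCKED_RMM_NAMES = {"quicksupporttool.exe", "agent.exe"}
# Locations an ordinary user can write to; software running from here was most
# likely downloaded by the user rather than deployed by IT.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it is policy-compliant."""
    image = event["image"].lower()
    name = PureWindowsPath(image).name
    if image in ENDORSED_RMM_PATHS:
        return None  # the one RMM deployment IT/support has endorsed
    if name in BLOCKED_RMM_NAMES:
        return "rmm_not_endorsed"  # RMM tool outside the endorsed set
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        return "user_downloaded_executable"  # software the user fetched themselves
    return None


def find_violations(log_text: str) -> list:
    """Parse the CSV log and return (host, user, image, finding) per violation."""
    findings = []
    for event in csv.DictReader(io.StringIO(log_text)):
        label = classify(event)
        if label:
            findings.append((event["host"], event["user"], event["image"], label))
    return findings


if __name__ == "__main__":
    for host, user, image, label in find_violations(SAMPLE_LOG):
        print(f"{label:28} {host:8} {user:10} {image}")
```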

We should expect that in a well-configured environment, attackers will resort to more extreme variations of social engineering. We’re seeing variations on the above themes all the time, which is why we all need to be extremely intentional about how we respond to requests, no matter who they appear to be from, or how urgent they may seem. There is no "one size fits all" solution here. Every company is different, and the information available to your employees will be different and therefore the processes you recommend will be too. The main takeaway? Make your people aware, because improved security awareness tends to lead to improved security results.

Tim Peel
Director, Cyber Threat Research

Tim Peel leads Cyber Threat Research within Okta's cyber defence team.

Laremy Legel
Senior Manager, Security Communications

Prior to joining Okta recently as a Senior Communications Manager, Laremy Legel worked for Amazon Web Services (AWS). Upon joining AWS in 2014, he delivered communications on topics such as Zero Trust, Defense in Depth, Confidential Computing, and global privacy regulations. After bringing two services to market (AWS Artifact and Amazon Macie), Laremy transitioned to assist the CISO of AWS and co-founded the first dedicated cloud security conference, AWS re:Inforce, in 2019.