Security / July 18, 2019

Human Factors Attacks: Social Engineering

One of the most sophisticated types of attack on your company’s infrastructure isn’t an electronic or malware attack — it’s a form of attack known as social engineering. These are attacks in which the perpetrator attempts to use social cues and expectations to achieve a vector into your network. As a member of InfraGard, an information and news dissemination list maintained in part by the FBI, I will post from time to time on common themes seen in these infrastructure attacks.

In this month’s exploit, an attacker poses as an IT professional — either inside or outside of your enterprise. What follows is a precis of the FBI alert from June 6, 2019. (See the full bulletin here.)

“The FBI’s New York office, in coordination with the FBI’s Office of Private Sector, is providing this information to private sector partners regarding criminals posing as technology support representatives to obtain personal and financial information. The perpetrators gain trust from victims by impersonating a representative from a legitimate or an illegitimate technology company. They mislead the victims by offering computer services to resolve a range of computer security and operations issues. When victims subscribe to the fraudulent services, the perpetrators gain access to their personally identifiable information and financial accounts. Some examples of this scam include:

  • In October 2018, a victim received a phone call from a perpetrator who claimed he needed remote access to repair the victim’s computer issues. The perpetrator told the victim to send funds to the perpetrator’s account numbers because the victim was overpaid for a refund. As a result, the victim incurred a loss of approximately $416,000.
  • In or around April 2018, a victim’s computer displayed a message after it froze, instructing the victim to call a specific phone number to correct a computer “problem.” The victim called and allowed the individual on the telephone remote access into his computer. The victim thought the individual fixed the computer issue and sent a check for approximately $1,400 to the tech support company for the service. The victim researched the company, realized it was a scam, and stopped payment on the check.
  • In December 2017, a perpetrator posing as a representative of a computer service company that a victim used to maintain on the victim’s operating system told the victim he or she would receive a refund. The perpetrator used a computer program to connect to the victim’s machine to transfer money between the victim’s accounts, stealing approximately $118,700.

“According to FBI information, criminals will likely increase their use of technology support scams due to the ease of misleading victims by posing as technology support representatives and the prospect of financial gain. Criminals may also expand their activities to target start-up companies and small businesses who do not have a permanent or sufficient technology support staff.

“Indications of criminals conducting technology support scams include, but are not limited to, the following:

  • Complaints from customers reporting they were defrauded by an individual posing as a technology support representative
  • Complaints from customers reporting pop-up messages directing the customer to call a specific phone number for IT services
  • Complaints from customers who sent wire transfers to countries such as Hong Kong and Malaysia to pay for IT services
  • Complaints from customers who paid for IT services via prepaid cards or money transfer applications
  • Complaints from customers who received an unsolicited phone number for an IT company who appeared legitimate
  • Complaints from customers who provided their bank or credit card information to receive a “refund””

This alert confirms what IT security professionals have known for a long time — that the sophistication of external actors is increasing. And it raises the questions, “What can I do about this threat?” and “How does this apply to my Gigamon infrastructure?”

To combat this kind of social engineering attack you can arm your personnel with a form of two-factor authentication. In software terms, a second factor is a parallel channel (like a message to a cell phone) that confirms a user’s identity when the user requests access to company assets.

By reverse two-factor authentication we mean giving IT departments a way to prove their own identity outside the email or phone channel they are using. As a user in the organization, you then have a second path to confirm the identity of the emailer or caller. Some examples:

  • A monthly code phrase that’s distributed in the payroll or PTO statement
  • A challenge phrase on a laminated card distributed quarterly
  • A hardware token generator (usually cost prohibitive)

Each of these methods requires the supposed IT department representative to prove their identity before you grant remote access or send money.
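The following is an added example, not code from this post or from Gigamon, that shows how two of the methods above can be implemented: a monthly code phrase derived from a master secret (the payroll system would print it on the statement) and an RFC 4226 HOTP token that the IT representative reads out while the employee checks it against the current time step. The master secret, wordlist and secrets are constructed for illustration.

```python
import hmac
import hashlib
import struct

# Constructed sample values; a real deployment provisions these out of band.
MASTER_SECRET = b"example-master-secret-not-for-production"
WORDLIST = ["anchor", "basil", "copper", "delta", "ember", "falcon", "granite", "harbor"]


def monthly_code_phrase(master_secret: bytes, year: int, month: int, nwords: int = 3) -> str:
    """Derive this month's code phrase from the master secret and calendar month.
    The phrase goes out with the payroll/PTO statement; a caller claiming to be
    IT must quote it before the employee grants remote access."""
    label = f"{year:04d}-{month:02d}".encode()
    digest = hmac.new(master_secret, label, hashlib.sha256).digest()
    words = []
    for i in range(nwords):
        idx = int.from_bytes(digest[2 * i:2 * i + 2], "big") % len(WORDLIST)
        words.append(WORDLIST[idx])
    return "-".join(words)


def phrase_matches(expected: str, quoted: str) -> bool:
    """Constant-time comparison; tolerant of case and surrounding whitespace."""
    return hmac.compare_digest(expected.strip().lower(), quoted.strip().lower())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code shown on the IT department's hardware token."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_caller_code(secret: bytes, quoted: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Employee side of the check: accept the quoted token code if it matches the
    current time step or one step either side (clock drift). Any other code means
    the caller could not prove they hold the IT department's token."""
    counter = int(now // step)
    candidates = [hotp(secret, counter + d) for d in range(-window, window + 1)]
    return any(hmac.compare_digest(c, quoted.strip()) for c in candidates)


if __name__ == "__main__":
    phrase = monthly_code_phrase(MASTER_SECRET, 2019, 7)
    print("July 2019 code phrase:", phrase)
    token_secret = b"12345678901234567890"  # RFC 4226 test secret, constructed use only
    print("token code for step 1:", hotp(token_secret, 1))
```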

But what if these mechanisms fail? Can your Gigamon infrastructure provide you with any help? Yes, absolutely. Using the Visibility Fabric™ in a Gigamon appliance, perhaps in combination with our inline SSL offering, you have the ability to categorize and monitor which sites, addresses and URLs your outbound traffic is going to. For unusual traffic patterns, you can send a copy of the traffic to additional tools for inspection and potential intermediation.

No security posture is absolutely safe. But taking appropriate safety measures can go a long way toward a reliable and maintainable security infrastructure.

Be Safe!

Greg Maples
Sr. Security Architect, CISSP
