Social engineering techniques go beyond email phishing to exploit the remote-working new normal.
Phishing is one of the most common cyber-attack techniques. However, with more advanced technologies and new mediums available, phishing is no longer confined to email.
With personal information so publicly available on the Internet, the seemingly innocent social media posts on birthday celebrations and updates on job statuses can become the perfect place for hackers to identify targets, acquire information to profile them and create highly targeted attacks.
According to a report, nearly three quarters of people post information on social media that could make them vulnerable to a cyber-attack. For example, hackers can build a convincing impersonation of a senior executive from their LinkedIn posts and then target new employees with phishing scams. Hackers could even use machine learning and other automated technologies to track and engage targets on social media.
This is a growing cybersecurity concern, especially as employees working remotely connect their Internet of Things (IoT) or personal devices to business servers, creating a gateway through which attackers can infiltrate entire networks.
CybersecAsia discussed the latest cyber-threats with Brad Gray, Senior Vice President, APAC, Exclusive Networks:
Could you provide an overview of the latest social engineering techniques employed by bad actors? What has been most prevalent in APAC recently?
Gray: The prevailing conditions surrounding the COVID-19 pandemic have shifted a variety of everyday activities onto online platforms, including remote working, digital learning, and online shopping. These have made it a fertile ground for cybercriminals to exploit as they abuse various COVID-19 related themes and spread scams and misinformation about the virus and vaccines to trick humans into divulging their credentials.
CrowdStrike’s 2021 Global Threat Report found that there was increased data extortion during the pandemic, with 56% of organizations experiencing an attack last year. State-sponsored attacks targeting high-value organizations including healthcare organizations hit South and Southeast Asia particularly hard. This trend is expected to continue into 2021 as the region battles against the pandemic and vaccines are being rolled out.
These days, bad actors have become far more sophisticated in their approaches. Instead of the spray-and-bulk phishing attacks, where fraudulent messages are sent in bulk, cybercriminals have turned to highly targeted spear-phishing attacks, creating convincing messages using various methods to profile their victims, making them harder to resist.
Brand imitation is a growing trend as scammers try to imitate websites of well-known companies by using similar URLs, webpage designs, trademarks and logos. Last year, cloud services overtook financial services to become the most impersonated industry as remote working accelerated the adoption of digital technology.
Social media has also become an increasingly popular hunting ground for cyber criminals as personal information has become so easily and readily available. The Instagram posts on birthday celebrations, or even photos of home office setups during lockdowns may seem innocent but could expose users and put personal and critical data at risk. Hackers can use this information to build a convincing impersonation and then use it to target victims with phishing scams.
While advanced technologies such as artificial intelligence and machine learning have many positive applications in automating various functions, they also have the potential for misuse as cybercriminals use them for malicious purposes. These powerful tools can be a double-edged sword, used to scrape information, track and engage targets, automate hacking and impersonate victims using speech synthesis, etc.